DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Summary
This action is a responsive to the application filed on 8/27/2021.
Claims 1-20 are pending and have been examined.
Claims 1-20 are rejected.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 8/27/2021.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 234, 308, 324, 508.  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Objections
Claim 7 objected to because of the following informalities:  
Claim 7 – “an updated start time and atime” should be “an updated start time and updated end time”.
Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.



Claims 8 and 10-11 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Balasubramanian et al. (US 20200285697 A1).

As to claim 8, Balasubramanian et al. teaches a computerized method for predicting impact on infrastructure elements based on incident ticket data, the method comprising: identifying, by an extraction component, impact data associated with at least one issue based on incident-related data obtained from a selected incident ticket, the impact data including an impact time-period (See ¶¶ [0038], [0041], [0044], Teaches that community extractor 302 uses the number of communities identified by corpus sigma calculator 300 and further extracts additional communities present in the data (e.g., from historical incident alert data 110). In some embodiments, determining an affinity score may also include determining parent and child relationships between sources of incident alerts. An incident alert submitted for a child node or network element may be caused by a problem associated with a parent node or network element. attribute strapping 308 includes attaching attributes obtained in the previous stages, including attributes from corpus sigma calculator 300, community extractor 302, semantic analyzer 304, and/or dynamic clustering 306, as well as additional attributes obtained from historical incident alert data 110 to each cluster. For example, attribute strapping 308 may include attaching information about time ranges, affinity score delta, number of sources (e.g., nodes or network elements), parent-child relationship factors, and/or resolution/close notes associated with incident alerts to each of the clusters obtained or generated by dynamic clustering 306);
generating, by a prediction component, predicted impact data including additional data describing a set of potentially impacted infrastructure elements (See ¶¶ [0057], [0066], Teaches that a sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts);
and creating, by an update component, a labeled incident ticket associated with the issue, the labeled incident ticket including at least a portion of the predicted impact data (See ¶¶ [0073], [0025] Teaches that a prescriptive avoidance rule set is generated. The prescriptive avoidance rule set includes one or more rules of the plurality of rules from the rule knowledge base 310 that are configured to identify an incident alert as a dead-end ticket. A “dead-end ticket” means an incident alert or ticket for which a problem has no actionable resolution or for which the resolution is dependent on the resolution of a different incident alert or ticket.). 

As to claim 10, Balasubramanian et al. teaches the method according to claim 8 above. Balasubramanian et al. further teaches further comprising: training an impact model, by a ticket manager component, using training data, including the labeled incident ticket (See ¶¶ [0033], [0023] Teaches that after the rules knowledge base has been initially populated as part of training phase 200, incident avoidance system 120 may implement a reinforcement learning phase 210. Reinforcement learning phase 210 includes use of a machine learning algorithm that enables refinement and adjustment of the rules in the rules knowledge base through trial and error with feedback. For example, as described above, in some embodiments, a second subset of historical incident alert data 110 may be used by reinforcement engine module 124 to obtain positive and/or negative feedback on the rules in the rules knowledge base during reinforcement learning phase 210. In some cases, user input 212 may be received during reinforcement learning phase 210 to assist reinforcement engine module 124 with refining the rules in the rules knowledge base. User input 212 may be in the form of positive or negative feedback, as well as confirming or denying whether or not a particular incident alert is a dead-end ticket. Incident alert system 106 may be an information technology help desk or other resource for assisting users and troubleshooting system, software, and/or hardware problems within the enterprise network). 

As to claim 11, Balasubramanian et al.. teaches the method according to claim 8 above. Balasubramanian et al. further teaches further comprising: analyzing infrastructure data, including a set of known infrastructure components identifying at least one of hardware components and software components from the set of potentially impacted infrastructure elements; and identifying a list of potentially impacted infrastructure components unidentified in the incident ticket associated with the issue from the set of known infrastructure components (See ¶¶ [0041], [0057], [0066], Teaches that determining an affinity score may also include determining parent and child relationships between sources of incident alerts. An incident alert submitted for a child node or network element may be caused by a problem associated with a parent node or network element. For example, in an enterprise network, multiple incident alerts about problems with wireless network access submitted for different devices (i.e., child nodes) may be related to an incident alert about a problem with a wireless access point (i.e., parent node) serving those devices. In such cases, incident alerts for one or more child nodes are related to the incident alert for the parent node. As a result, a resolution of the problem associated with the incident alert for the parent node may be sufficient to resolve the problems detailed in the incident alerts for the child node or nodes. In some embodiments, determining a parent and child relationship between two or more nodes in the enterprise environment may be obtained by analyzing the relationships between the sources (i.e., nodes) included in the incident alerts in historical incident alert data 110. These parent-child relationships may then be used as part of the rules for the prescriptive avoidance rule set. A sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts). 
	
	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 3-6, 12 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al. (US 20200285697 A1) and further in view of Chen et al. (US 20180324062 A1).

As to claim 1, Balasubramanian et al. teaches a system predicting impact on infrastructure elements based on incident ticket data, the system comprising: at least one processor; and at least one memory comprising computer program code, the at least one memory and the computer program code configured to, with the at least one processor, implement a ticket manager component (See ¶¶ [0075], [0023], Teaches that incident avoidance system 120 includes one or more processors 800, memory 802, a network interface 810, and a database 812. Incident alert system 106 may be an information technology help desk or other resource for assisting users and troubleshooting system, software, and/or hardware problems within the enterprise network.), 
to cause the at least one processor to: identify, by an extraction component, impact data associated with at least one issue based on incident-related data obtained from a selected incident ticket, the impact data including an impact time-period (See ¶¶ [0038], [0041], [0044], Teaches that community extractor 302 uses the number of communities identified by corpus sigma calculator 300 and further extracts additional communities present in the data (e.g., from historical incident alert data 110). In some embodiments, determining an affinity score may also include determining parent and child relationships between sources of incident alerts. An incident alert submitted for a child node or network element may be caused by a problem associated with a parent node or network element. attribute strapping 308 includes attaching attributes obtained in the previous stages, including attributes from corpus sigma calculator 300, community extractor 302, semantic analyzer 304, and/or dynamic clustering 306, as well as additional attributes obtained from historical incident alert data 110 to each cluster. For example, attribute strapping 308 may include attaching information about time ranges, affinity score delta, number of sources (e.g., nodes or network elements), parent-child relationship factors, and/or resolution/close notes associated with incident alerts to each of the clusters obtained or generated by dynamic clustering 306);
generate, by a prediction component, predicted impact data including additional data describing a set of potentially impacted infrastructure elements, the set of potentially impacted infrastructure elements comprising a set of potentially impacted infrastructure components based on analysis of the impact data with infrastructure data and real-time monitor data associated with a set of infrastructure components (See ¶¶ [0057], [0066], Teaches that a sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts);
and create, by an update component, a set of labeled incident tickets associated with the issue, the set of labeled incident tickets including at least a portion of the predicted impact data (See ¶¶ [0073], [0025] Teaches that a prescriptive avoidance rule set is generated. The prescriptive avoidance rule set includes one or more rules of the plurality of rules from the rule knowledge base 310 that are configured to identify an incident alert as a dead-end ticket. A “dead-end ticket” means an incident alert or ticket for which a problem has no actionable resolution or for which the resolution is dependent on the resolution of a different incident alert or ticket.). 
However, it does not expressly teach the set of potentially impacted infrastructure elements comprising at least one of a set of potential impacted users.
Chen et al., from analogous art, teaches the set of potentially impacted infrastructure elements comprising at least one of a set of potential impacted users (See ¶¶ [0035], [0031], Teaches that all impacted entities (e.g., users, admins, technicians, etc.) are determined based on relationship maps 36 at S7, and at S8 the impacted entities are notified. Cloud users can be linked to components in the cloud 40, and different components can be linked).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chen et al. into Balasubramanian et al. to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents.
One of ordinary skill in the art would have been motivated because it allows one  to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents (See Chen et al. ¶ [0001]).

As to claim 3, the combination of Balasubramanian et al. and Chen et al. teaches the system according to claim 1 above. Balasubramanian et al. further teaches wherein the ticket manager component further comprises an impact model utilizing machine learning, wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: train the impact model using training data, including the set of labeled incident tickets (See ¶ [0033], Teaches that after the rules knowledge base has been initially populated as part of training phase 200, incident avoidance system 120 may implement a reinforcement learning phase 210. Reinforcement learning phase 210 includes use of a machine learning algorithm that enables refinement and adjustment of the rules in the rules knowledge base through trial and error with feedback. For example, as described above, in some embodiments, a second subset of historical incident alert data 110 may be used by reinforcement engine module 124 to obtain positive and/or negative feedback on the rules in the rules knowledge base during reinforcement learning phase 210. In some cases, user input 212 may be received during reinforcement learning phase 210 to assist reinforcement engine module 124 with refining the rules in the rules knowledge base. User input 212 may be in the form of positive or negative feedback, as well as confirming or denying whether or not a particular incident alert is a dead-end ticket). 

As to claim 4, the combination of Balasubramanian et al. and Chen et al. teaches the system according to claim 1 above. Balasubramanian et al. further teaches wherein the impact data includes user-generated data extracted from the selected incident ticket, the impact data identifying at least one of a set of impacted infrastructure components,  an impact start time and an impact end (See ¶¶ [0057], [0066], [0044], Teaches that a sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts. For example, attribute strapping 308 may include attaching information about time ranges, affinity score delta, number of sources (e.g., nodes or network elements), parent-child relationship factors, and/or resolution/close notes associated with incident alerts to each of the clusters obtained or generated by dynamic clustering 306.).
However, it does not expressly teach a set of impacted users.
Chen et al., from analogous art, teaches a set of impacted users (See ¶¶ [0035], [0031], Teaches that all impacted entities (e.g., users, admins, technicians, etc.) are determined based on relationship maps 36 at S7, and at S8 the impacted entities are notified. Cloud users can be linked to components in the cloud 40, and different components can be linked).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chen et al. into the combination of Balasubramanian et al. and Chen et al. to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents.
One of ordinary skill in the art would have been motivated because it allows one  to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents (See Chen et al. ¶ [0001]).

As to claim 5, the combination of Balasubramanian et al. and Chen et al. teaches the system according to claim 1 above. Balasubramanian et al. further teaches wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze the infrastructure data, including a set of known infrastructure components identifying at least one of hardware components and software components from the set of potentially impacted infrastructure elements; and identify a list of potentially impacted infrastructure components from the set of known infrastructure components and the predicted impact data, wherein the set of potentially impacted infrastructure components comprises at least one component unidentified in the incident ticket associated with the issue (See ¶¶ [0041], [0057], [0066], Teaches that determining an affinity score may also include determining parent and child relationships between sources of incident alerts. An incident alert submitted for a child node or network element may be caused by a problem associated with a parent node or network element. For example, in an enterprise network, multiple incident alerts about problems with wireless network access submitted for different devices (i.e., child nodes) may be related to an incident alert about a problem with a wireless access point (i.e., parent node) serving those devices. In such cases, incident alerts for one or more child nodes are related to the incident alert for the parent node. As a result, a resolution of the problem associated with the incident alert for the parent node may be sufficient to resolve the problems detailed in the incident alerts for the child node or nodes. In some embodiments, determining a parent and child relationship between two or more nodes in the enterprise environment may be obtained by analyzing the relationships between the sources (i.e., nodes) included in the incident alerts in historical incident alert data 110. These parent-child relationships may then be used as part of the rules for the prescriptive avoidance rule set. A sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts). 

As to claim 6, the combination of Balasubramanian et al. and Chen et al. teaches the system according to claim 1 above. However, it does not expressly teach wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze the infrastructure data, including a set of known users associated with at least one infrastructure component from the set of potentially impacted infrastructure elements; and identify a list of additional potentially impacted users unidentified in the incident ticket associated with the issue from the set of known users that are potentially impacted by the issue.
Chen et al., from analogous art, teaches wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze the infrastructure data, including a set of known users associated with at least one infrastructure component from the set of potentially impacted infrastructure elements; and identify a list of additional potentially impacted users unidentified in the incident ticket associated with the issue from the set of known users that are potentially impacted by the issue (See ¶¶ [0035], [0031], Teaches that all impacted entities (e.g., users, admins, technicians, etc.) are determined based on relationship maps 36 at S7, and at S8 the impacted entities are notified. Relationship manager 26 (FIG. 1) has two primary functions, to generate and maintain relationship maps 36 and to implement a correlation engine. Relationship maps 36 link objects within the topology, such as relationships between VMs, users, hardware, services, etc. The relationship maps 36 map be generated based on the topology 32, VM data, user data, etc. For example, illustrative maps may determine which VMs are associated with which hosts, which VMs are associated with which network bridges, which VMs are associated with which users, etc. For example, a first VM (VM1) may have relationships with a host (HOST2), network bridge (BR1), and a set of users (USER1, USER5, USER7). Over time, relationship manager 26 may utilize information from the monitoring module 24 to implement real-time updates to the relationship maps 36. For example, if a server is added to the cloud 40, the topology 32 and associated relationship map 36 will be updated. In this manner, cloud users can be linked to components in the cloud 40, and different components can be linked.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chen et al. into the combination of Balasubramanian et al. and Chen et al. to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents.
One of ordinary skill in the art would have been motivated because it allows one  to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents (See Chen et al. ¶ [0001]).

As to claim 12, Balasubramanian et al. teaches the method according to claim 8 above. However, it does not expressly teach further comprising: analyzing infrastructure data, including a set of known users associated with at least one infrastructure component from the set of potentially impacted infrastructure elements; and identifying a list of additional potentially impacted users unidentified in the incident ticket associated with the issue from the set of known users potentially impacted by the issue.
Chen et al., from analogous art, teaches further comprising: analyzing infrastructure data, including a set of known users associated with at least one infrastructure component from the set of potentially impacted infrastructure elements; and identifying a list of additional potentially impacted users unidentified in the incident ticket associated with the issue from the set of known users potentially impacted by the issue (See ¶¶ [0035], [0031], Teaches that all impacted entities (e.g., users, admins, technicians, etc.) are determined based on relationship maps 36 at S7, and at S8 the impacted entities are notified. Relationship manager 26 (FIG. 1) has two primary functions, to generate and maintain relationship maps 36 and to implement a correlation engine. Relationship maps 36 link objects within the topology, such as relationships between VMs, users, hardware, services, etc. The relationship maps 36 map be generated based on the topology 32, VM data, user data, etc. For example, illustrative maps may determine which VMs are associated with which hosts, which VMs are associated with which network bridges, which VMs are associated with which users, etc. For example, a first VM (VM1) may have relationships with a host (HOST2), network bridge (BR1), and a set of users (USER1, USER5, USER7). Over time, relationship manager 26 may utilize information from the monitoring module 24 to implement real-time updates to the relationship maps 36. For example, if a server is added to the cloud 40, the topology 32 and associated relationship map 36 will be updated. In this manner, cloud users can be linked to components in the cloud 40, and different components can be linked.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chen et al. into Balasubramanian et al. to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents.
One of ordinary skill in the art would have been motivated because it allows one  to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents (See Chen et al. ¶ [0001]).

As to claim 14, Balasubramanian et al. teaches the method according to claim 8 above. Balasubramanian et al. further teaches wherein the set of potentially impacted infrastructure elements comprises at least one of a set of potentially impacted infrastructure components and an updated time-period based on analysis of the impact data with infrastructure data and monitor data associated with a set of infrastructure components (See ¶¶ [0057], [0066], [0044], Teaches that a sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts. For example, attribute strapping 308 may include attaching information about time ranges, affinity score delta, number of sources (e.g., nodes or network elements), parent-child relationship factors, and/or resolution/close notes associated with incident alerts to each of the clusters obtained or generated by dynamic clustering 306.).
However, it does not expressly teach wherein the set of potentially impacted infrastructure elements comprises at least one of a set of potential impacted users.
Chen et al., from analogous art, teaches wherein the set of potentially impacted infrastructure elements comprises at least one of a set of potential impacted users (See ¶¶ [0035], [0031], Teaches that all impacted entities (e.g., users, admins, technicians, etc.) are determined based on relationship maps 36 at S7, and at S8 the impacted entities are notified. Cloud users can be linked to components in the cloud 40, and different components can be linked).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chen et al. into Balasubramanian et al. to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents.
One of ordinary skill in the art would have been motivated because it allows one  to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents (See Chen et al. ¶ [0001]).

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al. (US 20200285697 A1) and Chen et al. (US 20180324062 A1) and further in view of Cai et al. (US 20190347282 A1).

As to claim 2, the combination of Balasubramanian et al. and Chen et al. teaches the system according to claim 1 above. However, it does not expressly teach wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze, by an analysis component, the real-time monitor data during the impact time-period or an updated impact time-period to identify a set of anomalous data utilized to generate the set of labeled incident tickets, the set of anomalous data comprising at least one of anomalous event data and anomalous metric data.
Cai et al., from analogous art, teaches wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze, by an analysis component, the real-time monitor data during the impact time-period or an updated impact time-period to identify a set of anomalous data utilized to generate the set of labeled incident tickets, the set of anomalous data comprising at least one of anomalous event data and anomalous metric data (See ¶¶ [0150], Teaches that The visual navigator of infrastructure components allows for real-time detection and prediction of vulnerabilities. The virtual agent 180 can display condensed summaries of a large amount of data and can link the summaries to predictive models 126 and operational risk models 124 to identify risk events and provide summaries of those events.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Cai et al. into the combination of Balasubramanian et al. and Chen et al. to computationally analyze request strings in historical IT incident tickets to identify estimated recommendations representative of solutions based on the competition analysis.
One of ordinary skill in the art would have been motivated because it allows one to computationally analyze request strings in historical IT incident tickets to identify estimated recommendations representative of solutions based on the competition analysis (See Cai et al. ¶ [0065]).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al. (US 20200285697 A1) and Chen et al. (US 20180324062 A1) and further in view of Margalit et al. (US 20190036797 A1).

As to claim 7, the combination of Balasubramanian et al. and Chen et al. teaches the system according to claim 1 above. However, it does not expressly teach wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze the real-time monitor data and the infrastructure data to determine whether to update the impact time-period; and update the impact time-period to include at least one of an updated start time and atime.
Margalit et al., from analogous art, teaches wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze the real-time monitor data and the infrastructure data to determine whether to update the impact time-period; and update the impact time-period to include at least one of an updated start time and atime (See ¶ [0078] and Fig. 15, Teaches that temporal table 718 includes fields indicative of the valid time for alerts, such as a valid time start time indicative of a time at which the alert becomes valid and a valid time end time indicative of a time at which the alert ceases to be valid. In an implementation, the valid time start time for an alert can be represented by a timestamp recorded at the time the alert is identified. In an implementation, the valid time end time for the alert can be represented by a timestamp indicative of an impact calculation operation performed based on the alert. In an implementation, the valid time end time for the alert can be represented by a timestamp recorded at the time an update to or replacement for the alert is identified. For example, where the alert indicates a medium severity for a database, its valid time end time may be the time at which a new alert indicating a cleared severity for the database is identified).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Margalit et al. into the combination of Balasubramanian et al. and Chen et al. to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time.
One of ordinary skill in the art would have been motivated because it allows one to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time (See Margalit et al. ¶ [0004]).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al. (US 20200285697 A1) and further in view of Cai et al. (US 20190347282 A1).

As to claim 9, Balasubramanian et al. teaches the method according to claim 8 above. However, it does not expressly teach further comprising: analyzing, by an analysis component, monitor data during the impact time-period or an updated time-period to identify a set of anomalous data, wherein the set of anomalous data is utilized to generate the labeled incident ticket, the set of anomalous data comprising at least one of anomalous event data and anomalous metric data.
Cai et al., from analogous art, teaches further comprising: analyzing, by an analysis component, monitor data during the impact time-period or an updated time-period to identify a set of anomalous data, wherein the set of anomalous data is utilized to generate the labeled incident ticket, the set of anomalous data comprising at least one of anomalous event data and anomalous metric data (See ¶¶ [0150], Teaches that The visual navigator of infrastructure components allows for real-time detection and prediction of vulnerabilities. The virtual agent 180 can display condensed summaries of a large amount of data and can link the summaries to predictive models 126 and operational risk models 124 to identify risk events and provide summaries of those events.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Cai et al. into Balasubramanian et al. to computationally analyze request strings in historical IT incident tickets to identify estimated recommendations representative of solutions based on the competition analysis.
One of ordinary skill in the art would have been motivated because it allows one to computationally analyze request strings in historical IT incident tickets to identify estimated recommendations representative of solutions based on the competition analysis (See Cai et al. ¶ [0065]).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al. (US 20200285697 A1) and further in view of Margalit et al. (US 20190036797 A1).

As to claim 13, Balasubramanian et al. teaches the method according to claim 8 above. However, it does not expressly teach further comprising: analyzing monitor data and infrastructure data to determine whether to expand the impact time-period; and updating the impact time-period to include at least one of an earlier start time and a later end time.
Margalit et al., from analogous art, teaches further comprising: analyzing monitor data and infrastructure data to determine whether to expand the impact time-period; and updating the impact time-period to include at least one of an earlier start time and a later end time (See ¶ [0078] and Fig. 15, Teaches that temporal table 718 includes fields indicative of the valid time for alerts, such as a valid time start time indicative of a time at which the alert becomes valid and a valid time end time indicative of a time at which the alert ceases to be valid. In an implementation, the valid time start time for an alert can be represented by a timestamp recorded at the time the alert is identified. In an implementation, the valid time end time for the alert can be represented by a timestamp indicative of an impact calculation operation performed based on the alert. In an implementation, the valid time end time for the alert can be represented by a timestamp recorded at the time an update to or replacement for the alert is identified. For example, where the alert indicates a medium severity for a database, its valid time end time may be the time at which a new alert indicating a cleared severity for the database is identified).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Margalit et al. into Balasubramanian et al. to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time.
One of ordinary skill in the art would have been motivated because it allows one to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time (See Margalit et al. ¶ [0004]).

Claims 15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al. (US 20200285697 A1) and further in view of Chen et al. (US 20180324062 A1) and Margalit et al. (US 20190036797 A1).

As to claim 15, Balasubramanian et al. teaches one or more non-transitory computer readable storage media having computer- executable instructions for a ticket manager component predicting impact on infrastructure elements based on incident ticket data that, upon execution by a processor, cause the processor to at least: identify, by an extraction component, impact data associated with at least one issue based on incident-related data obtained from a selected incident ticket, the impact data including an impact time-period (See ¶¶ [0038], [0041], [0044], Teaches that community extractor 302 uses the number of communities identified by corpus sigma calculator 300 and further extracts additional communities present in the data (e.g., from historical incident alert data 110). In some embodiments, determining an affinity score may also include determining parent and child relationships between sources of incident alerts. An incident alert submitted for a child node or network element may be caused by a problem associated with a parent node or network element. attribute strapping 308 includes attaching attributes obtained in the previous stages, including attributes from corpus sigma calculator 300, community extractor 302, semantic analyzer 304, and/or dynamic clustering 306, as well as additional attributes obtained from historical incident alert data 110 to each cluster. For example, attribute strapping 308 may include attaching information about time ranges, affinity score delta, number of sources (e.g., nodes or network elements), parent-child relationship factors, and/or resolution/close notes associated with incident alerts to each of the clusters obtained or generated by dynamic clustering 306);
generate, by a prediction component, predicted impact data including additional data describing a set of potentially impacted infrastructure elements, the set of potentially impacted infrastructure elements comprising at least one of a set of potentially impacted infrastructure components (See ¶¶ [0057], [0066], Teaches that a sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts);
and create, by an update component, at least one labeled incident ticket associated with the issue, the at least one labeled incident ticket including at least a portion of the predicted impact data (See ¶¶ [0073], [0025] Teaches that a prescriptive avoidance rule set is generated. The prescriptive avoidance rule set includes one or more rules of the plurality of rules from the rule knowledge base 310 that are configured to identify an incident alert as a dead-end ticket. A “dead-end ticket” means an incident alert or ticket for which a problem has no actionable resolution or for which the resolution is dependent on the resolution of a different incident alert or ticket.). 
However, it does not expressly teach the set of potentially impacted infrastructure elements comprising at least one of a set of potential impacted users and an updated time-period based on analysis of the impact data with infrastructure data and real-time monitor data associated with a set of infrastructure components.
Chen et al., from analogous art, teaches the set of potentially impacted infrastructure elements comprising at least one of a set of potential impacted users (See ¶¶ [0035], [0031], Teaches that all impacted entities (e.g., users, admins, technicians, etc.) are determined based on relationship maps 36 at S7, and at S8 the impacted entities are notified. Cloud users can be linked to components in the cloud 40, and different components can be linked).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chen et al. into Balasubramanian et al. to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents.
One of ordinary skill in the art would have been motivated because it allows one  to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents (See Chen et al. ¶ [0001]).
However, it does not expressly teach an updated time-period based on analysis of the impact data with infrastructure data and real-time monitor data associated with a set of infrastructure components.
Margalit et al., from analogous art, teaches an updated time-period based on analysis of the impact data with infrastructure data and real-time monitor data associated with a set of infrastructure components (See ¶ [0078] and Fig. 15, Teaches that temporal table 718 includes fields indicative of the valid time for alerts, such as a valid time start time indicative of a time at which the alert becomes valid and a valid time end time indicative of a time at which the alert ceases to be valid. In an implementation, the valid time start time for an alert can be represented by a timestamp recorded at the time the alert is identified. In an implementation, the valid time end time for the alert can be represented by a timestamp indicative of an impact calculation operation performed based on the alert. In an implementation, the valid time end time for the alert can be represented by a timestamp recorded at the time an update to or replacement for the alert is identified. For example, where the alert indicates a medium severity for a database, its valid time end time may be the time at which a new alert indicating a cleared severity for the database is identified).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Margalit et al. into the combination of Balasubramanian et al. and Chen et al. to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time.
One of ordinary skill in the art would have been motivated because it allows one to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time (See Margalit et al. ¶ [0004]).

As to claim 17, the combination of Balasubramanian et al. and Chen et al. and Margalit et al. teaches the one or more non-transitory computer readable storage media according to claim 15 above. Balasubramanian et al. further teaches wherein the ticket manager component further comprises an impact model utilizing machine learning, wherein the computer-executable instructions, upon execution by a processor, further cause the processor to at least: train the impact model using training data, including the at least one labeled incident ticket (See ¶ [0033], Teaches that after the rules knowledge base has been initially populated as part of training phase 200, incident avoidance system 120 may implement a reinforcement learning phase 210. Reinforcement learning phase 210 includes use of a machine learning algorithm that enables refinement and adjustment of the rules in the rules knowledge base through trial and error with feedback. For example, as described above, in some embodiments, a second subset of historical incident alert data 110 may be used by reinforcement engine module 124 to obtain positive and/or negative feedback on the rules in the rules knowledge base during reinforcement learning phase 210. In some cases, user input 212 may be received during reinforcement learning phase 210 to assist reinforcement engine module 124 with refining the rules in the rules knowledge base. User input 212 may be in the form of positive or negative feedback, as well as confirming or denying whether or not a particular incident alert is a dead-end ticket). 

As to claim 18, the combination of Balasubramanian et al. and Chen et al. and Margalit et al. teaches the one or more non-transitory computer readable storage media according to claim 15 above. Balasubramanian et al. further teaches wherein the computer- executable instructions, upon execution by a processor, further cause the processor to at least: analyze the infrastructure data, including a set of known infrastructure components identifying at least one of hardware components and software components from the set of potentially impacted infrastructure elements; and identify a list of potentially impacted infrastructure components unidentified in the incident ticket associated with the issue from the set of known infrastructure components (See ¶¶ [0041], [0057], [0066], Teaches that determining an affinity score may also include determining parent and child relationships between sources of incident alerts. An incident alert submitted for a child node or network element may be caused by a problem associated with a parent node or network element. For example, in an enterprise network, multiple incident alerts about problems with wireless network access submitted for different devices (i.e., child nodes) may be related to an incident alert about a problem with a wireless access point (i.e., parent node) serving those devices. In such cases, incident alerts for one or more child nodes are related to the incident alert for the parent node. As a result, a resolution of the problem associated with the incident alert for the parent node may be sufficient to resolve the problems detailed in the incident alerts for the child node or nodes. In some embodiments, determining a parent and child relationship between two or more nodes in the enterprise environment may be obtained by analyzing the relationships between the sources (i.e., nodes) included in the incident alerts in historical incident alert data 110. These parent-child relationships may then be used as part of the rules for the prescriptive avoidance rule set. A sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts). 

As to claim 19, the combination of Balasubramanian et al. and Chen et al. and Margalit et al. teaches the one or more non-transitory computer readable storage media according to claim 15 above. However, it does not expressly teach wherein the computer- executable instructions, upon execution by a processor, further cause the processor to at least: analyze the infrastructure data, including a set of known users associated with at least one infrastructure component from the set of potentially impacted infrastructure elements; and identify a list of additional potentially impacted users unidentified in the incident ticket associated with the issue from the set of known users potentially impacted by the issue.
Chen et al., from analogous art, teaches wherein the computer- executable instructions, upon execution by a processor, further cause the processor to at least: analyze the infrastructure data, including a set of known users associated with at least one infrastructure component from the set of potentially impacted infrastructure elements; and identify a list of additional potentially impacted users unidentified in the incident ticket associated with the issue from the set of known users potentially impacted by the issue (See ¶¶ [0035], [0031], Teaches that all impacted entities (e.g., users, admins, technicians, etc.) are determined based on relationship maps 36 at S7, and at S8 the impacted entities are notified. Relationship manager 26 (FIG. 1) has two primary functions, to generate and maintain relationship maps 36 and to implement a correlation engine. Relationship maps 36 link objects within the topology, such as relationships between VMs, users, hardware, services, etc. The relationship maps 36 map be generated based on the topology 32, VM data, user data, etc. For example, illustrative maps may determine which VMs are associated with which hosts, which VMs are associated with which network bridges, which VMs are associated with which users, etc. For example, a first VM (VM1) may have relationships with a host (HOST2), network bridge (BR1), and a set of users (USER1, USER5, USER7). Over time, relationship manager 26 may utilize information from the monitoring module 24 to implement real-time updates to the relationship maps 36. For example, if a server is added to the cloud 40, the topology 32 and associated relationship map 36 will be updated. In this manner, cloud users can be linked to components in the cloud 40, and different components can be linked.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chen et al. into the combination of Balasubramanian et al. and Chen et al. and Margalit et al. to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents.
One of ordinary skill in the art would have been motivated because it allows one  to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents (See Chen et al. ¶ [0001]).

As to claim 20, the combination of Balasubramanian et al. and Chen et al. and Margalit et al. teaches the one or more non-transitory computer readable storage media according to claim 15 above. However, it does not expressly teach wherein the computer- executable instructions, upon execution by a processor, further cause the processor to at least: analyze the real-time monitor data and the infrastructure data to determine whether to expand the impact time-period, wherein generating the updated time-period includes updating the impact time period to include at least one of an earlier start time and a later end time.
Margalit et al., from analogous art, teaches wherein the computer- executable instructions, upon execution by a processor, further cause the processor to at least: analyze the real-time monitor data and the infrastructure data to determine whether to expand the impact time-period, wherein generating the updated time-period includes updating the impact time period to include at least one of an earlier start time and a later end time (See ¶ [0078] and Fig. 15, Teaches that temporal table 718 includes fields indicative of the valid time for alerts, such as a valid time start time indicative of a time at which the alert becomes valid and a valid time end time indicative of a time at which the alert ceases to be valid. In an implementation, the valid time start time for an alert can be represented by a timestamp recorded at the time the alert is identified. In an implementation, the valid time end time for the alert can be represented by a timestamp indicative of an impact calculation operation performed based on the alert. In an implementation, the valid time end time for the alert can be represented by a timestamp recorded at the time an update to or replacement for the alert is identified. For example, where the alert indicates a medium severity for a database, its valid time end time may be the time at which a new alert indicating a cleared severity for the database is identified).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Margalit et al. into the combination of Balasubramanian et al. and Chen et al. and Margalit et al. to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time.
One of ordinary skill in the art would have been motivated because it allows one to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time (See Margalit et al. ¶ [0004]).

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al. (US 20200285697 A1) and Chen et al. (US 20180324062 A1) and Margalit et al. (US 20190036797 A1) and further in view of Cai et al. (US 20190347282 A1).

As to claim 16, the combination of Balasubramanian et al. and Chen et al. and Margalit et al. teaches the one or more non-transitory computer readable storage media according to claim 15 above. However, it does not expressly teach wherein the computer- executable instructions, upon execution by a processor, further cause the processor to at least: analyze, by an analysis component, the real-time monitor data during the updated time-period to identify a set of anomalous data, wherein the set of anomalous data is utilized to generate the at least one labeled incident ticket, wherein the set of anomalous data comprises at least one of anomalous event data and anomalous metric data.
Cai et al., from analogous art, teaches wherein the computer- executable instructions, upon execution by a processor, further cause the processor to at least: analyze, by an analysis component, the real-time monitor data during the updated time-period to identify a set of anomalous data, wherein the set of anomalous data is utilized to generate the at least one labeled incident ticket, wherein the set of anomalous data comprises at least one of anomalous event data and anomalous metric data (See ¶¶ [0150], Teaches that The visual navigator of infrastructure components allows for real-time detection and prediction of vulnerabilities. The virtual agent 180 can display condensed summaries of a large amount of data and can link the summaries to predictive models 126 and operational risk models 124 to identify risk events and provide summaries of those events.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Cai et al. into the combination of Balasubramanian et al. and Chen et al. and Margalit et al. to computationally analyze request strings in historical IT incident tickets to identify estimated recommendations representative of solutions based on the competition analysis.
One of ordinary skill in the art would have been motivated because it allows one to computationally analyze request strings in historical IT incident tickets to identify estimated recommendations representative of solutions based on the competition analysis (See Cai et al. ¶ [0065]).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Badhe et al. (US 20130132060 A1) teaches an approach for prioritizing work requests to resolve incidents in an information technology (IT) infrastructure is presented. Historical data of work requests to resolve incidents in the IT infrastructure is divided into first and second data sets. A first set of data fields of work requests in the first data set is used to generate incident concept(s). The incident concept(s) are combined with a second set of data fields of the work requests in the first data set to form a set of predictive variables. Utilizing the predictive variables, a statistical model is generated for predicting whether or not work requests will be resolved in accordance with a service level target. The statistical model is validated using the second data set. The statistical model is deployed to the IT infrastructure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to James R Hollister whose telephone number is (571)270-3152. The examiner can normally be reached Mon - Fri 7:30 am - 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on (571) 270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





James Hollister
/J.R.H./Examiner, Art Unit 2456                                                                                                                                                                                                        4/14/22


/UMAR CHEEMA/Supervisory Patent Examiner, Art Unit 2456