Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION
2.	This action is in response to the application filed March 12, 2019.

3.	Claims 1-20 have been examined and are pending with this action.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

4.	Claim(s) 1-20 are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Muntes-Mulero et al. (US 2019/0286757).
INDEPENDENT:
As per claim 1, Muntes-Mulero teaches a computer-implemented method, comprising: 
generating a connected graph comprising a plurality of first nodes, each of the first nodes corresponding to an infrastructure component, first edges connecting at least a portion of the first nodes, the first edges representing dependencies between the infrastructure components, a plurality of second nodes, each of the second nodes corresponding to an alarm generated by an anomaly detection system, and second edges connecting second nodes to first nodes, the second edges defining an association between an infrastructure component and an alarm (see Muntes-Mulero, [0016]: “The description below uses the term “system graph” to refer to a data structure that depicts connections or relationships between components. A system graph consists of nodes (vertices, points) and edges (arcs, lines) that connect them. A node represents a component, and an edge between two nodes represents a relationship between the two corresponding components. Nodes and edges may be labeled or enriched with data.  For example… a cause-and-effect type relationship”; [0017]: “or that a component stopped responding or failed.  An event indication can reference or include information about the event and is communicated to by an agent or probe to a component/agent/process that processes event indications”; and [0019]: “To aid in the root cause analysis of current system errors or anomalies”); 
computing scores for the infrastructure components based upon the connected graph (see Muntes-Mulero, [0019]: “The analysis software calculates a similarity score based on the comparison of the extracted pattern to patterns in the pattern library. The patterns in the pattern library represent previously encountered anomalies and include attributes, event data, expert/system administrator notes, etc., that can aid in diagnosing the current system anomaly”; and [0028]: “similarity calculator 108 generates a mapping between patterns that contains one-to-one mappings of nodes and edges in the compared patterns. In general, two patterns are similar if the patterns contain same types of components with similar relationships. A similarity score can also be affected by similarity of attributes, performance metrics, event logs, etc. For example, two components of different types may still be considered similar”); and 
identifying a root cause of an anomaly based, at least in part, on the scores computed for the infrastructure components (see Muntes-Mulero, Abstract, “Reducing the search space, exponentially reduces the number of iterations required for determining an optimal similarity score and improves the performance and scalability of the overall root cause analysis framework”; and [0002]: “Information related to interconnections among components in a system is often used for root cause analysis of system issues”).

As per claim 11, Muntes-Mulero teaches a computing system, comprising: 
one or more processors (see Muntes-Mulero, [0089]: “The program code may be provided to a processor of a general purpose computer, special purpose computer, or other programmable machine or apparatus”); and 
a computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by the processor, cause the processor (see Muntes-Mulero, [0096]: “The program code may execute entirely on a stand-alone machine, may execute in a distributed manner across multiple machines, and may execute on one machine while providing results and or accepting input on another machine”) to: 
generate a connected graph defining a topology of infrastructure components and alarms generated by a machine learning component (see Muntes-Mulero, Abstract: “The decision to combine nodes also considers a node's topological features such as relationships and connections to other nodes”; [0016]: “The description below uses the term “system graph” to refer to a data structure that depicts connections or relationships between components. A system graph consists of nodes (vertices, points) and edges (arcs, lines) that connect them. A node represents a component, and an edge between two nodes represents a relationship between the two corresponding components. Nodes and edges may be labeled or enriched with data.  For example… a cause-and-effect type relationship”; [0017]: “or that a component stopped responding or failed.  An event indication can reference or include information about the event and is communicated to by an agent or probe to a component/agent/process that processes event indications”; [0019]: “To aid in the root cause analysis of current system errors or anomalies”; [0040]-[0051]: “pattern analyzer” or “analyzer”; and [0053]: “If a most similar pattern is associated with a script, the analyzer may modify the script based on an anomalous component in the extracted pattern (e.g. add an identifier or IP address for the component to the script) and automatically execute the commands in the script. The analyzer can then monitor events to determine whether the anomaly was solved and display to a user which actions were taken”), 
compute scores for the infrastructure components based upon the connected graph (see Muntes-Mulero, [0019]: “The analysis software calculates a similarity score based on the comparison of the extracted pattern to patterns in the pattern library. The patterns in the pattern library represent previously encountered anomalies and include attributes, event data, expert/system administrator notes, etc., that can aid in diagnosing the current system anomaly”; and [0028]: “similarity calculator 108 generates a mapping between patterns that contains one-to-one mappings of nodes and edges in the compared patterns. In general, two patterns are similar if the patterns contain same types of components with similar relationships. A similarity score can also be affected by similarity of attributes, performance metrics, event logs, etc. For example, two components of different types may still be considered similar”), and 
identify a root cause of an anomaly based, at least in part, on the scores computed for the infrastructure components (see Muntes-Mulero, Abstract, “Reducing the search space, exponentially reduces the number of iterations required for determining an optimal similarity score and improves the performance and scalability of the overall root cause analysis framework”; and [0002]: “Information related to interconnections among components in a system is often used for root cause analysis of system issues”).

As per claim 16, Muntes-Mulero teaches a computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by the processor, cause the processor (see Muntes-Mulero, [0089]: “The program code may be provided to a processor of a general purpose computer, special purpose computer, or other programmable machine or apparatus”; and [0096]: “The program code may execute entirely on a stand-alone machine, may execute in a distributed manner across multiple machines, and may execute on one machine while providing results and or accepting input on another machine”) to: 
generate a connected graph defining a topology of infrastructure components and alarms generated by a machine learning component (see Muntes-Mulero, Abstract: “The decision to combine nodes also considers a node's topological features such as relationships and connections to other nodes”; [0016]: “The description below uses the term “system graph” to refer to a data structure that depicts connections or relationships between components. A system graph consists of nodes (vertices, points) and edges (arcs, lines) that connect them. A node represents a component, and an edge between two nodes represents a relationship between the two corresponding components. Nodes and edges may be labeled or enriched with data.  For example… a cause-and-effect type relationship”; [0017]: “or that a component stopped responding or failed.  An event indication can reference or include information about the event and is communicated to by an agent or probe to a component/agent/process that processes event indications”; [0019]: “To aid in the root cause analysis of current system errors or anomalies”; [0040]-[0051]: “pattern analyzer” or “analyzer”; and [0053]: “If a most similar pattern is associated with a script, the analyzer may modify the script based on an anomalous component in the extracted pattern (e.g. add an identifier or IP address for the component to the script) and automatically execute the commands in the script. The analyzer can then monitor events to determine whether the anomaly was solved and display to a user which actions were taken”); 
compute scores for the infrastructure components based upon the connected graph (see Muntes-Mulero, [0019]: “The analysis software calculates a similarity score based on the comparison of the extracted pattern to patterns in the pattern library. The patterns in the pattern library represent previously encountered anomalies and include attributes, event data, expert/system administrator notes, etc., that can aid in diagnosing the current system anomaly”; and [0028]: “similarity calculator 108 generates a mapping between patterns that contains one-to-one mappings of nodes and edges in the compared patterns. In general, two patterns are similar if the patterns contain same types of components with similar relationships. A similarity score can also be affected by similarity of attributes, performance metrics, event logs, etc. For example, two components of different types may still be considered similar”); and 
identify a root cause of an anomaly based, at least in part, on the scores computed for the infrastructure components (see Muntes-Mulero, Abstract, “Reducing the search space, exponentially reduces the number of iterations required for determining an optimal similarity score and improves the performance and scalability of the overall root cause analysis framework”; and [0002]: “Information related to interconnections among components in a system is often used for root cause analysis of system issues”).

DEPENDENT:
As per claim 2, which depends on claim 1, Muntes-Mulero further teaches wherein the anomaly detection system includes a machine learning component (see Muntes-Mulero, [0028]: “the patterns in the pattern library 109 represent previous states of the components 101, the patterns in the pattern library 109 may be referred to as historical patterns”; [0039]: “The similarity score 303 may be updated in real time to reflect the effect of the modified weights on the similarity between the two patterns 301 and 302”; [0040]-[0052]: “pattern analyzer” or “analyzer”; and [0053]: “If a most similar pattern is associated with a script, the analyzer may modify the script based on an anomalous component in the extracted pattern (e.g. add an identifier or IP address for the component to the script) and automatically execute the commands in the script. The analyzer can then monitor events to determine whether the anomaly was solved and display to a user which actions were taken”).
As per claims 3, 13, and 18, which respectively depend on claims 2, 11, and 16, Muntes-Mulero further teaches wherein the machine learning component generates the alarm based on analysis of real-time data metrics (see Muntes-Mulero, [0034]: “As a result, the process described in FIG. 1 is repeated at various frequencies to continue monitoring and diagnosing anomalies experienced by the components 101”; [0039]: “The similarity score 303 may be updated in real time to reflect the effect of the modified weights on the similarity between the two patterns 301 and 302”; and [0052]: “If a most similar pattern is associated with a script, the analyzer may modify the script based on an anomalous component in the extracted pattern (e.g. add an identifier or IP address for the component to the script) and automatically execute the commands in the script. The analyzer can then monitor events to determine whether the anomaly was solved and display to a user which actions were taken”).
As per claims 4, 14, and 19, which respectively depend on claims 2, 11, and 16, Muntes-Mulero further teaches wherein the machine learning component is based on a clustering-based model, a forecasting-based model, or a smoothing-based model (see Muntes-Mulero, [0024]: “The system graph 111 is a data structure that models physical, functional, and event-based relationships between the components”; and [0026]: “Additionally, the extractor 107 can determine whether the node Y is part of a sub-system and select all components corresponding to the sub-system. For example, if the node Y is a database in a database cluster, the extractor 107 selects the node Y and all other nodes which represent databases in the cluster and other related components, such as the database management system”).
As per claim 5, which depends on claim 2, Muntes-Mulero further teaches wherein the machine learning component is configured to generate the alarms using unsupervised machine learning (see Muntes-Mulero, [0053]: “If a most similar pattern is associated with a script, the analyzer may modify the script based on an anomalous component in the extracted pattern (e.g. add an identifier or IP address for the component to the script) and automatically execute the commands in the script. The analyzer can then monitor events to determine whether the anomaly was solved and display to a user which actions were taken”).
As per claim 6, which depends on claim 1, Muntes-Mulero further teaches wherein the scores for the second edges are computed based, at least in part, upon a frequency of a corresponding alarm and a frequency of the corresponding alarm among all alarms for the plurality of second nodes (see Muntes-Mulero, [0027]: “The extractor 107 may track the frequency with which seemingly independent anomalies occur. If two or more independent anomalies frequently occur within a same time window, the extractor 107 can determine that there is a relationship between the anomalies, even if the affected components are disconnected in the system graph 111. The extractor 107 may extract a pattern from the system graph 111 with two or more disconnected regions to represent the separate, but potentially related, anomalous regions. After extracting the pattern 112, the extractor 107 passes the pattern 112 to the similarity calculator 108”).
As per claim 7, which depends on claim 6, Muntes-Mulero further teaches wherein the scores for the first nodes are computed by generating a node score for each of the plurality of first nodes and propagating the node scores between the plurality of first nodes (see Muntes-Mulero, [0020]: “The nodes which represent a same component type and have similar attributes will likely have a high similarity score and can be combined into a single node representing the entire class of the components”).
As per claims 8, 15, and 20, which respectively depend on claims 1, 12, and 17, Muntes-Mulero teaches further comprising presenting a user interface (UI), the UI comprising first UI elements corresponding to the plurality of first nodes, second UI elements corresponding to the first edges, third UI elements corresponding to the second nodes, and fourth UI elements corresponding to the second edges (see Muntes-Mulero, FIG. 1, E; [0033]: “At stage E, the user interface 110 displays the pattern 112 and the similar patterns 113. The user interface 110 displays the similarity scores for the similar patterns 113 and displays component/relationship mappings between each of the similar patterns 113 and the pattern 112. The user interface 110 also displays possible root causes or diagnoses based on data associated with each of the similar patterns 113. The user interface 110 can allow a user to iterate through the mappings and similarity scores for each of the similar patterns 113 and provide feedback on the usefulness of the mappings and similarity scores”).
As per claim 9, which depends on claim 8, Muntes-Mulero further teaches wherein a visual attribute used to present the first UI elements in the UI is selected based, at least in part, upon a score for associated infrastructure components (see Muntes-Mulero, [0033]: “At stage E, the user interface 110 displays the pattern 112 and the similar patterns 113. The user interface 110 displays the similarity scores for the similar patterns 113 and displays component/relationship mappings between each of the similar patterns 113 and the pattern 112. The user interface 110 also displays possible root causes or diagnoses based on data associated with each of the similar patterns 113. The user interface 110 can allow a user to iterate through the mappings and similarity scores for each of the similar patterns 113 and provide feedback on the usefulness of the mappings and similarity scores”).
As per claim 10, which depends on 8, Muntes-Mulero further teaches wherein a visual attribute used to present the fourth UI elements in the UI is selected based, at least in part, upon a severity of alarms generated by the machine learning component (see Muntes-Mulero, [0033]: “If the pattern 112 is to be added to the pattern library 109, the user interface 110 allows a user to prevent the addition of the pattern 112 or to modify components and relationships, add weights…”).
As per claims 12 and 17, which respectively depend on claim 11 and 16, Muntes-Mulero further teaches wherein the connected graph comprises: a plurality of first nodes, each of the first nodes corresponding to an infrastructure component; first edges connecting at least a portion of the first nodes, the first edges representing dependencies between the infrastructure components; a plurality of second nodes, each of the second nodes corresponding to an alarm generated by the machine learning component; and second edges connecting second nodes to first nodes, the second edges defining an association between an infrastructure component and an alarm (see Muntes-Mulero, [0016]: “The description below uses the term “system graph” to refer to a data structure that depicts connections or relationships between components. A system graph consists of nodes (vertices, points) and edges (arcs, lines) that connect them. A node represents a component, and an edge between two nodes represents a relationship between the two corresponding components. Nodes and edges may be labeled or enriched with data.  For example… a cause-and-effect type relationship”; [0017]: “or that a component stopped responding or failed.  An event indication can reference or include information about the event and is communicated to by an agent or probe to a component/agent/process that processes event indications”; and [0019]: “To aid in the root cause analysis of current system errors or anomalies”).


Conclusion
5.	For the reasons above, claims 1-20 have been rejected and remain pending.

6.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL Y WON whose telephone number is (571)272-3993.  The examiner can normally be reached on Wk.1: M-F: 8-5 PST & Wk.2: M-Th: 8-7 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  Please note, the examiner generally will not hold interviews after a Final Office Action has been issued.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R Taylor can be reached on 571-272-3889.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


MICHAEL YOUNG WON
Primary Patent Examiner
Art Unit 2443



/Michael Won/
Primary Examiner, Art Unit 2443
April 28, 2022