DETAILED ACTION
 	Claims 1-27 are pending. Claims 1-2, 5, 8-11, 14, 17-20, 23 and 26-27 are amended. This is in response to Applicant’s arguments and amendments filed on February 22, 2022.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments with respect to claims 1, 10 and 19 in view of the 102 rejection have been considered but are moot in view of the amendments necessitated by a new ground of rejection.
Regarding claim 5, the 112b rejection is withdrawn in view of the amendment.
Regarding the 101 rejections, there are two different 101 rejections:
1) Applicant should be aware only claim 10 was rejected for not patent eligible as one of the four categories: a process, a machine, an article of manufacture or a composition of matter (see MPEP 2016.03). See top part of page 3 of the Non-Final mailed on January 11, 2021.
2) Claims 1, 10 and 19 were rejected under 101 statutory but in view of an abstract idea.
 	Hence, there is no error by Examiner to reject claims 1 and 19 as non-statutory subject matter. In fact, claims 1 and 19 are eligible as one of the four subject matter since claim 1 is a process claim and claim 19 is an article of manufacture.
	Regarding claim 10 for not being claimed as one of the four eligible subject matter, Applicant’s argument and amendment are not persuasive (per Remarks on page 13). The claim recites a computer system comprising: one or more processors; one or more data-storage devices; and machine-readable instructions. As presented the previous action, the computer system is interpreted as a virtual computer system having a virtual machine (VM) comprising one or more processors; one or more data-storage devices and instructions. In VMware’s world, a VM is a virtual PC, hence everything in it is considered as software per se. There is no clear recitation the claim ties to a physical apparatus/system unless Applicant amends such.
 	Regarding claim 1, 10 and 19 that were rejected under 101 but in view as an abstract idea, Applicant’s arguments and amendments are not persuasive. Examiner does not oversimplify the claims as accused. The claims recite collecting metric data produced by a software application to analyze for anomalous behaviors. This is an abstract idea as shown in court decisions such as in Classen and in Cybersource. Under broadest reasonable interpretation, covers performance of the limitations in the mind but for the recitation of generic computer components. That is, other than reciting instructions stored in a data storage executed using “one or more processors,” nothing in the claim element precludes the step from practically being performed in the mind. Furthermore, MPEM 2106.05(a) requires examiner to determine whether the claim purports to improve computer capabilities since mere automation of manual processes (e.g. a group of workers to collect data from each node for analysis), such as using a generic computer to process does not make the claim patent-eligible.
	This judicial exception is not integrated into a practical application. In particular, the claims only recite one additional element – using a processor to perform the collecting, analysis and providing an alert steps. The processor performs these steps is recited at a high-level of generality (i.e., as a generic processor performing a generic computer function of collecting information to perform analysis then providing an alert if anomaly is found) such that it amounts no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea (e.g. if anomalous behavior found: does it stop the anomalous node? Or does it apply some patches/fixes to the node?, etc.). The claim is directed to an abstract idea.
	The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform the aforementioned steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.
	This action is Final.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 10 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the terms processors, storage devices and machine readable medium are interpreted as software per se. Disclosure suggest the computer system can be configured in a virtual environment, hence the computer system claim is read as a virtual computer system using a virtual machine (VM) to performs all the steps. 
Examiner suggest Applicant should amend claim 10 as follows to overcome the rejection:
10. A computer system to proactively manage resources in a distributed computing system, the system comprising: one or more hardware processors; one or more physical data-storage devicesstoring machine-readable instructions that when executed using the one or more processors…
Claims 11-18 are rejected as being dependent to claim 10.
 	Claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) a process to collect streaming data in a periodic a for anomaly. Collecting data for analysis is known as an abstract idea (see Classen and Cybersource court decisions). This judicial exception is not integrated into a practical application because generating an alert and displaying the streams of metric data and log messages associated with the anomalous behavior in a graphical user interface does not improve the distributed computing system if malicious application executing in the system is detected. Moreover, using a processor to perform analysis is recited at a high-level of generality (i.e., as a generic processor performing a generic computer function of performing log message analysis on log messages associated with the nodes to detect anomalous behavior). The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the integration of the abstract idea into a practical application, the additional element of using a processor to perform the analysis on collected data and providing an alert on an interface amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.
 	Claims 2-9 are rejected with same reasoning above since they only recite in detail on how stream of metric data and log message are analyzed.
	Claims 10 and 19 are rejected with same reasoning presented in claim 1 rejection.
	Claims 11-18 and 20-27 are also rejected with same reasoning.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-3, 10-13 and 19-21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by PG Pub 20170063888 (hereinafter Muddu)
Regarding claim 1, Muddu discloses a process stored in one or more data-storage devices and executed using one or more processors of a computer system to detect and troubleshoot anomalous behavior of an application executing in a distributed computing system (Figs. 2-4 and par. [0139]-[0141] and [0159]-[0162] discloses a security platform to perform threat analyses in large scale for multiple networks where event data from the extract, transform, and load (ETL) analyzing over a batch processing for detecting anomalies in real-time where each batch of event data contains a collection of events that arrived over the batch period. The security platform can detect anomalies and threats produced by a user, a device, or an application (see Figs. 45E and 49A for examples among several interfaces to provide threat information), the process comprising: 
 	discovering nodes that comprise the application and execute software of the application (Figs. 54-58 and par. [0539]-[0542] disclose one of model of analyzing anomalies over a period of time. Fig. 69 and par. [0609]-[0616] disclose detecting an anomaly indicative of malware based on network traffic obtained event data);
 	 performing real time anomaly detection on multiple streams of metric data associated with the nodes in a time frame to detect anomalous behavior of the application and an approximate point in time when the anomalous behavior began, the time frame containing most recently generated metric values of the streams of metric data (Figs. 57-58 and related text disclose the exact timeline period of unusual sequences when a user accessing to a network); 
 	performing log message analysis on log messages associated with the nodes to detect anomalous behavior of the application recorded in the log messages generated in the time frame (see all of the above reasoning); and 
 	displaying an alert the approximate point in time and the streams of metric data and log messages associated with the anomalous behavior of the application in a graphical user interface when anomalous behavior is detected in at least one of the one or more streams of metric data and the log messages (par. [0151] and [0542] discloses the security platform can trigger several actions if a threat discovered including sending an alert to an administrator). 
	Claims 10 and 19 are rejected in view of claim 1 rejection.

 	Regarding claim 2, Muddu discloses wherein discovering the structure of nodes comprising the application comprises: partitioning nodes executing in the distributed computing system into types based on information streamed from agents within each node; determining which nodes have communications connections; and identifying the nodes that comprise the application and execute software of the application based on the node types and nodes with communication connections (Fig. 19 and par. [0302]-[0310] discloses “[a] model preparation process thread can assign (e.g., partition) the formatted subset of event feature sets into data groups (also referred to as "data partitions") according to the model type topology 1714 of the model type. The model type can correspond to an entity type (e.g., users, devices, systems, resource locators, applications, process threads, or anomalies) … the model preparation process thread instantiates … a subset of the computation workers 1526 according to the model type topology 1714. In some embodiments, each computation worker runs only model-specific process threads of one model type…”).

 	Regarding claim 3, Muddu discloses performing anomaly detection on the multiple streams of metric data comprises: for each time frame, receiving multiple streams of metric data generated by metric sources of objects executing the nodes, updating a performance model based on most recently received metric values of the streams of metric data, and detecting changes in one or more of the streams of metric data based on the updated performance model (par. [0233]-[0236] disclose using multiple machine learning models that are continually updated based on receiving a new event such as discovering a new particular machine identifier and a particular user identifier)

	Claims 11-13 and 20-21 are rejected in view of claims 2-3 rejections respectively.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 4, 13 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu in view of PG Pub 20190124099 (hereinafter Maselyukh) 	Regarding claim 4, Muddu discloses using machine learning analysis can be one of algorithm-based analysis, statistical analysis, etc. (par. [0162) but does not expressly disclose for new metric values of the streams of metric data, computing a mean of the recently received metric values; computing a sample standard deviation of the recently received metric values; and for each new metric value of the streams of metric data, computing a standard-score model based on the recently received metric value, the mean, and the sample standard deviation. Maselyukh discloses data streams collected then partitioned into time intervals where a value associated with each data stream for each of the plurality of time intervals is calculated a deviation for an anomaly in the collected data streams if the calculated deviation is above a threshold (Fig. 2, par. [0010] and [0041]-[0093]). Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Muddu with Maselyukh to teach the claimed features. One would have done so to improve anomaly detection that can reduce the number of false positive detections whilst also improving the overall detection rate to ensure a higher proportion of true anomalies (Maselyukh).
 	Claims 13 and 22 are rejected in view of claim 4 rejection.

Claims 6, 8, 15, 17, 24 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu in view of PG Pub 20140108640 (hereinafter Mathis) 	Regarding claim 6, Muddu discloses using machine learning analysis can be one of algorithm-based analysis, statistical analysis, etc. (par. [0162) but does not expressly disclose for each stream of the multiple streams of metric data, computing forecast metric values in a forecast interval; and computing a forecast confidence interval for each of the forecast metric values. Mathis discloses a method “…for anomaly detection in time series data using predictive modeling… The time-series data includes values for a network-site analytics metric over time. The method includes generating a predictive model for the metric based on a segment of the time-series data and using the predictive model to predict an expected value range for the network-site analytics metric for a future time…” (par. [0003]). Note, although the application Mathis used is not for malware detection, the passage above suggests for any time-series data a predictive model can be used to predict (e.g. forecast) anomaly if an actual value is off the expected (predicted) value range (par. [0031]-[0036] discloses the time-series data analysis involves the forecasted value, standard error and confidence level). Therefore, it would have been obvious before the effective filing date of the claimed invention to modifying Muddu with Mathis by applying the predictive model on each statistical data per interval of Schmitt would further teach the claimed features. One would have done so to improve data analytics on large amounts of data with large number of associated metrics (Mathis).

Regarding claim 8, Muddu and Mathis disclose wherein performing anomaly detection to detect changes in one or more of the streams of metric data based on the updated performance model comprises: determining a threshold based on the performance model; and when one or more streams of the metric data violates the threshold, identifying the resource in the graphical user interface as exhibiting anomalous behavior (As presented in claim 1 rejection, Mudd provides a pluralities of Interfaces with threat and anomalies information. Mathis, par. [0012] and [0027] disclose a metric is a measure of activities or performance. Hence, the predictive analytic would provide a predictive expected value vs the obtained actual value. If the actual value exceeds the expected range by a threshold it would consider to be anomalous).

 	Claims 15 and 24 are rejected in view of claim 6 rejection.

 	Claims 17 and 26 are rejected in view of claim 8 rejection.

Claims 9, 18 and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu in view of PG Pub 20070143851 (hereinafter Nicodemus)
Regarding claim 9, Muddu discloses using machine learning analysis can be one of algorithm-based analysis, statistical analysis, etc. (par. [0162) but does not expressly disclose wherein performing log message analysis on the log messages comprises: determining an event type for each log message; computed a relative frequency of each event type generated in the time frame; and generating the alert when the relative frequency of one of the event types is greater than an associated relative frequency threshold. Nicodemus discloses a system of monitoring software vulnerabilities with agent installed on each endpoint to be monitored (Fig. 5 and related text). Nicodemus discloses using different analysis algorithms such as mean-based, Standard-deviation based, etc. (par. [0917]-[0950]) where Nicodemus also analyzes collected data used to compare for relative frequency over a threshold for anomaly as defined in a policy. Therefore, it would have been obvious before the effective filing date of the claimed invention to modifying Muddu with Nicodemus by applying one of the analysis algorithms further teach the claimed features. One would have done so to use known method to arrive at the claimed invention with reasonable expectation for success.
 	Claims 18 and 27 are rejected in view of claim 9 rejection.

Allowable Subject Matter
Claims 5, 7, 14, 16, 23 and 25 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Inquiry communication
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571)270-1994. The examiner can normally be reached Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRI M TRAN/Primary Examiner, Art Unit 2432