DETAILED ACTION
This communication is responsive to the application, filed December 20, 2019.  Claims 1-30 are pending in this application.

Examined under the first inventor to file provisions of the AIA 
The present application was filed on December 20, 2019, which is on or after March 16, 2013, and thus is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 20 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 20 recites the limitation "the first configuration object" in lines 3-4.  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-8, 11-18, and 21-28 are rejected under 35 U.S.C. 103 as being unpatentable over Marvasti et al. (US 7,620,523 B2) in view of Salunke et al. (US 2017/0329660 A1).

As per claim 1:  A computer-implemented method for performing anomaly detection, comprising: accessing an anomaly detection definition that defines how to populate a sequential set of time-series data points in a data window; 
Marvasti discloses [claim 1] collecting historical time-series data for a metric in the IT infrastructure for at least one monitoring period, each monitoring period having a plurality of timeslots and each timeslot observing metric data and screening the historical data to remove abnormal metric data to form a non-abnormal historical data set.
determining that one of a plurality of data streams is associated with the anomaly detection definition; and 
upon receiving an updated data point from the data stream, performing anomaly detection by: updating the data window by inserting the updated data point from the data stream into the data window; and 
analyzing the data window to determine a corresponding anomaly result for the anomaly detection definition.  
Marvasti discloses [claim 1] generating a simulated time-series data stream comprising the sequential position of each data point in the data stream to create a set, then comparing the incoming data stream for each metric against the sequential data points in the historical data stream.  The cumulative sum value is compared to the threshold to detect anomalous events, and an alert state is initiated when an anomalous event is detected in the data stream.  Marvasti discloses determining the data stream associated with the anomaly detection definition and analyzing the data window to determine the anomaly result, but fails to explicitly disclose updating the data window by inserting updated points.  Salunke discloses a similar method, which further teaches [Fig. 6; 0107-0108] updating the correlation prediction model based on the incoming correlation data.  The incoming data may be fit into the prediction model to update the level, seasonal, and trend components in the model.  Salunke further discloses [0050] that the predictive correlation models are trained to learn correlation patterns between different time-series over time.  This allows the predictive correlation model to be used to generate analytic outputs, such as flagging anomalies, raising alerts, and/or diagnosing problems or other events, based on a comparison between a predicted correlation and an observed correlation.  Salunke further discloses [0107] that the model can be updated based on the incoming correlation data.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Marvasti with that of Salunke.  One would have been motivated to update the data window because doing so allows the correlation model to be trained [Salunke; 0050].

As per claim 2:  The computer-implemented method of claim 1, further comprising receiving the plurality of data streams as real-time data provided from data sources from an information technology system.  
Marvasti discloses [claim 1] comparing incoming real-time data against the sequential data points in the historical data stream.

As per claim 3:  The computer-implemented method of claim 1, further comprising receiving data from the data stream in an order that the data was created.  
Marvasti discloses [Fig. 8; 067] the data is received and aggregated into sets of timeslot data as it is received.

As per claim 4:  The computer-implemented method of claim 1, further comprising processing the data stream by indexing incoming data from the data stream and generating the updated data point as a key performance indicator from the incoming data.  
Salunke discloses [Fig. 6; 0107-0108] updating the correlation prediction model based on the incoming correlation data.  The incoming data may be fit into the prediction model to update the level, seasonal, and trend components in the model.  

As per claim 5:  The computer-implemented method of claim 1, further comprising applying an anomaly detection search command to the plurality of data streams to extract the updated data point for the data stream.  
Salunke discloses [0050] that the predictive correlation models are trained to learn correlation patterns between different time-series over time.  This allows the predictive correlation model to be used to generate analytic outputs, such as flagging anomalies, raising alerts, and/or diagnosing problems or other events, based on a comparison between a predicted correlation and an observed correlation.  Salunke further discloses [0076] that during the evaluation phase, the process searches for statistically significant abnormalities in the metric behavior.

As per claim 6:  The computer-implemented method of claim 1, further comprising updating the data window with data points from different data sources arriving at different intervals.  
Salunke discloses [0050] the predictive correlation models are trained to learn correlation patterns between different time-series over time.  This allows the predictive correlation model to be used to generate analytic outputs, such as flagging anomalies, raising alerts, and/or diagnosing problems or other events, based on a comparison between a predicted correlation and an observed correlation.  Salunke further discloses [0107] the model can be updated based on the incoming correlation data.

As per claim 7:  The computer-implemented method of claim 1, further comprising receiving the plurality of data streams from a plurality of data sources, each of the plurality of data sources providing multiple data streams of the plurality of data streams.  
Salunke discloses [Fig. 1; 0057-0059] receiving data streams from one or a plurality of targets to a collection logic.

As per claim 8:  The computer-implemented method of claim 1, further comprising receiving multiple data streams of the plurality of data streams from a single data source, wherein each of the multiple data streams reflects a different aspect of data provided by the data source.  
Salunke discloses [Fig. 1; 0057-0059] receiving data streams from one or a plurality of targets to a collection logic.

As per claims 11-18:  Although claims 11-18 are directed towards a medium claim, they are rejected under the same rationale as the method claims 1-8 above.

As per claims 21-28:  Although claims 21-28 are directed towards a system claim, they are rejected under the same rationale as the method claims 1-8 above.

Claims 9, 10, 19, 20, 29, and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Marvasti in view of Salunke and further in view of Tee (US 2016/0218910 A1).

As per claim 9:  The computer-implemented method of claim 1, wherein the anomaly detection definition is one of a plurality of anomaly detection definitions, and wherein a configuration object includes all of the plurality of anomaly detection definitions.  
Marvasti and Salunke disclose the method of claim 1, but fail to explicitly disclose that the anomaly detection definition is one of a plurality of definitions.  Tee discloses a similar method, which further teaches [Fig. 1B; 0023] providing anomaly detection and definition of the anomalies in one place for the distributed system.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Marvasti and Salunke with that of Tee.  One would have been motivated to include all of the plurality of anomaly detection definitions because doing so allows a knowledge base to be created [Tee; 0128-0129].

As per claim 10:  The computer-implemented method of claim 1, wherein the anomaly detection definition is one of a plurality of anomaly detection definitions, wherein a configuration object includes all of the plurality of anomaly detection definitions, and wherein the configuration object defines a shared search for the plurality of anomaly detection definitions.
Marvasti and Salunke disclose the method of claim 1, but fail to explicitly disclose that the anomaly detection definition is one of a plurality of definitions.  Tee discloses a similar method, which further teaches [Fig. 1B; 0023] providing anomaly detection and definition of the anomalies in one place for the distributed system.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Marvasti and Salunke with that of Tee.  One would have been motivated to include all of the plurality of anomaly detection definitions because doing so allows a knowledge base to be created [Tee; 0128-0129].

As per claims 19 and 20:  Although claims 19 and 20 are directed towards a medium claim, they are rejected under the same rationale as the method claims 9 and 10 above.

As per claims 29 and 30:  Although claims 29 and 30 are directed towards a system claim, they are rejected under the same rationale as the method claims 9 and 10 above.

Conclusion
The following prior art made of record and not relied upon is cited to establish the level of skill in the applicant’s art and those arts considered reasonably pertinent to applicant’s disclosure. See MPEP 707.05(c).
· US 20100229023 A1 – Gross discloses sequential-analysis technique used by filtering to a sequential probability ratio test.  It can be configured based on historical telemetry data associated with the monitored computer system and detecting anomalous behavior from the monitored computer systems.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JIGAR P PATEL whose telephone number is (571)270-5067.  The examiner can normally be reached on Monday to Friday 10AM-6PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Matt Kim, can be reached on 571-272-4182.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JIGAR P PATEL/Primary Examiner, Art Unit 2114