DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given via e-mail by Jonathon P. Western (Reg. No. 68,095) on June 15, 2022.

The application has been amended as follows: 
1.  (Currently Amended)  A method, comprising:
detecting, by a network assurance service that monitors a network, an anomaly in the network by applying a machine learning-based anomaly detector to telemetry data collected from the network;
sending, by the network assurance service, first interface data to a user interface, wherein the first interface data causes the user interface to present the detected anomaly and one or more candidate root cause metrics from the telemetry data associated with the detected anomaly;
receiving, at the network assurance service, feedback from the user interface regarding the one or more candidate root cause metrics from the telemetry data associated with the detected anomaly, wherein the feedback received from the user interface indicates whether or not a user deems the one or more candidate root cause metrics as a root cause of the anomaly;
using, by the network assurance service and based in part on the received feedback regarding the one or more candidate root cause metrics, a machine learning-based model to learn a root cause of the anomaly, wherein the root cause of the anomaly comprises one or more thresholds of the one or more candidate root cause metrics;
sending, by the network assurance service, second interface data to the user interface, wherein the second interface data causes the user interface to present at least one of the one or more candidate root cause metrics as a candidate root cause of a subsequent detected anomaly, based on the one or more thresholds; and
adding, by the network assurance service, the root cause of the anomaly comprising the one or more thresholds as a new root cause to a root cause database maintained by the network assurance service,
wherein the machine learning-based model comprises a random forest classifier trained to label the one or more thresholds of the one or more metrics as either likely to be deemed via the feedback from the user interface as a root cause of the anomaly or likely to not be deemed a root cause of the anomaly,
wherein the random forest classifier comprises an ensemble of stump classifiers, and 
wherein using the machine learning-based model to learn the root cause of the anomaly as one or more thresholds of the one or more candidate root cause metrics comprises:
computing the one or more thresholds as an average of thresholds labeled by the stump classifiers as likely to be deemed the root cause of the anomaly.

2.  (Canceled)  

3.  (Original)  The method as in claim 1, wherein the one or more candidate root cause metrics comprise at least one of: a Dynamic Host Configuration Protocol (DHCP) error count, a number of clients being onboarded to the network, or a number of Authentication, Authorization and Accounting (AAA) authentication failures.

4-6.  (Canceled)  

7.  (Previously Presented)  The method as in claim 1, wherein the feedback received from the user interface comprises a binary label that labels the one or more thresholds of the one or more candidate metrics as the likely root cause of the anomaly or not likely to be the root cause of the anomaly.

8.  (Original)  The method as in claim 1, wherein at least one of the candidate root cause metrics comprises a computational transformation of the telemetry data.

9.  (Currently Amended)  An apparatus, comprising:
one or more network interfaces to communicate with a network;
a processor coupled to the network interfaces and configured to execute one or more processes; and
a memory configured to store a process executable by the processor, the process when executed configured to: 
detect an anomaly in the network by applying a machine learning-based anomaly detector to telemetry data collected from the network;
send first interface data to a user interface, wherein the first interface data causes the user interface to present the detected anomaly and one or more candidate root cause metrics from the telemetry data associated with the detected anomaly;
receive feedback from the user interface regarding the one or more candidate root cause metrics from the telemetry data associated with the detected anomaly, wherein the feedback received from the user interface indicates whether or not a user deems the one or more candidate root cause metrics as a root cause of the anomaly;
use, based in part on the received feedback regarding the one or more candidate root cause metrics, a machine learning-based model to learn a root cause of the anomaly, wherein the root cause of the anomaly comprises one or more thresholds of the one or more candidate root cause metrics;
send second interface data to the user interface, wherein the second interface data causes the user interface to present at least one of the one or more candidate root cause metrics as a candidate root cause of a subsequent detected anomaly, based on the one or more thresholds; and
add the root cause of the anomaly comprising the one or more thresholds as a new root cause to a root cause database maintained by the network assurance service,
wherein the machine learning-based model comprises a random forest classifier trained to label the one or more thresholds of the one or more metrics as either likely to be deemed via the feedback from the user interface as a root cause of the anomaly or likely to not be deemed a root cause of the anomaly,
wherein the random forest classifier comprises an ensemble of stump classifiers, and 
wherein the apparatus uses the machine learning-based model to learn the root cause of the anomaly as one or more thresholds of the one or more candidate root cause metrics by:
computing the one or more thresholds as an average of thresholds labeled by the stump classifiers as likely to be deemed the root cause of the anomaly.

10.  (Canceled)  

11.  (Original)  The apparatus as in claim 9, wherein the one or more candidate root cause metrics comprise at least one of: a Dynamic Host Configuration Protocol (DHCP) error count, a number of clients being onboarded to the network, or a number of Authentication, Authorization and Accounting (AAA) authentication failures.

12-14.  (Canceled)  

15.  (Previously Presented)  The apparatus as in claim 9, wherein the feedback received from the user interface comprises a binary label that labels the one or more thresholds of the one or more candidate metrics as the likely root cause of the anomaly or not likely to be the root cause of the anomaly.

16.  (Original)  The apparatus as in claim 9, wherein at least one of the candidate root cause metrics comprises a computational transformation of the telemetry data.

17.  (Currently Amended)  A tangible, non-transitory, computer-readable medium storing program instructions that cause a network assurance service that monitors a network to execute a process comprising:
detecting, by the network assurance service, an anomaly in the network by applying a machine learning-based anomaly detector to telemetry data collected from the network;
sending, by the network assurance service, first interface data to a user interface, wherein the first interface data causes the user interface to present the detected anomaly and one or more candidate root cause metrics from the telemetry data associated with the detected anomaly;
receiving, at the network assurance service, feedback from the user interface regarding the one or more candidate root cause metrics from the telemetry data associated with the detected anomaly, wherein the feedback received from the user interface indicates whether or not a user deems the one or more candidate root cause metrics as a root cause of the anomaly;
using, by the network assurance service and based in part on the received feedback regarding the one or more candidate root cause metrics, a machine learning-based model to learn a root cause of the anomaly, wherein the root cause of the anomaly comprises one or more thresholds of the one or more candidate root cause metrics;
sending, by the network assurance service, second interface data to the user interface, wherein the second interface data causes the user interface to present at least one of the one or more candidate root cause metrics as a candidate root cause of a subsequent detected anomaly, based on the one or more thresholds; and
adding, by the network assurance service, the root cause of the anomaly comprising the one or more thresholds as a new root cause to a root cause database maintained by the network assurance service,
wherein the machine learning-based model comprises a random forest classifier trained to label the one or more thresholds of the one or more metrics as either likely to be deemed via the feedback from the user interface as a root cause of the anomaly or likely to not be deemed a root cause of the anomaly,
wherein the random forest classifier comprises an ensemble of stump classifiers, and 
wherein using the machine learning-based model to learn the root cause of the anomaly as one or more thresholds of the one or more candidate root cause metrics comprises:
computing the one or more thresholds as an average of thresholds labeled by the stump classifiers as likely to be deemed the root cause of the anomaly.

18.  (Canceled)  

19.  (Original)  The computer-readable medium as in claim 17, wherein the one or more candidate root cause metrics comprise at least one of: a Dynamic Host Configuration Protocol (DHCP) error count, a number of clients being onboarded to the network, or a number of Authentication, Authorization and Accounting (AAA) authentication failures.

20.  (Canceled)  
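
One reading of the threshold-learning step recited in claims 1, 9 and 17, given as an added example that is not part of the Office action or of the application: each stump in the ensemble learns a cut point on a candidate metric from binary user feedback, and the learned root-cause threshold is the average of those cut points. The metric (AAA authentication failures, named in claim 3), the feedback samples, the bootstrap training and the "value >= threshold" rule direction are assumptions.

```python
import random
from statistics import mean

# Constructed feedback: (AAA authentication failures in the anomaly window,
# user label: 1 = deemed root cause, 0 = not). Not real telemetry.
FEEDBACK = [(3, 0), (5, 0), (8, 0), (12, 0), (15, 0), (22, 0),
            (31, 1), (35, 1), (40, 1), (47, 1), (52, 1), (60, 1)]

def fit_stump(samples):
    """Fit a one-split classifier: return the cut t that minimises errors for
    the rule 'value >= t -> root cause', or None if only one class is present."""
    if len({label for _, label in samples}) < 2:
        return None
    values = sorted({v for v, _ in samples})
    # Candidate cuts are midpoints between consecutive distinct metric values.
    cuts = [(a + b) / 2 for a, b in zip(values, values[1:])]

    def errors(t):
        return sum((v >= t) != bool(label) for v, label in samples)

    return min(cuts, key=errors)

def learn_threshold(feedback, n_stumps=50, seed=7):
    """Train n_stumps stumps on bootstrap resamples of the feedback and
    return the average of their cut points (assumed aggregation rule)."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    thresholds = []
    for _ in range(n_stumps):
        boot = [rng.choice(feedback) for _ in feedback]
        t = fit_stump(boot)
        if t is not None:  # skip resamples that drew a single class
            thresholds.append(t)
    if not thresholds:
        raise ValueError("feedback contains a single class; nothing to learn")
    return mean(thresholds)

def is_candidate_root_cause(value, threshold):
    """Decide whether to present the metric for a subsequent anomaly."""
    return value >= threshold

if __name__ == "__main__":
    t = learn_threshold(FEEDBACK)
    print(f"learned threshold: {t:.1f}")
    print("present 44 failures as candidate:", is_candidate_root_cause(44, t))
```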


REASONS FOR ALLOWANCE
The following is the Examiner’s statement of reasons for allowance:
	Independent claims 1, 9, and 17, among other things, teach a method, an apparatus, and a tangible, non-transitory, computer-readable medium for monitoring and detecting anomalies in the network by applying an anomaly detector to telemetry data collected from the network, and more particularly for anomaly detection with root cause learning in a network assurance service. The invention consists of detecting, by a network assurance service that monitors a network, an anomaly in the network by applying a machine learning-based anomaly detector to telemetry data collected from the network; sending, by the network assurance service, first interface data to a user interface, wherein the first interface data causes the user interface to present the detected anomaly and one or more candidate root cause metrics from the telemetry data associated with the detected anomaly; receiving, at the network assurance service, feedback from the user interface regarding the one or more candidate root cause metrics from the telemetry data associated with the detected anomaly, wherein the feedback received from the user interface indicates whether or not a user deems the one or more candidate root cause metrics as a root cause of the anomaly; using, by the network assurance service and based in part on the received feedback regarding the one or more candidate root cause metrics, a machine learning-based model to learn a root cause of the anomaly, wherein the root cause of the anomaly comprises one or more thresholds of the one or more candidate root cause metrics; sending, by the network assurance service, second interface data to the user interface, wherein the second interface data causes the user interface to present at least one of the one or more candidate root cause metrics as a candidate root cause of a subsequent detected anomaly, based on the one or more thresholds; and adding, by the network assurance service, the root cause of the anomaly comprising the one or more thresholds as a new root cause to a root cause database maintained by the network assurance service, wherein the machine learning-based model comprises a random forest classifier trained to label the one or more thresholds of the one or more metrics as either likely to be deemed via the feedback from the user interface as a root cause of the anomaly or likely to not be deemed a root cause of the anomaly, wherein the random forest classifier comprises an ensemble of stump classifiers, and wherein using the machine learning-based model to learn the root cause of the anomaly as one or more thresholds of the one or more candidate root cause metrics comprises: computing the one or more thresholds as an average of thresholds labeled by the stump classifiers as likely to be deemed the root cause of the anomaly. Thus, the prior art, whether taken singly or in an obvious combination, does not teach the cited limitations.
	Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."


CORRESPONDENCE INFORMATION
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARINA J. GARCIA-CHING whose telephone number is (571)270-7159.  The examiner can normally be reached on Monday - Wednesday (9:00 AM - 5:00 PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava, can be reached on (571) 272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KARINA J GARCIA-CHING/Examiner, Art Unit 2449

/VIVEK SRIVASTAVA/Supervisory Patent Examiner, Art Unit 2449