Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. The claims recite an abstract idea as discussed below. This abstract idea is not integrated into a practical application for the reasons discussed below. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception for the reasons discussed below. 
Step 1 of the 2019 Guidance requires the examiner to determine if the claims are to one of the statutory categories of invention.  Applied to the present application, the claims belong to one of the statutory classes of a process (method claims 1-9) and a product (apparatus claims 10-20).
Step 2A of the 2019 Guidance is divided into two Prongs.  Prong 1 requires the examiner to determine if the claims recite an abstract idea, and further requires that the abstract idea belong to one of three enumerated groupings: mathematical concepts, mental processes, and certain methods of organizing human activity.
Specifically, Claim 1 recites:
Claim 1. A method comprising:  
obtaining, by a device, an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly;  
extracting, by the device, a context for the anomaly as an n-gram of portions of the sequence of text surrounding the anomaly;  
identifying, by the device, a structure of the anomaly by identifying portions of the extracted context as anchors; and 
generating, by the device and based on the identified structure, an expression that represents the structure of the anomaly within the unstructured text. 
The claim limitations in the abstract idea have been highlighted in bold above; the remaining limitations are “additional elements”.
Under the Step 1 of the eligibility analysis, we determine whether the claims are to a statutory category by considering whether the claimed subject matter falls within the four statutory categories of patentable subject matter identified by 35 U.S.C. 101: Process, machine, manufacture, or composition of matter. The above claim is considered to be in a statutory category (process).
Under the Step 2A, Prong One, we consider whether the claim recites a judicial exception (abstract idea). In the above claim, the highlighted portion constitutes an abstract idea because, under a broadest reasonable interpretation, it recites limitations that fall into recite an abstract idea exceptions. Specifically, under the 2019 Revised Patent Subject matter Eligibility Guidance, it falls into the grouping of subject matter when recited as such in a claim limitation that covers mental processes – concepts performed in the human mind including an observation, evaluation, judgement, and/or opinion.
For example, the limitations of steps 2 and 3 are treated by the Examiner as belonging to mental process grouping, and limitation of step 1 is treated as mere data gathering and extra solution activity recited in generality.
According to the 2019 PEG: “If a claim, under its broadest reasonable interpretation, covers performance in the mind but for the recitation of generic computer components, then it is still in the mental processes category unless the claim cannot practically be performed in the mind. See Intellectual Ventures I LLC v. Symantec Corp., 838 F.3d 1307, 1318 (Fed. Cir. 2016) (‘‘[W]ith the exception of generic computer implemented steps, there is nothing in the claims themselves that foreclose them from being performed by a human, mentally or with pen and paper.' ‘); Mortg. Grader, Inc. v. First Choice Loan Servs. Inc., 811 F.3d. 1314, 1324 (Fed. Cir. 2016) (holding that computer-implemented method for ‘‘anonymous loan shopping' ' was an abstract idea because it could be ‘‘performed by humans without a computer' ' ); Versata Dev. Grp. v. SAP Am., Inc., 793 F.3d 1306, 1335 (Fed. Cir. 2015) (‘‘Courts have examined claims that required the use of a computer and still found that the underlying, patent-ineligible invention could be performed via pen and paper or in a person's mind.' ' ).”
For example, the limitations of “extracting, by the device, a context for the anomaly as an n-gram of portions of the sequence of text surrounding the anomaly” and “identifying, by the device, a structure of the anomaly by identifying portions of the extracted context as anchors” are treated as belonging to mental process grouping.
The limitation of “obtaining, by a device, an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly” is a mere data gathering, recited in generality and therefore not meaningful.
The additional limitations of “device” and “generating, by the device and based on the identified structure, an expression that represents the structure of the anomaly within the unstructured text” are the additional elements recited in generality and representing insignificant extra-solution activity.
Similar analysis is applied to the abstract ideas of Claim 10.
Independent Claim 10 recites:
Claim 10. An apparatus, comprising:  
one or more network interfaces to communicate with a network;  
a processor coupled to the network interfaces and configured to execute one or more processes; and  
a memory configured to store a process executable by the processor, the process when executed configured to:  
obtain an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly;  
extract a context for the anomaly as an n-gram of portions of the sequence of text surrounding the anomaly;  
identify a structure of the anomaly by identifying portions of the extracted context as anchors; and  
generate, based on the identified structure, an expression that represents the structure of the anomaly within the unstructured text. 
For example, the limitations of “extract a context for the anomaly as an n-gram of portions of the sequence of text surrounding the anomaly” and “identify a structure of the anomaly by identifying portions of the extracted context as anchors” are treated by the Examiner as belonging to mental process grouping, and the limitation of “obtain an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly” is treated as mere data gathering  and extra solution activity recited in generality.
Similar analysis is applied to the abstract ideas of Claim 10, including the additional limitations of “device”, “network”, “network interfaces”, “processor”, “memory”, and the limitations of “obtaining, by a device, an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly”, which is a mere data gathering, recited in generality and therefore not meaningful, and the limitation of “generate, based on the identified structure, an expression that represents the structure of the anomaly within the unstructured text”, which is the additional element recited in generality and representing insignificant extra-solution activity.
Independent Claim 19 recites:
Claim 19. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device to execute a process comprising:  
obtaining, by the device, an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly;  
extracting, by the device, a context for the anomaly as an n-gram of portions of the sequence of text surrounding the anomaly;  
identifying, by the device, a structure of the anomaly by identifying portions of the extracted context as anchors; and  
generating, by the device and based on the identified structure, an expression that represents the structure of the anomaly within the unstructured text.  
Similar analysis is applied to the abstract ideas of Claim 19, including the additional limitations of “tangible, non-transitory, computer-readable medium storing program instructions”, “device”, and the limitations of “obtaining, by the device, an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly” which is a mere data gathering, recited in generality and therefore not meaningful, and the limitation of “generating, by the device and based on the identified structure, an expression that represents the structure of the anomaly within the unstructured text”, which is the additional element recited in generality and representing insignificant extra-solution activity.
Next, under the Step 2A, Prong Two, we consider whether the claim that recites a judicial exception is integrated into a practical application.
In this step, we evaluate whether the claim recites additional elements that integrate the exception into a practical application of that exception.
The above claims comprise the following additional elements:
In Claim 1:
“device”;
Step 1 of “obtaining, by a device, an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly”
Step 4 of “generating, by the device and based on the identified structure, an expression that represents the structure of the anomaly within the unstructured text. 
In Claim 10:
“device”; 
“network”; 
“network interfaces”;
“processor”; 
“memory”; 
the limitation of “obtain an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly”
the limitation of “generate, based on the identified structure, an expression that represents the structure of the anomaly within the unstructured text”.
In Claim 19:
“A tangible, non-transitory, computer-readable medium storing program instructions”; 
“device”;
A step 1 of “obtaining, by the device, an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly”;
A step 4 of “generating, by the device and based on the identified structure, an expression that represents the structure of the anomaly within the unstructured text”.
In Claim 1, generally recited element “device” is not meaningful and is not qualified as particular machines. A step of “obtaining, by a device, an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly” is a mere data gathering step, recited in generality and therefore not meaningful. A step of “generating, by the device and based on the identified structure, an expression that represents the structure of the anomaly within the unstructured text” is recited in generality and represents insignificant extra-solution activity.
In Claim 10, generally recited elements “device”, “network”, “network interfaces”, “processor”, and “memory” are not meaningful and are not qualified as particular machines. A step of “obtain an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly” is a mere data gathering step, recited in generality and therefore not meaningful. A step of “generate, based on the identified structure, an expression that represents the structure of the anomaly within the unstructured text” is recited in generality and represents insignificant extra-solution activity.
In Claim 19, the additional element in the preamble “A tangible, non-transitory, computer-readable medium storing program instructions” is not qualified for a meaningful limitation and it only links the use of the judicial exception to a particular operation or field of use. Generally-recited element “device” is not meaningful and is not qualified as particular machine. A step of “obtaining, by the device, an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly” is a mere data gathering step, recited in generality and therefore not meaningful. A step of “generating, by the device and based on the identified structure, an expression that represents the structure of the anomaly within the unstructured text” is recited in generality and represents insignificant extra-solution activity.
According to MPEP 2106.05(g)(3): (3) Whether the limitation amounts to necessary data gathering and outputting, (i.e., all uses of the recited judicial exception require such data gathering or data output). See Mayo, 566 U.S. at 79, 101 USPQ2d at 1968; OIP Techs., Inc. v. Amazon.com, Inc., 788 F.3d 1359, 1363m 115 USPQ2d 1090, 1092-93 (Fed. Cir. 2015) (presenting offers and gathering statistics amounted to mere data gathering). This is considered in Step 2A Prong Two and Step 2B.
In conclusion, the above additional elements, considered individually and in combination with the other claim elements, do not reflect an improvement to other technology or technical field, and, therefore, do not integrate the judicial exception into a practical application. Therefore, the claims are directed to a judicial exception and require further analysis under the Step 2B.
However, the above claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because they are generically recited and are well-understood and/or conventional in the relevant art as evidenced from a prior art of record (Step 2B analysis), such as US2018314835 to Dodson et al. 
that discloses the use of machine learning to detect the anomalous activity receiving the input of data stream, where unstructured log files comprise an unstructured text, and flagging the data as anomalous depending on the magnitude of changes (Step 1), and automatically extracting regular expressions that uniquely match each cluster and the unstructured text log file includes the computing process output  (Step 4); and US2012278336 to Malik et al. that discloses a method for representing information included in unstructured text documents in a structured format (Step 1) and assigning a feature value to the generated outputted text document (Step 4).
The independent Claims 1, 10, and 19, therefore, are not patent eligible.
	With regards to the dependent Claims, Claims 2-9, 11-18, and 20, are similarly ineligible. Claims 2-9, 11-18, and 20 provide additional features/steps which are part of an expanded algorithm, so these limitations should be considered part of an expanded abstract idea of the independent claims (Step2A, Prong One), recite no additional elements reflecting a practical application (Step 2A, Prong Two), and fail a “significantly more” test under the step 2B for the same reasons as discussed with regards to the independent claims. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 4, 7, and 9 are rejected under 35 U.S.C. 103 as being unpatentable over US20180314835 to Dodson et al. (hereinafter Dodson) in view of US2012278336 to Malik et al. (hereinafter Malik).

Regarding Claim 1:  Dodson discloses:
“A method comprising: obtaining, by a device, an output of a machine learning-based anomaly detector for unstructured text, wherein the output comprises a sequence of text analyzed by the anomaly detector and an indication that a portion of the sequence of text was flagged by the anomaly detector as an anomaly” (para 0018 – “The present disclosure is directed to various embodiments of systems and methods that use unsupervised machine learning to detect anomalous activity and isolate a source or sources thereof. In more detail, an input stream of data instances is received. The input stream can include data instances of behavior or activity of a computer environment.”; para 0019 – “Various analyses described herein examine the data instances over all or a portion of the period of time for which the input stream is collected. Anomalies can be detected within this input stream by examining and comparing principle values … These changes are identified as anomalies.”; para 0028 - “Changes in data instances over time can be flagged as anomalous if the changes have a magnitude that is unexpected.”);
“extracting, by the device, a context for the anomaly of portions of the sequence of text surrounding the anomaly” (para 0071 – “the machine learning-based classification processes disclosed herein can assist in supporting additional data analysis and filtering tools such as grok filter. Thus, the machine learning classification can be used to seed and maintain the input to a grok filter. In some embodiments, the machine learning capabilities disclosed herein for classifying unstructured log files provides a set of candidate patterns for categorical messages. However, machine learning will not know what entity is represented by a token. For example, a token may be a user or a host. Thus, some embodiments contemplate manual intervention to add this context”; para 0033 – “anomaly influence aims to understand the way that the categorical attributes are influencing the anomalies that are located by analyzing the principle value ν”);
“identifying, by the device, a structure of the anomaly by identifying portions of the extracted context as anchors” (para 0020 – “when an anomaly is detected, a cause or causes of the anomaly are located through a process of counterfactual processing. An exemplary process of counterfactual processing uses reductionism and elimination to isolate principle values and/or corresponding categorical attributes that contribute to the anomaly. In various embodiments, these anomalous principle values and/or corresponding categorical attributes are then traced back to a source”; para 0033 – “anomaly influence aims to understand the way that the categorical attributes are influencing the anomalies that are located by analyzing the principle value ν”); and 
“generating, by the device and based on the identified structure, an expression that represents the structure of the anomaly within the unstructured text” (para 0095 – “the systems will be configured to cluster strings using a distance metric that is tailored for log messages then automatically extract regular expressions that uniquely match each cluster”; para 0096 – “the systems disclosed herein can automatically extract a sequence of tokens {(t_1̂((i)), t_2̂((i)), . . . , t_n̂((i)))} which uniquely identifies each cluster i and map them to regular expressions {t_1̂((i)).*t_2̂((i)).* . . . *t_n̂((i))}”; para 0098 – “the categories that are available for matching are based on examples provided to the system, reverse engineering of the original segment/message content, regular expressions”).
	Dodson is silent on:
“as an n-gram”.
	However, Malik discloses:
“as an n-gram” (para 0005 – “The systems and techniques identify events and information associated with the events in unstructured documents, classify the identified events and information, and represent the identified events and information in a structured format based on a computed classification score.”; para 0068 – “the feature module 26 may apply the N-Grams feature generation schema by identifying each unique N-Gram included in the portion of unstructured text, generating a document feature for each of the identified N-Grams, and assigning a feature value to the generated document feature based on a frequency each identified unique N-gram occurs in the portion of unstructured text”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method, disclosed by Dodson, as taught by Malik, in order to identify the anomaly in the unstructured text easily to speed up the process of identifying a structure of the anomaly and correcting it.

	Regarding Claim 4: Dodson/Malik combination discloses the method of Clam 1 (see the rejection for Claim 1).
	Dodson is silent on:
“wherein the output of the anomaly detector further includes 2 probabilities associated with the portions of the sequence of text analyzed by the anomaly detector, each probability indicative of its associated portion of text appearing in the sequence of text”.
	However, Malik discloses:
“wherein the output of the anomaly detector further includes 2 probabilities associated with the portions of the sequence of text analyzed by the anomaly detector, each probability indicative of its associated portion of text appearing in the sequence of text”: (para 0010 – “based upon the first classifier score, computing a first probability value using a probability estimation model, the first probability value indicating a likelihood that a first event attribute from the set of event attributes corresponds to the set of predefined event attributes”; para 0011 – “the second classifier score being generated with the classifier, and based upon the second classifier score, computing a second probability value using the probability estimation model, the second probability value indicating a likelihood that a second event attribute from the set of event attributes corresponds to the set of predefined event attributes”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method, disclosed by Dodson, as taught by Malik, in order to identify the anomaly in the unstructured text easily to speed up the process of identifying a structure of the anomaly and correcting it.

	Regarding Claim 7: Dodson/Malik combination discloses the method of Clam 1 (see the rejection for Claim 1).
	Regarding the limitation “further comprising: storing the identified structure of the anomaly in a database of anomaly structures”: it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to store any information, including the identified structure of the anomaly, in the specific separate database, to make it possible to easily access the anomaly data and store the additional anomaly instances in such database.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method, disclosed by Dodson, as taught by Malik, in order to lower the time necessary for identifying the anomaly structure and correcting the anomaly.

	Regarding Claim 9:  Dodson/Malik combination discloses the method as in Claim 1 (see the rejection for Claim 1).
	Dodson further discloses:
“wherein the expression includes the identified anchors and wildcards” (para 0020 – “when an anomaly is detected, a cause or causes of the anomaly are located through a process of counterfactual processing. An exemplary process of counterfactual processing uses reductionism and elimination to isolate principle values and/or corresponding categorical attributes that contribute to the anomaly. In various embodiments, these anomalous principle values and/or corresponding categorical attributes are then traced back to a source”; para 0033 – “anomaly influence aims to understand the way that the categorical attributes are influencing the anomalies that are located by analyzing the principle value ν”).

Claims 2, 5, 6, 8 are rejected under 35 U.S.C. 103 as being unpatentable over Dodson/Malik combination in view of US2018302423 to Muddu et al. (hereinafter Muddu).

	Regarding Claim 2:  Dodson/Malik combination discloses the method of Clam 1 (see the rejection for Claim 1).
	Dodson is silent on:
“further comprising: using the generated expression as a template or policy to detect an anomaly within unstructured text that was not analyzed by the machine learning-based anomaly detector”.
	However, Muddu discloses:
“further comprising: using the generated expression as a template or policy to detect an anomaly within unstructured text that was not analyzed by the machine learning-based anomaly detector” (para 0205 – “after the data connectors 802 obtain/receive the data, if the data format of the data is unknown (e.g., the administrator has not specified how to parse the data) (i.e. the text was not analyzed, added by examiner), then the format detector 804 can be used to detect the data format of the input data. For example, the format detector 804 can perform pattern matching for all known formats to determine the most likely format of a particular event data. In some instances, the format detector 804 can embed regular expression rules and/or statistical rules in performing the format detection”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method, disclosed by Dodson/Malik combination, as taught by Muddu, in order to identify the anomaly in the unstructured text easily to speed up the process of identifying a structure of the anomaly and correcting it.

Regarding Claim 5:  Dodson/Malik combination discloses the method of Clam 4 (see the rejection for Claim 4).
Dodson/Malik combination is silent on:
“wherein identifying the structure of the anomaly by identifying portions of the extracted context as anchors comprises: determining that a particular portion of the sequence of text included in the context is an anchor, based on that portion having an associated probability greater than a defined threshold”.
	However, Muddu discloses:
“wherein identifying the structure of the anomaly by identifying portions of the extracted context as anchors comprises: determining that a particular portion of the sequence of text included in the context is an anchor, based on that portion having an associated probability greater than a defined threshold” (para 0186 – “anomalies and threats are detected by comparing incoming event data (e.g., a series of events) against the baseline profile for an entity to which the event data relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected. The comparison may be based on any of various techniques, for example, time-series analysis (e.g., number of log-ins per hour), machine learning, or graphical analysis”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method, disclosed by Dodson/Malik combination, as taught by Muddu, in order to identify the anomaly in the unstructured text easily to speed up the process of identifying a structure of the anomaly and correcting it.

Regarding Claim 6:  Dodson/Malik combination discloses the method of Clam 4 (see the rejection for Claim 4).
Dodson further discloses:
“wherein identifying the structure of the anomaly by identifying portions of the extracted context as anchors comprises: determining that a number of anchors in the context is below a defined threshold” (para 0098 – “While these thresholds are based on empirical data, these thresholds can be adjusted as desired and/or as feedback into the system when a matching heuristic is used within the machine learning. It will be understood that the thresholds selected should not result in all tokens, segments, or messages being placed into one single category. When a match does not fall within the specified thresholds (interpreted as being below a defined threshold, added by examiner), a new category can be created”).
	Dodson is silent on:
“increasing a size of the n-gram until the number of anchors in the context meet or exceed the defined threshold”.
	However, Malik discloses:
“increasing a size of the n-gram until the number of anchors in the context meet or exceed the defined threshold” (para 0050 – “The feature module 26 uses the N-Grams schema to generate a document feature for each unique N-Gram (e.g., bi-gram, tri-gram, etc.) that occurs in the portion of unstructured text … the feature module 26 identifies each unique N-Gram included in the portion of unstructured text, generates a document feature for each of the identified N-Grams, and then assigns a feature value to the generated document feature based on a frequency each identified unique N-gram occurs in the portion of unstructured text”; para 0067 – “The feature module 26 may apply the Figure-Value-Threshold feature generation schema by identifying a numerical event attribute included in the portion of unstructured text, generating a document feature for the identified numerical event attribute, comparing the numerical event attribute to a pre-defined threshold value, and assigning a feature value to the generated document feature based on the comparison”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method, disclosed by Dodson, as taught by Malik, in order to identify the anomaly in the unstructured text easily to speed up the process of identifying a structure of the anomaly and correcting it.

Regarding Claim 8:  Dodson/Malik combination discloses the method of Clam 7 (see the rejection for Claim 7).
Dodson/Malik combination is silent on:
“wherein generating the expression that represents the structure of the anomaly within the unstructured text comprises: forming a mapping of anomaly structures in the database in part by aggregating the identified structure of the anomaly with other entries in the database of anomaly structures; and converting the formed mapping into the expression that represents the structure of the anomaly within the unstructured text”.
	However, Muddu discloses:
“wherein generating the expression that represents the structure of the anomaly within the unstructured text comprises: forming a mapping of anomaly structures in the database in part by aggregating the identified structure of the anomaly with other entries in the database of anomaly structures; and converting the formed mapping into the expression that represents the structure of the anomaly within the unstructured text” (para 0241 – “Like identity resolution (interpreted as aggregating the identified structure of the anomaly, added by examiner), such machine identifier mapping can be dynamically updated as the time goes by and more events are received. Whenever the environment changes, the device resolution module can derive a new mapping”; para 0432 – “The decision can be, e.g., a machine learning model or an analytics engine running a machine learning model. During the detection, the process first converts at least a portion of the composite relationship graph (e.g., the anomaly projection) into an anomaly relationship graph. The anomaly relationship graph includes anomaly nodes that represent anomalies and entity nodes that represent entities in the computer network. The computer system inputs the anomaly relationship graph into the decision engine. The decision engine can then identify a security threat by analyzing the anomalies in any of various different ways”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method, disclosed by Dodson/Malik combination, as taught by Muddu, in order to identify the anomaly in the unstructured text easily to speed up the process of identifying a structure of the anomaly and correcting it.

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Dodson/Malik combination in view of US20180032862 to Oliner et al. (hereinafter Oliner).

Regarding Claim 3: Dodson/Malik combination discloses the method of Clam 1 (see the rejection for Claim 1).
Dodson/Malik combination is silent on:
“wherein the machine learning-based model comprises a neural network”.
	However, Oliner discloses;
“wherein the machine learning-based model comprises a neural network” (para 0256 – “One or more embodiments of untrained engine 1832 utilize deep-learning architecture. Deep learning may also be known as deep structured learning, hierarchical learning, or deep machine learning.”; para 0258 – “There are various names given to various types of different deep-learning architectures. Examples include: deep neural networks, … convolutional neural networks, neural history compressor, recursive neural networks”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method, disclosed by Dodson/Malik combination, as taught by Oliner, in order to improve the performance of machine-learning based models in order to detect the anomaly faster and more efficiently.
With regards to Claims 10 and 19, Dodson/Malik combination discloses the claimed limitations as disclosed with regards to Claim 1.
With regards to Claim 11, Dodson/Malik/Muddu combination discloses the claimed limitations as disclosed with regards to Claim 2.
With regards to Claim 12, Dodson/Malik/Muddu/Oliner combination discloses the claimed limitations as disclosed with regards to Claim 3.
With regards to Claim 13 and 20, Dodson/Malik combination discloses the claimed limitations as disclosed with regards to Claim 4.
With regards to Claim 14, Dodson/Malik/Muddu combination discloses the claimed limitations as disclosed with regards to Claim 5.
With regards to Claim 15, Dodson/Malik combination discloses the claimed limitations as disclosed with regards to Claim 6.
With regards to Claim 16, Dodson/Malik combination discloses the claimed limitations as disclosed with regards to Claim 7.
With regards to Claim 17, Dodson/Malik/Muddu combination discloses the claimed limitations as disclosed with regards to Claim 8.
With regards to Claim 18, Dodson/Malik combination discloses the claimed limitations as disclosed with regards to Claim 9.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US20160292592A1 to Patthak et al. (hereinafter Patthak) discloses method and system for implementing machine learning classifications.
US20180039914A1 to Menahem et al. (hereinafter Menahem) discloses method and system for providing an enriched root cause of an incident using machine-generated textual data.
US20200372415A1 to Mann et al. (hereinafter Mann) discloses machine-learning and deep-learning techniques for predictive ticketing in information technology systems.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Lyudmila Zaykova-Feldman whose telephone number is (469)295-9269. The examiner can normally be reached 8:30am - 5:30pm, Monday through Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arleen M. Vazquez can be reached on 571-272-2619. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/LYUDMILA ZAYKOVA-FELDMAN/           Examiner, Art Unit 2865                                                                                                                                                                                             

/ALEXANDER SATANOVSKY/           Primary Examiner, Art Unit 2863