Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 18-21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 18-21 disclose the preamble “The method of training a recurrent neural network of claim 16”, however claim 16 is not a method. Claim 16 recites, as a preamble, “the computer system of claim 9”.  Therefore, the dependency of claims 18-21 is unclear. For examination purposes, the claims are interpreted as best understood.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
Regarding claims 1-20, when considering subject matter eligibility under 35 U.S.C. 101, it must be determined whether the claim is directed to one of the four statutory categories of invention (i.e., process, machine, manufacture, or composition of matter (i.e., Step 1, MPEP 2106.03). If the claim does fall within one of the statutory categories, it must then be determined whether the claim is directed to a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea) (i.e., Step 2A, MPEP 2106.04), and if so, it must additionally be determined whether the claim contains any additional elements that transform the exception into patent-eligible subject matter. 
	Eligibility Step One
	Each of the claims falls within one of the four statutory categories. However, as discussed below, the claims are directed to a non-statutory subject matter because the claims as a whole, considering all claim elements both individually and in combination, fall within the judicial exception of an abstract idea and do not amount to significantly more than an abstract idea.	
	Eligibility Step 2A, Prong One 
	Under Step 2A, Prong One, a claim is eligible unless it recites a judicial exception (an abstract idea, a law of nature, or natural phenomenon). 
	Claims 1, 9, and 17 are substantially similar and recite a judicial exception illustrated by:
	preprocessing commercial transaction data into a time series sequence of commercial transaction data;
providing the time series to a recurrent neural network; 
evaluating the provided time series in the recurrent neural network to generate and output a predicted next element in the time series; 
comparing the predicted next element in the time series with an observed actual next element in the time series; and 
determining whether the observed next element in the time series is anomalous based on a difference between the predicted next element in the time series with an observed actual next element in the time series.	
	As such, the abstract idea illustrated comprises functions and limitations associated with determining if an element in a time series is anomalous.
	Concepts determined to be abstract ideas, and thus patent ineligible, include mathematical concepts, certain methods of organizing human, and mental processes. Claims may recite multiple abstract ideas, which may fall in the same or different groupings. Examiners should identify at least one abstract idea grouping, but preferably identify all groupings to the extent possible, if a claim limitation(s) is determined to fall within multiple groupings. See October 2019 Update: Subject Matter Eligibility. Merely combining abstract ideas does not render the combination any less abstract. RecogniCorp, LLC v. Nintendo Co., 855 F.3d 1322, 1327 (Fed. Cir. 2017). 
	As such, the Examiner notes the abstract idea illustrated above comprises mental processes.
	Mental Processes
	Under the 2019 PEG, the “mental processes” grouping is defined as concepts performed in the human mind, and examples of mental processes include observations, evaluations, judgments, and opinions. Because both product and process claims may recite a “mental process,” the phrase “mental processes” should be understood as referring to the type of abstract idea, and not to the statutory category of the claim. See October 2019 Update: Subject Matter Eligibility. Claims recite a mental process when they contain limitations that can practically be performed in the human mind, including for example, observations, evaluations, judgments, and opinions. Id. The courts have found claims requiring a generic computer or nominally reciting a generic computer may still recite a mental process even though the claim limitations are not performed entirely in the human mind. Id. In evaluating whether a claim that requires a generic computer recites a mental process, examiners should carefully consider the broadest reasonable interpretation of the claim in light of the specification. Id. 
	Examiners may review the specification to determine if the underlying claimed invention is described as a concept that is performed in the human mind and applicant is merely claiming that concept performed 1) on a generic computer, 2) in a computer environment or 3) is merely using a computer as a tool to perform the concept. In these situations, the claim is considered to recite a mental process. Id. both product claims (e.g., computer system, computer-readable medium, etc.) and process claims may recite mental processes. Id.
	If a claim recites a limitation that can practically be performed in the human mind, the limitation falls within the mental processes grouping, and the claim recites an abstract idea. The use of a physical aid (i.e., the pen and paper) to help perform a mental step (e.g., a mathematical calculation) does not negate the mental nature of this limitation. Id. 
	In this instance, the limitations illustrating an abstract idea (noted above) are similar to mental processes comprising observations, evaluations, judgments, and opinions in the context of evaluation data collected in order to make a determination, which are steps that can be practically performed in the human mind, as well as collecting information, analyzing it, and displaying certain results of the collection and analysis, where the data analysis steps are recited at a high level of generality such that they could practically be performed in the human mind. The discussion above applies here, as well. With the aid of a pen and paper, a person could perform all of the limitations illustrating an abstract idea associated with transmitting and receiving data, collecting and comparing known information, and collecting information, analyzing it, and displaying certain results of the collection and analysis. As drafted, these limitations, under the broadest reasonable interpretation, and according to the Guidance, at least recite mental processes because the limitations encompass acts people can perform using their minds or pen and paper.  	
	As such, the claims are directed to an abstract idea comprising mental processes. 
Eligibility Step 2A, Prong Two
	The mere recitation of a judicial exception does not mean that the claim is “directed to” that judicial exception under Step 2A Prong Two. Instead, under Prong Two, a claim that recites a judicial exception is not directed to that judicial exception, if the claim as a whole “integrates the recited judicial exception into a practical application of that exception.” See October 2019 Update: Subject Matter Eligibility.  Under Step 2A, Prong Two, it must be determined if the claim recites additional elements that integrate the judicial exception into a practical application. The judicial exception is not integrated into a practical application because the claims recite additional elements in a manner which implies the claimed invention is comprised of generic components programmed to perform generic functions. The Examiner notes the specification describes the system as being comprised of generic components and computing devices [028] and Fig. 13.
This illustrates that the abstract idea is a computer-implemented abstract idea performed by computing devices performing generic computer functions using a standard operating system and software language. Courts have held computer-implemented processes not to be significantly more than an abstract idea (and thus ineligible) where the claim as a whole amounts to nothing more than generic computer functions merely used to implement an abstract idea, such as an idea that could be done by a human analog (i.e., by hand or by merely thinking). As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Additionally, the claim simply invokes a system and computing components as tools to perform an existing process of transmitting, receiving, and analyzing data. Additionally, the Examiner notes that the claim language does no more than generally link a judicial exception to a particular technological environment. Additionally, the Examiner notes the type of information collected and analyzed being limited to particular content does not change its character as information in the context of evaluating an abstract idea.
	The claims do not include additional elements that are sufficient to integrate the judicial exception into a practical application in a manner that imposes a meaningful limit on the judicial exception because the system and components performing the steps are recited at a high-level of generality (i.e., as generic system components performing generic computer functions to perform mental processes) such that it amounts no more than mere instructions to apply the exception using generic computer components as tools to implement the abstract idea. Accordingly, the additional elements, both alone and in combination, do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea.
	Eligibility Step 2B
	It is possible that a claim does not “integrate” a recited judicial exception is nonetheless patent eligible. The additional elements are considered both individually and in combination to determine whether they amount to significantly more than the judicial exception.
	As discussed above, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the system and components performing the steps are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer component. Accordingly, the additional elements, both alone and in combination, do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The elements in the instant claims, when taken in combination, together do not offer “significantly more” than the abstract idea itself because the claims do not recite an improvement to another technology or technical field, an improvement to the functioning of the processor itself, or provide meaningful limitations beyond generally linking an abstract idea to a particular technological environment.
	The claims as a whole, considering all claim elements both individually and in combination, fall within the judicial exception of an abstract idea and do not amount to significantly more than an abstract idea. The claims are not patent eligible.
	As such, the additional elements do not add anything significant to the abstract idea.
	Claims 2-3, 10-11 and 19-20 merely further embellish the abstract idea as related to the specific type of data. The claims do not add anything beyond the abstract idea.
	Claims 4, 7-8, 12, 15-16 and 21 merely further embellishes the abstract idea as related to providing data. The claim does not add anything beyond the abstract idea.
	Claims 5-6, and 13-14 merely further embellishes the abstract idea as related to describing a recurrent neural network without positively reciting any method step. The claim does not add anything beyond the abstract idea.
	The elements in the instant claims, when taken in combination, together do not offer “significantly more” than the abstract idea itself because the claims do not recite an improvement to another technology or technical field, an improvement to the functioning of the processor itself, or provide meaningful limitations beyond generally linking an abstract idea to a particular technological environment. As noted above, the Applicant describes in the Specification that a generic computer system using any suitable components and operating system is capable of implementing the claimed abstract idea.  As such the claims simply describe a problem, announce purely functional steps that purport to solve the problem, and recite standard computer operations to perform some of those steps, which is not “significantly more” than an abstract idea.  
Therefore, claims 1-20 are directed to non-statutory subject matter.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


1. Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated over Gefen (US Patent Publication 2019/0228296).
Regarding claim 1, Gefen discloses: a method of identifying anomalous data in a sequence of commercial transaction data (abstract), comprising: 
preprocessing commercial transaction data into a time series sequence of commercial transaction data ( [0024] In an embodiment, network system 100 includes an analysis server 108 that executes significant events identifier process 127 that gathers and analyzes time series data of the network and its devices to identify significant events among the vast number of events generated every period. It further provides a user interface to display the events in historical context so that SMEs and other personnel can assess actual network conditions and pursue appropriate remedial measures in the event of abnormal or problematic events. Embodiments of the significant event identifier 127 may be used with a root cause analyzer process 121. This process 121 may implement an automated procedure that finds the root cause of anomalies, unusual behavior or problems exhibited by any of the components in system 100. It uses a causal graph of the system acquired using domain experts or by using a semi-supervised tool. In an embodiment, the analyzer process 121 finds possible causes using a causal graph, and generates a prioritized list of possible causes to an observed anomaly. The result allows analysts to explore and verify the real cause of an anomaly in real or near real time. For the embodiment of FIG. 1, the significant events identifier 127 may be associated with, or included as part of the root cause analyzer 121 or it may be a separate component, as shown in FIG. 1. [0028] The significant events analyzer builds on an anomaly detection process and adds certain features including: analyzing numeric and performance data to detect an anomaly, analyzing textual information from multiple sources (e.g., log data) in the time area of the anomaly to find related and informative logs leveraging state-of-the-art deep learning models such as Recurrent Neural Networks (RNN) and LSTM in addition to Markov Chains, and automatically overlaying the most significant actual logs/source information over the time series display. This process does not just display the anomaly or a numerical indicator of the anomaly, but rather the actual related log/source events. This feature provides a major advantage over previous methods as it provides proof, context, or supporting evidence of an event. This data analysis and presentation adds tools to help understand the logs or figure out what parts of the data source is relevant. It greatly enables an SME reading the logs or data sources to relate the logs to the events and identify valid issues and appropriate remedial measures. [0029] FIG. 2 illustrates the main functional components and/or processes of the significant events identifier 127 of FIG. 1, under some embodiments. As shown in diagram 200, the main components include a near real-time data collection component 202, a time series anomaly detection module 204 that is applied over the numeric performance data by the collection component 202 to identify outages of the environment, a log analyzer 206 that filters and maps outages to relevant events, and a user interface 208 that presents the performance of the system across time overlapped with important events tagged to it.); 
providing the time series to a recurrent neural network ( [0026] Embodiments of significant identifier component 127 include a process and system to filter significant events using RNN and Markov Chains models to analyze the importance of each event of a time series of events. The process tags and shows the filtered events which overlays selected important events coming from all the different sources on top of any time series data for display to the user in the form of a comprehensive graph or report. The desired events are anomalies (in terms of textual content) or trend changes found on any of the data sources and displayed on a single chosen time-series. [0028] The significant events analyzer builds on an anomaly detection process and adds certain features including: analyzing numeric and performance data to detect an anomaly, analyzing textual information from multiple sources (e.g., log data) in the time area of the anomaly to find related and informative logs leveraging state-of-the-art deep learning models such as Recurrent Neural Networks (RNN) and LSTM in addition to Markov Chains, and automatically overlaying the most significant actual logs/source information over the time series display. This process does not just display the anomaly or a numerical indicator of the anomaly, but rather the actual related log/source events. This feature provides a major advantage over previous methods as it provides proof, context, or supporting evidence of an event. This data analysis and presentation adds tools to help understand the logs or figure out what parts of the data source is relevant. It greatly enables an SME reading the logs or data sources to relate the logs to the events and identify valid issues and appropriate remedial measures.);
evaluating the provided time series in the recurrent neural network to generate and output a predicted next element in the time series ( [0032] With respect to the time series anomaly detection module 204, there are several known ways to find anomalies in a time series. Anomaly detection for time series typically involves finding outlier data points relative to a standard (usual or normal) signal. There can be several types of anomalies and the primary types include additive outliers (spikes), temporal changes, and seasonal or level shifts. Anomaly detection processes typically work in one of two ways. First, they label each time point as an anomaly or non-anomaly; second, they forecast a signal for some point and test if the point value from the forecast by a margin defining it as an anomaly. In an embodiment, any anomaly detection method may be used including STL (seasonal-trend decomposition), classification and regression trees, ARIMA modeling, exponential smoothing, neural networks, and other similar methods. [0045] Embodiments of component 127 include a process and system to filter significant events using RNN and Markov chains models to analyze the importance of events. The process tags and shows the filtered events which overlays selected important events coming from all the different sources on top of any time series data. The desired events will be anomalies (in terms of textual content) or trend changes found on any of the data sources and displayed on a single chosen time-series. As shown in FIG. 2, a user interface 208 presents to the user the time series charts with labels on top of it to provide an interactive chart that connects the outliers (in contrasting display such as color or pattern) to the events. The graph is interactive so that the user can click on the tag labels to access further information about the event itself, such as event description, data source and timestamp. [0049] FIG. 5 is a flowchart illustrating an overall method of identifying significant events for an outlier root cause investigation, under some embodiments. Process 500 starts by collecting time series data for events for each device of the network, 502. A time series anomaly detector is then used to detect an anomaly that comprises an outlier on an edge of the time series data by comparing a predicted value of the event to an actual value of the event using a selected forecasting model, or any other appropriate anomaly detection method, 504. The process declares an event to be an anomaly at a particular time if a difference between the predicted value and actual value exceed a defined threshold based on residual values for other devices of the network, 506. A log events analyzer is then used to analyze all events for all devices of the network within a defined time proximity of the particular time of the anomaly to filter usual events and rank each event relative to the anomaly, 508. A labeled chart of the time series is then displayed to the user through a GUI to show the anomaly in a graphical context relative to all the other temporally proximate events, 510.); 
comparing the predicted next element in the time series with an observed actual next element in the time series ( [0032] With respect to the time series anomaly detection module 204, there are several known ways to find anomalies in a time series. Anomaly detection for time series typically involves finding outlier data points relative to a standard (usual or normal) signal. There can be several types of anomalies and the primary types include additive outliers (spikes), temporal changes, and seasonal or level shifts. Anomaly detection processes typically work in one of two ways. First, they label each time point as an anomaly or non-anomaly; second, they forecast a signal for some point and test if the point value from the forecast by a margin defining it as an anomaly. In an embodiment, any anomaly detection method may be used including STL (seasonal-trend decomposition), classification and regression trees, ARIMA modeling, exponential smoothing, neural networks, and other similar methods. [0033] Some anomaly detection methods employ smoothers of the time-series while others use forecasting methods. For detecting an outlier on the edge of a time series (the newest point), forecasting methods are generally better suited. In an embodiment, the anomaly detection process 204 conducts a competition between different forecasting models and chooses the one that performs the best on a test data set, i.e., the one that has the minimal error. The best model is used for forecasting, and the difference between the actual value and the predicted one is calculated and evaluated. If the residual is significantly larger when comparing to the residual population the process declares the event to be an anomaly. This method also detects unexpected changes in trend or seasonality, where seasonality refers to the periodic fluctuations that may be displayed by time series, such as backup operations increasing at midnight. The process can also be configured to assign weights for the anomalies based on the significance of the residual for a weighted calculation. When an outage is discovered, the detection module 204 triggers the log events analyzer module 206, which will find the potential causes in the events data. [0040] In general, RNNs excel at capturing the order in which previous events were executed. This helps in the identification of anomalous processes, (e.g., a continued increase of power usage) which were hidden as normal events when analyzed separately. Using this output, the process 200 can learn the difference between the actual events and the predicted events. By further calculating the distances, it can determine if the sequence can be considered an anomaly. As used herein a distance is basically the probability of getting an event (event X) as an input. The RNN model can give as an output the distribution over all inputs, and the system can use these probabilities for calculating the distances. [0049] FIG. 5 is a flowchart illustrating an overall method of identifying significant events for an outlier root cause investigation, under some embodiments. Process 500 starts by collecting time series data for events for each device of the network, 502. A time series anomaly detector is then used to detect an anomaly that comprises an outlier on an edge of the time series data by comparing a predicted value of the event to an actual value of the event using a selected forecasting model, or any other appropriate anomaly detection method, 504. The process declares an event to be an anomaly at a particular time if a difference between the predicted value and actual value exceed a defined threshold based on residual values for other devices of the network, 506. A log events analyzer is then used to analyze all events for all devices of the network within a defined time proximity of the particular time of the anomaly to filter usual events and rank each event relative to the anomaly, 508. A labeled chart of the time series is then displayed to the user through a GUI to show the anomaly in a graphical context relative to all the other temporally proximate events, 510.) [0051] In an embodiment, anomaly detection can use a causal graph encompasses time-series data for each of the components, such as temporal log data from transactions for each component. Embodiments use one of several known ways to find anomalies in a time series. For example, one method uses smoothers of the time-series, while others use forecasting methods. For detecting an outlier on the edge of a time series (the newest point), forecasting methods are generally more suitable. In an embodiment, the process conducts a competition between different forecasting models and chooses the one that performs the best on a test data set, i.e., the one that has the minimal error. The best model is used for forecasting and the difference between the actual value and the predicted one is calculated and evaluated. If the residual is significantly larger when comparing to the residual population, it is declared as an anomaly. The residual population essentially defines a threshold value against which an actual residual can be compared to allow the process to declare the outlier to be an anomaly. This method will thus detect unexpected changes in trend or seasonality, where seasonality refers to the periodic fluctuations that may be displayed by time series, such as backup operations increasing at midnight. The process can also be configured to assign weights for the anomalies based on the significance of the residual for a weighted calculation.); and 
determining whether the observed next element in the time series is anomalous based on a difference between the predicted next element in the time series with an observed actual next element in the time series ([0033] Some anomaly detection methods employ smoothers of the time-series while others use forecasting methods. For detecting an outlier on the edge of a time series (the newest point), forecasting methods are generally better suited. In an embodiment, the anomaly detection process 204 conducts a competition between different forecasting models and chooses the one that performs the best on a test data set, i.e., the one that has the minimal error. The best model is used for forecasting, and the difference between the actual value and the predicted one is calculated and evaluated. If the residual is significantly larger when comparing to the residual population the process declares the event to be an anomaly. This method also detects unexpected changes in trend or seasonality, where seasonality refers to the periodic fluctuations that may be displayed by time series, such as backup operations increasing at midnight. The process can also be configured to assign weights for the anomalies based on the significance of the residual for a weighted calculation. When an outage is discovered, the detection module 204 triggers the log events analyzer module 206, which will find the potential causes in the events data. [0040] In general, RNNs excel at capturing the order in which previous events were executed. This helps in the identification of anomalous processes, (e.g., a continued increase of power usage) which were hidden as normal events when analyzed separately. Using this output, the process 200 can learn the difference between the actual events and the predicted events. By further calculating the distances, it can determine if the sequence can be considered an anomaly. As used herein a distance is basically the probability of getting an event (event X) as an input. The RNN model can give as an output the distribution over all inputs, and the system can use these probabilities for calculating the distances. [0049] FIG. 5 is a flowchart illustrating an overall method of identifying significant events for an outlier root cause investigation, under some embodiments. Process 500 starts by collecting time series data for events for each device of the network, 502. A time series anomaly detector is then used to detect an anomaly that comprises an outlier on an edge of the time series data by comparing a predicted value of the event to an actual value of the event using a selected forecasting model, or any other appropriate anomaly detection method, 504. The process declares an event to be an anomaly at a particular time if a difference between the predicted value and actual value exceed a defined threshold based on residual values for other devices of the network, 506. A log events analyzer is then used to analyze all events for all devices of the network within a defined time proximity of the particular time of the anomaly to filter usual events and rank each event relative to the anomaly, 508. A labeled chart of the time series is then displayed to the user through a GUI to show the anomaly in a graphical context relative to all the other temporally proximate events, 510. [0051] In an embodiment, anomaly detection can use a causal graph encompasses time-series data for each of the components, such as temporal log data from transactions for each component. Embodiments use one of several known ways to find anomalies in a time series. For example, one method uses smoothers of the time-series, while others use forecasting methods. For detecting an outlier on the edge of a time series (the newest point), forecasting methods are generally more suitable. In an embodiment, the process conducts a competition between different forecasting models and chooses the one that performs the best on a test data set, i.e., the one that has the minimal error. The best model is used for forecasting and the difference between the actual value and the predicted one is calculated and evaluated. If the residual is significantly larger when comparing to the residual population, it is declared as an anomaly. The residual population essentially defines a threshold value against which an actual residual can be compared to allow the process to declare the outlier to be an anomaly. This method will thus detect unexpected changes in trend or seasonality, where seasonality refers to the periodic fluctuations that may be displayed by time series, such as backup operations increasing at midnight. The process can also be configured to assign weights for the anomalies based on the significance of the residual for a weighted calculation. See also claim 1. ).
Regarding claims 2, 10, and 19, Gefen discloses: 
wherein the time series sequence of commercial transaction data is a high-dimensional time series sequence of commercial transaction data ([0034] With respect to the log events analyzer 206, given the output of the anomaly detection module 204, this module gets the timestamp of the outage and analyzes all the events around this timestamp from multiple sources. This helps to filter usual events and mark the importance of each event, which is the importance in terms of describing and explaining the outage cause. In order to determine which event is important and which is not, the method extracts the relevant features from the logs and counts the number of occurrences for each feature-value pair and their relative order. In an embodiment, the log events analyzer 206 uses a method that is based on LSTM/RNN (Long Short-Term Memory/Recurrent Neural Networks) and Markov Chains for log analysis. Both methods get as an input a series of log events, denoted (x.sub.0, . . . , x.sub.n-1), and the output is the probability of event x.sub.n to happen. This enables an understanding of whether or not an event can be considered normal or not normal. See claim 3. The method of claim 2 wherein the analyzing further comprises: extracting relevant features from the log information; assigning a value to each feature of the relevant features; and counting a number of occurrences for each feature value pair in their relative order.).
Regarding claims 3, 11, and 20 Gefen discloses: 
wherein the high-dimensional time series comprises 30 or more features derived from the sequence of commercial transactions during preprocessing ( [0034] With respect to the log events analyzer 206, given the output of the anomaly detection module 204, this module gets the timestamp of the outage and analyzes all the events around this timestamp from multiple sources. This helps to filter usual events and mark the importance of each event, which is the importance in terms of describing and explaining the outage cause. In order to determine which event is important and which is not, the method extracts the relevant features from the logs and counts the number of occurrences for each feature-value pair and their relative order. In an embodiment, the log events analyzer 206 uses a method that is based on LSTM/RNN (Long Short-Term Memory/Recurrent Neural Networks) and Markov Chains for log analysis. Both methods get as an input a series of log events, denoted (x.sub.0, . . . , x.sub.n-1), and the output is the probability of event x.sub.n to happen. This enables an understanding of whether or not an event can be considered normal or not normal. See claim 3. The method of claim 2 wherein the analyzing further comprises: extracting relevant features from the log information; assigning a value to each feature of the relevant features; and counting a number of occurrences for each feature value pair in their relative order.).
Regarding claims 4, 12, Gefen discloses: 
wherein the recurrent neural network is configured to provide an output based on both the current input and at least one prior input in the sequence previously provided to the recurrent neural network ( [0035] A Markov chain describes a sequence of possible events in which the probability of each event depends only on the state attained in the previous event. A Markov chain can be expressed as follows: P(X.sub.n=x.sub.n|X.sub.n-1=x.sub.n-1,X.sub.n-2=x.sub.n-2, . . . X.sub.0=x.sub.0) =P(X.sub.n=x.sub.n|X.sub.n-1=x.sub.n-1) [0036] In an embodiment, the log events analyzer uses a Markov chain from order m, where m is the constant chosen for the analysis, and defines how many log events from the past that should be taken into account. The constant m can be a system or a user configured parameter. Using the constant value m, yields an expression of the Markov chain as follows:
P( X n = x n | X n - 1 = x n - 1 , X n - 2 = x n - 2 , .Math. .Math. , X 0 = x 0 ) = P  ( X n = x n | X n - 1 = x n - 1 , X n - 2 = x n - 2 , .Math. .Math. , X n - m = x 0 .Math. n - m ) [0040] In general, RNNs excel at capturing the order in which previous events were executed. This helps in the identification of anomalous processes, (e.g., a continued increase of power usage) which were hidden as normal events when analyzed separately. Using this output, the process 200 can learn the difference between the actual events and the predicted events. By further calculating the distances, it can determine if the sequence can be considered an anomaly. As used herein a distance is basically the probability of getting an event (event X) as an input. The RNN model can give as an output the distribution over all inputs, and the system can use these probabilities for calculating the distances. [0041] Using the methods of RNN/LSTM and Markov chain, the log events analyzer has the ability to calculate a score for each log record that will determine how rare is a present event.).
Regarding claims 5, 13, Gefen discloses: 
wherein the recurrent neural network is trained on windowed sequences from the sequence of computer network traffic ([0026] Embodiments of significant identifier component 127 include a process and system to filter significant events using RNN and Markov Chains models to analyze the importance of each event of a time series of events. The process tags and shows the filtered events which overlays selected important events coming from all the different sources on top of any time series data for display to the user in the form of a comprehensive graph or report. The desired events are anomalies (in terms of textual content) or trend changes found on any of the data sources and displayed on a single chosen time-series. [0029] FIG. 2 illustrates the main functional components and/or processes of the significant events identifier 127 of FIG. 1, under some embodiments. As shown in diagram 200, the main components include a near real-time data collection component 202, a time series anomaly detection module 204 that is applied over the numeric performance data by the collection component 202 to identify outages of the environment, a log analyzer 206 that filters and maps outages to relevant events, and a user interface 208 that presents the performance of the system across time overlapped with important events tagged to it. [0034] With respect to the log events analyzer 206, given the output of the anomaly detection module 204, this module gets the timestamp of the outage and analyzes all the events around this timestamp from multiple sources. This helps to filter usual events and mark the importance of each event, which is the importance in terms of describing and explaining the outage cause. In order to determine which event is important and which is not, the method extracts the relevant features from the logs and counts the number of occurrences for each feature-value pair and their relative order. [0033] Some anomaly detection methods employ smoothers of the time-series while others use forecasting methods. For detecting an outlier on the edge of a time series (the newest point), forecasting methods are generally better suited. In an embodiment, the anomaly detection process 204 conducts a competition between different forecasting models and chooses the one that performs the best on a test data set, i.e., the one that has the minimal error. The best model is used for forecasting, and the difference between the actual value and the predicted one is calculated and evaluated. If the residual is significantly larger when comparing to the residual population the process declares the event to be an anomaly. This method also detects unexpected changes in trend or seasonality, where seasonality refers to the periodic fluctuations that may be displayed by time series, such as backup operations increasing at midnight. The process can also be configured to assign weights for the anomalies based on the significance of the residual for a weighted calculation. When an outage is discovered, the detection module 204 triggers the log events analyzer module 206, which will find the potential causes in the events data. [0046] FIG. 4 illustrates an example labeled chart for the significant events identifier method, under some embodiments. The display 400 shown in the example of FIG. 4 comprises a graph 402 of network showing events as the performance of the network (devices and interfaces) along a timeline (e.g., hours in a day). The unit of performance can be any appropriate measurable metric, such as bandwidth, throughput, processor speed, and so on. The time-series performance metric generates a trace over time that is typically characterized by peaks and valleys, which themselves may be characterized as events. The graph 402 is tagged with an indexed label identifying each of the events and any detected anomalies in a contrasting visual manner. These are shown as indexed labels A through Z for display trace 402. the indexed label comprises an alphanumeric character superimposed proximate the events and anomaly, and wherein the chart comprises an interactive chart wherein each indexed label provides an interface providing to information about each event, the information including description, data source, and time of event. [0051] In an embodiment, anomaly detection can use a causal graph encompasses time-series data for each of the components, such as temporal log data from transactions for each component. Embodiments use one of several known ways to find anomalies in a time series. For example, one method uses smoothers of the time-series, while others use forecasting methods. For detecting an outlier on the edge of a time series (the newest point), forecasting methods are generally more suitable. In an embodiment, the process conducts a competition between different forecasting models and chooses the one that performs the best on a test data set, i.e., the one that has the minimal error. The best model is used for forecasting and the difference between the actual value and the predicted one is calculated and evaluated. If the residual is significantly larger when comparing to the residual population, it is declared as an anomaly. The residual population essentially defines a threshold value against which an actual residual can be compared to allow the process to declare the outlier to be an anomaly. This method will thus detect unexpected changes in trend or seasonality, where seasonality refers to the periodic fluctuations that may be displayed by time series, such as backup operations increasing at midnight. The process can also be configured to assign weights for the anomalies based on the significance of the residual for a weighted calculation.).
Regarding claims 6, 14, Gefen discloses:
wherein the window comprises a multiple of a day, a week, or a month ([0046] FIG. 4 illustrates an example labeled chart for the significant events identifier method, under some embodiments. The display 400 shown in the example of FIG. 4 comprises a graph 402 of network showing events as the performance of the network (devices and interfaces) along a timeline (e.g., hours in a day). The unit of performance can be any appropriate measurable metric, such as bandwidth, throughput, processor speed, and so on. The time-series performance metric generates a trace over time that is typically characterized by peaks and valleys, which themselves may be characterized as events. The graph 402 is tagged with an indexed label identifying each of the events and any detected anomalies in a contrasting visual manner. These are shown as indexed labels A through Z for display trace 402. the indexed label comprises an alphanumeric character superimposed proximate the events and anomaly, and wherein the chart comprises an interactive chart wherein each indexed label provides an interface providing to information about each event, the information including description, data source, and time of event.).
Regarding claims 7, 15, and 21, Gefen discloses:
wherein the difference between the predicted next element in the high-dimensional time series and an observed actual next element in the high- dimensional time series comprise at least one of long short history threshold, self- adapting dynamic threshold, absolute difference, difference relative to either predicted or actual observed next element, z-score, dynamic threshold, or difference between short- term and long-term prediction error ([0049] FIG. 5 is a flowchart illustrating an overall method of identifying significant events for an outlier root cause investigation, under some embodiments. Process 500 starts by collecting time series data for events for each device of the network, 502. A time series anomaly detector is then used to detect an anomaly that comprises an outlier on an edge of the time series data by comparing a predicted value of the event to an actual value of the event using a selected forecasting model, or any other appropriate anomaly detection method, 504. The process declares an event to be an anomaly at a particular time if a difference between the predicted value and actual value exceed a defined threshold based on residual values for other devices of the network, 506. A log events analyzer is then used to analyze all events for all devices of the network within a defined time proximity of the particular time of the anomaly to filter usual events and rank each event relative to the anomaly, 508. A labeled chart of the time series is then displayed to the user through a GUI to show the anomaly in a graphical context relative to all the other temporally proximate events, 510. [0051] In an embodiment, anomaly detection can use a causal graph encompasses time-series data for each of the components, such as temporal log data from transactions for each component. Embodiments use one of several known ways to find anomalies in a time series. For example, one method uses smoothers of the time-series, while others use forecasting methods. For detecting an outlier on the edge of a time series (the newest point), forecasting methods are generally more suitable. In an embodiment, the process conducts a competition between different forecasting models and chooses the one that performs the best on a test data set, i.e., the one that has the minimal error. The best model is used for forecasting and the difference between the actual value and the predicted one is calculated and evaluated. If the residual is significantly larger when comparing to the residual population, it is declared as an anomaly. The residual population essentially defines a threshold value against which an actual residual can be compared to allow the process to declare the outlier to be an anomaly. This method will thus detect unexpected changes in trend or seasonality, where seasonality refers to the periodic fluctuations that may be displayed by time series, such as backup operations increasing at midnight. The process can also be configured to assign weights for the anomalies based on the significance of the residual for a weighted calculation.).
Regarding claims 8, 16, Gefen discloses:
notifying a user upon determination that the observed next element in the time series is anomalous ([0026] Embodiments of significant identifier component 127 include a process and system to filter significant events using RNN and Markov Chains models to analyze the importance of each event of a time series of events. The process tags and shows the filtered events which overlays selected important events coming from all the different sources on top of any time series data for display to the user in the form of a comprehensive graph or report. The desired events are anomalies (in terms of textual content) or trend changes found on any of the data sources and displayed on a single chosen time-series. [0027] Embodiments include a graphical user interface (GUI) that allows personnel to get a visual display of the outages augmented with the relevant events tagged on top of it. The augmented tagged events will serve as supporting evidence of any outage investigated. This visual display can be used to help plan for the future and take more inform decisions with regards to resource planning as well as support and maintenance hours. In addition, since all the analysis is done in real-time the system can notify personnel if an unexpected behavior was identified and point to potential root cause or causes for it. [0049] FIG. 5 is a flowchart illustrating an overall method of identifying significant events for an outlier root cause investigation, under some embodiments. Process 500 starts by collecting time series data for events for each device of the network, 502. A time series anomaly detector is then used to detect an anomaly that comprises an outlier on an edge of the time series data by comparing a predicted value of the event to an actual value of the event using a selected forecasting model, or any other appropriate anomaly detection method, 504. The process declares an event to be an anomaly at a particular time if a difference between the predicted value and actual value exceed a defined threshold based on residual values for other devices of the network, 506. A log events analyzer is then used to analyze all events for all devices of the network within a defined time proximity of the particular time of the anomaly to filter usual events and rank each event relative to the anomaly, 508. A labeled chart of the time series is then displayed to the user through a GUI to show the anomaly in a graphical context relative to all the other temporally proximate events, 510. ).
Regarding claim 9, Gefen discloses:
a computer system configured to detect anomalies in a sequence of commercial transaction data (abstract), comprising: 
a processor operable to execute a series of computer instructions ([0025], [052]-[054]); and 
a set of computer instructions comprising a preprocessor module, a recurrent neural network module, and an output module ([0025], [052]-[055]); 
the preprocessor module operable to process commercial transaction data into a time series sequence of commercial transaction data ( [0024] In an embodiment, network system 100 includes an analysis server 108 that executes significant events identifier process 127 that gathers and analyzes time series data of the network and its devices to identify significant events among the vast number of events generated every period. It further provides a user interface to display the events in historical context so that SMEs and other personnel can assess actual network conditions and pursue appropriate remedial measures in the event of abnormal or problematic events. Embodiments of the significant event identifier 127 may be used with a root cause analyzer process 121. This process 121 may implement an automated procedure that finds the root cause of anomalies, unusual behavior or problems exhibited by any of the components in system 100. It uses a causal graph of the system acquired using domain experts or by using a semi-supervised tool. In an embodiment, the analyzer process 121 finds possible causes using a causal graph, and generates a prioritized list of possible causes to an observed anomaly. The result allows analysts to explore and verify the real cause of an anomaly in real or near real time. For the embodiment of FIG. 1, the significant events identifier 127 may be associated with, or included as part of the root cause analyzer 121 or it may be a separate component, as shown in FIG. 1. [0028] The significant events analyzer builds on an anomaly detection process and adds certain features including: analyzing numeric and performance data to detect an anomaly, analyzing textual information from multiple sources (e.g., log data) in the time area of the anomaly to find related and informative logs leveraging state-of-the-art deep learning models such as Recurrent Neural Networks (RNN) and LSTM in addition to Markov Chains, and automatically overlaying the most significant actual logs/source information over the time series display. This process does not just display the anomaly or a numerical indicator of the anomaly, but rather the actual related log/source events. This feature provides a major advantage over previous methods as it provides proof, context, or supporting evidence of an event. This data analysis and presentation adds tools to help understand the logs or figure out what parts of the data source is relevant. It greatly enables an SME reading the logs or data sources to relate the logs to the events and identify valid issues and appropriate remedial measures. [0029] FIG. 2 illustrates the main functional components and/or processes of the significant events identifier 127 of FIG. 1, under some embodiments. As shown in diagram 200, the main components include a near real-time data collection component 202, a time series anomaly detection module 204 that is applied over the numeric performance data by the collection component 202 to identify outages of the environment, a log analyzer 206 that filters and maps outages to relevant events, and a user interface 208 that presents the performance of the system across time overlapped with important events tagged to it.); 
the recurrent neural network module operable to receive the time series sequence of commercial transaction data from the preprocessor ([0026] Embodiments of significant identifier component 127 include a process and system to filter significant events using RNN and Markov Chains models to analyze the importance of each event of a time series of events. The process tags and shows the filtered events which overlays selected important events coming from all the different sources on top of any time series data for display to the user in the form of a comprehensive graph or report. The desired events are anomalies (in terms of textual content) or trend changes found on any of the data sources and displayed on a single chosen time-series. [0028] The significant events analyzer builds on an anomaly detection process and adds certain features including: analyzing numeric and performance data to detect an anomaly, analyzing textual information from multiple sources (e.g., log data) in the time area of the anomaly to find related and informative logs leveraging state-of-the-art deep learning models such as Recurrent Neural Networks (RNN) and LSTM in addition to Markov Chains, and automatically overlaying the most significant actual logs/source information over the time series display. This process does not just display the anomaly or a numerical indicator of the anomaly, but rather the actual related log/source events. This feature provides a major advantage over previous methods as it provides proof, context, or supporting evidence of an event. This data analysis and presentation adds tools to help understand the logs or figure out what parts of the data source is relevant. It greatly enables an SME reading the logs or data sources to relate the logs to the events and identify valid issues and appropriate remedial measures.) and to evaluate the provided time series sequence of commercial transaction data  to generate and output a predicted next element in the time series sequence of commercial transaction data( [0032] With respect to the time series anomaly detection module 204, there are several known ways to find anomalies in a time series. Anomaly detection for time series typically involves finding outlier data points relative to a standard (usual or normal) signal. There can be several types of anomalies and the primary types include additive outliers (spikes), temporal changes, and seasonal or level shifts. Anomaly detection processes typically work in one of two ways. First, they label each time point as an anomaly or non-anomaly; second, they forecast a signal for some point and test if the point value from the forecast by a margin defining it as an anomaly. In an embodiment, any anomaly detection method may be used including STL (seasonal-trend decomposition), classification and regression trees, ARIMA modeling, exponential smoothing, neural networks, and other similar methods. [0045] Embodiments of component 127 include a process and system to filter significant events using RNN and Markov chains models to analyze the importance of events. The process tags and shows the filtered events which overlays selected important events coming from all the different sources on top of any time series data. The desired events will be anomalies (in terms of textual content) or trend changes found on any of the data sources and displayed on a single chosen time-series. As shown in FIG. 2, a user interface 208 presents to the user the time series charts with labels on top of it to provide an interactive chart that connects the outliers (in contrasting display such as color or pattern) to the events. The graph is interactive so that the user can click on the tag labels to access further information about the event itself, such as event description, data source and timestamp. [0049] FIG. 5 is a flowchart illustrating an overall method of identifying significant events for an outlier root cause investigation, under some embodiments. Process 500 starts by collecting time series data for events for each device of the network, 502. A time series anomaly detector is then used to detect an anomaly that comprises an outlier on an edge of the time series data by comparing a predicted value of the event to an actual value of the event using a selected forecasting model, or any other appropriate anomaly detection method, 504. The process declares an event to be an anomaly at a particular time if a difference between the predicted value and actual value exceed a defined threshold based on residual values for other devices of the network, 506. A log events analyzer is then used to analyze all events for all devices of the network within a defined time proximity of the particular time of the anomaly to filter usual events and rank each event relative to the anomaly, 508. A labeled chart of the time series is then displayed to the user through a GUI to show the anomaly in a graphical context relative to all the other temporally proximate events, 510.); and 
the output module operable to compare the predicted next element in the time series sequence of commercial transaction data with an observed actual next element in the time series sequence of commercial transaction data  ( [0032] With respect to the time series anomaly detection module 204, there are several known ways to find anomalies in a time series. Anomaly detection for time series typically involves finding outlier data points relative to a standard (usual or normal) signal. There can be several types of anomalies and the primary types include additive outliers (spikes), temporal changes, and seasonal or level shifts. Anomaly detection processes typically work in one of two ways. First, they label each time point as an anomaly or non-anomaly; second, they forecast a signal for some point and test if the point value from the forecast by a margin defining it as an anomaly. In an embodiment, any anomaly detection method may be used including STL (seasonal-trend decomposition), classification and regression trees, ARIMA modeling, exponential smoothing, neural networks, and other similar methods. [0033] Some anomaly detection methods employ smoothers of the time-series while others use forecasting methods. For detecting an outlier on the edge of a time series (the newest point), forecasting methods are generally better suited. In an embodiment, the anomaly detection process 204 conducts a competition between different forecasting models and chooses the one that performs the best on a test data set, i.e., the one that has the minimal error. The best model is used for forecasting, and the difference between the actual value and the predicted one is calculated and evaluated. If the residual is significantly larger when comparing to the residual population the process declares the event to be an anomaly. This method also detects unexpected changes in trend or seasonality, where seasonality refers to the periodic fluctuations that may be displayed by time series, such as backup operations increasing at midnight. The process can also be configured to assign weights for the anomalies based on the significance of the residual for a weighted calculation. When an outage is discovered, the detection module 204 triggers the log events analyzer module 206, which will find the potential causes in the events data. [0040] In general, RNNs excel at capturing the order in which previous events were executed. This helps in the identification of anomalous processes, (e.g., a continued increase of power usage) which were hidden as normal events when analyzed separately. Using this output, the process 200 can learn the difference between the actual events and the predicted events. By further calculating the distances, it can determine if the sequence can be considered an anomaly. As used herein a distance is basically the probability of getting an event (event X) as an input. The RNN model can give as an output the distribution over all inputs, and the system can use these probabilities for calculating the distances. [0049] FIG. 5 is a flowchart illustrating an overall method of identifying significant events for an outlier root cause investigation, under some embodiments. Process 500 starts by collecting time series data for events for each device of the network, 502. A time series anomaly detector is then used to detect an anomaly that comprises an outlier on an edge of the time series data by comparing a predicted value of the event to an actual value of the event using a selected forecasting model, or any other appropriate anomaly detection method, 504. The process declares an event to be an anomaly at a particular time if a difference between the predicted value and actual value exceed a defined threshold based on residual values for other devices of the network, 506. A log events analyzer is then used to analyze all events for all devices of the network within a defined time proximity of the particular time of the anomaly to filter usual events and rank each event relative to the anomaly, 508. A labeled chart of the time series is then displayed to the user through a GUI to show the anomaly in a graphical context relative to all the other temporally proximate events, 510.) [0051] In an embodiment, anomaly detection can use a causal graph encompasses time-series data for each of the components, such as temporal log data from transactions for each component. Embodiments use one of several known ways to find anomalies in a time series. For example, one method uses smoothers of the time-series, while others use forecasting methods. For detecting an outlier on the edge of a time series (the newest point), forecasting methods are generally more suitable. In an embodiment, the process conducts a competition between different forecasting models and chooses the one that performs the best on a test data set, i.e., the one that has the minimal error. The best model is used for forecasting and the difference between the actual value and the predicted one is calculated and evaluated. If the residual is significantly larger when comparing to the residual population, it is declared as an anomaly. The residual population essentially defines a threshold value against which an actual residual can be compared to allow the process to declare the outlier to be an anomaly. This method will thus detect unexpected changes in trend or seasonality, where seasonality refers to the periodic fluctuations that may be displayed by time series, such as backup operations increasing at midnight. The process can also be configured to assign weights for the anomalies based on the significance of the residual for a weighted calculation.), and to determine whether the observed next element in the time series sequence of commercial transaction data is anomalous based on a difference between the predicted next element in the time series sequence of commercial transaction data with an observed actual next element in the time series sequence of commercial transaction data ([0033] Some anomaly detection methods employ smoothers of the time-series while others use forecasting methods. For detecting an outlier on the edge of a time series (the newest point), forecasting methods are generally better suited. In an embodiment, the anomaly detection process 204 conducts a competition between different forecasting models and chooses the one that performs the best on a test data set, i.e., the one that has the minimal error. The best model is used for forecasting, and the difference between the actual value and the predicted one is calculated and evaluated. If the residual is significantly larger when comparing to the residual population the process declares the event to be an anomaly. This method also detects unexpected changes in trend or seasonality, where seasonality refers to the periodic fluctuations that may be displayed by time series, such as backup operations increasing at midnight. The process can also be configured to assign weights for the anomalies based on the significance of the residual for a weighted calculation. When an outage is discovered, the detection module 204 triggers the log events analyzer module 206, which will find the potential causes in the events data. [0040] In general, RNNs excel at capturing the order in which previous events were executed. This helps in the identification of anomalous processes, (e.g., a continued increase of power usage) which were hidden as normal events when analyzed separately. Using this output, the process 200 can learn the difference between the actual events and the predicted events. By further calculating the distances, it can determine if the sequence can be considered an anomaly. As used herein a distance is basically the probability of getting an event (event X) as an input. The RNN model can give as an output the distribution over all inputs, and the system can use these probabilities for calculating the distances. [0049] FIG. 5 is a flowchart illustrating an overall method of identifying significant events for an outlier root cause investigation, under some embodiments. Process 500 starts by collecting time series data for events for each device of the network, 502. A time series anomaly detector is then used to detect an anomaly that comprises an outlier on an edge of the time series data by comparing a predicted value of the event to an actual value of the event using a selected forecasting model, or any other appropriate anomaly detection method, 504. The process declares an event to be an anomaly at a particular time if a difference between the predicted value and actual value exceed a defined threshold based on residual values for other devices of the network, 506. A log events analyzer is then used to analyze all events for all devices of the network within a defined time proximity of the particular time of the anomaly to filter usual events and rank each event relative to the anomaly, 508. A labeled chart of the time series is then displayed to the user through a GUI to show the anomaly in a graphical context relative to all the other temporally proximate events, 510. [0051] In an embodiment, anomaly detection can use a causal graph encompasses time-series data for each of the components, such as temporal log data from transactions for each component. Embodiments use one of several known ways to find anomalies in a time series. For example, one method uses smoothers of the time-series, while others use forecasting methods. For detecting an outlier on the edge of a time series (the newest point), forecasting methods are generally more suitable. In an embodiment, the process conducts a competition between different forecasting models and chooses the one that performs the best on a test data set, i.e., the one that has the minimal error. The best model is used for forecasting and the difference between the actual value and the predicted one is calculated and evaluated. If the residual is significantly larger when comparing to the residual population, it is declared as an anomaly. The residual population essentially defines a threshold value against which an actual residual can be compared to allow the process to declare the outlier to be an anomaly. This method will thus detect unexpected changes in trend or seasonality, where seasonality refers to the periodic fluctuations that may be displayed by time series, such as backup operations increasing at midnight. The process can also be configured to assign weights for the anomalies based on the significance of the residual for a weighted calculation. See also claim 1. ).
Regarding claim 17, Gefen discloses:
a method of training a recurrent neural network to identify anomalous traffic in a sequence of commercial transaction data (abstract, [010]), comprising: 
preprocessing commercial transaction data into a time series sequence of commercial transaction data ( [0024] In an embodiment, network system 100 includes an analysis server 108 that executes significant events identifier process 127 that gathers and analyzes time series data of the network and its devices to identify significant events among the vast number of events generated every period. It further provides a user interface to display the events in historical context so that SMEs and other personnel can assess actual network conditions and pursue appropriate remedial measures in the event of abnormal or problematic events. Embodiments of the significant event identifier 127 may be used with a root cause analyzer process 121. This process 121 may implement an automated procedure that finds the root cause of anomalies, unusual behavior or problems exhibited by any of the components in system 100. It uses a causal graph of the system acquired using domain experts or by using a semi-supervised tool. In an embodiment, the analyzer process 121 finds possible causes using a causal graph, and generates a prioritized list of possible causes to an observed anomaly. The result allows analysts to explore and verify the real cause of an anomaly in real or near real time. For the embodiment of FIG. 1, the significant events identifier 127 may be associated with, or included as part of the root cause analyzer 121 or it may be a separate component, as shown in FIG. 1. [0028] The significant events analyzer builds on an anomaly detection process and adds certain features including: analyzing numeric and performance data to detect an anomaly, analyzing textual information from multiple sources (e.g., log data) in the time area of the anomaly to find related and informative logs leveraging state-of-the-art deep learning models such as Recurrent Neural Networks (RNN) and LSTM in addition to Markov Chains, and automatically overlaying the most significant actual logs/source information over the time series display. This process does not just display the anomaly or a numerical indicator of the anomaly, but rather the actual related log/source events. This feature provides a major advantage over previous methods as it provides proof, context, or supporting evidence of an event. This data analysis and presentation adds tools to help understand the logs or figure out what parts of the data source is relevant. It greatly enables an SME reading the logs or data sources to relate the logs to the events and identify valid issues and appropriate remedial measures. [0029] FIG. 2 illustrates the main functional components and/or processes of the significant events identifier 127 of FIG. 1, under some embodiments. As shown in diagram 200, the main components include a near real-time data collection component 202, a time series anomaly detection module 204 that is applied over the numeric performance data by the collection component 202 to identify outages of the environment, a log analyzer 206 that filters and maps outages to relevant events, and a user interface 208 that presents the performance of the system across time overlapped with important events tagged to it.); 
providing the time series to a recurrent neural network ( [0026] Embodiments of significant identifier component 127 include a process and system to filter significant events using RNN and Markov Chains models to analyze the importance of each event of a time series of events. The process tags and shows the filtered events which overlays selected important events coming from all the different sources on top of any time series data for display to the user in the form of a comprehensive graph or report. The desired events are anomalies (in terms of textual content) or trend changes found on any of the data sources and displayed on a single chosen time-series. [0028] The significant events analyzer builds on an anomaly detection process and adds certain features including: analyzing numeric and performance data to detect an anomaly, analyzing textual information from multiple sources (e.g., log data) in the time area of the anomaly to find related and informative logs leveraging state-of-the-art deep learning models such as Recurrent Neural Networks (RNN) and LSTM in addition to Markov Chains, and automatically overlaying the most significant actual logs/source information over the time series display. This process does not just display the anomaly or a numerical indicator of the anomaly, but rather the actual related log/source events. This feature provides a major advantage over previous methods as it provides proof, context, or supporting evidence of an event. This data analysis and presentation adds tools to help understand the logs or figure out what parts of the data source is relevant. It greatly enables an SME reading the logs or data sources to relate the logs to the events and identify valid issues and appropriate remedial measures.); 
evaluating the provided time series in the recurrent neural network to generate and output a predicted next element in the time series ( [0032] With respect to the time series anomaly detection module 204, there are several known ways to find anomalies in a time series. Anomaly detection for time series typically involves finding outlier data points relative to a standard (usual or normal) signal. There can be several types of anomalies and the primary types include additive outliers (spikes), temporal changes, and seasonal or level shifts. Anomaly detection processes typically work in one of two ways. First, they label each time point as an anomaly or non-anomaly; second, they forecast a signal for some point and test if the point value from the forecast by a margin defining it as an anomaly. In an embodiment, any anomaly detection method may be used including STL (seasonal-trend decomposition), classification and regression trees, ARIMA modeling, exponential smoothing, neural networks, and other similar methods. [0045] Embodiments of component 127 include a process and system to filter significant events using RNN and Markov chains models to analyze the importance of events. The process tags and shows the filtered events which overlays selected important events coming from all the different sources on top of any time series data. The desired events will be anomalies (in terms of textual content) or trend changes found on any of the data sources and displayed on a single chosen time-series. As shown in FIG. 2, a user interface 208 presents to the user the time series charts with labels on top of it to provide an interactive chart that connects the outliers (in contrasting display such as color or pattern) to the events. The graph is interactive so that the user can click on the tag labels to access further information about the event itself, such as event description, data source and timestamp. [0049] FIG. 5 is a flowchart illustrating an overall method of identifying significant events for an outlier root cause investigation, under some embodiments. Process 500 starts by collecting time series data for events for each device of the network, 502. A time series anomaly detector is then used to detect an anomaly that comprises an outlier on an edge of the time series data by comparing a predicted value of the event to an actual value of the event using a selected forecasting model, or any other appropriate anomaly detection method, 504. The process declares an event to be an anomaly at a particular time if a difference between the predicted value and actual value exceed a defined threshold based on residual values for other devices of the network, 506. A log events analyzer is then used to analyze all events for all devices of the network within a defined time proximity of the particular time of the anomaly to filter usual events and rank each event relative to the anomaly, 508. A labeled chart of the time series is then displayed to the user through a GUI to show the anomaly in a graphical context relative to all the other temporally proximate events, 510.); 
comparing the predicted next element in the time series with an observed actual next element in the time series ( [0032] With respect to the time series anomaly detection module 204, there are several known ways to find anomalies in a time series. Anomaly detection for time series typically involves finding outlier data points relative to a standard (usual or normal) signal. There can be several types of anomalies and the primary types include additive outliers (spikes), temporal changes, and seasonal or level shifts. Anomaly detection processes typically work in one of two ways. First, they label each time point as an anomaly or non-anomaly; second, they forecast a signal for some point and test if the point value from the forecast by a margin defining it as an anomaly. In an embodiment, any anomaly detection method may be used including STL (seasonal-trend decomposition), classification and regression trees, ARIMA modeling, exponential smoothing, neural networks, and other similar methods. [0033] Some anomaly detection methods employ smoothers of the time-series while others use forecasting methods. For detecting an outlier on the edge of a time series (the newest point), forecasting methods are generally better suited. In an embodiment, the anomaly detection process 204 conducts a competition between different forecasting models and chooses the one that performs the best on a test data set, i.e., the one that has the minimal error. The best model is used for forecasting, and the difference between the actual value and the predicted one is calculated and evaluated. If the residual is significantly larger when comparing to the residual population the process declares the event to be an anomaly. This method also detects unexpected changes in trend or seasonality, where seasonality refers to the periodic fluctuations that may be displayed by time series, such as backup operations increasing at midnight. The process can also be configured to assign weights for the anomalies based on the significance of the residual for a weighted calculation. When an outage is discovered, the detection module 204 triggers the log events analyzer module 206, which will find the potential causes in the events data. [0040] In general, RNNs excel at capturing the order in which previous events were executed. This helps in the identification of anomalous processes, (e.g., a continued increase of power usage) which were hidden as normal events when analyzed separately. Using this output, the process 200 can learn the difference between the actual events and the predicted events. By further calculating the distances, it can determine if the sequence can be considered an anomaly. As used herein a distance is basically the probability of getting an event (event X) as an input. The RNN model can give as an output the distribution over all inputs, and the system can use these probabilities for calculating the distances. [0049] FIG. 5 is a flowchart illustrating an overall method of identifying significant events for an outlier root cause investigation, under some embodiments. Process 500 starts by collecting time series data for events for each device of the network, 502. A time series anomaly detector is then used to detect an anomaly that comprises an outlier on an edge of the time series data by comparing a predicted value of the event to an actual value of the event using a selected forecasting model, or any other appropriate anomaly detection method, 504. The process declares an event to be an anomaly at a particular time if a difference between the predicted value and actual value exceed a defined threshold based on residual values for other devices of the network, 506. A log events analyzer is then used to analyze all events for all devices of the network within a defined time proximity of the particular time of the anomaly to filter usual events and rank each event relative to the anomaly, 508. A labeled chart of the time series is then displayed to the user through a GUI to show the anomaly in a graphical context relative to all the other temporally proximate events, 510.) [0051] In an embodiment, anomaly detection can use a causal graph encompasses time-series data for each of the components, such as temporal log data from transactions for each component. Embodiments use one of several known ways to find anomalies in a time series. For example, one method uses smoothers of the time-series, while others use forecasting methods. For detecting an outlier on the edge of a time series (the newest point), forecasting methods are generally more suitable. In an embodiment, the process conducts a competition between different forecasting models and chooses the one that performs the best on a test data set, i.e., the one that has the minimal error. The best model is used for forecasting and the difference between the actual value and the predicted one is calculated and evaluated. If the residual is significantly larger when comparing to the residual population, it is declared as an anomaly. The residual population essentially defines a threshold value against which an actual residual can be compared to allow the process to declare the outlier to be an anomaly. This method will thus detect unexpected changes in trend or seasonality, where seasonality refers to the periodic fluctuations that may be displayed by time series, such as backup operations increasing at midnight. The process can also be configured to assign weights for the anomalies based on the significance of the residual for a weighted calculation.); and 
training the recurrent neural network to better predict the next element using the loss metric by adjusting coefficients of the recurrent neural network to reduce the loss metric ([0028] The significant events analyzer builds on an anomaly detection process and adds certain features including: analyzing numeric and performance data to detect an anomaly, analyzing textual information from multiple sources (e.g., log data) in the time area of the anomaly to find related and informative logs leveraging state-of-the-art deep learning models such as Recurrent Neural Networks (RNN) and LSTM in addition to Markov Chains, and automatically overlaying the most significant actual logs/source information over the time series display. This process does not just display the anomaly or a numerical indicator of the anomaly, but rather the actual related log/source events. This feature provides a major advantage over previous methods as it provides proof, context, or supporting evidence of an event. This data analysis and presentation adds tools to help understand the logs or figure out what parts of the data source is relevant. It greatly enables an SME reading the logs or data sources to relate the logs to the events and identify valid issues and appropriate remedial measures. [0034] With respect to the log events analyzer 206, given the output of the anomaly detection module 204, this module gets the timestamp of the outage and analyzes all the events around this timestamp from multiple sources. This helps to filter usual events and mark the importance of each event, which is the importance in terms of describing and explaining the outage cause. In order to determine which event is important and which is not, the method extracts the relevant features from the logs and counts the number of occurrences for each feature-value pair and their relative order. In an embodiment, the log events analyzer 206 uses a method that is based on LSTM/RNN (Long Short-Term Memory/Recurrent Neural Networks) and Markov Chains for log analysis. Both methods get as an input a series of log events, denoted (x.sub.0, . . . , x.sub.n-1), and the output is the probability of event x.sub.n to happen. This enables an understanding of whether or not an event can be considered normal or not normal. [0037] In the RNN approach, the process also learns patterns of sequences (rather than single events) in the log data to determine what should be the next event that the system will generate. RNNs can be considered as neural networks with memory to keep information of what has been processed so far. An RNN is generally created by applying the same set of weights recursively over a differentiable graph by traversing the graph in topological order. The LSTM units are the building blocks for the RNN and an RNN composed of LSTM units is referred to as an LSTM network. A common LSTM unit is composed of a cell, an input gate, an output gate and a forget gate. The cell is responsible for remembering values over arbitrary time intervals, thus providing the memory function. RNNs are very powerful dynamic systems for sequence tasks, and this characteristic is leveraged for the log analysis process by inserting the log events in their original order to predict the next event.).
Regarding claim 18, Gefen discloses: 
repeating the preprocessing, providing, evaluating, comparing, and training steps for a series of sequential windowed data sets derived from the commercial transaction data ([0028] The significant events analyzer builds on an anomaly detection process and adds certain features including: analyzing numeric and performance data to detect an anomaly, analyzing textual information from multiple sources (e.g., log data) in the time area of the anomaly to find related and informative logs leveraging state-of-the-art deep learning models such as Recurrent Neural Networks (RNN) and LSTM in addition to Markov Chains, and automatically overlaying the most significant actual logs/source information over the time series display. This process does not just display the anomaly or a numerical indicator of the anomaly, but rather the actual related log/source events. This feature provides a major advantage over previous methods as it provides proof, context, or supporting evidence of an event. This data analysis and presentation adds tools to help understand the logs or figure out what parts of the data source is relevant. It greatly enables an SME reading the logs or data sources to relate the logs to the events and identify valid issues and appropriate remedial measures. [0034] With respect to the log events analyzer 206, given the output of the anomaly detection module 204, this module gets the timestamp of the outage and analyzes all the events around this timestamp from multiple sources. This helps to filter usual events and mark the importance of each event, which is the importance in terms of describing and explaining the outage cause. In order to determine which event is important and which is not, the method extracts the relevant features from the logs and counts the number of occurrences for each feature-value pair and their relative order. In an embodiment, the log events analyzer 206 uses a method that is based on LSTM/RNN (Long Short-Term Memory/Recurrent Neural Networks) and Markov Chains for log analysis. Both methods get as an input a series of log events, denoted (x.sub.0, . . . , x.sub.n-1), and the output is the probability of event x.sub.n to happen. This enables an understanding of whether or not an event can be considered normal or not normal. ).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Joseph (US Patent Pub 2020/0184494) This disclosure is directed to improved methods, systems and computer readable media for forecasting demand for products and/or services based on selecting from among a set of multiple different machine learning algorithms (e.g., linear regression, gradient boosting, neural network, etc.) that are each adapted for forecasting demand for a dataset.
Gefen (US Patent Pub 2019/0228353) Embodiments are generally directed to enterprise networks, and more specifically to anomaly detection and analysis of business processes in IT environments.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MARIA C SANTOS-DIAZ whose telephone number is (571)272-6532. The examiner can normally be reached Monday-Friday 8:00AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Sarah Monfeldt can be reached on 571-270-1833. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MARIA C SANTOS-DIAZ/               Primary Examiner, Art Unit 3689