DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions. In the event the determination of the status of the application as subject to AIA 35 U.S.C. §102 and §103 (or as subject to pre-AIA 35 U.S.C. §102 and §103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Priority
Examiner acknowledges Applicant's claim for benefit based on 13/850,725 filed 3/26/2013 (now USPN 10,346,744), which claims benefit of 61/617,163 filed 3/29/2012.

Consideration of Art Cited in Parent Application(s)
As required by M.P.E.P. 2001.06(b) and 37 C.F.R. 1.98(d), since the instant application has been identified as a continuation/divisional/continuation-in-part application of earlier filed application(s) and is relied upon for an earlier filing date under 35 U.S.C. 120, the examiner has reviewed the prior art cited in the earlier related application(s) as required by M.P.E.P. 707.05 and 904 and as stated in M.P.E.P. 2001.06(b), no separate citation of the same prior art need be made by the applicants in the instant application. The case file(s), including Office Action(s) for the parent application(s), have also been reviewed.

Title
The title of the invention is not descriptive. A new title is required that is clearly indicative of the invention to which the claims are directed. Examiner believes that the title of the invention is imprecise. A descriptive title indicative of the invention will help in proper indexing, classifying, searching, etc. See MPEP §606.01. However, the title of the invention should be limited to 500 characters. Examiner suggests including the aspect(s) of the claims which Applicant believes to be novel or nonobvious over the prior art.

Claim Interpretation
This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function. Such claim limitation(s) is/are: “computer means: to monitor and collect … to monitor and collect … to execute … to initiate displaying” in claim 20.
Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.
If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to remove the structure, materials, or acts that perform the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-4, 6-8, 11-16, and 18-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 5, 12, 16, 19, and 23 of U.S. Patent No. 10,346,744. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims are essentially performing the same functions as the patented claims, wherein the self-learning process of the instant claims is performing the same function as the analytics engine in the patented claims identifying the patterns as a behavior model.

Instant 16/424,127:
1. A method for analyzing behavior of a computer infrastructure, the method comprising:
monitoring and collecting continuous data on at least one device of a computer infrastructure by at least one agent associated with the at least one device, the continuous data comprises system parameters regarding the at least one device;
monitoring and collecting asynchronous data, by the at least one agent, when changes happen on the at least one device of the computer infrastructure, the asynchronous data including at least log file data of the at least one device;
executing a self-learning process comprising:
probabilistically modelling behaviors of the computer infrastructure using the continuous data and the asynchronous data in real-time;
identifying patterns in the probabilistically modeled behaviors via one or more statistical methods over time that includes analyzing relationships between the continuous data and the asynchronous data to detect a behavior type, of a plurality of behavior types, of at least one component of the computer infrastructure; and
identifying abnormal behaviors based on the identified patterns; and
initiating displaying of an indication indicative of the detected behavior type as graphic elements, at least one of the graphic elements being linked to the continuous data and the asynchronous data.

USPN 10,346,744:
12. A method for analysing a behaviour of a computer infrastructure, the method comprising:
monitoring and collecting, by least one agent, continuous data on at least one device and collecting asynchronous data on the at least one device when changes happen on the at least one device, wherein the asynchronous data includes at least log file data and the continuous data comprises computing resource data regarding the at least one device, the at least one agent forwarding the continuous data and the asynchronous data to a management system;
storing, in at least one database, the continuous data and the asynchronous data including associated time stamps, wherein the continuous data on the at least one device is stored in the at least one database only if a certain threshold value is reached, the management system aggregating the continuous data and the asynchronous data from a plurality of devices that include the at least one device;
analyzing relationships between the continuous data and the asynchronous data; 
detecting a behaviour type of the at least one device of the computer infrastructure based on the analysis;
recognizing recurrent patterns between the continuous data and asynchronous data to further detect the behaviour type;
transferring to a display, an indication of at least one detection of the detected behaviour type as graphic elements, wherein at least one of the graphic elements is linked to the continuous data and the asynchronous data collected by the at least one agent associated with the at least one device, and wherein the graphic elements have different colours or shapes in relation to a degree of impact of the behaviour on the computer infrastructure, further wherein at least a portion of the graphic elements are selectable and open related types of system parameters and the log file data of the continuous data and the asynchronous data within the computer infrastructure;
determining or simulating probabilities of at least a portion of streams of the log file data of the at least one device of the computer infrastructure; and
providing a forecast of possible future performance of the at least one device of the computer infrastructure based on the determination or simulation.

16. The method according to claim 12, further comprising diagnosing an abnormal one of the behaviour type by analysing at least one of a sequence of the at least log file data, temporal parameters of the at least log file data, and the relationships between one or more of the asynchronous data and the continuous data.

Instant claims 2-4, 6-8, 11-13 | USPN 10,346,744 claim 12
Instant claims 14-16, 18-19 | USPN 10,346,744 claims 1 and 5
Instant claim 20 | USPN 10,346,744 claims 19 and 23


CLAIM INTERPRETATION

The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

Claim 20: The claim limitation “computer means: to monitor and collect … to monitor and collect … to execute … to initiate displaying …” uses the phrase “means for” or “step for” or a generic placeholder coupled with functional language, but it is modified by some structure, material, or acts recited in the claim. The claim recites “computer means”, but upon reviewing the specification the examiner has not found sufficient corresponding structure, material, or acts for performing the entire claimed function and such structure, material, or acts being clearly linked to the claimed function. These functions go beyond the off-the-shelf capabilities of a general-purpose computer, and therefore the “computer means” cannot be met by a general-purpose computer alone without particular algorithms, etc.
Therefore, claim 20 invokes §112, sixth paragraph, but the disclosure lacks sufficient corresponding structure, material, or acts clearly linked to the claimed function for performing the entire claimed function. 
If applicant wishes to have the claim limitation treated under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may amend the claim so that the phrase “means for” or “step for” or the generic placeholder is clearly not modified by sufficient structure, material, or acts for performing the claimed function while presenting a sufficient showing that the specification provides sufficient structure, material, or acts for performing the claimed function.
If applicant does not wish to have the claim limitation treated under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may amend the claim so that it will clearly not invoke 35 U.S.C. 112, sixth paragraph, or present a sufficient showing that the claim recites sufficient structure, material, or acts for performing the claimed function to preclude application of 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Examiner notes that if both instances of the word “means” were removed from claim 20, then 112, sixth paragraph, would not be invoked.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 20: Claim limitation “computer means: to monitor and collect … to monitor and collect … to execute … to initiate displaying …” invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The functions listed (i.e. the entire body of claim 20) go beyond the off-the-shelf capabilities of a general-purpose computer, and therefore the “computer means” cannot be met by a general-purpose computer alone without particular algorithms, etc. rendering it to be a specific machine composed of structure, material, or acts for performing the entire claimed function. Examiner has reviewed the as-filed specification and has NOT found sufficient corresponding structure, material, or acts for performing the entire claimed function and such structure, material, or acts being clearly linked to the function. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Examiner notes that if both instances of the word “means” were removed from claim 20, then 112, sixth paragraph, would not be invoked and this rejection under 112, second paragraph, would be moot.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim(s) 1-20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea); and because the claim(s) as a whole, considering all claim elements both individually and in combination, does/do not amount to significantly more than the judicial exception. 

Step 1: Claims 1-13 are within a statutory category eligible for patent protection: process (claims 1-13), machines, manufactures, and compositions of matter. Claims falling under the subject matter categories may be ineligible for patent protection if they encompass laws of nature, physical phenomena, or abstract ideas (judicially recognized exceptions).
Claims 14-19 are rejected under §101 as being directed to software per se. Claim 14 recites a system comprising an agent and an analytical engine, which are both software elements. This “system” lacks anything that would render it as a patentable machine, and therefore these claims are rejected under §101 as being directed to software, per se.
Claim 20 is rejected under §101 as being directed to signals, per se. The claim is directed towards a “computer-readable program stored on a non-volatile medium”. However, this is not a “non-transitory” medium and therefore the medium of claim 20 can be interpreted as represented by a signal or carrier wave. Claims that recite nothing but the physical characteristics of a form of energy, such as a signal or a carrier wave define energy or magnetism, per se, and as such are nonstatutory natural phenomena, see O’Reilly, 56 U.S. (15 How.) at 112-14.

Claim 1 (Independent) 
	Step 2A, prong one: The claim recites: A method …, the method comprising: … executing a self-learning process (directed to Mental Processes, which may be implemented with pen & paper; EN: The human mind is a self-learning system of self-learning processes) comprising: probabilistically modelling behaviors of the computer infrastructure using the continuous data and the asynchronous data in real-time (directed to Mathematical Concepts and/or Mental Processes, which may be implemented with pen & paper); identifying patterns in the probabilistically modeled behaviors via one or more statistical methods over time that includes analyzing relationships between the continuous data and the asynchronous data to detect a behavior type, of a plurality of behavior types, of at least one component of the computer infrastructure (directed to Mental Processes, which may be implemented with pen & paper); and identifying abnormal behaviors based on the identified patterns (directed to Mental Processes, which may be implemented with pen & paper). 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites the additional limitations of: for analyzing behavior of a computer infrastructure, monitoring and collecting continuous data on at least one device of a computer infrastructure by at least one agent associated with the at least one device, the continuous data comprises system parameters regarding the at least one device; monitoring and collecting asynchronous data, by the at least one agent, when changes happen on the at least one device of the computer infrastructure, the asynchronous data including at least log file data of the at least one device; and initiating displaying of an indication indicative of the detected behavior type as graphic elements, at least one of the graphic elements being linked to the continuous data and the asynchronous data. The for analyzing behavior is merely an intended field of use. The computer infrastructure, device of a computer infrastructure, monitoring …, monitoring … are recited at a high level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. The collecting continuous data on at least one device of a computer infrastructure by at least one agent associated with the at least one device, the continuous data comprises system parameters regarding the at least one device; collecting asynchronous data, by the at least one agent, when changes happen on the at least one device of the computer infrastructure, the asynchronous data including at least log file data of the at least one device; and initiating displaying of an indication indicative of the detected behavior type as graphic elements, at least one of the graphic elements being linked to the continuous data and the asynchronous data are merely extra-solution activity.
Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The for analyzing behavior is merely an intended field of use, and limitations that amount to merely indicating a field of use or technological environment in which to apply a judicial exception do not amount to significantly more than the exception itself – see MPEP §2106.05(h). The computer infrastructure, device of a computer infrastructure, monitoring …, monitoring … amounts to using generic computing hardware to implement the abstract idea, which is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(f). The collecting continuous data on at least one device of a computer infrastructure by at least one agent associated with the at least one device, the continuous data comprises system parameters regarding the at least one device; collecting asynchronous data, by the at least one agent, when changes happen on the at least one device of the computer infrastructure, the asynchronous data including at least log file data of the at least one device; initiating displaying of an indication indicative of the detected behavior type as graphic elements, at least one of the graphic elements being linked to the continuous data and the asynchronous data are merely extra-solution activity which amounts to mere data gathering and outputting which is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(g). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. 
There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 2
	Step 2A, prong one: The claim recites: further comprising: determining or simulating probabilities of certain streams of the log file data of the at least one device of the computer infrastructure (directed to Mental Processes, which may be implemented with pen & paper); and providing a forecast of possible future performance of the at least one device of the computer infrastructure based on the determination or simulation (directed to Mental Processes, which may be implemented with pen & paper). 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites no additional limitations not already addressed for the parent claim(s). The same analysis applies here. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 3
	Step 2A, prong one: The claim recites: wherein the probabilistically modelling identifies patterns across the log file data and the system parameters (directed to Mathematical Concepts and/or Mental Processes, which may be implemented with pen & paper). 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites no additional limitations not already addressed for the parent claim(s). The same analysis applies here. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 4
	Step 2A, prong one: The claim recites: wherein the one or more statistical methods identify patterns in the system parameters of the computer infrastructure (directed to Mathematical Concepts and/or Mental Processes, which may be implemented with pen & paper). 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites no additional limitations not already addressed for the parent claim(s). The same analysis applies here. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 5
	Step 2A, prong one: The claim recites: wherein the one or more statistical methods includes multivariate Gaussian analysis (directed to Mathematical Concepts). 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites no additional limitations not already addressed for the parent claim(s). Even if the multivariate Gaussian analysis was construed to be an additional element, it would be applying a known model as a tool, which fails to integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. Even if the multivariate Gaussian analysis was construed to be an additional element, it would be applying a known model as a tool, which amounts to applying generic computing hardware to perform an existing process, which is not significant – see MPEP §2106.05(f). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f).

Claim 6
	Step 2A, prong one: The claim recites: the abstract idea of the parent claim. 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites the additional limitations of: further comprising linking at least some of the graphic elements to relationships determined between the system parameters and the log file data. The further comprising linking at least some of the graphic elements to relationships determined between the system parameters and the log file data is merely extra-solution activity. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The further comprising linking at least some of the graphic elements to relationships determined between the system parameters and the log file data is merely extra-solution activity which amounts to mere data gathering and outputting which is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(g). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 7
Step 2A, prong one: The claim recites: the abstract idea of the parent claim. 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites the additional limitations of: wherein the system parameters include central processing unit (CPU) processing, access time, and/or memory usage. The wherein the system parameters include central processing unit (CPU) processing, access time, and/or memory usage is merely generic computing characteristics recited at a high level of generality which are being collected as extra-solution activity. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The wherein the system parameters include central processing unit (CPU) processing, access time, and/or memory usage is merely generic computing characteristics recited at a high level of generality – see MPEP §2106.05(f) – which are being collected, which is mere extra-solution activity that amounts to mere data gathering and outputting, which is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(g). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f).

Claim 8
	Step 2A, prong one: The claim recites: wherein the self-learning process initially identifies a first one of the behaviors as being abnormal behavior (directed to Mental Processes, which may be implemented with pen & paper). 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites no additional limitations not already addressed for the parent claim(s). The same analysis applies here. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 9
	Step 2A, prong one: The claim recites: wherein the self-learning process, in response to identifying a particular pattern, changes the identification of the first one of the behaviors from the abnormal behavior to a normal running process of the at least one device of the computer infrastructure (directed to Mental Processes, which may be implemented with pen & paper). 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites no additional limitations not already addressed for the parent claim(s). The same analysis applies here. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 10
	Step 2A, prong one: The claim recites: wherein the self-learning process uses stored previously collected asynchronous and continuous data to establish an initial pattern to obtain an initial behavior of the computer infrastructure (directed to Mental Processes, which may be implemented with pen & paper). 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites no additional limitations not already addressed for the parent claim(s). The same analysis applies here. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 11
	Step 2A, prong one: The claim recites: the abstract idea of the parent claim.
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites the additional limitations of: further comprising initiating display of an indication of a degree of impact of the detected behavior type on the computer infrastructure. The further comprising initiating display of an indication of a degree of impact of the detected behavior type on the computer infrastructure is merely extra-solution activity. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The further comprising initiating display of an indication of a degree of impact of the detected behavior type on the computer infrastructure is merely extra-solution activity which amounts to mere data gathering and outputting which is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(g). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 12
Step 2A, prong one: The claim recites: the abstract idea of the parent claim. 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites the additional limitations of: wherein the graphic elements have different colors or shapes in relation to the degree of impact of the detected behavior type on the computer infrastructure. The wherein the graphic elements have different colors or shapes in relation to the degree of impact of the detected behavior type on the computer infrastructure is merely extra-solution activity. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The wherein the graphic elements have different colors or shapes in relation to the degree of impact of the detected behavior type on the computer infrastructure is merely extra-solution activity which amounts to mere data gathering and outputting which is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(g). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 13
Step 2A, prong one: The claim recites: the abstract idea of the parent claim. 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites the additional limitations of: wherein at least a portion of the graphic elements are selectable and the method further includes, in response to a selection of at least a portion of the graphic elements, opening related types of the system parameters and the log file data entries of the continuous data and asynchronous data within the computer infrastructure. The wherein at least a portion of the graphic elements are selectable and the method further includes, in response to a selection of at least a portion of the graphic elements, opening related types of the system parameters and the log file data entries of the continuous data and asynchronous data within the computer infrastructure is merely extra-solution activity. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The wherein at least a portion of the graphic elements are selectable and the method further includes, in response to a selection of at least a portion of the graphic elements, opening related types of the system parameters and the log file data entries of the continuous data and asynchronous data within the computer infrastructure is merely extra-solution activity which amounts to mere data gathering and outputting which is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(g). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 14 (Independent) 
	Step 2A, prong one: The claim recites: A system …, the system comprising: …; and an analytics engine (directed to Mental Processes, which may be implemented with pen & paper; EN: The human mind is an analytics engine) configured for: probabilistically modelling behaviors of computer infrastructure using the continuous data and the asynchronous data in real-time (directed to Mathematical Concepts and/or Mental Processes, which may be implemented with pen & paper); identifying patterns in the probabilistically modeled behaviors via one or more statistical methods over time that includes analyzing relationships between the continuous data and asynchronous data to detect a behavior type, of a plurality of behavior types, of at least one component of the computer infrastructure (directed to Mental Processes, which may be implemented with pen & paper); identifying abnormal behaviors based on the identified patterns (directed to Mental Processes, which may be implemented with pen & paper). 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites the additional limitations of: for the visualization of behavior within a computer infrastructure … at least one agent associated with at least one device of a computer infrastructure for monitoring and collecting continuous data on the at least one device, the continuous data comprises system parameters regarding the at least one device; the at least one agent further for monitoring and collecting asynchronous data when changes happen on the at least one device of the computer infrastructure, the asynchronous data including at least log file data of the at least one device of the computer infrastructure, and initiating displaying of an indication indicative of the detected behavior type as graphic elements, at least one of the graphic elements being linked to the continuous data and the asynchronous data. The for the visualization of behavior is merely an intended field of use. The computer infrastructure, at least one agent associated with at least one device of a computer infrastructure for monitoring … the at least one agent further monitoring … are recited at a high level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. 
The collecting continuous data on the at least one device, the continuous data comprises system parameters regarding the at least one device; collecting asynchronous data when changes happen on the at least one device of the computer infrastructure, the asynchronous data including at least log file data of the at least one device of the computer infrastructure; and initiating displaying of an indication indicative of the detected behavior type as graphic elements, at least one of the graphic elements being linked to the continuous data and the asynchronous data are merely extra-solution activity. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The for the visualization of behavior is merely an intended field of use, and limitations that amount to merely indicating a field of use or technological environment in which to apply a judicial exception do not amount to significantly more than the exception itself – see MPEP §2106.05(h). The computer infrastructure, at least one agent associated with at least one device of a computer infrastructure for monitoring … the at least one agent further monitoring … amount to using generic computing hardware to implement the abstract idea, which is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(f). The collecting continuous data on the at least one device, the continuous data comprises system parameters regarding the at least one device; collecting asynchronous data when changes happen on the at least one device of the computer infrastructure, the asynchronous data including at least log file data of the at least one device of the computer infrastructure; and initiating displaying of an indication indicative of the detected behavior type as graphic elements, at least one of the graphic elements being linked to the continuous data and the asynchronous data are merely insignificant extra-solution activity, which amounts to mere data gathering and outputting, which is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(g). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually.
There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 15
	Step 2A, prong one: The claim recites:
The system of claim 14, wherein the analytics engine is a self-learning system (directed to Mental Processes, which may be implemented with pen & paper; EN: The human mind is a self-learning system). 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites no additional limitations not already addressed for the parent claim(s). The same analysis applies here. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 16
	Step 2A, prong one: The claim recites:
The system of claim 15, wherein the self-learning system is further configured for: determining or simulating probabilities of certain streams of the log file data of the at least one device of the computer infrastructure (directed to Mental Processes, which may be implemented with pen & paper); and providing a forecast of possible future performance of the at least one device of the computer infrastructure based on the determination or simulation (directed to Mental Processes, which may be implemented with pen & paper). 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites no additional limitations not already addressed for the parent claim(s). The same analysis applies here. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 17
	Step 2A, prong one: The claim recites: the abstract idea of the parent claim.
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites the additional limitations of: computer infrastructure is connectable with a data source for reception of data via a server and the server transfers data between the data source and the computer infrastructure. The computer infrastructure is connectable with a data source for reception of data via a server and the server transfers data between the data source and the computer infrastructure is recited at a high level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The computer infrastructure is connectable with a data source for reception of data via a server and the server transfers data between the data source and the computer infrastructure amounts to receiving or transmitting data over a network, which the courts have found is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(d). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 18
Step 2A, prong one: The claim recites: the abstract idea of the parent claim. 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites the additional limitations of: wherein the graphic elements have different colors or shapes in relation to a degree of impact of the detected behavior type on the computer infrastructure. The wherein the graphic elements have different colors or shapes in relation to a degree of impact of the detected behavior type on the computer infrastructure is merely extra-solution activity. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The wherein the graphic elements have different colors or shapes in relation to a degree of impact of the detected behavior type on the computer infrastructure is merely extra-solution activity which amounts to mere data gathering and outputting which is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(g). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 19
Step 2A, prong one: The claim recites: the abstract idea of the parent claim. 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites the additional limitations of: wherein at least a portion of the graphic elements are selectable and the analytics engine is further configured to, in response to a selection of at least a portion of the graphic elements, open related types of the system parameters and the log file data entries of the continuous data and asynchronous data within the computer infrastructure. The wherein at least a portion of the graphic elements are selectable and the analytics engine is further configured to, in response to a selection of at least a portion of the graphic elements, open related types of the system parameters and the log file data entries of the continuous data and asynchronous data within the computer infrastructure is merely extra-solution activity. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The wherein at least a portion of the graphic elements are selectable and the analytics engine is further configured to, in response to a selection of at least a portion of the graphic elements, open related types of the system parameters and the log file data entries of the continuous data and asynchronous data within the computer infrastructure is merely extra-solution activity which amounts to mere data gathering and outputting which is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(g). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Claim 20 (Independent) 
	Step 2A, prong one: The claim recites: to execute a self-learning process, the self-learning process (directed to Mental Processes, which may be implemented with pen & paper; EN: The human mind is a self-learning system of self-learning processes) comprising: probabilistically modelling behaviors of computer infrastructure using the continuous data and the asynchronous data in real-time (directed to Mathematical Concepts and/or Mental Processes, which may be implemented with pen & paper); identifying patterns in the probabilistically modeled behaviors via one or more statistical methods over time that includes analyzing relationships between the continuous data and the asynchronous data to detect a behavior type, of a plurality of behavior types, of at least one component of the computer infrastructure (directed to Mental Processes, which may be implemented with pen & paper); and identifying abnormal behaviors based on the identified patterns (directed to Mental Processes, which may be implemented with pen & paper). 
Step 2A, prong two: This judicial exception is not integrated into a practical application. Beyond the recited abstract idea, the claim recites the additional limitations of: A computer-readable program stored on a non-volatile medium which, when executed on a computer means, causes the computer means: to monitor and collect continuous data on at least one device of a computer infrastructure by at least one agent associated with the at least one device, the continuous data comprises system parameters regarding the at least one device; to monitor and collect asynchronous data when changes happen on the at least one device of the computer infrastructure by at least one agent associated with the at least one device, the asynchronous data including at least log file data of the at least one device of the computer infrastructure; and to initiate displaying of an indication indicative of the behavior type as graphic elements, at least one of the graphic elements being linked to the continuous data and the asynchronous data. The computer-readable program stored on a non-volatile medium which, when executed on a computer means, causes the computer means: to monitor … at least one device of a computer infrastructure … to monitor … are recited at a high level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts to no more than mere instructions to apply the exception using a generic computer component.
The collect continuous data on at least one device of a computer infrastructure by at least one agent associated with the at least one device, the continuous data comprises system parameters regarding the at least one device; collect asynchronous data when changes happen on the at least one device of the computer infrastructure by at least one agent associated with the at least one device, the asynchronous data including at least log file data of the at least one device of the computer infrastructure; and to initiate displaying of an indication indicative of the behavior type as graphic elements, at least one of the graphic elements being linked to the continuous data and the asynchronous data are merely extra-solution activity. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements (identified in Step 2A prong two) when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The for the visualization of behavior is merely an intended field of use, and limitations that amount to merely indicating a field of use or technological environment in which to apply a judicial exception do not amount to significantly more than the exception itself – see MPEP §2106.05(h). The computer-readable program stored on a non-volatile medium which, when executed on a computer means, causes the computer means: to monitor … at least one device of a computer infrastructure … to monitor … amount to using generic computing hardware to implement the abstract idea, which is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(f). The collect continuous data on at least one device of a computer infrastructure by at least one agent associated with the at least one device, the continuous data comprises system parameters regarding the at least one device; collect asynchronous data when changes happen on the at least one device of the computer infrastructure by at least one agent associated with the at least one device, the asynchronous data including at least log file data of the at least one device of the computer infrastructure; and to initiate displaying of an indication indicative of the behavior type as graphic elements, at least one of the graphic elements being linked to the continuous data and the asynchronous data are merely insignificant extra-solution activity, which amounts to mere data gathering and outputting, which is insufficient to render the claim(s) as directed to significantly more than the abstract idea – see MPEP §2106.05(g).
Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves another technology. Their collective functions merely provide generic computer implementations applying the abstract idea – see MPEP §2106.05(f). 

Appropriate corrections are required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. §102 and §103 (or as subject to pre-AIA  35 U.S.C. §102 and §103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 
The following is a quotation of pre-AIA  35 U.S.C. §103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claim(s) 1, 3-4, 6-10, 14-15, 17, and 20 is/are rejected under pre-AIA  35 U.S.C. §103(a) as being unpatentable over Aharon (“One Graph Is Worth a Thousand Logs: Uncovering Hidden Structures in Massive System Event Logs”) in view of Cho (“Incorporating Soft Computing Techniques Into a Probabilistic Intrusion Detection System”).

Claim 1 (Independent)
Aharon discloses: A method for analyzing behavior of a computer infrastructure (e.g. §Abstract: system behavior; Also see §1), the method comprising: 
monitoring and collecting continuous data on at least one device of a computer infrastructure by at least one agent associated with the at least one device, the continuous data comprises system parameters regarding the at least one device (e.g. §1 especially ¶¶6-7: “event log streams … automatically discovers principle patterns (atoms) of log event types” or §5 especially ¶¶1-2: “large Enterprise IT systems … monitors of system behavior” or §6 especially ¶¶1,9-10,13: “Windows Server event log (which represents an infrastructure environment) and two enterprise business application logs ... routine monitoring of performance ... performance monitors … IT Management System” or Table 1 and the associated discussion; Since the claim does not further define “agent”, any software module or running process meets the broadest reasonable interpretation of an "agent", and the applied art has software processes continuously monitoring and collecting log streams (i.e. continuous data) for time-stamped events that may be unordered (i.e. not logged synchronously, and therefore by definition asynchronous data) – and specifically specifies using a Windows Server event log in an infrastructure environment as well as enterprise business application logs. Therefore the applied art meets the broadest reasonable interpretation of this claim limitation. Examiner encourages applicant to further amend the claim to define "agent", "infrastructure", "continuous data”, and “asynchronous data" in the claim using language supported by the instant specification that distinguishes over the applied art); 
monitoring and collecting asynchronous data, by the at least one agent, when changes happen on the at least one device of the computer infrastructure, the asynchronous data including at least log file data of the at least one device (e.g. §1 especially ¶7: “automatically discovers principle patterns (atoms) of log event types” or §5 especially ¶¶1-2: “large Enterprise IT systems … monitors of system behavior” or §6 especially ¶¶1,9-10,13: “Windows Server event log (which represents an infrastructure environment) and two enterprise business application logs ... routine monitoring of performance ... performance monitors … IT Management System” or Table 1 and the associated discussion; Since the claim does not further define “agent”, any software module or running process meets the broadest reasonable interpretation of an "agent", and the applied art has software processes continuously monitoring and collecting log streams (i.e. continuous data) for time-stamped events that may be unordered (i.e. not logged synchronously, and therefore by definition asynchronous data) – and specifically specifies using a Windows Server event log in an infrastructure environment as well as enterprise business application logs. Therefore the applied art meets the broadest reasonable interpretation of this claim limitation. Examiner encourages applicant to further amend the claim to define "agent", "infrastructure", "continuous data”, and “asynchronous data" in the claim using language supported by the instant specification that distinguishes over the applied art); 
executing a self-learning process (e.g. §5 especially ¶2-3: “using machine learning methods … turns the log events to temporal measurements enabling the application of existing learning technologies … supervised learning … additional unsupervised techniques to detect anomalies or behavioral patterns”; Also see §1 or §7 or §8) comprising: 
identifying patterns in the … modeled behaviors via one or more statistical methods over time that includes analyzing relationships between the continuous data and the asynchronous data to detect a behavior type, of a plurality of behavior types, of at least one component of the computer infrastructure (e.g. §1 especially ¶¶3-4,6-8: “enabling automated analysis … analysis of log patterns from event log streams … PARIS algorithm … automatically discovers principle patterns (atoms) of log event types … our log analysis algorithms … datasets from enterprise applications” or §2 especially ¶¶4-5: “automatically discover such event sequences … sequences can be compared and matched … automatically discover repeating event sequences” or §4 especially ¶¶1,3: “full log is a union of the individual log sets ... a-synchronic ... input the full log, and identifies the individual sets of messages that belong to one process or failure … provides … a collection of atoms, where each atom is a known set of messages produced by one process or failure … Analysis – each atom stands for one process or failure” or §5 especially ¶¶Title,1-3 “Log Analysis Algorithms … event logs … useful for operations of large Enterprise IT systems … output of PARIS … to detect problems … turns the log events to temporal measurements enabling .... learning technologies to help classify and describe problem periods … diagnosis of a specific problem that occurred is a supervised learning problem … unsupervised techniques to detect anomalies or behavior patterns from the logs” or §6 especially ¶¶11,13-14: “monitor indicated multiple symptoms … different components that compose the environment all have corresponding logs with error messages that occurred at the time ... only when processing the system logs through the algorithms that a clear picture of the environment is composed … Analyzing the messages in this fashion assisted in isolating the root problem that caused the system errors … the problem is isolated” §6 or Table 1 and the associated discussion); and 
identifying abnormal behaviors based on the identified patterns (e.g. §6 especially ¶¶15-17: “information about the system's behavior can be obtained, both normal and abnormal … applied the PARIS algorithm … Table 4 below shows examples of three atoms, showing the corresponding event clusters in each. These atoms represent three failure types in the system”); and 
initiating displaying of an indication indicative of the detected behavior type as graphic elements, at least one of the graphic elements being linked to the continuous data and the asynchronous data (e.g. §1 especially ¶7: “visualize logs" or §5 especially ¶¶3: “visualization of the system event logs over time ... leveraging visualization ... to detect anomalies or behavioral patterns from the logs" or §6 especially ¶¶12,15-17: “Once processed through the algorithms, error messages from multiple sources were visualized together, indicating ... cluster classification … Analyzing the messages in this fashion assisted in isolating the root problem that caused the system errors … from the visualization, further information about the system's behavior can be obtained, both normal and abnormal … applied the PARIS algorithm … Table 4 below shows examples of three atoms, showing the corresponding event clusters in each. These atoms represent three failure types in the system” or Figures 3, 4, 5 and the associated discussion or Table 4 and the associated discussion; Examiner points out that Figure 4 uses the y-axis to denote the cluster IDs based on clusters created by the dictionary creation algorithm, and color codes behavior patterns (e.g. pink, green, purple, yellow). Examiner also points out that Figure 5 also uses color coded behaviors (e.g. blue, red, yellow, green, cyan, etc.). Further, Table 4 clearly depicts 3 atoms which each correspond to a different failure type, making it clear that behavior types are represented by the atoms. Examiner encourages applicant to further define the claimed "indication of at least detection of the detected behavior type" to define how the indication of detection of the detected behavior type is represented by the graphic elements, using language supported by the instant specification that distinguishes over the applied art). 
Aharon fails to explicitly recite:
probabilistically modelling behaviors of the computer infrastructure using the continuous data and the asynchronous data in real-time;
probabilistically modeled.
Cho discloses: 
executing a self-learning process (e.g. §III: model learning or §III.A especially ¶3: SOM is an unsupervised learning neural network) comprising: 
probabilistically modelling behaviors of the computer infrastructure using the continuous data and the asynchronous data in real-time (e.g. §I especially ¶¶1,5: “infrastructure … we extract the measures of audit data … and reduce them using self-organizing map (SOM)” or §III.B: “Behavior Modeling With HMM” or §III.C especially ¶2: “independently trained models”; Also see §Abstract, §III.A); 
identifying patterns in the probabilistically modeled behaviors via one or more statistical methods over time that includes analyzing relationships between the continuous data and the asynchronous data to detect a behavior type, of a plurality of behavior types, of at least one component of the computer infrastructure (e.g. §III.A ¶2: “organizes the map automatically according to the input pattern” or Figure 2: “Inference and Detection”; Also see §III.C); and 
identifying abnormal behaviors based on the identified patterns (e.g. §III.C especially ¶¶2: “decide if the current input sequence is abnormal” or §IV.B.1: “abnormal behavior … the system has a potential to effectively detect the intrusion”; Also see §IV.B.2). 
Rationale:
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the teachings of Aharon by self-learning self-organizing maps (SOM) and modeling behavior using Hidden Markov Models (HMM), which are probabilistic, and using these models to identify abnormal behavior patterns as taught by Cho for the benefit of effectively processing large amounts of data for intrusion detection using techniques that have been shown to effectively detect intrusions (Cho e.g. §1 or §IV.B.1 or §IV.B.2 or §V).


Claim 14 (Independent)
Aharon discloses: A system for the visualization of behavior within a computer infrastructure (e.g. §Abstract: visualization of logs and characterization of system behavior or §6 especially ¶15: From the visualization, further information about the system’s behavior can be obtained), the system comprising: 
at least one agent associated with at least one device of a computer infrastructure for monitoring and collecting continuous data on the at least one device, the continuous data comprises system parameters regarding the at least one device (e.g. §1 especially ¶¶6-7: “event log streams … automatically discovers principle patterns (atoms) of log event types” or §5 especially ¶¶1-2: “large Enterprise IT systems … monitors of system behavior” or §6 especially ¶¶1,9-10,13: “Windows Server event log (which represents an infrastructure environment) and two enterprise business application logs ... routine monitoring of performance ... performance monitors … IT Management System” or Table 1 and the associated discussion; Since the claim does not further define “agent”, any software module or running process meets the broadest reasonable interpretation of an "agent", and the applied art has software processes continuously monitoring and collecting log streams (i.e. continuous data) for time-stamped events that may be unordered (i.e. not logged synchronously, and therefore by definition asynchronous data) – and specifically specifies using a Windows Server event log in an infrastructure environment as well as enterprise business application logs. Therefore the applied art meets the broadest reasonable interpretation of this claim limitation. Examiner encourages applicant to further amend the claim to define "agent", "infrastructure", "continuous data”, and “asynchronous data" in the claim using language supported by the instant specification that distinguishes over the applied art); 
the at least one agent further for monitoring and collecting asynchronous data when changes happen on the at least one device of the computer infrastructure, the asynchronous data including at least log file data of the at least one device of the computer infrastructure (e.g. §1 especially ¶7: “automatically discovers principle patterns (atoms) of log event types” or §5 especially ¶¶1-2: “large Enterprise IT systems … monitors of system behavior” or §6 especially ¶¶1,9-10,13: “Windows Server event log (which represents an infrastructure environment) and two enterprise business application logs ... routine monitoring of performance ... performance monitors … IT Management System” or Table 1 and the associated discussion; Since the claim does not further define “agent”, any software module or running process meets the broadest reasonable interpretation of an "agent", and the applied art has software processes continuously monitoring and collecting log streams (i.e. continuous data) for time-stamped events that may be unordered (i.e. not logged synchronously, and therefore by definition asynchronous data) – and specifically specifies using a Windows Server event log in an infrastructure environment as well as enterprise business application logs. Therefore the applied art meets the broadest reasonable interpretation of this claim limitation. Examiner encourages applicant to further amend the claim to define "agent", "infrastructure", "continuous data”, and “asynchronous data" in the claim using language supported by the instant specification that distinguishes over the applied art); 
an analytics engine (e.g. §5 especially ¶2-3: “using machine learning methods … turns the log events to temporal measurements enabling the application of existing learning technologies … supervised learning … additional unsupervised techniques to detect anomalies or behavioral patterns”; Also see §1 or §7 or §8) configured for: 
identifying patterns in the … modeled behaviors via one or more statistical methods over time that includes analyzing relationships between the continuous data and the asynchronous data to detect a behavior type, of a plurality of behavior types, of at least one component of the computer infrastructure (e.g. §1 especially ¶¶3-4,6-8: “enabling automated analysis … analysis of log patterns from event log streams … PARIS algorithm … automatically discovers principle patterns (atoms) of log event types … our log analysis algorithms … datasets from enterprise applications” or §2 especially ¶¶4-5: “automatically discover such event sequences … sequences can be compared and matched … automatically discover repeating event sequences” or §4 especially ¶¶1,3: “full log is a union of the individual log sets ... a-synchronic ... input the full log, and identifies the individual sets of messages that belong to one process or failure … provides … a collection of atoms, where each atom is a known set of messages produced by one process or failure … Analysis – each atom stands for one process or failure” or §5 especially ¶¶Title,1-3 “Log Analysis Algorithms … event logs … useful for operations of large Enterprise IT systems … output of PARIS … to detect problems … turns the log events to temporal measurements enabling .... learning technologies to help classify and describe problem periods … diagnosis of a specific problem that occurred is a supervised learning problem … unsupervised techniques to detect anomalies or behavior patterns from the logs” or §6 especially ¶¶11,13-14: “monitor indicated multiple symptoms … different components that compose the environment all have corresponding logs with error messages that occurred at the time ... only when processing the system logs through the algorithms that a clear picture of the environment is composed … Analyzing the messages in this fashion assisted in isolating the root problem that caused the system errors … the problem is isolated” §6 or Table 1 and the associated discussion); and 
identifying abnormal behaviors based on the identified patterns (e.g. §6 especially ¶¶15-17: “information about the system's behavior can be obtained, both normal and abnormal … applied the PARIS algorithm … Table 4 below shows examples of three atoms, showing the corresponding event clusters in each. These atoms represent three failure types in the system”); and 
initiating displaying of an indication indicative of the detected behavior type as graphic elements, at least one of the graphic elements being linked to the continuous data and the asynchronous data (e.g. §1 especially ¶7: “visualize logs" or §5 especially ¶¶3: “visualization of the system event logs over time ... leveraging visualization ... to detect anomalies or behavioral patterns from the logs" or §6 especially ¶¶12,15-17: “Once processed through the algorithms, error messages from multiple sources were visualized together, indicating ... cluster classification … Analyzing the messages in this fashion assisted in isolating the root problem that caused the system errors … from the visualization, further information about the system's behavior can be obtained, both normal and abnormal … applied the PARIS algorithm … Table 4 below shows examples of three atoms, showing the corresponding event clusters in each. These atoms represent three failure types in the system” or Figures 3, 4, 5 and the associated discussion or Table 4 and the associated discussion; Examiner points out that Figure 4 uses the y-axis to denote the cluster IDs based on clusters created by the dictionary creation algorithm, and color codes behavior patterns (e.g. pink, green, purple, yellow). Examiner also points out that Figure 5 also uses color coded behaviors (e.g. blue, red, yellow, green, cyan, etc.). Further, Table 4 clearly depicts 3 atoms which each correspond to a different failure type, making it clear that behavior types are represented by the atoms. Examiner encourages applicant to further define the claimed "indication of at least detection of the detected behavior type" to define how the indication of detection of the detected behavior type is represented by the graphic elements, using language supported by the instant specification that distinguishes over the applied art). 
Aharon fails to explicitly recite:
probabilistically modelling behaviors of computer infrastructure using the continuous data and the asynchronous data in real-time;
probabilistically modeled.
Cho discloses: 
an analytics engine (e.g. §III: model learning or §III.A especially ¶3: SOM is an unsupervised learning neural network) configured for: 
probabilistically modelling behaviors of the computer infrastructure using the continuous data and the asynchronous data in real-time (e.g. §I especially ¶¶1,5: “infrastructure … we extract the measures of audit data … and reduce them using self-organizing map (SOM)” or §III.B: “Behavior Modeling With HMM” or §III.C especially ¶2: “independently trained models”; Also see §Abstract, §III.A); 
identifying patterns in the probabilistically modeled behaviors via one or more statistical methods over time that includes analyzing relationships between the continuous data and the asynchronous data to detect a behavior type, of a plurality of behavior types, of at least one component of the computer infrastructure (e.g. §III.A ¶2: “organizes the map automatically according to the input pattern” or Figure 2: “Inference and Detection”; Also see §III.C); and 
identifying abnormal behaviors based on the identified patterns (e.g. §III.C especially ¶¶2: “decide if the current input sequence is abnormal” or §IV.B.1: “abnormal behavior … the system has a potential to effectively detect the intrusion”; Also see §IV.B.2). 
Rationale:
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the teachings of Aharon by self-learning self-organizing maps (SOM) and modeling behavior using Hidden Markov Models (HMM), which are probabilistic, and using these models to identify abnormal behavior patterns as taught by Cho for the benefit of effectively processing large amounts of data for intrusion detection using techniques that have been shown to effectively detect intrusions (Cho e.g. §1 or §IV.B.1 or §IV.B.2 or §V).


Claim 20 (Independent)
Aharon discloses: A computer-readable program stored on a non-volatile medium which, when executed on a computer means, causes the computer means (e.g. §1; One of ordinary skill in the art at the time of the invention would have understood the reference to be describing a technique implemented on a computer executing stored software instructions to accomplish the technique): 
to monitor and collect continuous data on at least one device of a computer infrastructure by at least one agent associated with the at least one device, the continuous data comprises system parameters regarding the at least one device (e.g. §1 especially ¶¶6-7: “event log streams … automatically discovers principle patterns (atoms) of log event types” or §5 especially ¶¶1-2: “large Enterprise IT systems … monitors of system behavior” or §6 especially ¶¶1,9-10,13: “Windows Server event log (which represents an infrastructure environment) and two enterprise business application logs ... routine monitoring of performance ... performance monitors … IT Management System” or Table 1 and the associated discussion; Since the claim does not further define “agent”, any software module or running process meets the broadest reasonable interpretation of an "agent", and the applied art has software processes continuously monitoring and collecting log streams (i.e. continuous data) for time-stamped events that may be unordered (i.e. not logged synchronously, and therefore by definition asynchronous data) – and specifically specifies using a Windows Server event log in an infrastructure environment as well as enterprise business application logs. Therefore the applied art meets the broadest reasonable interpretation of this claim limitation. Examiner encourages applicant to further amend the claim to define "agent", "infrastructure", "continuous data”, and “asynchronous data" in the claim using language supported by the instant specification that distinguishes over the applied art); 
to monitor and collect asynchronous data when changes happen on the at least one device of the computer infrastructure by at least one agent associated with the at least one device, the asynchronous data including at least log file data of the at least one device of the computer infrastructure (e.g. §1 especially ¶7: “automatically discovers principle patterns (atoms) of log event types” or §5 especially ¶¶1-2: “large Enterprise IT systems … monitors of system behavior” or §6 especially ¶¶1,9-10,13: “Windows Server event log (which represents an infrastructure environment) and two enterprise business application logs ... routine monitoring of performance ... performance monitors … IT Management System” or Table 1 and the associated discussion; Since the claim does not further define “agent”, any software module or running process meets the broadest reasonable interpretation of an "agent", and the applied art has software processes continuously monitoring and collecting log streams (i.e. continuous data) for time-stamped events that may be unordered (i.e. not logged synchronously, and therefore by definition asynchronous data) – and specifically specifies using a Windows Server event log in an infrastructure environment as well as enterprise business application logs. Therefore the applied art meets the broadest reasonable interpretation of this claim limitation. Examiner encourages applicant to further amend the claim to define "agent", "infrastructure", "continuous data”, and “asynchronous data" in the claim using language supported by the instant specification that distinguishes over the applied art); 
to execute a self-learning process (e.g. §5 especially ¶2-3: “using machine learning methods … turns the log events to temporal measurements enabling the application of existing learning technologies … supervised learning … additional unsupervised techniques to detect anomalies or behavioral patterns”; Also see §1 or §7 or §8), the self-learning process comprising: 
identifying patterns in the … modeled behaviors via one or more statistical methods over time that includes analyzing relationships between the continuous data and the asynchronous data to detect a behavior type, of a plurality of behavior types, of at least one component of the computer infrastructure (e.g. §1 especially ¶¶3-4,6-8: “enabling automated analysis … analysis of log patterns from event log streams … PARIS algorithm … automatically discovers principle patterns (atoms) of log event types … our log analysis algorithms … datasets from enterprise applications” or §2 especially ¶¶4-5: “automatically discover such event sequences … sequences can be compared and matched … automatically discover repeating event sequences” or §4 especially ¶¶1,3: “full log is a union of the individual log sets ... a-synchronic ... input the full log, and identifies the individual sets of messages that belong to one process or failure … provides … a collection of atoms, where each atom is a known set of messages produced by one process or failure … Analysis – each atom stands for one process or failure” or §5 especially ¶¶Title,1-3 “Log Analysis Algorithms … event logs … useful for operations of large Enterprise IT systems … output of PARIS … to detect problems … turns the log events to temporal measurements enabling .... learning technologies to help classify and describe problem periods … diagnosis of a specific problem that occurred is a supervised learning problem … unsupervised techniques to detect anomalies or behavior patterns from the logs” or §6 especially ¶¶11,13-14: “monitor indicated multiple symptoms … different components that compose the environment all have corresponding logs with error messages that occurred at the time ... only when processing the system logs through the algorithms that a clear picture of the environment is composed … Analyzing the messages in this fashion assisted in isolating the root problem that caused the system errors … the problem is isolated” §6 or Table 1 and the associated discussion); and 
identifying abnormal behaviors based on the identified patterns (e.g. §6 especially ¶¶15-17: “information about the system's behavior can be obtained, both normal and abnormal … applied the PARIS algorithm … Table 4 below shows examples of three atoms, showing the corresponding event clusters in each. These atoms represent three failure types in the system”); and 
to initiate displaying of an indication indicative of the behavior type as graphic elements, at least one of the graphic elements being linked to the continuous data and the asynchronous data (e.g. §1 especially ¶7: “visualize logs" or §5 especially ¶¶3: “visualization of the system event logs over time ... leveraging visualization ... to detect anomalies or behavioral patterns from the logs" or §6 especially ¶¶12,15-17: “Once processed through the algorithms, error messages from multiple sources were visualized together, indicating ... cluster classification … Analyzing the messages in this fashion assisted in isolating the root problem that caused the system errors … from the visualization, further information about the system's behavior can be obtained, both normal and abnormal … applied the PARIS algorithm … Table 4 below shows examples of three atoms, showing the corresponding event clusters in each. These atoms represent three failure types in the system” or Figures 3, 4, 5 and the associated discussion or Table 4 and the associated discussion; Examiner points out that Figure 4 uses the y-axis to denote the cluster IDs based on clusters created by the dictionary creation algorithm, and color codes behavior patterns (e.g. pink, green, purple, yellow). Examiner also points out that Figure 5 also uses color coded behaviors (e.g. blue, red, yellow, green, cyan, etc.). Further, Table 4 clearly depicts 3 atoms which each correspond to a different failure type, making it clear that behavior types are represented by the atoms. Examiner encourages applicant to further define the claimed "indication of at least detection of the detected behavior type" to define how the indication of detection of the detected behavior type is represented by the graphic elements, using language supported by the instant specification that distinguishes over the applied art). 
Aharon fails to explicitly recite:
probabilistically modelling behaviors of the computer infrastructure using the continuous data and the asynchronous data in real-time;
probabilistically modeled.
Cho discloses: 
to execute a self-learning process (e.g. §III: model learning or §III.A especially ¶3: SOM is an unsupervised learning neural network), the self-learning process comprising: 
probabilistically modelling behaviors of the computer infrastructure using the continuous data and the asynchronous data in real-time (e.g. §I especially ¶¶1,5: “infrastructure … we extract the measures of audit data … and reduce them using self-organizing map (SOM)” or §III.B: “Behavior Modeling With HMM” or §III.C especially ¶2: “independently trained models”; Also see §Abstract, §III.A); 
identifying patterns in the probabilistically modeled behaviors via one or more statistical methods over time that includes analyzing relationships between the continuous data and the asynchronous data to detect a behavior type, of a plurality of behavior types, of at least one component of the computer infrastructure (e.g. §III.A ¶2: “organizes the map automatically according to the input pattern” or Figure 2: “Inference and Detection”; Also see §III.C); and 
identifying abnormal behaviors based on the identified patterns (e.g. §III.C especially ¶¶2: “decide if the current input sequence is abnormal” or §IV.B.1: “abnormal behavior … the system has a potential to effectively detect the intrusion”; Also see §IV.B.2). 
Rationale:
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the teachings of Aharon by self-learning self-organizing maps (SOM) and modeling behavior using Hidden Markov Models (HMM), which are probabilistic, and using these models to identify abnormal behavior patterns as taught by Cho for the benefit of effectively processing large amounts of data for intrusion detection using techniques that have been shown to effectively detect intrusions (Cho e.g. §1 or §IV.B.1 or §IV.B.2 or §V).


Claim 15
Aharon discloses: 
wherein the analytics engine is a self-learning system (e.g. §5 especially ¶2-3: “using machine learning methods … turns the log events to temporal measurements enabling the application of existing learning technologies … supervised learning … additional unsupervised techniques to detect anomalies or behavioral patterns”; Also see §1 or §7 or §8).
Cho also discloses: 
wherein the analytics engine is a self-learning system (e.g. § III: model learning or §III.A especially ¶3: SOM is an unsupervised learning neural network). 

Claim 3
Aharon discloses: 
identifies patterns across the log file data and the system parameters (e.g. §5: system behavior, such as CPU utilization, memory, network, etc, and system event logs. In recent years, work in this area showed how to aid in the diagnosis using machine learning methods).
Aharon fails to explicitly recite: 
probabilistically modeling.
Cho discloses: 
wherein the probabilistically modelling identifies patterns across the log file data and the system parameters (e.g. §I especially ¶¶1,5: “infrastructure … we extract the measures of audit data … and reduce them using self-organizing map (SOM)” or §III.B: “Behavior Modeling With HMM … state node contains initial state distribution and observation probability at which a given symbol is to be observed” or §III.C especially ¶2: “independently trained models”; Also see §Abstract, §III.A.). 
Rationale:
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the teachings of Aharon by probabilistically modeling behavior using Hidden Markov Models (HMM), and using these models to identify abnormal behavior patterns as taught by Cho for the benefit of effectively processing large amounts of data for intrusion detection using techniques that have been shown to effectively detect intrusions (Cho e.g. §1 or §IV.B.1 or §IV.B.2 or §V).

Claim 4
Aharon discloses:
wherein the one or more statistical methods identify patterns in the system parameters of the computer infrastructure (e.g. §1 especially ¶¶3-4,6-8: “enabling automated analysis … analysis of log patterns from event log streams … PARIS algorithm … automatically discovers principle patterns (atoms) of log event types … our log analysis algorithms … datasets from enterprise applications” or §2 especially ¶¶4-5: “automatically discover such event sequences … sequences can be compared and matched … automatically discover repeating event sequences” or §4 especially ¶¶1,3: “full log is a union of the individual log sets ... a-synchronic ... input the full log, and identifies the individual sets of messages that belong to one process or failure … provides … a collection of atoms, where each atom is a known set of messages produced by one process or failure … Analysis – each atom stands for one process or failure” or §5 especially ¶¶Title,1-3 “Log Analysis Algorithms … event logs … useful for operations of large Enterprise IT systems … output of PARIS … to detect problems … turns the log events to temporal measurements enabling .... learning technologies to help classify and describe problem periods … diagnosis of a specific problem that occurred is a supervised learning problem … unsupervised techniques to detect anomalies or behavior patterns from the logs” or §6 especially ¶¶11,13-14: “monitor indicated multiple symptoms … different components that compose the environment all have corresponding logs with error messages that occurred at the time ... only when processing the system logs through the algorithms that a clear picture of the environment is composed … Analyzing the messages in this fashion assisted in isolating the root problem that caused the system errors … the problem is isolated” §6 or Table 1 and the associated discussion). 

Claim 6
Aharon discloses:
further comprising linking at least some of the graphic elements to relationships determined between the system parameters and the log file data (e.g. §5: “visualization of the system event logs over time ... leveraging visualization ... to detect anomalies or behavioral patterns from the logs" or §6: “Once processed through the algorithms, error messages from multiple sources were visualized together, indicating ... cluster classification … Analyzing the messages in this fashion assisted in isolating the root problem that caused the system errors … from the visualization, further information about the system's behavior can be obtained, both normal and abnormal … applied the PARIS algorithm … Table 4 below shows examples of three atoms, showing the corresponding event clusters in each. These atoms represent three failure types in the system” or Figures 3, 4, 5 and the associated discussion or Table 4 and the associated discussion; Examiner points out that Figure 4 uses the y-axis to denote the cluster IDs based on clusters created by the dictionary creation algorithm, and color codes behavior patterns (e.g. pink, green, purple, yellow). Examiner also points out that Figure 5 also uses color coded behaviors (e.g. blue, red, yellow, green, cyan, etc.). Further, Table 4 clearly depicts 3 atoms which each correspond to a different failure type, making it clear that behavior types are represented by the atoms.). 

Claim 7
Aharon discloses: 
wherein the system parameters include central processing unit (CPU) processing, access time, and/or memory usage (e.g. §5: monitors of system behavior, such as CPU utilization, memory, network, etc.). 

Claim 8
Aharon discloses: 
wherein the self-learning process initially identifies a first one of the behaviors as being abnormal behavior (e.g. §6: “information about the system's behavior can be obtained, both normal and abnormal … applied the PARIS algorithm … Table 4 below shows examples of three atoms, showing the corresponding event clusters in each. These atoms represent three failure types in the system”). 
Cho also discloses: 
wherein the self-learning process initially identifies a first one of the behaviors as being abnormal behavior (e.g. §III.C: “decide if the current input sequence is abnormal” or §IV.B.1: “abnormal behavior … the system has a potential to effectively detect the intrusion”; Also see §IV.B.2). 

Claim 9
Aharon discloses:
wherein the self-learning process, in response to identifying a particular pattern, changes the identification of the first one of the behaviors from the abnormal behavior to a normal running process of the at least one device of the computer infrastructure (e.g. §6 especially ¶15; EN: The visualization displays which running behaviors are abnormal and which are normal, such that the data streaming in can cause the determination of behavior identification to change/toggle between abnormal/normal). 
Cho also discloses:
wherein the self-learning process, in response to identifying a particular pattern, changes the identification of the first one of the behaviors from the abnormal behavior to a normal running process of the at least one device of the computer infrastructure (e.g. §III.C: decide if the current input sequence is abnormal by obtaining and fusing the outputs from the different models; Also see §IV.B.3).

Claim 10
Aharon fails to explicitly recite:
establishing an initial pattern.
Cho discloses:
wherein the self-learning process uses stored previously collected asynchronous and continuous data to establish an initial pattern to obtain an initial behavior of the computer infrastructure (e.g. §III.B: This model … contains initial state distribution and observation probability at which a given symbol is to be observed … $B = \{b_j(k) \mid b_j(k) = \Pr(v_k \text{ at } t \mid q_j \text{ at } t)\}$, observation symbol probability distribution; $\pi = \{\pi_i \mid \pi_i = \Pr(q_i \text{ at } t = 1)\}$, initial state distribution. The probability with which the sequence is generated from the model can be calculated; Also see §III.A).
Rationale:
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the teachings of Aharon by initializing initial distributions (the initial “normal” behavior model) based on the existing data to be able to apply the model for probabilistically predicting input sequences as taught by Cho for the benefit of anomaly recognition by matching current behavior against the normal behavior models and calculating the probability with which it is generated out of each model and effectively processing large amounts of data for intrusion detection using techniques that have been shown to effectively detect intrusions (Cho e.g. §I or §III.B or §IV.B.1 or §IV.B.2 or §V).

Claim 17
Aharon discloses:
wherein the computer infrastructure is connectable with a data source for reception of data via a server and the server transfers data between the data source and the computer infrastructure (e.g. §5: Enterprise IT systems … event logs to aid in diagnosis of system problems … visualization of event logs over time … indexing of logs, reducing both space requirements and speeding up search or §6: Windows Server event log (which represents an infrastructure environment) and two enterprise business application logs; Also see §2).
 

Claim Rejections - 35 USC § 103
Claim(s) 2 and 16 is/are rejected under pre-AIA  35 U.S.C. §103(a) as being unpatentable over 
Aharon (“One Graph Is Worth a Thousand Logs: Uncovering Hidden Structures in Massive System Event Logs") in view of 
Cho (“Incorporating Soft Computing Techniques Into a Probabilistic Intrusion Detection System”) further in view of
Gupta (US 2009/0070628).

Claims 2 & 16
Aharon discloses: wherein the self-learning system is further configured for: 
determining or simulating … of certain streams of the log file data of the at least one device of the computer infrastructure (¶¶3-4,6-8: “enabling automated analysis … analysis of log patterns from event log streams … PARIS algorithm … automatically discovers principle patterns (atoms) of log event types … our log analysis algorithms … datasets from enterprise applications” or §2 especially ¶¶4-5: “automatically discover such event sequences … sequences can be compared and matched … automatically discover repeating event sequences” or §4 especially ¶¶1,3: “full log is a union of the individual log sets ... a-synchronic ... input the full log, and identifies the individual sets of messages that belong to one process or failure … provides … a collection of atoms, where each atom is a known set of messages produced by one process or failure … Analysis – each atom stands for one process or failure” or §5 especially ¶¶Title,1-3 “Log Analysis Algorithms … event logs … useful for operations of large Enterprise IT systems … output of PARIS … to detect problems … turns the log events to temporal measurements enabling .... learning technologies to help classify and describe problem periods … diagnosis of a specific problem that occurred is a supervised learning problem … unsupervised techniques to detect anomalies or behavior patterns from the logs” or §6 especially ¶¶11,13-14: “monitor indicated multiple symptoms … different components that compose the environment all have corresponding logs with error messages that occurred at the time ... only when processing the system logs through the algorithms that a clear picture of the environment is composed … Analyzing the messages in this fashion assisted in isolating the root problem that caused the system errors … the problem is isolated” §6 or Table 1 and the associated discussion).
Aharon fails to explicitly recite: 
probabilities;
providing a forecast of possible future performance of the at least one device of the computer infrastructure based on the determination or simulation. 
Cho discloses: wherein the self-learning system is further configured for: 
determining or simulating probabilities of certain streams … of the at least one device of the computer infrastructure (e.g. §I especially ¶¶1,5: “infrastructure … we extract the measures of audit data” or §III.B especially ¶¶3-4: “Given an input sequence … HMM can model it with its own probability parameters using Markov process …. Once a model is built, the probability with which a given sequence is generated from the model can be evaluated … The probability with which the sequence is generated from the model can be calculated by summing the probabilities”). 
Rationale:
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the teachings of Aharon by self-learning self-organizing maps (SOM) and modeling behavior using Hidden Markov Models (HMM), which are probabilistic, and using these models to identify abnormal behavior patterns as taught by Cho for the benefit of effectively processing large amounts of data for intrusion detection using techniques that have been shown to effectively detect intrusions (Cho e.g. §1 or §IV.B.1 or §IV.B.2 or §V).
The combination of Aharon and Cho fails to explicitly recite: 
providing a forecast of possible future performance of the at least one device of the computer infrastructure based on the determination or simulation. 
Gupta discloses: further comprising: 
determining or simulating probabilities of certain streams of the log file data of the at least one device of the computer infrastructure (e.g. ¶8: “Bayesian network model … based upon the information in the event log and the system parameter log … predict future values of the system parameters” or ¶20: “Dynamic Bayesian Network … applies the decision criteria … to the logged information” or ¶21: “learns the error and event patterns and is able to flag nodes that have a high probability of failing or experience the occurrence of a critical event and the times at which any critical events are likely to occur”); and 
providing a forecast of possible future performance of the at least one device of the computer infrastructure based on the determination or simulation (e.g. ¶8: “predict the occurrence future critical events … predicted performance parameter or critical event occurrence for the node for a predetermined future period of time. Thus, the future performance of a node in the cluster is predicted based upon the information in the event log and the system parameter log” or ¶20: “predict future critical events … computer cluster and its nodes’ present and future performance … nodes and/or events that are causing critical events … the type of critical events … likely to occur in the future” or ¶21: “flag nodes that have a high probability of failing or experience the occurrence of a critical event and the times at which any critical events are likely to occur”). 
Rationale:
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the teachings of the combination of Aharon and Cho by modeling the logged information to learn the error and event patterns to predict future performance of the computing nodes and when which type of critical event is likely to occur as taught by Gupta for the benefit of predicting future values of the system parameters and occurrences of critical events (Gupta e.g. ¶¶8-10).


Claim Rejections - 35 USC § 103
Claim(s) 5 is/are rejected under pre-AIA  35 U.S.C. §103(a) as being unpatentable over 
Aharon (“One Graph Is Worth a Thousand Logs: Uncovering Hidden Structures in Massive System Event Logs") in view of 
Cho (“Incorporating Soft Computing Techniques Into a Probabilistic Intrusion Detection System”) further in view of
Callan (CA 2766560).

Claim 5
The combination of Aharon and Cho fails to explicitly recite: 
multivariate Gaussian analysis.
Callan discloses: 
wherein the one or more statistical methods includes multivariate Gaussian analysis (e.g. page 8: In FIG. 2 … model components … X is a multivariate Gaussian … flow chart of a method of evaluating Variable Influence Indicators using a mixture model such as that illustrated in FIG. 2 is shown in FIG. 4).
Rationale:
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the teachings of the combination of Aharon and Cho by using a multivariate Gaussian in analyzing for outlying data as taught by Callan for the benefit of predictions indicating which elements are most different in determining a Variable Influence Indicator using graphical transformations and inference (Callan e.g. page 8).


Claim Rejections - 35 USC § 103
Claim(s) 11-12 and 18 is/are rejected under pre-AIA  35 U.S.C. §103(a) as being unpatentable over 
Aharon (“One Graph Is Worth a Thousand Logs: Uncovering Hidden Structures in Massive System Event Logs") in view of 
Cho (“Incorporating Soft Computing Techniques Into a Probabilistic Intrusion Detection System”) further in view of
Harrison (USPN 6,901,582).

Claim 11
The combination of Aharon and Cho fails to explicitly recite: 
degree of impact.
Harrison discloses:
further comprising initiating display of an indication of a degree of impact of the detected behavior type on the computer infrastructure (e.g. C1L40–C3L20: “various graphical objects change their attributes, such as shape, color, rotation, texture, and movement … hierarchical set of severity levels to alert a user of the monitoring program, wherein the user is alerted with a first severity level when a threshold value is met and a lesser severity level when the threshold value is not met … severity protocol, associated with the on-screen graphic and configured to set a graphical attribute of the on-screen graphic, where the graphical attribute efficiently communicates to a user, the potential or actual existence of performance inhibitors” or C11L20–C13L20: “on-screen graphics provide visual feedback to the user … attributes that convey performance information … attributes include, for example, a shape, a label, a value and a color … color … indicates a caution level … color green corresponds to a low caution level, thereby indicating … an acceptable range … colors yellow and red correspond to increasingly higher caution levels indicating an increasing likelihood of a bottleneck or other application performance impediment … shape may advantageously include a wide number of conventional geographic shapes … color changes corresponding to a wide number of increasingly higher caution levels … color-coded caution levels … colors green through red correspond to increasingly higher caution levels indicating an increasing likelihood of a bottleneck … attributes represented by the meter icons … a shape, a label, and a color … shape comprises that of an increasing graphic such as a bar or a pie chart … indicates a number or percentage of the components being represented … color … indicates the forgoing caution levels … colors green through red correspond to increasingly higher caution levels”). 
Rationale:
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the teachings of the combination of Aharon and Cho by using a variable display using color to indicate the severity/degree of impact of the analysis result as taught by Harrison for the benefit of a straightforward, efficient, intuitive, monitoring system with a snapshot view (Harrison e.g. C1:60–C2:25).



Claims 12 & 18
The combination of Aharon and Cho fails to explicitly recite: 
degree of impact.
Harrison discloses:
wherein the graphic elements have different colors or shapes in relation to the degree of impact of the detected behavior type on the computer infrastructure (e.g. C1L40–C3L20: “various graphical objects change their attributes, such as shape, color, rotation, texture, and movement … hierarchical set of severity levels to alert a user of the monitoring program, wherein the user is alerted with a first severity level when a threshold value is met and a lesser severity level when the threshold value is not met … severity protocol, associated with the on-screen graphic and configured to set a graphical attribute of the on-screen graphic, where the graphical attribute efficiently communicates to a user, the potential or actual existence of performance inhibitors” or C11L20–C13L20: “on-screen graphics provide visual feedback to the user … attributes that convey performance information … attributes include, for example, a shape, a label, a value and a color … color … indicates a caution level … color green corresponds to a low caution level, thereby indicating … an acceptable range … colors yellow and red correspond to increasingly higher caution levels indicating an increasing likelihood of a bottleneck or other application performance impediment … shape may advantageously include a wide number of conventional geographic shapes … color changes corresponding to a wide number of increasingly higher caution levels … color-coded caution levels … colors green through red correspond to increasingly higher caution levels indicating an increasing likelihood of a bottleneck … attributes represented by the meter icons … a shape, a label, and a color … shape comprises that of an increasing graphic such as a bar or a pie chart … indicates a number or percentage of the components being represented … color … indicates the forgoing caution levels … colors green through red correspond to increasingly higher caution levels”). 
Rationale:
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the teachings of the combination of Aharon and Cho by using a variable display using color to indicate the severity/degree of impact of the analysis result as taught by Harrison for the benefit of a straightforward, efficient, intuitive, monitoring system with a snapshot view (Harrison e.g. C1:60–C2:25).


Claim Rejections - 35 USC § 103
Claim(s) 13 and 19 is/are rejected under pre-AIA  35 U.S.C. §103(a) as being unpatentable over 
Aharon (“One Graph Is Worth a Thousand Logs: Uncovering Hidden Structures in Massive System Event Logs") in view of 
Cho (“Incorporating Soft Computing Techniques Into a Probabilistic Intrusion Detection System”) further in view of
Harrison (USPN 6,901,582) further in view of
Barsness (US 2012/0179809).

Claims 13 & 19
The combination of Aharon and Cho fails to explicitly recite: 
wherein at least a portion of the graphic elements are selectable and the method further includes, in response to a selection of at least a portion of the graphic elements, opening.
Harrison discloses:
wherein at least a portion of the graphic elements are …related types of the system parameters and the log file data entries of the continuous data and asynchronous data within the computer infrastructure (especially e.g. Figure 1a,1b,1c,1d,1e,4c,4d,4e,4g,4h,4l,5a,5b,5c,5d,5e and the associated discussion; The disclosed GUI clearly includes graphic elements depicting various related types of system parameters, such as e.g. server processes in Fig. 1a, SQL Memory and Disk Storage in Fig. 1b, CPU and Memory parameters in Fig. 1c, CPU and Memory in Fig. 1d, Channels and Cache in Fig. 1e, Server processes in Fig. 5b, read/s and changes/s in Fig. 5c, etc. The disclosed GUI clearly also includes graphic elements representing the log file data entries such as e.g. the Redo Logs in Fig. 1a, the Error Log and Log Files in Fig. 1b, the Logger in Fig. 1d, the Redo Log Writer in Fig. 5d, the Redo Logs and Archive Logs in Fig. 5e, etc.).
Rationale:
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the teachings of the combination of Aharon and Cho by using a variable display with selectable graphic elements, using color to indicate the severity/degree of impact of the analysis result, as taught by Harrison for the benefit of a straightforward, efficient, intuitive, monitoring system with a snapshot view (Harrison e.g. C1:60–C2:25).
The combination of Aharon and Cho and Harrison fails to explicitly recite: 
wherein at least a portion of the graphic elements are selectable and the method further includes, in response to a selection of at least a portion of the graphic elements, opening.
Barsness describes:
wherein at least a portion of the graphic elements are selectable and the method further includes, in response to a selection of at least a portion of the graphic elements, opening related types of the system parameters and the log file data entries of the continuous data and asynchronous data within the computer infrastructure (e.g. ¶56: “user interacts with the graphical representation … allow the user to access logs, parts of a log and performance metrics associated with the processing elements. A user may interact with the GUI 510 to view the operations of one of the selected operators 240 within a PE (or the connections between PEs). The GUI 510 may also be configured to display configurations of PEs (for example, which attributes of incoming data tuples are to be processed by a selected PE, etc.). A log file of a selected PE may also be viewed in the GUI 250. The log file of a selected PE typically includes pre-configured data related to the data processing of data tuples at the selected PE”). 
Rationale:
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the teachings of the combination of Aharon and Cho and Harrison by enabling a user to interact with the GUI to select and open the parameters/attributes and log files as taught by Barsness for the benefit of accessing logs, viewing the operations within a processing element (PE) and/or the connections between PEs, accessing performance metrics associated with the processing elements, displaying which attributes are to be processed by a selected PE, viewing log files, etc. (Barsness e.g. ¶56).

Examiner’s Note
The Examiner respectfully requests of the Applicant in preparing responses, to fully consider the entirety of the reference(s) as potentially teaching all or part of the claimed invention. It is noted, REFERENCES ARE RELEVANT AS PRIOR ART FOR ALL THEY CONTAIN. “The use of patents as references is not limited to what the patentees describe as their own inventions or to the problems with which they are concerned. They are part of the literature of the art, relevant for all they contain.” In re Heck, 699 F.2d 1331, 1332-33, 216 USPQ 1038, 1039 (Fed. Cir. 1983) (quoting In re Lemelson, 397 F.2d 1006, 1009, 158 USPQ 275, 277 (CCPA 1968)). A reference may be relied upon for all that it would have reasonably suggested to one having ordinary skill in the art, including non-preferred embodiments (see MPEP 2123). The Examiner has cited particular locations in the reference(s) as applied to the claim(s) above for the convenience of the Applicant. Although the specified citations are representative of the teachings of the art and are applied to the specific limitations within the individual claim(s), typically other passages and figures will apply as well.

Conclusion
Any prior art made of record on the attached PTO-892 and not relied upon is considered pertinent to applicant's disclosure.
Applicant is reminded that in amending in response to a rejection of claims, the patentable novelty must be clearly shown in view of the state of the art disclosed by the references cited and the objections made. Applicant must also show how the amendments avoid such references and objections. See 37 CFR §1.111(c). Additionally when amending, in their remarks Applicant should particularly cite to the supporting paragraphs in the original disclosure for the amendments.

Correspondence Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN J BUSS whose telephone number is (571)272-5831. The examiner can normally be reached on Monday, Tuesday, Thursday 9A-5P ET.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Abdullah Kawsar can be reached on 571-270-3169. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
As detailed in MPEP 502.03, communications via Internet e-mail are at the discretion of the applicant. Without a written authorization by applicant in place, the USPTO will not respond via Internet e-mail to any Internet correspondence which contains information subject to the confidentiality requirement as set forth in 35 U.S.C. 122. A paper copy of such correspondence will be placed in the appropriate patent application. Examiner suggests filing PTO/SB/439 if applicant desires the examiner to be able to communicate by email.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 


/B.B./
Examiner, Art Unit 2127

***


/ABDULLAH AL KAWSAR/Supervisory Patent Examiner, Art Unit 2127