Detailed Action
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1, 3, 5-6, 8, 10, 12-13, 15, 17, and 21-30 are pending for examination. Claims 1, 8, and 15 are independent.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 06/20/2022 has been entered.

Response to Amendment
This office action is responsive to the amendment filed on 06/20/2022. As directed by the amendment, claims 1, 8, and 15 are amended. Claims 2, 4, 7, 9, 11, 14, 16, and 18-20 are cancelled. Claims 26-30 are new.

Response to Arguments
Applicant's arguments filed 06/20/2022 have been fully considered but they are not persuasive. 
Applicant Argues: 
“In the Advisory Action, the Examiner indicated that, "under the broadest reasonable interpretation, a 'flat' change in direction could be interpreted as no change in direction or a zero value in di. Brill describing, 'In the steady state (i.e., when no events are occurring)' could correspond to no change occurring in the distance between data points, also indication no event is occurring, under broadest reasonable interpretation, could still be interpreted as a measurement of an event." See Advisory Action, page 3. Applicant respectfully disagrees.”
“Applicant respectfully contends that the claim limitation "events occurring" cannot be reasonably interpreted as being taught by Brill, when Brill explicitly states that "no events are occurring" in the steady state. Applicant is unsure how "no events are occurring" could then be reasonably interpreted as a measurement of an event. Applicant respectfully asserts that even under a broadest reasonable interpretation, one cannot interpret a reference as teaching a claim limitation, when the reference explicitly states that it is the opposite of what is claimed.”

Examiner response: 
Examiner respectfully disagrees. Brill discloses, in para 0088-0090, measurement of an occurring event. Examiner has added a new reference “Boerner” to explicitly disclose the 'flat' change in direction when evaluating the streak attribute (see 35 USC 103 rejection below). The rest of the arguments are moot in view of the new ground of rejection.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: "receive by the event identification module event information" and "evaluate by a probability function in the event identification module the measurement metric"  in claim 15.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
101 rejections
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1, 3, 5-6, 8, 10, 12-13, 15, 17, and 21-30 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.

Step 1
According to the first part of the analysis, in the instant case, claims 1, 3, 5-6, and  21-30 are directed to a method, claims 8, 10, and 12-13 are directed to a computer program product, and claims 15 and 17 are directed toward a system. Thus, each of the claims falls within one of the four statutory categories (i.e. process, machine, manufacture, or composition of matter).

Step 2A, Prong 1
Following the determination of whether or not the claims fall within one of the four categories (Step 1), it must be determined if the claims recite a judicial exception (e.g. mathematical concepts, mental processes, certain methods of organizing human activity) (Step 2A, Prong 1). In this case, the claims are determined to recite a judicial exception as explained below.

Regarding Claims 1, 8, and 15
evaluating by a probability function the measurement metric for each occurring event to determine when any of the value attribute, the change attribute, the streak size attribute and the streak duration attribute is above a predetermined probability threshold or below a probability threshold wherein above a probability threshold or below a probability threshold is classified as alarm data (This step appears to be evaluating using a probability function and is understood to be a recitation of mental process and mathematical calculations.); 
processing the alarm data through the decision tree after the training process has been performed to determine based on the training data when the alarm data is significant or when the alarm data is not significant and to reduce the number of alarm data to a predetermined number of significant alarm data, wherein the alarm data that is classified as significant requires attention  (This step for processing the alarm data appears to be practically implementable in the human mind and is understood to be a recitation of a mental process.); and Page 2 of 16Appl. No. 15/811,573 Amendment Accompanying Request for Continued Examination 

Step 2A, Prong 2
Following the determination that the claims recite a judicial exception, it must be determined if the claims recite additional elements that integrate the exception into a practical application of the exception (Step 2A, Prong 2). In this case, after considering all claim elements individually and as an ordered combination, it is determined that the claims do not include additional elements that integrate the exception into a practical application of the exception as explained below.

Regarding Claims 1, 8, and 15
A system for event identification comprising: an event identification module; a decision tree manager; a non-transitory storage medium that stores instructions; and a processor that executes the instructions: computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to perform (The “event identification module” “decision tree manager” “non-transitory storage medium” “processor” “computer readable storage medium” are understood to be generic computer equipment.)
receiving event information pertaining to events occurring with respect to a computing environment, each occurring event having a measurement metric, the measurement metric for each occurring event including a value attribute, a change attribute, a streak size attribute and a streak duration attribute wherein the value attribute is the original series of measurement data over one or more measurement periods, the change attribute is the change of value at a current measurement period relative to a previous measurement period, the streak size attribute is the size of continuous change in one direction as positive, negative or flat and the streak duration attribute is the number of measurement periods of continuous change in one direction as positive, negative or flat; (This step appears to be directed to receiving information, which is understood to be insignificant extra-solution activity. The specification of data to be stored is understood to be a field of use limitation.)
training a decision tree by a training process using training data; (Generally linking the use of the judicial exception to a particular technological environment or field of use.)
displaying the predetermined number of significant alarm data to a user. (This step appears to be directed to transmitting information, which is understood to be insignificant extra-solution activity.)

Step 2B
Based on the determination in Step 2A of the analysis that the claims are directed to a judicial exception, it must be determined if the claims contain any element or combination of elements sufficient to ensure that the claim amounts to significantly more than the judicial exception (Step 2B). In this case, after considering all claim elements individually and as an ordered combination, it is determined that the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception for the same reasons given above in the Step 2A, Prong 2 analysis. Furthermore, each additional element identified above as being insignificant extra-solution activity is also well-known, routine, conventional as described below.

Regarding Claims 1, 8, and 15
A system for event identification comprising: an event identification module; a decision tree manager; a non-transitory storage medium that stores instructions; and a processor that executes the instructions: computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to perform (The “event identification module” “decision tree manager” “non-transitory storage medium” “processor” “computer readable storage medium” are understood to be generic computer equipment. See MPEP 2106.05(f).).
receiving event information pertaining to events occurring with respect to a computing environment, each occurring event having a measurement metric, the measurement metric for each occurring event including a value attribute, a change attribute, a streak size attribute and a streak duration attribute wherein the value attribute is the original series of measurement data over one or more measurement periods, the change attribute is the change of value at a current measurement period relative to a previous measurement period, the streak size attribute is the size of continuous change in one direction as positive, negative or flat and the streak duration attribute is the number of measurement periods of continuous change in one direction as positive, negative or flat; (This step appears to be directed to receiving information, which is understood to be insignificant extra-solution activity. See MPEP 2106.05(g). The specification of data to be stored is understood to be a field of use limitation. See MPEP 2106.05(h).)
training a decision tree by a training process using training data; (Generally linking the use of the judicial exception to a particular technological environment or field of use – see MPEP 2106.05(h))
displaying the predetermined number of significant alarm data to a user. (This step appears to be directed to transmitting/displaying information, which is understood to be insignificant extra-solution activity. See MPEP 2106.05(g).)

Step 2A, Prong 1

	Regarding Claims 3, 10, and 17
wherein processing the alarm data through the decision tree to determine when the alarm data is significant or when the alarm data is not significant includes a probability that the alarm data is significant or that the alarm data is not significant. (This step appears to be practically implementable in the human mind and is understood to be a recitation of a mental process.);

Step 2A, Prong 1

	Regarding Claim 5 and 12
creating a root node using the training data (This step appears to be practically implementable in the human mind and is understood to be a recitation of a mental process.); 
finding a splitting point of the value attribute, the change attribute, the streak size attribute and the streak duration attribute which makes the subset of the value attribute, the change attribute, the streak size attribute and the streak duration attribute most different; (This step appears to be practically implementable in the human mind and is understood to be a recitation of a mental process and math.)
comparing the value attribute, the change attribute, the streak size attribute and the streak duration attribute and choosing the attribute as a split node that results in the biggest difference between significant alarmed event and an insignificant alarmed event; (This step appears to be practically implementable in the human mind and is understood to be a recitation of a mental process.)
splitting the root node using the chosen attribute as the split node and new node to the decision tree (This step appears to be practically implementable in the human mind and is understood to be a recitation of a mental process.); and 
repeat finding the splitting node, comparing the value attribute and splitting the splitting node until all nodes terminate splitting. (This step appears to be practically implementable in the human mind and is understood to be a recitation of a mental process and math.)

Step 2A, Prong 2

	Regarding Claim 5 and 12
obtaining the training data, wherein the training data includes a plurality of event information that triggers an alarm regardless of whether the alarm is above the predetermined probability threshold or below the probability threshold, the plurality of event information that triggers the alarm having an indication of whether the event information that triggered the alarm was a significant alarmed event; (This step appears to be directed to receiving information, which is understood to be insignificant extra-solution activity. The specification of data to be stored is understood to be a field of use limitation.)

Step 2B

	Regarding Claim 5 and 12
obtaining the training data, wherein the training data includes a plurality of event information that triggers an alarm regardless of whether the alarm is above the predetermined probability threshold or below the probability threshold, the plurality of event information that triggers the alarm having an indication of whether the event information that triggered the alarm was a significant alarmed event; (This step appears to be directed to receiving information, which is understood to be insignificant extra-solution activity. See MPEP 2106.05(g). The specification of data to be stored is understood to be a field of use limitation. See MPEP 2106.05(h).)

Step 2A, Prong 1

Regarding Claim 6 and 13
wherein processing the alarm data through the decision tree to determine when the alarm data is significant or when the alarm data is not significant further to determine when the alarm data is not significant but the alarm data is unusual in that an odd pattern of data emerges. (This step appears to be practically implementable in the human mind and is understood to be a recitation of a mental process.)

Regarding Claim 21
wherein the reducing the number of alarm data to the predetermined number of significant alarm data comprises classifying a first set of significant alarm data, a second set of significant alarm data, and a third set of significant alarm data. (This step appears to be practically implementable in the human mind and is understood to be a recitation of a mental process.)

Regarding Claim 26
wherein the probability function is an inverse cumulative distribution function (INCDF). (This step appears to be describing the function and is understood to be a recitation of math.)

Regarding Claim 30
wherein the probability threshold is determined dynamically based on the measurement metric of each occurring event. (This step appears to be practically implementable in the human mind and is understood to be a recitation of a mental process.)
Step 2A, Prong 2

Regarding Claim 22
wherein the first set of significant alarm data is classified as good news, the second set of significant alarm data is classified as bad news, and the third set of significant alarm data is classified as other news (The specification of data to be stored is understood to be a field of use limitation. See MPEP 2106.05(h).), and wherein displaying the predetermined number of significant alarm data to the user includes displaying the classification of each of the sets of significant alarm data (This step appears to be directed to transmitting/displaying information, which is understood to be insignificant extra-solution activity.). 

Regarding Claim 23
wherein the first set of significant alarm data that is classified as good news exceeds a first threshold, wherein the second set of significant alarm data that is classified as bad news exceeds a second threshold, and wherein the third set of significant alarm data that classified as other news does not exceed either the first threshold or the second threshold. (The specification of data to be stored is understood to be a field of use limitation.)

Regarding Claim 24
wherein the decision tree is retrained with a second set of training data based on feedback received from the user. (Generally linking the use of the judicial exception to a particular technological environment or field of use.)

Regarding Claim 25
wherein the feedback received from the user indicates that at least one of the predetermined number of significant alarm data was classified incorrectly by the decision tree. (The specification of data to be stored is understood to be a field of use limitation.)

Regarding Claim 27
wherein the event information includes metadata comprising a disposition associated with each measurement metric. (The specification of data to be stored is understood to be a field of use limitation.)

Regarding Claim 28
wherein the disposition indicates that a positive change in a first measurement metric is considered bad and a negative change in the first measurement metric is considered good. (The specification of data to be stored is understood to be a field of use limitation.)

Regarding Claim 29
wherein displaying the classification of each of the sets of significant alarm data is summarized on a one page format. (The specification of data to be stored is understood to be a field of use limitation.)

Step 2B

Regarding Claim 22
wherein the first set of significant alarm data is classified as good news, the second set of significant alarm data is classified as bad news, and the third set of significant alarm data is classified as other news (The specification of data to be stored is understood to be a field of use limitation. See MPEP 2106.05(h).), and wherein displaying the predetermined number of significant alarm data to the user includes displaying the classification of each of the sets of significant alarm data (This step appears to be directed to transmitting/displaying information, which is understood to be insignificant extra-solution activity. See MPEP 2106.05(g).). 

Regarding Claim 23
wherein the first set of significant alarm data that is classified as good news exceeds a first threshold, wherein the second set of significant alarm data that is classified as bad news exceeds a second threshold, and wherein the third set of significant alarm data that classified as other news does not exceed either the first threshold or the second threshold. (The specification of data to be stored is understood to be a field of use limitation. See MPEP 2106.05(h).)

Regarding Claim 24
wherein the decision tree is retrained with a second set of training data based on feedback received from the user. (Generally linking the use of the judicial exception to a particular technological environment or field of use. See MPEP 2106.05(h))

Regarding Claim 25
wherein the feedback received from the user indicates that at least one of the predetermined number of significant alarm data was classified incorrectly by the decision tree. (The specification of data to be stored is understood to be a field of use limitation. See MPEP 2106.05(h).)

Regarding Claim 27
wherein the event information includes metadata comprising a disposition associated with each measurement metric. (The specification of data to be stored is understood to be a field of use limitation. See MPEP 2106.05(h).)

Regarding Claim 28
wherein the disposition indicates that a positive change in a first measurement metric is considered bad and a negative change in the first measurement metric is considered good. (The specification of data to be stored is understood to be a field of use limitation. See MPEP 2106.05(h).)

Regarding Claim 29
wherein displaying the classification of each of the sets of significant alarm data is summarized on a one page format. (The specification of data to be stored is understood to be a field of use limitation. See MPEP 2106.05(h).)

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1, 8, 15, 21-25, 27-28 and 30 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brill (US 20150205856, hereinafter "Brill") in view of Boerner (US 7818224 B2, hereinafter "Boerner") and Niininen et al. (US 20180150758, hereinafter "Niininen").

Regarding Claim 1
Brill discloses: A method for event identification ([Para 0039 and Fig 1]) comprising: receiving event information pertaining to events occurring with respect to a computing environment, each occurring event having a measurement metric ([Para 0040] “a data instance, X1, X2,...,XN represent the different attributes of the instance… Each one of sensor units 1021, 1022, ..., 102N provides the data instance produced thereby (i.e., the data measured thereby) to event detector and classifier 104.” Examiner interprets the data instances X as the measurement metric. [Para 0088-0090] discloses measurement of an occurring event.), the measurement metric for each occurring event including a value attribute, a change attribute, a streak size attribute and a streak duration attribute ([Para 0046 and Fig 2]) wherein the value attribute is the original series of measurement data over one or more measurement periods ([Para 0046] “Each point in the attribute space corresponds to a respective data instance and thus with respective attributes measurement values.” Examiner interprets the data instance measurement value as a value attribute and the time stamps (see para 0023) as the measurement periods.), the change attribute is the change of value at a current measurement period relative to a previous measurement period ([Para 0049] “Herein, the distance between a selected data point (i.e., with respective attributes measurement and time Stamp) TN and a respective preceding data point TN-K is denoted ‘d(K)’.” Examiner interprets the distance between selected data points as the change attribute.), 
evaluating by a probability function the measurement metric for each occurring event to determine when any of the value attribute, the change attribute, the streak size attribute and the streak duration attribute is above a predetermined probability threshold or below a probability threshold wherein above a probability threshold or below a probability threshold is classified as alarm data ([Para 0061] “if the time difference between a current event and a previous event is above or below the Mean Time Between Events (MTBE) by more than a selected number of standard deviations, then that event may be classified as an abnormal event.” Examiner interprets the Mean time between Events as the probability threshold and the classified abnormal event as alarm data.); 
training a decision tree by a training process using training data ([Para 0073 and Fig 5] “an exemplary decision tree, generally referenced 250, employed during classifications of the events, for example, in an ECT, in accordance with a further embodiment of the disclosed technique and referring to FIG. 1.” [Para 0075] “In general, event classification may include three phase, the training phase the testing phase and the monitoring phase. During the learning phase data related to known events is collected for each time-stamp t and stored in the system database.” Examiner reads the training/learning phase as a training process and data related to known events as training data used to train the Event classifier (i.e. decision tree).); 
processing the alarm data through the decision tree ([Para 0073-0074 and Fig 5] “decision tree, generally referenced 250, employed during classifications of the events…”) after the training process has been performed to determine based on the training data when the alarm data is significant or when the alarm data is not significant ([Para 0075-0078] “In general, event classification may include three phase, the training phase the testing phase and the monitoring phase… when the results obtained during testing phase 304 are satisfactory, the system moves to monitoring phase 306. When the results obtained during testing phase 304 are not satisfactory, the system may return to the learning phase 302” Examiner interprets the results of the trained Decision tree (i.e. hazardous/non-hazardous) as significant/not significant alarm data.) and to reduce the number of alarm data to a predetermined number of significant alarm data ([Para 0079] “During monitoring phase, the event detection and classification system classifies data instances according to that which has been learned and validated in the learning and testing phases. During this phase if an event (i.e., which is a group of related records or measurements) meets a determined criteria, an alarm may be generated.” Examiner interprets the monitoring phase as reducing the alarm data to a predetermined number of significant alarm data.), 
Brill does not explicitly disclose: the streak size attribute is the size of continuous change in one direction as positive, negative or flat and the streak duration attribute is the number of measurement periods of continuous change in one direction as positive, negative or flat;
However, Boerner discloses in the same field of endeavor: the streak size attribute is the size of continuous change in one direction as positive, negative or flat and the streak duration attribute is the number of measurement periods of continuous change in one direction as positive, negative or flat ([Col 12 line 12-27 and Fig 5] “Referring now to FIG. 5, which is a post-processing chart for the trends of a time series, the trends are counted in step 610, and statistics for each of the trends are calculated in steps 610-710. The statistics include: ... Determining the trend length at step 660; Determining the average trend correlation at step 670; Setting a flag at step 680 to indicate the direction of the trend, where up=+1, flat=0, and down=-1;”);
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method for abnormality detection taught by Brill with the method for identifying trends in time series taught by Boerner. Doing so provides useful information about trends for a particular data set (Col 2 line 35-40, Boerner).
Brill in view of Boerner does not explicitly disclose: wherein the alarm data that is classified as significant requires attention; and displaying the predetermined number of significant alarm data to a user.
However, Niininen discloses in the same field of endeavor: processing the alarm data through the decision tree after the training process has been performed to determine based on the training data when the alarm data is significant or when the alarm data is not significant and to reduce the number of alarm data to a predetermined number of significant alarm data, wherein the alarm data that is classified as significant requires attention ([Para 0085 and Fig 6] “In one embodiment, the predictive machine learning classifier is trained to classify each alert as actionable or non-actionable using the one or more data fields of each alert as one or more respective classification features, and to calculate a respective probability that said each alert is actionable or non-actionable (step 605).” [Para 0001] “For example, an alert is actionable if the alert requires action by IT service provider personnel to resolve;” [Para 0092] “features or data fields whose values do not vary from alert to alert of whose variance is below a predetermined threshold can be removed from the training data. In one embodiment, data fields that are calculated or determined to result in false positive rates above a threshold value can also be removed as a classification feature” [Para 0095] “In one embodiment, when the variable type is a decision tree variable type, the alert classifier 119 transforms the one or more data fields using a decision tree to correlate the one or more data fields to a likelihood of being associated with an actionable alert.” Examiner interprets an actionable alert as alarm data that is classified as significant and requires attention.); and 
displaying the predetermined number of significant alarm data to a user ([Para 0086 and Fig 6] “In step 607, the alert classifier 119 initiates a presentation of the plurality of alerts in a network monitoring user interface based on the respective probability of each alert being actionable or non-actionable.” [Para 0097] “As shown, the UI 800 presents the classified alerts in tabular form with the first column 801 presenting the predicted probability that the respective alert is an actionable alert…” [Para 0098] “the system 100 can present a UI 800 that displays only those alerts that are above the threshold value or enables operations personnel to selectively sort or filter based on predetermined probability thresholds or thresholds specified by the operational personnel. In yet another embodiment, the alerts with prediction values (e.g., probability that an alert is actionable) …”).
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method for abnormality detection taught by Brill with the method for identifying trends in time series taught by Boerner with the method for predictive classification of actionable network alerts taught by Niininen. Doing so can classify alerts as actionable or non-actionable (Abstract, Niininen).

Regarding Claim 8
Brill in view of Boerner and Niininen discloses: A computer program product for event identification, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to perform a method ([Para 0108 and Fig 10], Niininen) comprising: (The rest of the limitations are similar to corresponding claim 1 and are rejected on the same grounds.)

Regarding Claim 15
Brill in view of Boerner and Niininen discloses: A system for event identification comprising: an event identification module ([Fig 1], Brill); a decision tree manager ([Fig 5], Brill); a non-transitory storage medium that stores instructions ([Para 0117 and Fig 10], Niininen); and a processor that executes the instructions to perform the following functions ([Para 0108 and Fig 10], Niininen): (The rest of the limitations are similar to corresponding claim 1 and are rejected on the same grounds.)

Regarding Claim 21
Brill in view of Boerner and Niininen discloses: The method of claim 1, wherein the reducing the number of alarm data to the predetermined number of significant alarm data comprises classifying a first set of significant alarm data, a second set of significant alarm data, and a third set of significant alarm data ([Para 0071], Brill “Following is a classification example in which an event is classified to be frequent or non-frequent and as either hazardous, non-hazardous or unknown (i.e., two-dimensional classification).”).

Regarding claim 22
Brill in view of Boerner and Niininen discloses: The method of claim 21, wherein the first set of significant alarm data is classified as good news, the second set of significant alarm data is classified as bad news, and the third set of significant alarm data is classified as other news ([Para 0071], Brill “Following is a classification example in which an event is classified to be frequent or non-frequent and as either hazardous, non-hazardous or unknown (i.e., two-dimensional classification).”), and wherein displaying the predetermined number of significant alarm data to the user includes displaying the classification of each of the sets of significant alarm data ([Para 0086 and Fig 6], Niininen “In step 607, the alert classifier 119 initiates a presentation of the plurality of alerts in a network monitoring user interface based on the respective probability of each alert being actionable or non-actionable.”).

Regarding Claim 23
Brill in view of Boerner and Niininen discloses: The method of claim 22, wherein the first set of significant alarm data that is classified as good news exceeds a first threshold, wherein the second set of significant alarm data that is classified as bad news exceeds a second threshold, and wherein the third set of significant alarm data that classified as other news does not exceed either the first threshold or the second threshold ([Para 0070-0073, Fig. 5, and Table 1], Brill “When SR is smaller than a value of u, then event detector and classifier 104 determines that the event is not a hazardous event. When NB is larger than u, then event detector and classifier 104 determines that the event is a hazardous event.” Examiner reads the unknown classification as not having to correspond with the u and β thresholds.).

Regarding Claim 24
Brill in view of Boerner and Niininen discloses: The method of claim 1, wherein the decision tree is retrained with a second set of training data based on feedback received from the user ([Para 0036], Niininen “In one embodiment, the alert classifier 119 incorporates a feedback loop between the predictive machine learning model 123 and manual classifications by operations personnel to constantly learn and improve the accuracy of the predictive machine learning model 123.” [Para 0087], Niininen “The alert classifier 119 then updates a training of the predictive machine learning model based on the feedback input.”).

Regarding Claim 25
Brill in view of Boerner and Niininen discloses: wherein the feedback received from the user indicates that at least one of the predetermined number of significant alarm data was classified incorrectly by the decision tree ([Para 0087], Niininen “For example, this feedback input may be provided by operations personnel directly (e.g., as corrective input to override the classification from the alert classifier 119). In other embodiments, the feedback can be inferred if an incident ticket is created or not created for a classified alert. For example, if an alert with a low calculated probability of being actionable is issued an incident ticket by operations personnel, the alert classifier 119 record the incident ticket as a feedback input indicating an erroneously classified alert”).

Regarding Claim 27
Brill in view of Boerner and Niininen discloses: The method of claim 1, wherein the event information includes metadata comprising a disposition associated with each measurement metric ([Para 0034], Niininen “In one embodiment, the event broker 111 can enrich or append the alert (e.g., the data record representing the alert) with related metadata or contextual information about the alarm condition causing the alert, the impacted service 101 or application, and the like”).

Regarding Claim 28
Brill in view of Boerner and Niininen discloses: The method of claim 27, wherein the disposition indicates that a positive change in a first measurement metric is considered bad and a negative change in the first measurement metric is considered good ([Para 0073-0075], Brill “When ND is smaller than a value of B, then event detector and classifier 104 determines that the event is a hazardous event. When EP larger than B, then event detector and classifier 104 determines that the event is not a hazardous event.”).

Regarding Claim 30
Brill in view of Boerner and Niininen discloses: The method of claim 1, wherein the probability threshold is determined dynamically based on the measurement metric of each occurring event ([Para 0061] “if the time difference between a current event and a previous event is above or below the Mean Time Between Events (MTBE) by more than a selected number of standard deviations, then that event may be classified as an abnormal event.”).

Claims 3, 6, 10, 13, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Brill (US 20150205856, hereinafter "Brill") in view of Boerner (US 7818224 B2, hereinafter "Boerner"), Niininen et al. (US 20180150758, hereinafter "Niininen") and Muddu et al. (US 20170063889, hereinafter "Muddu").

Regarding Claim 3
Brill in view of Boerner and Niininen discloses: The method of claim 1,
Brill in view of Boerner and Niininen does not explicitly disclose: wherein processing the alarm data through the decision tree to determine when the alarm data is significant or when the alarm data is not significant includes a probability that the alarm data is significant or that the alarm data is not significant.
However, Muddu discloses in the same field of endeavor: wherein processing the alarm data through the decision tree to determine when the alarm data is significant or when the alarm data is not significant includes a probability that the alarm data is significant or that the alarm data is not significant ([Para 0523 and Fig 52], Muddu “However, if the actual next symbol that appears is a "d," then because the prediction of the probability of "d" appearing is very low, this event/symbol is considered unusual, or rare. Thereafter, in some embodiments, such rare event can trigger an alert to the administrator for further analysis. As used herein, an unusual symbol (e.g., representing an event) is the actual occurrence of a symbol when the PST model predicts the probability of such symbol's occurrence is less than a threshold” Examiner interprets the probability determined from the Probabilistic Suffix Trees (PST model) for an event being unusual or rare as determining alarm data as significant/insignificant.).
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method for abnormality detection taught by Brill with the method for identifying trends in time series taught by Boerner with the method for predictive classification of actionable network alerts taught by Niininen with the security platform for detecting anomalies taught by Muddu. Doing so allows discovered unusual behavioral sequences to be presented to an administrator for action and/or feedback (para 0540, Muddu).

Regarding Claim 6
Brill in view of Boerner, Niininen and Muddu discloses: The method of claim 1 wherein processing the alarm data through the decision tree to determine when the alarm data is significant or when the alarm data is not significant further to determine when the alarm data is not significant but the alarm data is unusual in that an odd pattern of data emerges ([Para 0186], Muddu “anomalies and threats are detected by comparing incoming event data (e.g., a series of events) against the baseline profile for an entity to which the event data relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected.” Examiner interprets the series of events as a pattern of data which indicates unusual alarm data when an odd pattern (i.e. series of events) is determined by the model. [Para 0523 and Fig 52], Muddu “However, if the actual next symbol that appears is a "d," then because the prediction of the probability of "d" appearing is very low, this event/symbol is considered unusual, or rare.”).

Regarding Claim 10
(CLAIM 10 IS A COMPUTER PROGRAM PRODUCT CLAIM THAT CORRESPONDS TO METHOD CLAIM 3 AND IS REJECTED ON THE SAME GROUND)

Regarding Claim 13
(CLAIM 13 IS A COMPUTER PROGRAM PRODUCT CLAIM THAT CORRESPONDS TO METHOD CLAIM 6 AND IS REJECTED ON THE SAME GROUND)

Regarding Claim 17
(CLAIM 17 IS A SYSTEM CLAIM THAT CORRESPONDS TO METHOD CLAIM 3 AND IS REJECTED ON THE SAME GROUND)

Claims 5 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Brill (US 20150205856, hereinafter "Brill") in view of Boerner (US 7818224 B2, hereinafter "Boerner"), Niininen et al. (US 20180150758, hereinafter "Niininen") and Nowozin ("Improved Information Gain Estimates for Decision Tree Induction", hereinafter "Nowozin").

Regarding Claim 5
Brill in view of Boerner and Niininen discloses: The method of claim 1, wherein training the decision tree by the training process using the training data comprises: obtaining the training data, wherein the training data includes a plurality of event information that triggers an alarm regardless of whether the alarm is above the predetermined probability threshold or below the probability threshold, the plurality of event information that triggers the alarm having an indication of whether the event information that triggered the alarm was a significant alarmed event ([Para 0075-0076], Brill “The records in the testing set are tagged by an expert as normal or abnormal. Furthermore, the expert may classify the event (e.g., faulty sensor, change of Supply Source). These tags and classifications are labeled as the actual classification.” Examiner interprets the labeled data as training data having an indication of whether the event information that triggered the alarm was significant.); 
Brill in view of Boerner and Niininen does not explicitly disclose: creating a root node using the training data; finding a splitting point of the value attribute, the change attribute, the streak size attribute and the streak duration attribute which makes the subset of the value attribute, the change attribute, the streak size attribute and the streak duration attribute most different; comparing the value attribute, the change attribute, the streak size attribute and the streak duration attribute and choosing the attribute as a split node that results in the biggest difference between significant alarmed event and an insignificant alarmed event; splitting the root node using the chosen attribute as the split node and new node to the decision tree; and repeat finding the splitting node, comparing the value attribute and splitting the splitting node until all nodes terminate splitting.
However, Nowozin discloses in the same field of endeavor: creating a root node using the training data ([Section 1.1] “we start with an empty tree with just a root node. We then sample a number of split function candidates from a fixed distribution. Each split function partitions the training set into a left and right subset by some test on each x_i”); finding a splitting point of the value attribute, the change attribute, the streak size attribute and the streak duration attribute which makes the subset of the value attribute, the change attribute, the streak size attribute and the streak duration attribute most different (“Given a data set {(x_i, y_i)}, i = 1, ..., N, we start with an empty tree with just a root node. We then sample a number of split function candidates from a fixed distribution. Each split function partitions the training set into a left and right subset by some test on each x_i.” Examiner interprets the split function as finding a splitting point of an attribute x.); comparing the value attribute, the change attribute, the streak size attribute and the streak duration attribute and choosing the attribute as a split node that results in the biggest difference between significant alarmed event and an insignificant alarmed event ([Section 1.1 and Algorithm 1] “When we use the information gain criterion for recursive tree growing, we execute Algorithm 1 at each node in the decision tree, testing T candidate splits sequentially and keeping the one that achieves the highest estimated information gain” Examiner interprets Algorithm 1 as comparing the left or right nodes of the decision tree with the predicative output that results in the biggest difference from the input/output (see line 8 in Algorithm 1).); splitting the root node using the chosen attribute as the split node and new node to the decision tree ([Section 1.1 and Algorithm 1] “When we use the information gain criterion for recursive tree growing, we execute Algorithm 1 at each node in the decision tree, testing T candidate splits sequentially and keeping the one that achieves the highest estimated information gain”); and repeat finding the splitting node, comparing the value attribute and splitting the splitting node until all nodes terminate splitting ([Section 1.1 and Algorithm 1] “This procedure is applied recursively until some stopping conditions such as a maximum tree depth or minimum sample size are reached.”).
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method for abnormality detection taught by Brill with the method for identifying trends in time series taught by Boerner with the method for predictive classification of actionable network alerts taught by Niininen with the method for decision tree induction taught by Nowozin. Doing so can improve predictive performance of a decision tree (Abstract, Nowozin).

Regarding Claim 12
(CLAIM 12 IS A COMPUTER PROGRAM PRODUCT CLAIM THAT CORRESPONDS TO METHOD CLAIM 5 AND IS REJECTED ON THE SAME GROUND)

Claim 26 is rejected under 35 U.S.C. 103 as being unpatentable over Brill (US 20150205856, hereinafter "Brill") in view of Boerner (US 7818224 B2, hereinafter "Boerner"), Niininen et al. (US 20180150758, hereinafter "Niininen") and Nanda et al. (US 20180101639, hereinafter "Nanda").

Regarding Claim 26
Brill in view of Boerner and Niininen discloses: The method of claim 1, 
Brill in view of Boerner and Niininen does not explicitly disclose: wherein the probability function is an inverse cumulative distribution function (INCDF).
However, Nanda discloses in the same field of endeavor: wherein the probability function is an inverse cumulative distribution function (INCDF). ([Para 0033] “Further, data mining via evolution analysis describes the trends of data points over time. Moreover, data mining via transfer function methods may analyze data to quantify relationships between the data and the events of interest. For example, a transfer function may transform modeled values into probabilities via a cumulative distribution function of the modeled value's distribution, and then may transform back the probabilities into data values using an inverse of the cumulative distribution function.”)
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method for abnormality detection taught by Brill with the method for identifying trends in time series taught by Boerner with the method for predictive classification of actionable network alerts taught by Niininen with the method for predictive events taught by Nanda. Doing so can implement an inverse distribution function (Para 0033, Nanda).

Claim 29 is rejected under 35 U.S.C. 103 as being unpatentable over Brill (US 20150205856, hereinafter "Brill") in view of Boerner (US 7818224 B2, hereinafter "Boerner"), Niininen et al. (US 20180150758, hereinafter "Niininen") and Bernstein (US 20070022020, hereinafter "Bernstein").

Regarding Claim 29
Brill in view of Boerner and Niininen discloses: The method of claim 22, 
Brill in view of Boerner and Niininen does not explicitly disclose: wherein displaying the classification of each of the sets of significant alarm data is summarized on a one page format.
However, Bernstein discloses in the same field of endeavor: wherein displaying the classification of each of the sets of significant alarm data is summarized on a one page format ([Para 0006] “delivery data and tracking data and displaying all such data in a single page format.”).
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method for abnormality detection taught by Brill with the method for identifying trends in time series taught by Boerner with the method for predictive classification of actionable network alerts taught by Niininen with the method for Display integrated format taught by Bernstein. Doing so can display data in a single page format (Abstract, Bernstein).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Wong et al. (US 20110320388 A1, hereinafter "Wong") also describes data trends in the positive, negative, and flat directions (Para 0040, Wong).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TEWODROS E MENGISTU whose telephone number is (571)270-7714. The examiner can normally be reached Mon-Fri 9:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ABDULLAH KAWSAR can be reached on (571)270-3169. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/TEWODROS E MENGISTU/Examiner, Art Unit 2127
/ABDULLAH AL KAWSAR/Supervisory Patent Examiner, Art Unit 2127