Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 8/11/22 has been entered.
 
Claims 1-3, 6, 8-11, 14-17, and 20-27 are pending.  Claims 1, 9, 15, 20, and 26 are amended.

Response to Amendment


Claim Objections
Claim 20’s claim objection has been withdrawn due to amendment.



Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 1-3, 6, 8-11, 14-17, and 20-27 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
As per claims 1, 9 and 15, the phrase “a result of determining whether one of more datapoints in the first and second plurality of anomaly detection data are malicious” raises the question as to whether this determining is new or if its antecedent bases are the determining performed previously by the first and second execution engines.  If the results extend from the previous determining steps, then ‘the’ should precede “determining”.  This would clarify that the monitoring component essentially generates the alert based on the work performed by the engines.  Alternatively, if this is a new or different process of determining anomalies then it should be made clear of that fact.


Response to Arguments
The previous rejection of claims 1-3, 6, 8-11, 14-17, and 20-27 under this statute has been overcome by amendments.  However, the amendments introduce a new deficiency under 35 USC §112.
Applicant's arguments filed 8/11/22 have been fully considered but they are not persuasive.  Applicant alleges the newly incorporated features of the independent claims are not taught by the cited prior art.  Upon review of the cited art, the previously cited reference, Dasgupta, teaches a monitoring component [SCA 152] that is independent from the execution engines [DLA] and generates alerts (0052) to the users.  In view of the foregoing and as explained in more detail below, respectfully the rejection must be maintained.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 


Claims 1-3, 6, 8-11, 14-17 and 20-27 are rejected under 35 U.S.C. 103 as being unpatentable over To (US 20200136890 A1) in view of Dasgupta (US 20170279838 A1).

Regarding claim 1, To teaches a method to facilitate anomaly detection at a system, comprising:
obtaining a first plurality of performance metric messages at a database system; (To, in Para. [0044], discloses collecting MCC data (i.e. performance metric messages) which is data that describes the performance)
extracting a first plurality of anomaly detection data from the first plurality of performance metric messages; (To, in Para. [0044-0045], discloses parsing (i.e. extracting) MCC data (i.e. performance metric messages) to produce parsed data (i.e. anomaly detection messages) which is either anomalous or not)
obtaining a second plurality of performance metric messages at a database system; (To, in Para. [0043-0044], data/messages can be collected at various nodes through the network)
extracting a second plurality of anomaly detection data from the second plurality of performance metric messages; (To, in Para. [0044-0045], all of the collected MCC data is parsed)
distributing the first plurality of anomaly detection data to a first execution engine (ADF 106; 0044-45);
determining, by the first execution engine, whether one or more data points in the first plurality of anomaly detection data is anomalous by applying a machine learning model to the first plurality of anomaly detection data (To, in Para. [0044-0045], discloses feeding the parsed data (i.e. anomaly detection messages) into the Anomaly Detection Function (ADF) (i.e. machine learning model) which comprises a machine learning model, and the flagging the data points (i.e. anomaly detection messages as anomalous or normal).
To does not explicitly teach a (i) load balancer and (ii) distributing, by the load balancer, the second plurality of anomaly detection data to a second execution engine and (iii) determining, by the second execution engine, whether one or more data points in the second plurality of anomaly detection data is anomalous by applying a machine learning model to the second plurality of anomaly detection data and (iv) generating, by a monitoring component, one or more alerts according to a result of determining whether one or more datapoints in the first and second plurality of anomaly detection data are anomalous, the monitoring component operating independently from the first and second execution engines.  
To does however teach the system can be implemented in a node between the user equipment and an eNobeB as well as any point in the GSM network (0043).  While To does not explicitly teach there are multiple system 100’s in the network it at least possible because not all users would be using the same eNodeB. Regarding the claim, there are no conditions on the messages nor do they relate to each other.  The claim as written, collect a set of data and sends it to a first execution engine and collect other data that is sent to another execution engine.  In other words, the data is subject to going through multiple engines.  
Dasgupta teaches sending data to multiple anomaly detectors (nodes 504i) (0095) as a means to balance the load of machine learning when it can take advantage of the parallelization.  Dasgupta also teaches the supervisory and control agent (SCA) issues commands to the DLA’s instructed them to coordinate machine learning (0052 and 0134).  The SCA anticipates the claim’s monitoring component.  As taught in 0095, the DLA can further balance the load of the learning processing between nodes 504a..504i.    The results of the DLA are sent back to the SCA which then provides “information regarding a detected anomaly to a user interface (e.g., by providing a webpage to a display, etc.)”. The information sent to the user is mapped to the claim’s alert.  Thus, Dasgupta teaches the SCA operates independently from the actual learning devices as required by the claim.  To’s system would accommodate such features because the nodes independently collect their own messages for parsing.  Thus, the data could be driven to multiple ADF instances.  To already teaches sending alerts to network operates when anomalies are found (0044 and 0047).  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.  

Regarding claim 2, the combined system of To and Dasgupta teaches wherein storing the first plurality of anomaly detection data and second plurality of anomaly detection data (To, in Para. [0044], discloses storing the parsed data in data storage 114).
Regarding claim 3, To teaches generating a first request to process the first plurality of anomaly detection data; transmitting the first requests to the first execution engin (To, in Para. [0044], discloses an operator initiating (i.e. requesting) data collection from all of the nodes (i.e. plurality of machine instances), which is then submitted to ADF (i.e. process anomaly detection messages)).  The combination of To and Dasgupta would perform the same steps on the second plurality of anomaly detection data.
As per claim 6, the combined system of To and Dasgupta teaches the first plurality of anomaly detection data and the second plurality of anomaly detection data are processed in parallel by the first execution engine and second execution engine [Dasgupta: 0095).
Regarding claim 8, generating an incident alert upon detection of anomalous usage within the anomaly detection messages. (To, in Para. [0047], discloses alerting operators of the detected anomaly).
As per claims 9-11, these claims have limitations that are similar to those of claims 1-3, thus is rejected with the same rationale applied against claims 1-3.
As per claim 14, it is rejected for the same reasons as claim 6.
As per claims 15-17, these claims have limitations that are similar to those of claims 1-3, thus is rejected with the same rationale applied against claims 1-3.
As per claim 20, it is rejected for the same reasons as claim 6.
As per claim 21, the combined system of To and Dasgupta teaches a load balancer is configured to perform distribution of a plurality of sets of anomaly detection data (0095).
As per claims 22 and 26, the combined system of To and Dasgupta teaches storing the first plurality of anomaly detection data and the second plurality of anomaly detection data by a queueing system between the monitoring module and the execution engines includes the first and second execution engines.  Dasgupta teaches the traffic flows are sent to instance of 504 until 506 can handle the computations itself (0098).  The nature of how the data is sent to available resources constitutes a queueing system.  DLA is between the Device 504a..i and the SCA (see Fig. 7A).
As per claims 23 and 27, To teaches the first plurality of anomaly detection data and the second plurality of anomaly detection data comprising one or more of: request latency metrics or resource utilization percentage metrics (0034 and 0044).
As per claim 24, To teaches the first plurality of anomaly detection data and second plurality of anomaly detection data comprising metrics pertaining to requests received from a plurality of client devices (0034 and 0044), the client devices being associated with a plurality of tenants of a multi-tenant database system [To teaches the system if a cloud system hosting customers (users) of that network (0039).  To explicitly mentions auditing call logs in the database system of the network (0038)].
As per claim 25, To teaches the first plurality of anomaly detection data being associated with a first Point of Development (POD) of the database system and the second plurality of anomaly detection data being associated with a second POD of the database system [To teaches many facets to the anomalies, such as latency (0033), call records (0037) and resource usage (0039). BRI has been used to interpret this term as it not well defined in the specification and suggest it is similar to an instance machine.  To teaches multiple machines and categories of anomaly types.  All of the collected data is associated with the machine it originated from and the type of anomaly].

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Friday, 9:30am - 5:30pm, EST.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431