Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.	EXAMINER’S NOTE: The claims have been reviewed and considered under the new guidance pursuant to the 2019 Revised Patent Subject Matter Eligibility Guidance (PEG 2019) issued January 7, 2019.
3.	This communication is in response to Applicant’s claims filed on 06 August 2020. Claims 1-20 remain pending. 

Information Disclosure Statement
4.	The Information Disclosure Statement respectfully submitted on 06 August 2020 has been considered by the Examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Rao et al. (Pub No. 2022/0046046) in view of Liu (Pub No. 2010/0082513).
Referring to the rejection of claim 1, Rao et al. discloses a denial-of-service detection system, comprising: 
a plurality of storage systems; (See Rao et al., Figs. 1 and 5, i.e. collectors, item 106, data lake, item 130 are described as storage systems)
and a denial-of-service detection subsystem that is coupled to the plurality of storage systems via a network, wherein the denial-of-service detection subsystem is configured to: (See Rao et al., Fig. 1, i.e. distributed denial-of-service (DDoS) attack engine, item 155 is a subsystem of the analytics engine, item 110 for detecting denial-of-service attacks to a network)
receive, from a first storage system that is included in the plurality of storage systems, current first storage system data for each of a plurality of different storage system operating metrics; (See Rao et al., para. 28 and 36, i.e. receive, from a first storage system disclosed as the collectors, a plurality of different storage system operating metrics disclosed as CPU utilization or latency or the current network traffic for packets transmitted from different nodes within a certain period of time to identify the set of flows as anomalous or as an attack)
detect, based on a historical storage system data for each of the plurality of different storage system operating metrics that was previously received from the plurality of storage devices, an operating anomaly in the current first storage system data for at least one of the plurality of different storage system operating metrics; (See Rao et al., para. 36-37 and 44, i.e. an analytics engine analyzes the network traffic and corresponding data to detect when the network is under attack based upon the baseline of normal operation within a trusted period of time compared to the previous period of time. Another storage system operating metric for detecting attacks is CPU and memory utilization, wherein a machine learning technique can be used for dynamically updating models for identifying malicious traffic patterns)
identify, in response to detecting the operating anomaly in the current first storage system data for the at least one of the plurality of different storage system operating metrics. (See Rao et al., para. 38 and 44-46, i.e. identifying in response to detecting an anomaly wherein abnormal behavior has been classified when the data is different from the previous data)
However, Rao et al. fail to explicitly disclose a time-series similarity in a subset of respective time-series of the current first storage system data for each of the plurality of different storage system operating metrics for which the operating anomaly was detected.
Liu discloses a system and method for distributed denial of service identification and prevention.
Liu discloses a time-series similarity in a subset of respective time-series of the current first storage system data for each of the plurality of different storage system operating metrics for which the operating anomaly was detected; (See Liu, para. 37 and 43-45, i.e. data collection agents classify collected time-series data as discrete values (i.e. CPU usage equals high, medium, or low). The subset of time-series data is used to detect an anomaly based on known attack patterns wherein if memory usage is "high" and CPU usage is "medium high", this indicates a CPU attack is 60%, while if CPU usage is "high" and memory usage is "medium high", this indicates a CPU attack is 75% and may match a known attack pattern)
and perform, in response to identifying the time-series similarity in the subset of respective time-series of the current first storage system data for each of the plurality of different storage system operating metrics for which the operating anomaly was detected, a denial-of-service remediation action. (See Liu, para. 46-47, i.e. if it is determined that the observed behavior of the known attack pattern from the time-series data identifies an anomaly attack pattern as high, a remediation action is performed by alerting that the corresponding node’s resources should be throttled back, removed from the distributed resource pool and protected from the predicted attack in order to prevent an attack from the neighboring nodes in the distributed system)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date the claimed invention was made to combine Rao et al.’s system and method for detecting hidden vulnerabilities in enterprise networks modified with Liu’s system and method for distributed denial of service identification and prevention. Motivation for such an implementation would enable time-series data to be used for detecting that a DDoS attack is underway or imminent. (See Liu, para. 37-38)
Referring to the rejection of claims 2, 8, and 15, (Rao et al. modified with Liu) discloses wherein the denial-of-service detection subsystem is configured to: receive, from each of the plurality of storage systems prior to receiving the current first storage system data from the first storage system, the historical storage system data for each of the plurality of different storage system operating metrics; (See Rao et al., para. 28 and 43-44, i.e. receive, from a first storage system disclosed as the collectors, a plurality of different storage system operating metrics disclosed as CPU utilization or latency or memory utilization) and generate, using the historical storage system data, a multi-variate anomaly detection model, wherein the operating anomaly is detected in the current first storage system data for the at least one of the plurality of different storage system operating metrics using the multi-variate anomaly detection model. (See Rao et al., para. 34 and 36-38, i.e. generate, using the historical storage system data disclosed as the packets wherein the current network traffic for packets transmitted from different nodes within a certain period of time to identify the set of flows as anomalous or as an attack and detecting an anomaly wherein abnormal behavior has been classified when the data is different from the previous data)
Referring to the rejection of claims 3, 9, and 16, (Rao et al. modified with Liu) discloses wherein the multi-variate anomaly detection model is generated using a machine-learning algorithm that is included in the denial-of-service detection subsystem. (See Rao et al., para. 37 and 46, i.e. the DDoS attack engine uses machine learning to identify security threats to a network)
Referring to the rejection of claims 4, 10, and 17, (Rao et al. modified with Liu) discloses wherein the identifying the time-series similarity in the subset of respective time-series of the current first storage system data for each of the plurality of different storage system operating metrics for which the operating anomaly was detected includes: identifying at least one first storage system performance time-series similarity; and identifying at least one first storage system network time-series similarity. (See Liu, para. 37-39 and 70-71, i.e. the time-series of the storage system data comprising storage system performance metric disclosed as CPU utilization, disk utilization, memory utilization, I/O resource utilization, I/O ratio, network packet ratio, or state packet ratio and the storage system network metric is disclosed as fiber channel link or Ethernet packets)
The rationale for combining Rao et al. in view of Liu is the same as claim 1.
Referring to the rejection of claims 5, 11, and 18, (Rao et al. modified with Liu) discloses wherein the plurality of different storage system operating metrics include at least one storage system performance metric and at least one storage system network metric. (See Rao et al., para. 28, 30, 42 and 44, i.e. storage system performance metric is disclosed as CPU utilization or latency and the storage system network metric is disclosed as bandwidth and number of packets or packet loss)
Referring to the rejection of claims 6, 12, and 19, (Rao et al. modified with Liu) discloses wherein the detecting the operating anomaly in the current first storage system data for the at least one of the plurality of different storage system operating metrics includes detecting that the current first storage system data is outside of a threshold storage system operating metric region. (See Liu, para. 37 and 58, i.e. data collection agents report an event in response to detecting a threshold value or a threshold rate of change (e.g., a sudden change, CPU usage from “medium high” to “high”) by sending messages to an information layer)
The rationale for combining Rao et al. in view of Liu is the same as claim 1.
Referring to the rejection of claim 7, (Rao et al. modified with Liu) discloses an Information Handling System (IHS), comprising: 
a processing system; (See Rao et al., Fig. 5A, i.e. a computing system comprises a processing unit (CPU or processor, item 510))
and a memory system that is coupled to the processing system and that includes instructions that, when executed by the processing system, cause the processing system to provide a denial-of-service detection engine that is configured to: (See Rao et al., Fig. 5, i.e. a system memory, item 515 is coupled to the processing unit, item 510 via a system bus, item 505)
receive, from a first storage system that is included in a plurality of storage systems, current first storage system data for each of a plurality of different storage system operating metrics; (See Rao et al., para. 28 and 36, i.e. receive, from a first storage system disclosed as the collectors, a plurality of different storage system operating metrics disclosed as CPU utilization or latency or the current network traffic for packets transmitted from different nodes within a certain period of time to identify the set of flows as anomalous or as an attack)
detect, based on a historical storage system data for each of the plurality of different storage system operating metrics that was previously received from the plurality of storage devices, an operating anomaly in the current first storage system data for at least one of the plurality of different storage system operating metrics; (See Rao et al., para. 36-37 and 44, i.e. an analytics engine analyzes the network traffic and corresponding data to detect when the network is under attack based upon the baseline of normal operation within a trusted period of time compared to the previous period of time. Another storage system operating metric for detecting attacks is CPU and memory utilization, wherein a machine learning technique can be used for dynamically updating models for identifying malicious traffic patterns)
identify, in response to detecting the operating anomaly in the current first storage system data for the at least one of the plurality of different storage system operating metrics. (See Rao et al., para. 38 and 44-46, i.e. identifying in response to detecting an anomaly wherein abnormal behavior has been classified when the data is different from the previous data)
However, Rao et al. fail to explicitly disclose a time-series similarity in a subset of respective time-series of the current first storage system data for each of the plurality of different storage system operating metrics for which the operating anomaly was detected.
Liu discloses a system and method for distributed denial of service identification and prevention.
Liu discloses a time-series similarity in a subset of respective time-series of the current first storage system data for each of the plurality of different storage system operating metrics for which the operating anomaly was detected; (See Liu, para. 37 and 43-45, i.e. data collection agents classify collected time-series data as discrete values (i.e. CPU usage equals high, medium, or low). The subset of time-series data is used to detect an anomaly based on known attack patterns wherein if memory usage is "high" and CPU usage is "medium high", this indicates a CPU attack is 60%, while if CPU usage is "high" and memory usage is "medium high", this indicates a CPU attack is 75% and may match a known attack pattern)
and perform, in response to identifying the time-series similarity in the subset of respective time-series of the current first storage system data for each of the plurality of different storage system operating metrics for which the operating anomaly was detected, a denial-of-service remediation action. (See Liu, para. 46-47, i.e. if it is determined that the observed behavior of the known attack pattern from the time-series data identifies an anomaly attack pattern as high, a remediation action is performed by alerting that the corresponding node’s resources should be throttled back, removed from the distributed resource pool and protected from the predicted attack in order to prevent an attack from the neighboring nodes in the distributed system)
The rationale for combining Rao et al. in view of Liu is the same as claim 1.
Referring to the rejection of claims 13 and 20, (Rao et al. modified with Liu) discloses wherein the detecting the operating anomaly in the current first storage system data for the at least one of the plurality of different storage system operating metrics includes: detecting the operating anomaly in the current first storage system data for each of the plurality of different storage system operating metrics. (See Rao et al., para. 36-38, i.e. the analytics engine used to identify observations which differ from the current wherein a supervised anomaly technique can be applied to labeling normal and abnormal behavior within the period of time for CPU usage)
Referring to the rejection of claim 14, (Rao et al. modified with Liu) discloses a method for detecting denial-of-service situations, comprising: 
receiving, by a denial-of-service subsystem from a first storage system that is included in a plurality of storage systems, current first storage system data for each of a plurality of different storage system operating metrics; (See Rao et al., para. 28 and 36, i.e. receive, from a first storage system disclosed as the collectors, a plurality of different storage system operating metrics disclosed as CPU utilization or latency or the current network traffic for packets transmitted from different nodes within a certain period of time to identify the set of flows as anomalous or as an attack)
detecting, by the denial-of-service subsystem based on a historical storage system data for each of the plurality of different storage system operating metrics that was previously received from the plurality of storage devices, an operating anomaly in the current first storage system data for at least one of the plurality of different storage system operating metrics; (See Rao et al., para. 36-37 and 44, i.e. an analytics engine analyzes the network traffic and corresponding data to detect when the network is under attack based upon the baseline of normal operation within a trusted period of time compared to the previous period of time. Another storage system operating metric for detecting attacks is CPU and memory utilization, wherein a machine learning technique can be used for dynamically updating models for identifying malicious traffic patterns)
identifying, by the denial-of-service subsystem in response to detecting the operating anomaly in the current first storage system data for the at least one of the plurality of different storage system operating metrics. (See Rao et al., para. 38 and 44-46, i.e. identifying in response to detecting an anomaly wherein abnormal behavior has been classified when the data is different from the previous data)
However, Rao et al. fail to explicitly disclose a time-series similarity in a subset of respective time-series of the current first storage system data for each of the plurality of different storage system operating metrics for which the operating anomaly was detected.
Liu discloses a system and method for distributed denial of service identification and prevention.
Liu discloses a time-series similarity in a subset of respective time-series of the current first storage system data for each of the plurality of different storage system operating metrics for which the operating anomaly was detected; (See Liu, para. 37 and 43-45, i.e. data collection agents classify collected time-series data as discrete values (i.e. CPU usage equals high, medium, or low). The subset of time-series data is used to detect an anomaly based on known attack patterns wherein if memory usage is "high" and CPU usage is "medium high", this indicates a CPU attack is 60%, while if CPU usage is "high" and memory usage is "medium high", this indicates a CPU attack is 75% and may match a known attack pattern)
and performing, by the denial-of-service subsystem in response to identifying the time-series similarity in the subset of respective time-series of the current first storage system data for each of the plurality of different storage system operating metrics for which the operating anomaly was detected, a denial-of-service remediation action. (See Liu, para. 46-47, i.e. if it is determined that the observed behavior of the known attack pattern from the time-series data identifies an anomaly attack pattern as high, a remediation action is performed by alerting that the corresponding node’s resources should be throttled back, removed from the distributed resource pool and protected from the predicted attack in order to prevent an attack from the neighboring nodes in the distributed system)
The rationale for combining Rao et al. in view of Liu is the same as claim 1.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY D FIELDS whose telephone number is (571)272-3871. The examiner can normally be reached IFP M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/COURTNEY D FIELDS/Examiner, Art Unit 2436
July 27, 2022

/KENDALL DOLLY/Primary Examiner, Art Unit 2436