DETAILED ACTION
Claims 1-20 are pending.  Claims 1, 19, and 20 are in independent form.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-6, 8-14, 16-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 

Step 1
Claims 1-18 recite a method that includes specific steps.  Thus, these claims are directed to a method, which is one of the statutory categories of invention.  Claim 19 recites a computer system including a processor.  Thus, these claims are directed to a system, which is one of the statutory categories of invention.  Claim 20 recites a non-transitory computer readable storage medium on which is stored a computer program that includes specific steps.  Thus, this claim is directed to a machine, which is one of the statutory categories of invention.
Next, the claims are evaluated to determine whether the claims recite a judicial exception.  

Step 2A Prong 1
Claim 1, representative claim for claims 19-20, recites:
A method, comprising: 
receiving via an information technology service management system, a specification of an information technology change;
5analyzing the specification of the information technology change to determine features of the information technology change;
analyzing machine-generated data to identify a phenomena detected in the machine- generated data; and
providing to a machine learning model the features of the information technology change 10and features of the detected phenomena in the machine-generated data to determine a correlation between the information technology change and the detected phenomena in the machine- generated data.

The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 2 recites:
further comprising performing a responsive action in response to the correlation.
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 3 recites:
wherein performing the responsive action includes automatically generating a service request ticket to resolve the detected phenomena.
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 4 recites:
wherein the determined correlation includes a correlation score value identifying a likelihood the information technology change is a cause of the detected phenomena.
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 5 recites:
wherein the determined correlation includes an identification that the information technology change matches the detected phenomena among a plurality of information technology change candidates. 
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 6 recites:
wherein the determined correlation includes a measure of confidence, and it is determined that the information technology change matches the detected 25phenomena based at least in part on a determination that the measure of confidence meets a threshold.
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 8 recites:
wherein the specification of the information technology change is associated with a change request submitted to the information technology service management system.  
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 9 recites:
wherein the specification of the information technology change identifies a change to a software component or a hardware component of an information technology infrastructure.  
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 10 recites:
wherein analyzing the specification of the information technology change includes extracting one or more identifiers from the specification of the information technology change.
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 11 recites:
wherein the features include identifiers associated with one or more of the following: 
a reason for the information technology change, a priority of the information technology change, a risk level or risk type of the information technology change, a change type of the information technology change, an information technology item to be changed, a requestor of the information technology change, end user(s) affected, a target hardware of the information technology change, a target software of the information technology change, a target network of the information technology change, a category of the information technology change, or a time of the information technology change.
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 12 recites:
wherein analyzing the specification of the information technology change includes identifying a configuration item of a configuration management database (CMDB) associated with the information technology change and obtaining one or more identifiers from the configuration item of the CMDB.
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 13 recites:
wherein the features of the information technology change are stored in an entry of a data structure that includes entries associated with a plurality of different information technology changes.  
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 14 recites:
wherein the machine-generated data includes log entries.  
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 16 recites:
wherein the detected phenomena is one or more of the following: an anomaly, an error, a new trend, a cessation of an identified behavior, or a change in a previously identified trend.
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 17 recites:
wherein the features of the detected phenomena include one or more identifiers associated with one or more of the following: 
a type or classification of the phenomena, an identification or content of one or more log entries associated with the phenomena, metadata information of the phenomena, identifying information of a network, or a hardware or a software that generated the log entries associated with the phenomena.  
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Claim 18 recites:
wherein the features of the detected phenomena include one or more identifiers obtained using a configuration management database.  
The examiner submits that foregoing underlined limitations comprise a mental process because this subject matter can be completed by a person with merely the aid of a pen and paper.

Next, the claims are evaluated to determine whether the claim as a whole integrates the abstract idea into a practical application of the exception.  

Step 2A Prong 2
The claims includes the following additional limitations: “one or more processors”, “A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium”, “a memory”, “receiving via an information technology service management system, a specification of an information technology change”, “wherein the specification of the information technology change is associated with a change request submitted to the information technology service management system”, “wherein the specification of the information technology change identifies a change to a software component or a hardware component of an information technology infrastructure”, “wherein the features include identifiers associated with one or more of the following: a reason for the information technology change, a priority of the information technology change, a risk level or risk type of the information technology change, a change type of the information technology change, an information technology item to be changed, a requestor of the information technology change, end user(s) affected, a target hardware of the information technology change, a target software of the information technology change, a target network of the information technology change, a category of the information technology change, or a time of the information technology change”, “wherein the features of the information technology change are stored in an entry of a data structure that includes entries associated with a plurality of different information technology changes”, “wherein the machine-generated data includes log entries”, “wherein the features of the detected phenomena include one or more identifiers associated with one or more of the following: a type or classification of the phenomena, an identification or content of one or more log entries associated with the phenomena, metadata information of the phenomena, identifying information of a network, or a hardware or a software that generated the log entries associated with the phenomena”, and “wherein the features of the detected phenomena include one or more identifiers obtained using a configuration management database”.

Regarding “one or more processors”, “A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium”, and “a memory” the examiner submits that these additional limitations are referencing generic computer components and merely includes instructions to implement the abstract idea on a computer, or merely uses a computer as a tool to perform the abstract idea.  
Regarding “receiving via an information technology service management system, a specification of an information technology change”, the examiner submits that this additional limitation could simply refer to as merely storing or retrieving data information in memory.  Therefore, in support of this conclusion, see MPEP 2106.05(d)(II) which states that courts have recognized storing and retrieving information in memory are claimed in a merely generic manner (e.g., at a high level of generality) or as insignificant extra-solution activity.
Regarding “wherein the specification of the information technology change is associated with a change request submitted to the information technology service management system”, “wherein the specification of the information technology change identifies a change to a software component or a hardware component of an information technology infrastructure”, “wherein the features include identifiers associated with one or more of the following: a reason for the information technology change, a priority of the information technology change, a risk level or risk type of the information technology change, a change type of the information technology change, an information technology item to be changed, a requestor of the information technology change, end user(s) affected, a target hardware of the information technology change, a target software of the information technology change, a target network of the information technology change, a category of the information technology change, or a time of the information technology change”, “wherein the features of the information technology change are stored in an entry of a data structure that includes entries associated with a plurality of different information technology changes”, “wherein the machine-generated data includes log entries”, “wherein the features of the detected phenomena include one or more identifiers associated with one or more of the following: a type or classification of the phenomena, an identification or content of one or more log entries associated with the phenomena, metadata information of the phenomena, identifying information of a network, or a hardware or a software that generated the log entries associated with the phenomena”, and “wherein the features of the detected phenomena include one or more identifiers obtained using a configuration management database”, the examiner submits that these additional limitations is merely further specifying the type of data that is merely being retrieved from memory.  Therefore, in support of this conclusion, see MPEP 2106.05(d)(II) which states that courts have recognized storing and retrieving information in memory are claimed in a merely generic manner (e.g., at a high level of generality) or as insignificant extra-solution activity.

Thus, taken alone, the additional elements do not integrate the abstract idea into a practical application of the exception.  
Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually.  For example, there is no indication that the combination of elements improves the functioning of a computer or improves any other technology.
Next, the claims as a whole are analyzed to determine whether any element, or combination of elements, is sufficient to ensure that the claims amount to significantly more than the exception.  

Step 2B
Regarding “one or more processors”, “A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium”, and “a memory” the examiner submits that these additional limitations are referencing generic computer components and merely includes instructions to implement the abstract idea on a computer, or merely uses a computer as a tool to perform the abstract idea.  
Regarding “receiving via an information technology service management system, a specification of an information technology change”, the examiner submits that this additional limitation could simply refer to as merely storing or retrieving data information in memory.  Therefore, in support of this conclusion, see MPEP 2106.05(d)(II) which states that courts have recognized storing and retrieving information in memory are claimed in a merely generic manner (e.g., at a high level of generality) or as insignificant extra-solution activity.
Regarding “wherein the specification of the information technology change is associated with a change request submitted to the information technology service management system”, “wherein the specification of the information technology change identifies a change to a software component or a hardware component of an information technology infrastructure”, “wherein the features include identifiers associated with one or more of the following: a reason for the information technology change, a priority of the information technology change, a risk level or risk type of the information technology change, a change type of the information technology change, an information technology item to be changed, a requestor of the information technology change, end user(s) affected, a target hardware of the information technology change, a target software of the information technology change, a target network of the information technology change, a category of the information technology change, or a time of the information technology change”, “wherein the features of the information technology change are stored in an entry of a data structure that includes entries associated with a plurality of different information technology changes”, “wherein the machine-generated data includes log entries”, “wherein the features of the detected phenomena include one or more identifiers associated with one or more of the following: a type or classification of the phenomena, an identification or content of one or more log entries associated with the phenomena, metadata information of the phenomena, identifying information of a network, or a hardware or a software that generated the log entries associated with the phenomena”, and “wherein the features of the detected phenomena include one or more identifiers obtained using a configuration management database”, the examiner submits that these additional limitations is merely further specifying the type of data that is merely being retrieved from memory.  Therefore, in support of this conclusion, see MPEP 2106.05(d)(II) which states that courts have recognized storing and retrieving information in memory are claimed in a merely generic manner (e.g., at a high level of generality) or as insignificant extra-solution activity.
Thus, taken alone, the additional elements do not amount to significantly more than the exception.  
Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually.  For example, there is no indication that the combination of elements improves the functioning of a computer or improves any other technology.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-7, 9, 11, 13, 15-17, and 19-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by U.S. Publication No. 2020/0314128 to Hild (“Hild”).

Regarding claim 1, Hild discloses:
A method, comprising: 
receiving via an information technology service management system, a specification of an information technology change (Hild: Paragraph [0050], “In block 404 of process 400, the processing device 106 can provide network information as input to one or more machine-learning models to receive as output from the one or more machine-learning models an indication of whether an anomaly occurred in the network. More specifically, the processing device 106 can instruct the model application module 124 of the anomaly detection engine 121 to apply the machine-learning model 150 to the network information 152. The SDN controller 158 may receive network information from NBIs of the virtual layer and CDPIs of the physical layer. This network information may be provided to the receiving module 122. In some aspects, additional network information in the form of network topology 154 and correlations 156 may be provided to the receiving module 122. This information may indicate expected network topology, statistics, such as rates of change of network components, and relationships between network components. The network information may be provided as input to the machine-learning model 150”);
5analyzing the specification of the information technology change to determine features of the information technology change (Hild: Paragraph [0052], “In block 408 of process 400, the processing device 106 can determine a change between at least two of the network configurations in the configuration-change behavior structure. More specifically, the processing device 106 can instruct the model application module 124 of the anomaly detection engine 121 to compare like or similar network configurations within the configuration-change behavior structure to determine whether or not a change in configuration has occurred between two configurations. For example, if two network configurations indicate the presence of a different number of IP addresses in an IP address pool or the deletion of network interfaces, a change is detected. Changes may be small or significant. All identified changes may be placed in an updated configuration-change behavior structure in preparation for classification”);
analyzing machine-generated data to identify a phenomena detected in the machine- generated data (Hild: Paragraph [0053], “In block 410 of process 400, the processing device 106 can determine whether the anomaly occurred in the network based on the change. More specifically, the processing device 106 can instruct the model application module 124 of anomaly detection engine 121 to compare the determined changes, e.g., the contents of the updated configuration-change behavior structure, to expected network to ploy and/or correlations information in order to determine whether the behavior is anomalous. The network topology information may include an expected or default network configuration along with network statistics, such as a frequency of change or rate of change of network configurations. If the determined changes occur outside of the expected frequency, then the changes are anomalous. Similarly, the correlations may indicate configuration changes that typically occur together, in parallel, or within a set time period of one another. If these events do not occur as expected, an associated change is anomalous. In some aspects the expected value may be a threshold to which the change is compared. IF the change meets the predefined threshold then the behavior is anomalous”; and Paragraph [0054], “In block 412 of process 400, the processing device 106 can generate an output indicating that one or more of the network configuration changes included in the configuration-change behavior structure are anomalous, in response to the one or more machine-learning models indicating that the anomaly occurred”); and
providing to a machine learning model the features of the information technology change 10and features of the detected phenomena in the machine-generated data to determine a correlation between the information technology change and the detected phenomena in the machine- generated data (Hild: Paragraph [0053], “In block 410 of process 400, the processing device 106 can determine whether the anomaly occurred in the network based on the change. More specifically, the processing device 106 can instruct the model application module 124 of anomaly detection engine 121 to compare the determined changes, e.g., the contents of the updated configuration-change behavior structure, to expected network to ploy and/or correlations information in order to determine whether the behavior is anomalous. The network topology information may include an expected or default network configuration along with network statistics, such as a frequency of change or rate of change of network configurations. If the determined changes occur outside of the expected frequency, then the changes are anomalous. Similarly, the correlations may indicate configuration changes that typically occur together, in parallel, or within a set time period of one another. If these events do not occur as expected, an associated change is anomalous. In some aspects the expected value may be a threshold to which the change is compared. IF the change meets the predefined threshold then the behavior is anomalous”; and Paragraph [0054], “In block 412 of process 400, the processing device 106 can generate an output indicating that one or more of the network configuration changes included in the configuration-change behavior structure are anomalous, in response to the one or more machine-learning models indicating that the anomaly occurred”; and Paragraph [0054], “In block 412 of process 400, the processing device 106 can generate an output indicating that one or more of the network configuration changes included in the configuration-change behavior structure are anomalous, in response to the one or more machine-learning models indicating that the anomaly occurred”).

Regarding claim 2, Hild discloses all of the elements of claim 1 and further discloses:
performing a responsive action in response to the correlation (Hild: Paragraph [0054], “More specifically, the processing device 106 can instruct the indicator generation module 126 of the anomaly detection engine 121 to generate an alert that may be displayed or transmitted to an SDN administrator. The alert may provide information about the machine-learning model's level of cherty that the change is anomalous, the location within the SDN network in which the change occurred, the time of the change, and any impacted network components”).

Regarding claim 3, Hild discloses all of the elements of claim 2 and further discloses:
wherein performing the responsive action includes automatically generating a service request ticket to resolve the detected phenomena (Hild: Paragraph [0054], “More specifically, the processing device 106 can instruct the indicator generation module 126 of the anomaly detection engine 121 to generate an alert that may be displayed or transmitted to an SDN administrator. The alert may provide information about the machine-learning model's level of cherty that the change is anomalous, the location within the SDN network in which the change occurred, the time of the change, and any impacted network components”).

Regarding claim 4, Hild discloses all of the elements of claim 1 and further discloses:
wherein the determined correlation includes a correlation score value identifying a likelihood the information technology change is a cause of the detected phenomena (Hild: paragraph [0014], “In some examples, the computing device can generate an indicator (e.g., alert) upon detecting anomalous network activity. The indicator can be provided to a network administrator and may include the time of the anomaly occurrence, the portion of the network in which the anomaly occurred, and any impacted components of the network. In some aspects, the indicator may further include a level of certainty the machine-learning model has in its determination that the identified change is anomalous. An administrator may use the indicator to further assess the identified change and determine an appropriate course of action”).  

Regarding claim 5, Hild discloses all of the elements of claim 1 and further discloses:
wherein the determined correlation includes an identification that the information technology change matches the detected phenomena among a plurality of information technology change candidates (Hild: Paragraph [0053], “In block 410 of process 400, the processing device 106 can determine whether the anomaly occurred in the network based on the change. More specifically, the processing device 106 can instruct the model application module 124 of anomaly detection engine 121 to compare the determined changes, e.g., the contents of the updated configuration-change behavior structure, to expected network to ploy and/or correlations information in order to determine whether the behavior is anomalous. The network topology information may include an expected or default network configuration along with network statistics, such as a frequency of change or rate of change of network configurations. If the determined changes occur outside of the expected frequency, then the changes are anomalous. Similarly, the correlations may indicate configuration changes that typically occur together, in parallel, or within a set time period of one another. If these events do not occur as expected, an associated change is anomalous. In some aspects the expected value may be a threshold to which the change is compared. IF the change meets the predefined threshold then the behavior is anomalous”; and Paragraph [0054], “In block 412 of process 400, the processing device 106 can generate an output indicating that one or more of the network configuration changes included in the configuration-change behavior structure are anomalous, in response to the one or more machine-learning models indicating that the anomaly occurred”).

Regarding claim 6, Hild discloses all of the elements of claim 1 and further discloses:
wherein the determined correlation includes a measure of confidence (Hild: Parargaph [0026], “the machine-learning model 150 can also calculate or otherwise determine a level of certainty associated with the classification. Network configuration changes that are new to the machine-learning model may have a lesser degree of certainty associated with their classification. A percentage (e.g., 94.3%) may be assigned to indicate the level of certainty associated with the classification of a change”), and it is determined that the information technology change matches the detected 25phenomena based at least in part on a determination that the measure of confidence meets a threshold (Hild: Paragraph [0053], “In block 410 of process 400, the processing device 106 can determine whether the anomaly occurred in the network based on the change. More specifically, the processing device 106 can instruct the model application module 124 of anomaly detection engine 121 to compare the determined changes, e.g., the contents of the updated configuration-change behavior structure, to expected network to ploy and/or correlations information in order to determine whether the behavior is anomalous. The network topology information may include an expected or default network configuration along with network statistics, such as a frequency of change or rate of change of network configurations. If the determined changes occur outside of the expected frequency, then the changes are anomalous. Similarly, the correlations may indicate configuration changes that typically occur together, in parallel, or within a set time period of one another. If these events do not occur as expected, an associated change is anomalous. In some aspects the expected value may be a threshold to which the change is compared. IF the change meets the predefined threshold then the behavior is anomalous”).

Regarding claim 7, Hild discloses all of the elements of claim 1 and further discloses:
wherein the machine learning model is retrained based on a received feedback associated with the correlation (Hild: Paragraph [0016], “. Because the machine-learning model can be repeatedly retrained, the machine-learning model can become “smarter” over time to address newer or more sophisticated attacks. And because the machine-learning model does not require actual knowledge of current attack vectors, no external data (e.g., data that is external to the system, such as whitelists or blacklists) is required. Likewise, packet payloads do not require analysis. Instead, the machine-learning model can rely on normal configuration-change behavior of its own network to identify discrepancies and thereby provide anomaly detection that is efficient and evolving”).

Regarding claim 9, Hild discloses all of the elements of claim 1 and further discloses:
wherein the specification of the information technology change identifies a change to a software component or a hardware component of an information technology infrastructure (Hild: Paragraph [0050], “The SDN controller 158 may receive network information from NBIs of the virtual layer and CDPIs of the physical layer. This network information may be provided to the receiving module 122. In some aspects, additional network information in the form of network topology 154 and correlations 156 may be provided to the receiving module 122. This information may indicate expected network topology, statistics, such as rates of change of network components, and relationships between network components. The network information may be provided as input to the machine-learning model 150”).

Regarding claim 11, Hild discloses all of the elements of claim 1 and further discloses:
wherein the features include identifiers associated with one or more of the following: 
a reason for the information technology change, a priority of the information technology change, a risk level or risk type of the information technology change, a change type of the information technology change, an information technology item to be changed, a requestor of the information technology change, end user(s) affected, a target hardware of the information technology change (Hild: Paragraph [0043], “Changes to a component of one layer of the SDN network 230 may be communicated or propagated to other layers via various interfaces. As network assets are added or removed from the SDN network 230, new layer interfaces and datapaths will be created, and old ones removed. These changes may be analyzed by a machine-learning model 150 to detect whether the change is anomalous. For example, the unexpected generation of unexpected interfaces between an SDN application and the SDN controller 158 may be anomalous. If the machine-learning model 150 determines that this change is both anomalous and malicious, the interface may be quarantined to prevent the flow of network requests between the SDN application and the SDN controller 159”), a target software of the information technology change, a target network of the information technology change, a category of the information technology change, or a time of the information technology change.

Regarding claim 13, Hild discloses all of the elements of claim 1 and further discloses:
wherein the features of the information technology change are stored in an entry of a data structure that includes entries associated with a plurality of different information technology changes (Hild: Paragraph [0047], “The machine-learning model 150 can receive the network information 152 and generate a configuration-change behavior structure 306 based on the network information 152. A configuration-change behavior structure 306 can be a vector, matrix, list, or other data structure indicating (e.g., containing, describing, or quantifying) one or more network-configuration versions for one or more network components. Next, the machine-learning model 150 can determine a determine a change 308 between at least two of the network configurations in the configuration-change behavior structure 306, and determine whether an anomaly occurred in the network 130 based on the change 308. The machine-learning model 150 can then output an indication 310 of whether or not an anomaly occurred in the network 130. The processing device 106 can receive the indication 310 and responsively generate an output 312 (e.g., to an administrator of the network 130). The output 312 can indicate that one or more of the network configuration changes included in the configuration-change behavior structure 306 are anomalous”).

Regarding claim 15, Hild discloses all of the elements of claim 1 and further discloses:
wherein analyzing the machine-generated data to identify the phenomena detected in the machine-generated data includes using a supervised machine learning Attorney Docket No. SERVPO1626classifier to classify at least a portion of the machine-generated data as a specific type of the phenomena (Hild: Paragraph [0047], “In some examples, the processing device 106 can detect an anomaly within a network 130 by applying a machine-learning model 150 to network information 152 describing current network configurations. The machine-learning model 150 can receive the network information 152 and generate a configuration-change behavior structure 306 based on the network information 152. A configuration-change behavior structure 306 can be a vector, matrix, list, or other data structure indicating (e.g., containing, describing, or quantifying) one or more network-configuration versions for one or more network components. Next, the machine-learning model 150 can determine a determine a change 308 between at least two of the network configurations in the configuration-change behavior structure 306, and determine whether an anomaly occurred in the network 130 based on the change 308”).

Regarding claim 16, Hild discloses all of the elements of claim 1 and further discloses:
wherein the detected phenomena is one or more of the following: 
an anomaly (Hild: Paragraph [0047], “In some examples, the processing device 106 can detect an anomaly within a network 130 by applying a machine-learning model 150 to network information 152 describing current network configurations. The machine-learning model 150 can receive the network information 152 and generate a configuration-change behavior structure 306 based on the network information 152. A configuration-change behavior structure 306 can be a vector, matrix, list, or other data structure indicating (e.g., containing, describing, or quantifying) one or more network-configuration versions for one or more network components. Next, the machine-learning model 150 can determine a determine a change 308 between at least two of the network configurations in the configuration-change behavior structure 306, and determine whether an anomaly occurred in the network 130 based on the change 308”), an error, a new trend, a cessation of an identified behavior, or a change in a previously identified trend.  

Regarding claim 17, Hild discloses all of the elements of claim 1 and further discloses:
wherein the features of the detected phenomena include one or more identifiers associated with one or more of the following: 
a type or classification of the phenomena, an identification or content of one or more log entries associated with the phenomena, metadata information of the phenomena, identifying information of a network (Hild: Paragraph [0047], “A configuration-change behavior structure 306 can be a vector, matrix, list, or other data structure indicating (e.g., containing, describing, or quantifying) one or more network-configuration versions for one or more network components”), or a hardware or a software that generated the log entries associated with the phenomena.  

Regarding claim 19, Hild discloses:
A system, comprising: 
one or more processors (Hild: Paragraph [0045], “the system 300 includes a processing device 106 communicatively coupled with a memory device 304. In some examples, the processing device 106 and the memory device 304 can be part of a computing device, such as computing devices 104. The processing device 106 can include one processing device or multiple processing devices. Non-limiting examples of the processing device 106 include a Field-Programmable Gate Array (FPGA), an application-specific integrated circuit (ASIC), a microprocessor, etc. The processing device 106 can execute instructions 322 stored in the memory device 304 to perform operations”) configured to: 
is receive via an information technology service management system, a specification of an information technology change (Hild: Paragraph [0050], “In block 404 of process 400, the processing device 106 can provide network information as input to one or more machine-learning models to receive as output from the one or more machine-learning models an indication of whether an anomaly occurred in the network. More specifically, the processing device 106 can instruct the model application module 124 of the anomaly detection engine 121 to apply the machine-learning model 150 to the network information 152. The SDN controller 158 may receive network information from NBIs of the virtual layer and CDPIs of the physical layer. This network information may be provided to the receiving module 122. In some aspects, additional network information in the form of network topology 154 and correlations 156 may be provided to the receiving module 122. This information may indicate expected network topology, statistics, such as rates of change of network components, and relationships between network components. The network information may be provided as input to the machine-learning model 150”); 
analyze the specification of the information technology change to determine features of the information technology change (Hild: Paragraph [0052], “In block 408 of process 400, the processing device 106 can determine a change between at least two of the network configurations in the configuration-change behavior structure. More specifically, the processing device 106 can instruct the model application module 124 of the anomaly detection engine 121 to compare like or similar network configurations within the configuration-change behavior structure to determine whether or not a change in configuration has occurred between two configurations. For example, if two network configurations indicate the presence of a different number of IP addresses in an IP address pool or the deletion of network interfaces, a change is detected. Changes may be small or significant. All identified changes may be placed in an updated configuration-change behavior structure in preparation for classification”); 
analyze machine-generated data to identify a phenomena detected in the machine-generated data (Hild: Paragraph [0053], “In block 410 of process 400, the processing device 106 can determine whether the anomaly occurred in the network based on the change. More specifically, the processing device 106 can instruct the model application module 124 of anomaly detection engine 121 to compare the determined changes, e.g., the contents of the updated configuration-change behavior structure, to expected network to ploy and/or correlations information in order to determine whether the behavior is anomalous. The network topology information may include an expected or default network configuration along with network statistics, such as a frequency of change or rate of change of network configurations. If the determined changes occur outside of the expected frequency, then the changes are anomalous. Similarly, the correlations may indicate configuration changes that typically occur together, in parallel, or within a set time period of one another. If these events do not occur as expected, an associated change is anomalous. In some aspects the expected value may be a threshold to which the change is compared. IF the change meets the predefined threshold then the behavior is anomalous”; and Paragraph [0054], “In block 412 of process 400, the processing device 106 can generate an output indicating that one or more of the network configuration changes included in the configuration-change behavior structure are anomalous, in response to the one or more machine-learning models indicating that the anomaly occurred”); and 
provide to a machine learning model the features of the information technology change and features of the detected phenomena in the machine-generated data to determine a correlation between the information technology change and the detected phenomena in the machine-generated data (Hild: Paragraph [0053], “In block 410 of process 400, the processing device 106 can determine whether the anomaly occurred in the network based on the change. More specifically, the processing device 106 can instruct the model application module 124 of anomaly detection engine 121 to compare the determined changes, e.g., the contents of the updated configuration-change behavior structure, to expected network to ploy and/or correlations information in order to determine whether the behavior is anomalous. The network topology information may include an expected or default network configuration along with network statistics, such as a frequency of change or rate of change of network configurations. If the determined changes occur outside of the expected frequency, then the changes are anomalous. Similarly, the correlations may indicate configuration changes that typically occur together, in parallel, or within a set time period of one another. If these events do not occur as expected, an associated change is anomalous. In some aspects the expected value may be a threshold to which the change is compared. IF the change meets the predefined threshold then the behavior is anomalous”; and Paragraph [0054], “In block 412 of process 400, the processing device 106 can generate an output indicating that one or more of the network configuration changes included in the configuration-change behavior structure are anomalous, in response to the one or more machine-learning models indicating that the anomaly occurred”; and Paragraph [0054], “In block 412 of process 400, the processing device 106 can generate an output indicating that one or more of the network configuration changes included in the configuration-change behavior structure are anomalous, in response to the one or more machine-learning models indicating that the anomaly occurred”); and 
a memory coupled to at least one of the one or more processors and configured to provide the at least one of the one or more processors with instructions (Hild: Paragraph [0045], “the system 300 includes a processing device 106 communicatively coupled with a memory device 304. In some examples, the processing device 106 and the memory device 304 can be part of a computing device, such as computing devices 104. The processing device 106 can include one processing device or multiple processing devices. Non-limiting examples of the processing device 106 include a Field-Programmable Gate Array (FPGA), an application-specific integrated circuit (ASIC), a microprocessor, etc. The processing device 106 can execute instructions 322 stored in the memory device 304 to perform operations”).

Regarding claim 20, Hild discloses:
A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium (Hild: Paragraph [0019], “The computing device 104 includes a non-transitory computer readable medium 120 with software applications and software code, such as an anomaly detection engine 121, software modules 122-126, and an SDN controller 158. Each of these is described in greater detail below. The computing device 104 may be a dedicated device or computer having a combination of computer hardware and software (fixed in capability or programmable) specifically designed for executing a specialized function”) and comprising computer instructions for: 
Attorney Docket No. SERVPO1627receiving via an information technology service management system, a specification of an information technology change (Hild: Paragraph [0050], “In block 404 of process 400, the processing device 106 can provide network information as input to one or more machine-learning models to receive as output from the one or more machine-learning models an indication of whether an anomaly occurred in the network. More specifically, the processing device 106 can instruct the model application module 124 of the anomaly detection engine 121 to apply the machine-learning model 150 to the network information 152. The SDN controller 158 may receive network information from NBIs of the virtual layer and CDPIs of the physical layer. This network information may be provided to the receiving module 122. In some aspects, additional network information in the form of network topology 154 and correlations 156 may be provided to the receiving module 122. This information may indicate expected network topology, statistics, such as rates of change of network components, and relationships between network components. The network information may be provided as input to the machine-learning model 150”); 
analyzing the specification of the information technology change to determine features of the information technology change (Hild: Paragraph [0052], “In block 408 of process 400, the processing device 106 can determine a change between at least two of the network configurations in the configuration-change behavior structure. More specifically, the processing device 106 can instruct the model application module 124 of the anomaly detection engine 121 to compare like or similar network configurations within the configuration-change behavior structure to determine whether or not a change in configuration has occurred between two configurations. For example, if two network configurations indicate the presence of a different number of IP addresses in an IP address pool or the deletion of network interfaces, a change is detected. Changes may be small or significant. All identified changes may be placed in an updated configuration-change behavior structure in preparation for classification”); 
sanalyzing machine-generated data to identify a phenomena detected in the machine- generated data (Hild: Paragraph [0053], “In block 410 of process 400, the processing device 106 can determine whether the anomaly occurred in the network based on the change. More specifically, the processing device 106 can instruct the model application module 124 of anomaly detection engine 121 to compare the determined changes, e.g., the contents of the updated configuration-change behavior structure, to expected network to ploy and/or correlations information in order to determine whether the behavior is anomalous. The network topology information may include an expected or default network configuration along with network statistics, such as a frequency of change or rate of change of network configurations. If the determined changes occur outside of the expected frequency, then the changes are anomalous. Similarly, the correlations may indicate configuration changes that typically occur together, in parallel, or within a set time period of one another. If these events do not occur as expected, an associated change is anomalous. In some aspects the expected value may be a threshold to which the change is compared. IF the change meets the predefined threshold then the behavior is anomalous”; and Paragraph [0054], “In block 412 of process 400, the processing device 106 can generate an output indicating that one or more of the network configuration changes included in the configuration-change behavior structure are anomalous, in response to the one or more machine-learning models indicating that the anomaly occurred”); and 
providing to a machine learning model the features of the information technology change and features of the detected phenomena in the machine-generated data to determine a correlation between the information technology change and the detected phenomena in the machine-10generated data (Hild: Paragraph [0053], “In block 410 of process 400, the processing device 106 can determine whether the anomaly occurred in the network based on the change. More specifically, the processing device 106 can instruct the model application module 124 of anomaly detection engine 121 to compare the determined changes, e.g., the contents of the updated configuration-change behavior structure, to expected network to ploy and/or correlations information in order to determine whether the behavior is anomalous. The network topology information may include an expected or default network configuration along with network statistics, such as a frequency of change or rate of change of network configurations. If the determined changes occur outside of the expected frequency, then the changes are anomalous. Similarly, the correlations may indicate configuration changes that typically occur together, in parallel, or within a set time period of one another. If these events do not occur as expected, an associated change is anomalous. In some aspects the expected value may be a threshold to which the change is compared. IF the change meets the predefined threshold then the behavior is anomalous”; and Paragraph [0054], “In block 412 of process 400, the processing device 106 can generate an output indicating that one or more of the network configuration changes included in the configuration-change behavior structure are anomalous, in response to the one or more machine-learning models indicating that the anomaly occurred”; and Paragraph [0054], “In block 412 of process 400, the processing device 106 can generate an output indicating that one or more of the network configuration changes included in the configuration-change behavior structure are anomalous, in response to the one or more machine-learning models indicating that the anomaly occurred”).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 8 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Hild and further in view of U.S. Patent No. 9,288,117 to Angrish et al. ("Angrish").

Regarding claim 8, Hild teaches all of the elements of claim 1. However, Hild does not appear to teach:
wherein the specification of the information technology change is associated with a change request submitted to the information technology service management system.

However, in the same field of endeavor, Angrish teaches:
wherein the specification of the information technology change is associated with a change request submitted to the information technology service management system (Angrish: Col. 18, lines 19-29, “After retrieving the change request from the queue 1305, the remote management system 1040 translates the change request to a create message. In some embodiments, the request processor 1315 translates the change request by identifying several pieces of information related to the server configuration. As mentioned above, the server configuration may include customer identification, machine specification, image specification, and network details. When dedicated servers are hosted on multiple datacenters, the request processor 1315 may also identify a location of the datacenter (e.g., U.S. West)”).  

	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by Hild by having a specification associated with a change request, as taught by Angrish.  One of ordinary skill in the art would have been motivated to make this modification because it will improve scalability of a system’s topology. (Angrish: Col. 5, lines 26-39).

Regarding claim 10, Hild teaches all of the elements of claim 1. However, Hild does not appear to teach:
wherein analyzing the specification of the information technology change includes extracting one or more identifiers from the specification of the information technology change.

However, in the same field of endeavor, Angrish teaches:
wherein analyzing the specification of the information technology change includes extracting one or more identifiers from the specification of the information technology change (Angrish: Col. 18, lines 19-29, “After retrieving the change request from the queue 1305, the remote management system 1040 translates the change request to a create message. In some embodiments, the request processor 1315 translates the change request by identifying several pieces of information related to the server configuration. As mentioned above, the server configuration may include customer identification, machine specification, image specification, and network details. When dedicated servers are hosted on multiple datacenters, the request processor 1315 may also identify a location of the datacenter (e.g., U.S. West)”).  

	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by Hild by receiving identifiers from the specification for analysis, as taught by Angrish.  One of ordinary skill in the art would have been motivated to make this modification because it will improve scalability of a system’s topology. (Angrish: Col. 5, lines 26-39).

Claims 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Hild and further in view of U.S. Publication No. 2017/0116091 to Anderson et al. ("Anderson").

Regarding claim 12, Hild teaches all of the elements of claim 1. However, Hild does not appear to teach:
wherein analyzing the specification of the information technology change includes identifying a configuration item of a configuration management database (CMDB) associated with the information technology change and obtaining one or more identifiers from the configuration item of the CMDB.

However, in the same field of endeavor, Anderson teaches:
wherein analyzing the specification of the information technology change includes identifying a configuration item of a configuration management database (CMDB) associated with the information technology change and obtaining one or more identifiers from the configuration item of the CMDB (Anderson: Paragraph [0037], “The inputs to the event management engine 140 can include, for example, information from a Change and Configuration Management Database (“CCMDB”) 150. According to the embodiment, the CCMDB 150 is a repository of information technology assets called Configuration Items (“CI”), as well as the relationships between those assets. The CIs can be, for example, software, hardware, facilities, people, products, and/or services, among many other things. The CCMDB is utilized to track the assets and their relationships, which allows for the reconstruction of those CIs if necessary. Each CI in the CCMDB may comprise a unique identifier, a description, and relationship information, among other elements. Within the framework of the present invention, the CCMDB 150 can be utilized, for example, to determine and/or assign relationships between events and individual CIs within the primary environment 110”).  

It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by Hild by identifying a configuration item from a CMDB and obtaining an identifier from the item, as taught by Anderson.  One of ordinary skill in the art would have been motivated to make this modification because it will improve accuracy of predictions. (Anderson: Paragraph [0051]).

Regarding claim 18, Hild teaches all of the elements of claim 1. However, Hild does not appear to teach:
wherein the features of the detected phenomena include one or more identifiers obtained using a configuration management database.

However, in the same field of endeavor, Anderson teaches:
wherein the features of the detected phenomena include one or more identifiers obtained using a configuration management database (Anderson: Paragraph [0029], “In view of the foregoing, a system and method is provided that utilizes an event management analysis engine along with a knowledge base of previous events and a Change and Configuration Management Database (“CCMDB”) to learn what events may lead up to an incident and, based on the probability of failure from the incident, begin to take steps to auto-provision a cloud-based disaster recovery environment”).  

It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by Hild by having features of a phenomena including an identifier from a cmdb, as taught by Anderson.  One of ordinary skill in the art would have been motivated to make this modification because it will improve accuracy of predictions. (Anderson: Paragraph [0051]).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Hild and further in view of U.S. Publication No. 2020/0326913 to Ying et al. ("Ying").

Regarding claim 14, Hild teaches all of the elements of claim 1. However, Hild does not appear to teach:
wherein the machine-generated data includes log entries.

However, in the same field of endeavor, Ying teaches:
wherein the machine-generated data includes log entries (Shimizu: Paragraph [0084], “The log collection system 1 in the embodiment may promptly provide the log LG desired by the user U compared to a configuration of changing a program such as firmware or software installed in the projector 10”).    

It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by Hild by having machine-generated data include log entries, as taught by Ying.  One of ordinary skill in the art would have been motivated to make this modification because it will improve confidence that the system will perform as intended. (Ying: Paragraph [0002]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  (US 11245614 B1, US 20210409271 A1, US 20210342125 A1, US 11146599 B1).
US 11245614 B1: The present disclosure generally relates to a network configuration management service that aids in identifying and remediating suboptimal configuration settings affecting network communications to, from, and/or within a network environment. The service obtains a formal specification of the current state of the network environment representing the rules and other configuration settings that are used to make network traffic routing decisions within the network environment. Based on an analysis of the formal specification, the service can identify one or more sub-optimal configuration settings (e.g., redundant, lenient, and/or unused security group rules). Use of the formal specification allows the service to perform this analysis “statically,” without first sending packets through the network environment to test the possible paths. The service determines the manner in which modification, replacement, or removal of the sub-optimal configuration setting(s) changes the possible communication paths within the network environment. If the change to the network configuration setting(s) produces a desirable change in the possible communication paths within the network, or if the change reduces the complexity of network configuration settings while preserving the desired set of possible communication paths, the change may be implemented. In some cases, the process may be repeated in an iterative manner to test various changes to the configuration settings until one or more criteria are met, such as finding the smallest set of configuration settings that produces the same set of possible communication paths as currently available within the network environment, finding the set of configuration settings that provides only a desired set of possible communication paths, etc.
US 20210409271 A1: The method of FIG. 7 differs from the method of FIG. 4 in that comparing (450), by the analytics engine, the first network snapshot and the second network snapshot further includes determining (720) whether the state information from the second network snapshot indicates anomalous behavior in the network. Determining (720) whether the state information from the second network snapshot indicates anomalous behavior in the network may be carried out by the analytics engine (301) determining whether an increase in switch resource utilization or error messages, in the second network snapshot as compared to the first network snapshot, for some or all of the network switches is indicative of a problem or performance deterioration in the network that may have been caused by the configuration change. For example, the analytics engine (301) may determine that anomalous behavior is indicated by changes to the values of one or more state attributes for one or more switches (303). The analytics engine may use thresholds, weighted averages, trend analysis, machine learning, and combinations thereof, as well as other techniques that will be appreciated by those of skill in the art for identifying whether anomalous conditions are present in a network switch. By way of example and not limitation, a network configuration change may result in a network topology change that concentrates network traffic on one switch, thus causing a spike in resource utilization and/or packet drops on that switch. A comparison of the second network snapshot to the first network snapshot would reveal that the resource utilization on that switch is abnormally high, and thus the configuration change has potentially created a problem in the network.
US 20210342125 A1: The method of claim 1 further comprising, after receiving specification of at least one node in the one or more nodes, causing output of information regarding options for additional nodes to add to the one or more nodes, wherein the options for the additional nodes are identified by using a trained machine learning model to analyze nodes currently in the pipeline and output a recommendation for at least one additional node.
US 11146599 B1: A method for processing data streams to selectively transmit content to endpoint devices to facilitate conferencing, the method comprising: receiving, via one or more networks, a plurality of electronic communications from endpoint devices; segregating and routing electronic communications of the plurality of electronic communications to facilitate a plurality of conferencing environments based at least in part on a configuration of each conferencing environment of the plurality of conferencing environments being mapped to a digital identifier corresponding to a patient and a particular population of two or more resource identifiers, each resource identifier of the particular population of two or more resource identifiers corresponding to authenticated access to at least one of the electronic communications addressed to the conferencing environment; listening for data changes in one or more data streams, each data stream of the one or more data streams comprising medical data that is generated by a medical device; detecting a load condition from the data changes based on one or more trigger events that specify criteria for detecting the load condition; mapping the load condition to a particular digital identifier and a particular conferencing environment corresponding to the particular digital identifier; identifying a resource specification that corresponds to the load condition; and consequent to determining that the resource specification corresponds to the load condition, automatically identifying at least one resource identifier that corresponds to the resource specification, and automatically updating the particular conferencing environment, the automatically updating comprising: reconfiguring the configuration of the particular conferencing environment to grant authenticated access to the identified at least one resource identifier such that the identified at least one resource identifier is added to the particular population of two or more resource identifiers corresponding to the particular conferencing environment; composing content based at least in part on the load condition; and transmitting the content to a plurality of endpoint devices mapped to the particular population of three or more resource identifiers corresponding to the particular conferencing environment.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthew N Putaraksa whose telephone number is (303)297-4365.  The examiner can normally be reached on Monday-Thursday 7:00am-5:00pm MT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Matt Kim can be reached on 571-272-4182.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MATTHEW N PUTARAKSA/Examiner, Art Unit 2114                                                                                                                                                                                                        

/MATTHEW M KIM/Supervisory Patent Examiner, Art Unit 2114