DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is responsive to communication received on 06/25/2022. Claims 1-23 are pending of which claims 1, 14. 20 are amended, claims 21-23 are new.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 4, 8-14, and 19-21   are rejected under 35 U.S.C. 103 as being unpatentable over Yadav US 2016/0359872, and further in view of Liu US 2021/0389877.
Regarding claims 1, 14 and 20 Yadav teaches a computing system, computer implemented method and non-transitory CRM comprising: persistent storage configured to store a plurality of representations of a plurality of software applications, wherein the representations include textual data respectively indicative of attributes of the software applications(packet logs/ flow logs store information about devices, applications and services on a network, ¶16, 46) 
[" Sensors 104 can reside on nodes of a data center network (e.g., virtual partition, hypervisor, physical server, switch, router, gateway, other network device, other electronic device, etc.). In general, a virtual partition may be an instance of a virtual machine (VM) (e.g., VM 104a), sandbox, container (e.g., container 104c), or any other isolated environment that can have software operating within it. The software may include an operating system and application software. For software running within a virtual partition, the virtual partition may appear to be a distinct physical server. ", ¶16]
["FIG. 3 shows an example method 300 according to some embodiments. Example method 300 example interactions between analytics module 110, sensors 104 and a collector 108. Example method 300 can begin with analytics module configuring the sensors to send packet logs to the collector (step 301). This can include identifying a collector or plurality of collectors and instructing the sensors to send packet logs to the identified collectors based on a predefined rule or formula. Various sensors can be configured differently; for example, one sensor can be configured to send packet logs to one collector and another sensor can be configured to send its packet logs to a different collector. A sensor can then capture a packet (step 302). The sensor can then describe the packet in a packet log (step 304). For example, the packet log can contain the packet, metadata/header info of the packet (e.g., source address, destination address, size, protocol, sequence number, etc.), a summary of the packet (outgoing, incoming, packet type), etc. In some embodiments, a packet log can describe multiple packets, even unrelated packets.", ¶46]

and a mapping application configured to perform operations comprising: retrieving, from the persistent storage, a representation corresponding to a particular software application(logs are retrieved and a application map is created, ¶s24 49)  
["Analytics module 110 can determine dependencies of components within the network using ADM module 160. For example, if component A routinely sends data to component B but component B never sends data to component A, then analytics module 110 can determine that component B is dependent on component A, but A is likely not dependent on component B. If, however, component B also sends data to component A, then they are likely interdependent. These components can be processes, virtual machines, hypervisors, virtual local area networks (VLANs), etc. Once analytics module 110 has determined component dependencies, it can then form a component (“application”) dependency map. This map can be instructive when analytics module 110 attempts to determine a root cause of a failure (because failure of one component can cascade and cause failure of its dependent components). This map can also assist analytics module 110 when attempting to predict what will happen if a component is taken offline. Additionally, analytics module 110 can associate edges of an application dependency map with expected latency, bandwidth, etc. for that individual edge.", ¶24]

["The analytics module can then receive the flow log from the collector (step 316) and determine the status of the datacenter using the flow log (step 318). In some embodiments, step 318 utilizes other flow logs from the above referenced collector in addition to flow logs from other collectors in the datacenter. In some embodiments, step 318 includes: creating summary statistics related to the datacenter, identifying components or hosts that are at capacity, identifying components or hosts that are under-utilized or incapacitated, comparing current activity to historical or expected activity, etc. The analytics module can then detect an attack within the datacenter (step 320). An attack can include a misconfigured component that disrupts datacenter operations. In some embodiments, step 320 is informed by the status of the datacenter and the flow log(s) received from collector(s). The analytics module can then modify a security policy based on the status of the datacenter (step 322). For example, the analytics module can modify an access control list, a firewall, subnet assignments, etc. The analytics module can then present a report describing the status of the datacenter (step 324), e.g., to an administrator. Step 324 can include creating charts, graphs, illustrations, tables, notifications, etc. and presenting such aforementioned report via a web-interface, message (e.g., email, SMS, instant message, etc.), other audio-visual means, application program interface, etc. to a user, administrator, customer, client, program, etc.", ¶49]

identifying, based on the representation corresponding to the particular software application, a plurality of character strings present within particular textual data associated with the particular software application;
["The present technology automatically determines and assigns informative names to clusters in a computing network. A name of a cluster may be determined based at least upon one or more attributes shared among members of the corresponding cluster or source information. For example, the members of a cluster may share a substring in their host names or IPs. These sources of information can be used to automatically extract an informative name for the cluster. Informative names assigned to clusters may greatly enhance a user experience and improve a user-interaction efficiency and visibility to the computing network.", ¶623]

 generating, for each respective character string of the plurality of character strings, a corresponding weight based on a product of  (i) a frequency of the respective character string within the particular textual data and (ii) an inverse of a frequency of the respective character string within textual data associated with at least a subset of the plurality of software applications( tf–idf short for term frequency–inverse document frequency, is a numerical statistic that is a product TF multiplied by IDF where TF is a term frequency and IDFD is an inverse document frequency for a term, It is often used as a weighting factor in searches of information retrieval, text mining, and user modeling, ¶614-616)
["By ranking and showing only the top few (tfidf-weighted) features, the most informative of a node's (or cluster of nodes′) communications or processes (or user names, etc) can be displayed. The percentiled weight of the feature can also be displayed to provide more context on the informativeness of a feature." ¶614] 
["A similar process of percentiling can be applied to node-pair similarities, when displaying the closest (most similar) neighbors of a node in the similarity space (similarity based on communications or processes).", ¶615]
["When a user re-runs an ADM pipeline (after editing clusters, changing dates of data capture to run the pipeline on, etc), what has been changed in the final clusterings may be important for the user. Any two re-runs (their output clusterings) can be compared, where the two clusters are first matched by a matching algorithm (this can be done greedily, using matching scores such as Jaccard), and a Summary of changes in the clusters (nodes added/deleted), from one run to another, is shown in the UI.", ¶616]

 selecting, from the plurality of character strings and based on the corresponding weight determined for each respective character string, up to a predetermined number(top few, ¶614) of candidate tags for the particular software application(Informative names for clusters can be generated based combining multiple attributes names  ip address etc to generate a  meaningful name, ¶623-624);
["The present technology automatically determines and assigns informative names to clusters in a computing network. A name of a cluster may be determined based at least upon one or more attributes shared among members of the corresponding cluster or source information. For example, the members of a cluster may share a substring in their host names or IPs. These sources of information can be used to automatically extract an informative name for the cluster. Informative names assigned to clusters may greatly enhance a user experience and improve a user-interaction efficiency and visibility to the computing network.", ¶623]
["The present technology automatically determines and assigns informative names to clusters in a computing network. A name of a cluster may be determined based at least upon one or more attributes shared among members of the corresponding cluster or source information. For example, the members of a cluster may share a substring in their host names or IPs. These sources of information can be used to automatically extract an informative name for the cluster. Informative names assigned to clusters may greatly enhance a user experience and improve a user-interaction efficiency and visibility to the computing network.", ¶624]
["In some embodiments, a common long prefix from hostnames of members of a cluster can be determined using a computing algorithm. If the prefix satisfies certain criteria (e.g., a length or commonality among the members), the prefix can be extracted and used as a name for the cluster. If processing hostnames have failed to create a sufficiently long common prefix, the commonality among IP addresses of members of a cluster can be determined and used for naming the cluster.", ¶625]
 generating a mapping between the particular software application and a computing resource based on the candidate tags including at least one tag corresponding to the computing resource(generate a map of application dependencies topology maps etc); 
["Web frontend 122 can connect with serving layer 118 to present the data from serving layer 118 in a webpage. For example, web frontend 122 can present the data in bar charts, core charts, tree maps, acyclic dependency maps, line graphs, tables, etc. Web frontend 122 can be configured to allow a user to “drill down” on information sets to get a filtered data representation specific to the item the user wishes to drill down to. For example, individual traffic flows, components, etc. Web frontend 122 can also be configured to allow a user to filter by search. This search filter can use natural language processing to analyze the user's input. There can be options to view data relative to the current second, minute, hour, day, etc. Web frontend 122 can allow a network administrator to view traffic flows, application dependency maps, network topology, etc.", ¶34]

and storing, in the persistent storage, a representation of the mapping(topology maps can be stored on the analysis device’s storage ¶57 or in an external database ¶20).
["Collectors 108 can serve as a repository for the data recorded by sensors 104. In some example embodiments, collectors 108 can be directly connected to a top of rack switch. In other example embodiments, collectors 108 can be located near an end of row switch. Collectors 108 can be located on or off premises. It will be appreciated that the placement of collectors 108 can be optimized according to various priorities such as network capacity, cost, and system responsiveness. In some example embodiments, data storage of collectors 108 is located in an in-memory database, such as dashDB by International Business Machines. This approach benefits from rapid random access speeds that typically are required for analytics software. Alternatively, collectors 108 can utilize solid state drives, disk drives, magnetic tape drives, or a combination of the foregoing according to cost, responsiveness, and size requirements. Collectors 108 can utilize various database structures such as a normalized relational database or NoSQL database.", ¶20]
["FIG. 4B illustrates an example computer system 450 having a chipset architecture that can be used in executing the described method and generating and displaying a graphical user interface (GUI). Computer system 450 is an example of computer hardware, software, and firmware that can be used to implement the disclosed technology. System 450 can include a processor 455, representative of any number of physically and/or logically distinct resources capable of executing software, firmware, and hardware configured to perform identified computations. Processor 455 can communicate with a chipset 460 that can control input to and output from processor 455. In this example, chipset 460 outputs information to output 465, such as a display, and can read and write information to storage device 470, which can include magnetic media, and solid state media, for example. Chipset 460 can also read data from and write data to RAM 475. A bridge 480 for interfacing with a variety of user interface components 485 can be provided for interfacing with chipset 460. Such user interface components 485 can include a keyboard, a microphone, touch detection and processing circuitry, a pointing device, such as a mouse, and so on. In general, inputs to system 450 can come from any of a variety of sources, machine generated and/or human generated.", ¶57]

Yadav teaches the network includes tenants(tenant spaces) but does not specifically teach a system for managing particular managed network(tenant networks/spaces, see Yadav ¶97). Thus Yadav does not teach the particular application that belongs to a particular managed network of a plurality of different managed networks;
and that comprises software applications that belong to the particular managed network, wherein the corresponding weight indicates an extent to which the respective character string is uniquely descriptive of the particular software application within the particular managed network;
Liu in the same field of endeavor teaches a similar system for network monitoring and application/service identification. Liu teaches teach the particular application that belongs to a particular managed network of a plurality of different managed networks(TF-IDF performed with respect to applications/process and other information/metadata for a particular tenant space)
["In some cases, the VMs 110 and/or hypervisors 108 can be migrated to other servers 106. For example, the VM 110A can be migrated to a server 106C and a hypervisor 108B. The servers 106 can similarly be migrated to other locations in the network environment 100. For example, a server connected to a specific leaf router can be changed to connect to a different or additional leaf router. In some cases, some or all of the servers 106, hypervisors 108, and/or VMs 110 can represent a tenant space. The tenant space can include workloads, services, applications, devices, and/or resources that are associated with one or more clients or subscribers. Accordingly, traffic in the network environment 100 can be routed based on specific tenant policies, spaces, agreements, configurations, etc. Moreover, addressing can vary between one or more tenants. In some configurations, tenant spaces can be divided into logical segments and/or networks and separated from logical segments and/or networks associated with other tenants.", ¶29]
["The sensors 116 can be configured to report data and/or metadata about one or more packets, flows, communications, processes, execution of applications, events, and/or activities observed to the collector 118. For example, the sensors 116 can capture network data as well as information about the system or host of the sensors 116 (e.g., where the sensors 116 are deployed). Such information can also include, for example, data or metadata of active or previously active processes of the system, metadata of files on the system, system alerts, networking information, operating system state, etc. Reported data from the sensors 116 can provide details or statistics particular to one or more tenants. For example, reported data from a subset of sensors 116 deployed throughout devices or elements in a tenant space can provide information about the performance, use, quality, events, processes, security status, characteristics, statistics, patterns, conditions, configurations, topology, and/or any other information for the particular tenant space.", ¶32]

and that comprises software applications that belong to the particular managed network(data includes applications running past, current etc for particular tenant space, ¶32), 
["The sensors 116 can be configured to report data and/or metadata about one or more packets, flows, communications, processes, execution of applications, events, and/or activities observed to the collector 118. For example, the sensors 116 can capture network data as well as information about the system or host of the sensors 116 (e.g., where the sensors 116 are deployed). Such information can also include, for example, data or metadata of active or previously active processes of the system, metadata of files on the system, system alerts, networking information, operating system state, etc. Reported data from the sensors 116 can provide details or statistics particular to one or more tenants. For example, reported data from a subset of sensors 116 deployed throughout devices or elements in a tenant space can provide information about the performance, use, quality, events, processes, security status, characteristics, statistics, patterns, conditions, configurations, topology, and/or any other information for the particular tenant space.", ¶32]
wherein the corresponding weight indicates an extent to which the respective character string is uniquely descriptive of the particular software application within the particular managed network(TF-IDF can be applied to determine uniqueness of processes(i.e running applications) on the tenant network, ¶50)
["The collectors 118 can be configured to aggregate data from all of the sensors 116 and/or a subset of sensors 116. Moreover, the collectors 118 can be configured to analyze some or all of the data reported by the sensors 116. For example, the collectors 118 can include analytics engines (e.g., engines 120) for analyzing collected data. The network environment 100 can also include separate analytics engines 120 configured to analyze the data reported to the collectors 118. For example, the engines 120 can be configured to receive collected data from the collectors 118 and aggregate the data, analyze the data (individually and/or aggregated), generate reports, identify conditions, compute statistics, visualize reported data, troubleshoot conditions, visualize the network and/or portions of the network (e.g., a tenant space), generate alerts, identify patterns, calculate misconfigurations, identify errors, generate suggestions, generate testing, and/or any other analytics functions.", ¶35]
[" In an example, a scoring system such as a weighted term frequency-inverse document frequency (TF-IDF) technique may be used to determine which processes are unique to a host or small set of hosts and exclude processes which may be executing on several hosts. The TF-IDF is a statistical measure that evaluates how relevant an object is to a set of objects in a collection. For example, the TF-IDF may be used to evaluate how relevant a word is to a document in a collection of documents, by multiplying two metrics: how many times a word appears in a document, and the inverse document frequency of the word across a set of documents. In the example of evaluating the processes using a weighted TF-IDF, a long-running process may be evaluated for its relevance among the identified set of long-running processes. For example, if the same process is identified as a long-running process in the snapshots from several hosts, then that process may not be a long-running process corresponding to an web server or a database server process hosted by a particular server. In some examples, long-running processes are identified from the snapshots of several hosts and ranked based on a measure of their uniqueness. In some examples, weights may be assigned to correspond to the ranks, such as a higher weight being associated with a higher priority or unique/web server or a database server process and lower weights being associated with processes of lower priority. Upon being ranked, the processes identified as long-running processes representative of being web server or a database server processes can be used to define the functionalities of servers which may host these web server or a database server processes. Such servers hosting the web server or a database server processes can be prioritized for monitoring among the numerous servers in a data center.", ¶50]

It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify performing mapping of application/process in a network to mapping of particular tenant spaces as taught by Liu. The reason for this modification would be to provide for a system that allows for a tenant to map and view the topology of their own network or allow an administrator of a service provider of the tenant to view the topology their tenants.
The combination of Yadav/Liu is discussed above, such a combination teaches generating a mapping between the particular software application and a computing resource that belongs to the particular managed network based on the network-specific candidate tags including at least one tag corresponding to the computing resource; and storing, in the persistent storage, a representation of the mapping(Yadav, ¶s 20 , 614-617 teaches a mapping i.e ranking features to nodes and clusters, and in combination with Liu , ¶32 teaches that TF-IDF analysis is done with respect to particular tenant space ).
Regarding claim 3, Yadav teaches wherein generating the mapping between the particular software application and the computing resource comprises: obtaining, from the persistent storage, a plurality of tags corresponding to a plurality of computing resources; 
comparing the network specific network-specific candidate tagss to the plurality of tags; 
[“Nodes and clusters in a computing network can be summarized by displaying their ‘attributes’ (features) in a ranked list. Each node can have one or more vector types, i.e. vectors extracted from network communications and/or process-based features. A tfidf computation (tfidf is an information retrieval technique) can be performed to reweight attributes by a measure of their informativeness for a node. A similar algorithm can be performed on clusters (each cluster can be represented by a single vector, then tfidf post-processing can be performed on such set of vectors).”, ¶613]
[“By ranking and showing only the top few (tfidf-weighted) features, the most informative of a node's (or cluster of nodes′) communications or processes (or user names, etc) can be displayed. The percentiled weight of the feature can also be displayed to provide more context on the informativeness of a feature.”, ¶ 614]
 	[“A similar process of percentiling can be applied to node-pair similarities, when displaying the closest (most similar) neighbors of a node in the similarity space (similarity based on communications or processes). “. ¶615] 
[“ When a user re-runs an ADM pipeline (after editing clusters, changing dates of data capture to run the pipeline on, etc), what has been changed in the final clusterings may be important for the user. Any two re-runs (their output clusterings) can be compared, where the two clusters are first matched by a matching algorithm (this can be done greedily, using matching scores such as Jaccard), and a Summary of changes in the clusters (nodes added/deleted), from one run to another, is shown in the UI.”, ¶616]
[“Some embodiments extract an informative attributes from nodes and clusters and present the top few (or in ranked order) to a user as a means for summarizing an entity (node or cluster of nodes). In some embodiments, what has been changed in the clustering from one run to another run, can be summarized by matching clusterings and reporting a Summary of the changes.”, ¶617]

and determining, based on comparing the network-specific candidate tagss to the plurality of tags, that the at least one tag corresponding to the computing resource of the plurality of computing resources matches a particular tag of the network-specific candidate tags(mapping is generated  from monitored data retrieved from sensor or via database, ¶20, such data is used to generate mapping, ¶448).
["Collectors 108 can serve as a repository for the data recorded by sensors 104. In some example embodiments, collectors 108 can be directly connected to a top of rack switch. In other example embodiments, collectors 108 can be located near an end of row switch. Collectors 108 can be located on or off premises. It will be appreciated that the placement of collectors 108 can be optimized according to various priorities such as network capacity, cost, and system responsiveness. In some example embodiments, data storage of collectors 108 is located in an in-memory database, such as dashDB by International Business Machines. This approach benefits from rapid random access speeds that typically are required for analytics software. Alternatively, collectors 108 can utilize solid state drives, disk drives, magnetic tape drives, or a combination of the foregoing according to cost, responsiveness, and size requirements. Collectors 108 can utilize various database structures such as a normalized relational database or NoSQL database. ¶20]

["Additionally, the search UI is customizable to a specific datatype search. For example, the search query can be just for hosts, or just for flow, or just for applications. Depending on the searched data type, the UI can have a specific visualization tied to the datatype searched. For example, the host search will visually look different from the flow search and from the application search. This is to create immediate visual recognition of the searched data type. Furthermore datatypes can be filtered out after generation of the search results or as a parameter before the search results are generated.", ¶448]

Regarding claim 4, Yadav teaches wherein the operations further comprise: determining that the particular textual data has been updated; based on determining that the particular textual data has been updated, identifying a second plurality of character strings present within the particular textual data as updated; generating, for each given character string of the second plurality of character strings, a corresponding weight based on product of  (i) a frequency of the given character string within the particular textual data as updated and (ii)and  inverse of a frequency of the given character string within the textual data associated with at least a subset of the plurality of software applications that belong to the particular managed network; selecting, from the second plurality of character strings and based on the corresponding weight determined for each given character string, up to the predetermined number of updated network-specific candidate tags for the particular software application; generating an updated mapping between the particular software application and a second computing resource based on the updated network-specific candidate tags including at least one tag corresponding to the second computing resource; and storing, in the persistent storage, a representation of the mapping as updated( monitoring is performed continuously thus as applications and the corresponding VM upon which they are deployed move and change the above  mapping of network topology and determination of informative names as in claim 1  is performed on newly collected data, ¶242,407 see also ¶s 16, 24, 46, 49, 614-616, 623-624, TD-IDF is  a product of term freq and inverse term freq).
[“ The network data observed by a sensor A inside a VM is a subset of the network data observed by a sensor B inside the hypervisor on which the VM is running. Further, the network data observed by a sensor B running inside a Hypervisor is again a subset of the network data observed by a sensor C running either inside or as part of the networking gear to which the hypervisor or the physical machine is connected to. The relationship information about whether sensor B in placed in a hypervisor which contains the VM where sensor A is placed, is very important for a lot of algorithms that do analysis on the captured data. This relationship about sensor placement can be constructed manually by a person who has deployed the sensors. It might be possible to query the hypervisor environment using hypervisor specific APIs, and management interfaces provided by various hypervisor environments like Xen, Vmware, KVM, etc. A new way of figuring out this relationship from the captured flow data is presented in this disclosure. The technique is not dependent on a hypervisor environments or specific management solutions provided by various environments. The technique also enables detection of VM movements, and thus updating the relationship automatically.”, ¶242]
["This flow analysis occurs continuously, and the traffic monitoring system allows a user to specify a window of time (e.g., time of day, day of week or month, month(s) in a year, etc.) to determine the number of non-compliant events that occurred during that period.", ¶407]

Regarding claim 8 Yadav, teaches wherein the operations further comprise: updating the representation corresponding to the particular software application based on the network-specific candidate tags; and storing, in the persistent storage, the representation as updated(topology maps can be stored on the analysis device’s storage ¶57 or in an external database ¶20).
["Collectors 108 can serve as a repository for the data recorded by sensors 104. In some example embodiments, collectors 108 can be directly connected to a top of rack switch. In other example embodiments, collectors 108 can be located near an end of row switch. Collectors 108 can be located on or off premises. It will be appreciated that the placement of collectors 108 can be optimized according to various priorities such as network capacity, cost, and system responsiveness. In some example embodiments, data storage of collectors 108 is located in an in-memory database, such as dashDB by International Business Machines. This approach benefits from rapid random access speeds that typically are required for analytics software. Alternatively, collectors 108 can utilize solid state drives, disk drives, magnetic tape drives, or a combination of the foregoing according to cost, responsiveness, and size requirements. Collectors 108 can utilize various database structures such as a normalized relational database or NoSQL database.", ¶20]
["FIG. 4B illustrates an example computer system 450 having a chipset architecture that can be used in executing the described method and generating and displaying a graphical user interface (GUI). Computer system 450 is an example of computer hardware, software, and firmware that can be used to implement the disclosed technology. System 450 can include a processor 455, representative of any number of physically and/or logically distinct resources capable of executing software, firmware, and hardware configured to perform identified computations. Processor 455 can communicate with a chipset 460 that can control input to and output from processor 455. In this example, chipset 460 outputs information to output 465, such as a display, and can read and write information to storage device 470, which can include magnetic media, and solid state media, for example. Chipset 460 can also read data from and write data to RAM 475. A bridge 480 for interfacing with a variety of user interface components 485 can be provided for interfacing with chipset 460. Such user interface components 485 can include a keyboard, a microphone, touch detection and processing circuitry, a pointing device, such as a mouse, and so on. In general, inputs to system 450 can come from any of a variety of sources, machine generated and/or human generated.", ¶57]

Regarding claims 9 and 19, Yadav teaches  wherein the particular textual data associated with the particular software application comprises software process data generated by an operating system in connection with execution of the particular software application, and wherein the software process data comprises one or more of: (i) a name of an executable file used to cause execution of the particular software application, (ii) a file system path indicative of a location of the executable file, (iii) a command used to cause execution of the particular software application, or (iv) one or more arguments provided as input to the particular software application(commands executed can be analyzed to monitor and determine the flow of processes between applications, ¶286-289)
["In this context, we can capture data from sensors and use the data to develop a lineage for every process. The lineage can then be used to identify anomalies as further described below.", ¶286]
["Solution—Every process in a network can have some type of lineage. The current disclosure performs an analysis of commands and processes in the network to identify a lineage of a process. The lineage can be specifically important and relevant with endpoint groups (EPGs). The lineage can help identify certain types of patterns which may indicate anomalies or malicious events.", ¶287]

["For example, the system can identify a process at system Y when command X is executed. Command X may have been observed to be triggered by command Z. We then know that the lineage for the process at system Y is command Z followed by command X. This information can be compared with processes and commands as they are executed and initialized to identify any hidden command-in-control or other anomalies.", ¶288]

["To detect anomalies, other factors can also be taken into account. For example, factors which are inherently dubious can be used in the calculus. To illustrate, a process for running a scan on the network is inherently dubious. Thus, we can use the process lineage (i.e., lineage of the process for scanning the network) to determine if the scan was executed by a malicious command or malware. For example, if the scan follows the expected lineage mapped out for that process then we may be able to determine that the scan is legitimate or an accident/fluke. On the other hand, if the scan was triggered by an external command (i.e., command from the outside), then we can infer that this scan is part of an attack or malicious event. Similarly, if the scan does not follow the previously-established lineage (e.g., scan was started by a parent process that is not in the lineage), we can determine that the scan is part of a malicious event.", ¶289]

Regarding claim 10, Yadav teaches wherein the computing resource comprises at least one of: (i) a software service provided at least in part by the particular software application or (ii) a server device configured to execute at least part of the particular software application.
[“Endpoints 210 can include any communication device or component, such as a computer, server, hypervisor, virtual machine, container, process (e.g., running on a virtual machine), switch, router, gateway, host, device, external network, etc. In some example embodiments, endpoints 210 can include a server, hypervisor, process, or switch configured with virtual tunnel endpoint (VTEP) functionality which connects an overlay network with network fabric 212. The overlay network may allow virtual networks to be created and layered over a physical network infrastructure. Overlay network protocols, such as Virtual Extensible LAN (VXLAN), Network Virtualization using Generic Routing Encapsulation (NVGRE), Network Virtualization Overlays (NVO3), and Stateless Transport Tunneling (STT), can provide a traffic encapsulation scheme which allows network traffic to be carried across L2 and L3 networks over a logical tunnel. Such logical tunnels can be originated and terminated through VTEPs. The overlay network can host physical devices, such as servers, applications, endpoint groups, virtual segments, virtual workloads, etc. In addition, endpoints 210 can host virtual workload(s), clusters, and applications or services, which can connect with network fabric 212 or any other device or network, including an internal or external network. For example, endpoints 210 can host, or connect to, a cluster of load balancers or an EPG of various applications.", ¶43]

Regarding claim 11, Yadav teaches wherein each software application of the plurality of software applications is associated with a corresponding managed network, wherein the particular software application is associated with a particular managed network, 
["The disclosure can be directed to an application dependency map visualized in a collapsible tree flow chart. The tree flow chart is collapsible and displays the policies/relationships between each logical entity that carries a multi-tier application. The collapsible multi-tier application UI displays the data flows of a multi-tier application. A multi-tier application can have various aspects of the application running on various hosts. The UI displays the hierarchy and policies or dependencies between each logical entity running the application. The UI is collapsible allowing the user to drill down on any node/logical-entity representing hosts, databases or application tier. By making the UI collapsible, it allows for a more consumable UI.", ¶542]

and wherein the subset of the plurality of software applications comprises software applications associated with the particular managed network.
["Network connectivity in network fabric 212 can flow through leaf switches 204. Here, leaf switches 204 can provide servers, resources, VMs, or other electronic devices (e.g., endpoints 210), internal networks (e.g., L2 network 206), or external networks (e.g., L3 network 208), access to network fabric 212, and can connect leaf switches 204 to each other. In some example embodiments, leaf switches 204 can connect endpoint groups (EPGs) to network fabric 212, internal networks (e.g., L2 network 206), and/or any external networks (e.g., L3 network 208). EPGs can be used in network environment 200 for mapping applications to the network. In particular, EPGs can use a grouping of application endpoints in the network to apply connectivity and policy to the group of applications. EPGs can act as a container for buckets or collections of applications, or application components, and tiers for implementing forwarding and policy logic. EPGs also allow separation of network policy, security, and forwarding from addressing by instead using logical application boundaries. For example, each EPG can connect to network fabric 212 via leaf switches 204.", ¶40]

["The disclosure can be directed to an application dependency map visualized in a collapsible tree flow chart. The tree flow chart is collapsible and displays the policies/relationships between each logical entity that carries a multi-tier application. The collapsible multi-tier application UI displays the data flows of a multi-tier application. A multi-tier application can have various aspects of the application running on various hosts. The UI displays the hierarchy and policies or dependencies between each logical entity running the application. The UI is collapsible allowing the user to drill down on any node/logical-entity representing hosts, databases or application tier. By making the UI collapsible, it allows for a more consumable UI.", ¶542]

Regarding claim 12, Yadav teaches wherein each software application of the plurality of software applications is associated with a corresponding managed network, wherein the particular software application is associated with a particular managed network(application are tun on VMs/containers ¶16 and  multiple different applications are distributed across a network, ¶40) 
[" Sensors 104 can reside on nodes of a data center network (e.g., virtual partition, hypervisor, physical server, switch, router, gateway, other network device, other electronic device, etc.). In general, a virtual partition may be an instance of a virtual machine (VM) (e.g., VM 104a), sandbox, container (e.g., container 104c), or any other isolated environment that can have software operating within it. The software may include an operating system and application software. For software running within a virtual partition, the virtual partition may appear to be a distinct physical server. In some example embodiments, a hypervisor (e.g., hypervisor 104b) may be a native or “bare metal” hypervisor that runs directly on hardware, but that may alternatively run under host software executing on hardware. ", ¶16]
["Network connectivity in network fabric 212 can flow through leaf switches 204. Here, leaf switches 204 can provide servers, resources, VMs, or other electronic devices (e.g., endpoints 210), internal networks (e.g., L2 network 206), or external networks (e.g., L3 network 208), access to network fabric 212, and can connect leaf switches 204 to each other. In some example embodiments, leaf switches 204 can connect endpoint groups (EPGs) to network fabric 212, internal networks (e.g., L2 network 206), and/or any external networks (e.g., L3 network 208). EPGs can be used in network environment 200 for mapping applications to the network. In particular, EPGs can use a grouping of application endpoints in the network to apply connectivity and policy to the group of applications. EPGs can act as a container for buckets or collections of applications, or application components, and tiers for implementing forwarding and policy logic. EPGs also allow separation of network policy, security, and forwarding from addressing by instead using logical application boundaries. For example, each EPG can connect to network fabric 212 via leaf switches 204.", ¶40]
 
and wherein the subset of the plurality of software applications comprises software applications associated with at least one managed network other than the particular managed network.
[" Although analytics module 110 is shown to be a standalone network appliance in FIG. 2, it will be appreciated that analytics module 110 can also be implemented as a VM image that can be distributed onto a VM, a cluster of VMs, a software as a service (SaaS), or other suitable distribution model in various other example embodiments. In some example embodiments, sensors 104 can run on endpoints 210, leaf switches 204, spine switches 202, in-between network elements (e.g., sensor 104h), etc. In some example embodiments, leaf switches 204 can each have an associated collector 108. For example, if leaf switch 204 is a top of rack switch then each rack can contain an assigned collector 108.", ¶44]

Regarding claim 13, Yadav teaches wherein the particular software application and the subset of the plurality of software applications are configured to be executed by one or more computing resources disposed in a particular managed network, and(application are tun on VMs/containers ¶16 and  multiple different applications are distributed across a network, ¶40) 
[" Sensors 104 can reside on nodes of a data center network (e.g., virtual partition, hypervisor, physical server, switch, router, gateway, other network device, other electronic device, etc.). In general, a virtual partition may be an instance of a virtual machine (VM) (e.g., VM 104a), sandbox, container (e.g., container 104c), or any other isolated environment that can have software operating within it. The software may include an operating system and application software. For software running within a virtual partition, the virtual partition may appear to be a distinct physical server. In some example embodiments, a hypervisor (e.g., hypervisor 104b) may be a native or “bare metal” hypervisor that runs directly on hardware, but that may alternatively run under host software executing on hardware. ", ¶16]
["Network connectivity in network fabric 212 can flow through leaf switches 204. Here, leaf switches 204 can provide servers, resources, VMs, or other electronic devices (e.g., endpoints 210), internal networks (e.g., L2 network 206), or external networks (e.g., L3 network 208), access to network fabric 212, and can connect leaf switches 204 to each other. In some example embodiments, leaf switches 204 can connect endpoint groups (EPGs) to network fabric 212, internal networks (e.g., L2 network 206), and/or any external networks (e.g., L3 network 208). EPGs can be used in network environment 200 for mapping applications to the network. In particular, EPGs can use a grouping of application endpoints in the network to apply connectivity and policy to the group of applications. EPGs can act as a container for buckets or collections of applications, or application components, and tiers for implementing forwarding and policy logic. EPGs also allow separation of network policy, security, and forwarding from addressing by instead using logical application boundaries. For example, each EPG can connect to network fabric 212 via leaf switches 204.", ¶40]

 wherein the mapping application is configured to be executed by a computational instance of a remote network management platform configured to manage the particular managed network.
[" Although analytics module 110 is shown to be a standalone network appliance in FIG. 2, it will be appreciated that analytics module 110 can also be implemented as a VM image that can be distributed onto a VM, a cluster of VMs, a software as a service (SaaS), or other suitable distribution model in various other example embodiments. In some example embodiments, sensors 104 can run on endpoints 210, leaf switches 204, spine switches 202, in-between network elements (e.g., sensor 104h), etc. In some example embodiments, leaf switches 204 can each have an associated collector 108. For example, if leaf switch 204 is a top of rack switch then each rack can contain an assigned collector 108.", ¶44]


Regarding claim 21, Yadav/Liu teaches wherein generating the mapping between the particular software application and the computing resource comprises: obtaining, from the persistent storage, a plurality of tags corresponding to a plurality of computing resources(data from sensors is sent to data collectors for storage and retrieval an analysis, such as TF-IDF collected data, ¶s20, 21)  
["Collectors 108 can serve as a repository for the data recorded by sensors 104. In some example embodiments, collectors 108 can be directly connected to a top of rack switch. In other example embodiments, collectors 108 can be located near an end of row switch. Collectors 108 can be located on or off premises. It will be appreciated that the placement of collectors 108 can be optimized according to various priorities such as network capacity, cost, and system responsiveness. In some example embodiments, data storage of collectors 108 is located in an in-memory database, such as dashDB by International Business Machines. This approach benefits from rapid random access speeds that typically are required for analytics software. Alternatively, collectors 108 can utilize solid state drives, disk drives, magnetic tape drives, or a combination of the foregoing according to cost, responsiveness, and size requirements. Collectors 108 can utilize various database structures such as a normalized relational database or NoSQL database.", ¶20]

["In some example embodiments, collectors 108 may only serve as network storage for network traffic monitoring system 100. In other example embodiments, collectors 108 can organize, summarize, and preprocess data. For example, collectors 108 can tabulate how often packets of certain sizes or types are transmitted from different nodes of a data center. Collectors 108 can also characterize the traffic flows going to and from various nodes. In some example embodiments, collectors 108 can match packets based on sequence numbers, thus identifying traffic flows and connection links. In some example embodiments, collectors 108 can flag anomalous data. Because it would be inefficient to retain all data indefinitely, in some example embodiments, collectors 108 can periodically replace detailed network traffic flow data with consolidated summaries. In this manner, collectors 108 can retain a complete dataset describing one period (e.g., the past minute or other suitable period of time), with a smaller dataset of another period (e.g., the previous 2-10 minutes or other suitable period of time), and progressively consolidate network traffic flow data of other periods of time (e.g., day, week, month, year, etc.). By organizing, summarizing, and preprocessing the network traffic flow data, collectors 108 can help network traffic monitoring system 100 scale efficiently. Although collectors 108 are generally referred to herein in the plurality, it will be appreciated that collectors 108 can be implemented using a single machine, especially for smaller datacenters.", ¶21]

comparing the network-specific network-specific candidate tags to the plurality of tags(Liu teaches features of nodes and processes in nodes are performed for particular tenant space, ¶29) and determining, based on comparing the network-specific network-specific candidate tags to the plurality of tags, that the at least one tag corresponding to the computing resource of the plurality of computing resources matches a particular tag of the network-specific network-specific candidate tags(using TF-IDF weightings of a computing node features…. i.e. descriptive labels/tags are compared ranked to find the few highest ranked features that are most descriptive of the node or cluster, ¶s 613-617, 623-624 nodes features are for particular tenant per combination with Liu).
[Liu, "In some cases, the VMs 110 and/or hypervisors 108 can be migrated to other servers 106. For example, the VM 110A can be migrated to a server 106C and a hypervisor 108B. The servers 106 can similarly be migrated to other locations in the network environment 100. For example, a server connected to a specific leaf router can be changed to connect to a different or additional leaf router. In some cases, some or all of the servers 106, hypervisors 108, and/or VMs 110 can represent a tenant space. The tenant space can include workloads, services, applications, devices, and/or resources that are associated with one or more clients or subscribers. Accordingly, traffic in the network environment 100 can be routed based on specific tenant policies, spaces, agreements, configurations, etc. Moreover, addressing can vary between one or more tenants. In some configurations, tenant spaces can be divided into logical segments and/or networks and separated from logical segments and/or networks associated with other tenants.", ¶29]

[Yadav,“Nodes and clusters in a computing network can be summarized by displaying their ‘attributes’ (features) in a ranked list. Each node can have one or more vector types, i.e. vectors extracted from network communications and/or process-based features. A tfidf computation (tfidf is an information retrieval technique) can be performed to reweight attributes by a measure of their informativeness for a node. A similar algorithm can be performed on clusters (each cluster can be represented by a single vector, then tfidf post-processing can be performed on such set of vectors).”, ¶613]
[Yadav, “By ranking and showing only the top few (tfidf-weighted) features, the most informative of a node's (or cluster of nodes′) communications or processes (or user names, etc) can be displayed. The percentiled weight of the feature can also be displayed to provide more context on the informativeness of a feature.”, ¶ 614]
 	[Yadav, “A similar process of percentiling can be applied to node-pair similarities, when displaying the closest (most similar) neighbors of a node in the similarity space (similarity based on communications or processes). “. ¶615] 
[Yadav, “ When a user re-runs an ADM pipeline (after editing clusters, changing dates of data capture to run the pipeline on, etc), what has been changed in the final clusterings may be important for the user. Any two re-runs (their output clusterings) can be compared, where the two clusters are first matched by a matching algorithm (this can be done greedily, using matching scores such as Jaccard), and a Summary of changes in the clusters (nodes added/deleted), from one run to another, is shown in the UI.”, ¶616]
[Yadav, “Some embodiments extract an informative attributes from nodes and clusters and present the top few (or in ranked order) to a user as a means for summarizing an entity (node or cluster of nodes). In some embodiments, what has been changed in the clustering from one run to another run, can be summarized by matching clusterings and reporting a Summary of the changes.”, ¶617]
[Yadav," The present technology automatically determines and assigns informative names to clusters in a computing network. A name of a cluster may be determined based at least upon one or more attributes shared among members of the corresponding cluster or source information. For example, the members of a cluster may share a substring in their host names or IPs. These sources of information can be used to automatically extract an informative name for the cluster. Informative names assigned to clusters may greatly enhance a user experience and improve a user-interaction efficiency and visibility to the computing network.", ¶623]
["The present technology automatically determines and assigns informative names to clusters in a computing network. A name of a cluster may be determined based at least upon one or more attributes shared among members of the corresponding cluster or source information. For example, the members of a cluster may share a substring in their host names or IPs. These sources of information can be used to automatically extract an informative name for the cluster. Informative names assigned to clusters may greatly enhance a user experience and improve a user-interaction efficiency and visibility to the computing network.", ¶624]


Claims 2, 7, 15 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Yadav as applied to claim 1 and 14 above, and further in view of Deshpande US 2015/0006531.
Regarding claims 2 and 15, Yadav teaches automatic selection of candidate task and thus Yadav/Liu does not teach wherein the predetermined number of network-specific candidate tags comprises a plurality of network-specific candidate tags, and wherein the operations further comprise: displaying, by way of a user interface, the plurality of network-specific candidate tags for the particular software application;
and receiving, by way of the user interface and for the particular software application, a selection of a particular tag of the plurality of network-specific candidate tags, wherein the mapping between the particular software application and the computing resource is generated based on the particular tag matching the at least one tag corresponding to the computing resource. Deshpande being reasonably pertinent of work cluster label determination teaches suggesting labels for word clusters. Deshpande teaches wherein the predetermined number of network-specific candidate tags comprises a plurality of network-specific candidate tags, and wherein the operations further comprise: displaying, by way of a user interface, the plurality of network-specific candidate tags for the particular software application(list of candidate terms is displayed based on frequency with respect to the cluster is displayed, ¶30);
["In accordance with an exemplary embodiment, the documents or the records in the first cluster are accessed to create candidate items list of most frequent word or phrases. System uses n-gram technique for selecting candidate items. The system can take any value of n as configured by the user and perform candidate items selection. In one embodiment, system uses value of n from 1 to 5. It is observed empirically that going beyond 5-gram provides only marginal improvement in labeling survey responses. Further, the frequency of occurrence of each n-gram within the records in a given cluster is calculated. Further, a list of candidate items (n-grams) along with frequency of occurrence of each n-gram is created. Further, the list of candidate items (n-gram) is sorted in descending order. In another embodiment, the list of candidate items (n-gram) may be sorted in ascending order of the frequency of occurrence.", ¶30]

and receiving, by way of the user interface and for the particular software application, 
a selection of a particular tag of the plurality of network-specific candidate tags, wherein the mapping between the particular software application and the computing resource is generated based on the particular tag matching the at least one tag corresponding to the computing resource. 
[“ System and method for creating labels for cluster are described. System generates one or more descriptive labels that cover important themes discussed in a given set of documents of similar nature and are called as cluster. The label generated by the system for a cluster of documents could be formed using a single word or a single phrase and/or combination of them. System and method may use n-gram technique to select the candidate items occurring repetitively in the input set of documents. Further the candidate items are selected based on the frequency of occurrence of the candidate items. A two-dimensional array is generated by using the selected candidate items. Each element of the two-dimensional array represents a pair of the n-gram. Coverage value for each pair of the n-gram in the two-dimensional array is used to select the candidate pairs from the two-dimensional array. Further unique words occurring in each candidate pairs are determined. Further, cluster labels are selected based on the coverage value and the number of unique words in each of the candidate pairs.:, ¶14]
[“The system and method identifies predefined number of labels for example three, and user then selects one of the labels as appropriate descriptor of the set of documents. The system and method disclosed herein may also find application in labeling the collection of documents that are to be clustered to give cluster centers.”, ¶15]

It would have been obvious to a person of ordinary skill in the art at the time of the filing to modify Yadav/Liu with the ability to present a set of candidate terms that the user can select as the label/name for an application cluster. The reason for this modification would be to allow a user to override or change automatic naming as automatic naming can sometime be undescriptive (see Deshpande¶4).
Regarding claims 7 and 18, Yadav/Liu does not teach wherein the predetermined number of network-specific candidate tags comprises N network-specific candidate tags, and wherein selecting up to the predetermined number of network-specific candidate tags for the particular software application comprises: selecting a subset of the plurality of character strings, wherein each respective character string of the subset is associated with a corresponding weight that exceeds a threshold weight; and selecting, from the subset of the plurality of character string, up to N character strings associated with up to N highest corresponding frequencies within the particular textual data. Deshpande being reasonably pertinent of work cluster label determination teaches suggesting labels for word clusters. Deshpande teaches wherein the predetermined number of candidate tags comprises N network-specific candidate tags, and wherein selecting up to the predetermined number of network-specific candidate tags for the particular software application comprises(n-gram comprises n candidate tags/terms, ¶7): 
[“In one implementation, a system for at least one label for at least one cluster in a computing environment is disclosed. The system comprises a processor and a memory coupled to the processor, wherein the processor is capable of executing a plurality of modules stored in the memory, and wherein the plurality of modules comprise: a receiving module configured to receive an input data; a candidate items selector configured to select a plurality of candidate items occurring repetitively in the input data using a n-gram selection technique for a predefined value of n to generate a sorted list of the plurality of candidate items with a frequency of occurrence of the plurality of candidate items based on the input data; a combination array generator configured to select a predefined number of the plurality of candidate items from the sorted list of the plurality of candidate items to populate a two-dimensional array having a plurality of elements, wherein each element of the plurality of elements of the two-dimensional array represents a pair of the plurality of candidate items; a coverage value analyzer configured to determine a coverage value for each pair of the plurality of candidate items present in the two-dimensional array to further populate a sorted two-dimensional array; a candidate pair selector configured to select a predefined number of pairs of the plurality of candidate items from the sorted two-dimensional array to further process and generate a list of the pairs of the plurality of candidate items; a unique word filter configured to accept the list of the pairs of the plurality of candidate items to determine a number of unique words in each of the pairs of the plurality of candidate items; and a cluster label selector configured to sort the list of the pairs of the plurality of candidate items using the coverage value and the number of unique words to create a sorted list of the pairs of the plurality of candidate items for selecting a cluster label from the sorted list of the pairs of the plurality of candidate items.”, ¶7]
selecting a subset of the plurality of character strings, 
[" selecting a predefined number of pairs of the plurality of candidate items from the sorted two-dimensional array to further process and generate a list of the pairs of the plurality of candidate items; accepting the list of the pairs of the plurality of candidate items to determine a number of unique words in each of the pairs of the plurality of candidate items; and sorting the list of the pairs of the plurality of candidate items using the coverage value and the number of unique words to create a sorted list of the pairs of the plurality of candidate items for selecting a cluster label form the sorted list of the pairs of the plurality of candidate items; wherein the receiving, the selecting the plurality of candidates, the selecting the predefined number of the plurality of candidate items, the determining the coverage value, the selecting the predefined number of pairs, the accepting the list, and the sorting the list are performed by a processor of a computerized device.", ¶8]
wherein each respective character string of the subset is associated with a corresponding weight that exceeds a threshold weight(low frequency words are excluded);
[“System and method of the present disclosure uses unique word filtration mechanism which assures that low frequency words are not a part of the label.”, ¶54]
 and selecting, from the subset of the plurality of character string, up to N character strings associated with up to N highest corresponding frequencies within the particular textual data.
["The system 102 further comprises the combination array generator 216 configured to select foremost predefined number of the candidate items from the sorted list of candidate items and to populate a two-dimensional array. Each element of the two-dimensional array represents a pair of the n-gram. In accordance with an exemplary embodiment, the candidate items list created by candidate items selector is accessed by the combination array generator and the combination array generator selects top 5 n-grams for each n as candidate items for further processing. The list of candidate items is sorted in descending order, hence a predefined number of foremost candidate items are selected. In another embodiment, the list of candidate items is sorted in ascending order of the frequency of occurrence, hence predefined number of bottommost candidate items may be selected. The predefined number of candidate items/n-gram selected may be three, four, five or more. By way of an example, top five n-grams for each n as candidates are selected for further processing after completion of candidate items (n-grams) selection, system has 25 n-grams along with frequencies of occurrence. The combination array generator generates a two-dimensional array can be matrix of 25.times.25 cells wherein each cell represents a coverage value for a pair of n-gram.", ¶32]

It would have been obvious to a person of ordinary skill in the art at the time of the filing to modify Yadav/Liu with the ability to present a set of candidate terms that the user can select as the label/name for an application cluster. The reason for this modification would be to allow a user to override or change automatic naming as automatic naming can sometime be undescriptive (see Deshpande¶4).

Claims 5 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Yadav as applied to claims 1 and 14 above, and further in view of Chakerian US 2016/0004764.
Regarding claim 5 and 16,  Yadav/Liu do not teach wherein identifying the plurality of character strings present within the particular textual data comprises: removing, from the particular textual data, one or more occurrences of one or more predetermined characters; adjusting a letter case of one or more characters in the particular textual data; and generating a root form of one or more words in the particular textual data by processing the particular textual data by way of one or more of: (i) a stemming algorithm or (ii) a lemmatization algorithm. Chakerian in the analogous area of data mining teaches an event visualization system. Chakerian teaches wherein identifying the plurality of character strings present within the particular textual data comprises: removing, from the particular textual data, one or more occurrences of one or more predetermined characters; adjusting a letter case of one or more characters in the particular textual data; and generating a root form of one or more words in the particular textual data by processing the particular textual data by way of one or more of: (i) a stemming algorithm or (ii) a lemmatization algorithm.
[“At step 220, the electronic device can preprocess the obtained document. For example, the electronic device can obtain the text of the document and break it down into tokens. In some embodiments, each token can include one word. In other embodiments, each token can include parts of word, a transformed or a canonicalized word, or sequences of two or more words. In some embodiments, the electronic device can discard any tokens that do not correspond to predetermined types of speech. For example, the electronic device can keep only those tokens that correspond to nouns and verbs, and discard all other tokens such as adjectives, adverbs, prepositions, articles, etc. In some embodiments, the electronic device can also normalize the document by reducing each token to its morphological root or lemma, using any suitable stemming and/or lemmatization methods.”, ¶30]
[“At step 230, the electronic device can calculate a document vector representing the document. In some embodiments, the electronic device calculates the document vector by analyzing the preprocessed tokens and calculates, for each preprocessed token, a frequency value. In some embodiments, the frequency value can be calculated as a term frequency-inverse document frequency ratio (TF/IDF) where TF can reflect the number of times a token occurs in the obtained document. TF can be represented as a frequency, a Boolean frequency, a logarithmically scaled frequency, or an augmented frequency. IDF can reflect how common or rare the term is across a large corpus of documents. Accordingly, the TF/IDF measure can reflect how important a particular token is to a document because it increases proportionally to the number of times a token appears in the document, but is offset by the frequency of the token in the corpus, which helps to control for the fact that some tokens are generally more common than others.”, ¶31]

It would have been obvious to a person of ordinary skill in the art at the time of the filing to modify Yadav/Liu use of tf-idf to create cluster maps with lemmatizing and stemming terms/words as taught by Chakerian. The reason for this modification would be to normalize terms in collected data into root words to determine true frequency of a word that may have multiple variations.

Claims 22 is rejected under 35 U.S.C. 103 as being unpatentable over Yadav/Liu as applied to claim 20 above, and further in view of Gentile US 2021/0248105.
Regarding claim 22, Yadav teaches wherein the predetermined number(top few, ¶614) of network-specific candidate tags comprises a plurality of network-specific candidate tags, and wherein the operations further comprise: displaying, by way of a user interface, the plurality of network-specific candidate tags for the particular software application(ranked list of top few attributes are displayed, ¶s613-617); 
wherein the mapping between the particular software application and the computing resource is generated based on the particular tag matching the at least one tag corresponding to the computing resource(ranking one or more feature attributes regarding processes i.e. applications on a node selecting top few out of all the features descriptive of a node/host¶s613-617).
[“Nodes and clusters in a computing network can be summarized by displaying their ‘attributes’ (features) in a ranked list. Each node can have one or more vector types, i.e. vectors extracted from network communications and/or process-based features. A tfidf computation (tfidf is an information retrieval technique) can be performed to reweight attributes by a measure of their informativeness for a node. A similar algorithm can be performed on clusters (each cluster can be represented by a single vector, then tfidf post-processing can be performed on such set of vectors).”, ¶613]
[“By ranking and showing only the top few (tfidf-weighted) features, the most informative of a node's (or cluster of nodes′) communications or processes (or user names, etc) can be displayed. The percentiled weight of the feature can also be displayed to provide more context on the informativeness of a feature.”, ¶ 614]
 	[“A similar process of percentiling can be applied to node-pair similarities, when displaying the closest (most similar) neighbors of a node in the similarity space (similarity based on communications or processes). “. ¶615] 
[“ When a user re-runs an ADM pipeline (after editing clusters, changing dates of data capture to run the pipeline on, etc), what has been changed in the final clusterings may be important for the user. Any two re-runs (their output clusterings) can be compared, where the two clusters are first matched by a matching algorithm (this can be done greedily, using matching scores such as Jaccard), and a Summary of changes in the clusters (nodes added/deleted), from one run to another, is shown in the UI.”, ¶616]
[“Some embodiments extract an informative attributes from nodes and clusters and present the top few (or in ranked order) to a user as a means for summarizing an entity (node or cluster of nodes). In some embodiments, what has been changed in the clustering from one run to another run, can be summarized by matching clusterings and reporting a Summary of the changes.”, ¶617]

Yadav teaches receiving input to affect the labeling of network nodes/cluster(¶s 464,465) but does not teach and receiving, by way of the user interface and for the particular software application, a selection of a particular tag of the plurality of network-specific candidate tags. Gentile in the same filed of endeavor with respect to user of tf-idf teaches generating label/attributes of network nodes. Gentile teaches receiving, by way of the user interface and for the particular software application, a selection of a particular tag of the plurality of network-specific candidate tags(determined labeled are displayed and a user.i.e SME subject matter expert can accept/reject labels  helps validate the recommended labels an helps with training of the label generator, ¶78, 86).
["Additionally, in one embodiment, each node within the data center may be represented within a visual representation of the data center (e.g., a graph, etc.). In another embodiment, the graph may be presented visually to one or more users. In yet another embodiment, upon identifying a selection of a node within the graph, all applications running on the node may be provided (e.g., as a visual list, etc.). For example, the applications may be the labels of one or more software applications determined to be running on the node, based on the most recent snapshot data for the node. In still another embodiment, upon identifying a selection of a label of a software application, all nodes within the graph for which that label has been identified may be visually presented.", ¶78]

[In another embodiment, a semantic representation of a data center may be produced. Knowledge extraction is performed with a human-in-the-loop model by (i) collecting available knowledge about software processes from a Linked Open Data (LOD) cloud, (ii) using the knowledge in a distant supervision fashion to generate initial tags for each node in the data center, (iii) validating (e.g., accepting/rejecting/correcting) the proposed tags, (iv) using the validated tags to train several learning models, and (v) labeling all the processes from each node in the data center, using the trained models. One or more SMEs may validate new annotations and the process can be repeated until desired coverage is obtained.", ¶86]

It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify Yadav/Liu with the use of human selection for validation/ confirmation of the top attributes/features identified in the system of Yadav. The reason for this modification would be to improve the system’s ability to identify the top few features/attributes of nodes.
	
Claim 23 is rejected under 35 U.S.C. 103 as being unpatentable over Yadav/Liu as applied to claim 20 above, and further in view of Stevens US 2021/0157858.
Regarding claim 23, Yadav teaches wherein the predetermined number of network-specific candidate tags comprises N(top few  represents a certain number N) network-specific candidate tags, 
["By ranking and showing only the top few (tfidf-weighted) features, the most informative of a node's (or cluster of nodes′) communications or processes (or user names, etc) can be displayed. The percentiled weight of the feature can also be displayed to provide more context on the informativeness of a feature." ¶614] 

and wherein selecting up to the predetermined number of network-specific candidate tags for the particular software application comprises: selecting a subset of the plurality of character strings(using td-idf top few(N) weighted features are selected from all the possible features of a node, ¶614-617) , 
["By ranking and showing only the top few (tfidf-weighted) features, the most informative of a node's (or cluster of nodes′) communications or processes (or user names, etc) can be displayed. The percentiled weight of the feature can also be displayed to provide more context on the informativeness of a feature." ¶614] 

Yadav teaches selecting top few ranked or a certain percentile but does not specifically relate such a selection to a threshold and thus does not teach wherein each respective character string of the subset is associated with a corresponding weight that exceeds a threshold weight; 
and selecting, from the subset of the plurality of character strings, up to N character strings associated with up to N highest corresponding frequencies within the particular textual data. Stevens in the analogous area of labelling of group of data using TF-IDF teaches wherein each respective character string of the subset is associated with a corresponding weight that exceeds a threshold weight(terms above certain wright to select a certain percentage of terms, ¶s303,308) ;  and selecting, from the subset of the plurality of character strings, up to N character strings associated with up to N highest corresponding frequencies within the particular textual data(selected  with weight above threshold a certain number/percentage of terms, ¶303-305 and 308)  .

["In some implementations, selecting the plurality of candidate terms according to the predetermined criteria includes using a weighting methodology. In a weighting methodology, the Topic Discovery HyperEngine 586 assigns a weighting (e.g., a score) to each of the candidate terms. These weightings can later be used to select a trimmed lexicon based on additional predetermined criteria (e.g., a predetermined threshold). In some implementations, candidate term weighting is based on a frequency with which the candidate terms appear in the corpus divided by the total number of candidate terms that appear in the corpus (e.g., a local weighting). In some implementations, candidate term weighting is based on one of: total frequency inverse document frequency (“TFIDF”), point-wise or paired mutual information (“PMI”), and entropy.", ¶303]

[" In the TFIDF weighting methodology, a weighting for a candidate term is equal to the local weighting of a candidate term divided by the global weighting of the candidate term. The local weighting (e.g., the frequency of the term appearing in the corpus) is equal to the number of times the term appears in the corpus divided by the total number of words in the corpus. For example, if the word “President” appears five times out of one hundred total words, the frequency of the term “President” appearing in the corpus is five percent. The global weighting (e.g., the frequency of the term appearing in the global corpus) is calculated using the same calculation above for local weighting, except a global corpus (e.g., a larger collection of electronic posts as compared to the corpus) is used instead of the corpus. The Topic Discovery HyperEngine 586 can use the TFIDF methodology to discriminate against words that appear frequently in the corpus but also appear frequently in the global corpus and prioritize words that do not appear frequently in the corpus but also do not appear frequently in global corpus.", ¶304]

[" The PMI and entropy weighting methodologies are similar to TFIDF except that they calculate weightings for proximity n-grams. For the PMI weighting methodology, the weighting for a proximity n-gram is equal to the log of the frequency of the proximity n-gram appearing in the corpus divided by the product of the frequency of each word that comprises the proximity n-gram individually appearing in the corpus. For example, the equation for calculating the frequency of a bigram appearing in the corpus using the PMI weighting methodology is as follows:" ¶305]

["In some implementations, after the Topic Discovery HyperEngine 586 calculates the weightings, the Topic Discovery HyperEngine 586 selects a predefined number of candidate terms with the best weightings (e.g., scores) to include in the trimmed lexicon used by the topic discovery model. In some implementations, the Topic Discovery HyperEngine 586 may select a predefined number (e.g., a number between 100 and 1000) or predefined percentage (e.g., top 1/100 or top ¼) of candidate terms that have the highest weighting or score. In other implementations, the Topic Discovery HyperEngine 586 may select candidate terms having a weighting that exceeds a predetermined threshold. In other implementations, the Topic Discovery HyperEngine 586 normalizes the weightings for each candidate term by applying a normal distribution with a mean of zero and a variance of one to the candidate term weightings before selecting candidate terms that exceed a predetermined threshold.", ¶308]

It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify Yadav/Liu with use of a threshold weight to select the highest number of terms to meet the “top few” determine features of Yadav. The reason for this modification would be to select the most meaningful attributes/features to label nodes.
	








Applicant Remarks
Applicant’s arguments with respect to claim1-23 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TOM Y. CHANG whose telephone number is (571)270-5938.  The examiner can normally be reached on Monday - Thursday from 9am to 5pm.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, William Trost , can be reached on (571)272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through 
Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/TOM Y CHANG/
Primary Examiner, Art Unit 2456