DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed regarding Indian parent Application No. IN202041043080, filed on 10/04/2020.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 11/6/2020 and 9/10/2022 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) are:
…a scoring module… an operational predictive score engine… an operational predictive score roll-up module… [Claims 1 and 30],
…predictive score engine… forecasting engine and a statistical scoring engine… [Claims 2 and 17],
…said forecasting engine… [Claims 3 and 18],
…statistical scoring engine… forecasting engine… [Claims 4 and 19],
…statistical modeling engine… forecasting engine… statistical modeling engine… [Claims 5 and 20],
…a training module… [Claims 6-7, 12 and 26],
…an operational predictive score roll-up module… [Claim 8],
…an alerting engine… [Claims 9 and 24],
…an operational predictive score quality monitor module… [Claims 11 and 25],
…a root cause analysis module… [Claims 15 and 29],
…a scoring module… an operational predictive score roll-up module… a training module… an alerting engine… and a root cause analysis module… [Claim 16].
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1-30 are rejected under 35 U.S.C. 112(a) or pre-AIA 35 U.S.C. 112, first paragraph, as based on a disclosure which is not enabling. The disclosure does not enable one of ordinary skill in the art to practice the invention without knowing a particular structure of the following claim elements:
…a scoring module… an operational predictive score engine… an operational predictive score roll-up module… [Claims 1 and 30],
…predictive score engine… forecasting engine and a statistical scoring engine… [Claims 2 and 17],
…said forecasting engine… [Claims 3 and 18],
…statistical scoring engine… forecasting engine… [Claims 4 and 19],
…statistical modeling engine… forecasting engine… statistical modeling engine… [Claims 5 and 20],
…a training module… [Claims 6-7, 12 and 26],
…an operational predictive score roll-up module… [Claim 8],
…an alerting engine… [Claims 9 and 24],
…an operational predictive score quality monitor module… [Claims 11 and 25],
…a root cause analysis module… [Claims 15 and 29],
…a scoring module… an operational predictive score roll-up module… a training module… an alerting engine… and a root cause analysis module… [Claim 16].
The structure of these elements is considered critical or essential to the practice of the invention but is not included in the claim(s). See In re Mayhew, 527 F.2d 1229, 188 USPQ 356 (CCPA 1976). Examiner observes the original disclosure does not appear to specify whether such engines and modules are computer hardware components, software elements, or any other such structure to enable the objectives of the invention.


The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claims 1-30 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

The following claim limitations invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
…a scoring module… an operational predictive score engine… an operational predictive score roll-up module… [Claims 1 and 30],
…predictive score engine… forecasting engine and a statistical scoring engine… [Claims 2 and 17],
…said forecasting engine… [Claims 3 and 18],
…statistical scoring engine… forecasting engine… [Claims 4 and 19],
…statistical modeling engine… forecasting engine… statistical modeling engine… [Claims 5 and 20],
…a training module… [Claims 6-7, 12 and 26],
…an operational predictive score roll-up module… [Claim 8],
…an alerting engine… [Claims 9 and 24],
…an operational predictive score quality monitor module… [Claims 11 and 25],
…a root cause analysis module… [Claims 15 and 29],
…a scoring module… an operational predictive score roll-up module… a training module… an alerting engine… and a root cause analysis module… [Claim 16].
However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Examiner observes the original disclosure does not appear to specify whether such engines and modules are computer hardware components, software elements, or any other such structure to enable the objectives of the invention. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.



Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20, 23-25 and 27-30 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.  

Claims 21-22 and 26 are considered to amount to significantly more than the judicial exception for reasons discussed further below in the 35 USC § 101 section.

Step 1: Claims 1-20, 23-25 and 27-30 are directed to statutory categories, namely a machine (claims 1-15), a process (claims 16-20, 23-25 and 27-29) and an article of manufacture (claim 30). 

Step 2A, Prong 1: Claims 1, 16 and 30 in part, recite the following abstract idea: 
…a data pipeline configured to collect, in real-time, a plurality of time series signals comprising multiple metrics corresponding to one or more of health, performance, and functionality of each of said components of said…; a data store configured to receive a data stream comprising said collected plurality of time series signals, and store said received data stream as individual time series data; a scoring module, comprising: an operational predictive score engine configured to calculate an operational predictive score for each of said time series signals of said components of said… corresponding to said individual time series data of each of said plurality of time series signals; and an operational predictive score roll-up module configured to aggregate said calculated operational predictive score of each of said time series signals of said components of said…system into an operational predictive score for each of said components of said… [Claim 1],
…providing… comprising a data pipeline, a data store, a scoring module comprising an operational predictive score engine and an operational predictive score roll-up module, a statistical modeling engine, a training module, an alerting engine… an operational predictive score quality monitor module, and a root cause analysis module; collecting, in real-time, by said data pipeline, a plurality of time series signals comprising multiple metrics corresponding to one or more of health, performance, and functionality of each of said components of said… receiving, by said data store, a data stream comprising said collected plurality of time series signals, and storing said received data stream as individual time series data; calculating, by said operational predictive score engine of said scoring module, an operational predictive score for each of said time series signals of said components of said …; and aggregating, by said operational predictive score roll-up module of said scoring module, said calculated operational predictive score of each of said time series signals of said components of said … into an operational predictive score for each of said components of said …[Claim 16],
…collecting, in real-time, by a data pipeline, a plurality of time series signals comprising multiple metrics corresponding to one or more of health, performance, and functionality of each of said components of said…; receiving, by a data store, a data stream comprising said collected plurality of time series signals, and storing said received data stream as individual time series data; calculating, by an operational predictive score engine of a scoring module, an operational predictive score for each of said time series signals of said components of said…; and aggregating, by an operational predictive score roll-up module of said scoring module, said calculated operational predictive score of each of said time series signals of said components of said… into an operational predictive score for each of said components of said… [Claim 30].
These concepts are not meaningfully different than the following concepts identified by the MPEP:
Concepts relating to certain methods of organizing human activity. The aforementioned limitations describe steps for fundamental economic principles or practices, which includes hedging, insurance, mitigating risk. Specifically, scoring of components and services of an information technology system is considered to describe steps for mitigating the risk of failure of information technology systems. As such, claims 1, 16 and 30 recite concepts identified as abstract ideas.

The dependent claims recite limitations relative to the independent claims, including, for example: 
…wherein said operational predictive score engine comprises a forecasting engine and a statistical scoring engine [Claim 2],
…wherein said forecasting engine is configured to generate a probabilistic forecast for each of said time series signals of said components of said information technology system, using a plurality of customized machine learning models [Claim 3],
…wherein said statistical scoring engine is configured to calculate said operational predictive score for each of said time series signals of said components of said information technology system, using a statistical model on said probabilistic forecast from said forecasting engine for each of said time series signals of said components of said information technology system [Claim 4],
The limitations of these dependent claims are merely narrowing the abstract idea identified in the independent claims, and thus, the dependent claims also recite abstract ideas.

Step 2A, Prong 2: This judicial exception is not integrated into a practical application. In particular, claims 1, 16 and 30 only recite the following additional elements – 
…information technology system… [Claims 1 and 30],
…a computer implemented system… a graphical user interface… information technology system…  [Claim 16].
The apparatus and executable instructions are recited at a high-level of generality (see MPEP § 2106.05(a)), like the following MPEP example:

Furthermore, the computer implemented element is considered to amount to no more than mere instructions to apply the exception using a generic computer component (see MPEP 2106.05(f)), like the following MPEP example: 
iii. Gathering and analyzing information using conventional techniques and displaying the result, TLI Communications, 823 F.3d at 612-13, 118 USPQ2d at 1747-48; 
Accordingly, these additional elements do not integrate the abstract idea into a practical application. 
i. A commonplace business method or mathematical algorithm being applied on a general purpose computer, Alice Corp. Pty. Ltd. v. CLS Bank Int’l, 573 U.S. 208, 223, 110 USPQ2d 1976, 1983 (2014); Gottschalk v. Benson, 409 U.S. 63, 64, 175 USPQ 673, 674 (1972); Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015);
Claims 6-7 and 21-22 recite the following additional elements – 
…a training module configured to train said customized machine learning models comprising autoregressive Recurrent Neural Network based forecasting models… [Claim 6],
…wherein said training module is further configured to train a common machine learned model for a set of related time series signals… [Claim 7],
… further comprising training, by said training module, said customized machine learning models comprising autoregressive Recurrent Neural Network based forecasting models… [Claim 21],
…further comprising training, by said training module, a common machine learned model for a set of related times series signals… [Claim 22].
Examiner draws a distinction between claims 6-7 and claims 21-22 because claims 21-22 include elements which positively recite the step of actively training machine learning models. In contrast, claims 6-7 merely recite that a module is configured to train machine learning models (i.e. without actually claiming the step of training said machine learning models). As such, the training steps in claims 21-22 are considered to demonstrate an improvement to the technology of scoring components and services of an information technology system, and thus are considered to recite significantly more than the judicial exception.

The remaining dependent claims do not recite any new additional elements, and thus do not integrate the abstract idea into a practical application.

Step 2B: Claims 1, 16 and 30 and their underlying limitations, steps, features and terms, considered both individually and as a whole, do not include additional elements that are sufficient to amount to significantly more than the judicial exception for the following reasons: 
…information technology system… [Claims 1 and 30],
…a computer implemented system… a graphical user interface… information technology system…  [Claim 16].
These elements do not amount to significantly more than the abstract idea for the reasons discussed in 2A prong 2 with regard to MPEP 2106.05(a) and MPEP 2106.05(f). By the failure of the elements to integrate the abstract idea into a practical application there, the additional elements likewise fail to amount to an inventive concept that is significantly more than an abstract idea here, in Step 2B. 
As such, both individually or in combination, these limitations do not add significantly more to the judicial exception.
The remaining dependent claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the dependent claims do not recite any new additional elements other than those mentioned in the independent claims, which amount to no more than mere instructions to apply the exception using a generic computer component (see MPEP 2106.05(f)). As such, these claims are not patent eligible.

	
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-5, 8-11, 13-14, 16-20, 23-25, 27-28 and 30 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Muddu et al., U.S. Publication No. 2017/0063901 [hereinafter Muddu].

Regarding claim 1, Muddu anticipates …A computer implemented system for real-time operational predictive scoring of components and services of an information technology system for forecasting and assessing performance of said components of said information technology system, comprising: a data pipeline configured to collect, in real-time, a plurality of time series signals comprising multiple metrics corresponding to one or more of health, performance, and functionality of each of said components of said information technology system (Muddu, ¶ 192, the security platform introduced here includes various aspects that are specifically tailored to this data environment, including techniques for obtaining different kinds of data, preparing data, and processing data, by using different stages, to enable quick diagnosis of service problems, detection of sophisticated security threats, understanding of the health and performance of remote equipment, and demonstration of compliance), (Id., Fig. 5, Figure depicts data pipeline 316 configured to collect data in real time);


a data store configured to receive a data stream comprising said collected plurality of time series signals, and store said received data stream as individual time series data (Id., Fig. 4, Figure depicts time series database 370 for collecting and storing time series data);


a scoring module, comprising: an operational predictive score engine configured to calculate an operational predictive score for each of said time series signals of said components of said information technology system corresponding to said individual time series data of each of said plurality of time series signals (Id., ¶ 273, embodiments introduced here include an ML-based CEP engine that utilizes distributed training and deliberation of one or more machine learning models. “Deliberation” of a machine learning model or a version of a machine learning model involves processing data through a model state of the machine learning model or version of the machine learning model. For example, deliberation can include scoring input data according to a model deliberation process logic as configured by the model state. The ML-based CEP engine processes event feature sets through the ML models to generate conclusions (e.g., security-related anomalies, security-related threat indicators, security-related threats, or any combination thereof) in real-time. “Real-time” computing, or “reactive computing”, describes computer systems subject to a processing responsiveness restriction (e.g., in a service level objective (SLO) in a service level agreement (SLA)). In real-time processing, conclusions are reached substantially immediately following the receipt of input data such that the conclusions can be used to respond the observed environment. The ML-based CEP engine continuously receives new incoming event feature sets and reacts to each new incoming event feature set by processing it through at least one machine learning model. Because of real-time processing, the ML-based CEP engine can begin to process a time slice of the unbounded stream prior to when a subsequent time slice from the unbounded stream becomes available);
and an operational predictive score roll-up module configured to aggregate said calculated operational predictive score of each of said time series signals of said components of said information technology system into an operational predictive score for each of said components of said information technology system (Id., ¶ 628, The anomaly score associated with a particular entity is based on the entity profile (including the underlying feature scores) of the particular entity. The anomaly score may be conceptualized as combination of all of the feature scores for a particular entity), (Id., ¶ 629, In some cases anomaly scores calculated or assigned by processing event data through an anomaly model to generate a numerical value. Here, the anomaly score is calculated or assigned by processing the plurality of feature scores through an anomaly model), (Id., ¶ 390, the use case described in FIGS. 31A-31B involves combining anomaly data associated with different types of anomalies, assigning a threat indicator score based on the result of the combining, and identifying a threat indicator if the threat indicator score satisfies a specified criterion).

Regarding claim 2, Muddu anticipates …the system of claim 1…
Muddu further anticipates …wherein said operational predictive score engine comprises a forecasting engine and a statistical scoring engine (Muddu, ¶ 24, FIG. 15 is a block diagram of a machine learning-based complex event processing (CEP) engine), (Id., ¶ 277, The ML-based CEP engine is further capable of condensing and summarizing historical knowledge by observing streams of events to train the machine learning models. This enables the ML-based CEP engine to include a form of historical comparison as part of its analysis without consuming too much data storage capacity. For example, the ML-based CEP engine can train a decision tree (discloses forecasting engine) based on the historical events. In this case, the trained decision tree is superior to a user-specified rule because it can make predictions based on historical sequence of events), (Id., ¶ 317, the model deliberation process thread generates a security-related conclusion based on the score. The security-related conclusion can identify the event or the sequence of events corresponding to the time slice as a security-related anomaly, threat indicator or threat. In one example, the model deliberation process compares the score against a constant threshold and makes the security-related conclusion based on the comparison. In another example, the model deliberation process (discloses statistical scoring engine) compares the score against a dynamically updated baseline (e.g., statistical baseline) and makes the security-related conclusion based on the comparison).

Regarding claim 3, Muddu anticipates …the system of claim 2…
Muddu further anticipates …wherein said forecasting engine is configured to generate a probabilistic forecast for each of said time series signals of said components of said information technology system, using a plurality of customized machine learning models (Id., ¶ 277, The ML-based CEP engine is further capable of condensing and summarizing historical knowledge by observing streams of events to train the machine learning models. This enables the ML-based CEP engine to include a form of historical comparison as part of its analysis without consuming too much data storage capacity. For example, the ML-based CEP engine can train a decision tree (discloses forecasting engine) based on the historical events. In this case, the trained decision tree is superior to a user-specified rule because it can make predictions (discloses generated probabilistic forecast) based on historical sequence of events), (Id., ¶ 150, In the context of machine-learning evaluation, historical data and third party data may be used to create and improve the machine learning models employed to perform the evaluation).

Regarding claim 4, Muddu anticipates …the system of claim 3…
Muddu further anticipates …wherein said statistical scoring engine is configured to calculate said operational predictive score for each of said time series signals of said components of said information technology system, using a statistical model on said probabilistic forecast from said forecasting engine for each of said time series signals of said components of said information technology system (Id., ¶ 317, the model deliberation process thread generates a security-related conclusion based on the score. The security-related conclusion can identify the event or the sequence of events corresponding to the time slice as a security-related anomaly, threat indicator or threat. In one example, the model deliberation process compares the score against a constant threshold and makes the security-related conclusion based on the comparison. In another example, the model deliberation process (discloses statistical scoring engine) compares the score against a dynamically updated baseline (e.g., statistical baseline) and makes the security-related conclusion based on the comparison).

Regarding claim 5, Muddu anticipates …the system of claim 4…
Muddu further anticipates …further comprising a statistical modeling engine configured to calculate a probability of said plurality of time series signals moving into an erroneous state in near future time, using a statistical model on said probabilistic forecast from said forecasting engine for each of said time series signals of said components of said information technology system, wherein said probability calculated by said statistical modeling engine is used to derive said operational predictive score for each of said time series signals of said components of said information technology system (Id., ¶ 279, Examples of entity-specific behavioral analysis include hierarchical temporal memory processes that employ modified probabilistic suffix trees (PST), collaborative filtering, content-based recommendation analysis, statistical matches in whitelists and blacklists using text models, entropy/randomness/n-gram analysis for uniform resource locators (e.g., URLs), other network resource locators and domains (AGDs), rare categorical feature/association analysis, identity resolution models for entities, land speed violation/geo location analysis, or any combination thereof. Examples of time series analysis of event sequences include Bayesian time-series statistical foundation (discloses statistical modeling engine) for discrete time-series data (based on variable-memory Markov models and context-tree weighting), dynamic thresholding analysis with periodicity patterns at several scales, change-point detection via maximum-a-posteriori-probability (MAP) (discloses probabilistic forecasting) modeling, cross-correlation and causality analysis via variable-memory modeling and estimation of directed mutual information, outlier analysis, or any combination thereof).

Regarding claim 8, Muddu anticipates …the system of claim 1…
Muddu further anticipates …wherein said data store is further configured to receive said operational predictive score of each of said time series signals of said components of said information technology system from said operational predictive score engine, and said operational predictive score for each of said components of said information technology system from said operational predictive score roll-up module (Id., ¶ 174, The infrastructure which may operate in batch mode includes the SQL store 378 that stores information accessible by scripted query language (SQL), a time series database 370 that represents the database for storing time stamped data, an HBase 372 that can be an open-source, distributed, non-relational database system on which databases (e.g., the time series database 370) can be implemented, and a GraphDB database 374 that stores security graphs 392, which may be based on relationship graphs generated from events. In some embodiments, the GraphDB database 374 comprises a Neo4j™ graph database), (Id., ¶ 179, The anomaly writer 402 can store the anomalies (e.g., including event data representing an anomalous event and any associated information) in the database 378. The same anomalies may also be stored in the time series database 370 and the HBase 372. The anomalies may also be stored in the graph database 374. In some embodiments, the anomalies can be stored in graph database 374 in the form of anomaly nodes in a graph or graphs), (Id., ¶ 180, The output from the analysis modules 330B, representing threats, may be stored in the database 378, the time series database 370 or the Hbase 372. As in the case of anomalies, not only are the threats themselves stored, but relevant information that exists at the time of evaluation can also be stored).

Regarding claim 9, Muddu anticipates …the system of claim 1…
Muddu further anticipates …further comprising an alerting engine configured to monitor a value of said operational predictive score for each of said time series signals and said components of said information technology system, and alert a user when said value falls below a set threshold (Id., ¶ 171, These anomalies, threat indicators and threats may be provided to a user interface (UI) system 350 for review by a human operator 352. As an example, a visualization map and a threat alert may be presented to the human operator 352 for review and possible action. The output of the analysis module 330 may also automatically trigger actions such as terminating access by a user, terminating file transfer, or any other action that may neutralize the detected threats. In certain embodiments, only notification is provided from the analysis module 330 to the UI system 350 for review by the human operator 352. The event data that underlies those notifications or that gives rise to the detection made by the analysis module 330 are persistently stored in a database 378. If the human operator decides to investigate a particular notification, he or she may access from database 378 the event data (including raw event data and any associated information) that supports the anomalies or threat detection. On the other hand, if the threat detection is a false positive, the human operator 352 may so indicate upon being presented with the anomaly or the threat. The rejection of the analysis result may also be provided to the database 378. The operator feedback information (e.g., whether an alarm is accurate or false) may be employed to update the model to improve future evaluation), (Id., ¶ 82, FIG. 82 shows a table listing example thresholds and/or parameters of a rarity criterion for various example events that can be used for determining whether an event is anomalous), (Id., ¶ 430, one of the projections is the anomaly projection 3730, which is a subset of the composite relationship graph that includes edges representing anomalous activities conducted by users. Each projection can be stored in a cluster of storage device and distributed amongst data containers (e.g., files) based on timestamps of the associated event data. The computer system can further identify events that have timestamps satisfying a specific closeness criterion (e.g., the timestamps having differences less than a threshold value), and store the edge data of these identified computer network activities in proximity to each other in the long-term non-volatile storage).

Regarding claim 10, Muddu anticipates …the system of claim 1…
Muddu further anticipates …further comprising a graphical user interface configured to provide a visualization of said operational predictive scores of each of said time series signals and said components to said user, for facilitating one or more of real-time monitoring, historical trend analysis, and system improvement (Id., ¶ 50, FIG. 39A is an illustrative home screen in a GUI of a system for monitoring potential computer network compromise).

Regarding claim 11, Muddu anticipates …the system of claim 1…
Muddu further anticipates …further comprising an operational predictive score quality monitor module configured to monitor a quality and an effectiveness of said operational predictive score of each of said time series signals and said components (Id., ¶ 327, in some embodiments, certain kinds of log files are preferably to be processed before others, and the HDFS connector (discloses score quality module) can select to retrieve those log files that need to be processed first. Typically, data of events that have richer information can be retrieved first in order to increase the accuracy of the overall security analysis. For example, to enable identity resolution, device resolution, and session tracking, those log files with device information (e.g., DHCP) are preferably processed first, followed by log files which associate user data with devices (e.g., AD or VPN), followed by all other files. Additionally or alternatively, the query that is sent by the connector can specify that the retrieved files (e.g., representing events) should be ordered by their formats (e.g., DHCP, then AD/VPN, then others)), (Id., ¶ 224, As the number of events received by the security platform increases, so does the size of this composite relationship graph. Therefore, even though a relation graph from a single event may not carry much meaning from a security detection and decision standpoint, when there are enough events and all the relationship graphs from those events are combined into a composite relationship graph, the composite relationship graph can provide a good indication of the behavior of many entities, and the quality/accuracy of this indication increases over time as the composite relationship graph grows. Then, the subsequent processing stages (e.g., the complex processing engine) can use models to perform analytics on the composite relationship graph or on any particular portion (i.e., “projection”, discussed further below) of the composite relationship graph. 
In some embodiments, the composite relationship graph is persistently stored using a distributed file system such as HDFS™).

Regarding claim 13, Muddu anticipates …the system of claim 1…
Muddu further anticipates …further comprising calculating an operational predictive score for said services implemented using said components of said information technology system (Id., ¶ 273, embodiments introduced here include an ML-based CEP engine that utilizes distributed training and deliberation of one or more machine learning models. “Deliberation” of a machine learning model or a version of a machine learning model involves processing data through a model state of the machine learning model or version of the machine learning model. For example, deliberation can include scoring input data according to a model deliberation process logic as configured by the model state. The ML-based CEP engine processes event feature sets through the ML models to generate conclusions (e.g., security-related anomalies, security-related threat indicators, security-related threats, or any combination thereof) in real-time. “Real-time” computing, or “reactive computing”, describes computer systems subject to a processing responsiveness restriction (e.g., in a service level objective (SLO) in a service level agreement (SLA)). (discloses scoring relative to a service level) In real-time processing, conclusions are reached substantially immediately following the receipt of input data such that the conclusions can be used to respond the observed environment. The ML-based CEP engine continuously receives new incoming event feature sets and reacts to each new incoming event feature set by processing it through at least one machine learning model. Because of real-time processing, the ML-based CEP engine can begin to process a time slice of the unbounded stream prior to when a subsequent time slice from the unbounded stream becomes available).

Regarding claim 14, Muddu anticipates …the system of claim 13…
Muddu further anticipates …further comprising calculating an operational predictive score for said components in said services implemented using said components of said information technology system  (Id., ¶ 273, embodiments introduced here include an ML-based CEP engine that utilizes distributed training and deliberation of one or more machine learning models. “Deliberation” of a machine learning model or a version of a machine learning model involves processing data through a model state of the machine learning model or version of the machine learning model. For example, deliberation can include scoring input data according to a model deliberation process logic as configured by the model state. The ML-based CEP engine processes event feature sets through the ML models to generate conclusions (e.g., security-related anomalies, security-related threat indicators, security-related threats, or any combination thereof) in real-time. “Real-time” computing, or “reactive computing”, describes computer systems subject to a processing responsiveness restriction (e.g., in a service level objective (SLO) (discloses scoring objective components in services relative to a service level)  in a service level agreement (SLA)). In real-time processing, conclusions are reached substantially immediately following the receipt of input data such that the conclusions can be used to respond the observed environment. The ML-based CEP engine continuously receives new incoming event feature sets and reacts to each new incoming event feature set by processing it through at least one machine learning model. Because of real-time processing, the ML-based CEP engine can begin to process a time slice of the unbounded stream prior to when a subsequent time slice from the unbounded stream becomes available).

Regarding claim 15, Muddu anticipates …the system of claim 14…
Muddu further anticipates …further comprising a root cause analysis module configured to decompose said operational predictive score for any of said components of said information technology system into a responsibility matrix when said operational predictive score for any of said components of said information technology system deteriorates during a user transaction journey within said services implemented using said components of said information technology system, to locate one or more of said components that are contributing to said deterioration (Id., ¶ 279, Examples of time series analysis of event sequences include Bayesian time-series statistical foundation for discrete time-series data (based on variable-memory Markov models and context-tree weighting), dynamic thresholding analysis with periodicity patterns at several scales, change-point detection via maximum-a-posteriori-probability (MAP) modeling, cross-correlation and causality analysis via variable-memory modeling (discloses root cause analysis) and estimation of directed mutual information, outlier analysis, or any combination thereof), (Id., ¶ 640, If an anomaly indicating malware in the computer network is detected, and indication of that anomaly can be outputted for display to a user via a user interface of a computing device. FIG. 71 shows an example incident response output 7100 based on entity profiles configured for display to a user. The incident response output 7100 is represented in simplified form for clarity as a table including a plurality of entity identifiers 7102 with associated feature scores 7104a-7104d and a recommended response 7106 based on the plurality of feature scores. The particular arrangement of information should not be construed as limiting. 
In this example, the entity identifier is a domain name, however, the entity identifier associated with the entity can be any identifier, such as a domain name, a uniform resource locater (URL), uniform resource identifier (URI), an Internet Protocol (IP) address, a unique identifier (UID), a device identification, or a user identification. As shown in FIG. 71, the plurality of feature scores 7104a-7104d are displayed as classifications, i.e. no risk, moderate risk, and high risk, instead of numerical values. These classifications can be based on the underlying numerical feature scores. In some embodiments, the numerical feature score values (e.g. 0 to 10) are displayed to the user via the incident response output. The analyst recommendation 7106 provides information guiding the user to take action based on the raised anomaly associated with entity 7102. For example, the domain “www.evil.com” has a communication feature score indicative of a high risk to network security due to ongoing unblocked communications. The recommendation 7106, accordingly lists this as a critical priority due to the ongoing and unblocked nature of the communications. In some embodiments, the analyst recommendation 7106 is provided by a human security analyst based on an assessment of the feature scores associated with the entity. In some embodiments, the analyst recommendation is automatically generated by the system based on the feature scores and or the anomaly score, for example through the use of established network security rules), (Id., Fig. 71, Figure depicts a responsibility matrix with component scores).

Regarding claim 16, Muddu anticipates …A computer implemented method for real-time operational predictive scoring of components and services of an information technology system for forecasting and assessing performance of said components of said information technology system, comprising: providing a computer implemented system comprising a data pipeline, a data store, a scoring module comprising an operational predictive score engine and an operational predictive score roll-up module, a statistical modeling engine, a training module, an alerting engine, a graphical user interface, an operational predictive score quality monitor module, and a root cause analysis module; Muddu, ¶ 192, the security platform introduced here includes various aspects that are specifically tailored to this data environment, including techniques for obtaining different kinds of data, preparing data, and processing data, by using different stages, to enable quick diagnosis of service problems, detection of sophisticated security threats, understanding of the health and performance of remote equipment, and demonstration of compliance), (Id., ¶ 273, embodiments introduced here include an ML-based CEP engine that utilizes distributed training and deliberation of one or more machine learning models. “Deliberation” of a machine learning model or a version of a machine learning model involves processing data through a model state of the machine learning model or version of the machine learning model. For example, deliberation can include scoring input data according to a model deliberation process logic as configured by the model state), (Id., ¶ 430, one of the projections is the anomaly projection 3730, which is a subset of the composite relationship graph that includes edges representing anomalous activities conducted by users. Each projection can be stored in a cluster of storage device and distributed amongst data containers (e.g., files) based on timestamps of the associated event data. 
The computer system can further identify events that have timestamps satisfying a specific closeness criterion (e.g., the timestamps having differences less than a threshold value), and store the edge data of these identified computer network activities in proximity to each other in the long-term non-volatile storage), (Id., ¶ 640, If an anomaly indicating malware in the computer network is detected, and indication of that anomaly can be outputted for display to a user via a user interface of a computing device. FIG. 71 shows an example incident response output 7100 based on entity profiles configured for display to a user), (Id., ¶ 279, Examples of entity-specific behavioral analysis include hierarchical temporal memory processes that employ modified probabilistic suffix trees (PST), collaborative filtering, content-based recommendation analysis, statistical matches in whitelists and blacklists using text models, entropy/randomness/n-gram analysis for uniform resource locators (e.g., URLs), other network resource locators and domains (AGDs), rare categorical feature/association analysis, identity resolution models for entities, land speed violation/geo location analysis, or any combination thereof. Examples of time series analysis of event sequences include Bayesian time-series statistical foundation (discloses statistical modeling engine) for discrete time-series data (based on variable-memory Markov models and context-tree weighting), (Id., ¶ 327, in some embodiments, certain kinds of log files are preferably to be processed before others, and the HDFS connector (discloses score quality module) can select to retrieve those log files that need to be processed first. 
Typically, data of events that have richer information can be retrieved first in order to increase the accuracy of the overall security analysis), (Id., ¶ 233, a machine learning model can have different phases, for example, a training phase (discloses training module) (after initiation and before ready) and an active phase (after ready and before expiration). In a training phase of a machine learning model, if an event that is received involves both a user and a machine identifier (e.g., if the event data representing the event has both a user identifier and a machine identifier), then machine learning model that is employed by the identity resolution module 812 can use this event to create or update the probability of association between the user and the machine identifier), (Id., Fig. 5, Figure depicts a data store, and a data pipeline 316 configured to collect data in real time);

collecting, in real-time, by said data pipeline, a plurality of time series signals comprising multiple metrics corresponding to one or more of health, performance, and functionality of each of said components of said information technology system  (Id., ¶ 192, the security platform introduced here includes various aspects that are specifically tailored to this data environment, including techniques for obtaining different kinds of data, preparing data, and processing data, by using different stages, to enable quick diagnosis of service problems, detection of sophisticated security threats, understanding of the health and performance of remote equipment, and demonstration of compliance), (Id., Fig. 4, Figure depicts time series database 370 for collecting and storing time series data);

receiving, by said data store, a data stream comprising said collected plurality of time series signals, and storing said received data stream as individual time series data (Id., Fig. 4, Figure depicts time series database 370 for collecting and storing time series data);
calculating, by said operational predictive score engine of said scoring module, an operational predictive score for each of said time series signals of said components of said information technology system (Id., ¶ 273, embodiments introduced here include an ML-based CEP engine that utilizes distributed training and deliberation of one or more machine learning models. “Deliberation” of a machine learning model or a version of a machine learning model involves processing data through a model state of the machine learning model or version of the machine learning model. For example, deliberation can include scoring input data according to a model deliberation process logic as configured by the model state. The ML-based CEP engine processes event feature sets through the ML models to generate conclusions (e.g., security-related anomalies, security-related threat indicators, security-related threats, or any combination thereof) in real-time. “Real-time” computing, or “reactive computing”, describes computer systems subject to a processing responsiveness restriction (e.g., in a service level objective (SLO) in a service level agreement (SLA)). In real-time processing, conclusions are reached substantially immediately following the receipt of input data such that the conclusions can be used to respond the observed environment. The ML-based CEP engine continuously receives new incoming event feature sets and reacts to each new incoming event feature set by processing it through at least one machine learning model. Because of real-time processing, the ML-based CEP engine can begin to process a time slice of the unbounded stream prior to when a subsequent time slice from the unbounded stream becomes available);
and aggregating, by said operational predictive score roll-up module of said scoring module, said calculated operational predictive score of each of said time series signals of said components of said information technology system into an operational predictive score for each of said components of said information technology system (Id., ¶ 628, The anomaly score associated with a particular entity is based on the entity profile (including the underlying feature scores) of the particular entity. The anomaly score may be conceptualized as combination of all of the feature scores for a particular entity), (Id., ¶ 629, In some cases anomaly scores calculated or assigned by processing event data through an anomaly model to generate a numerical value. Here, the anomaly score is calculated or assigned by processing the plurality of feature scores through an anomaly model), (Id., ¶ 390, the use case described in FIGS. 31A-31B involves combining anomaly data associated with different types of anomalies, assigning a threat indicator score based on the result of the combining, and identifying a threat indicator if the threat indicator score satisfies a specified criterion).

Regarding claims 17-20 and 23-24 these claims recite limitations substantially similar to those in claims 2-5 and 9-10, respectively, and are rejected for the same reasons as stated above.

Regarding claim 25, Muddu anticipates …the method of claim 16…
Muddu further anticipates …further comprising one or more of: providing, on said graphical user interface, a visualization of said operational predictive score of each of said time series signals and said components to said user, for facilitating one or more of real-time monitoring, historical trend analysis, and system improvement; and monitoring, by said operational predictive score quality monitor module, a quality and an effectiveness of said operational predictive score of each of said time series signals and said components  (Id., ¶ 327, in some embodiments, certain kinds of log files are preferably to be processed before others, and the HDFS connector (discloses score quality module) can select to retrieve those log files that need to be processed first. Typically, data of events that have richer information can be retrieved first in order to increase the accuracy of the overall security analysis. For example, to enable identity resolution, device resolution, and session tracking, those log files with device information (e.g., DHCP) are preferably processed first, followed by log files which associate user data with devices (e.g., AD or VPN), followed by all other files. Additionally or alternatively, the query that is sent by the connector can specify that the retrieved files (e.g., representing events) should be ordered by their formats (e.g., DHCP, then AD/VPN, then others)), (Id., ¶ 224, As the number of events received by the security platform increases, so does the size of this composite relationship graph. 
Therefore, even though a relation graph from a single event may not carry much meaning from a security detection and decision standpoint, when there are enough events and all the relationship graphs from those events are combined into a composite relationship graph, the composite relationship graph can provide a good indication of the behavior of many entities, and the quality/accuracy of this indication increases over time as the composite relationship graph grows. Then, the subsequent processing stages (e.g., the complex processing engine) can use models to perform analytics on the composite relationship graph or on any particular portion (i.e., “projection”, discussed further below) of the composite relationship graph. In some embodiments, the composite relationship graph is persistently stored using a distributed file system such as HDFS™).

Regarding claims 27-29, these claims recite limitations substantially similar to those in claims 13-15, respectively, and are rejected for the same reasons as stated above.

Regarding claim 30, Muddu anticipates …A non-transitory computer readable storage medium having embodied thereon, computer program codes comprising instructions executable by at least one processor for real-time operational predictive scoring of components and services of an information technology system for forecasting and assessing performance of said components of said information technology system, the instructions when executed by the at least one processor cause the processor to perform a method comprising: collecting, in real-time, by a data pipeline, a plurality of time series signals comprising multiple metrics corresponding to one or more of health, performance, and functionality of each of said components of said information technology system (Muddu, ¶ 192, the security platform introduced here includes various aspects that are specifically tailored to this data environment, including techniques for obtaining different kinds of data, preparing data, and processing data, by using different stages, to enable quick diagnosis of service problems, detection of sophisticated security threats, understanding of the health and performance of remote equipment, and demonstration of compliance), (Id., ¶ 746, Embodiments of the techniques introduced here may be implemented, at least in part, by a computer program product which may include a non-transitory machine-readable medium having stored thereon instructions that may be used to program/configure a computer or other electronic device to perform some or all of the operations described above), (Id., Fig. 5, Figure depicts data pipeline 316 configured to collect data in real time);

receiving, by a data store, a data stream comprising said collected plurality of time series signals, and storing said received data stream as individual time series data (Id., Fig. 4, Figure depicts time series database 370 for collecting and storing time series data);

calculating, by an operational predictive score engine of a scoring module, an operational predictive score for each of said time series signals of said components of said information technology system (Id., ¶ 273, embodiments introduced here include an ML-based CEP engine that utilizes distributed training and deliberation of one or more machine learning models. “Deliberation” of a machine learning model or a version of a machine learning model involves processing data through a model state of the machine learning model or version of the machine learning model. For example, deliberation can include scoring input data according to a model deliberation process logic as configured by the model state. The ML-based CEP engine processes event feature sets through the ML models to generate conclusions (e.g., security-related anomalies, security-related threat indicators, security-related threats, or any combination thereof) in real-time. “Real-time” computing, or “reactive computing”, describes computer systems subject to a processing responsiveness restriction (e.g., in a service level objective (SLO) in a service level agreement (SLA)). In real-time processing, conclusions are reached substantially immediately following the receipt of input data such that the conclusions can be used to respond the observed environment. The ML-based CEP engine continuously receives new incoming event feature sets and reacts to each new incoming event feature set by processing it through at least one machine learning model. Because of real-time processing, the ML-based CEP engine can begin to process a time slice of the unbounded stream prior to when a subsequent time slice from the unbounded stream becomes available);
and aggregating, by an operational predictive score roll-up module of said scoring module, said calculated operational predictive score of each of said time series signals of said components of said information technology system into an operational predictive score for each of said components of said information technology system (Id., ¶ 628, The anomaly score associated with a particular entity is based on the entity profile (including the underlying feature scores) of the particular entity. The anomaly score may be conceptualized as combination of all of the feature scores for a particular entity), (Id., ¶ 629, In some cases anomaly scores calculated or assigned by processing event data through an anomaly model to generate a numerical value. Here, the anomaly score is calculated or assigned by processing the plurality of feature scores through an anomaly model), (Id., ¶ 390, the use case described in FIGS. 31A-31B involves combining anomaly data associated with different types of anomalies, assigning a threat indicator score based on the result of the combining, and identifying a threat indicator if the threat indicator score satisfies a specified criterion).



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 6-7, 12, 21-22, and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu in view of Yang et al., U.S. Patent No. 11,258,825 [hereinafter Yang].

Regarding claim 6, Muddu anticipates …the system of claim 3…
While suggested in at least Fig. 7 and related text, Muddu does not explicitly disclose …further comprising a training module configured to train said customized machine learning models comprising autoregressive Recurrent Neural Network based forecasting models.
However, Yang discloses …further comprising a training module configured to train said customized machine learning models comprising autoregressive Recurrent Neural Network based forecasting models (Yang, column 3, lines 50-64, In the example of FIG. 1, the SOC server 201 includes an event repository 202 and a prediction model 203. The event repository 202, which may be on a data storage device of the SOC server 201, may comprise a database or other module for logging and retrieving event data. In one embodiment, the SOC server 201 is configured to group related events into state sequences, group related events within a state sequence into states, and transform the states within a state sequence into time-series data by arranging the states in sequential, chronological order. The prediction model 203 may be, but not necessarily, generated using a Long Short-Term Memory (LSTM) Recurrent Neural Network (RNN) algorithm, with the state sequences as training data. Other suitable algorithms for generating a model for time-series prediction may also be employed).
At the time the invention was filed it would have been obvious to a person of ordinary skill in the art to have modified the IT health and performance scoring elements of Muddu to include the recurrent neural network elements of Yang in the analogous art of computer network monitoring with event prediction.
The motivation for doing so would have been to improve the ability to “perform a response action to stop or prevent the cyberattack, such as by blocking malicious network traffic, deleting malware files, stopping execution of a malicious process, preventing unauthorized entry, etc.” [Yang, column 4, lines 40-45], wherein such improvements would benefit Muddu’s method which seeks to “scope, disrupt, contain and/or recover from the attack” [Yang, column 4, lines 40-45; Muddu, ¶ 138].

Regarding claim 7, the combination of Muddu and Yang discloses …the system of claim 6…
Muddu further discloses …wherein said training module is further configured to train a common machine learned model for a set of related time series signals (Muddu, ¶ 233, a machine learning model can have different phases, for example, a training phase (discloses training module) (after initiation and before ready) and an active phase (after ready and before expiration). In a training phase of a machine learning model, if an event that is received involves both a user and a machine identifier (e.g., if the event data representing the event has both a user identifier and a machine identifier), then machine learning model that is employed by the identity resolution module 812 can use this event to create or update the probability of association between the user and the machine identifier. For example, when an authentication event is received (e.g., when a user logs into a particular machine) and involves a user (e.g., identified by a user identifier such as a username) and a machine identifier, the model learns that the user is now associated with the machine identifier, at least for a period of time until the user logs out or times out from the particular machine.).

Regarding claim 12, the combination of Muddu and Yang discloses …the system of claim 6…
Muddu further discloses …further comprising automatic triggering of said training module for retraining said customized machines learning models when a quality and an effectiveness of said operational predictive score of any of said time series signals and said components falls below a pre-defined value (Muddu, ¶ 236, The models can be trained and, in some implementations, continually updated (discloses retraining) after their activation, by relevant events when the events are received. An example of a relevant event is an authentication event, which inherently involves a user (e.g., which may be represented by a user identifier) and a number of machine identifiers (e.g., an IP address or a MAC address). Depending on the model, other criteria for an event to be considered relevant for model training and/or updating purposes may include, for example, when a new event includes a particular machine identifier, a particular user identifier, and/or the recency of the new event. Moreover, some models may assign a different weight to the new event based on what type of event it is. For example, given that the new event is an authentication event, some models assign more weight to a physical login type of authentication event than to any other type of authentication event (e.g., a remote login)), (Id., ¶ 233, a machine learning model can have different phases, for example, a training phase (discloses training module) (after initiation and before ready) and an active phase (after ready and before expiration)), (Id., ¶ 428, Each projection can be stored in a cluster of storage device and distributed amongst data containers (e.g., files) based on timestamps of the associated event data. The computer system can further identify events that have timestamps satisfying a specific closeness criterion (e.g., the timestamps having differences less than a threshold value), and store the edge data of these identified computer network activities in proximity to each other in the long-term non-volatile storage).

Regarding claims 21-22 and 26, these claims recite limitations substantially similar to those in claims 6-7 and 12, respectively, and are rejected for the same reasons as stated above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Sobhani Tehrani et al., U.S. Publication No. 2008/0082470 discloses infrastructure health monitoring and analysis.
Radibratovic et al., U.S. Publication No. 2010/0049494 discloses a method for predicting power usage effectiveness and data center infrastructure efficiency within a real-time monitoring system.
Gao et al., U.S. Publication No. 221/0012238 discloses a method and system for verifying state monitor reliability in hyper-converged infrastructure appliances.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS D BOLEN whose telephone number is (408)918-7631. The examiner can normally be reached Monday - Friday 8:00 AM - 5:00 PM PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patty Munson can be reached on (571) 270-5396. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NICHOLAS D BOLEN/
Examiner, Art Unit 3624

/PATRICIA H MUNSON/
Supervisory Patent Examiner, Art Unit 3624