DETAILED ACTION
This office action is in response to the amendments filed on 08/18/2022.
Claims 1, 3-7 are presented for examination.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Objections
Claim 1 is objected to because of the following informalities:  Claim 1 recites in part “the captured data based upon a set of heurustics”, however heurustics should be spelled heuristics.
Appropriate correction is required.
 
Response to Arguments
Applicant’s arguments with respect to the 35 USC 103 rejection of the claims filed 08/18/2022 in Remarks pg. 8-11 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Applicant further agues in essence:
[a] “With regards to the cited references, and starting with the primary reference Gates, Applicant recognizes it teaches, among other things, generating help desk tickets responsive to detecting performance issues occurring in multiple layers of a networked computing environment. (See Gates, Abstract). Applicant submits Gates has no teachings or suggestions (nor would there be any reason to do so other then use of impermissible hindsight) relating to utilizing a network monitoring probe to A) "create Call Detail Records (CDRs) by categorizing messages in the captured data packets, via a call trace application, wherein related packets are correlated using a 5-tuple association mechanism"; and B) "create Call Detail Records (CDRs) by categorizing messages in the captured data packets, via a call trace application, into calls belonging to one or more scenarios", as currently recited in Applicant's independent claim 1.”
In response to [a], firstly, examiner relies upon a few reference to teach the 5 tuple association mechanism, however still relies upon Sater to show “create Call Detail Records (CDRs) by categorizing messages in the captured data packets, via a call trace application”
In response to applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning.  But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper.  See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971).
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). 
In this case, Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Gates with Sater in order to incorporate network monitoring probe coupled to a telecommunications network configured to capture data packets from the telecommunications network, and combine related data packets into generated session records, wherein each session record includes multiple segments; analyze and generate alarms regarding a segment of a generated session record while the session record is active, store user preconfigured Service Level Objectives (SLOs) specific to a plurality of network services in one or more databases; identify a plurality of services provided by a network operator based upon analysis of a segment of a session record while the session record is active, create Call Detail Records (CDRs) by categorizing messages in the captured data packets, via a call trace application, into calls belonging to one or more scenarios; analyze the captured data to categorize between high-value captured network traffic and low-value network traffic present in the captured data based upon a set of heuristics.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improving service performance and user experience (Sater: para.0002 and para.0039)

[b] “With regards to the secondary references, and after acknowledging that Gates does not disclose a "network monitoring probe coupled to a telecommunications network" (see, page 6 of Office Action), the Examiner cites Sater for its purported teachings relating to a " network monitoring probe coupled to a telecommunications network" (see, pages 6-7 of Office Action), and "creat[ing] Call Detail Records (CDRs) by categorizing messages in the captured data packets, via a call trace application, into calls belonging to one or more scenarios" with alleged support being provided by ¶[0043] of Sater (see, p. 9 of Office Action). Applicant respectfully disagrees. ¶[0043] of Sater explicitly discloses: 
....An aspect of the system 200 subject disclosure includes extending the monitoring capabilities of the base protocols, including the application layer, to support the IMS. In another aspect of the subject disclosure, monitoring at Cx on the path from CSCF to HSS, supporting call trace to ensure call detail record generation and supporting H. 248 on Mp if MRFP and MRFC are not integrated. (Emphasis added). 
Thus, at best, Sater teaches that the Cx path from CSCF to HSS is monitored to support call trace while supporting call detail record generation. Applicant respectfully submits this is not a teaching of "creat[ing] Call Detail Records (CDRs) by categorizing messages in the captured data packets, via a call trace application" (e.g., there is no teaching of any "categorizing messages in the captured data packets"), let alone "wherein related packets are correlated using a 5-tuple association mechanism", as currently recited in Applicant's independent claim 1.”
In response to [b], below is the citation used to teach this limitation in Sater in the previous rejection:
create Call Detail Records (CDRs) by categorizing messages in the captured data packets, via a call trace application, (Sater: para.0043 “In another aspect of the subject disclosure, monitoring at Cx on the path from CSCF to HSS, supporting call trace to ensure call detail record generation and supporting H.248 on Mp if MRFP and MRFC are not integrated.” para.0039 “Call detail records such as OMA/3GPP reporting bearers, protocols, QoS profile, expected throughput, failure cause code, etc. Another aspect correlates call detail records by subscriber or multiple subscribers for performance reporting on multi-party sessions/calls. Metrics may also be aggregated by enterprise, service, traffic class, etc. Extended data records may be used to provide an intermediate check of message reliability and processing status.” call detail records are created via call trace application, which call under various scenarios based on metrics and subscribers.); 
Arguments do not seem to address the majority of the citation in para.0039, which show that call detail records are generated, and categorized by at least enterprise, service, traffic, class and subscriber.  Examiner does not rely upon Sater to teach the 5 tuple association, and is rejected using a new reference in updated rejection below.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-7, are rejected under 35 U.S.C. 103 as being unpatentable over Gates et al. (hereinafter Gates, US 2015/0288557 A1) in view of Sater et al. (hereinafter Sater, US 2009/0181665 A1) further in view of Sainini et al. (hereinafter Sainini, US 2016/0103838 A1) further in view of Kakadia et al. (hereinafter Kakadia, US 2015/0281004 A1) further in view of Wilkinson (US 2013/0166730 A1).
Regarding Claim 1, Gates discloses a network monitoring system for detecting service failures by mobile devices in a telecommunications network (Gates: para.0043 “In one embodiment, the network-level monitor 304 may monitor the performance of a network connecting an end user device (e.g., a mobile device or workstation) with an application server.”), comprising: 
a network monitoring probe (Gates: Fig.3 330, Fig.1 158, para.0045 “The root cause identification manager 330may comprise an application running on a server, such as server 158 in FIG. 1.” The server 158 is the probe); 
a network monitoring device (Gates: Fig.1:160, para.0034, server 160) coupled to the network monitoring probe (Gates: Fig.1:160, para.0034 server 158, which has the root cause identification manager 330, is in communication with server 160, a networking monitoring device) configured to analyze and generate alarms (Gates: para.0069), the network monitoring probe including:
a processor; and a memory coupled to the processor (Gates: Fig.3, para.0024, para.0027, para.0039,para.0042 the root cause identification tool may run on a server such as server 158 in Fig.1), the memory configured to store program instructions executable by the processor to cause the network monitoring system to : 
calculate a plurality of Key Performance Indicators (KPIs) (Gates: para.0052 service level data, and application status data i.e. running halted terminated) associated with a plurality of services on a per service basis (Gates: para.0052 “In some embodiments, a root cause identification tool, such as root cause identification manager 330, may aggregate data from a plurality of information technology management software tools periodically or in response to a service-level performance issue being detected (e.g., a service is no longer available to an end user of the service). The aggregated data may include service-level data related to a service provided by a networked computing environment, such as the availability of the service and response times associated with the service.,,,, The aggregated data may include application-level data related to the plurality of applications, such as a status of each of the plurality of applications (e.g., currently running, halted, or terminated) and an identification of a first set of servers which are running the plurality of applications.” para.0052 “The aggregated data may include networking-level data associated with networks connected to the first set of servers, such as the resources available in the network and network utilization metrics.” service level data for individual services, individual applications being monitored, and utilization is collected.  para.0085 further shows an application performance metric as well.); 
characterize one or more service levels of individual services provided by the network operator based on the stored plurality of KPIs (Gates: para.0042-para.0044, para.0068, when the monitoring applications detect a problem when monitoring, it creates an alarm regarding this issue, thereby characterizing the service levels of the services)
and comparing the calculated KPI values with target values (Gates: para.0085 baseline or acceptable range) to render off-target KPIs (Gates: para.0085 “The alert may be acquired from an application-level monitor, such as application-level monitor 306 in FIG. 3. In some embodiments, the alert may be generated by the application-level monitor if a current performance metric is outside an acceptable range. As an acceptable range of application performance may vary over time due to varying conditions, such as server loads, end user usage patterns, day of the week or month (e.g., weekend days, weekdays, and holidays), time of day (e.g., during working hours vs. non-working hours), and load patterns (e.g., batch mode processing may be performed at a particular time of day), different baselines of application performance may be determined for the varying conditions.” it is determined when collected metrics and monitored data go outside of an acceptable range or a baseline of application performance.); and 
identify a root cause of service level failures for one or more of the plurality of services (Gates: para.0066 Fig. 5B “As depicted in FIG. 5B, the failure graph 560 includes a leaf node corresponding with the alarm regarding power failure 584 and a root node corresponding with the alarm regarding service response time 572. A path from the leaf node of the failure graph to the root node of the failure graph including the nodes 584, 580, 576, and 572 comprises a chain of failures. “ the failures are mapped and used to find the root node, the root cause of these failures.)
in response to determining that at least one of the characterized service levels does not meet predefined service level objectives for the one or more of the plurality of services (Gates: para.0067, para.0068, Fig.6a:602, the process for determining the cause of the failure occurs when an alarm regarding service level issue is detected);
and generate an alarm message having an alarm indication pertaining to the one or more of the plurality of services based on the identified root cause and the calculated plurality of KPIs (Gates: para.0085 “In step 702… In some embodiments, the alert may be generated by the application-level monitor if a current performance metric is outside an acceptable range.”, para.0086 “In step 704, data from a plurality of performance management tools monitoring the networked computing environment is aggregated.” Para.0088 “In step 712, a first leaf node of the plurality of nodes is identified. The first leaf node may correspond with a root cause of the performance issue.” Para.0088 “ step 718, a consolidated alarm corresponding with the first chain of failures is outputted. The consolidated alarm may comprise a report or other message specifying the leaf node of the first chain of failures. The message specifying a failure associated with the leaf node may be transmitted to a target recipient.” In steps 702-712, the KPI are collected when the performance metric is outside an acceptable range, and compiled into a consolidated alarm, the alarm message, which contains information pertaining to the failure and the first leaf node, which is the root cause, all of which is created from analysis of performance issues  ), 
However Gates does not explicitly disclose network monitoring probe coupled to a telecommunications network configured to capture data packets from the telecommunications network, and combine related data packets into generated session records, wherein each session record includes multiple segments; analyze and generate alarms regarding a segment of a generated session record while the session record is active, store user preconfigured Service Level Objectives (SLOs) specific to a plurality of network services in one or more databases; identify a plurality of services provided by a network operator based upon analysis of a segment of a session record while the session record is active, which includes assigning a unique service identifier to each calculated KPI value of the plurality of KPIs, wherein each KPI value and assigned unique identifier is stored together with the associated data event in a data repository, characterize one or more service levels of individual services provided by the network operator based on the stored plurality of KPIs by correlating the preconfigured SLOs with historical data and with the calculated KPI values; create Call Detail Records (CDRs) by categorizing messages in the captured data packets, via a call trace application, wherein related packets are correlated using a 5-tuple association mechanism; analyze the captured data to categorize between high-value captured network traffic and low-value network traffic present in the captured data based upon a set of heuristics wherein the service level failures comprise one or more failures to meet predefined SLOs stored in the one or more databases such that service levels are characterized by correlating SLOs with collected historical data and with the calculated KPI values.
Sater discloses network monitoring probe coupled to a telecommunications network (Sater: para.0001 “The subject invention relates generally to the telecommunications industry, and more particularly to the management of a mobile telephone system with respect to the service assurance domain with regards to availability, performance and root cause analysis”) configured to capture data packets from the telecommunications network (Sater: para.0026 “Passive monitoring is implemented without interfering with the flow of information in the service path and is made available through capabilities such as management information bases, usage records, log files or strategically placed probes that passively measure key process indicators. In another aspect of the subject disclosure, active monitoring is accomplished by emulating service usage in the service and control planes. Typically, strategically placed probes actively measure key process indicators of interest.” para.0024 and para.0044 disclose packet analysis “An additional aspect includes further localizing network impairments by extending support for noting and tracking delay between nodes, for example latency, jitter and packet loss. In another aspect of the subject disclosure, network based packet inspection is implemented.” network probes are used to analyze packets in the telecommunications network), and 
combine related data packets into generated session records, wherein each session record includes multiple segments (Sater: para.0039 “For example, GSM enhanced measurement reports covering call setup delay with coverage metrics every 480 milliseconds. Call detail records such as OMA/3GPP reporting bearers, protocols, QoS profile, expected throughput, failure cause code, etc. Another aspect correlates call detail records by subscriber or multiple subscribers for performance reporting on multi-party sessions/calls. Metrics may also be aggregated by enterprise, service, traffic class, etc. Extended data records may be used to provide an intermediate check of message reliability and processing status. Another aspect includes device metrics reported to indicate perceived customer experience and end-to-end metrics including round trip time, jitter, setup delay, bandwidth usage, number of concurrent incoming and outgoing streams by subscriber and other metrics that are most accurate when measured from the device.”  para.0024 “In another aspect of the subject disclosure, service categories are implemented for base protocol analysis, multimedia mean opinion scores and applications or devices involving logic and context. In the base protocol analysis, functionality for monitoring, managing and reporting on latency, jitter, dropped packets and service availability is included. This information may be transmitted across layers and retained for subsequent historical analysis” Call detail records are generated from information obtained from the probes of para.0026,  and it can be seen in para.0024 that packet specific information is included information stored for historical analysis.); 
analyze and generate alarms regarding a segment of a generated session record while the session record is active (Sater: para.0032 “State changes in the indicated areas will generate automatic notification to all applicable parties as well as update audit and non-performance compensation reports including performance issues such as root cause and maintenance issues such as down time. For example, service performance degradation can generate an email or an short message service (SMS) notice to internal and/or applicable third parties advising them of the degradation in performance.” para.0039 “Another aspect of the subject disclosure includes monitoring and collection of data for analysis and reporting. For example, GSM enhanced measurement reports covering call setup delay with coverage metrics every 480 milliseconds. Call detail records such as OMA/3GPP reporting bearers, protocols, QoS profile, expected throughput, failure cause code, etc. Another aspect correlates call detail records by subscriber or multiple subscribers for performance reporting on multi-party sessions/calls.” para.0024 “In the base protocol analysis, functionality for monitoring, managing and reporting on latency, jitter, dropped packets and service availability is included.” performance can be monitored and performance can be reported, i.e. alarms, regarding these degradations.  It should be noted that all comparisons done using collected data is done both historically and in real time, thereby showing while the record is active para.0007 “The collected data is compared in both a real-time and historical analysis to determine if the instantaneous and trended values of the collected data meet the specifications of the key performance indicators as defined for the network system.”), 
store user preconfigured Service Level Objectives (SLOs) specific to a plurality of network services in one or more databases (Sater: para.0033 “Initially, generic per service SLOs/SLAs are established during service on-boarding then customer specific performance baselines are established after the validation period.” system maintains SLOs per service therefore stored in at least one of the databases of the system for example storage 110 in Fig.3 and para.0047.); 
identify a plurality of services provided by a network operator based upon analysis of a segment of a session record while the session record is active (Sater: para.0039 “For example, GSM enhanced measurement reports covering call setup delay with coverage metrics every 480 milliseconds. Call detail records such as OMA/3GPP reporting bearers, protocols, QoS profile, expected throughput, failure cause code, etc. Another aspect correlates call detail records by subscriber or multiple subscribers for performance reporting on multi-party sessions/calls. Metrics may also be aggregated by enterprise, service, traffic class, etc.”  call detail records include metrics that are aggregated by service, therefore a plurality of services are identified by the system during analysis of measurements.), 
create Call Detail Records (CDRs) by categorizing messages in the captured data packets, via a call trace application, (Sater: para.0043 “In another aspect of the subject disclosure, monitoring at Cx on the path from CSCF to HSS, supporting call trace to ensure call detail record generation and supporting H.248 on Mp if MRFP and MRFC are not integrated.” para.0039 “Call detail records such as OMA/3GPP reporting bearers, protocols, QoS profile, expected throughput, failure cause code, etc. Another aspect correlates call detail records by subscriber or multiple subscribers for performance reporting on multi-party sessions/calls. Metrics may also be aggregated by enterprise, service, traffic class, etc. Extended data records may be used to provide an intermediate check of message reliability and processing status.” call detail records are created via call trace application, which call under various scenarios based on metrics and subscribers.); 
analyze the captured data to categorize between high-value captured network traffic and low-value network traffic present in the captured data based upon a set of heuristics (Sater: para.0039 “Call detail records such as OMA/3GPP reporting bearers, protocols, QoS profile, expected throughput, failure cause code, etc. Another aspect correlates call detail records by subscriber or multiple subscribers for performance reporting on multi-party sessions/calls. Metrics may also be aggregated by enterprise, service, traffic class, etc. Extended data records may be used to provide an intermediate check of message reliability and processing status. Another aspect includes device metrics reported to indicate perceived customer experience and end-to-end metrics including round trip time, jitter, setup delay, bandwidth usage, number of concurrent incoming and outgoing streams by subscriber and other metrics that are most accurate when measured from the device.” para.0032 “For example, service performance degradation can generate an email or an short message service (SMS) notice to internal and/or applicable third parties advising them of the degradation in performance.” data is captured and analyzed to categorize between normal data and data that indicate delays, jitter, and other metrics that could reduce user experience, which would be the difference between high value and low value traffic depending on what is being measured, for example high value can detect high amounts of jitter or high bandwidth.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Gates with Sater in order to incorporate network monitoring probe coupled to a telecommunications network configured to capture data packets from the telecommunications network, and combine related data packets into generated session records, wherein each session record includes multiple segments; analyze and generate alarms regarding a segment of a generated session record while the session record is active, store user preconfigured Service Level Objectives (SLOs) specific to a plurality of network services in one or more databases; identify a plurality of services provided by a network operator based upon analysis of a segment of a session record while the session record is active, create Call Detail Records (CDRs) by categorizing messages in the captured data packets, via a call trace application, into calls belonging to one or more scenarios; analyze the captured data to categorize between high-value captured network traffic and low-value network traffic present in the captured data based upon a set of heuristics.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improving service performance and user experience (Sater: para.0002 and para.0039)
However Gates-Sater does not explicitly disclose which includes assigning a unique service identifier to each calculated KPI value of the plurality of KPIs, wherein each KPI value and assigned unique identifier is stored together with the associated data event in a data repository, characterize one or more service levels of individual services provided by the network operator based on the stored plurality of KPIs by correlating the preconfigured SLOs with historical data and with the calculated KPI values; wherein related packets are correlated using a 5-tuple association mechanism; wherein the service level failures comprise one or more failures to meet predefined SLOs stored in the one or more databases such that service levels are characterized by correlating SLOs with collected historical data and with the calculated KPI values.
Sainini discloses which includes assigning a unique service identifier (stored service definition, para.0296 “the computing machine receives input of an identifying name for referencing the entity definition for an entity. … The identifying name can be a unique name”) to each calculated KPI value of the plurality of KPIs (Sainin: para.0797 “The value may be indicative of the performance of a service at a point in time or over a period of time and the service may be represented by a stored service definition associating one or more entities that provide the service.”), 
wherein each KPI value (Sainini: para.0982 “aggregate KPI or aspect KPI”) and assigned unique identifier (associated services) is stored together with the associated data event (notable event) in a data repository (Sainini: para.0982 “Since the KPI correlation search, whether an aggregate KPI or aspect KPI, indicates a state of a service at a point in time or during a period of time and derives values from corresponding machine data for the one or more entities that make up the service, the service associated with the notable event generated from the KPI correlation search is known. When the notable event is stored, one piece of associated information is the associated service(s) of the correlation search from which the notable event is generated. In one implementation, other services having a dependency relationship with the KPI may also be stored as part of the notable event record.” ).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Gates-Sater with Sainini in order to incorporate assigning a unique service identifier to each calculated KPI value of the plurality of KPIs, wherein each KPI value and assigned unique identifier is stored together with the associated data event in a data repository.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improving user experience when troubleshooting service related issues (Sainini: para.0234).
However Gates-Sater-Sainini does not explicitly disclose characterize one or more service levels of individual services provided by the network operator based on the stored plurality of KPIs by correlating the preconfigured SLOs with historical data and with the calculated KPI values; wherein related packets are correlated using a 5-tuple association mechanism; wherein the service level failures comprise one or more failures to meet predefined SLOs stored in the one or more databases such that service levels are characterized by correlating SLOs with collected historical data and with the calculated KPI values.
Kakadia discloses characterize one or more service levels of individual services provided by the network operator based on the stored plurality of KPIs by correlating the preconfigured SLOs with historical data and with the calculated KPI values (Kakadia: para.0048 “For example, network configuration engine 420 may identify KPIs that are trending towards a potential SLA violation, and may make network modifications based on the identified trends. For instance, assume that a threshold latency, indicated by a particular SLA, is 40 ms. Further assume that network configuration engine 420 identifies that four data points, for a particular set of traffic (e.g., traffic associated with a particular segment, traffic associated with a particular QCI, traffic associated with a particular service, etc.), indicate latencies of 20 ms, 25 ms, 30 ms, and 35 ms. In this situation, even though the latencies are all below the 40 ms threshold, network configuration engine 420 may identify that an upward trend of the latencies indicates that the SLA may be violated if the trend continues, and may take corrective action based on the identified trend.” the service levels of the individual services are characterized as trending towards a failure, based on a correlation between the historical data, 20ms 25ms and 30ms, the most recent reading, 35ms, to the preconfigured SLO of 40ms threshold.)
wherein the service level failures comprise one or more failures to meet predefined SLOs stored in the one or more databases (Kakadia: para.0048 “In this situation, even though the latencies are all below the 40 ms threshold, network configuration engine 420 may identify that an upward trend of the latencies indicates that the SLA may be violated if the trend continues, and may take corrective action based on the identified trend.” if the service level rises above the threshold, then the SLA would be violated.)
such that service levels are characterized by correlating SLOs with collected historical data and with the calculated KPI values (Kakadia: para.0048 “For example, network configuration engine 420 may identify KPIs that are trending towards a potential SLA violation, and may make network modifications based on the identified trends. For instance, assume that a threshold latency, indicated by a particular SLA, is 40 ms. Further assume that network configuration engine 420 identifies that four data points, for a particular set of traffic (e.g., traffic associated with a particular segment, traffic associated with a particular QCI, traffic associated with a particular service, etc.), indicate latencies of 20 ms, 25 ms, 30 ms, and 35 ms. In this situation, even though the latencies are all below the 40 ms threshold, network configuration engine 420 may identify that an upward trend of the latencies indicates that the SLA may be violated if the trend continues, and may take corrective action based on the identified trend.” the current service level in this case is measured by correlating the threshold for SLA, 40ms, with historical data, 20ms, 25ms, and 30ms, with the current KPI reading, 35 ms.  ).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Gates-Sater-Sainini with Kakadia in order to incorporate characterize one or more service levels of individual services provided by the network operator based on the stored plurality of KPIs by correlating the preconfigured SLOs with historical data and with the calculated KPI values; wherein the service level failures comprise one or more failures to meet predefined SLOs stored in the one or more databases such that service levels are characterized by correlating SLOs with collected historical data and with the calculated KPI values.
One of ordinary skill in the art would have been motivated to combine in order to guarantee a level of quality of service to users, which has the expected benefit of improving user experience  (Kakadia: para.0001).
However Gates-Sater-Sainini-Kakadia does not explicitly disclose wherein related packets are correlated using a 5-tuple association mechanism.
Wilkinson discloses wherein related packets are correlated using a 5-tuple association mechanism (Wilkinson: para.0034, “In some embodiments, related packets may be correlated and combined into a record for a particular flow, session or call on network 115. These data packets or messages may be captured in capture files. A call trace application may be used to categorize messages into calls and to create Call Detail Records (CDRs). These calls may belong to scenarios that are based on or defined by the underlying network. In an illustrative, non-limiting example, related packets can be correlated using a 5-tuple association mechanism. Such a 5-tuple association process may use an IP correlation key that includes 5 parts: server IP address, client IP address, source port, destination port, and Layer 4 Protocol (Transmission Control Protocol (TCP), User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP)).” call detail records are generated by correlating related packets using 5 tuple association.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Gates-Sater-Sainini-Kakadia with Wilkinson in order to incorporate wherein related packets are correlated using a 5-tuple association mechanism.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of accurately correlating packets to generate Call detail records (Wilkinson: para.0034).

Regarding Claim 3, Gates-Sater-Sainini-Kakadia-Wilkinson discloses The network monitoring system of claim 1.
Gates further discloses wherein the plurality of services provided by the network operator include business-to-business (b2b), business-to-consumer (b2c), consumer- to-business (c2b) or consumer-to-consumer (c2c) services or events (Gates: para.0006, the services include services such as web-based work productivity applications, or business tools, it also includes services that are provided to end users. Therefore, the monitoring of services includes b2b, b2c and b2b).

Regarding Claim 4, Gates-Sater-Sainini-Kakadia-Wilkinson discloses the network monitoring system of claim 1.  
However Gates does not explicitly disclose wherein to identify a plurality of services provided by a network operator, the program instructions are further executable by the processor to cause the network monitoring system to automatically detect the plurality of services provided by the network operator.
Sater discloses wherein to identify a plurality of services provided by a network operator, the program instructions are further executable by the processor to cause the network monitoring system to automatically detect the plurality of services provided by the network operator (Sater: para.0039 “For example, GSM enhanced measurement reports covering call setup delay with coverage metrics every 480 milliseconds. Call detail records such as OMA/3GPP reporting bearers, protocols, QoS profile, expected throughput, failure cause code, etc. Another aspect correlates call detail records by subscriber or multiple subscribers for performance reporting on multi-party sessions/calls. Metrics may also be aggregated by enterprise, service, traffic class, etc.”  call detail records include metrics that are aggregated by service, therefore a plurality of services are identified by the system during analysis of measurements. ).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Gates-Sater-Sainini-Kakadia-Wilkinson in order to incorporate wherein to identify a plurality of services provided by a network operator, the program instructions are further executable by the processor to cause the network monitoring system to automatically detect the plurality of services provided by the network operator.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improving service performance and user experience (Sater: para.0002 and para.0039)

Regarding Claim 5, Gates-Sater-Sainini-Kakadia-Wilkinson discloses the network monitoring system of claim 1 as set forth above. 
Gates further discloses wherein to calculate a plurality of KPIs associated with the identified plurality of services, the program instructions are further executable by the processor to cause the network monitoring system to identify a set of KPIs that indicate quality of the identified plurality of services (Gates: col.18 lines 58-col.19 line 7 “Session flow report 400 may also include response time 480 indicating the total time for the network to process a transaction. For example, the network was able to process login transaction 420 in 224.456 milliseconds while it took 1111.312 milliseconds to process account transaction 430. In some embodiments, response time 480 may be the cumulative response times for each of the transaction reports comprising the specific transaction. In some embodiments, response time 480 may be the duration field 322 reported by the transaction report for the entry level device. Response time 480 may allow a troubleshooter to quickly identify transactions that have timed out or are operating inefficiently. When combined with other data fields, this may allow the troubleshooter to identify network devices 140 that are malfunctioning or operating slowly.” in this case, the response times for a login and account transaction are reported, each of which is a service.  Para.0108 and Fig.9 “In step 902, an alert corresponding with a performance issue in a networked computing environment is detected. In step 904, data from a plurality of performance management tools monitoring the networked computing environment is aggregated. The aggregated data may include a plurality of alarms, as well as log files generated by devices within the networked computing environment.” based on a detected alert in 902, associated alarms from the same networked computing environment are aggregated.).

Regarding Claim 6, Gates-Sater-Sainini-Kakadia-Wilkinson discloses the network monitoring system of claim 2 as set forth above. 
Gates further discloses wherein the alarm message includes information related to at least one of network elements, network applications or devices that influence quality of the one or more of the plurality of services (Gates: para.0068, Fig.6a:616 when a service level alarm is detected, the issue may correspond to an individual application, so in steps 604 and 606, the applications associated with the service level failure is identified, and the root cause of the application is identified and outputted.  Additionally, in Fig.7A:718, 7B:744 the report can include a node, or even a chain of nodes that are related to the problem as well. Fig.4 para.0053, para.0054 shows what the chain could look like, which includes applications, as well as network elements and devices).

Regarding Claim 7, Gates-Sater-Sainini-Kakadia-Wilkinson discloses the network monitoring system of claim 1, however Gates does not explicitly disclose wherein to identify a plurality of services provided by a network operator, the program instructions are further executable by the processor to cause the network monitoring system to classify the plurality of services based on Internet Protocol (IP) addresses, Access Point Names (APN), Quality of Service (QoS) or combination thereof.
Sater discloses wherein to identify a plurality of services provided by a network operator, the program instructions are further executable by the processor to cause the network monitoring system to classify the plurality of services based on Internet Protocol (IP) addresses, Access Point Names (APN), Quality of Service (QoS) or combination thereof (Sater: para.0039 “For example, GSM enhanced measurement reports covering call setup delay with coverage metrics every 480 milliseconds. Call detail records such as OMA/3GPP reporting bearers, protocols, QoS profile, expected throughput, failure cause code, etc. Another aspect correlates call detail records by subscriber or multiple subscribers for performance reporting on multi-party sessions/calls. Metrics may also be aggregated by enterprise, service, traffic class, etc.”  call detail records include metrics that are aggregated by service and can also be associated with failure cause codes and Qos profiles, both of which classify the service associated with the CDR based on a quality of service.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Gates-Sater-Sainini-Kakadia-Wilkinson in order to incorporate wherein to identify a plurality of services provided by a network operator, the program instructions are further executable by the processor to cause the network monitoring system to classify the plurality of services based on Internet Protocol (IP) addresses, Access Point Names (APN), Quality of Service (QoS) or combination thereof.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improving service performance and user experience (Sater: para.0002 and para.0039)


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Rijnders et al. US 2016/0080248 A1, Network Service Restoration-on-Demand, determining cause of network degradation, see para.0057.
Oliveira et al. US 9,729,414 B1, Monitoring Service Availability Using Distributed BGP Routing Feeds. See fig. 9 that shows root cause analysis
Benner et al. US 9,667,476 B2 Isolating the Sources of Faults/Potential Faults Within Computing Networks.  See Fig.4 and abstract, that shows using historical data for alerts of network faults.
Bernardini et al. US 2008/0317217 A1 SYSTEM AND METHOD FOR DETERMINING AND OPTIMIZING RESOURCES OF A DATA PROCESSING SYSTEM UTILIZED BY A SERVICE REQUEST, correlations between data from different sources, fig. 4a, para.0066.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to EUI H KIM whose telephone number is (571)272-8133.  The examiner can normally be reached on 7:30-5 M-R, M-F alternating.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached on 5712725863.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/EUI H KIM/             Examiner, Art Unit 2453                                                                                                                                                                                           
/KAMAL B DIVECHA/             Supervisory Patent Examiner, Art Unit 2453