Cross-Environment Event Correlation Using Domain-Space Exploration and Machine Learning Techniques

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant contends the combination of Roundy and Muddu fails to teach or suggest “determining, using one or more machine learning techniques, one or more correlated events” relating to an issue/incident across a plurality of computing domains of a cloud-native environment, and further contends the combination fails to teach “domain-space exploration” that includes “a combining of entities” including “linking information regarding similar nodes that connect across the technical problem or the incident.” This is not persuasive because Applicant’s position relies on conclusory assertions and an unduly narrow reading of the applied references. As set forth in the Office Action, Roundy teaches correlating events related to an issue/incident occurring to computing network elements across a plurality of computing domains/environments (see, e.g., Roundy, col. 5, ll. 49–56 as previously applied). Roundy further teaches building and using relationships among entities representing the relevant telemetry/event information in order to perform cross-environment correlation and drive remediation/corrective action based on the correlation results. Under the broadest reasonable interpretation, Roundy’s correlation framework necessarily involves establishing associations between like entities (e.g., nodes/components/resources/event sources) spanning domains/environments to support the correlation task. Applicant does not identify any claim requirement that Roundy affirmatively excludes; instead, Applicant simply restates the claim language and asserts the references do not teach it. With respect to the “machine learning techniques” aspect, Muddu explicitly teaches ML-based complex event processing with a plurality of machine learning models configured to process event data and detect anomalies/correlated conditions from event feature sets (see, e.g., Muddu, col. 19, ll. 4–8; col. 43, ll. 26–32; col. 43, ll. 46–53 as cited by Applicant). Thus, Muddu provides the very ML-based event processing mechanism Applicant alleges is missing. The rejection’s combination is a straightforward substitution/augmentation: applying Muddu’s ML-based CEP/anomaly detection to Roundy’s cross-domain event-correlation context to improve correlation accuracy, robustness, and automation. A person of ordinary skill would have had a reasonable expectation of success because both references operate on event/telemetry data streams to identify higher-level conditions (correlation/anomaly) from lower-level events. Applicant’s emphasis that Muddu discusses models “related to a respective user” is not persuasive. Muddu’s teaching is not limited to “user” as a special technical constraint; rather, Muddu teaches partitioning/grouping input data and applying corresponding ML models to those partitions. Under the broadest reasonable interpretation, “user groups” in Muddu are an example of partitioning criteria, and the same ML-based CEP architecture would have been predictably applicable to other partitioning dimensions, including by computing domain, environment, cluster, namespace, node group, service boundary, tenant, or other cloud-native segmentation. The claims do not require that correlation be performed across domains in a manner that is incompatible with Muddu’s partitioned modeling; indeed, partitioning by domain and then correlating across domains is a known and predictable design choice in distributed monitoring/observability systems, especially where cross-domain correlation must be performed at scale. Applicant also asserts the combination fails to teach the claimed “domain-space exploration” that “includes a combining of entities” and “linking information regarding similar nodes that connect across the technical problem or the incident.” This is not persuasive for at least two reasons. First, Roundy’s cross-environment correlation necessarily entails exploring relationships among entities (events/sources/components) across environments to determine correlated conditions; that is “domain-space exploration” under a broad, reasonable construction. Second, even assuming arguendo that Applicant is importing a narrower notion of “domain-space exploration,” Muddu teaches processing event feature sets within a CEP/ML framework in which events/entities are collected, grouped, and compared against learned patterns/thresholds to detect higher-level conditions. Incorporating Muddu’s ML-based event processing into Roundy’s cross-domain correlation yields the claimed “combining” and “linking” of entities/nodes/information to support correlation and corrective action, because the combined system necessarily ingests events from multiple domains, represents them as entities/features, and forms relationships/similarities used to output correlated events that drive remediation. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-2, 10-14, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent 9,256,739 (Roundy et al; Roundy) in view of US Patent 10,116, 670 (Muddu et al; Muddu). Regarding claim 1 and analogous claims 14 and 19: Roundy teaches: 1. A computer-implemented method for cross-environment event correlation, the computer-implemented method comprising: determining, [using one or more machine learning techniques,] one or more correlated events about an issue related to a technical problem or an incident occurring to computing network elements across a plurality of computing domains of a cloud native environment, to facilitate a corrective action to the technical problem or incident; (Roundy, col. 5: 49-56) “As illustrated in FIG. 1, exemplary system 100 may also include one or more databases, such as database 120. In one example, database 120 may store information about one or more suspicious events (e.g., suspicious events 122) [i.e. A computer-implemented method for cross-environment event correlation, the method comprising:], information about suspiciousness scores associated with actors and/or suspicious events (e.g., suspiciousness scores 124), and/or information about one or more correlation graphs (e.g., event-correlation graphs 126) [i.e. determining one or more correlated events about an issue related to a technical problem or an incident occurring to computing network elements across a plurality of computing domains].” (Roundy, col. 20: 20-22) “In some examples, all or a portion of exemplary system 100 in FIG. 1 may represent portions of a cloud-computing or network-based environment [i.e. of a cloud native environment,].” 2. wherein the determining of the one or more correlated events controls to facilitate a corrective action to the technical problem or the incident; (Roundy, col. 13: 4-7) “In some examples, upon generating a procedure for remediating an effect of an attack on a computing system, remediating module 108 may automatically apply the procedure to remediate the effect of the attack [i.e. wherein the determining of the one or more correlated events controls to facilitate a corrective action to the technical problem or the incident;].” 3. extracting a set of knowledge data of the technical problem or the incident of the computing network elements, determined from the one or more correlated events; (Roundy, col. 5: 49-56) “As illustrated in FIG. 1, exemplary system 100 may also include one or more databases, such as database 120. In one example, database 120 may store information about one or more suspicious events (e.g., suspicious events 122), information about suspiciousness scores associated with actors and/or suspicious events (e.g., suspiciousness scores 124) [i.e. extracting a set of knowledge data of the technical problem or an incident issue of the computing network elements, determined from the one or more correlated events;], and/or information about one or more correlation graphs (e.g., event-correlation graphs 126).” 3. grouping the one or more correlated events into one or more event groups to represent a relationship with the technical problem or the incident issue of the computing network elements; (Roundy, col. 8: 48-55) “For example, constructing module 106 may, as part of server 206 in FIG. 2, construct, in response to the detection of suspicious event 222 involving the first actor, event-correlation graph 230 that includes node 232 that represents the first actor, node 234 that represents a second actor, and edge 236 that interconnects node 232 and node 234 and represents suspicious event 224 involving the first actor and the second actor [i.e. grouping the correlated events into one or more event groups to represent a relationship with the technical problem].” 4. and improving computing operation in the plurality of computing domains by providing the one or more event groups of the one or more correlated events with an explanation about a cause of the technical problem or an incident issue of the computing network elements for the one or more correlated events, wherein the providing of the one or more event groups with the explanation is based on the logical reasoning description. (Roundy, col. 10:14-25) “Upon constructing event-correlation graph 500 in FIG. 5, constructing module 106 may construct event-correlation graph 600 in FIG. 6 from event-correlation graph 500 by (1) identifying additional suspicious events that involve the actors represented in event-correlation graph 500 (e.g., “viux.exe” and “wscntfy.exe”) [i.e. for the one or more correlated events based on the logical reasoning description.] and (2) adding, for each identified suspicious event, a representation of the suspicious event to event-correlation graph 600. For example, constructing module 106 may identify, for “viux.exe” represented by node 402 in event-correlation graph 500, a set of suspicious events that involve “viux.exe” and one of executables “iexplorer.exe,” “bot.exe,” and “explorer.exe. [i.e. and improving computing operation in the plurality of computing domains by providing the one or more event groups of correlated events with an explanation about a cause of the technical problem].” Examiner notes that the claim language states that the explanation is about “a cause” of the technical problem, which can be interpreted as including merely the potential executables under BRI. Roundy does not explicitly teach: 1. [A computer-implemented method for cross-environment event correlation, the computer-implemented method comprising: determining,] using one or more machine learning techniques, [one or more correlated events about an issue related to a technical problem or an incident occurring to computing network elements across a plurality of computing domains to facilitate a corrective action to the technical problem or incident;] 2. generating a correlation graph comprising a knowledge graph of the extracted set of knowledge data to trace the technical problem or an incident issue of the computing network elements; 3. constructing a logical reasoning description based on the generated correlation graph for a domain-space exploration, wherein: the domain-space exploration includes a combining of entities which includes linking information regarding similar nodes that connect across the technical problem or the incident, the extracting of the set of knowledge data, and the generating of the knowledge graph, and the logical reasoning description comprises 4. the logical reasoning description comprises how the technical problem or the incident in a first computing domain of the plurality of computing domains affects a second computing domain of the plurality of computing domains Muddu teaches: 1. [A computer-implemented method for cross-environment event correlation, the computer-implemented method comprising: determining,] using one or more machine learning techniques, [one or more correlated events about an issue related to a technical problem or an incident occurring to computing network elements across a plurality of computing domains to facilitate a corrective action to the technical problem or incident;] 2. generating a correlation graph comprising a knowledge graph of the extracted set of knowledge data to trace the technical problem or an incident issue of the computing network elements; (Muddu, col. 24: 27-37) “FIGS. 9A and 9B show an example event relationship discovery and recordation technique, which can be implemented in the data intake and preparation stage. To facilitate description, FIGS. 9A and 9B are explained below with reference to FIG. 8. The relationship discovery and recordation technique can be performed by, for example, the relationship graph generator 810. Specifically, after the entities are identified in the tokens, the relationship graph generator 810 is operable to identify a number of relationships between the entities, and to explicitly record these relationships between the entities [i.e. generating a correlation graph comprising a knowledge graph of the extracted set of knowledge data] (Muddu, col. 24: 57-64) “Such a table of identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources (described above). Possible relationships can include, for example, “connects to,” “uses,” “runs on,” “visits,” “uploads,” “downloads,” “successfully logs onto,” “restarts,” “shuts down,” “unsuccessfully attempts to log onto,” “attacks,” and “infects [i.e. to trace the technical problem or an incident issue of the computing network elements;].”” 3. constructing a logical reasoning description based on the generated correlation graph for a domain-space exploration related to how the technical problem or an incident issue in one domain affects another domain of the plurality of domains; (Muddu, col. 24: 52-54) “In some implementations, the graph generator 810 can identify a relationship between entities involved in an event based on the actions that are performed by one entity with respect to another entity [i.e. constructing a logical reasoning description based on the generated correlation graph]. For example, the graph generator 810 can identify a relationship based on comparing the action with a table of identifiable relationships [i.e. for a domain-space exploration related to how the technical problem or an incident issue in one domain affects another domain of the plurality of domains;].” 4. the logical reasoning description comprises how the technical problem or the incident in a first computing domain of the plurality of computing domains affects a second computing domain of the plurality of computing domains (Muddu, col. 24:57-65-col. 25:1-2; col. 25:7-10) “Such a table of identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources (described above). Possible relationships can include, for example, “connects to,” “uses,” “runs on,” “visits,” “uploads,” “downloads,” “successfully logs onto,” “restarts,” “shuts down,” “unsuccessfully attempts to log onto,” “attacks,” and “infects [i.e. the logical reasoning description comprises how the technical problem].” Also, the identified relationship between the entities can be indicative of the action, meaning that the identifiable relationship can include the action and also any suitable inference that can be made from the action…[i.e. in a first computing domain of the plurality of computing domains]. Also, identifiable relationships can include a relationship between entities of the same type (e.g., two users) or entities of different types (e.g., user and device) [i.e. affects a second computing domain of the plurality of computing domains].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy with Muddu. The motivation is to substitute Roundy’s generic correlation graph input with an internally generated knowledge-graph representation as taught by Muddu, which would have predictably improved Roundy’s analysis of a knowledge graph by incorporating the graph within the system as a whole, because: “The information stored may include the anomalies themselves and also relevant information that exists at the time of evaluation. These databases allow rapid reconstruction of the anomalies and all of their supporting data (Muddu, col. 18: 8-11).” Regarding claim 2: Roundy and Muddu teach the method of claim 1. Muddu teaches: 1. wherein the determining of the correlated events across the plurality of domains is based on a set of historical data or a set of synthetic data, and the extracting of the set of knowledge data includes extracting one or more of a set of semantic knowledge data or a set of meta-knowledge data. (Muddu, col. 37:56-63) “The ML-based CEP engine continuously receives new incoming event feature sets and reacts to each new incoming event feature set by processing it through at least one machine learning model. Because of real-time processing, the ML-based CEP engine can begin to process a time slice of the unbounded stream prior to when a subsequent time slice from the unbounded stream becomes available [i.e. wherein the determining of the correlated events across the plurality of domains is based on a set of historical data].” (Muddu, col. 38: 10-16) “The event feature set can include at least a subset of the raw event data; metadata associated with the raw event data; transformed, summarized, and/or normalized representation of portions of the raw event data; derived attributes from portions of the raw event data; labels for portions of the raw event data; or any combination thereof [i.e. and the extracting of the set of knowledge data includes extracting one or more of a set of semantic knowledge data].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy with Muddu. The motivation is the same as claim 1. Regarding claim 10: Roundy and Muddu teach the method of claim 1. Muddu teaches: 1. further comprising constructing one or more semantic relationships between the plurality of computing domains. (Muddu, col. 24: 57-64) “Such a table of identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources (described above). Possible relationships can include, for example, “connects to,” “uses,” “runs on,” “visits,” “uploads,” “downloads,” “successfully logs onto,” “restarts,” “shuts down,” “unsuccessfully attempts to log onto,” “attacks,” and “infects [i.e. further comprising constructing one or more semantic relationships between the plurality of domains].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy with Muddu. The motivation is the same as claim 1. Regarding claim 11: Roundy and Muddu teach the method of claim 1. Muddu teaches: 1. wherein the determining of one or more correlated events about an issue comprises: collecting one or more events, one or more logs, or one or more change records from at least some of the plurality of one or more computing domains; (Muddu, col. 43: 3-6) “The ML-based CEP engine 1500 can provide (e.g., stream via a data pipeline) the selected and formatted event feature sets to a model-related process thread of the model type 1602 [i.e. wherein the determining of one or more correlated events about an issue comprises: collecting one or more of an event,... the plurality of one or more computing domains;]” 2. and producing normalized formats of the one or more collected events, one or more logs, or one or more change records. (Muddu, col. 43: 14-17) “In some embodiments, the ML-based CEP engine 1500 groups and divides the input data for the model-specific process threads into mutually exclusive partitions [i.e. and producing normalized formats of the one or more collected events,].” Examiner notes that the term “normalized” is not defined in the specification. One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu. The motivation is the same as claim 3. Regarding claim 12: Roundy and Muddu teach the method of claim 1. Muddu teaches: 1. wherein the collecting of the one or more events, the one or more logs, or the one or more change records is performed offline using a simulation. (Muddu, col. 44: 13-15) “The model training process logic 1616 defines how the model training process thread 1606 is to transform input data (e.g., one or more event feature sets) into a model state or an update to the model state [i.e. wherein the collecting of the one or more events, the one or more logs, or the one or more change records is performed offline using a simulation.].” Examiner interprets the “update to a model state” as training data validation, which is a simulation. One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu. The motivation is the same as claim 1. Regarding claim 13: Roundy and Muddu teach the method of claim 1. Muddu teaches: 1. wherein the collecting of the one or more events, the one or more logs, or the one or more change record is performed offline using a set of history data. (Muddu, col. 39: 18-21) “These run-time states (different from a “model state” as used in this disclosure) represent the history of the entity without having to track every historical event involving the entity [i.e. wherein the collecting of the one or more events, the one or more logs, or the one or more change record is performed offline using a set of history data].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu. The motivation is the same as claim 1. Regarding claim 17: Roundy and Muddu teach the machine of claim 14. Muddu teaches: 1. the method further comprising constructing one or more semantic relationships between the plurality of computing domains, and wherein the determining one or more correlated events about an issue comprises: (Muddu, col. 24: 57-64) “Such a table of identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources (described above). Possible relationships can include, for example, “connects to,” “uses,” “runs on,” “visits,” “uploads,” “downloads,” “successfully logs onto,” “restarts,” “shuts down,” “unsuccessfully attempts to log onto,” “attacks,” and “infects [i.e. i.e. further comprising constructing one or more semantic relationships between the plurality of domains, and wherein the determining one or more correlated events about an issue comprises:]” 2. collecting one or more of events, one or more logs, one or more metrics, or one or more change records from at least some of the plurality of domains; (Muddu, col. 43: 3-6) “The ML-based CEP engine 1500 can provide (e.g., stream via a data pipeline) the selected and formatted event feature sets to a model-related process thread of the model type 1602 [i.e. wherein the determining of one or more correlated events about an issue comprises: collecting one or more of an event,... from at least some of the plurality of domains;]” 3. determining one or more correlated events about the issue by using machine learning techniques; (Muddu, col. 43: 23-26) “In one specific example, if the model type topology 1714 specifies users as the entity type, the ML-based CEP engine 1500 groups the selected event feature sets by user groups [i.e. determining one or more correlated events about the issue by using one or more machine learning techniques;].” 4. and producing normalized formats of the one or more collected events, logs, or change records. (Muddu, col. 43: 14-17) “In some embodiments, the ML-based CEP engine 1500 groups and divides the input data for the model-specific process threads into mutually exclusive partitions [i.e. and producing normalized formats of the one or more collected events,].” Examiner notes that the term “normalized” is not defined in the specification. (Muddu, col. 43: 3-6) “The ML-based CEP engine 1500 can provide (e.g., stream via a data pipeline) the selected and formatted event feature sets to a model-related process thread of the model type 1602 [i.e. by using machine learning techniques;] One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu. The motivation is the same as claim 1. Regarding claim 18: Roundy and Muddu teach the machine of claim 14. 1. wherein the collecting of one or more events, one or more logs, one or more metrics, or one or more change records is performed offline using a simulation or a set of historical data. (Muddu, col. 39: 18-21) “These run-time states (different from a “model state” as used in this disclosure) represent the history of the entity without having to track every historical event involving the entity [i.e. wherein at least the collecting of the event, the log, the metric, or the change record is performed offline using… a set of historical data].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu. The motivation is the same as claim 1. Regarding claim 20: Roundy and Muddu teach the machine of claim 19. 1. the extracting of the set of knowledge data includes extracting one or more of a set of semantic knowledge data or a set of meta-knowledge data, (Muddu, col. 37:56-63) “The ML-based CEP engine continuously receives new incoming event feature sets and reacts to each new incoming event feature set by processing it through at least one machine learning model. Because of real-time processing, the ML-based CEP engine can begin to process a time slice of the unbounded stream prior to when a subsequent time slice from the unbounded stream becomes available [i.e. the extracting of the set of knowledge data includes extracting one or more of a set of semantic knowledge data].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu. The motivation is the same as claim 1. Claims 3-9, and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent 9,256,739 (Roundy et al; Roundy) in view of US Patent 10,116,670 (Muddu et al; Muddu) further in view of US Pre-Grant Patent 2015/0317337 (Edgar). Regarding claim 3: Roundy and Muddu teach the method of claim 1. Edgar teaches: 1. wherein the using of one or more machine learning technique includes training by an unsupervised learning technique using an association rule learning algorithm or a clustering algorithm. (Edgar, ¶0029) “Alternatively or in addition, one or more data mining and/or machine learning algorithms such as support vector machines, artificial neural networks, hierarchical clustering, linear discriminant analysis, contrast set mining, separating hyperplanes, decision trees, Bayesian analysis, linear classifiers, association rules [i.e. wherein the using of one or more machine learning technique includes training by an unsupervised learning technique using an association rule learning algorithm], self-organizing maps, random forests, etc., can be used to identify pattern(s) in the data.” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu with Edgar. One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu with Edgar. The motivation is to incorporate well-known machine learning techniques into the evaluation of correlations as “…machine learning algorithm…can be used to identify a set of rules that describe what makes a group different (e.g., what is different about things that are defective) (Edgar, ¶0087).” Regarding claim 4: Roundy and Muddu teach the method of claim 1. Edgar teaches: 1. wherein the using of the one or more machine learning techniques includes training by a supervised learning technique using a set of labeled data associated with a data correlation. (Edgar, ¶0029) “Alternatively or in addition, one or more data mining and/or machine learning algorithms such as support vector machines [i.e. wherein using the machine learning includes training by a supervised learning technique using a set of labeled data associated with a data correlation.], artificial neural networks, hierarchical clustering, linear discriminant analysis, contrast set mining, separating hyperplanes, decision trees, Bayesian analysis, linear classifiers, association rules, self-organizing maps, random forests, etc., can be used to identify pattern(s) in the data.” Examiner notes “A support vector machine (SVM) is a supervised machine learning algorithm that classifies data by finding an optimal line or hyperplane that maximizes the distance between each class in an N-dimensional space.” See attached NPL: What are SVMs? One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu with Edgar. The motivation is the same as claim 3. Regarding claim 5: Roundy and Muddu teach the method of claim 1. Edgar teaches: 1. further comprising configuring the one or more machine learning techniques by a supervised learning technique selected from a group consisting of a support vector machine (SVM), a convolutional neural network (CNN), or a long-short term memory (LSTM) based on a size of the set of correlation data. (Edgar, ¶0029) “Alternatively or in addition, one or more data mining and/or machine learning algorithms such as support vector machines [i.e. further comprising configuring the machine learning by a supervised learning technique using a support vector machine (SVM)… based on a size of the set of correlation data], artificial neural networks, hierarchical clustering, linear discriminant analysis, contrast set mining, separating hyperplanes, decision trees, Bayesian analysis, linear classifiers, association rules, self-organizing maps, random forests, etc., can be used to identify pattern(s) in the data.” Examiner notes that the SVM algorithm is reliant on data points or features for determining separation margins. Under BRI, this qualifies as being “based on a size of the set of correlation data.” See attached NPL: What are SVMs? One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu with Edgar. The motivation is the same as claim 3. Regarding claim 6: Roundy and Muddu teach the method of claim 1. Edgar teaches: 1. recommending a most probable event among the one or more event groups to users with an explanation about the cause of the technical problem or the incident. (Edgar, ¶0115) “Using knowledge-driven analytics, denial cost and return on investment can be characterized, pattern(s) can automatically be discovered in denials, and root cause(s) can be identified. A user can be notified when a difference can be made, and the system can 1) recommend action to be taken to fix a current situation and/or 2) recommend change to avoid future problem [i.e. recommending a most probable event group of correlated events of the one or more event groups to user]. Additionally, emerging trend(s) can be identified, and the system can facilitate response to those trend(s) [i.e. with an explanation about the cause of the incident].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu with Edgar. The motivation is the same as claim 3. Regarding claim 7 and analogous claim 16: Roundy and Muddu teach the method of claim 1. Edgar teaches: 1. wherein the recommending of the most probable event group, with the explanation of the cause of the technical problem or the incident, is based on performing in a runtime a creating, reading, updating, and deleting (CRUD) of data. (Edgar, ¶0029) “Further, one or more database structured query language (SQL) methods such as aggregation, online analytical processing (OLAP) cubes, etc. can be used to identify pattern(s) in the data [i.e. wherein the recommending of the most probable event group, with the explanation of the cause of the technical problem or the incident, is based on performing in a runtime a creating, reading, updating, and deleting (CRUD) of data].” Examiner notes “The reader may remember these four basic types of action with the memorable acronym C.R.U.D.: Create, Read, Update, Delete. High-level data-base languages have operators which permit these four types of actions.” As the teaching of C.R.U.D. is at a basic level, database languages in general teach this acronym. See attached NPL: Managing the data-base environment, Martin, Ch. 21, pg. 381. One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu with Edgar. The motivation is the same as claim 3. Regarding claim 8: Roundy and Muddu teach the method of claim 1. Edgar teaches: 1. wherein the using of the one or more machine learning techniques further includes a training of one or more machine learning algorithms based on receiving feedback to train for the determining of the one or more correlated events. (Edgar, ¶0029) “Alternatively or in addition, one or more data mining and/or machine learning algorithms such as support vector machines, artificial neural networks, hierarchical clustering, linear discriminant analysis, contrast set mining, separating hyperplanes, decision trees, Bayesian analysis, linear classifiers, association rules, self-organizing maps, random forests, etc., can be used to identify pattern(s) in the data [i.e. wherein the using of the one or more machine learning techniques further includes a training of one or more machine learning algorithms based on receiving feedback to train for the determining of the one or more correlated events].” Examiner notes that the majority of these listed methods include training operations based on receiving some form of feedback. One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu with Edgar. The motivation is the same as claim 3. Regarding claim 9: Roundy and Muddu teach the method of claim 1. Muddu teaches: 1. further comprising receiving feedback for the determining of the one or more correlated events by an active learning methodology, wherein the active learning methodology which interactively queries a user or an information source to label new data points with desired outputs. (Muddu, col. 42: 55-59) “The model input type configuration 1712 specifies what event views (e.g., described in this disclosure) that the model type 1602 subscribes to [i.e. further comprising receiving feedback for the determining of the one or more correlated events by an active learning methodology]. The event feature sets from the unbounded stream 1502 can be labeled with event view labels corresponding to the event views [i.e. wherein the active learning methodology which interactively queries a user or an information source to label new data points with desired outputs].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu with Edgar. The motivation is the same as claim 3. Regarding claim 15: Roundy and Muddu teach the machine of claim 14. Muddu teaches: 1. the extracting of the set of knowledge data includes extracting one or more of a set of semantic knowledge data or a set of meta-knowledge data, (Muddu, col. 37:56-63) “The ML-based CEP engine continuously receives new incoming event feature sets and reacts to each new incoming event feature set by processing it through at least one machine learning model. Because of real-time processing, the ML-based CEP engine can begin to process a time slice of the unbounded stream prior to when a subsequent time slice from the unbounded stream becomes available [i.e. the extracting of the set of knowledge data includes extracting one or more of a set of semantic knowledge data].” Edgar teaches: 1. and the method further comprises recommending a most probable event group of correlated events of the one or more event groups to users with an explanation about the technical problem or the incident. (Edgar, ¶0115) “Using knowledge-driven analytics, denial cost and return on investment can be characterized, pattern(s) can automatically be discovered in denials, and root cause(s) can be identified. A user can be notified when a difference can be made, and the system can 1) recommend action to be taken to fix a current situation and/or 2) recommend change to avoid future problem [i.e. and the method further comprises recommending a most probable event group of correlated events of the one or more event groups to user]. Additionally, emerging trend(s) can be identified, and the system can facilitate response to those trend(s) [i.e. with an explanation about the cause of the incident].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Roundy and Muddu with Edgar. The motivation is the same as claim 3. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to PAUL JUSTIN BREENE whose telephone number is (571)272-6320. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web- based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Michael J Huntley can be reached on 303-297-4307. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786 9199 (IN USA OR CANADA) or 571-272-1000. /P.J.B./ Examiner, Art Unit 2129 /MICHAEL J HUNTLEY/Supervisory Patent Examiner, Art Unit 2129