DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on January 27, 2023, is in compliance with the provisions of 37 CFR 1.97 and has been considered by the examiner.
Claim Objections
Claim 8 is objected to because of the following informalities: on line 34, “any of the any” should be read as “any of the”. Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
The term “at least some” in claim 4 is a relative term which renders the claim indefinite. The term “at least some” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. Appropriate correction is required.
The term “at least some” in claim 17 is a relative term which renders the claim indefinite. The term “at least some” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea (mental process) without significantly more.
Claim 1:
Regarding claim 1, in step 1 of the 101-analysis set forth in MPEP 2106, the claim recites
“A method, comprising: receiving an alert; obtaining, using a machine-learning model, an embedding for the alert, wherein the machine-learning model is trained by steps comprising: obtaining training data, wherein each training datum comprises a series of alert texts obtained from historical alerts; and training the machine-learning model using the training data to output embedding for alert texts; identifying, based on the embedding, a group of alerts; and adding the alert to the group of alerts,” and a method is one of the four statutory categories of invention. In step 2A prong 1 of the 101-analysis set forth in the MPEP 2106, the examiner has determined that the following limitations recite a process that, under the broadest reasonable interpretation, covers a mental process but for recitation of generic computer components:
“identifying, based on the embedding, a group of alerts;” (mental process, a person can mentally evaluate an alert based on an embedding and sort into a group, see MPEP 2106.04(a)(2)(III))
“and adding the alert to the group of alerts” (mental process, a person can mentally evaluate and then add the alert to a group, see MPEP 2106.04(a)(2)(III))
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mental process but for the recitation of generic computer components, then they fall within the mental process grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
In step 2A prong 2 of the 101-analysis set forth in MPEP 2106, the examiner has determined that the following additional elements do not integrate this judicial exception into a practical application:
receiving an alert; (In step 2A, prong 2, receiving an alert recites mere data gathering, which is considered insignificant extra-solution activity – see MPEP 2106.05(g))
obtaining, using a machine-learning model, an embedding for the alert, (In step 2A, prong 2, obtaining an embedding for alert recites mere data gathering, which is considered insignificant extra-solution activity – see MPEP 2106.05(g))
wherein the machine-learning model is trained by steps comprising: obtaining training data, wherein each training datum comprises a series of alert texts obtained from historical alerts; (In step 2A, prong 2, obtaining training data recites mere data gathering, which is considered insignificant extra-solution activity – see MPEP 2106.05(g))
and training the machine-learning model using the training data to output embedding for alert texts; (Mere instructions to apply an exception using generic computer – see MPEP 2106.05(f))
Since the claim as a whole, looking at the additional elements individually and in combination, does not contain any other additional elements that are indicative of integration into a practical application, the claim is “directed” to an abstract idea.
In step 2B of the 101-analysis set forth in the 2019 PEG, the examiner has determined that the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.
As discussed above, additional element vi recites mere instructions to apply the judicial exception, which is not indicative of significantly more. The additional elements iii, iv, and v recite mere data gathering, and are considered insignificant extra-solution activities. In step 2B, these insignificant extra-solution activities are well-understood, routine and conventional activities, which include receiving or transmitting data over a network, as in Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) – see MPEP 2106.05(d)(II)(i).
Considering the additional elements individually and in combination, and the claim as a whole, the additional elements do not provide significantly more than the abstract idea. Therefore, the claim is not patent eligible.
Claim 2:
Regarding claim 2, it is dependent upon claim 1, and thereby incorporates the limitations of, and corresponding analysis applied to claim 1.
Further, claim 2 recites the following abstract ideas,
“The method of claim 1, wherein obtaining the training data comprises: grouping the historical alerts into samples of alerts,” (this is considered a mental process, since a person can mentally evaluate and group the data of historical alerts into samples of alerts, see MPEP 2106.04(a)(2)(III)),
“generating respective graphs for the samples of alerts, wherein each historical alert of a sample of alerts is connected to every other historical alert of the sample of alerts,” (this is considered a mental process, since a person can mentally evaluate samples of alert to generate respective graphs connecting an alert of a sample of alerts to every other historical alert of the sample of alerts, see MPEP 2106.04(a)(2)(III)),
“combining the respective graphs into a combined graph” (this is considered a mental process, since a person can mentally evaluate to combine graphs into a combined graph, see MPEP 2106.04(a)(2)(III)),
“and obtaining random walks of nodes of the combined graph, wherein each random walk corresponds to a training datum and includes respective texts of the nodes of the random walk,” (this is considered a mental process, since a person can mentally evaluate each record of training data to obtain random walks for respective texts of nodes, see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mathematical concept but for the recitation of generic computer components, then they fall within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 3:
Regarding claim 3, it is dependent upon claim 2, and thereby incorporates the limitations of, and corresponding analysis applied to claim 2. Further, claim 3 recites the following abstract idea:
“The method of claim 2, wherein grouping the historical alerts into the samples of alerts comprises: grouping the historical alerts into the samples of alerts based on overlapping sliding windows over the historical alerts.” (This is considered a mental process, since a person can mentally evaluate and group the historical alerts into the samples of alerts based on an overlapping time window, and the time window is a predefined time interval as mentioned in specification paragraphs [0185, 0190], also see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mathematical concept but for the recitation of generic computer components, then they fall within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 4:
Regarding claim 4, it is dependent upon claim 2, and thereby incorporates the limitations of, and corresponding analysis applied to claim 2. Further, claim 4 recites the following abstract idea:
“The method of claim 2, wherein grouping the historical alerts into the samples of alerts comprises: grouping at least some of the historical alerts into a sample associated with a historical alert of the historical alerts based on an active window associated with the historical alert.” (this is considered a mental process, since a person can mentally evaluate and group the historical alerts into the samples of alerts based on an active time window, and the time window is a predefined time interval as mentioned in specification paragraphs [0185, 0190-0191], also see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mathematical concept but for the recitation of generic computer components, then they fall within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 5:
Regarding claim 5, it is dependent upon claim 1, and thereby incorporates the limitations of, and corresponding analysis applied to claim 1.
Further, claim 5 recites the following abstract ideas in:
“determining that the second alert cannot be grouped into any other group of alerts by comparing an embedding of the second alert obtained using the machine-learning model to respective embeddings of the group of alerts,” (this is considered a mental process, since a person can mentally evaluate to determine that a second alert cannot be sorted into any group, by mentally comparing the embedding or vector value of the second alert to the embedding values of the group, see MPEP 2106.04(a)(2)(III)),
“and in response to determining that the second alert cannot be grouped into any other group of alerts, adding the second alert to a new group” (this is considered a mental process, since a person can mentally evaluate to determine that a second alert cannot be sorted into any group, and subsequently mentally add that ungrouped second alert to a new group, see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mathematical concept but for the recitation of generic computer components, then they fall within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Further, claim 5 recites the following additional element:
“The method of claim 1, wherein the alert is a first alert, further comprising: receiving a second alert,” (In step 2A, prong 2, this recites mere data gathering, which is considered insignificant extra-solution activity – see MPEP 2106.05(g)). In step 2B, this insignificant extra-solution activity is a well-understood, routine and conventional activity, which includes receiving or transmitting data over a network, as in Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) – see MPEP 2106.05(d)(II)(i).
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 6:
Regarding claim 6, it is dependent upon claim 5, and thereby incorporates the limitations of, and corresponding analysis applied to claim 5. Further, claim 6 recites the following additional elements:
“The method of claim 5, wherein adding the second alert to the new group comprises: triggering a new incident from the alert,” (In step 2A, prong 2, this is considered mere instructions to apply an exception using generic computer with the triggering a new incident operation performed by any generic computer, see MPEP 2106.05(f)). (In step 2B, this is also considered mere instructions to apply an exception using generic computer – see MPEP 2106.05(f)).
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 7:
Regarding claim 7, it is dependent upon claim 1, and thereby incorporates the limitations of, and corresponding analysis applied to claim 1. Further, claim 1 recites the following additional elements:
“The method of claim 1, wherein the alert is a first alert, further comprising: receiving a second alert;” (In step 2A, prong 2, this recites mere data gathering, which is considered insignificant extra-solution activity – see MPEP 2106.05(g)). In step 2B, this insignificant extra-solution activity is a well-understood, routine and conventional activity, which includes receiving or transmitting data over a network, as in Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) – see MPEP 2106.05(d)(II)(i),
“and determining whether the second alert matches any group of alerts ” (this is considered a mental process, since a person can mentally evaluate each alert and determine if a second or additional incoming alert matches any group of alerts, see MPEP 2106.04(a)(2)(III)),
“using a text similarity tool,” (In step 2A, prong 2, this is considered mere instructions to apply an exception using generic computer, see MPEP 2106.05(f)). (In step 2B, this is also considered mere instructions to apply an exception using generic computer – see MPEP 2106.05(f)).
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mathematical concept but for the recitation of generic computer components, then they fall within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 8:
Regarding claim 8, it is dependent upon claim 7, and thereby incorporates the limitations of, and corresponding analysis applied to claim 7. Further, claim 8 recites the following additional elements:
“The method of claim 7, further comprising: responsive to determining, using the text similarity tool, that the second alert does not match any group of alerts, using the machine-learning model,” (In step 2A, prong 2, this is considered mere instructions to apply an exception using generic computer with the triggering a new incident operation performed by any generic computer, see MPEP 2106.05(f)). (In step 2B, this is also considered mere instructions to apply an exception using generic computer – see MPEP 2106.05(f)),
“to determine whether the second alert matches any of the any group of alerts,” (this is considered a mental process, since a person can mentally evaluate each alert and determine if a second or additional incoming alert matches any group of alerts, see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mathematical concept but for the recitation of generic computer components, then they fall within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 9:
Regarding claim 9, it is dependent upon claim 8, and thereby incorporates the limitations of, and corresponding analysis applied to claim 8. Further, claim 9 recites the following abstract idea:
“The method of claim 8, further comprising: responsive to determining that the second alert does not match any group of alerts, adding the second alert to a new group of alerts.” (this is considered a mental process, since a person can mentally evaluate to determine that a second alert cannot be sorted into any group, and subsequently mentally add that ungrouped second alert to a new group, see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mathematical concept but for the recitation of generic computer components, then they fall within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 10:
Regarding claim 10, it is dependent upon claim 8, and thereby incorporates the limitations of, and corresponding analysis applied to claim 8. Further, claim 10 recites the following abstract idea:
“The method of claim 8, further comprising: responsive to determining that the second alert matches a group of alerts, adding the second alert to the group of alerts.” (this is considered a mental process, since a person can mentally evaluate to determine that a second alert is sorted into a group, and subsequently mentally add that second alert to that group, see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mathematical concept but for the recitation of generic computer components, then they fall within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 11:
Regarding claim 11, it is dependent upon claim 10, and thereby incorporates the limitations of, and corresponding analysis applied to claim 10. Further, claim 11 recites the following abstract idea:
“The method of claim 10, wherein an incident corresponds to the group of alerts, and wherein adding the second alert to the group of alerts comprises: grouping the second alert under the incident,” (this is considered a mental process, since a person can mentally evaluate to determine that a second alert is sorted into a group or incident, and subsequently mentally group that second alert under the incident, see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mathematical concept but for the recitation of generic computer components, then they fall within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 12:
Regarding claim 12, in step 1 of the 101-analysis set forth in MPEP 2106, the claim recites “a method, comprising: receiving an alert; determining, using a text similarly tool and based on a text of the alert, whether the alert matches a group of alerts of groups of alerts; responsive to determining that the alert does not match any of the groups of alerts, determining, using a machine-learning model, whether an embedding corresponding to the alert meets a similarity threshold to a respective embedding of any of the groups of alerts; and responsive to the embedding meeting the similarity threshold with an embedding of a group of alerts, adding the alert to the group of alerts,” which is considered a method and is one of the four statutory categories of invention.
In step 2A prong 1 of the 101-analysis set forth in the MPEP 2106, the examiner has determined that the following limitations recite a process that, under the broadest reasonable interpretation, covers a mental process but for recitation of generic computer components:
“determine … based on a text of the alert, whether the alert matches a group of alerts of groups of alerts,” (this is considered a mental process, since a person can mentally evaluate if an alert matches a group of alerts, see MPEP 2106.04(a)(2)(III)),
“determine…whether an embedding corresponding to the alert meets a similarity threshold to a respective embedding of any of the groups of alerts”, (this is considered a mental process, since a person can mentally evaluate if an alert meets a threshold to a respective embedding of any groups of alerts, see MPEP 2106.04(a)(2)(III)),
“responsive to the embedding meeting the similarity threshold with an embedding of a group of alerts, adding the alert to the group of alerts,” (this is considered a mental process, since a person can mentally evaluate and then add the alert to the group of alerts, see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mental process but for the recitation of generic computer components, then they fall within the mental process grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
In step 2A prong 2 of the 101-analysis set forth in MPEP 2106, the examiner has determined that the following additional elements do not integrate this judicial exception into a practical application:
“A method, comprising: receiving an alert,” (In step 2A, prong 2, receiving an alert recites mere data gathering, which is considered insignificant extra-solution activity – see MPEP 2106.05(g)),
“determine, using a text similarly tool”, (Mere instructions to apply an exception using generic computer – see MPEP 2106.05(f)),
“responsive to determining that the alert does not match any of the groups of alerts, determining, using a machine-learning model,” (Mere instructions to apply an exception using generic computer – see MPEP 2106.05(f)),
In step 2B of the 101-analysis set forth in the 2019 PEG, the examiner has determined that the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.
As discussed above, additional elements v and vi recite mere instructions to apply the judicial exception, which is not indicative of significantly more. The additional element iv recites mere data gathering, and is considered insignificant extra-solution activity. In step 2B, this insignificant extra-solution activity is a well-understood, routine and conventional activity, which includes receiving or transmitting data over a network, as in Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) – see MPEP 2106.05(d)(II)(i).
Considering the additional elements individually and in combination, and the claim as a whole, the additional elements did not provide significantly more than the abstract idea. Therefore, the claim is not patent eligible.
Claim 13:
Regarding claim 13, it is dependent upon claim 12, and thereby incorporates the limitations of, and corresponding analysis applied to claim 12. Further, claim 13 recites the following abstract idea:
“The method of claim 12, further comprising: responsive to the embedding not meeting the similarity threshold with any respective embedding of the groups of alerts, adding the alert to a new group of alerts,” (this is considered a mental process, since a person can mentally evaluate and then judge to determine that an alert does not meet the similarity threshold value with any respective embedding of the groups of alerts, and subsequently add that alert to a new group, see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mathematical concept but for the recitation of generic computer components, then they fall within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 14:
Regarding claim 14, it is dependent upon claim 12, and thereby incorporates the limitations of, and corresponding analysis applied to claim 12. Further, claim 14 recites the following additional elements:
“The method of claim 12, wherein the machine-learning model is trained by steps comprising: obtaining training data, wherein each training datum comprises a series of alert texts obtained from historical alerts,” (In step 2A, prong 2, obtaining training data recites mere data gathering, which is considered insignificant extra-solution activity – see MPEP 2106.05(g)). In step 2B, this insignificant extra-solution activity is a well-understood, routine and conventional activity, which includes receiving or transmitting data over a network, as in Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) – see MPEP 2106.05(d)(II)(i),
“and training the machine-learning model using the training data to output embedding for alert texts,” (In step 2A, prong 2, this is considered mere instructions to apply an exception using generic computer with the output embedding for alert texts operation performed by any generic computer, see MPEP 2106.05(f)). (In step 2B, this is also considered mere instructions to apply an exception using generic computer – see MPEP 2106.05(f)).
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 15:
Regarding claim 15, it is dependent upon claim 14, and thereby incorporates the limitations of, and corresponding analysis applied to claim 14.
Further, claim 15 recites the following abstract ideas,
“The method of claim 14, wherein obtaining the training data comprises: grouping the historical alerts into samples of alerts,” (this is considered a mental process, since a person can mentally evaluate and group the data of historical alerts into samples of alerts, see MPEP 2106.04(a)(2)(III)),
“generating respective graphs for the samples of alerts, wherein each historical alert of a sample of alerts is connected to every other historical alert of the sample of alerts,” (this is considered a mental process, since a person can mentally evaluate samples of alert to generate respective graphs, see MPEP 2106.04(a)(2)(III)),
“combining the respective graphs into a combined graph” (this is considered a mental process, since a person can mentally evaluate to combine graphs into a combined graph, see MPEP 2106.04(a)(2)(III)),
“and obtaining random walks of nodes of the combined graph, wherein each random walk corresponds to a training datum and includes respective texts of the nodes of the random walk,” (this is considered a mental process, since a person can mentally evaluate each record of training data to obtain random walks for respective texts of nodes, see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mathematical concept but for the recitation of generic computer components, then they fall within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 16:
Regarding claim 16, it is dependent upon claim 15, and thereby incorporates the limitations of, and corresponding analysis applied to claim 15. Further, claim 16 recites the following abstract idea:
“The method of claim 15, wherein grouping the historical alerts into the samples of alerts comprises: grouping the historical alerts into the samples of alerts based on overlapping sliding windows over the historical alerts.” (this is considered a mental process, since a person can mentally evaluate and group the historical alerts into the samples of alerts based on an overlapping time window, and the time window is a predefined time interval as mentioned in specification paragraphs [0185, 0190], also see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations as a mathematical concept but for the recitation of generic computer components, then they fall within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application or provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 17:
Regarding claim 17, it is dependent upon claim 15, and thereby incorporates the limitations of, and corresponding analysis applied to claim 15. Further, claim 17 recites the following additional elements:
“The method of claim 15, wherein grouping the historical alerts into the samples of alerts comprises: grouping at least some of the historical alerts into a sample associated with a historical alert of the historical alerts based on an active window associated with the historical alert.” (this is considered a mental process, since a person can mentally evaluate and group the historical alerts into the samples of alerts based on an active time window, and the time window is a predefined time interval as mentioned in specification paragraphs [0185, 0190-0191], also see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, covers performance of the limitations as a mathematical concept but for the recitation of generic computer components, then it falls within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application, nor provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 18:
Regarding claim 18, in step 1 of the 101-analysis set forth in MPEP 2106, the claim recites “a device, comprising: a memory; and a processor, the processor configured to execute instructions stored in the memory to: receive an alert; obtain, using a machine-learning model, an embedding for the alert, wherein the machine-learning model is trained to: obtain training data, wherein each training datum comprises a series of alert texts obtained from historical alerts; and output embedding for alert texts; identify, based on the embedding, a group of alerts; and add the alert to the group of alerts,” and a device is a machine, which is one of the four statutory categories of invention. In step 2A prong 1 of the 101-analysis set forth in the MPEP 2106, the examiner has determined that the following limitations recite a process that, under the broadest reasonable interpretation, covers a mental process but for recitation of generic computer components:
“identify, based on the embedding, a group of alerts;” (mental process, a person can mentally evaluate an alert based on an embedding and sort into a group, see MPEP 2106.04(a)(2)(III))
“and add the alert to the group of alerts” (mental process, a person can mentally evaluate and then add the alert to a group, see MPEP 2106.04(a)(2)(III))
If claim limitations, under their broadest reasonable interpretation, covers performance of the limitations as a mental process but for the recitation of generic computer components, then it falls within the mental process grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
In step 2A prong 2 of the 101-analysis set forth in MPEP 2106, the examiner has determined that the following additional elements do not integrate this judicial exception into a practical application:
a device, comprising: a memory; and a processor, the processor configured to execute instructions stored in the memory, (Mere instructions to apply an exception using generic computer – see MPEP 2106.05(f))
receive an alert; (In step 2A, prong 2, receiving an alert recites mere data gathering, which is considered insignificant extra-solution activity – see MPEP 2106.05(g))
obtain, using a machine-learning model, an embedding for the alert, (In step 2A, prong 2, obtaining an embedding for alert recites mere data gathering, which is considered insignificant extra-solution activity – see MPEP 2106.05(g))
wherein the machine-learning model is trained to: obtain training data, wherein each training datum comprises a series of alert texts obtained from historical alerts; (In step 2A, prong 2, obtaining training data recites mere data gathering, which is considered insignificant extra-solution activity – see MPEP 2106.05(g))
and output embedding for alert texts; (Mere instructions to apply an exception using generic computer – see MPEP 2106.05(f))
Since the claim as a whole, looking at the additional elements individually and in combination, does not contain any other additional elements that are indicative of integration into a practical application, the claim is “directed” to an abstract idea.
In step 2B of the 101-analysis set forth in the 2019 PEG, the examiner has determined that the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.
As discussed above, additional elements iii and vii recite mere instructions to apply the judicial exception, which are not indicative of significantly more. The additional elements iv, v, and vi recite mere data gathering and are considered insignificant extra-solution activities. In step 2B, these insignificant extra-solution activities are well-understood, routine, and conventional activities, which include receiving or transmitting data over a network (Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) – see MPEP 2106.05(d)(II)(i)).
Considering the additional elements individually and in combination, and the claim as a whole, the additional element does not provide significantly more than the abstract idea. Therefore, the claim is not patent eligible.
Claim 19:
Regarding claim 19, it is dependent upon claim 18, and thereby incorporates the limitations of, and corresponding analysis applied to claim 18.
Further, claim 19 recites the following additional element,
“The device of claim 18,” (In step 2A, prong 2, the device here is considered mere instructions to apply an exception using a generic computer – see MPEP 2106.05(f)). (In step 2B, this is also considered mere instructions to apply an exception using generic computer – see MPEP 2106.05(f)).
Claim 19 recites the following abstract ideas:
“obtain the training data comprises to: group the historical alerts into samples of alerts,” (This is considered a mental process, since a person can mentally evaluate and group the data of historical alerts into samples of alerts, see MPEP 2106.04(a)(2)(III)),
“generate respective graphs for the samples of alerts, wherein each historical alert of a sample of alerts is connected to every other historical alert of the sample of alerts,” (This is considered a mental process, since a person can mentally evaluate samples of alert to generate respective graphs connecting an alert of a sample of alerts to every other historical alert of the sample of alerts, see MPEP 2106.04(a)(2)(III)),
“combine the respective graphs into a combined graph” (This is considered a mental process, since a person can mentally evaluate to combine graphs into a combined graph, see MPEP 2106.04(a)(2)(III)),
“and obtain random walks of nodes of the combined graph, wherein each random walk corresponds to a training datum and includes respective texts of the nodes of the random walk,” (This is considered a mental process, since a person can mentally evaluate each record of training data to obtain random walks for respective texts of nodes, see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, covers performance of the limitations as a mathematical concept but for the recitation of generic computer components, then it falls within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application, nor provide significantly more than the judicial exception, the claim is not patent eligible.
Claim 20:
Regarding claim 20, it is dependent upon claim 19, and thereby incorporates the limitations of, and corresponding analysis applied to claim 19. Further, claim 20 recites the following additional elements:
“The device of claim 19, wherein to group the historical alerts into the samples of alerts comprises to: group the historical alerts into the samples of alerts based on overlapping sliding windows over the historical alerts.” (This is considered a mental process, since a person can mentally evaluate and group the historical alerts into the samples of alerts based on an overlapping time window, and the time window is a predefined time interval as mentioned in specification paragraphs [0185, 0190], also see MPEP 2106.04(a)(2)(III)),
If claim limitations, under their broadest reasonable interpretation, covers performance of the limitations as a mathematical concept but for the recitation of generic computer components, then it falls within the mathematical concept grouping of abstract ideas. Accordingly, the claim “recites” an abstract idea.
Since the claim does not recite additional elements that either integrate the judicial exception into a practical application, nor provide significantly more than the judicial exception, the claim is not patent eligible.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1 and 5 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Turgeman L. et al., “Context-aware incremental clustering of alerts in monitoring systems” (available at https://doi.org/10.1016/j.eswa.2022.118489 on December 30, 2022) (hereafter, Turgeman).
Claim 1:
Regarding claim 1, Turgeman teaches:
“A method, comprising: receiving an alert,”
See Turgeman, page 5, section 4.1.4, Incremental alerts clustering, which describes: "as a new alert appears, it is compared to all existing clusters representatives by analyzing the Euclidian distance between its corresponding metric ID embedding to all existing clusters centroids, where the cluster centroid is calculated by averaging over its corresponding alerts’ embeddings, or is equal to alert’s embedding, in case of a cluster that is composed of a single alert. If this distance is smaller than a predefined threshold, it is added to that cluster, otherwise, a new cluster holding it is created." Here, Turgeman talks about receiving a record of an alert related to an information technology incident.
Further, Turgeman also teaches “obtaining, using a machine-learning model, an embedding for the alert, wherein the machine-learning model is trained by steps …”
See Turgeman in page 4, section 4.1.1 Contextualized metric embedding-based model (‘liberal’) mentions " the model is trained using historical data and is applied to incoming alerts…The input to the model is a history of n recent alerts corresponding metric IDs, within a time window w, e.g. {m1, m2, ..., mn}. Using the extracted metrics correlation matrix and an anomaly counter module, the suggested algorithm generates a sparse matrix containing the number of times every two alerts had co-occurred within a pre-defined time window. We train a Word2Vec model (Mikolov et al., 2013) using a 1-hidden-layer neural network based on the synthetic task of given an input metric. The network is trained by feeding the extracted metric pairs co-occurrence data, to learn statistics from the number of times each pairing occurs. The output is the conditional probability distribution, Pr[mt|w], describing the probability for each metric ID to appear nearby a given one from w. A virtual one-hot encoding of metrics goes through a ‘projection layer’ to the hidden layer; these projection weights are later interpreted as a distributed representation of the metrics (e.g., “embeddings”), which are then utilized by a tailored incremental clustering algorithm to dynamically cluster incoming alerts in real time." Here, Turgeman describes using a machine learning model to obtain embeddings for incoming alerts.
Further, Turgeman describes in page 6, section 5.2. Experimental setup "in what follows, we describe the experimental setup that is used to evaluate the performance and effectiveness of the suggested approach. We perform the experiments by using the system described in section 3.1.1. The data set is split into train and test sets; The train set spans the date range of between 22/1/2020 to 21/3/2020 and is composed of 27,109 alerts,” Here, Turgeman in section 5.2 talks about creating pair-wise proximity models (i.e. machine learning model) as well as a contextualized metric embedding (i.e. embedding for the alert).
Further, Turgeman also teaches “obtaining training data, wherein each training datum comprises a series of alert texts obtained from historical alerts,”
See Turgeman in page 4, section 4.1.1. Contextualized metric embedding-based model (‘liberal’) teaches “the model is trained using historical data and is applied to incoming alerts. The suggested modeling approach is influenced by several recent advances in Natural Language Processing (NLP).” Here, Turgeman teaches that the model is using training data, where the data comprises of historical alert data records.
Further, Turgeman also teaches “training the machine-learning model using the training data to output embedding for alert texts,”
See Turgeman in section 5.2 Experimental setup, page 6, where Turgeman describes that training the model involves "4. Based on alert history, the algorithm generates pair-wise proximity models, by using both the contextualized metric embedding-based model (section 4.1.1), and the frequency-based model (section 4.1.2). 5. The post-processing algorithm is applied to metric embedding outcomes (section 4.1.3). 6. The incremental clustering algorithm is then applied to the testing set alerts, yielding a set of cluster outcomes. 7. The parameters used for training and testing are shown in Table 1." Here, Turgeman illustrates that the outputs are the metric embedding outcomes or embeddings from the model.
Further, Turgeman also teaches “identifying, based on the embedding, a group of alerts”
See Turgeman in section 4.1.4 on page 5 describing that "as a new alert appears, it is compared to all existing clusters representatives by analyzing the Euclidian distance between its corresponding metric ID embedding to all existing clusters centroids, where the cluster centroid is calculated by averaging over its corresponding alerts’ embeddings, or is equal to alert’s embedding, in case of a cluster that is composed of a single alert." Here, Turgeman describes that based on the average of the corresponding alerts' embeddings (i.e. embedding), Turgeman was able to identify cluster centroid which correspond to a group of alerts.
Further, Turgeman also teaches “adding the alert to the group of alerts,”
See Turgeman in section 4.1.4 on page 5 describing that "as a new alert appears, it is compared to all existing clusters representatives by analyzing the Euclidian distance between its corresponding metric ID embedding to all existing clusters centroids, where the cluster centroid is calculated by averaging over its corresponding alerts’ embeddings, or is equal to alert’s embedding, in case of a cluster that is composed of a single alert. If this distance is smaller than a predefined threshold, it is added to that cluster, otherwise, a new cluster holding it is created." See Turgeman in page 3, section 2.2, where Turgeman describes that "as a new alert enters the system, it is identified in real-time and placed under the right cluster. The results are then presented to end users, thus helping them immediately surface useful information from large volumes of alerts." Here, Turgeman shows that as a new alert enters the system, the alert is immediately identified and placed under the right cluster, which relates to adding the alert to the group of alerts.
Claim 5:
Regarding claim 5, Turgeman teaches the elements of claim 1 as outlined above.
Turgeman also teaches: “the method of claim 1, wherein the alert is a first alert, further comprising: receiving a second alert;”
See page 3, section 2.1. Related work and challenges, where Turgeman describes “as a new alert enters the system, it is identified in real-time and placed under the right cluster. The results are then presented to end users, thus helping them immediately surface useful information from large volumes of alerts, use those findings to effectively remove noise from the alerts being managed, and focus on actual production issues.” Here, Turgeman teaches receiving a second alert, where the second alert includes new alerts or incoming alerts. Note here, the examiner construes a second alert to mean an additional or new incoming alert. For more information, see Turgeman in page 5, section 4.1.4 Incremental alerts clustering.
Turgeman further teaches “determining that the second alert cannot be grouped into any other group of alerts by comparing an embedding of the second alert obtained using the machine-learning model to respective embeddings of the group of alerts; and in response to determining that the second alert cannot be grouped into any other group of alerts, adding the second alert to a new group,”
See Turgeman in page 5, section 4.1.4 Incremental alerts clustering, where Turgeman describes "as a new alert appears, it is compared to all existing clusters representatives by analyzing the Euclidian distance between its corresponding metric ID embedding to all existing clusters centroids, where the cluster centroid is calculated by averaging over its corresponding alerts’ embeddings, or is equal to alert’s embedding, in case of a cluster that is composed of a single alert. If this distance is smaller than a predefined threshold, it is added to that cluster, otherwise, a new cluster holding it is created." Here, Turgeman mentions that if a new alert (i.e. second alert), after its embedding is compared with the embeddings of the groups of alerts, does not match any of the groups, then that new alert is not classified into any of the existing groups of alerts from the model and is subsequently added to a new cluster (i.e. new group). For more information, see Turgeman also in page 4, section 4.1., Metric ID definition.
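The incremental clustering rule quoted from Turgeman section 4.1.4 can be sketched as follows. This is an added illustration, not code from Turgeman or from the application; the embedding table, alert stream, threshold values and all function and class names are constructed assumptions standing in for a trained model and real alerts.

```python
import math

# Constructed stand-in for a trained embedding model: metric ID -> vector.
EMBEDDINGS = {
    "cpu.load": (1.0, 0.0),
    "cpu.steal": (0.9, 0.1),
    "disk.latency": (0.0, 1.0),
    "disk.iops": (0.1, 0.9),
    "net.drops": (0.5, 0.5),
}

# Constructed alert stream: (alert ID, metric ID), in arrival order.
ALERT_STREAM = [
    ("a1", "cpu.load"),
    ("a2", "disk.latency"),
    ("a3", "cpu.steal"),
    ("a4", "disk.iops"),
    ("a5", "net.drops"),
]


class IncrementalClusterer:
    """Assign each incoming alert to the nearest centroid or open a new cluster."""

    def __init__(self, threshold):
        if threshold <= 0:
            raise ValueError("threshold must be positive")
        self.threshold = threshold
        self.members = []    # per cluster: list of (alert_id, embedding)
        self.centroids = []  # per cluster: mean of its members' embeddings

    @staticmethod
    def _mean(vectors):
        n = len(vectors)
        return tuple(sum(component) / n for component in zip(*vectors))

    def add(self, alert_id, embedding):
        """Return (cluster index, True if a new cluster was created)."""
        best, best_dist = None, math.inf
        for idx, centroid in enumerate(self.centroids):
            dist = math.dist(embedding, centroid)  # Euclidean distance
            if dist < best_dist:
                best, best_dist = idx, dist
        if best is not None and best_dist < self.threshold:
            self.members[best].append((alert_id, embedding))
            # Centroid is the average over the cluster's alert embeddings.
            self.centroids[best] = self._mean([e for _, e in self.members[best]])
            return best, False
        # No centroid is close enough: the alert starts a single-alert cluster,
        # whose centroid equals the alert's own embedding.
        self.members.append([(alert_id, embedding)])
        self.centroids.append(tuple(embedding))
        return len(self.centroids) - 1, True


def cluster_stream(stream, embeddings, threshold):
    """Cluster alerts in arrival order; returns (assignments, clusterer)."""
    clusterer = IncrementalClusterer(threshold)
    assignments = []
    for alert_id, metric_id in stream:
        idx, created = clusterer.add(alert_id, embeddings[metric_id])
        assignments.append((alert_id, idx, created))
    return assignments, clusterer


if __name__ == "__main__":
    for row in cluster_stream(ALERT_STREAM, EMBEDDINGS, 0.5)[0]:
        print(row)
```

With the threshold at 0.5 the last alert is too far from both existing centroids and opens a third cluster; raising the threshold to 1.0 folds it into an existing one, which shows how strongly the grouping depends on the predefined threshold.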
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Turgeman, in view of Chen Z. et al., “Graph-based Incident Aggregation for Large-Scale Online Service Systems”, available at https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9678746, published in November 2021, (hereafter, Chen Z.).
Claim 2:
Regarding claim 2, Turgeman teaches the limitations in claim 1.
Referring to claim 2, Turgeman did not teach the following:
“The method of claim 1, wherein obtaining the training data comprises: grouping the historical alerts into samples of alerts,”
“generating respective graphs for the samples of alerts, wherein each historical alert of a sample of alerts is connected to every other historical alert of the sample of alerts,”
“combining the respective graphs into a combined graph,”
“obtaining random walks of nodes of the combined graph, wherein each random walk corresponds to a training datum and includes respective texts of the nodes of the random walk.”
However, in an analogous system, Chen Z. teaches “The method of claim 1, wherein obtaining the training data comprises: grouping the historical alerts into samples of alerts,”
See Chen Z. in page 435, sections D. Graph-based Incident Representation Learning and E. Online Incident Aggregation, describes where the graph "set the walk length as 40, i.e., each incident sequence will contain 40 samples… Each group of aggregated incidents represents a specific type of service issue, such as hardware issue, network traffic issue, network interface down, etc." Here, Chen Z. teaches that the incident sequence contains grouping the historical alerts into samples of alerts.
Further, Chen Z. teaches “generating respective graphs for the samples of alerts, wherein each historical alert of a sample of alerts is connected to every other historical alert of the sample of alerts,”
See Chen Z in pages 430 - 431, section I. Introduction, describes proposing a method called "GRLIA (stands for Graph Representation Learning-based Incident Aggregation), which is an incident aggregation framework to assist engineers in failure understanding and diagnosis...to learn a feature representation for each unique type of incident, which can appear in multiple places of the graph. The representation encodes the historical co-occurrence of incidents and their topological structure. Thus, they can be naturally used for incident aggregation in online scenarios. To track the impact graph of a failure (i.e., the incidents triggered by the failure)." Here, Chen Z. teaches creating graphs for organizing each unique type of incident and historical co-occurrence of incidents (i.e. the samples of alerts where they are connected to every other historical alert of the sample).
Further, Chen Z. teaches “combining the respective graphs into a combined graph,”
See Chen Z. in page 431, section I. Introduction, describes a method they "propose to identify service failures’ impact graph, which consists of the incidents that originate from the same failures. Such an impact graph helps us obtain a complete picture of failures’ cascading effect. To this end, we combine incidents with KPIs to measure the behavioral similarity between services." In figures 1 and 2, Chen Z. further illustrates combining graphs of the groups of incidents or alerts. Here, Chen Z. teaches combining incidents to group them into an impact graph, which relates to combining the respective graphs into a combined graph.
Further, Chen Z. teaches “obtaining random walks of nodes of the combined graph, wherein each random walk corresponds to a training datum and includes respective texts of the nodes of the random walk.”
See Chen Z. in page 435, section D. Graph-based Incident Representation Learning, describes a method called “DeepWalk belongs to the class of shallow embedding approaches that learn the node embeddings based on random walk statistics… the training data generated by sampling random walks starting from each node…. For each failure-impact graph, incident sequences are generated through random walk starting from every node inside. In reality, each node usually generates more than one incident when failures happen. Our tailored random walk strategy therefore contains two hierarchical steps. In the first step, a node is chosen by performing random walks on node level; in the second step, an incident will be randomly selected from those reported by the chosen node.” In addition, Chen Z. describes in page 435, section D, that “a typical graph representation learning algorithm learns an embedding vector for all nodes of a graph”. Chen Z. also illustrates the visual appearance of a combined graph in figure 3. Here, Chen Z. teaches obtaining random walks of nodes of the combined graph, where the training data generated by sampling random walks starting from each node (i.e. each random walk corresponds to a training datum) and includes node embeddings (i.e. respective texts of the nodes) of the random walk. See Chen Z. in pages 432 and 440 for more information.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the base reference of Turgeman along with the teachings of Chen Z. by using the teachings of Turgeman in organizing alert texts with historical alerts into groups and graphs, with the teaching of Chen Z. in incorporating grouping by graphs with random walks of nodes as text into the organized graphs.
One of ordinary skill in the art would be motivated to do so because by integrating the framework of Chen Z. into the methods of Turgeman, one with ordinary skill in the art would achieve the goal of providing “When a service failure occurs, aggregating related incidents can greatly reduce the number of incidents that need to be investigated,” (Chen Z., page 1, I. Introduction section), and having “such an impact graph helps us obtain a complete picture of failures’ cascading effect. To this end, we combine incidents with KPIs to measure the behavioral similarity between services. Community detection algorithms are then applied to determine the failure impact graph of different failures automatically.” (Chen Z., page 2, I. Introduction section).
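The training-data steps recited in claim 2 (grouping into samples, one fully connected graph per sample, a combined graph, random walks over alert texts), with the overlapping sliding windows of claims 16 and 20 used for the grouping, can be sketched as follows. This is an added illustration, not code from the application, Chen Z. or Sun; the alert data, window sizes, walk length and function names are constructed assumptions, and keying graph nodes by alert text is also an assumption.

```python
import random
from itertools import combinations

# Constructed sample data: (timestamp in seconds, alert text).
HISTORICAL_ALERTS = [
    (0, "db-1 replication lag high"),
    (20, "api-gw 5xx rate high"),
    (50, "checkout latency high"),
    (70, "payment queue depth high"),
    (400, "disk /var 90% full on log-1"),
    (420, "log shipper backlog"),
    (900, "cert expiry in 7 days"),
]


def sliding_window_samples(alerts, window, step):
    """Group alerts into samples; windows overlap whenever step < window."""
    if window <= 0 or step <= 0:
        raise ValueError("window and step must be positive")
    alerts = sorted(alerts)
    if not alerts:
        return []
    samples = []
    t, last = alerts[0][0], alerts[-1][0]
    while t <= last:
        sample = [text for ts, text in alerts if t <= ts < t + window]
        if sample:  # empty windows contribute nothing
            samples.append(sample)
        t += step
    return samples


def combined_graph(samples):
    """Union of per-sample complete graphs, as an adjacency map keyed by text."""
    graph = {}
    for sample in samples:
        for text in sample:
            graph.setdefault(text, set())
        # Every alert of a sample is connected to every other alert of it.
        for a, b in combinations(sorted(set(sample)), 2):
            graph[a].add(b)
            graph[b].add(a)
    return graph


def random_walks(graph, walk_length, walks_per_node, seed=0):
    """Each walk is one training datum: the texts of the nodes visited."""
    rng = random.Random(seed)  # seeded so the output is reproducible
    walks = []
    for start in sorted(graph):
        for _ in range(walks_per_node):
            walk = [start]
            while len(walk) < walk_length:
                neighbours = sorted(graph[walk[-1]])
                if not neighbours:  # isolated alert: walk stays at length 1
                    break
                walk.append(rng.choice(neighbours))
            walks.append(walk)
    return walks


def build_training_data(alerts, window=60, step=30, walk_length=5,
                        walks_per_node=2, seed=0):
    samples = sliding_window_samples(alerts, window, step)
    return random_walks(combined_graph(samples), walk_length, walks_per_node, seed)


if __name__ == "__main__":
    for walk in build_training_data(HISTORICAL_ALERTS):
        print(" -> ".join(walk))
```

Because the windows overlap, "checkout latency high" lands in two samples and bridges alerts that never share a window, while an alert with no neighbours in time yields only single-node walks and so contributes no co-occurrence signal to training.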
Claims 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman, in view of Chen Z., and in further view of Sun J. et al., “An Efficient Alert Aggregation Method Based on Conditional Rough Entropy and Knowledge Granularity” (available at https://doi.org/10.3390/e22030324 on March 12, 2020) (hereafter, Sun).
Claim 3:
Regarding claim 3, Turgeman in view of Chen Z. teaches the limitations in claim 2.
Turgeman in view of Chen Z. did not teach “The method of claim 2, wherein grouping the historical alerts into the samples of alerts comprises: grouping the historical alerts into the samples of alerts based on overlapping sliding windows over the historical alerts,”
In an analogous system of organizing information technology incidents, Sun teaches
“the method of claim 2, wherein grouping the historical alerts into the samples of alerts comprises: grouping the historical alerts into the samples of alerts based on overlapping sliding windows over the historical alerts”,
See Sun in page 15, section 4.4: Alert Similarity Calculation, where the researchers "calculated the corresponding important attributes and their weights according to different attack classifications. In order to aggregate similar alerts, we also need to calculate the similarity value of each important attribute between the two alerts and weight the total similarity. The two alerts are aggregated if the total similarity of the two alerts is greater than the set threshold. It should be noted that we only need to forcibly reduce the alerts whose total similarity is greater than the threshold for a certain period of time, so the setting of the time threshold is necessary. Therefore, we use sliding time windows to slice alert sequences and aggregate alerts within the same time window." Here, Sun describes using a sliding time window interval to group alerts to classify them.
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine the references of Turgeman, Chen Z. and incorporate into the teachings of Sun because all references teach using grouping methods on text data for information management alerts.
One of ordinary skill in the art would be motivated to do so because using the grouping methods on text alert data from the teachings of Turgeman and Chen Z., and combine with sorting the groups of text alert data by sliding time windows from the teachings of Sun since using “a suitable similarity threshold can effectively eliminate duplicate alerts and provide higher quality data for the next data fusion layer” (Sun, page 18, section 5.3. Experimental Results), and Sun’s method “can effectively reduce redundant alerts and help network security administrators to find real attacks” (page 21, section 6. Discussion and Conclusions).
Claim 4:
Regarding claim 4, Turgeman in view of Chen Z. teaches the limitations in claim 2.
However, Turgeman in view of Chen Z. did not teach “the method of claim 2, wherein grouping the historical alerts into the samples of alerts comprises: grouping at least some of the historical alerts into a sample associated with a historical alert of the historical alerts based on an active window associated with the historical alert.”
In an analogous system, Sun teaches “the method of claim 2, wherein grouping the historical alerts into the samples of alerts comprises: grouping at least some of the historical alerts into a sample associated with a historical alert of the historical alerts based on an active window associated with the historical alert,”
See Sun in page 15, section 4.4: Alert Similarity Calculation that the researchers "calculated the corresponding important attributes and their weights according to different attack classifications. In order to aggregate similar alerts, we also need to calculate the similarity value of each important attribute between the two alerts and weight the total similarity. The two alerts are aggregated if the total similarity of the two alerts is greater than the set threshold. It should be noted that we only need to forcibly reduce the alerts whose total similarity is greater than the threshold for a certain period of time, so the setting of the time threshold is necessary. Therefore, we use sliding time windows to slice alert sequences and aggregate alerts within the same time window." Here, Sun describes a certain period of time to mean any interval of time that contains an alert or incident and this corresponds to an active time window.
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine the references of Turgeman, Chen Z. and incorporate into the teachings of Sun because all references teach using grouping methods on text data for information management alerts.
One of ordinary skill in the art would be motivated to do so because using the grouping methods on text alert data from the teachings of Turgeman, and Chen Z., and combine with sorting the groups of text alert data by active windows from the teachings of Sun since using “a suitable similarity threshold can effectively eliminate duplicate alerts and provide higher quality data for the next data fusion layer” (Sun, page 18, section 5.3. Experimental Results), and Sun’s method “can effectively reduce redundant alerts and help network security administrators to find real attacks” (page 21, section 6. Discussion and Conclusions).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Turgeman, in view of Chen J. et al., “Online summarizing alerts through semantic and behavior information” (available at https://dl.acm.org/doi/pdf/10.1145/3510003.3510055, published on May 21, 2022) (hereafter, Chen J.).
Claim 6:
Regarding claim 6, Turgeman teaches the limitations in claim 5.
However, Turgeman did not teach “the method of claim 5, wherein adding the second alert to the new group comprises: triggering a new incident from the alert.”
In an analogous system, Chen J. teaches “The method of claim 5, wherein adding the second alert to the new group comprises: triggering a new incident from the alert,”
See Chen J. on page 1652, section 7, Online summarizing, where Chen describes that "for the newly reported alert, $e_i$, and the previously reported alert, $e_j$, in the time window, $[t_i - w, t_i]$, we can easily represent their semantic information and behavior information by ASR and ABR, respectively. Then, according to ACT, we can obtain the correlation degree between the two alerts straightforwardly, which is defined as $\hat{P}_{i,j} = [\hat{p}_{i,j}^{1}, \hat{p}_{i,j}^{2}]$. Specifically, $\hat{p}_{i,j}^{1}$ indicates the probability that the alerts are correlated, and $\hat{p}_{i,j}^{2}$ indicates the probability that the alerts are uncorrelated. If $\hat{p}_{i,j}^{1} > \hat{p}_{i,j}^{2}$, $e_i$ and $e_j$ may belong to the same system failure." Later, Chen mentions "Then, as shown in Figure 6, if $q_i$ exists, we add $e_i$ into the incident of $e_{q_i}$. Otherwise, we form a new incident for $e_i$". Here, Chen shows that if $q_i$, or the alert most correlated to the newly reported alert $e_i$, exists, then the process involves adding the newly reported alert to the alert log record. However, if $q_i$ does not exist, then a new incident is created. This corresponds with the claim language that adding a newly reported alert that is not matched with any of the previous groups of alerts (i.e. second alert) comprises triggering a new incident from the alert.
See also Chen J. in figure 6 and on page 1652, section 7, Online Summarizing, where the figure shows that if a newly reported alert did not match any of the previous groups of alerts, then a new incident is triggered.
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine the base reference of Turgeman and incorporate into the teachings of Chen J. because both references teach grouping information technology alerts into groups called incidents using models that organize text data.
One of ordinary skill in the art would be motivated to do so because incorporating the method of Turgeman of comparing text embeddings of incoming alerts to existing groups of alerts with the method of Chen J. would bring an approach to “efficiently summarize alerts online” (Chen J., page 1656, section 8, Conclusion), and with designing “three deep learning approaches, [the models] ASR, ABR and ACT … automatically summarize alerts, and experimental results show that our approaches can achieve the best effectiveness” (Chen J., page 1647, section 1, Introduction).
Claims 7, 12, 13, 14, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman, in view of Alikiaamiri S. et al. (US PG Pub. No. US-20220067295-A1), published on March 3, 2022, (hereafter, Alikiaamiri).
Claim 7:
Regarding claim 7, Turgeman teaches the limitations in claim 1.
Referring to claim 7, Turgeman teaches “the method of claim 1, wherein the alert is a first alert, further comprising: receiving a second alert,”
See page 5, section 4.1.4 Incremental alerts clustering, where Turgeman describes "as a new alert appears, it is compared to all existing clusters representatives by analyzing the Euclidian distance between its corresponding metric ID embedding to all existing clusters centroids, where the cluster centroid is calculated by averaging over its corresponding alerts’ embeddings, or is equal to alert’s embedding, in case of a cluster that is composed of a single alert. If this distance is smaller than a predefined threshold, it is added to that cluster, otherwise, a new cluster holding it is created." Here, Turgeman mentions that if a new alert (i.e. second alert) is not classified into a group of the existing group of alerts from the model,
However, Turgeman did not teach “and determining whether the second alert matches any group of alerts using a text similarity tool,”
In an analogous system, Alikiaamiri teaches “determining whether the second alert matches any group of alerts using a text similarity tool”
See in paragraph [0115], where Alikiaamiri describes "a correlation microservice may be configured to pull two weeks (or another duration) of Moogsoft™ Alert data and may correlate with the incoming incident (ticket) data. The correlation microservice then sends the incident data with Moogsoft™ alert identification tags or other identification (identifiers), appended as fields, to the back-end to be written into the database." Here, Alikiaamiri teaches that the alert data includes incoming incident data and is considered additional or new alerts.
Further, Alikiaamiri describes in paragraph [0132] that "in reference to FIGS. 15 and 16, in some embodiments, the correlation engine may correlate descriptions using natural language processing. For example, this may include extracting top 10 keywords using a Rapid Automatic Keyword Extraction (RAKE) process, taking out stop words for alerts & incidents, removing words not in a GloVe (Global Vectors for Word Representation) word embedding vocabulary, measuring cosine similarities between alert & incident descriptions, and ranking correlated alerts based on description cosine similarities and time differences for each incident. GloVe is an unsupervised learning algorithm for obtaining vector representations for words, by mapping words into a vector space where the metric distance between words is related to semantic similarity. Other machine learning algorithms may be utilized as well for natural language processing." Alikiaamiri in paragraph [0135] describes "the correlation of the description is carried out by associating an alert-specific description with a ticket-specific description if a cosine similarity between the alert-specific description and the ticket-specific description is below a description-correlation threshold."
Further, Alikiaamiri elaborates in paragraph [0151] "in some embodiments, the correlation engine may rank correlations. For example, correlation based on app codes may have the highest priority, followed by correlation based on descriptions, followed by correlation based on time (time-stamp). In various embodiments, the app codes may be correlated if they match exactly, the descriptions may be correlated based on GloVe embedding (cosine) similarity (being above a predefined threshold), and the time may be correlated based on differences in time (being below a predefined threshold." Here, Alikiaamiri provides examples of how to use the correlation engine tool in paragraph [0132] that uses word embeddings and the cosine similarity measurements (i.e. text similarity tool) for evaluating alerts in information technology tickets. This information along with the information Alikiaamiri discusses from paragraph [0115] shows determining if an incoming alert (i.e. second alert) matches any group of alerts using a text similarity tool. In paragraph [0151], Alikiaamiri explains that there may be a matching of the incoming alert if the embedding cosine similarity is above a predefined threshold, then using the correlation engine (i.e. text similarity tool) that new alert matches a group of alerts. See Alikiaamiri in paragraph [0237] for more information.
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine the base reference of Turgeman and incorporate into the teachings of Alikiaamiri because both references teach grouping information technology alerts into groups called incidents using models that organize text data.
One of ordinary skill in the art would be motivated to do so because incorporating the method of Turgeman of comparing text embeddings of incoming alerts to existing groups of alerts with a text similarity tool of Alikiaamiri, “is cohesive and coherent to allow rapid association of incident tickets and alerts and to glean insights into broader topics or categories of issues being faced by the technology infrastructure” (paragraph [0015], Alikiaamiri), and “these solutions issue service alerts accessible to one or more levels of the IT support system and may often be associated with incident tickets logged by a customer or a device in the IT support system… such solutions may monitor IT incident tickets and their historical patterns” (paragraph [0079], Alikiaamiri).
Claim 12:
Referring to claim 12, Turgeman teaches “A method, comprising: receiving an alert;”
See Turgeman on page 5, section 4.1.4 in the section Incremental alerts clustering, that "as a new alert appears, it is compared to all existing clusters representatives by analyzing the Euclidian distance between its corresponding metric ID embedding to all existing clusters centroids, where the cluster centroid is calculated by averaging over its corresponding alerts’ embeddings, or is equal to alert’s embedding, in case of a cluster that is composed of a single alert. If this distance is smaller than a predefined threshold, it is added to that cluster, otherwise, a new cluster holding it is created." Here, Turgeman teaches receiving a record of an alert related to an information technology incident.
Further, Turgeman teaches “responsive to determining that the alert does not match any of the groups of alerts, determining, using a machine-learning model, whether an embedding corresponding to the alert meets a similarity threshold to a respective embedding of any of the groups of alerts,”
See Turgeman on page 5, section 4.1.4 in section Incremental alerts clustering, that "as a new alert appears, it is compared to all existing clusters representatives by analyzing the Euclidian distance between its corresponding metric ID embedding to all existing clusters centroids, where the cluster centroid is calculated by averaging over its corresponding alerts’ embeddings, or is equal to alert’s embedding, in case of a cluster that is composed of a single alert. If this distance is smaller than a predefined threshold, it is added to that cluster, otherwise, a new cluster holding it is created." Here, Turgeman describes sorting a new alert to a group of alerts using a threshold to evaluate an alert to see if an embedding that relates to the alert matches the threshold or not. Additionally, Turgeman teaches using a cosine similarity threshold value, either thp or thc on table 1, page 6.
Here, Turgeman further specifies using the model to see if an embedding that corresponds to the alert meets a similarity threshold to a respective embedding of any of the groups of alerts.
Further, Turgeman teaches “responsive to the embedding meeting the similarity threshold with an embedding of a group of alerts, adding the alert to the group of alerts.”
See Turgeman in section 4.1.4 on page 5 describing that "as a new alert appears, it is compared to all existing clusters representatives by analyzing the Euclidian distance between its corresponding metric ID embedding to all existing clusters centroids, where the cluster centroid is calculated by averaging over its corresponding alerts’ embeddings, or is equal to alert’s embedding, in case of a cluster that is composed of a single alert. If this distance is smaller than a predefined threshold, it is added to that cluster, otherwise, a new cluster holding it is created." See Turgeman in page 3, section 2.2, where Turgeman describes that "as a new alert enters the system, it is identified in real-time and placed under the right cluster. The results are then presented to end users, thus helping them immediately surface useful information from large volumes of alerts." See Turgeman on page 2, section 2. Objective & motivation, where Turgeman describes “alerts are typically composed of two components: a metric-based condition or threshold, and an action to perform when the values fall outside of the acceptable conditions”, and table 1, page 6, and the algorithms 1 and 3 on page 5 for more information. Here, Turgeman shows that as a new alert enters the system, the alert is immediately identified by comparing with a similarity threshold and placed under the right cluster, which relates to adding the alert to the group of alerts.
However, Turgeman did not explicitly teach “determining, using a text similarly tool and based on a text of the alert, whether the alert matches a group of alerts of groups of alerts;”
In an analogous system, Alikiaamiri teaches “determining, using a text similarly tool and based on a text of the alert, whether the alert matches a group of alerts of groups of alerts;”
See Alikiaamiri in paragraph [0015], describing that "aspects disclosed herein are directed to approaches to have alerts generated by analytics solutions automatically integrated with incident tickets, and delivered to a remote user (IT staff) as support information. The support information is cohesive and coherent to allow rapid association of incident tickets and alerts and to glean insights into broader topics or categories of issues being faced by the technology infrastructure." Here, Alikiaamiri teaches the use of clustering methods for text data especially for organizing alert incidents.
Additionally, Alikiaamiri describes in paragraph [0132] “the correlation engine may correlate descriptions using natural language processing. For example, this may include extracting top 10 keywords using a Rapid Automatic Keyword Extraction (RAKE) process, taking out stop words for alerts & incidents, removing words not in a GloVe (Global Vectors for Word Representation) word embedding vocabulary, measuring cosine similarities between alert & incident descriptions, and ranking correlated alerts based on description cosine similarities and time differences for each incident. GloVe is an unsupervised learning algorithm for obtaining vector representations for words, by mapping words into a vector space where the metric distance between words is related to semantic similarity. Other machine learning algorithms may be utilized as well for natural language processing. Some embodiments may include converting Gensim KeyedVectors and Word2Vec word embeddings to GloVe word embeddings." Here, Alikiaamiri teaches the use of similarity tools, such as semantic similarity or cosine similarity, for organizing text data. This corresponds with using a text similarly tool to determine if an alert matches a group of alerts. See Alikiaamiri in paragraph [0151] for more information.
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine the base reference of Turgeman and incorporate into the teachings of Alikiaamiri because both references teach grouping information technology alerts into groups called incidents using models that organize text data.
One of ordinary skill in the art would be motivated to do so because incorporating the method of Turgeman of comparing text embeddings of incoming alerts to existing groups of alerts with a text similarity tool of Alikiaamiri “is cohesive and coherent to allow rapid association of incident tickets and alerts and to glean insights into broader topics or categories of issues being faced by the technology infrastructure” (paragraph [0015], Alikiaamiri), and “these solutions issue service alerts accessible to one or more levels of the IT support system and may often be associated with incident tickets logged by a customer or a device in the IT support system… such solutions may monitor IT incident tickets and their historical patterns” (paragraph [0079], Alikiaamiri).
Claim 13:
Regarding claim 13, Turgeman in view of Alikiaamiri, teaches the limitations in claim 12.
Further, Turgeman teaches “The method of claim 12, further comprising: responsive to the embedding not meeting the similarity threshold with any respective embedding of the groups of alerts, adding the alert to a new group of alerts,”
See Turgeman on page 9, section 6.22 Trade-off control, where Turgeman describes "Fig. 5 (a) shows the resulted clusters number and mean size, as a function of thdist. Clearly, the number of clusters decreases as thdist increases, and, on the other hand, the mean cluster size increases, as the algorithm tends to merge new alerts to existing clusters. For very low thdist values, the algorithm yields similar clusters to those obtained by the ‘conservative’ model (Fig. 5 (b)), indicating that a lower threshold based clustering mechanism yields results that are similar to those obtained by the pair-wise similarity-based mechanism (section 4.1.2)." See also Turgeman on page 5, section 4.1.4, Incremental alerts clustering, describing "The process starts by initializing a set of cluster representatives, where incoming alerts are processed sequentially. As a new alert appears, it is compared to all existing clusters representatives by analyzing the Euclidian distance between its corresponding metric ID embedding to all existing clusters centroids, where the cluster centroid is calculated by averaging over its corresponding alerts’ embeddings, or is equal to alert’s embedding, in case of a cluster that is composed of a single alert. If this distance is smaller than a predefined threshold, it is added to that cluster, otherwise, a new cluster holding it is created." Here, Turgeman shows that if the text embedding of the alert did not meet a similarity threshold value, thdist in this case, from those of the other embeddings in the existing groups of alerts, then the algorithm initially attempts to find a place for the new alert in the existing groups of alerts. However, if the algorithm cannot, then Turgeman mentions on page 5, section 4.1.4, "a new cluster holding it is created", which corresponds to the new alert being added to a new group.
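The incremental clustering step quoted above from Turgeman, section 4.1.4, and the thdist trade-off quoted from section 6.22 can be illustrated as follows. This is an added example, not part of the Office action and not code from Turgeman; the two-dimensional embeddings, the alert names, and the choice to join the nearest cluster when several are within the threshold are assumptions made for illustration.

```python
import math

# Constructed sample stream: (alert id, embedding). Real embeddings would come
# from a trained model; these 2-D vectors are made up for the illustration.
CONSTRUCTED_ALERTS = [
    ("cpu-01", [0.0, 0.0]),
    ("cpu-02", [0.2, 0.0]),
    ("disk-01", [2.0, 2.0]),
    ("cpu-03", [0.1, 0.2]),
    ("disk-02", [2.1, 1.9]),
    ("net-01", [1.0, 1.0]),
]


def centroid(vectors):
    """Average the embeddings of a cluster; a single alert is its own centroid."""
    n = len(vectors)
    return [sum(column) / n for column in zip(*vectors)]


def euclidean(a, b):
    """Euclidean distance between two embeddings of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def incremental_cluster(alerts, th_dist):
    """Process alerts sequentially and return clusters as lists of alert ids.

    Each new alert is compared with every existing cluster centroid. If the
    nearest centroid is closer than th_dist the alert joins that cluster,
    otherwise a new cluster holding only that alert is created.
    """
    clusters = []  # each entry: {"ids": [...], "vecs": [...]}
    for alert_id, embedding in alerts:
        nearest, nearest_dist = None, math.inf
        for cluster in clusters:
            dist = euclidean(embedding, centroid(cluster["vecs"]))
            if dist < nearest_dist:
                nearest, nearest_dist = cluster, dist
        if nearest is not None and nearest_dist < th_dist:
            nearest["ids"].append(alert_id)
            nearest["vecs"].append(embedding)
        else:
            clusters.append({"ids": [alert_id], "vecs": [embedding]})
    return [cluster["ids"] for cluster in clusters]


def cluster_counts(alerts, thresholds):
    """Number of clusters produced for each threshold, in the order given."""
    return [len(incremental_cluster(alerts, th)) for th in thresholds]


if __name__ == "__main__":
    for th in (0.15, 0.5, 1.35):
        print(th, incremental_cluster(CONSTRUCTED_ALERTS, th))
```

On this constructed stream a larger threshold yields fewer, larger clusters, which is the behavior the section 6.22 quotation describes.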
Claim 14:
Regarding claim 14, Turgeman in view of Alikiaamiri, teaches the limitations in claim 12.
Further, Turgeman teaches “The method of claim 12, wherein the machine-learning model is trained by steps comprising: obtaining training data, wherein each training datum comprises a series of alert texts obtained from historical alerts;”
See Turgeman in page 2, section 2 Objective & motivation, where Turgeman describes “the primary objective of this research is to develop a high-performance mechanism that provides quick insights into the overall system state, by utilizing alert historical data to group continuous alert streams in real-time.”
Further, Turgeman in page 4, section 4.1.1. Contextualized metric embedding-based model (‘liberal’) teaches “the model is trained using historical data and is applied to incoming alerts. The suggested modeling approach is influenced by several recent advances in Natural Language Processing (NLP).” Here, Turgeman teaches that the model is using training data, where the data comprises historical alert data records.
In figure 1, Turgeman shows that the training data comprises historical data, which includes previous historical alerts. From figure 1, Turgeman illustrates that the historical data is later used for model training into an ML model and later grouped by various programs.
Further, Turgeman teaches “and training the machine-learning model using the training data to output embedding for alert texts.”
See Turgeman in page 6, section 5.2, where Turgeman describes "1. The data set is split into train and test sets; The train set spans the date range of between 22/1/2020 to 21/3/2020 and is composed of 27,109 alerts, and the test set spans the date range of between 22/3/2020 to 28/3/2020 and is composed of 2963 alerts.
2. We train the model using a python implementation of Gensim word2vec.
3. Data for training is in a data frame format; Metric ID is generated using the definitions in section 4.1.
4. Based on alert history, the algorithm generates pair-wise proximity models, by using both the contextualized metric embedding-based model (section 4.1.1), and the frequency-based model (section 4.1.2).
5. The post-processing algorithm is applied to metric embedding outcomes (section 4.1.3).
6. The incremental clustering algorithm is then applied to the testing set alerts, yielding a set of cluster outcomes.
7. The parameters used for training and testing are shown in Table 1."
Here, Turgeman describes that training the model involves the steps of splitting the data into a training set and a testing set, then letting the model create embeddings for the text alert data and group the alert data based on embeddings. See Turgeman in page 4, section 4.1.1. Contextualized metric embedding-based model for more information.
Claim 18:
Regarding claim 18, Turgeman teaches the following limitations:
“to: receive an alert,”
See Turgeman describe in page 5, section 4.1.4 in Incremental alerts clustering, "as a new alert appears, it is compared to all existing clusters representatives by analyzing the Euclidian distance between its corresponding metric ID embedding to all existing clusters centroids, where the cluster centroid is calculated by averaging over its corresponding alerts’ embeddings, or is equal to alert’s embedding, in case of a cluster that is composed of a single alert. If this distance is smaller than a predefined threshold, it is added to that cluster, otherwise, a new cluster holding it is created." Here, Turgeman talks about receiving a record of an alert related to an information technology incident.
“obtain, using a machine-learning model, an embedding for the alert, wherein the machine-learning model is trained to: obtain training data, wherein each training datum comprises a series of alert texts obtained from historical alerts;”
See Turgeman in page 4, section 4.1.1 Contextualized metric embedding-based model (‘liberal’), which mentions "the model is trained using historical data and is applied to incoming alerts…The input to the model is a history of n recent alerts corresponding metric IDs, within a time window w, e.g. {m1, m2, ..., mn}. Using the extracted metrics correlation matrix and an anomaly counter module, the suggested algorithm generates a sparse matrix containing the number of times every two alerts had co-occurred within a pre-defined time window. We train a Word2Vec model (Mikolov et al., 2013) using a 1-hidden-layer neural network based on the synthetic task of given an input metric. The network is trained by feeding the extracted metric pairs co-occurrence data, to learn statistics from the number of times each pairing occurs. The output is the conditional probability distribution, Pr[mt|w], describing the probability for each metric ID to appear nearby a given one from w. A virtual one-hot encoding of metrics goes through a ‘projection layer’ to the hidden layer; these projection weights are later interpreted as a distributed representation of the metrics (e.g., “embeddings”), which are then utilized by a tailored incremental clustering algorithm to dynamically cluster incoming alerts in real time." Here, Turgeman describes using a machine learning model, where training data comprises a series of recent alerts from historical data (i.e. a series of alert texts obtained from historical alerts) to obtain embeddings for incoming alerts.
Further, Turgeman in page 4, section 4.1.1. Contextualized metric embedding-based model (‘liberal’) also teaches “the model is trained using historical data and is applied to incoming alerts. The suggested modeling approach is influenced by several recent advances in Natural Language Processing (NLP).” Here, Turgeman teaches that the model is using training data, where the data comprises historical alert data records.
See Turgeman in page 6, section 5.2. Experimental setup and in page 2, section 2 Objective & motivation for more information.
“and output embedding for alert texts;”
See Turgeman in section 5.2 Experimental setup, page 6, where Turgeman describes that training the model involves "4. Based on alert history, the algorithm generates pair-wise proximity models, by using both the contextualized metric embedding-based model (section 4.1.1), and the frequency-based model (section 4.1.2). 5. The post-processing algorithm is applied to metric embedding outcomes (section 4.1.3). 6. The incremental clustering algorithm is then applied to the testing set alerts, yielding a set of cluster outcomes. 7. The parameters used for training and testing are shown in Table 1." Here, Turgeman illustrates that the outputs are the metric embedding outcomes or embeddings from the model.
“identify, based on the embedding, a group of alerts;”
See Turgeman in section 4.1.4 on page 5 describing that "as a new alert appears, it is compared to all existing clusters representatives by analyzing the Euclidian distance between its corresponding metric ID embedding to all existing clusters centroids, where the cluster centroid is calculated by averaging over its corresponding alerts’ embeddings, or is equal to alert’s embedding, in case of a cluster that is composed of a single alert." Here, Turgeman describes that based on the average of the corresponding alerts' embeddings (i.e. embedding), Turgeman was able to identify a cluster centroid, which corresponds to a group of alerts.
“and add the alert to the group of alerts,”
See Turgeman in page 3, section 2.2, where Turgeman describes that "demonstrating that the suggested approach can adequately model various types of environments and that it is updatable and flexible. As a new alert enters the system, it is identified in real-time and placed under the right cluster. The results are then presented to end users, thus helping them immediately surface useful information from large volumes of alerts," Here, Turgeman shows that as a new alert enters the system, the alert is immediately identified and placed under the right cluster, which relates to adding the alert to the group of alerts.
However, Turgeman does not teach “a device, comprising: a memory; and a processor, the processor configured to execute instructions stored in the memory…”
In an analogous art, Alikiaamiri teaches “a device, comprising: a memory; and a processor, the processor configured to execute instructions stored in the memory…”
Alikiaamiri describes in paragraph [0088] that "the technology support and monitoring system can include one of more computer processors (e.g., microprocessors) which operate in conjunction with computer memory (e.g., RAM, ROM) to provide an improved ticket clustering system as described in various embodiments herein." Further, Alikiaamiri describes in paragraphs [0089-0091] that "the technology support monitoring system, in some embodiments, can be a computer server or a special purpose computer appliance, which resides within a data center and can couple to a message bus to receive various data sets from upstream IT service ticket systems, and generate one or more output data structures based on clustered information derived from conducting natural language processing operations. FIG. 2 shows schematic examples 200 of incident tickets (tickets). Incident reports are generated and can include incident tickets that are represented in the form of data objects that have underlying data fields and data values. These fields, include, for example, a textual brief description of the issue (e.g., a subject line of the incident report), followed by a longer full description of the issue (e.g., reproducibility steps, error codes, core dumps, additional explanation by the user)." Here, Alikiaamiri talks about using a system with a memory and processor shown in figure 2 to process the data received from the information technology incident tickets (i.e. alerts).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine the base reference of Turgeman and incorporate into the teachings of Alikiaamiri because both references teach grouping information technology alerts into groups called incidents using models that organize text data.
One of ordinary skill in the art would be motivated to do so because incorporating the method of Turgeman of comparing text embeddings of incoming alerts to existing groups of alerts with a text similarity tool of Alikiaamiri “is cohesive and coherent to allow rapid association of incident tickets and alerts and to glean insights into broader topics or categories of issues being faced by the technology infrastructure” (paragraph [0015], Alikiaamiri), and “these solutions issue service alerts accessible to one or more levels of the IT support system and may often be associated with incident tickets logged by a customer or a device in the IT support system… such solutions may monitor IT incident tickets and their historical patterns” (paragraph [0079], Alikiaamiri).
Claims 8, 9, 10, and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman, in view of Alikiaamiri, and further in view of Chen J.
Claim 8:
Regarding claim 8, Turgeman in view of Alikiaamiri, teaches the limitations in claim 7.
Referring to claim 8, Turgeman in view of Alikiaamiri did not teach “the method of claim 7, further comprising: responsive to determining, using the text similarity tool, that the second alert does not match any group of alerts, using the machine-learning model to determine whether the second alert matches any of the any group of alerts,”
In an analogous field, Chen J. teaches “the method of claim 7, further comprising: responsive to determining, using the text similarity tool, that the second alert does not match any group of alerts, using the machine-learning model to determine whether the second alert matches any of the any group of alerts,”
See Chen J. on page 1648, section 3 Motivation, which describes "our study aims to automatically summarize such alerts into a group, named as incident, thereby reducing the number of alerts analyzed by maintenance engineers. To mine the correlation between alerts, in this paper, we leverage two types of alert information, semantic information and behavior information." In page 1647, Chen describes "Two deep learning models, ASR and ABR, are proposed to extract these information respectively. ASR (Alert Semantics Representation) extracts the semantics of alerts, which aggregates the contextual information of alert words according their importance. Meanwhile, ABR (Alert Behavior Representation) mines the common behavior pattern between alerts from the alert occurrence series. Then, to deal with the complexity of the alert correlation, instead of determining the correlation by simply setting a fixed threshold, we design a deep learning model, ACT (Alert CorrelaTion), to combine above two types of alert information and determine the correlation between alerts automatically." Here, Chen J. describes using the machine learning models ASR (Alert Semantics Representation) and ABR (Alert Behavior Representation) to understand the types of alert information and group them by similar text content.
Additionally, see page 1649, section 3.3 Combining Semantic and Behavior Information, where Chen J. also talks about “given two alerts, computing the similarity between their semantic information or behavior information, as long as one similarity exceeds the threshold, these two alerts are considered as correlated.” Chen J. here teaches using a similarity tool that incorporates the above machine learning models ASR and ABR to match a second or incoming alert to any of the existing groups of alerts. See Chen J. in figure 6 on page 1652 for more information.
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine the base reference of Turgeman and Alikiaamiri and incorporate into the teachings of Chen J. because all references teach grouping information technology alerts into groups called incidents using models that organize text data.
One of ordinary skill in the art would be motivated to do so because incorporating the methods of Turgeman and Alikiaamiri of comparing text data of incoming alerts to existing groups of alerts with the method of Chen J. would bring an approach to “efficiently summarize alerts online” (Chen J., page 1656, section 8, Conclusion), and with designing “three deep learning approaches, [the models] ASR, ABR and ACT … automatically summarize alerts, and experimental results show that our approaches can achieve the best effectiveness” (Chen J., page 1647, section 1, Introduction).
Claim 9:
Regarding claim 9, Turgeman in view of Alikiaamiri, and further in view of Chen J. teaches the limitations in claim 8.
Referring to claim 9, Turgeman further teaches the limitation “the method of claim 8, further comprising: responsive to determining that the second alert does not match any group of alerts, adding the second alert to a new group of alerts”,
See Turgeman in page 5, section 4.1.4, Incremental alerts clustering, where Turgeman describes "as a new alert appears, it is compared to all existing clusters representatives by analyzing the Euclidian distance between its corresponding metric ID embedding to all existing clusters centroids, where the cluster centroid is calculated by averaging over its corresponding alerts’ embeddings, or is equal to alert’s embedding, in case of a cluster that is composed of a single alert. If this distance is smaller than a predefined threshold, it is added to that cluster, otherwise, a new cluster holding it is created." Here, Turgeman teaches that if the incoming new alert (i.e. second alert) does not match any of the group of alerts, then the second alert is added to a new cluster (i.e. new group of alerts). Turgeman also teaches that the matching process here is comparing an alert’s embedding with a predefined threshold.
Claim 10:
Regarding claim 10, Turgeman in view of Alikiaamiri, and further in view of Chen J. teaches the limitations in claim 8.
Referring to claim 10, Turgeman further teaches “the method of claim 8, further comprising: responsive to determining that the second alert matches a group of alerts, adding the second alert to the group of alerts,”
See Turgeman in page 5, section 4.1.4, Incremental alerts clustering, where Turgeman describes "as a new alert appears, it is compared to all existing clusters representatives by analyzing the Euclidian distance between its corresponding metric ID embedding to all existing clusters centroids, where the cluster centroid is calculated by averaging over its corresponding alerts’ embeddings, or is equal to alert’s embedding, in case of a cluster that is composed of a single alert. If this distance is smaller than a predefined threshold, it is added to that cluster, otherwise, a new cluster holding it is created." Here, Turgeman teaches that if the incoming new alert (i.e. second alert) matches any of the group of alerts, then the second alert is added to that group. Turgeman teaches that the matching process here is comparing an alert’s embedding with a predefined threshold.
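The incremental clustering step quoted from Turgeman for claims 9 and 10 can be sketched as follows. This is an added example, not code from Turgeman or from the application; the 2-D embeddings, the threshold of 1.0, and the choice to test only the nearest centroid are assumptions made for illustration.

```python
import math

def euclidean(a, b):
    """Euclidean distance between two equal-length embedding vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class IncrementalAlertClusterer:
    """Assigns each new alert to an existing cluster or opens a new one."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.clusters = []  # each cluster is a list of (alert_id, embedding)

    def centroid(self, idx):
        # Average of the member embeddings; for a single-alert cluster this
        # is simply that alert's embedding, as in the quoted passage.
        members = self.clusters[idx]
        dim = len(members[0][1])
        return [sum(e[d] for _, e in members) / len(members) for d in range(dim)]

    def assign(self, alert_id, embedding):
        """Return (cluster_index, created_new_cluster)."""
        best_idx, best_dist = None, math.inf
        for idx in range(len(self.clusters)):
            dist = euclidean(embedding, self.centroid(idx))
            if dist < best_dist:
                best_idx, best_dist = idx, dist
        # Assumption: only the nearest centroid is tested against the threshold.
        if best_idx is not None and best_dist < self.threshold:
            self.clusters[best_idx].append((alert_id, embedding))
            return best_idx, False
        self.clusters.append([(alert_id, embedding)])
        return len(self.clusters) - 1, True

# Constructed sample stream of (alert_id, embedding); not real alert data.
STREAM = [
    ("a1", (0.0, 0.0)),    # first alert: opens cluster 0
    ("a2", (0.8, 0.0)),    # 0.8 from centroid (0, 0): joins cluster 0
    ("a3", (1.3, 0.0)),    # 0.9 from centroid (0.4, 0): joins cluster 0
    ("a4", (5.0, 5.0)),    # far from everything: opens cluster 1
    ("a5", (-0.35, 0.0)),  # 0.35 from a1, but 1.05 from the drifted centroid
]

def run(stream, threshold):
    """Feed the stream through a fresh clusterer; return decisions and state."""
    clusterer = IncrementalAlertClusterer(threshold)
    decisions = [clusterer.assign(aid, emb) for aid, emb in stream]
    return decisions, clusterer

if __name__ == "__main__":
    decisions, _ = run(STREAM, threshold=1.0)
    for (aid, _), (idx, created) in zip(STREAM, decisions):
        print(aid, "-> cluster", idx, "(new)" if created else "(joined)")
```

The last alert shows the order dependence of centroid-based matching: it lies close to the cluster's first member but is placed in a new group because the centroid has moved as alerts were added.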
Claim 11:
Regarding claim 11, Turgeman in view of Alikiaamiri, and further in view of Chen J. teaches the limitations in claim 10.
Turgeman in view of Alikiaamiri did not teach “the method of claim 10, wherein an incident corresponds to the group of alerts, and wherein adding the second alert to the group of alerts comprises: grouping the second alert under the incident.”
However, in an analogous system, Chen J. teaches “the method of claim 10, wherein an incident corresponds to the group of alerts, and wherein adding the second alert to the group of alerts comprises: grouping the second alert under the incident,”
See Chen J., page 1653, section 8.2, which describes "since Jaccard [13, 31], Word2Vec [19], and LDA [2, 33] are widely used to measure the semantic relevance of alerts, we thus compare our approaches with such three approaches. In addition, we also individually evaluate the ability of ASR and ABR, respectively. Specifically, to summarize alerts online by ASR, we adopt the online summarizing strategy in Section 7. For the newly generated alert, e_i, instead of ACT, we find its most relevant alert during [t_i − w, t_i] by the cosine similarity between semantic representations. Then, if the maximum cosine similarity is larger than a fixed threshold, we then add e_i into the incident of the most relevant alert. Otherwise, we form a new incident for e_i."
Additionally, Chen J. in section 3 Motivation, page 1648, explicitly mentions "our study aims to automatically summarize such alerts into a group, named as incident, thereby reducing the number of alerts analyzed by maintenance engineers. To mine the correlation between alerts, in this paper, we leverage two types of alert information, semantic information and behavior information." Here, Chen J. on page 1653 teaches adding a new alert e_i (i.e. second alert) into the incident of the most relevant alert (i.e. add second alert to the group of alerts). Further, Chen J. on page 1648 teaches that a new alert (i.e. second alert) will be grouped under the incident. Here, Chen J. states that the new alert will be sorted into a group called an incident, which therefore corresponds to grouping the second alert under the incident.
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine the references of Turgeman and Alikiaamiri, and incorporate into the teachings of Chen J. because these references teach grouping information technology alerts into groups called incidents using models that organize text data.
One of ordinary skill in the art would be motivated to do so because incorporating the method of Turgeman and Alikiaamiri of comparing text embeddings of incoming alerts to existing groups of alerts with the method of Chen J. would bring an approach to “efficiently summarize alerts online” (Chen J., page 1656, section 8, Conclusion), and with designing “three deep learning approaches, [the models] ASR, ABR and ACT … automatically summarize alerts, and experimental results show that our approaches can achieve the best effectiveness” (Chen J., page 1647, section 1, Introduction).
Claims 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman, in view of Alikiaamiri, and in further view of Chen Z.
Claim 15:
Regarding claim 15, Turgeman in view of Alikiaamiri, teaches the limitations in claim 14.
Referring to claim 15, Turgeman in view of Alikiaamiri did not teach the following:
“The method of claim 14, wherein obtaining the training data comprises: grouping the historical alerts into samples of alerts,”
“generating respective graphs for the samples of alerts, wherein each historical alert of a sample of alerts is connected to every other historical alert of the sample of alerts,”
“combining the respective graphs into a combined graph,”
“obtaining random walks of nodes of the combined graph, wherein each random walk corresponds to a training datum and includes respective texts of the nodes of the random walk.”
In an analogous system, Chen Z. teaches “the method of claim 14, wherein obtaining the training data comprises: grouping the historical alerts into samples of alerts,”
See Chen Z. in page 435, sections D. Graph-based Incident Representation Learning and E. Online Incident Aggregation, describes where the graph "set the walk length as 40, i.e., each incident sequence will contain 40 samples… Each group of aggregated incidents represents a specific type of service issue, such as hardware issue, network traffic issue, network interface down, etc." Here, Chen Z. teaches that the incident sequence contains grouping the historical alerts into samples of alerts.
Further, Chen Z. teaches “generating respective graphs for the samples of alerts, wherein each historical alert of a sample of alerts is connected to every other historical alert of the sample of alerts,”
See Chen Z., pages 430-431, section I. Introduction, which describes proposing a method called "GRLIA (stands for Graph Representation Learning-based Incident Aggregation), which is an incident aggregation framework to assist engineers in failure understanding and diagnosis...to learn a feature representation for each unique type of incident, which can appear in multiple places of the graph. The representation encodes the historical co-occurrence of incidents and their topological structure. Thus, they can be naturally used for incident aggregation in online scenarios. To track the impact graph of a failure (i.e., the incidents triggered by the failure)." Here, Chen Z. teaches creating graphs for organizing each unique type of incident and historical co-occurrence of incidents (i.e. the samples of alerts where they are connected to every other historical alert of the sample).
Further, Chen Z. teaches “combining the respective graphs into a combined graph,”
See Chen Z. in page 431, section I. Introduction, describes a method they "propose to identify service failures’ impact graph, which consists of the incidents that originate from the same failures. Such an impact graph helps us obtain a complete picture of failures’ cascading effect. To this end, we combine incidents with KPIs to measure the behavioral similarity between services." In figures 1 and 2, Chen Z. further illustrates combining graphs of the groups of incidents or alerts. Here, Chen Z. teaches combining incidents to group them into an impact graph, which relates to combining the respective graphs into a combined graph.
Further, Chen Z. teaches “obtaining random walks of nodes of the combined graph, wherein each random walk corresponds to a training datum and includes respective texts of the nodes of the random walk,”
See Chen Z. in page 435, section D. Graph-based Incident Representation Learning, describes a method called “DeepWalk belongs to the class of shallow embedding approaches that learn the node embeddings based on random walk statistics… the training data generated by sampling random walks starting from each node…. For each failure-impact graph, incident sequences are generated through random walk starting from every node inside. In reality, each node usually generates more than one incident when failures happen. Our tailored random walk strategy therefore contains two hierarchical steps. In the first step, a node is chosen by performing random walks on node level; in the second step, an incident will be randomly selected from those reported by the chosen node.” In addition, Chen Z. describes in page 435, section D, that “a typical graph representation learning algorithm learns an embedding vector for all nodes of a graph”. Chen Z. also illustrates the visual appearance of a combined graph in figure 3. Here, Chen Z. teaches obtaining random walks of nodes of the combined graph, where the training data generated by sampling random walks starting from each node (i.e. each random walk corresponds to a training datum) and includes node embeddings (i.e. respective texts of the nodes) of the random walk. See Chen Z. in pages 432 and 440 for more information.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the base reference of Turgeman along with the teachings of Chen Z. by using the teachings of Turgeman in organizing alert texts with historical alerts into groups and graphs, with the teaching of Chen Z. in incorporating graphs with random walks of nodes as text into the organized graphs.
One of ordinary skill in the art would be motivated to do so because by integrating the framework of Chen Z. into the methods of Turgeman, one with ordinary skill in the art would achieve the goal of providing “When a service failure occurs, aggregating related incidents can greatly reduce the number of incidents that need to be investigated,” (Chen Z., page 1, I. Introduction section), and having “such an impact graph helps us obtain a complete picture of failures’ cascading effect. To this end, we combine incidents with KPIs to measure the behavioral similarity between services. Community detection algorithms are then applied to determine the failure impact graph of different failures automatically.” (Chen Z., page 2, I. Introduction section).
Claim 19:
Regarding claim 19, Turgeman teaches the limitations in claim 18.
Referring to claim 19, the claim recites similar limitations as corresponding claim 15 and is rejected for similar reasons as claim 15 using similar teachings and rationale.
Claims 16, 17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman in view of Alikiaamiri, in further view of Chen Z., and in further view of Sun.
Claim 16:
Referring to claim 16, Turgeman in view of Alikiaamiri, in further view of Chen Z. teaches the limitations in claim 15.
However, regarding claim 16, Turgeman in view of Alikiaamiri, in further view of Chen Z. did not teach the limitation, “the method of claim 15, wherein grouping the historical alerts into the samples of alerts comprises: grouping the historical alerts into the samples of alerts based on overlapping sliding windows over the historical alerts.”
In an analogous system, Sun teaches “the method of claim 15, wherein grouping the historical alerts into the samples of alerts comprises: grouping the historical alerts into the samples of alerts based on overlapping sliding windows over the historical alerts,”
See Sun in page 15, section 4.4: Alert Similarity Calculation, that the researchers "calculated the corresponding important attributes and their weights according to different attack classifications. In order to aggregate similar alerts, we also need to calculate the similarity value of each important attribute between the two alerts and weight the total similarity. The two alerts are aggregated if the total similarity of the two alerts is greater than the set threshold. It should be noted that we only need to forcibly reduce the alerts whose total similarity is greater than the threshold for a certain period of time, so the setting of the time threshold is necessary. Therefore, we use sliding time windows to slice alert sequences and aggregate alerts within the same time window."
Here, Sun describes using a sliding time window interval to group alerts to classify them.
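The training-data steps recited in claims 15 and 16 (overlapping sliding windows, a fully connected graph per sample, a combined graph, and random walks that carry the alert texts) can be traced end to end in a short sketch. This is an added example, not code from the application, Chen Z., or Sun; the alerts, the window width and step, the walk length, and the uniform choice of the next neighbor are all assumptions.

```python
import random
from itertools import combinations

# Constructed historical alerts: (timestamp_seconds, alert_id, text).
ALERTS = [
    (0,   "a1", "disk latency high on db-01"),
    (30,  "a2", "replication lag on db-01"),
    (70,  "a3", "api 5xx rate elevated"),
    (100, "a4", "checkout request timeout"),
    (400, "a5", "certificate expiry warning on edge-02"),
]

def sliding_window_samples(alerts, width, step):
    """Group alert ids into samples; windows overlap when step < width."""
    alerts = sorted(alerts)
    samples, t = [], alerts[0][0]
    while t <= alerts[-1][0]:
        members = [aid for ts, aid, _ in alerts if t <= ts < t + width]
        if members and members not in samples:  # skip empty and duplicate windows
            samples.append(members)
        t += step
    return samples

def combined_graph(samples):
    """Connect every alert of a sample to every other, then merge all samples."""
    adj = {}
    for sample in samples:
        for node in sample:
            adj.setdefault(node, set())
        for u, v in combinations(sample, 2):
            adj[u].add(v)
            adj[v].add(u)
    return adj

def random_walks(adj, walk_len, walks_per_node, seed):
    """Walk from every node; an isolated node yields a walk of length one."""
    rng = random.Random(seed)  # seeded so the example is reproducible
    walks = []
    for start in sorted(adj):
        for _ in range(walks_per_node):
            node, walk = start, [start]
            while len(walk) < walk_len and adj[node]:
                node = rng.choice(sorted(adj[node]))  # assumption: uniform step
                walk.append(node)
            walks.append(walk)
    return walks

def training_data(walks, alerts):
    """Each walk becomes one training datum: the texts of the visited nodes."""
    texts = {aid: text for _, aid, text in alerts}
    return [[texts[n] for n in walk] for walk in walks]

if __name__ == "__main__":
    samples = sliding_window_samples(ALERTS, width=80, step=40)
    graph = combined_graph(samples)
    for datum in training_data(random_walks(graph, 4, 1, seed=7), ALERTS):
        print(" | ".join(datum))
```

Because alert a3 falls in two overlapping windows, it bridges the first sample's clique to a4 in the combined graph, while a5 stays isolated and contributes only single-node walks.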
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine the references of Turgeman, Alikiaamiri, Chen Z. and incorporate into the teachings of Sun because all references teach using grouping methods on text data for information management alerts.
One of ordinary skill in the art would be motivated to do so because, by using the grouping methods on text alert data from the teachings of Turgeman, Alikiaamiri, and Chen Z. combined with sorting the groups of text alert data by sliding time windows from the teachings of Sun, “a suitable similarity threshold can effectively eliminate duplicate alerts and provide higher quality data for the next data fusion layer” (Sun, page 18, section 5.3. Experimental Results), and Sun’s method “can effectively reduce redundant alerts and help network security administrators to find real attacks” (page 21, section 6. Discussion and Conclusions).
Claim 17:
Regarding claim 17, Turgeman in view of Alikiaamiri, in further view of Chen Z. teaches the limitations in claim 15.
However, regarding claim 17, Turgeman in view of Alikiaamiri, in further view of Chen Z. did not teach the limitation, “the method of claim 15, wherein grouping the historical alerts into the samples of alerts comprises: grouping at least some of the historical alerts into a sample associated with a historical alert of the historical alerts based on an active window associated with the historical alert.”
In an analogous system, Sun teaches “the method of claim 15, wherein grouping the historical alerts into the samples of alerts comprises: grouping at least some of the historical alerts into a sample associated with a historical alert of the historical alerts based on an active window associated with the historical alert,”
See Sun in page 15, section 4.4: Alert Similarity Calculation, where the researchers "calculated the corresponding important attributes and their weights according to different attack classifications. In order to aggregate similar alerts, we also need to calculate the similarity value of each important attribute between the two alerts and weight the total similarity. The two alerts are aggregated if the total similarity of the two alerts is greater than the set threshold. It should be noted that we only need to forcibly reduce the alerts whose total similarity is greater than the threshold for a certain period of time, so the setting of the time threshold is necessary. Therefore, we use sliding time windows to slice alert sequences and aggregate alerts within the same time window." Here, Sun describes a certain period of time to mean any interval of time that contains an alert or incident and this corresponds to an active time window.
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine the references of Turgeman, Alikiaamiri, Chen Z. and incorporate into the teachings of Sun because all references teach using grouping methods on text data for information management alerts.
One of ordinary skill in the art would be motivated to do so because, by using the grouping methods on text alert data from the teachings of Turgeman, Alikiaamiri, and Chen Z. combined with sorting the groups of text alert data by active windows from the teachings of Sun, “a suitable similarity threshold can effectively eliminate duplicate alerts and provide higher quality data for the next data fusion layer” (Sun, page 18, section 5.3. Experimental Results), and Sun’s method “can effectively reduce redundant alerts and help network security administrators to find real attacks” (page 21, section 6. Discussion and Conclusions).
Claim 20:
Regarding claim 20, Turgeman in view of Alikiaamiri, in further view of Chen Z. teaches the limitations in claim 19.
Regarding claim 20, the claim recites similar limitations as corresponding claim 16 and is rejected for similar reasons as claim 16 using similar teachings and rationale.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WENWEI ZENG whose telephone number is (571)272-7111. The examiner can normally be reached Monday-Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Usmaan Saeed, can be reached at (571) 272-4046. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/WenWei Zeng/Examiner, Art Unit 2146
/USMAAN SAEED/Supervisory Patent Examiner, Art Unit 2146