Obviousness

US Patent 7,593,936 describes systems and methods for automated computer support that involve collecting system "snapshots," creating an "adaptive reference model" from these snapshots, comparing new snapshots to the model to detect "anomalies," matching these anomalies to "recognition filters" to diagnose conditions, and then responding to those conditions. The patent's core innovation centers on the "adaptive" nature of the reference model, which is automatically generated and updated from a population of computers, allowing it to define "normal" in dynamic and diverse computing environments.

An analysis of obviousness under 35 U.S.C. § 103 considers whether the claimed invention would have been obvious to a person having ordinary skill in the art (PHOSITA) at the time of the invention (priority date: 2003-08-11), given the scope and content of the prior art, differences between the prior art and the claimed invention, and the level of ordinary skill in the art.

The patent's "Background" section extensively details the limitations of "Conventional problem management tools" and "Conventional automated computer support solutions" in existence prior to the invention. These conventional systems, which form the basis of the prior art for this analysis, include:

• Software distribution tools and configuration management tools: Used for "Mass-Healing" to ensure consistent PC configurations and detect known bad configurations [Background].
• Security products: Such as "anti-virus scanners, intrusion detection systems, and data integrity checkers" that relied on "known patterns to detect and eradicate a virus" (i.e., signatures) [Background].
• PC diagnostics and repair tools: Like those introduced by Peter Norton (Symantec.com), allowing users to "restore a PC to a restore point" (i.e., "Self-Healing") [Background].
• Knowledge bases and automated solutions for low-risk functions: Such as password resets (i.e., "Self-Service") [Background].
• Help desk software, online reference materials, and remote control software: (i.e., "Assisted Service") [Background].
• Specialized diagnostic tools: For "Desk-side Visits" [Background].

The patent explicitly identifies a "fundamental problem" with these conventional tools: "the difficulty in creating a reference model with sufficient scope, granularity, and flexibility to allow ‘normal’ to be reliably distinguished from ‘abnormal’" [Background]. It also notes that these conventional approaches assume known and stable configurations, which is not true in real-world, dynamic environments with "infinite number of good states and an infinite number of bad states" [Background].

Obviousness Combinations

A PHOSITA at the time of the invention would be skilled in computer systems administration, network management, software development, and statistical analysis, and would be familiar with the types of conventional support tools described. The motivation to combine prior art elements would stem directly from the acknowledged shortcomings of existing systems, particularly the need for more adaptable and automated solutions to manage complex and constantly changing computer environments.

Combination 1: Conventional Monitoring/Diagnostic Tools + Statistical Analysis/Data Mining + Pattern Matching + Automated Remediation

• Prior Art Elements:

  • Data Collection (Snapshots): Conventional configuration management tools, diagnostic tools, and even antivirus software necessarily collected information about a computer's state (e.g., installed software, file properties, running processes, registry entries, performance counters). While perhaps not as granular or comprehensive as the "detailed snapshot" described (e.g., digital signatures for every byte of a file), the concept of collecting system configuration data was well-established.
  • Reference Models (Static): Conventional systems used "known good configurations" or "restore points" as rudimentary reference models to determine a "normal" or desired state [Background].
  • Anomaly Detection (Limited): Antivirus software detected "anomalies" by identifying "known patterns" (signatures) of malicious software [Background]. Diagnostic tools would flag deviations from a restore point or expected configuration.
  • Statistical Analysis: The patent itself describes that for continuous processes (e.g., performance counters), "one embodiment of the present invention computes a mean and standard deviation. An anomaly is declared if the value of the counter falls more than a certain number of standard deviations away from the mean". This indicates that statistical measures for anomaly detection were known in the art.
  • Automated Response: "Conventional Self-Healing tools and utilities" aimed to "sense and automatically correct problems" [Background], and "virus detection and eradication software" performed automated fixes [Background].

• Motivation for Combination: A PHOSITA would be motivated to address the limitations of conventional systems, specifically their inability to adapt to the "infinite number of good and bad configurations" and constant changes [Background]. Recognizing the successful application of statistical analysis to numerical performance data and the need for a more flexible "reference model," it would have been obvious to extend statistical pattern recognition techniques (e.g., data mining algorithms) to all collected system state data (asset names and values) from multiple machines. This would allow the creation of a dynamic, "adaptive" definition of "normal" for a population, rather than relying on static, predefined configurations. Once statistically derived "anomalies" were identified, it would be a straightforward and obvious step to apply known pattern-matching techniques (generalized from antivirus signatures to "recognition filters") to diagnose specific conditions and trigger existing automated remediation capabilities (generalized from virus eradication to "response agents").

• How this combination renders the independent claims obvious:

  • Claim 1 (Method):

    • Receiving a plurality of snapshots from a plurality of computers & Storing the plurality of snapshots in a data store: Conventional configuration management and diagnostic tools routinely collected and stored system data from multiple machines.
    • Creating an adaptive reference model based at least in part on the plurality of snapshots: Applying known statistical analysis and data mining techniques (which existed independently) to the collected system data (snapshots) from a population of computers to learn common patterns would result in an "adaptive reference model." The "adaptive" aspect naturally arises from continuously updating the statistical patterns with new snapshots.
    • Comparing at least one of the plurality of snapshots to the adaptive reference model & Identifying at least one anomaly based on the comparison: This is a direct application of the statistically derived "normal" to detect deviations, analogous to comparing a system state against a restore point or a golden image, but with an adaptive reference.
    • Matching at least one of the identified anomalies to a recognition filter to diagnose a condition: This is a generalization of signature-based detection (from antivirus) to a broader set of "patterns of anomalies" for diagnosing various conditions.
    • Responding to the diagnosed condition: Conventional self-healing and virus eradication tools already demonstrated automated responses to detected problems. The "response agent library" is an obvious extension of storing automated repair procedures.

  • Claim 20 (System): The components (Collector, Analytic, Database) are well-known architectural elements for data collection, processing, and storage. Configuring them to implement the aforementioned method steps would be an obvious engineering task for a PHOSITA.

  • Claim 25 (Method for creating adaptive reference model):

    • Accessing a plurality of snapshots... each comprising asset names and asset values: Standard practice for configuration data.
    • Automatically creating an adaptive reference model: As described above, by applying known statistical analysis/data mining.
    • Finding unique asset names/occurrences & Determining unique asset values: Basic data profiling steps inherent in any data mining process.
    • If an asset name has a statistically unstable or non-unique string asset value, stopping further evaluation... for defining normal: The patent notes that "log files don't have a legal value since they change frequently" and are "eliminated from the adaptive reference model". A PHOSITA attempting to build a reliable statistical model from noisy, dynamic system data would recognize the need to filter out or ignore highly variable or unique data elements that do not contribute to a stable definition of "normal" across a population. This is a common and obvious data preprocessing step in statistical modeling to improve model accuracy and efficiency.
    • Determining a statistical measure associated with one or more unique numerical values: The use of "mean and standard deviation" for numerical values was a known statistical technique for anomaly detection.

Conclusion on Obviousness:

The independent claims of US Patent 7,593,936, when viewed in light of the prior art explicitly described within the patent's background, would have been obvious to a PHOSITA. The patent itself articulates the problems (static reference models, inability to cope with dynamic environments and infinite states) that would have motivated a PHOSITA to seek improvements. The solutions proposed—namely, an "adaptive reference model" built through statistical analysis of "snapshots" from a "plurality of computers," combined with generalized pattern matching ("recognition filters") and automated responses—are logical extensions and combinations of well-known technologies (configuration management, diagnostic tools, antivirus, statistical analysis, data mining, and automated scripting) to address those identified problems. The specific steps for handling unstable asset values during model creation are also obvious optimizations for building robust statistical models from real-world data.