DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 8/13/2020 has been entered.
Notice of Pre-AIA  or AIA  Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Examiner Notes
3.	The Examiner cites particular columns and line numbers in the references as applied to the claims below for the convenience of the Applicant(s). Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the Applicant fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner.
Claim Rejections - 35 USC § 103
4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


5.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
6.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
7.	Claims 1, 14 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Russello et al. (U.S. Publication 2014/0137184) (Russello hereinafter) in view of Parees et al. (U.S. Publication 2017/0249374) (Parees hereinafter).

          executing an application in the user-space [Applications 210, fig. 3];
          executing the user-level virtualization layer in the user-space, the user-level virtualization layer including a set of rules [“a virtualization system for virtualizing an operating system on a device to provide a plurality of isolated user space instances operable on the device, the operating system comprising a Linux-based kernel, and a system architecture defined by a Linux layer associated with the kernel and the higher application layer comprising applications,” ¶ 0182], “the user-level virtualization layer including a set of rules [“the monitor process is configured to enforce the retrieved security policy for its target process by implementing a security action at the Linux layer in regard to the detected system call based on the retrieved security policy. The security action may comprise any one or more of the following: allowing the system call to proceed, blocking the system call from proceeding, modifying parameters of the system call prior to execution or return values generated by the system call after execution, or prompting the user of the device to select a security action,” ¶ 0035; security policy mapped to set of rules];
          performing, via the user-level virtualization layer, user-level hooking of events that are generated by the executing application according to the set of rules to identify events of interest [“an interceptor associated with each process that is configured to intercept system and/or library function calls, and redirect them to the monitoring entity associated with the process initiating the system and/or library function calls,” ¶ 0184; “wherein the monitoring entities are configured to analyze the intercepted system and/or library function calls made by their associated processes and perform a security action based on at least a user-space control parameter indicative of the specific user-space instance currently operating on the device and a security policy associated with the process,” ¶ 0185]; and
          determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer [“the monitor process is configured to enforce the retrieved security policy for its target process by implementing a security action at the Linux layer in regard to the detected system call based on the retrieved security policy. The security action may comprise any one or more of the following: allowing the system call to proceed, blocking the system call from proceeding, modifying parameters of the system call prior to execution or return values generated by the system call after execution, or prompting the user of the device to select a security action.” ¶ 0035].
          Russello does not explicitly disclose but Parees discloses wherein the application is launched from a container that includes the application and a user-level virtualization layer, the user-level virtualization layer including virtualization layer logic and virtual configuration files [“Implementations of the disclosure provide for container clustering in a container-based architecture. Implementations provide a container cluster component that is implemented as a part of a host computer system of the container-based architecture. The container-based architecture implements a containerized execution model, in which an application and its dependencies (such as binaries and/or libraries used to run the application) execute within at least one application container (also referred to herein as a "container"). The application container is an isolated process in user space of a host operating system, sharing the kernel with other containers,” ¶ 0009; “The plurality of host computer system (hosts) 150A-150Z executes applications or other processes running on one or more hosts 150A-150Z. In some implementations, these hosts are virtual machines (VMs) that are hosted on a physical machine, such as one or more hosts 150A-150Z.” ¶ 0013; “a container cluster component 120 is provided to implement discovery, provisioning, configuration, re-configuration, monitoring, and/or other management functions for containers 154 in a container cluster. Each built application image, such as application image 135 stored in image repository 130, includes the container cluster component 120. When the application image 135 is deployed to one or more running containers 154 of a container cluster, the application instance 152 causes functionality of the container cluster component 120 to execute in the respective container 154 on the respective host 150A-150Z. For example, the container cluster component 120 may include one or more processes to perform container discovery, provisioning, configuration, re-configuration, monitoring, and/or other management functions with respect to a container cluster of the containers 154 in the hosts 150A-150Z,” ¶ 0023, fig. 1; “the DNS query is generated by a container cluster component when the application image is deployed as part of the application image instance. As discussed above, an image refers to data representing executables and files of the application used to deploy functionality for a runtime instance of the application,” ¶ 0033].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello and Parees available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello to include the capability of container clustering as taught by Parees, thereby providing a mechanism to improve system maintainability by facilitating system reconfigurations with minimal manual intervention [Parees ¶ 0010].
9.	As per claim 14, it is a system claim having similar limitations as cited in claim 1.  Thus, claim 14 is also rejected under the same rationale as cited in the rejection of claim 1 above.
10.	As per claim 15, it is a media claim having similar limitations as cited in claim 1.  Thus, claim 15 is also rejected under the same rationale as cited in the rejection of claim 1 above.
11.	Claims 2 – 5 are rejected under 35 U.S.C. 103 as being unpatentable over Russello and Parees in view of Awan et al. (U.S. Publication 2014/0173700) (Awan hereinafter).
12.    	As per claim 2, Russello and Parees teach the method of claim 1.  Russello and Parees do not explicitly disclose but Awan discloses wherein determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer comprises extracting at least one of an internet protocol address, a hostname, and a port number from the event and comparing the extracted at least one of an internet protocol address, A policy enforcer of a wrapped application may then create a local loopback server for each blocking reason, and launch the local loopback servers when the wrapped application is launched. Then when the wrapped application attempts to access the blocked URL, the call can be intercepted, resolved to the hostname of the corresponding local loopback server, and the appropriate policy enforced. The enforcement of the policy may include rewriting the requested (blocked) URL with a new URL to custom web page and/or the reasons why the blocking has occurred,” ¶ 0200].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees and Awan available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello and Parees to include the capability of policy enforcement as taught by Awan, thereby providing a mechanism to improve system security by enforcing security access policies for system interactions [Awan ¶ 0007].
13. 	As per claim 3, Russello and Parees teach the method of claim 1.  Russello and Parees do not explicitly disclose but Awan discloses blocking a communication function based on an internet protocol (IP) address corresponding to an event that was identified as an event of interest [“Socket calls relating to network communication are intercepted by the wrapped application's policy enforcer to determine an IP address, hostname, network location, website, type of network communication, etc. being attempted by the wrapped application,” ¶ 0196].

14. 	As per claim 4, Russello and Parees teach the method of claim 1.  Russello and Parees do not explicitly disclose but Awan discloses blocking a communication function based on a hostname corresponding to an event that was identified as an event of interest [“Socket calls relating to network communication are intercepted by the wrapped application's policy enforcer to determine an IP address, hostname, network location, website, type of network communication, etc. being attempted by the wrapped application,” ¶ 0196].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees and Awan available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello and Parees to include the capability of policy enforcement as taught by Awan, thereby providing a mechanism to improve system security by enforcing security access policies for system interactions [Awan ¶ 0007].
15.    	As per claim 5, Russello and Parees teach the method of claim 1.  Russello and Parees do not explicitly disclose but Awan discloses blocking a communication function that corresponds to an event that was identified as an event of interest if the function relates to a socket call [“Socket calls relating to network communication are intercepted by the wrapped application's policy enforcer to determine an IP address, hostname, network location, website, type of network communication, etc. being attempted by the wrapped application,” ¶ 0196].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello and Awan available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello to include the capability of policy enforcement as taught by Awan, thereby providing a mechanism to improve system security by enforcing security access policies for system interactions [Awan ¶ 0007].
16.	Claims 6 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Russello and Parees in view of Kapoor et al. (U.S. Publication 2017/0201541) (Kapoor hereinafter).
17.    	As per claim 6, Russello and Parees teach the method of claim 1.  Russello and Parees do not explicitly disclose but Kapoor discloses wherein determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer comprises determining if the event is found in a training set and blocking the function corresponding to the event if the event is not found in the training set [“such an embodiment can also include performing remedial actions (such as disallowing an input command to an IoT device, for example) in connection with a generated alert. As noted, the techniques detailed herein include learning valid command sequences among multiple devices from historical device usage data. Also one or more embodiments of the invention include ensuring that only commands that are both valid and arrive in the correct sequence (that is, permissible to device state) are allowed,” ¶ 0016, learned valid command sequences mapped to training set].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees and Kapoor available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello and Parees to include the capability of access enforcement as taught by Kapoor, thereby providing a mechanism to improve system security by enforcing access policies for system interactions.
18.    	As per claim 7, Russello and Parees teach the method of claim 1.  Russello and Parees do not explicitly disclose but Kapoor discloses wherein determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer comprises determining if the event is found on a black list and blocking the function corresponding to the event if the event is found on the black list [“FIG. 3 depicts rule list checking in accordance with one or more embodiments of the invention. As illustrated, generated sensor events 302 are transmitted to the sensor event segmenting logic 205 of the gateway component 206, and sensor event segmenting logic 205 as well as the device ontology 204 provide input to the normalization component 207 of the gateway component 206. For example, the sensor event segmenting logic 205 transmits a collection of sensor events to the normalization component. The normalization component 207 generates an output (a collection of normalized sensor events) and provides such output to a dictionary checking component 304, which also receives input from local dictionary white list 208, local dictionary black list 210, global dictionary white list 212, and global dictionary black list 214. Input provided by local dictionary white list 208, local dictionary black list 210, global dictionary white list 212, and global dictionary black list 214 to the dictionary checking component 304 can include, for example, the following: <key=sensor name, value=allowed commands of a sensor event type>.” ¶ 0024].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees and Kapoor available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello and Parees to include the capability of access enforcement as taught by Kapoor, thereby providing a mechanism to improve system security by enforcing access policies for system interactions.
19.	Claims 8 – 10 are rejected under 35 U.S.C. 103 as being unpatentable over Russello in view of Shavell et al. (U.S. Patent 10,097,560) (Shavell hereinafter).
20.  	As per claim 8, Russello and Parees teach the method of claim 1.  Russello and Parees do not explicitly disclose but Shavell discloses wherein determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer comprises determining if the function relates to a resource that is outside of a pre-established location [“Various devices, such as network-enabled device 208, may present signed information 404 to server 206 as proof that they are within proximity to secure beacon 210. Determination module 108 may receive and verify the authenticity of signed information 404 from network-enabled device 208, such as by comparing signed information 404 received from network-enabled device 208 with a set of expected signed information derived from beacon registry 402. Establishing module 110 may then establish an access level at which network-enabled device 208 may access network resource 214 in accordance with security policy 216,” col. 8, lines 30 – 41].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees and Shavell available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello and Parees to include the capability of access management by resource location as taught by Shavell, thereby providing a mechanism to improve system security by enforcing access policies for system interactions based on physical location of resources.
21.    	As per claim 9, Russello, Parees and Shavell teach the method of claim 8.  Shavell further discloses blocking the function corresponding to an event if the function relates to a resource that is outside of the pre-established location [“use a result of the verification to determine a security policy associated with the secure beacon, use a result of the determination to grant and/or deny the network-enabled device access to a network resource, and/or output a result of the analysis and/or determination to a database,” col, 17, lines 41 – 45].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees and Shavell available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello and Parees to include the capability of access management by resource location as taught by 
22.    	As per claim 10, Russello, Parees and Shavell teach the method of claim 8.  Shavell further discloses blocking the function corresponding to an event if the function relates to a resource that is outside of the pre-established location unless the function corresponds to a resource that is on an allowed list [“the access level at which the network-enabled device is allowed to access the network resource based at least in part on the network-enabled device being within range of the short-range wireless signal from the secure beacon. For example, establishing module 110 may, as part of server 206 in FIG. 2, establish, according to security policy 216, the access level at which network-enabled device 208 is allowed to access network resource 214 based at least in part on network-enabled device 208 being within range of wireless signal 212,” col. 9, line 64 – col. 10, line 7].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees and Shavell available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello and Parees to include the capability of access management by resource location as taught by Shavell, thereby providing a mechanism to improve system security by enforcing access policies for system interactions based on physical location of resources.
23.	Claims 11 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Russello and Parees in view of Joslin et al. (U.S. Publication 2008/0106404) (Joslin hereinafter).
The sensor layer 410 is adapted to generate data based at least in part on one or more events. The data may include, for example, data, signals, events, and/or reports.  The data may be stored, for example, in a database.” ¶ 0031];
          applying a pattern recognition process to the events that are stored in the database [“a control center node 435 may receive data from a plurality of sensor nodes 415 and/or a plurality of gateway nodes 425 and automatically alert a user when the data matches a pattern recognition template. The rule set may include, for example, ordered/unordered events and/or analog/digital signatures,” ¶ 0042]; 
          generating a rule for the set of rules in the user-level virtualization layer based on the pattern recognition process [“The rule set may be configured “on the fly', for example, by the system 400 and/or a user of the system 400. The rule set may be configured remotely, for example, from any node in the system 400,” ¶ 0042]; and
          applying the generated rule through the user-level virtualization layer [“a user may create a pattern recognition template that matches on relative left to right movement of a vehicle reported first from SENSOR NODEA and then from SENSOR NODE B within 5 minutes. The control center layer 430 may query a database and alert the user when the data in the database matches the pattern recognition template,” ¶ 0042].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees and Joslin available before the effective filing date of the claimed 
25. 	As per claim 12, Russello, Parees and Joslin teach the method of claim 11.  Joslin further teaches wherein generating a rule for the set of rules in the user-level virtualization layer based on the pattern recognition process comprises updating an existing rule [“The rule set may be configured “on the fly', for example, by the system 400 and/or a user of the system 400. The rule set may be configured remotely, for example, from any node in the system 400,” ¶ 0042].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees and Joslin available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello and Parees to include the capability of pattern recognition of events as taught by Joslin, thereby providing a mechanism to improve system performance and efficiency by streamlining the process of event processing.
26.	Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Russello and Joslin and Parees in further view of Bourdev et al. (U.S. Publication 2015/0036919) (Bourdev hereinafter).
27. 	As per claim 13, Russello, Parees and Joslin teach the method of claim 11.  Russello, Parees and Joslin do not explicitly disclose but Bourdev discloses wherein generating a rule for the set of rules in the user-level virtualization layer based on the pattern recognition process comprises generating a new rule [“To create the visual pattern template, the visual pattern creation module 502 may implement a visual pattern recognition algorithm, such as a bag-of-words model in computer vision or technique that counts the occurrence of a vocabulary of local image features in each of the training set of images,” ¶ 0083].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees, Joslin and Bourdev available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello, Parees and Joslin to include the capability of template creation based on pattern recognition as taught by Bourdev, thereby providing a mechanism to improve system performance and efficiency by streamlining the process of event processing.
Response to Arguments
28.	Applicant’s arguments have been carefully considered but are not persuasive.
29.	Applicant argues on page 7 that “While Parees teaches that a containerized application includes ‘an application and its dependencies (such as binaries and/or libraries used to run the application,” Applicant asserts that “dependencies” does not teach or suggest an application virtualization layer as recited in amended claim 1,” without further explanation of what “as recited” refers to.  First, amended claim 1 does not recite an “application virtualization layer.”  It is assumed that Applicant is referring to the “user-level virtualization layer” recited in amended claim 1, which is further assumed to be the equivalent of the “user-level application virtualization layer” recited in independent claims 14 and 15.  Second, the “user-level virtualization layer,” per amended claim 1, includes “virtualization layer logic” which is not defined in the specification and “virtual configuration files” which, per the specification are used to Parees discloses in fig. 1, ¶ 0009, 0013, 0033 and elsewhere containers operating on virtual host in user-space comprising application image instances containing executables and files of the application used to deploy functionality for a runtime instance of the application and container cluster components which implement discovery, provisioning, configuration, reconfiguration, monitoring, etc., for each container.
Conclusion
30.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM C WOOD whose telephone number is (571)272-5285.  The examiner can normally be reached on Monday - Friday, 8:00 am - 4:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat C Do can be reached on 571-272-3721.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  






/WILLIAM C WOOD/Examiner, Art Unit 2193                                                                                                                                                                                                        
/Chat C Do/Supervisory Patent Examiner, Art Unit 2193