Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is in response to the communication filed on 12/23/2020.
Claims 1-21 are examined and rejected. 

Response to Arguments
Applicant's arguments, dated 12/23/2020, have been fully considered.
Regarding the USC 103 rejection, applicant argues on pages 7-11 that the combination of references does not teach –
For Claim 1 - 
A - Page 7 - OA does not teach ‘normal behavior defining capabilities of services’. 
B - Page 8 - OA does not teach ‘normal ranges’. Zoll teaches ‘desired ranges’, which are not normal ranges, let alone capabilities.
C - Page 9 – Zoll does not teach ‘model is trained to define capabilities of a service, with discrete behaviors required by the service’. 
D - Page 12 – For claim 4 - Zoll fails to teach that identifications of data as either subcomponent or component – level are provided as training data to be input to a machine learning algorithm used for training a normal behavior model as claimed. 



Examiner does not find argument persuasive. 
In view of the claim terms, the description of the claim(s) in the specification and the reference teachings, examiner notes that the combination of the references of Zoll and Han teaches the claimed limitation.

Regarding A – Examiner notes that, in ‘Normal behavior model created by machine learning model’, the term ‘normal’ is broadly interpreted as ‘accepted range of values defined by system rules’, or the term ‘normal’ is a universal range of values associated with a task. For example, for a white list of data points, ‘normal’ can be interpreted as authorized or verified data points; for CPU utilization ratio, ‘normal’ data points can range from a ratio of 55-85 %; a DDoS attack data model can define high risk data points with an overload of 101 to 195% usage of unverified data points; and a network attack can define its own set of normal data points for identification of a task. In summary, examiner notes that, due to the distinct definitions of ‘normal’ behavior, the claims are broadly interpreted to cover a wide range of values for a particular task, in this case ‘service by virtual machine’, which in turn covers a broad range of services such as data storage, CPU utilization, white listing data analysis, webserver and much more, as all are covered in the reference of Zoll.
Regarding B – Examiner notes that – ‘Normal ranges’ of Zoll is similar to desired ranges. Zoll teaches high risk data points of 101 to 195% usage data as threshold to 

Regarding C Zoll teaches - 
Zoll – para 128 teaches  ‘ .. services provided by the cloud infrastructure system may include a host of services that are made available to users of the cloud infrastructure system on demand, such as online data storage and backup solutions, Web-based e-mail services, hosted office suites and document collaboration services ‘.
Zoll para 74-75 teaches ‘ .. datapoint collected from the monitored target .. values of key performance indicators with corresponding timestamp (examples of such KPI's cpu utilization, database time per user call . . . etc) ..  An interface is provided to allow users to express the desired ranges of the service quality their business would normally accept ‘. 
Zoll  para 76-79 teaches ‘ data measured for machine learning solution to administer normal limits to machine learning mode based solutions ..’ – 
Therefore in summary of above mapping of claim limitations – para 74-79 teaches machine learning model based services of data storage, backup solutions, web 
Thus, Zoll in above paragraphs distinctly teaches claimed limitation of machine learning model service and behavior with measure range of data point threshold (normal) ranges. 

Regarding D Zoll teaches - 
Zoll – paragraphs 35-37 teaches  - ‘ data collection for specific machine learning model pertaining to values at component and subcomponent level in multiple format(s) for specific task such as model behavior or activity such as CPU utilization .. ‘, where measurement of data metrics for task such as CPU utilization and other services as described in 1b is similar to claimed limitation of identification of training activity of behavior model with ‘normal’ behavior model as explained in A. 
Examiner interprets the teachings of Zoll para 35-37 as known in art to cover the following steps – In the machine learning model, data points are collected and analyzed whether the dataset or data metrics as per system defined rules associated with particular task of machine learning model. Para 57, 92 and 78 teaches normal behavior model as mapped and explained in A. 

Therefore Zoll conclusively teaches the following – A machine learning model to collect behavior based data set, classify the data set as normal, abnormal, anomalous or fault behavior based on data analysis. Further it teaches, collection of data set and comparing the data sets against threshold value of system to differentiate normal or abnormal data based on system rules. Additionally it teaches granular level of data analysis in JVM (virtual machine) node with measurement of key performance indicators (KPI) such as CPU utilization, system calls, utilization ratio and much more to create / interpret data set as normal facet of data system. 
Any objections or rejections not set forth below have been withdrawn.  
Examiner is open for phone call interview to discuss further with applicant’s representative for the purpose of compact prosecution. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-7 and 11-18 are rejected under 35 U.S.C. 103 as being unpatentable by U.S. Publication 2018/0083833 to Zoll et al. (hereinafter known as “Zoll”) and in view of U.S. Publication 2018/0309770 to Han et al. (hereinafter known as “Han”).
As per claim 1 Zoll teaches, a method for cloud native virtual machine (VM) runtime protection, comprising: 
creating a normal behavior model for a cloud native VM (Zoll Fig 1 element 104a-c teaches node and para 66 teaches nodes as virtual machine (java based) and further para 30 teaches normal behavior model for device in Fig 1) by training a machine learning model using a training data set including a plurality of training activities performed by the cloud native VM (Zoll para 66-67 teaches JVM java virtual machine and training data for predictive models with machine learning), the cloud native VM being configured to provide at least one service, wherein the normal behavior model defines at least one capability of each of the at least one service (Zoll para 128 and 139 teaches services of cloud infrastructure as security and identity services, integration service, enterprise repository service, virus scanning, white list service and other services. Further para 74-75, 78 teaches normal ranges and limits of cloud services and device (virtual machines) such as normal data of JVM (virtual machine) such as – timestamp, values of key performance, database calls and CPU utilization, which covers the claimed function), wherein each capability of a service indicates a plurality of discrete behaviors required by the service (Zoll para 128-129 teaches cloud service of secure access to storage, a hosted database, and other services which requires password protected access to remote secure storage in cloud. Examiner interprets that remote secure access (password based access) and access to storage / data is similar to function of service with discrete behavior (service is storage of data and discrete behavior is password and access to data)); and
monitoring an execution of the cloud native VM to detect a deviation from the normal behavior model (Zoll para 67-68 teaches monitoring of data in JVM (virtual machine), para 59-60 teaches detection of model data based on threshold level compared to its established level. Examiner interprets that tracking / analysis of data in view of established level and its threshold level is similar to detection of deviation from the normal behavior model). 
Zoll does not teach however Han teaches, 
wherein the deviation is caused by at least one abnormal behavior of one of the at least one service that is not among the discrete behaviors defined in the at least one capability for the service (Han Fig 1 steps 5-8 teaches detection of abnormal activity in virtual machine and para 74 teaches detection of standard deviation in virtual machine, para 3 teaches service of data security by cloud service and detection of internal or external virus as abnormal activity in virtual machine (Step 1 para 12). In summary Han Fig 1 teaches detection of abnormal activities from data collection for the functions of virtual machine such as CPU use ratio, waiting time, memory use ratio (para 45) which covers claimed function).  
Zoll teaches context aware prognosis in monitored target in machine learning systems along with detection of normal behavior and training data models to detect 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Zoll - Han before him or her, to combine, Zoll’s target (device) monitoring in machine learning system to detect any threshold behavior with Han’s detection of abnormal activity in device in cloud service. The suggestion/motivation for doing so would have been to detect and remove the anomalies as to guarantee use of normal virtual machines in cloud system (para 5). 
As per claim 2 combination of Zoll – Han teaches, the method of claim 1, wherein the training data set further includes training services and training capabilities, wherein each training capability corresponds to one of the training services (Zoll para 29-30 teaches training data for predictive model which provides training services of decision trees, discriminant analysis, data storage, secure access and logistic regression and training capabilities of network health monitoring system including analysis of large volumes of raw data, measuring of data for events, secure access analysis and cluster health, which covers the service and function (capabilities) of cloud service). 
As per claim 3 combination of Zoll – Han teaches, the method of claim 1, wherein the normal behavior model is created based further on at least one behavioral rule, wherein each behavioral rule includes at least one of: 
(Zoll para 30 classification of behavior into normal, abnormal, anomalous or fault behavior. Examiner interprets that normal behavior is similar to allowed behavior of service) and, 
at least one explicitly denied behavior for the service (Zoll para 60 Fig 3 element 314b and c – upon identifying malware / culprit / victim in cluster – system can stop the service which is similar to claimed function of denying the service). 
As per claim 4 combination of Zoll – Han teaches, the method of claim 1, wherein creating the behavior model further comprises: 
identifying each activity of the plurality of training activities as any of an interactive activity (Zoll Fig 1 element 116, 118 and 120 where collection of data of each component and subcomponent is based on categories of data of each component (interpreted as identifying activity based on categories). Further element 120 teaches collection of data at component level. Para 35-37 teaches analysis of device data at component such as component level includes database logging or database waiting time data analysis. Examiner interprets that component level is similar to claimed function of interactive activity such as interface function or access waiting time) and 
a background activity, wherein the normal behavior model is created based further on the identifications of the training activities (Zoll Fig 1 element 116 and 118 where element 118 teaches collection of data at sub-component level. Para 35-37 teaches analysis of device data at sub-component level such as data analysis at granular level such as SQL statements, sessions etc. Examiner interprets that sub-component level is similar to claimed function of background activity or granular level such as SQL statement analysis or session level). 
by providing the identification of each activity as training data to be input to a machine learning algorithm used for training the normal behavior model (Zoll para 29-30 teaches training data for predictive model which provides training services and activities of learning model such as ‘How is learning model classifying / analyzing data based on decision trees, discriminant analysis, data storage, secure access and logistic regression’ and secondly – activities of data analysis of node such as transmission of data, measuring of data for different components of behavior model to categorize data as per system requirements which covers the service and function (capabilities) of cloud service). 
As per claim 5 combination of Zoll – Han teaches, the method of claim 4, wherein the discrete behaviors include each background activity and do not include each interactive activity (Zoll para 31 and 46 teaches rule based analysis of sub-component level data (interpreted as background activity). Further para 31 and 46 teaches association of data analysis based on association rules between each component. Examiner interprets that rule based engine to configure data analysis includes specific data analysis example only sub-component (background activity) data analysis without component level (interactive activity) as commonly known in art to one of ordinary skills). 
As per claim 6 combination of Zoll – Han teaches, the method of claim 1, wherein the training activities include at least one of: 
running at least one process, using at least one input argument for at least one process, and accessing at least one file path (Zoll para 69-71 teaches data analysis / training – para 70 teaches collection of data and transferring of data with SQL procedures. Examiner interprets that data analysis with SQL procedure (programming language) covers the ‘at least one of’ claimed limitation; for example, Zoll para 69-71 teaches SQL procedure interpreted as process and SQL statements interpreted as input argument, which covers claimed function).
As per claim 7 combination of Zoll – Han teaches, the method of claim 1, wherein creating the normal behavior model further comprises: 
correlating among the plurality of discrete behaviors (Zoll para 31 teaches rule based association of various models for data analysis) for the service with respect to at least one of: 
at least one parameter used for a process executed as part of the discrete behaviors, at least one socket used as part of the discrete behaviors (Zoll Fig 1 elements 104a-c para 22-23 teaches nodes in system for data collection. Further para 147 includes files from communication ports, which are interpreted by examiner as sockets in claimed function, to analyze data of their behavior into normal, fault or anomaly behavior), and
(Zoll para 44 teaches set of nodes for data collection. Para 147 teaches data collection includes files, directories, applications which cover claimed function). 
Claim 11,
Claim 11 is rejected in accordance with claim 1.
Claim 12,
Claim 12 is rejected in accordance with claim 1.
Claim 13,
Claim 13 is rejected in accordance with claim 2.
Claim 14,
Claim 14 is rejected in accordance with claim 3.
Claim 15,
Claim 15 is rejected in accordance with claim 4.
Claim 16,
Claim 16 is rejected in accordance with claim 5.
Claim 17,
Claim 17 is rejected in accordance with claim 6.
Claim 18,
Claim 18 is rejected in accordance with claim 7.

Claims 9, 10, 20 and 21 are rejected under 35 U.S.C. 103 as being unpatentable by U.S. Publication 2018/0083833 to Zoll et al. (hereinafter known as “Zoll”) and in view of U.S. Publication 2018/0309770 to Han et al. (hereinafter known as “Han”) and further in view of U.S. Publication 2016/0350173 to Ahad et al. (hereinafter known as “Ahad”).
As per claim 9 combination of Zoll-Han teaches, the method of claim 1. 
Zoll-Han does not teach however Ahad teaches,  
uploading the normal behavior model to a cloud service, wherein the normal behavior model is accessible to installations accessing the cloud service when uploaded to the cloud service (Ahad para 88 teaches user defining attributes of system behavior and updating the configuration to cloud system element 100. Para 88 teaches that system attributes and bounds for metrics for normal system behavior are updated by user in cloud infrastructure system. Further para 142 teaches installation of configured / updated parameters in system, which covers claimed function).  
Zoll-Han teaches monitoring of target in machine learning systems with detection of abnormal behavior with deviation from capacity of service. Zoll-Han does not teach, however Ahad teaches, uploading the normal behavior model to a cloud service (para 43). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Zoll-Han before him or her, to combine Zoll-Han’s device monitoring in machine learning system with abnormal detection with Ahad’s update of normal behavior model to cloud service. The suggestion/motivation for doing so would have been to correct potential anomalies in timely manner (para 7).
As per claim 10 combination of Zoll – Han – Ahad teaches, the method of claim 9, wherein the uploaded normal behavior model is manually curated for use with respect to a common service executed by at least one other cloud native VM, wherein the common service is one of the at least one service (Ahad para 88 teaches updates of normal system metrics of system data such as user access data in cloud system. Ahad para 10 and 149 teaches manual updates to system policies by authorized personnel. Para 6 and 7 teaches cloud computing modules and virtual machine(s) which covers the claimed limitation of manual curation of common service). 
Zoll – Han teaches monitoring of target in machine learning systems with detection of abnormal behavior with deviation from capacity of service.  Zoll-Han does not teach however Ahad teaches manual updates to system policies / profiles (para 88). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Zoll-Han before him or her, to combine, Zoll-Han’s device monitoring in machine learning system with abnormal detection with Ahad’s manual updates to system policies / profiles. The suggestion/motivation for doing so would have been to fine-grain detection of anomalies to identify precursor events and to reduce corrective action latency (para 10). 
Claim 20,
Claim 20 is rejected in accordance with claim 9.
Claim 21,
Claim 21 is rejected in accordance with claim 10.

Claims 8 and 19 are rejected under 35 U.S.C. 103 as being unpatentable by U.S. Publication 2018/0083833 to Zoll et al. (hereinafter known as “Zoll”) and in view of U.S. Publication 2018/0309770 to Han et al. (hereinafter known as “Han”) and further in view of U.S. Publication 2017/0353477 to Faigon et al. (hereinafter known as “Faigon”).
As per claim 8 combination of Zoll – Han teaches, the method of claim 1, wherein the normal behavior model is created based further on a wherein the at least one capability of each of the at least one service of the cloud native VM includes the at least one capability indicated for a corresponding service of the plurality of known services (Zoll para 29-30 teaches training data for predictive model which provides training services of decision trees, discriminant analysis, data storage, secure access and logistic regression and training capabilities of network health monitoring system including analysis of large volumes of raw data, measuring of data for events, secure access analysis and cluster health). 
Zoll – Han does not teach however Faigon teaches, 
library of service-to-capability mappings, wherein the library indicates at least one capability of each of a plurality of known services (Faigon para 43 teaches machine learning model with library based functions – such as SOA, JSON, REST APIs with functions and routines to access file, connection of user interface with system interface. Examiner interprets library of functions to include code libraries as tools to carry out function such as file access, which is similar to claimed function).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Zoll-Han before him or her, to combine, Zoll-Han’s device monitoring in machine learning system with abnormal detection with Faigon’s library of service to capability mappings in machine learning / cloud service. The suggestion/motivation for doing so would have been to protect sensitive information and reduce risk to organizations (para 9-10). 
Claim 19,
Claim 19 is rejected in accordance with claim 8.

Conclusion 

Claims 1 - 20 have been rejected. 
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 



Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/VIRAL S LAKHIA/Examiner, Art Unit 2431

/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431