DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-4, 7-11 and 14-20 are allowed.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 3/7/19 is being considered by the examiner.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Jason Poulos on 12/8/20.
The application has been amended as follows: 
1. (Currently amended) A method for executing an application in one or more clouds, comprising:
receiving an application execution request from a user having a first authorization level for executing an application in one or more clouds, the application execution request comprising an application index for the requested application;
creating a runtime environment of the application for the user, retrieving data and files required for executing the application based at least in part on the application index and transmitting the data and files required for executing the application to the runtime environment, wherein creating the runtime environment, retrieving the data and files required for executing the application and transmitting the data and files required for executing the application to the runtime environment are performed at a second authorization level that is higher than the first authorization level of the user from which the application execution request is received;
in response to receiving the application execution request, uploading a monitoring module and a protection data configuration into [[a]] the runtime environment, wherein the protection data configuration defines sensitive data which are not allowed to be accessed by a user of [[low]] the first authorization level; and
monitoring, by the monitoring module, data input and data output of [[a]] the user during execution of the application based on the protection data configuration to prevent the user of [[low]] the first authorization level from accessing the sensitive data.

2. (Currently amended) The method according to claim 1, wherein the monitoring data input and data output is performed at an authorization level higher than [[an]] the first authorization level at which the application execution request is received.

3. (Currently amended) The method according to claim 1, wherein the uploading a monitoring module and a protection data configuration is performed at an authorization level higher than [[an]] the first authorization level at which the application execution request is received.

4. (Original) The method according to claim 1, wherein the data input and the data output are performed through a predetermined port, and the monitoring data input and data output of a user during execution of the application comprises:
monitoring data input and data output on the predetermined port; and

5. (Cancelled).
6. (Cancelled).
7. (Original) The method according to claim 1, wherein the sensitive data comprise field programmable gate array (FPGA) binary files.
8. (Currently amended) An apparatus for executing an application in one or more clouds, comprising:
a processor; and
a memory coupled to the processor, the memory having instructions stored thereon which, when executed by the processor, cause the apparatus to perform acts comprising:
receiving an application execution request from a user for executing an application in one or more clouds, the application execution request comprising an application index for the requested application;
creating a runtime environment of the application for the user, retrieving data and files required for executing the application based at least in part on the application index and transmitting the data and files required for executing the application to the runtime environment, wherein creating the runtime environment, retrieving the data and files required for executing the application and transmitting the data and files required for executing the application to the runtime environment are performed at a second authorization level that is higher than the first authorization level of the user from which the application execution request is received;
in response to receiving the application execution request, uploading a monitoring module and a protection data configuration into the [[a]] runtime environment, wherein the protection the first authorization level; and
monitoring, by the monitoring module, data input and data output of [[a]] the user during execution of the application based on the protection data configuration to prevent the user of [[low]] the first authorization level from accessing the sensitive data.

9. (Currently amended) The apparatus according to claim 8, wherein the monitoring data input and data output is performed at an authorization level higher than [[an]] the first authorization level at which the application execution request is received.

10. (Currently amended) The apparatus according to claim 8, wherein the uploading a monitoring module and a protection data configuration is performed at an authorization level higher than [[an]] the first authorization level at which the application execution request is received.

11. (Original) The apparatus according to claim 8, wherein the data input and the data output are performed through a predetermined port, and the monitoring data input and data output of a user during execution of the application comprises:
monitoring data input and data output on the predetermined port; and
in response to determining that the data input or the data output involves accessing sensitive data defined in the protection data configuration, preventing execution of the data input or the data output.
12. (Cancelled).
13. (Cancelled).

14. (Original) The apparatus according to claim 8, wherein the sensitive data comprise field programmable gate array (FPGA) binary files.

15. (Currently amended) An apparatus for executing an application in one or more clouds, comprising:
a processor; and
a memory coupled to the processor, the memory having instructions stored thereon which, when executed by the processor, cause the apparatus to implement:
		an executor frontend configured to receive an application execution request from a user for executing an application in one or more clouds, the application execution request comprising an application index for the requested application;		
		an executor backend configured:
			to create a runtime environment of the application for the user, retrieving data and files required for executing the application based at least in part on the application index and transmitting the data and files required for executing the application to the runtime environment, wherein creating the runtime environment, retrieving the data and files required for executing the application and transmitting the data and files required for executing the application to the runtime environment are performed at a second authorization level that is higher than the first authorization level of the user from which the application execution request is received; and
			to, in response to receiving the application execution request from the executor frontend, upload a monitoring module and a protection data configuration into [[a]] the runtime environment, wherein the protection data configuration defines sensitive data which are not allowed to be accessed by a user of [[low]] the first authorization level; and
the monitoring module configured to monitor data input and data output of [[a]] the user during execution of the application based on the protection data configuration to prevent the user of [[low]] the first authorization level from accessing the sensitive data.

16. (Original) The apparatus according to claim 15, wherein at least one of:
an authorization level of the monitoring module is higher than that of the executor frontend; and
an authorization level of the executor backend is higher than that of the executor frontend.

17. (Original) The apparatus according to claim 15, wherein the data input and the data output are performed via a predetermined port, and the monitoring module is further configured to:
monitor data input and data output on the predetermined port; and
in response to determining that the data input or the data output involves accessing of sensitive data defined in the protection data configuration, prevent execution of the data input or the data output. 

18. (Original) The apparatus according to claim 15, wherein at least one of:
the application execution request comprises an application index for the requested application; and
the sensitive data comprise field programmable gate array (FPGA) binary files.

19. (Original) The apparatus according to claim 18, wherein the executor backend is further configured to:

wherein the executor backend creates the runtime environment, retrieves data and files required for executing the application and transmits data and files required for executing the application at an authorization level higher than that of the executor frontend. 

20. (Currently amended) A computer program product tangibly stored on a non-transitory computer readable medium and comprising machine executable instructions which, when executed, cause a machine to perform the method according to claim 1.


Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance:
The closest prior art of record, Baskaran U.S. Pub. No. 20100146269, discloses a system for managing electronic content security and access within a networked environment, wherein a security client application is provided on the computing device in response to a request for accessing the electronic content and a local software component employed for accessing the electronic content is embedded within the security client application; the user is granted controlled access to the electronic content by enforcing the content usage policies through the wrapper file.
The prior art of record does not explicitly disclose, in light of other features recited in independent claims, the application execution request comprising an application index for the requested application; creating a runtime environment of the application for the user, retrieving data and files required for executing the application based at least in part on the application index and transmitting the data and files required for executing the application to the runtime environment, wherein creating the runtime environment, retrieving the data and files required for executing the application and transmitting the data and files required for executing the application to the runtime environment are performed at a second authorization level that is higher than the first authorization level of the user from which the application execution request is received.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Hulick, Jr. U.S. Pub. No. 20190236282 discloses an application component auditor.
Hulick, Jr. U.S. Pub. No. 20190132289 discloses an application-context-aware firewall.
Jung et al. U.S. Pat. No. 6308208 discloses a method for monitoring network distributed computing resources using distributed cellular agents.
McCorkendale et al. U.S. Pub. No. 20100058431 discloses agentless enforcement of application management through virtualized block I/O redirection.
Roth et al. U.S. Pub. No. 20180232517 discloses posture assessment in a secure execution environment.
Odom et al. U.S. Pub. No. 20180025135 discloses a method for delivering communications and storing and delivering data.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIN HON (ERIC) CHEN whose telephone number is (571) 272-3789. The examiner can normally be reached on Monday to Thursday, 9am-7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SHIN-HON (ERIC) CHEN/
Primary Examiner, Art Unit 2431