Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
The instant application having Application No. 16/238,524 filed on 01/03/2019 is presented for examination by the examiner.

Examiner Notes
Examiner cites particular columns and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.

Drawings

The applicant’s drawings submitted are acceptable for examination purposes.




Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 8-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
Claim 8 is directed to a computer container system but appears to comprise software alone, without claiming the computer hardware required for its execution. Specifically, claim 8 recites "a computer container system" in the preamble, and the body of the claim recites "one or more application containers", "a security container", and "a graphical user interface container", each of which appears to be a software module. Therefore, claim 8 is non-statutory because it is directed to software per se.
Claims 9-14 depend from claim 8 and are likewise rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons.


Allowable Subject Matter
Claims 4-7, 11-14 and 18-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claims and any intervening claims.
Prior art:
US 2017/0063722 to Cropper
[0017] The cloud management software can use operations supported for that container technology to monitor the resource usage for the containers for the virtual machines within the container cluster. For example, for Docker there are container level metrics available from cgroups on which Docker is based and virtual machine-wide metrics are possible from systemd-cgtop. If resource usage of a container on one virtual machine is exceeding some defined threshold, the cloud management software may initiate a container live migration of the container to another virtual machine in the container cluster or create a new virtual machine in one of the hosts in the container cluster host group and use the container live migration to move the container into the newly created container host. Likewise, new containers can be placed into existing container hosts or new container hosts based on resource monitoring of the host to determine available capacity and perform fit analysis based on the resource requirements of the container. Altogether, performance or efficiency benefits when managing a shared pool of configurable computing resources which has a set of containers may occur (e.g., speed, flexibility, load balancing, responsiveness, availability, resource usage, productivity). Aspects may save resources such as bandwidth, processing, or memory. 

US 2018/0278639 to Bernstein
[0068] At S510, a new container image in a containerized environment (e.g., the host device 310, FIG. 3) is detected. The new container image may be a newly added container image or a changed version of an existing container image such that the detection is of an addition or change of a container image in the containerized environment. Detecting the new container image may include, but is not limited to, receiving an indication that a new container is saved in the registries, an indication from a CI system (or orchestration tool), and the like. In an embodiment, S510 may further include generating an event. 

US 2019/0236370 to Man
[0207] Furthermore, network link 1120 may provide a connection through network 1122 or to other computing devices via internetworking devices and/or computers that are operated by an Internet Service Provider (ISP) 1126. ISP 1126 provides data communication services through a world-wide packet data communication network represented as internet 1128. A server computer 1130 may be coupled to internet 1128. Server 1130 broadly represents any computer, data center, virtual machine or virtual computing instance with or without a hypervisor, or computer executing a containerized program system such as DOCKER or KUBERNETES. Server 1130 may represent an electronic digital service that is implemented using more than one computer or instance and that is accessed and used by transmitting web services requests, uniform resource locator ( URL) strings with parameters in HTTP payloads, API calls, app services calls, or other service calls. Computer system 1100 and server 1130 may form elements of a distributed computing system that includes other computers, a processing cluster, server farm or other organization of computers that cooperate to perform tasks or execute applications or services. Server 1130 may comprise one or more sets of instructions that are organized as modules, methods, objects, functions, routines, or calls. The instructions may be organized as one or more computer programs, operating system services, or application programs including mobile apps. 
The instructions may comprise an operating system and/or system software; one or more libraries to support multimedia, programming or other functions; data protocol instructions or stacks to implement TCP/IP, HTTP or other communication protocols; file format processing instructions to parse or render files coded using HTML, XML, JPEG, MPEG or PNG; user interface instructions to render or interpret commands for a graphical user interface (GUI), command-line interface or text user interface; application software such as an office suite, internet access applications, design and manufacturing applications, graphics applications, audio applications, software engineering applications, educational applications, games or miscellaneous applications. Server 1130 may comprise a web application server that hosts a presentation layer, application layer and data storage layer such as a relational database system using structured query language (SQL) or no SQL, an object store, a graph database, a flat file system or other data storage.

The prior art of record (Duan in view of Chugtu, Wagner, Cropper, Bernstein, and Man) does not disclose or fairly suggest the limitations recited in claims 4-7, 11-14 and 18-20 in the manner claimed.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 3, 8, 10, 15 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0093921 to Duan in further view of US 2019/0081955 to Chugtu et al. (hereafter "Chugtu").

As per claim 1, Duan discloses a computer-implemented method in a container system, comprising:
detecting that an application container has been added in the container system (paragraphs 0015 and 0033: “Instead, the security container 150 monitors the VM 115 (or container server 110 if the container environment is the container server 110 itself) to determine if any new app containers 120 are created.”), the application container having computer-readable instructions (paragraphs 0030-0031), the application container initiated via a container service (paragraphs 0043-0044, 0047, 0066, 0074 and 0083) and isolated using operating system-level virtualization (paragraphs 0024 and 0030);
opening a stored manifest for the application container (paragraphs 0069, 0071 and 0079: “Once the UI monitor 440 receives configuration settings from the UI container 165, the UI monitor 440 forwards the configuration settings to the configuration module 410 to process and distribute among the different containers.”), the manifest comprising configuration settings for the newly added application container (paragraphs 0047-0049 and 0061: “When the intercept module 210 receives a notification from the app state monitor 230 that a particular app container 120 is initiated, the intercept module 210 determines, according to configuration rules, whether the traffic for that app container 120 should be intercepted. These rules may be determined by the intercept module 210 dynamically, or may be preconfigured.”); 
retrieving running services information regarding the application container (paragraphs 0040-0043 and 0046: “In one embodiment, the app state monitor 230 may also monitor other information regarding the application containers 120, such as their performance, resources used, number of processes opened, number of file handles opened, number and status of network connections, and so on. The app state monitor 230 may determine this information using the API of the container service 130 or using system commands (e.g., "ss" for network connections in Linux).”), the running services information including information provided by the container service about the application container running on the container system (paragraphs 0040-0043 and 0046: “In one embodiment, the app state monitor 230 may also monitor other information regarding the application containers 120, such as their performance, resources used, number of processes opened, number of file handles opened, number and status of network connections, and so on. The app state monitor 230 may determine this information using the API of the container service 130 or using system commands (e.g., "ss" for network connections in Linux).”); 
generating a security policy for the application container (paragraphs 0036, 0048, 0069 and 0071: “The management container 155 may configure the settings and rules for the security containers 150 and the analytics container 160 in the container system 105. For example, these rules may indicate what type of network traffic to log or to filter out. The management container 155 monitors the activities of other management containers 155 and the security containers 150.”), the security policy defining a set of actions for which the application container can perform (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”), the set of actions determined using the manifest and the running service information associated with the application container (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”);
loading the security policy at a security container (paragraph 0036: “The management container 155 may configure the settings and rules for the security containers 150 and the analytics container 160 in the container system 105. For example, these rules may indicate what type of network traffic to log or to filter out. The management container 155 monitors the activities of other management containers 155 and the security containers 150. Activities monitored may include start/stop activities, statistics, and so on. The management container 155 may also listen for reports and other information from the analytics container 160. Additionally, the management container 155 may receive instructions from the user interface (UI) container 165 regarding the configuration of rules in the security containers 150 and other options.”); and
transmitting the security policy to a graphical user interface container for presentation to a user via a display device (FIG. 4A; paragraphs 0036-0037, 0069, 0071 and 0073: “As noted above, the UI container 165 communicates with the management container 155 and via the user interface the UI container 165 may indicate to the management container 155 the various configuration options requested by a user.”), the graphical user interface container presenting information about the generated security policy (FIG. 4A; paragraphs 0036-0037, 0069, 0071 and 0073).
Duan does not explicitly disclose the security container configured to, upon loading the security policy, block an action performed by the application container in response to determining that the action performed by the application container does not match any action in the set of actions defined in the security policy for the application container.
Chugtu further discloses the security container configured to, upon loading the security policy (paragraphs 0009 and 0046), block an action performed by the application container in response to determining that the action performed by the application container does not match any action in the set of actions defined in the security policy for the application container (paragraphs 0009 and 0046: "In this way, the server device can isolate the container, such that the container cannot communicate with other containers associated with a different service, application, and/or tenant (e.g., even when the containers are on the same host)."; that is, the container is blocked from communicating with other containers that do not belong to the same service).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chugtu with that of Duan because doing so would allow the server device to isolate the container, such that the container cannot communicate with other containers associated with a different service, application, and/or tenant, even when the containers are on the same host (Chugtu, paragraph 0009).

As per claim 3, Duan discloses wherein opening a stored manifest for the application container (paragraphs 0037, 0069, 0071 and 0079: “Once the UI monitor 440 receives configuration settings from the UI container 165, the UI monitor 440 forwards the configuration settings to the configuration module 410 to process and distribute among the different containers.”), the manifest comprising configuration settings for the newly added application container (paragraphs 0047-0049 and 0061: “When the intercept module 210 receives a notification from the app state monitor 230 that a particular app container 120 is initiated, the intercept module 210 determines, according to configuration rules, whether the traffic for that app container 120 should be intercepted. These rules may be determined by the intercept module 210 dynamically, or may be preconfigured.”) further comprises executing a command line interface instruction to cause the container service to output manifest data for the application container (paragraph 0037: “The container system 105, in one embodiment, also includes a user interface (UI) container 165 to provide a user interface to a user. The UI container 165 may interface with a user using a graphical user interface (GUI) or a command line interface (CLI)”).

As per claim 8, Duan discloses a computer container system comprising:
one or more application containers (FIGs. 1 and 3A-B), each application container including computer-readable instructions (paragraphs 0030-0031), initiated via a container service (paragraphs 0043-0044, 0047, 0066, 0074 and 0083) and isolated using operating system-level virtualization (paragraphs 0024 and 0030); a policy interpreter configured to:
detect that an application container of the one or more application containers has been added in the container system (paragraphs 0015 and 0033: “Instead, the security container 150 monitors the VM 115 (or container server 110 if the container environment is the container server 110 itself) to determine if any new app containers 120 are created.”);
open a stored manifest for the application container (paragraphs 0069, 0071 and 0079: “Once the UI monitor 440 receives configuration settings from the UI container 165, the UI monitor 440 forwards the configuration settings to the configuration module 410 to process and distribute among the different containers.”), the manifest comprising configuration settings for the newly added application container (paragraphs 0047-0049 and 0061: “When the intercept module 210 receives a notification from the app state monitor 230 that a particular app container 120 is initiated, the intercept module 210 determines, according to configuration rules, whether the traffic for that app container 120 should be intercepted. These rules may be determined by the intercept module 210 dynamically, or may be preconfigured.”); 
retrieve running services information regarding the application container (paragraphs 0040-0043 and 0046: “In one embodiment, the app state monitor 230 may also monitor other information regarding the application containers 120, such as their performance, resources used, number of processes opened, number of file handles opened, number and status of network connections, and so on. The app state monitor 230 may determine this information using the API of the container service 130 or using system commands (e.g., "ss" for network connections in Linux).”), the running services information including information provided by the container service about the application container running on the container system (paragraphs 0040-0043 and 0046: “In one embodiment, the app state monitor 230 may also monitor other information regarding the application containers 120, such as their performance, resources used, number of processes opened, number of file handles opened, number and status of network connections, and so on. The app state monitor 230 may determine this information using the API of the container service 130 or using system commands (e.g., "ss" for network connections in Linux).”); and
generate a security policy for the application container (paragraphs 0036, 0048, 0069 and 0071: “The management container 155 may configure the settings and rules for the security containers 150 and the analytics container 160 in the container system 105. For example, these rules may indicate what type of network traffic to log or to filter out. The management container 155 monitors the activities of other management containers 155 and the security containers 150.”), the security policy defining a set of actions for which the application container can perform (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”), the set of actions determined using the manifest and the running service information associated with the application container (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”);
a security container operating to load the security policy (paragraph 0036: “The management container 155 may configure the settings and rules for the security containers 150 and the analytics container 160 in the container system 105. For example, these rules may indicate what type of network traffic to log or to filter out. The management container 155 monitors the activities of other management containers 155 and the security containers 150. Activities monitored may include start/stop activities, statistics, and so on. The management container 155 may also listen for reports and other information from the analytics container 160. Additionally, the management container 155 may receive instructions from the user interface (UI) container 165 regarding the configuration of rules in the security containers 150 and other options.”); and
a graphical user interface container operating to present information about the generated security policy to a user via a display device (FIG. 4A; paragraphs 0036-0037, 0069, 0071 and 0073).
Duan does not explicitly disclose the security container configured to block an action performed by the application container in response to determining that the action performed by the application container does not match any action in the set of actions defined in the security policy for the application container.
Chugtu further discloses the security container configured to block an action performed by the application container in response to determining that the action performed by the application container does not match any action in the set of actions defined in the security policy for the application container (paragraphs 0009 and 0046: "In this way, the server device can isolate the container, such that the container cannot communicate with other containers associated with a different service, application, and/or tenant (e.g., even when the containers are on the same host)."; that is, the container is blocked from communicating with other containers that do not belong to the same service).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chugtu with that of Duan because doing so would allow the server device to isolate the container, such that the container cannot communicate with other containers associated with a different service, application, and/or tenant, even when the containers are on the same host (Chugtu, paragraph 0009).

As per claim 10, it is a system claim which recites the same limitations as those of claim 3. Accordingly, claim 10 is rejected for the same reasons as set forth in the rejection of claim 3.

As per claim 15, it is a medium claim which recites the same limitations as those of claim 1. Accordingly, claim 15 is rejected for the same reasons as set forth in the rejection of claim 1.

As per claim 17, it is a medium claim which recites the same limitations as those of claim 3. Accordingly, claim 17 is rejected for the same reasons as set forth in the rejection of claim 3.


Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Duan and Chugtu, as applied to claims 1, 8 and 15, and in further view of US 2016/0092251 to Wagner.

As per claim 2, Duan does not explicitly disclose wherein detecting that an application container has been added comprises periodically querying the container service for initiated application containers.
Wagner further discloses wherein detecting that an application container has been added comprises periodically querying the container service for initiated application containers (paragraph 0055).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Wagner with the teachings of Duan and Chugtu because, by maintaining a pool of pre-initialized virtual machine instances that are ready for use as soon as a user request is received, the delay (sometimes referred to as latency) associated with executing the user code (e.g., instance and language runtime startup time) can be significantly reduced (Wagner, paragraph 0013).
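The procedure the examiner maps onto Duan and Chugtu in the rejection of claims 1 and 8 above (detect a newly added container, read its manifest and running-services information, derive a policy listing the actions the container may perform, load that policy at a security container, and block any action that matches no listed entry) together with the periodic query of the container service recited in claim 2 is the familiar default-deny allow-list pattern. The following Python sketch is an added example written for this page; it is not code from the application, from Duan, Chugtu or Wagner, and the manifest field names, the running-services snapshot, the container IDs and the Action/SecurityPolicy types are constructed assumptions used only to make the flow concrete.

```python
"""Toy policy interpreter and enforcer for a container system.

Added example for this page; not code from the application or from Duan,
Chugtu or Wagner. Field names, the container-service snapshot and the
running-services data below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    """One thing a container may do: kind is 'listen', 'connect' or 'exec'."""
    kind: str
    target: str


@dataclass(frozen=True)
class SecurityPolicy:
    container_id: str
    allowed: frozenset  # of Action; anything not listed is denied


# Constructed stand-in for a container service's view of one container
# (roughly the shape of `docker inspect` output; field names are assumptions).
SAMPLE_MANIFEST = {
    "Id": "app-7f3c",
    "Config": {
        "ExposedPorts": {"8080/tcp": {}},
        "Cmd": ["/app/server", "--port", "8080"],
    },
}

# Constructed stand-in for running-services information the container
# service (or `ss -tn` inside the container's namespace) would report.
SAMPLE_RUNNING_SERVICES = {
    "listening": [("tcp", 8080)],
    "connections": [("tcp", "db.internal", 5432)],
    "processes": ["/app/server"],
}


def generate_policy(manifest, running):
    """Derive the allow-list from the manifest plus observed running services."""
    allowed = set()
    for port_proto in manifest["Config"].get("ExposedPorts", {}):
        port, proto = port_proto.split("/")
        allowed.add(Action("listen", f"{proto}:{port}"))
    for proto, port in running["listening"]:
        allowed.add(Action("listen", f"{proto}:{port}"))
    for proto, host, port in running["connections"]:
        allowed.add(Action("connect", f"{proto}:{host}:{port}"))
    cmd = manifest["Config"].get("Cmd") or []
    for exe in cmd[:1] + running["processes"]:  # executable only, not its arguments
        allowed.add(Action("exec", exe))
    return SecurityPolicy(manifest["Id"], frozenset(allowed))


class SecurityContainer:
    """Loads per-container policies and blocks any action with no match."""

    def __init__(self):
        self.policies = {}
        self.blocked = []  # audit trail of (container_id, action)

    def load_policy(self, policy):
        self.policies[policy.container_id] = policy

    def check(self, container_id, action):
        """Return True if the action is permitted; default-deny otherwise."""
        policy = self.policies.get(container_id)
        if policy is None or action not in policy.allowed:
            self.blocked.append((container_id, action))
            return False
        return True


def detect_new_containers(service_ids, known):
    """One poll of the container service: report IDs not seen before."""
    new = [cid for cid in service_ids if cid not in known]
    known.update(new)
    return new


def demo():
    """Run the whole flow once on the constructed data and return the verdicts."""
    service = {"app-7f3c": SAMPLE_MANIFEST}  # what one poll of the service sees
    known, sec = set(), SecurityContainer()
    for cid in detect_new_containers(service, known):
        sec.load_policy(generate_policy(service[cid], SAMPLE_RUNNING_SERVICES))
    return {
        "db_connect": sec.check("app-7f3c", Action("connect", "tcp:db.internal:5432")),
        "unexpected_egress": sec.check("app-7f3c", Action("connect", "tcp:203.0.113.9:443")),
        "shell_exec": sec.check("app-7f3c", Action("exec", "/bin/sh")),
        "unknown_container": sec.check("app-9999", Action("listen", "tcp:80")),
        "second_poll_new": detect_new_containers(service, known),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point worth noting for the claimed "does not match any action" limitation is that the enforcer never needs a deny rule: a connection to an address absent from both the manifest and the observed running services, a shell the manifest never launched, and a container for which no policy was ever loaded are all refused by the same default-deny check, and the second poll reports nothing new because the first poll already recorded the container.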

As per claim 9, it is a system claim, which recite(s) the same limitations as those of claim 2. Accordingly, claim 9 is rejected for the same reasons as set forth in the rejection of claim 2.

As per claim 16, it is a medium claim which recites the same limitations as those of claim 2. Accordingly, claim 16 is rejected for the same reasons as set forth in the rejection of claim 2.


Conclusion
Any inquiry concerning this communication should be directed to examiner Tuan Dao, whose telephone/fax numbers are (571) 270 3387 and (571) 270 4387, respectively. The examiner can normally be reached on every Monday-Thursday, and the second Friday of the bi-week from 7:30AM to 5:00PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do, can be reached at (571) 272 3721.
The fax phone number for the organization where this application or proceeding is assigned is (571) 273 8300.
Any inquiry of a general nature of relating to the status of this application or proceeding should be directed to the TC 2100 Group receptionist whose telephone number is (571) 272 2100.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/TUAN C DAO/Primary Examiner, Art Unit 2193