DETAILED ACTION
This office action is in response to the correspondence filed on 10/10/2019. This has a provisional application 62/744,099 filed 10/10/2018. Claims 1-21 are pending and are examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Applicant's claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Regarding claims 1-21, specifically independent claims 1, 11, and 12, a limitation recites “the inspected second traffic”, which was never recited before. There is insufficient antecedent basis for this limitation in the claim. 
Regarding claims 10 and 21, a limitation recites “the first traffic and the second traffic”, which were never recited before. There is insufficient antecedent basis for this limitation in the claim.
Examiner notes that for the purpose of examination, the limitations in claims 1, 11, and 12, where it mentions “the inspected second traffic”, is interpreted as “the inspected traffic”. 
Please clarify and thoroughly review the claim set for accuracy.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 10-14, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Barnes (US Pub No. 2019/0007447 A1, referred to as Barnes), in view of Woodford et al. (US Pub No. 2019/0260794 A1, referred to as Woodford).
Regarding claims 1, 11, and 12, taking claim 12 as exemplary, Barnes discloses,
12. A system for providing network security for serverless functions, comprising:
a processing circuitry; and (Barnes: [0020])
a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: (Barnes: [0020])
…detect a violation of a network profile created for each of the at least one …function executed in the pod based on the inspected second traffic, wherein each network profile defines a whitelist of normal network behavior of the respective …function with respect to the at least one service, wherein the normal behavior includes a plurality of properties of normal inputs and normal outputs for the …function, (Barnes: [0019]; identifying anomalous network behavior and events (detect a violation) may include comparing recorded network activity (inspecting traffic) to one or more device and/or network profiles, applying machine learning or a set of rules to network activity, evaluating the recorded activity against a list (e.g., a white list, black list, etc.) of known devices/services or features (normal features including normal inputs and outputs).) wherein the detected violation is a deviation from the whitelist of normal network behavior; and (Barnes: [0019]; evaluating one or more network trends/analyses, evaluating recorded data values against one or more threshold values, etc. (evaluating violation).)
perform at least one mitigation action when the violation is detected. (Barnes: [0019]; initiating a remedial action, etc.)
Barnes does not explicitly disclose, however Woodford teaches,
…inspect network traffic between a pod and at least one network, wherein the pod is an instance of a software container configured to execute at least one serverless function, wherein each of the at least one serverless function accesses at least one service via the at least one network; (Woodford: [0063]; a cyber security appliance communicating with a set of probes that examines the behaviors of virtual traffic that leaves the virtual environment (pod) in the cloud infrastructure environment and then travels over a physical network; [0086]; cyber security appliance communicating with a set of probes that integrate Software-as-a-Service and cloud analysis (serverless function).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Woodford into the teachings of Barnes with a


Regarding claims 2 and 13, taking claim 13 as exemplary, the combination of Barnes and Woodford discloses,
13. The system of claim 12, wherein the system is further configured to:
Barnes further discloses,
…create a network profile for each of the at least one …function based on the monitored traffic, (Barnes: [0024]; behavior profile can be built using the monitored data.) wherein the system is configured to perform network traffic inspection on the at least one …function based on the at least one network profile. (Barnes: [0019]; identifying anomalous network behavior and events may include comparing recorded network activity to one or more device and/or network profiles, applying machine learning or a set of rules to network activity, evaluating the recorded activity against a list (e.g., a white list, black list, etc.) of known devices/services or features.)
Barnes does not explicitly disclose, however Woodford teaches,
monitor traffic between the pod and the at least one network; (Woodford: [0063]; a cyber security appliance communicating with a set of probes that examines the behaviors of virtual traffic that leaves the virtual environment (pod) in the cloud infrastructure environment and then travels over a physical network.)
…serverless function ([0086]; cyber security appliance communicating with a set of probes that integrate Software-as-a-Service and cloud analysis (serverless function).)



Regarding claims 3 and 14, taking claim 14 as exemplary, the combination of Barnes and Woodford discloses,
14. The system of claim 12, 
Barnes further discloses,
wherein the network traffic is intercepted by the system. (Barnes: [0023]; monitoring agent 204 may be configured to monitor the communications and behaviors of one or more devices.)

Regarding claims 10 and 21, taking claim 21 as exemplary, the combination of Barnes and Woodford discloses,
21. The system of claim 12, 
Barnes further discloses,
wherein the first traffic and the second traffic each include at least one of: input data, and output data. (Barnes: [0019]; evaluating the recorded activity against a list (e.g., a white list, black list, etc.) of known devices/services or features (normal features including normal inputs and outputs).)


Claims 6-7, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Barnes, in view of Woodford, further in view of David et al. (US Pub No. 2018/0307840 A1, referred to as David).
Regarding claims 6 and 17, taking claim 17 as exemplary, the combination of Barnes and Woodford discloses,
17. The system of claim 14, wherein the system is further configured to:
Barnes does not explicitly disclose, however Woodford teaches,
…serverless function ([0086]; cyber security appliance communicating with a set of probes that integrate Software-as-a-Service and cloud analysis (serverless function).)
The same motivation that was utilized for combining Barnes and Woodford as set forth in claim 1 is equally applicable to claim 17.
Barnes does not explicitly disclose, however David teaches,
insert at least one hook into the at least one …function, wherein the at least one hook redirects traffic to the system. (David: [0011]; one or more hooks can be used to cause calls to the one or more processes to be forwarded to the security layer (system); [0017]; hooks are used to redirect network function calls to a process verification function (hooks can be used to redirect traffic).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of David into the combination of Barnes and Woodford with a motivation to prevent malware in processes by launching a security layer using hooks (David abstract and [0011]).


Regarding claims 7 and 18, taking claim 18 as exemplary, the combination of Barnes, Woodford and David discloses,
18. The system of claim 17, 
Barnes does not explicitly disclose, however David teaches,
wherein the at least one hook replaces at least one network call. (David: hooks are used to redirect network function calls to a process verification function (hooks are replacing the original network calls).)


Allowable Subject Matter
Claims 4-5, 8-9, 15-16, and 19-20 contain allowable subject matter but remain rejected under the 112 rejection. They are also objected to as being dependent upon rejected base claims, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims, and if the stated rejection(s) are resolved.
The following is an examiner’s statement of reasons for allowance: 
Although prior arts Barnes, Woodford and David above disclose all the limitations of the prior claims (see rejections above), none of the prior arts of record alone or in combination discloses a virtual private cloud (VPC) deployed between the system and the network, wherein the VPC is configured to redirect traffic to the system or at least one of the at least one hook replaces at least one call related to creation of new processes as described in the claims.
At the effective filing date of the application, the above limitations would not have been obvious over the prior arts of record. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The listed references disclose relevant inventions of protecting serverless/cloud applications.
Shulman; Avraham et al. (US 20190312899 A1) 
DORON; Ehud et al. (US 20180288091 A1) 
Lieberman; Amit et al. (US 10685115 B1) 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569.  The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KA SHAN CHOY/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435