Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This action is responsive to the application 16/436,930 filed on June 11, 2019. Claims 1-20 are pending.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 20 is rejected under 35 U.S.C. 101 because the claimed invention is not directed to statutory subject matter.
Claim 20 recites a firewall; a plurality of containers executing on one or more operating systems; and at least one processor, wherein the at least one processor is programmed to carry out... Thus, applying the broadest reasonable interpretation in light of the specification, the firewall, the plurality of containers, and the at least one processor can equally be implemented as hardware, software, or a combination of hardware and software. Thus, the claim is directed to "an apparatus" comprising elements that may consist solely of software. Because of this, claim 20 lacks the necessary structural elements to be an apparatus. Therefore, the claim fails to fall within one of the four statutory categories of invention recited in 35 U.S.C. § 101: process, machine, manufacture, and composition of matter.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over McCormick et al. (US 2020/0067801), hereinafter “McCormick”, in view of Krishnamurthy et al. (US 10,698,714), hereinafter “Krishnamurthy”.
Claim 1
McCormick teaches a method of generating or maintaining a firewall rule of a firewall of a computer system, the computer system comprising a plurality of containers executing on one or more operating systems, the method comprising: 
collecting flow information of packets sent between containers of the plurality of containers [i.e. a traffic control and monitoring module is configured to control and monitor traffic flows to and from a plurality of containers in container namespaces and reports the 
associating the container identifiers with services executing from the plurality of containers, wherein the associating comprises associating the first container identifier with a first service, and associating a second container identifier with a second service [i.e. a segmentation policy may include a rule specifying that a workload 138-1 operating on an OS instance 130-1, which includes at least one/first container, is allowed to provide or receive services (first and second services) to or from a workload 138-2 operating on an OS instance 130-2, which includes at least other/second container] (McCormick, figures 1-2; 0015-0016, 0026-0027); 
based on the associating, determining whether the first service communicated with the second service (McCormick, figures 1-2; 0015-0016); and 
based on the determining, generating or maintaining a rule for the firewall to block or allow transmission of packets between the first service and the second service, wherein whether the rule is to block or allow transmission is based on whether the first service and the second service communicated [i.e. the traffic control and monitoring module includes a firewall operating in a container namespace to control and monitor traffic flow between containers. The segmentation policy is enforced by blocking any communications that are not expressly permitted by the rules. Thus, by reducing number of permitted connections/communications, the administrative domain may beneficially become better protected against malicious attacks] (McCormick, 0011, 0015, 0036-0037, 0045).  
McCormick fails to teach wherein the collecting occurs during a period of time.
Krishnamurthy teaches that the collecting occurs during a period of time [i.e. a rule can specify one or more criteria for distributing traffic flow(s) whose information/records are detected/collected, and each criterion can be limited to a particular time range] (Krishnamurthy, col. 25, lines 31-43).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Schafer to include the teachings of Krishnamurthy that the collecting occurs during a period of time. One of ordinary skill in the art would be motivated to provide technological capability and improve performance of computing systems and virtual networks through evaluation of processes executing on virtual machines/containers in the system (Krishnamurthy, col. 46, lines 15-19).


Claim 2
McCormick in combination with Krishnamurthy teach the method of claim 1, wherein the flow information comprises collected port numbers, wherein the rule is a rule to allow the transmission, the method further comprising:
determining, based on the collected port numbers, a first set of port numbers of the first service and a second set of port numbers of the second service [i.e. identifying ports associated with workloads 138-1 – 138-N included in the OS instances 130-1 – 130-N of the plurality of provided services] (McCormick, 0015, 0027); 
wherein, based on the rule, the firewall only allows transmission of a packet between the first service and the second service if the packet comprises a port number of the first set of ports 

Claim 3
McCormick in combination with Krishnamurthy teach the method of claim 1, wherein the associating further comprises associating a third container identifier with the first service [i.e. a segmentation policy may include a rule specifying that a workload 138-1 operating on an OS instance 130-1, which includes a plurality of containers (which includes a third container), is allowed to provide or receive services (first and second services) to or from a workload 138-2 operating on an OS instance 130-2, which includes at least other container] (McCormick, figures 1-2; 0015-0016, 0026-0027).  

Claim 4
McCormick in combination with Krishnamurthy teach the method of claim 3, the method further comprising, during the collecting: 
running the first service from a first container, the first container being associated with the first container identifier [i.e. a workload identifier associated with the first container] (McCormick, 0011, 0027, 0034-0035); 
deleting the first container [i.e. the container orchestration module may remove container(s) from the OS instance 130] (McCormick, 0035); and 
instantiating a second container and launching the first service from the second container, the second container being associated with the third container identifier [i.e. the container orchestration module may control containers in a manner that terminate a particular container 

Claim 5
McCormick in combination with Krishnamurthy teach the method of claim 1, wherein the flow information of packets comprises, for each packet of the packets, a source Internet Protocol (IP) address, a source port number, a destination IP number, and a destination port number (McCormick, 0027).  

Claim 6
McCormick in combination with Krishnamurthy teach the method of claim 1, wherein the first container identifier is associated with a first container from which the first service runs, and wherein the first container is executing within a virtual machine, and wherein the one or more operating systems includes a guest operating system of the virtual machine [i.e. the first workload identifier associated with first container from which the first OS instance, which provide a first service, run; and the first OS instance, which includes the first container, executing within a virtual machine] (McCormick, figures 1-2, 0014).  

Claim 7
McCormick in combination with Krishnamurthy teach the method of claim 1, wherein the first container identifier is associated with a first container from which the first service runs, wherein the first container is instantiated from a container image, and wherein the 

Claim 8
McCormick in combination with Krishnamurthy teach the method of claim 1, wherein the containers of the plurality of containers are executing on a plurality of host machines [i.e. the containers executing on the OS instance 130 which executing on one or more computing devices], and extracting the flow information from the packets is performed by a device [i.e. Admin client 160] located outside of the plurality of host machines [i.e. the Admin client execute an interface to obtain/extract various information about OS instances, workloads on the network and traffic flows between the workloads] (McCormick, 0014, 0023, 0045).  

Claim 9
McCormick in combination with Krishnamurthy teach the method of claim 1, the method further comprising:
receiving, by the firewall, a packet from the first container, the second container, or a third container [i.e. the firewall receives packets of the communications from a plurality of containers] (McCormick, 0011, 0027); 
processing the packet to extract packet attributes [i.e. processing and controlling the monitored/collected traffic flows of containers] (McCormick, 0040); 
comparing the packet attributes to the rule; and based on the comparing, allowing or blocking transmission of the packet [i.e. using the rules that specify the communications that are permitted or blocked based on the monitored and collected information of the traffic flows. For 

Claim 10
McCormick in combination with Krishnamurthy teach the method of claim 1, wherein the determining whether the first service communicated with the second service comprises: determining that the first service did not communicate with the second service, and maintaining the rule, wherein the rule is a pre-generated default rule [i.e. determining that a container, associated with a service, is not being used] (McCormick, 0002, 0021, 0044); and during the period of time [i.e. one or more criteria, which can be limited to a particular time range, for distributing traffic flow(s) whose information/records are detected/collected] (Krishnamurthy, col. 25, lines 31-43). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Schafer to include the teachings of Krishnamurthy of during a period of time. One of ordinary skill in the art would be motivated to provide technological capability and improve performance of computing systems and virtual networks through evaluation of processes executing on virtual machines/containers in the system (Krishnamurthy, col. 46, lines 15-19).
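The procedure the rejections of claims 1, 2, 9 and 10 walk through (collect flows during a period of time, associate container identifiers with services, generate an allow rule only for service pairs and ports that actually communicated, keep the pre-generated default block rule otherwise, then compare packet attributes against the rules) is shown below as an added Python example. This is illustrative code written for this page; it is not code from the application, from McCormick or from Krishnamurthy, and every container identifier, service name, address, port and timestamp in it is constructed. Two container identifiers map to the same "web" service to model the deleted-and-re-instantiated container of claim 4.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed container-identifier -> service mapping (hypothetical values).
# "c-web-01" was deleted and replaced by "c-web-02"; both run the "web" service.
CONTAINER_TO_SERVICE: Dict[str, str] = {
    "c-web-01": "web",
    "c-web-02": "web",
    "c-api-01": "api",
    "c-db-01": "db",
    "c-cache-01": "cache",
}


@dataclass(frozen=True)
class Flow:
    """One collected packet record: container identifiers plus the 4-tuple."""
    ts: int              # constructed timestamp, seconds
    src_container: str
    dst_container: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed flow records; the last one lies outside the collection window.
SAMPLE_FLOWS: List[Flow] = [
    Flow(100, "c-web-01", "c-api-01", "10.0.0.11", 40001, "10.0.0.21", 8080),
    Flow(120, "c-web-02", "c-api-01", "10.0.0.12", 40002, "10.0.0.21", 8080),
    Flow(130, "c-api-01", "c-db-01", "10.0.0.21", 40003, "10.0.0.31", 5432),
    Flow(140, "c-api-01", "c-db-01", "10.0.0.21", 40004, "10.0.0.31", 5433),
    Flow(900, "c-web-01", "c-cache-01", "10.0.0.11", 40005, "10.0.0.41", 6379),
]


@dataclass(frozen=True)
class Rule:
    src_service: str
    dst_service: str
    action: str                                  # "allow" or "block"
    dst_ports: FrozenSet[int] = frozenset()      # only meaningful for "allow"


def collect(flows: List[Flow], start: int, end: int) -> List[Flow]:
    """Keep only the flows observed during the period [start, end)."""
    return [f for f in flows if start <= f.ts < end]


def service_pairs(flows: List[Flow], mapping: Dict[str, str]) -> Dict[Tuple[str, str], Set[int]]:
    """Associate container identifiers with services; record which
    (source service, destination service) pairs communicated and on which
    destination ports."""
    pairs: Dict[Tuple[str, str], Set[int]] = {}
    for f in flows:
        pair = (mapping[f.src_container], mapping[f.dst_container])
        pairs.setdefault(pair, set()).add(f.dst_port)
    return pairs


def generate_rules(flows: List[Flow], mapping: Dict[str, str], start: int, end: int) -> List[Rule]:
    """Allow only the service pairs and ports seen during the window; every
    other ordered pair keeps the pre-generated default block rule."""
    observed = service_pairs(collect(flows, start, end), mapping)
    services = sorted(set(mapping.values()))
    rules: List[Rule] = []
    for src in services:
        for dst in services:
            if src == dst:
                continue
            if (src, dst) in observed:
                rules.append(Rule(src, dst, "allow", frozenset(observed[(src, dst)])))
            else:
                rules.append(Rule(src, dst, "block"))
    return rules


def evaluate(rules: List[Rule], mapping: Dict[str, str], pkt: Flow) -> str:
    """Extract the packet's attributes, compare them to the rules and return
    the firewall decision. Unknown containers and unmatched pairs are blocked."""
    src = mapping.get(pkt.src_container)
    dst = mapping.get(pkt.dst_container)
    if src is None or dst is None:
        return "block"
    for r in rules:
        if (r.src_service, r.dst_service) == (src, dst):
            if r.action == "allow" and pkt.dst_port in r.dst_ports:
                return "allow"
            return "block"
    return "block"


if __name__ == "__main__":
    ruleset = generate_rules(SAMPLE_FLOWS, CONTAINER_TO_SERVICE, 0, 500)
    for r in ruleset:
        print(r)
    probe = Flow(1000, "c-web-02", "c-api-01", "10.0.0.12", 40100, "10.0.0.21", 8080)
    print(evaluate(ruleset, CONTAINER_TO_SERVICE, probe))
```

Because the "web" to "cache" flow falls outside the collection window, no allow rule is learned for that pair and the default block rule is maintained for it; likewise the reverse direction "api" to "web" stays blocked, since only "web" to "api" was observed.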

Claim 20
McCormick teaches a computer system comprising:
a firewall (McCormick, 0003, 0011); 

at least one processor, wherein the at least one processor is programmed to carry out a method of generating or maintaining a firewall rule of the firewall (McCormick, 0011, 0015, 0048), the method comprising: 
collecting flow information of packets sent between containers of the plurality of containers [i.e. a traffic control and monitoring module is configured to control and monitor traffic flows to and from a plurality of containers in container namespaces and reports the detected traffic flows to a traffic flow reporting module], wherein the flow information comprises container identifiers, wherein the container identifiers comprise a first container identifier and a second container identifier [i.e. the detected traffic flows comprise workload identifiers for the different containers] (McCormick, abstract, 0011, 0027, 0031, 0034-0035); 
associating the container identifiers with services executing from the plurality of containers, wherein the associating comprises associating the first container identifier with a first service, and associating a second container identifier with a second service [i.e. a segmentation policy may include a rule specifying that a workload 138-1 operating on an OS instance 130-1, which includes at least one/first container, is allowed to provide or receive services (first and second services) to or from a workload 138-2 operating on an OS instance 130-2, which includes at least other/second container] (McCormick, figures 1-2; 0015-0016, 0026); 
based on the associating, determining whether the first service communicated with the second service (McCormick, figures 1-2; 0015-0016); and 
based on the determining, generating or maintaining a rule for the firewall to block or allow transmission of packets between the first service and the second service, wherein whether 
McCormick fails to teach wherein the collecting occurs during a period of time.
However, in an analogous art, Krishnamurthy teaches that the collecting occurs during a period of time [i.e. a rule can specify one or more criteria for distributing traffic flow(s) whose information/records are detected/collected, and each criterion can be limited to a particular time range] (Krishnamurthy, col. 25, lines 31-43).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Schafer to include the teachings of Krishnamurthy that the collecting occurs during a period of time. One of ordinary skill in the art would be motivated to provide technological capability and improve performance of computing systems and virtual networks through evaluation of processes executing on virtual machines/containers in the system (Krishnamurthy, col. 46, lines 15-19).

Claims 11-19 do not recite any new limitation beyond those of claims 1-9 above. Therefore, claims 11-19 are rejected for similar reasons.
Correspondence Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MINH CHAU N NGUYEN whose telephone number is (571)272-4242.  The examiner can normally be reached on M-F 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, TONIA DOLLINGER can be reached on (571)272-4170.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.