DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on July 22, 2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “host is configured to implement”, “communication module is configured to collect”, and “interface being configured to transmit” in claim 1; “data communication module is configured to collect” and “interface being configured to transmit” in claim 2; “data communication module is configured to collect” and “interface is configured to transmit” in claim 4; “system is configured implement”, “data communication module is configured to collect”, and “interface being configured to transmit” in claim 5; “malicious detection module is configured to analyse” in claim 6; “malicious detection module is configured to perform” in claim 7; “system is configured to trigger” in claim 8; and “malicious detection module is configured to provide” in claim 9.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function.  Such claim limitation(s) is/are: “communication module is configured to transmit” in claim 1.
Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.
If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to remove the structure, materials, or acts that performs the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function.



Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Herman Saffar et al, U.S. Patent 10,936,717.

As per claim 1, it is taught of a system including at least one host, wherein the host is configured to implement:
at least one container group including:
a first container (items 106-1 to 106-N in figure 1),
a data communication module (container host device, item 160 sends collected data to the enterprise security operations center, item 102 in figure 1),
an interface (communication means of the container host device, item 160 in figure 1),
a malicious detection module (anomaly detection module, item 116 in figure 1),
wherein the data communication module is configured to:
collect data based on data communication of the container group, and transmit collected data, or data representative thereof, to the interface (col. 3, line 65 through col. 4, line 9), the interface being configured to transmit collected data, or data representative thereof, to the malicious detection module, for detecting malicious data (col. 5, lines 26-43).
As per claim 2, it is disclosed wherein the host implements a plurality of container groups, wherein each container group includes:
a first container, a data communication module, wherein the data communication module of each container group (items 106-1 to 106-N in figure 1) is configured to:
collect data based on data communication of the container group, transmit collected data to the interface, the interface being configured to transmit collected data, or data representative thereof, to the malicious detection module, for detecting malicious data (col. 3, line 65 through col. 4, line 9 and col. 5, lines 26-43).

(i) the host implements a single interface common for a plurality of container groups (container host device, item 160 sends collected data to the enterprise security operations center, item 102 in figure 1); (ii) for each container group of plurality of container groups of the host, the data communication module is a single module (container host device, item 160 sends collected data to the enterprise security operations center, item 102 in figure 1); and (iii) the host implements a single malicious detection module (anomaly detection module, item 116 in figure 1).
As per claim 4, it is disclosed wherein including a plurality of hosts, wherein each host implements:
at least one container group including:
a first container (items 106-1 to 106-N in figure 1),
a data communication module (container host device(s), item 160 sends collected data to the enterprise security operations center, item 102 in figure 1),
an interface (communication means of the container host device, item 160 in figure 1),
a malicious detection module (anomaly detection module, item 116 in figure 1),
wherein the data communication module is configured to:
collect data based on data communication of the container group, and transmit collected data to the interface of the host (col. 3, line 65 through col. 4, line 9), the interface being configured to transmit collected data, or data representative thereof, to the malicious detection module of the host, for detecting malicious data (col. 5, lines 26-43).
As per claim 5, it is taught wherein it is configured to, upon implementation of a new first container on a new host, implement, on the new host:
a group of containers including the new first container and a data communication module (col. 9, lines 45-51),

a malicious detection module (anomaly detection module, item 116 in figure 1),
wherein the data communication module is configured to:
collect data based on data communication of the container group (col. 3, line 65 through col. 4, line 9), and
transmit collected data to the interface of the host, the interface being configured to transmit collected data, or data representative thereof, to the malicious detection module of the host, for detecting malicious data (col. 5, lines 26-43).
As per claim 6, it is disclosed wherein the malicious detection module of the host is configured to analyse collected data, or data representative thereof, according to a set of rules, wherein the set of rules is updatable based on instructions of an external server (col. 3, lines 3-7 and col. 5, lines 26-43).
As per claim 7, it is taught wherein: the malicious detection module of the host is configured to perform a first analysis of whether collected data, or data representative thereof, is malicious; if the first analysis indicates that collected data, or data representative thereof, is malicious, at least part of the collected data, or data representative thereof is sent to a third party for a second analysis (col. 5, lines 26-43 and col. 7, lines 52-60).
As per claim 8, it is disclosed wherein: if malicious data has been detected based on least on an output of the malicious detection module, the system is configured to trigger performing an action for the malicious data (col. 7, lines 52-60).
As per claim 9, it is taught wherein the malicious detection module of the host is configured to provide, upon detection of malicious data, at least one of:
one or more sequences of source code of data identified as malicious; data representative of time of malicious data; data representative of a source of malicious data; data representative of a 
As per claim 10, it is disclosed wherein:
the data communication module (container host device, item 160 sends collected data to the enterprise security operations center, item 102 in figure 1) is implemented in a second container within the container group, distinct from the first container, or the data communication module is implemented within the first container (items 106-1 to 106-N in figure 1, col. 3, line 65 through col. 4, line 9, and col. 9, lines 45-51).
As per claim 11, it is taught of a method including, by at least one processing unit and memory:
collecting data based on data communication of a container group (container host device, item 160 sends collected data to the enterprise security operations center, item 102 in figure 1) including at least one container, the container group being implemented on a host (items 106-1 to 106-N in figure 1)(col. 3, line 65 through col. 4, line 9),
wherein the collecting is performed at least partially by a data communication module located within the container group (col. 3, line 65 through col. 4, line 9),
transmitting collected data, or data representative thereof to an interface implemented on the host (col. 3, line 65 through col. 4, line 9), and
transmitting collected data, or data representative thereof from the interface to a malicious detection module implemented on the host, for detecting malicious data (col. 5, lines 26-43).
As per claim 12, it is disclosed for each of a plurality of container groups each including a plurality of containers:
collecting data based on data communication of the container group, wherein the collecting is performed at least partially by a data communication module located within the container group (items 106-1 to 106-N in figure 1),

As per claim 13, it is taught wherein including at least one of (i), (ii) and (iii): (i) a single interface is implemented on a host implementing the plurality of container groups (container host device, item 160 sends collected data to the enterprise security operations center, item 102 in figure 1); (ii) for each container group of a plurality of container groups, the data communication module is a single module (container host device, item 160 sends collected data to the enterprise security operations center, item 102 in figure 1); and (iii) a single malicious detection module is implemented on a host implementing the container group (anomaly detection module, item 116 in figure 1).
As per claim 14, it is disclosed wherein including, for each host of a plurality of hosts:
collecting data based on data communication of a container group including at least one container (items 106-1 to 106-N in figure 1),
wherein the collecting is performed at least partially by a data communication module located within the container group of the host (col. 3, line 65 through col. 4, line 9),
transmitting collected data, or data representative thereof, to an interface of the host (col. 3, line 65 through col. 4, line 9), and
transmitting collected data, or data representative thereof from the interface to a malicious detection module of the host, for detecting malicious data (col. 5, lines 26-43).
As per claim 15, it is taught wherein including, upon implementation of a new container, implementing a new container group including the new container and a data communication module configured to collect data based on data communication of the new container group (col. 9, lines 45-51).

a new container group including the new container and a data communication module (col. 9, lines 45-51),
an interface (communication means of the container host device, item 160 in figure 1),
a malicious detection module (anomaly detection module, item 116 in figure 1),
wherein the data communication module is configured to:
collect data based on data communication of the new container group (col. 3, line 65 through col. 4, line 9), and
transmit collected data to the interface of the new host, the interface being configured to transmit collected data, or data representative thereof to the malicious detection module of the new host, for detecting malicious data (col. 5, lines 26-43).
As per claim 17, it is taught wherein including:
performing, by the malicious detection module, a first analysis of whether collected data, or data representative thereof, is malicious; if the first analysis indicates that collected data, or data representative thereof, is malicious, transmitting at least part of the collected data, or data representative thereof to a third party for a second analysis (col. 5, lines 26-43 and col. 7, lines 52-60).
As per claim 18, it is disclosed wherein: if malicious data has been detected based on least on an output of the malicious detection module, the method includes at least one of:
preventing at least one of transmission of the malicious data, reception of the malicious data, and connection to the malicious data, deleting malicious data, and putting malicious data in quarantine (col. 7, lines 52-60).

one or more sequences of source code of data identified as malicious; data representative of time of malicious data; data representative of a source of malicious data, data representative of a container group for which malicious data has been detected; data representative of a host for which malicious data has been detected (col. 5, lines 26-43 and col. 7, lines 49-60).
As per claim 20, it is disclosed of a non-transitory storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform operations including:
collecting data based on data communication of a container group (container host device, item 160 sends collected data to the enterprise security operations center, item 102 in figure 1) including at least one container, the container group being implemented on a host (items 106-1 to 106-N in figure 1)(col. 3, line 65 through col. 4, line 9),
wherein the collecting is performed at least partially by a data communication module located within the container group (container host device, item 160 sends collected data to the enterprise security operations center, item 102 in figure 1)(col. 3, line 65 through col. 4, line 9),
transmitting collected data, or data representative thereof, to an interface implemented on the host (col. 3, line 65 through col. 4, line 9), and
transmitting collected data, or data representative thereof from the interface to a malicious detection module implemented on the host, for detecting malicious data (col. 5, lines 26-43).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Morello et al, US 2018/0260574 is relied upon for monitoring application software containers for anomalous behavior, see paragraph 0020.
Bernstein et al, US 2018/0278639 is relied upon for disclosing of monitoring a containerized environment and inspecting for malicious activity, see paragraph 0023. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794.  The examiner can normally be reached on 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431