DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/14/2019, 07/17/2020 and 02/09/2021 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.

Drawings
	The drawings filed on May 14, 2019 are accepted. 

Specification
	The specification filed May 14, 2019 is accepted.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


s 1-3, 5, 7-12, 14-17, 19 and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Stopel et al. US 2017/0116415 A1 [hereinafter Stopel].
As per claim 1, Stopel teaches an operation method of a system for generating a security profile of a security instance, comprising: 
extracting executable code and a library file from a container, thereby identifying a target to be analyzed [paragraphs 0044, 0045 and 0079-0082]; 
performing binary static analysis for the executable code and the library file in order to generate a system call list [paragraphs 0045-0048 and 0087-0089]; and 
generating a Secure Computing Mode (SECCOMP) security profile based on the system call list [paragraphs 0049-0053 and 0088-0090].

As per claim 11, Stopel teaches a system for generating a security profile of a security instance, comprising:
at least one processor [figure 3]; and 
memory for storing at least one instruction executed by the at least one processor [figure 3],
wherein the at least one instruction is configured such that an analysis target identification subsystem identifies an analysis target by extracting executable code and a library file from a container [paragraphs 0044, 0045 and 0079-0082], 
such that a binary static analysis subsystem performs binary static analysis for the executable code and the library file in order to generate a system call list [paragraphs 0045-0048 and 0087-0089], and 

wherein the analysis target identification subsystem, the binary static analysis subsystem, and the security profile generation subsystem are virtualized systems [figure 3, paragraphs 0037 and 0101].

As per claim 16, Stopel teaches a container virtualization system, comprising: 
a container host [fig 3]; and 
a security profile generation system, wherein the security profile generation system comprises: at least one processor [fig 3]; and 
memory for storing at least one instruction executed by the at least one processor,
wherein the at least one instruction is configured such that an analysis target identification subsystem identifies an analysis target by extracting executable code and a library file from a container [paragraphs 0045-0048 and 0087-0089],
such that a binary static analysis subsystem performs binary static analysis for the executable code and the library file in order to generate a system call list [paragraphs 0045-0048 and 0087-0089], and 
such that a security profile generation subsystem generates a Secure Computing Mode (SECCOMP) security profile based on the system call list [paragraphs 0049-0053 and 0088-0090].
	


	As per claim 3, Stopel further teaches the method wherein identifying the target to be analyzed further comprises: identifying the executable code and the library file, which are loaded with the container when the container is run; and extracting the identified executable code and library file [paragraphs 0045-0048 and 0087-0089].

	As per claim 5, Stopel further teaches the method wherein performing the binary static analysis comprises: identifying a dynamic linking relationship between the executable code and the library file, identifying direct or indirect system calls invoked in the executable code or the library file and generating the system call list for the identified system calls [paragraphs 0049-0053 and 0088-0090].

	As per claim 7, Stopel further teaches the method wherein generating the SECCOMP security profile comprises: generating a whitelist for system calls using the system call list [paragraphs 0049-0053 and 0089-0090].

	As per claim 9, Stopel further teaches the method further comprising: adding the generated SECCOMP security profile in a security profile save location in a container host [paragraphs 0049-0053 and 0089-0090]. 
	As per claim 10, Stopel further teaches the method wherein, when the container is run, the container host filters system calls invoked by the container based on the SECCOMP security profile [paragraphs 0049-0053 and 0089-0090].

	As per claims 12 and 17, Stopel further teaches the system wherein the analysis target identification subsystem comprises: 
a container instance execution module for running the container after acquiring an image corresponding to the container from container image storage [paragraphs 0044, 0045 and 0079-0082];  
	an information collection module for collecting information about an application and a shared library executed inside the container [paragraphs 0045-0048 and 0087-0089]; and 
	an analysis target identification module for extracting the executable code and the library file from a filesystem of the container based on the collected information [paragraphs 0049-0053 and 0088-0090].
	

	a security profile conversion module for receiving the system call list and generating a security profile in a format used in a container host [paragraphs 0049-0053 and 0088-0090];  
	a security profile delivery module for saving the security profile in a security profile save location in the container host [paragraphs 0049-0053 and 0088-0090];  and 
	a security profile database for storing the security profile [paragraphs 0049-0053 and 0088-0090].

	As per claims 15 and 20, Stopel further teaches the system wherein a record of the security profile database includes container instance information, information about an installed application, and the security profile [paragraphs 0049-0053 and 0088-0090]. 

Allowable Subject Matter
Claims 4, 6, 13 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


BEEMNET W. DADA
Primary Examiner
Art Unit 2435