DETAILED ACTION

Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The present office action is responsive to communications received on 6/4/2020. Claims 1-8 are pending.

Priority
Receipt is acknowledged of papers submitted under 35 U.S.C. 119(a)-(d), which papers have been placed of record in the file.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 5/27/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Examiner’s Notes
Analysis under 35 U.S.C. 101, Double Patenting, and 35 U.S.C. 112 have been conducted, but no issues are found.

Specification
The disclosure is objected to because of the following informalities:
The abstract of the disclosure is objected to because of undue length. The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. Correction is required.  See MPEP § 608.01(b).
Specification and FIG. 3 recite terms “application installation path”, “application path” and “application code path”. Examiner assumes these terms are used interchangeably for compact prosecution. However, it is suggested to use consistent terminology throughout to avoid confusion, if they are intended to be synonymous; or clearly define the difference, if they are not intended to be synonymous. Moreover, the chosen term should be consistent with claim language (“application installation path” or “application path” in claim 1, 4 and 7).
Specification and FIG. 3 recite terms “application data path” and “data path”. Examiner assumes these terms are used interchangeably for compact prosecution. However, it is suggested to use consistent terminology throughout to avoid confusion, if they are intended to be synonymous; or clearly define the difference, if they are not intended to be synonymous. Moreover, the chosen term should be consistent with claim language (“data path” in claim 1, 4 and 7).
Appropriate correction is required.

Claim Objections
Claims 1-7 are objected to because of the following informalities: 
Claims 1 and 7 recite “determining an application installation path for the application...; securely communicating an identifier of the software container, the application path, the data path and the generated encryption key…; encrypting the application path and the data path using the generated encryption key;” and claim 4 recites “re-encrypting the application path and the data path using the new encryption key.”. The term “application installation path” and “application path” should be consistent to avoid possible antecedent issue. Moreover, the chosen term should be consistent with specification/drawing (“application installation path”, “application path”, “application code path”) to avoid confusion.
Independent claim 1 recites “A computer implemented method...” whereas dependent claims 2-6 recite “The method of claim…”. It is suggested to change dependent claims 2-6 to “The computer implemented method of claim…” for clarity and consistency.
Claim 2 recites “wherein the software container is a software process executable in an operating system of a computer system…”. The expression “computer system” has already been defined previously in the claims and should therefore be referred to using a definite article.
Claim 6 recites “wherein the new encryption key is generated based on an exclusive OR operation applied to a combination of previous key, a time of recommencement of execution of the software container and an identifier of the software container…”. The expression “identifier” has already been defined previously in the claims and should therefore be referred to using a definite article.
Claim 7 recites “A computer system comprising: a processor and memory storing computer program code for securing an application executing in a software container deployed in a computer system, by:…”. The expression “computer system” has already .
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1, 3 and 7-8 are rejected under 35 U.S.C. 103 as being unpatentable over Levy (US 20170249472 A1) in view of Creasman (US 20150172232 A1).

Regarding claim 1, Levy teaches a computer implemented method of securing an application executing in a software container deployed in a computer system, the method comprising:
identifying at least one application executing in the software container; ([0009] generates a plurality of application containers each associated with a respective user. Each application container includes a list of files and processes that the user is authorized to access. [0118] Each executable defines an Xid, a path, and a description. The Xid is a string representing the ID of the process.) Here Levy discloses that applications being executed are identified by their Xid.
determining an application installation path for the application as a location in a container data storage facility at which code for the application at least partially resides; ([0123] The processes can include Xid: mysql, path: /usr/bin/mysql*, description: mysql and friends, Xid: splunk, path: /usr/bin/splunkd, and description: Splunk daemon.) Here Levy discloses two examples of application installation path.
generating an encryption key for the application; ([0130] The application keys are used for encrypting a file's file encryption key by the public key.) Here the encryption key is the public key of the application key.
determining a data path for the application as a location in the container data storage facility at which data processed or generated by the application at least partially resides; ([0123] The application containers can further include app_id: MySQL, description: all mysql related, files: /mysql/data/** and /logs/mysql/*.log.) Here Levy discloses examples of data path.
securely communicating an identifier of the software container, … and the generated encryption key for secure storage by a security component external to the software container; ([0119] The App_id is a string representing the ID of the application container. [0130] For each application defined in the policy, an asymmetric encryption key is generated, such as RSA 2048. Both the public and the private keys are then stored on the IVKM, indexed by the project name, volume id, and the application id. Application keys are also authenticated using IDPS authorization tokens mechanism, which allows coupling protected items with specific authorization tokens. Once this mechanism is used, access to the application keys is allowed only when an authorization token is supplied by the caller.) Here the encryption key, i.e., the public key of the application key, is stored externally to the containers, indexed by project name, volume id, and application id, hence implying storage of the application id, which identifies the application container. The security of the storage is disclosed by the authorization tokens mechanism.
securely receiving, from the security component, one or more access control rules defining computing components authorized to access the application; ([0116-0117] In one example a 20 GB disk device has been added on with /dev/sdb: mkfs −t xfs/dev/sdb, mount −t xfs/dev/sdb/mnt/my-backend, and idps_agent secure-fs/mnt/my-backend/mnt/my-secure-fs./my-policy. Now, any access to/mnt/my-secure-fs/ will be controlled by the IDPS file system 430 and the policy, although all “real” data will actually be written to /mnt/my-backend/. In one embodiment, the IDPS agent 415 depends on a user-defined policy, which describes the access-control entities and rules.) Here Levy discloses that the access-control rules of a user-defined policy are securely received from storage external to the containers.
encrypting the application path and the data path using the generated encryption key; and ([0009] The resource management module hosts a virtual file system that includes a plurality of directories, folders, and files representing the data stored in the one or more storage containers. The access control and encryption module encrypts every file in the virtual file system with a respective file encryption key.) Levy discloses that all files are encrypted; therefore, the application path contents and the data path contents are encrypted. Moreover, Levy provides details in ¶130 that this encryption is different from full disk encryption since it allows for fine-grained access control.
providing access to the application selectively in accordance with the access control rules by sharing the generated encryption key with authorized accessors. ([0100- 0106] Fig. 3, 314-320: receive, with the access control and encryption module, a request from a user to access a selected file in the virtual file system; deny, with the access control and encryption module, the request if the selected file is not listed in the application container associated with the user; decrypt, with the access control and encryption module, the selected file if the selected file is listed in the container application associated with the user; output, with the access control and encryption module, the selected file to the user after decrypting the selected file.) Here Levy discloses sharing of the encryption key with callers (i.e., 

Levy teaches securely communicating an identifier of the software container, and the generated encryption key for secure storage by a security component external to the software container, but does not explicitly teach securely communicating the application path, the data path for secure storage by a security component external to the software container. This aspect of the claim is identified as a difference.
However, Creasman in an analogous art explicitly teaches
securely communicating the application path, the data path for secure storage by a security component external to the software container. ([0036] install module 352 may invoke certain feedback prompts/requests in response to a "custom" installation being selected by a user. The "custom" installation may include providing the user/installer with various options for the installation and/or otherwise enabling the user to customize the installation of product 350 (e.g., installing only select modules/components, selecting certain directories for files/components, selecting various installation/operating parameters, etc.). Feedback data 360 is delivered to server 302 for analysis by install module 320. The modification information for the installation path for product 350 may be stored as install path data 324.) Here Creasman discloses “securely communicating the application path for external storage” by reciting that installation path for product 350 (in client) may be stored as install path data 324 (in server). Creasman discloses “securely communicating the data path for external storage” by reciting that feedback data 360 (in client, which can be directories for files/components) is delivered to server 302.
It would have been prima facie obvious to one of ordinary skill in the art before the effective (Creasman [0036]).

Regarding claim 3, Levy in view of Creasman teaches all the features with respect to claim 1, as outlined above. The combination further teaches 
periodically securely receiving updates to the access control rules from the security component; and ([Levy 0114, 0134] once an IDPS agent 415 is installed, a new user “idps_admin” is created. the main role of the idps_admin is to update the policy according to the warnings issued on would-be-denied access attempts.)
responsive to receiving updated rules, providing access to the application selectively in accordance with the updated access control rules. ([Levy 0134] the new policy is evaluated, accepted and updated (assuming it's valid).)

Regarding claims 7-8, the scope of the claims are similar to that of claim 1, respectively. Accordingly, the claims are rejected using a similar rationale.

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Levy (US 20170249472 A1) in view of Creasman (US 20150172232 A1) and Martel (US 20150347746 A1).

Regarding claim 2, Levy in view of Creasman teaches all the features with respect to claim 1, as outlined above. But the combination does not teach wherein the software container is a software process executable in an operating system of a computer system in which operating system software processes are prevented from accessing resources of other second processes executing in the operating system. This aspect of the claim is identified as a difference.
However, Martel in an analogous art explicitly teaches 
wherein the software container is a software process executable in an operating system of a computer system in which operating system software processes are prevented from accessing resources of other second processes executing in the operating system. ([0033] Sandboxing of an application or process can be achieved using operating system level protection to provide containment and to enforce security policies, such as policies that restrict the ability of the application to take actions beyond those functions needed for it to provide its intended functionalities. When an application has been sandboxed during execution, the application is executed as a sandboxed process or thread within the system that is contained within a sandbox (also referred to as an application container), in which it cannot access certain system resources or another territory (e.g., sandbox) of another application.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “access control encryption” concept of Levy, and the “restricting resources used by application” approach of Martel. One of ordinary skill in the art would have been motivated to perform such a modification to provide security. An application may be contained by restricting its functionality to a subset of operations and only allowing operations that are (Martel [0033, 0002]).

Claim 4-5 are rejected under 35 U.S.C. 103 as being unpatentable over Levy (US 20170249472 A1) in view of Creasman (US 20150172232 A1) and Walrath (US 20120017097 A1).

Regarding claim 4, Levy in view of Creasman teaches all the features with respect to claim 1, as outlined above. But the combination does not teach in response to a restart, a redeployment or resumption of execution of the software container following a cessation of execution, generating a new encryption key for the application and re-encrypting the application path and the data path using the new encryption key. This aspect of the claim is identified as a difference.
However, Walrath in an analogous art explicitly teaches 
in response to a restart, a redeployment or resumption of execution of the software container following a cessation of execution, generating a new encryption key for the application and re-encrypting the application path and the data path using the new encryption key. ([0015] a secure communication path may be initiated by generating a random encryption key when the computer system 100 is rebooted or otherwise receives a system reset. Secure communication could be initiated by generating a random encryption key when the computer system 100 resumes operation after hibernation, whether a system reset is needed to resume operation or not. Similarly, a random encryption key could be generated when the computer system 100 resumes operation following a standby state. [0017] the random encryption key is used to encrypt data that is written to the system memory 106.) Here reference Walrath discloses generating an encryption key which can be used to 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “access control encryption” concept of Levy, and the “securely storing data” approach of Walrath. One of ordinary skill in the art would have been motivated to perform such a modification to protect system memory from a wide range of hacker attacks. In particular, the modification is adapted to protect system memory from physical attacks and boot attacks. Moreover the modification provides system memory security without significantly impacting system performance and without impacting operating system and software application performance. Finally, the modification may be implemented with minimal impact on overall system cost and complexity (Walrath [0031]).

Regarding claim 5, Levy in view of Creasman and Walrath teaches all the features with respect to claim 4, as outlined above. The combination further teaches securely communicating the new encryption key to the security component. ([Walrath 0015-0016] a secure communication path may be initiated by generating a random encryption key when the computer system 100 is rebooted or otherwise receives a system reset. a random encryption key is generated and transmitted to the memory controller 104.) In addition, reference Levy also discloses securely communicating the new encryption key to the security component in ¶130.

Allowable Subject Matter
Claim 6 is objected to over prior art as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and further amended to overcome claim objections set forth in this office action.
The following is an examiner's statement of reasons for allowance: Claim 6 defines the distinct features, wherein the new encryption key is generated based on an exclusive OR operation applied to a combination of previous key, a time of recommencement of execution of the software container and an identifier of the software container, and the method further comprising communicating the time of recommencement to the security component so as to permit the security component to separately determine the new encryption key.

In interpreting the claim, in light of the specification, the examiner finds the claimed invention to be patentably distinct from the prior art of record.

Walrath (US 20120017097 A1) teaches that a secure communication path may be initiated by generating a random encryption key when the computer system 100 is rebooted or otherwise receives a system reset. Random encryption keys could additionally be generated based on dates and/or time such as at a specific time of day or after a preset time period has expired. In addition, a simple encryption algorithm such as an XOR algorithm may be used by the encryption block 210 to minimize the impact on throughput of the memory subsystem 200. An exemplary XOR algorithm comprises performing an XOR operation using the data written to system memory and the random encryption key.

Xing (US 20170024569 A1) teaches that the encryption key may be derived using a processor instruction with random seed values, which ties the derived keys to the identity of the CEE 304. If the 

Grube (US 20180329834 A1) teaches that the generate masked keys module 110 generates a first masked key by performing the exclusive OR function on a first encryption key and a 10th deterministic value when the data intermingling pattern 126 indicates to select the 10th deterministic value for the first encryption key.

Although Grube, Xing, and Walrath disclose generating keys by performing the exclusive OR function on a first encryption key, deriving keys to the identity of the CEE, generating keys based on dates and/or time, the prior art of record fails to teach or suggest, individually or in combination, each and every limitation of the claimed invention. Thus, the examiner finds that the prior art does not provide sufficient teaching or motivation for anticipating or rendering obvious, within the claimed invention as a whole, without the usage of impermissible hindsight reasoning. Therefore, the above features in conjunction with all other limitations of the claim are hereby allowed.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20200387599 A1, "Software container application security", by Du, teaches a computer implemented method to detect anomalous behavior of a software container having a software application executing therein.
US 20190171811 A1, "Software container profiling", by Daniel, teaches a method in a computer system having an operating system providing isolation between software processes executable in the operating system such that a first process executing in the operating system is prevented from accessing resources of a second process executing in the operating system.
US 20190156047 A1, "Software container access control", by Daniel, teaches an access control method for a restricted resource in a computer system having an operating system providing isolation between software processes executable in the operating system such that a first process executing in the operating system is prevented from accessing resources of a second process executing in the operating system.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638.  The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available 




/HAN YANG/Examiner, Art Unit 2493