DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
EXAMINER’S AMENDMENT
2.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
          Authorization for this examiner’s amendment was given in a telephone interview with Mark Wilson on 10/19/2021.
IN THE CLAIMS
1. (Currently amended) A method for executing a virtualized application on a computing system that includes a user-space and a kernel-space, the method comprising:
executing an application in the user-space of a stateless computing environment, wherein the application is provided within a container that includes a user-level virtualization layer;
executing the user-level virtualization layer in the user-space of the stateless computing environment, the user-level virtualization layer including a set of rules;
performing, via the user-level virtualization layer, user-level hooking of events that are generated by the executing application according to the set of rules to identify events of interest;
storing events, which are identified from the user-level hooking at the user-level virtualization layer as events of interest, in a machine learning patterns database that is maintained at the user-level virtualization layer of the stateless computing environment;
applying, at the user-level virtualization layer, a pattern recognition process to the events that are stored in the machine learning patterns database that is maintained at the user-level virtualization layer of the stateless computing environment;
generating, at the user-level virtualization layer, a new rule based on the pattern recognition process and adding the new rule to the set of rules for use in the user-level virtualization layer; and
applying, through the user-level virtualization layer, the set of rules, including the new rule that has been added to the set of rules, to subsequent events that are generated by the executing application;
wherein the pattern recognition process involves:
generating a training set while executing the application in a controlled environment that is free from malicious activity;
storing the training set in the machine learning patterns database that is maintained at the user-level virtualization layer of the stateless computing environment;
determining that a hooked event has not been seen before relative to the training set; and
wherein generating a new rule based on the pattern recognition process involves generating a new rule in response to determining that a hooked event has not been seen before relative to the training set.
2. (Original) The method of claim 1 wherein generating a rule for the set of rules in the user-level virtualization layer based on the pattern recognition process comprises updating an existing rule.
3. (Canceled)
4. (Original) The method of claim 1 further comprising determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer.
5. (Previously presented) The method of claim 4 wherein determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer comprises extracting at least one of an internet protocol address, a hostname, and a port number from the event and comparing the extracted at least one of an internet protocol address, a hostname, and a port number to a list to determine if the at least one of an internet protocol address, a hostname, and a port number is on the list.
6. (Original) The method of claim 1 further comprising blocking a communication function based on an internet protocol (IP) address corresponding to an event that was identified as an event of interest.
7. (Original) The method of claim 1 further comprising blocking a communication function based on a hostname corresponding to an event that was identified as an event of interest.
8. (Original) The method of claim 1 further comprising blocking a communication function that corresponds to an event that was identified as an event of interest if the function relates to a socket call.
9. (Previously presented) The method of claim 4 wherein determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer comprises determining if the event is found in a training set and blocking the function corresponding to the event if the event is not found in the training set.
10. (Previously presented) The method of claim 4 wherein determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer comprises determining if the event is found on a black list and blocking the function corresponding to the event if the event is found on the black list.
11. (Previously presented) The method of claim 4 wherein determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer comprises determining if the function relates to a resource that is outside of a pre-established location.
12. (Original) The method of claim 11 further comprising blocking the function corresponding to an event if the function relates to a resource that is outside of the pre-established location.
13. (Original) The method of claim 11 further comprising blocking the function corresponding to an event if the function relates to a resource that is outside of the pre-established location unless the function corresponds to a resource that is on an allowed list.
14. (Currently amended) A system for running an application via an operating system executing on a computing device, the system comprising:
at least one processing unit and memory;
an operating system stored on the memory; and
a container stored on memory, the container including an application and a user-level application virtualization layer;
wherein execution of the application and the user-level application virtualization layer on the operating system involves:
executing the application in user-space of a stateless computing environment;
executing the user-level virtualization layer in the user-space of the stateless computing environment, the user-level virtualization layer including a set of rules;
performing, via the user-level virtualization layer, user-level hooking of events that are generated by the executing application according to the set of rules to identify events of interest;
storing events, which are identified from the user-level hooking at the user-level virtualization layer as events of interest, in a machine learning patterns database that is maintained at the user-level virtualization layer of the stateless computing environment;
applying, at the user-level virtualization layer, a pattern recognition process to the events that are stored in the machine learning patterns database that is maintained at the user-level virtualization layer of the stateless computing environment;
generating, at the user-level virtualization layer, a new rule based on the pattern recognition process and adding the new rule to the set of rules for use in the user-level virtualization layer; and
applying, through the user-level virtualization layer, the set of rules, including the new rule that has been added to the set of rules, to subsequent events that are generated by the executing application;
wherein the pattern recognition process involves:
generating a training set while executing the application in a controlled environment that is free from malicious activity;
storing the training set in the machine learning patterns database that is maintained at the user-level virtualization layer of the stateless computing environment;
determining that a hooked event has not been seen before relative to the training set; and
wherein generating a new rule based on the pattern recognition process involves generating a new rule in response to determining that a hooked event has not been seen before relative to the training set.
15. (Currently amended) A non-transitory computer readable medium that stores computer-executable code, the computer-executable code comprising:
a container that includes an application and a user-level virtualization layer;

executing the application in user-space of a stateless computing environment;
executing the user-level virtualization layer in the user-space of the stateless computing environment, the user-level virtualization layer including a set of rules;
performing, via the user-level virtualization layer, user-level hooking of events that are generated by the executing application according to the set of rules to identify events of interest;
storing events, which are identified from the user-level hooking at the user-level virtualization layer as events of interest, in a machine learning patterns database that is maintained at the user-level virtualization layer of the stateless computing environment;
applying, at the user-level virtualization layer, a pattern recognition process to the events that are stored in the machine learning patterns database that is maintained at the user-level virtualization layer of the stateless computing environment;
generating, at the user-level virtualization layer, a new rule based on the pattern recognition process and adding the new rule to the set of rules for use in the user-level virtualization layer; and
applying, through the user-level virtualization layer, the set of rules, including the new rule that has been added to the set of rules, to subsequent events that are generated by the executing application;
wherein the pattern recognition process involves:
generating a training set while executing the application in a controlled environment that is free from malicious activity;
storing the training set in the machine learning patterns database that is maintained at the user-level virtualization layer of the stateless computing environment;
determining that a hooked event has not been seen before relative to the training set; and
wherein generating a new rule based on the pattern recognition process involves generating a new rule in response to determining that a hooked event has not been seen before relative to the training set.
16. (Canceled)
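The following is an added illustration, not code from the application or from the applicant, of the mechanism recited in claims 1 and 4 - 13 taken together: a layer running in user space hooks socket and file calls, records a training set from a run in a controlled environment, treats any hooked event not seen relative to that training set as the trigger for generating a new rule, and decides allow or block from a block list of IP addresses and hostnames, the training set, and a pre-established location with an allowed list. The event schema, the form of the generated rule (one rule keyed to the unseen event's signature), the stand-in real_connect function and the training data are assumptions made for the example.

```python
"""Added illustration of a user-level virtualization layer with a learned rule
set (claims 1 and 4-13). Not the applicant's code; the event schema, rule
format, stand-in real_connect and training data are assumptions."""
import os
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Optional


@dataclass(frozen=True)
class Event:
    """A hooked call: kind is "socket" (connect/resolve) or "file" (open)."""
    kind: str
    ip: Optional[str] = None
    host: Optional[str] = None
    port: Optional[int] = None
    path: Optional[str] = None

    def key(self) -> tuple:
        # Signature compared against the training set and the rule set.
        return (self.kind, self.ip, self.host, self.port, self.path)


@dataclass
class Rule:
    match: tuple   # event signature the rule applies to
    action: str    # "allow" or "block"
    reason: str


@dataclass
class UserLevelVirtualizationLayer:
    base_dir: str                                    # pre-established location
    block_list: set = field(default_factory=set)     # IP addresses and hostnames
    allowed_paths: set = field(default_factory=set)  # allowed list outside base_dir
    rules: list = field(default_factory=list)        # the set of rules
    patterns_db: list = field(default_factory=list)  # machine learning patterns database
    training_set: set = field(default_factory=set)

    def train(self, events):
        """Controlled run free of malicious activity: record every event."""
        for ev in events:
            self.training_set.add(ev.key())
            self.patterns_db.append(ev)

    def hook(self, ev: Event) -> tuple:
        """Called by the user-space wrapper before the real call runs."""
        if ev.kind not in ("socket", "file"):       # not an event of interest
            return ("allow", "not hooked")
        self.patterns_db.append(ev)                 # store the event of interest
        for rule in self.rules:                     # rules generated earlier apply
            if rule.match == ev.key():
                return (rule.action, "rule: " + rule.reason)
        action, reason = self._decide(ev)
        if ev.key() not in self.training_set:       # unseen relative to training set
            self.rules.append(Rule(ev.key(), action, reason))   # generate a new rule
        return (action, reason)

    def _decide(self, ev: Event) -> tuple:
        for ident in (ev.ip, ev.host):              # extract IP/hostname, compare to list
            if ident is not None and ident in self.block_list:
                return ("block", f"{ident} is on the block list")
        if ev.key() in self.training_set:
            return ("allow", "seen during training")
        if ev.kind == "file":                       # resource outside pre-established location
            base = PurePosixPath(self.base_dir)
            path = PurePosixPath(os.path.normpath(ev.path))   # collapse ".." first
            if not (path == base or base in path.parents):
                if str(path) in self.allowed_paths:
                    return ("allow", f"{path} is on the allowed list")
                return ("block", f"{path} is outside {self.base_dir}")
        return ("block", "not seen during training")


def install_hook(layer, real_fn, to_event):
    """User-level hooking: wrap real_fn so the layer decides before it runs."""
    def wrapper(*args, **kwargs):
        action, reason = layer.hook(to_event(*args, **kwargs))
        if action == "block":
            raise PermissionError(reason)       # the hooked call never reaches real_fn
        return real_fn(*args, **kwargs)
    return wrapper


def build_demo_layer():
    """Layer trained on a constructed, benign run of a hypothetical app."""
    layer = UserLevelVirtualizationLayer(base_dir="/app",
                                         block_list={"203.0.113.7", "evil.example"},
                                         allowed_paths={"/etc/resolv.conf"})
    layer.train([Event("socket", ip="10.0.0.5", port=443),     # constructed training data
                 Event("file", path="/app/config.yml")])
    return layer


def real_connect(addr):
    """Stand-in for the real connect(); no network access is performed."""
    return f"connected to {addr[0]}:{addr[1]}"
```

With `connect = install_hook(layer, real_connect, lambda addr: Event("socket", ip=addr[0], port=addr[1]))`, a connect to the trained destination goes through, a connect to a block-listed or never-trained destination raises PermissionError, and the first unseen destination adds a rule so the second occurrence is answered by the rule set without re-running the comparison. Two caveats a practitioner would attach: the training run must cover the application's full benign behaviour, since anything outside it is blocked under the claim 9 style decision; and because the layer lives in the process's user space, it only sees calls that pass through the wrapped entry points, so code that issues system calls directly is outside its view.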
Allowable Subject Matter
3.	Claims 1, 2 and 4 – 15 are allowed.
4.	The following is an examiner’s statement of reasons for allowance: 
          Regarding claim 1, the closest prior art is Russello et al. (U.S. Publication 2014/0137184), Parees et al. (U.S. Publication 2017/0249374), Chen (U.S. Patent 8,826,273), Citeau (U.S. Publication 2009/0228421) and Bansal et al. (U.S. Publication 2018/0176102).  Russello teaches a method for executing a virtualized application on a computing system that includes a user-space and a kernel-space, the method comprising: executing an application in the user-space; executing the user-level virtualization layer in the user-space, the user-level virtualization layer including a set of rules; performing, via the user-level virtualization layer, user-level hooking of events that are generated by the executing application according to the set of rules to identify events of interest.  Parees discloses wherein the application is provided within a container that includes a user-level virtualization layer.  Chen discloses storing events that are identified at the user-level virtualization layer as events of interest in a stateless 
However, the art of record does not teach, nor render obvious, a method for executing a virtualized application on a computing system that includes a user-space and a kernel-space, the method comprising: executing an application in the user-space of a stateless computing environment, wherein the application is provided within a container that includes a user-level virtualization layer; executing the user-level virtualization layer in the user-space of the stateless computing environment, the user-level virtualization layer including a set of rules; performing, via the user-level virtualization layer, user-level hooking of events that are generated by the executing application according to the set of rules to identify events of interest; storing events, which are identified from the user-level hooking at the user-level virtualization layer as events of interest, in a machine learning patterns database that is maintained at the user-level virtualization layer of the stateless computing environment; applying, at the user-level virtualization layer, a pattern recognition process to the events that are stored in the machine learning patterns database that is maintained at the user-level virtualization layer of the stateless computing environment; generating, at the user-level virtualization layer, a new rule based on the pattern recognition process and adding the new rule to the set of rules for use in the user-level virtualization layer; and applying, through the user-level virtualization layer, the set of rules, including the new rule that has been added to the set of rules, to subsequent events that are generated by the executing application; wherein the pattern recognition process involves: generating a training set while executing the application in a controlled environment that is free from malicious activity; storing the training set in the machine learning patterns database that is maintained at the user-level virtualization layer of the stateless computing environment; determining that a hooked event has not been seen before relative to the training set; and wherein generating a new rule based on the pattern recognition process involves generating a new rule in response to determining that a hooked event has not been seen before relative to the training set.
	Claims 2 and 4 - 13 are allowed for at least the reasons of claim 1.  Claims 14 and 15 are variants of claim 1 and are allowed for the same reasons.
          Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
5.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM C WOOD whose telephone number is (571)272-5285.  The examiner can normally be reached on Monday - Friday, 8:00 am - 4:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/WILLIAM C WOOD/
Examiner, Art Unit 2193


/Chat C Do/Supervisory Patent Examiner, Art Unit 2193