DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In response to the Office action mailed on 1/19/2021, the applicants have filed a response: claims 1, 14 and 15 have been amended and claims 16 and 17 have been added.  Claims 1 – 17 are pending.
Examiner Notes
3.	The Examiner cites particular columns and line numbers in the references as applied to the claims below for the convenience of the Applicant(s). Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the Applicant fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner.
Claim Rejections - 35 USC § 103
4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
6.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
7.	Claims 1 and 14 - 16 are rejected under 35 U.S.C. 103 as being unpatentable over Russello et al. (U.S. Publication 2014/0137184) (Russello hereinafter) in view of Parees et al. (U.S. Publication 2017/0249374) (Parees hereinafter) and Spertus et al. (U.S. Patent 8,938,808) (Spertus hereinafter).
8.    	As per claim 1, Russello teaches a method for executing a virtualized application on a computing system that includes a user-space and a kernel-space, the method comprising:
Applications 210, fig. 3];
          executing the user-level virtualization layer in the user-space, the user-level virtualization layer including a set of rules [“a virtualization system for virtualizing an operating system on a device to provide a plurality of isolated user space instances operable on the device, the operating system comprising a Linux-based kernel, and a system architecture defined by a Linux layer associated with the kernel and the higher application layer comprising applications,” ¶ 0182], the user-level virtualization layer including a set of rules [“the monitor process is configured to enforce the retrieved security policy for its target process by implementing a security action at the Linux layer in regard to the detected system call based on the retrieved security policy. The security action may comprise any one or more of the following: allowing the system call to proceed, blocking the system call from proceeding, modifying parameters of the system call prior to execution or return values generated by the system call after execution, or prompting the user of the device to select a security action,” ¶ 0035; security policy mapped to set of rules];
          performing, via the user-level virtualization layer, user-level hooking of events that are generated by the executing application according to the set of rules to identify events of interest [“an interceptor associated with each process that is configured to intercept system and/or library function calls, and redirect them to the monitoring entity associated with the process initiating the system and/or library function calls,” ¶ 0184; “wherein the monitoring entities are configured to analyze the intercepted system and/or library function calls made by their associated processes and perform a security action based on at least a user-space control parameter indicative of the specific user-space instance currently operating on the device and a security policy associated with the process,” ¶ 0185]; and
          determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer [“the monitor process is configured to enforce the retrieved security policy for its target process by implementing a security action at the Linux layer in regard to the detected system call based on the retrieved security policy. The security action may comprise any one or more of the following: allowing the system call to proceed, blocking the system call from proceeding, modifying parameters of the system call prior to execution or return values generated by the system call after execution, or prompting the user of the device to select a security action.” ¶ 0035].
          Russello does not explicitly disclose but Parees discloses wherein the application is launched from a container that includes the application and a user-level virtualization layer, the user-level virtualization layer included in the container including virtualization layer logic and virtual configuration files [“Implementations of the disclosure provide for container clustering in a container-based architecture. Implementations provide a container cluster component that is implemented as a part of a host computer system of the container-based architecture. The container-based architecture implements a containerized execution model, in which an application and its dependencies (such as binaries and/or libraries used to run the application) execute within at least one application container (also referred to herein as a "container"). The application container is an isolated process in user space of a host operating system, sharing the kernel with other containers,” ¶ 0009; “The plurality of host computer system (hosts) 150A-150Z executes applications or other processes running on one or more hosts 150A-150Z. In some implementations, these hosts are virtual machines (VMs) that are hosted on a physical machine, such as one or more hosts 150A-150Z.” ¶ 0013; “a container cluster component 120 is provided to implement discovery, provisioning, configuration, re-configuration, monitoring, and/or other management functions for containers 154 in a container cluster. Each built application image, such as application image 135 stored in image repository 130, includes the container cluster component 120. When the application image 135 is deployed to one or more running containers 154 of a container cluster, the application instance 152 causes functionality of the container cluster component 120 to execute in the respective container 154 on the respective host 150A-150Z. For example, the container cluster component 120 may include one or more processes to perform container discovery, provisioning, configuration, re-configuration, monitoring, and/or other management functions with respect to a container cluster of the containers 154 in the hosts 150A-150Z,” ¶ 0023, fig. 1; “the DNS query is generated by a container cluster component when the application image is deployed as part of the application image instance. As discussed above, an image refers to data representing executables and files of the application used to deploy functionality for a runtime instance of the application,” ¶ 0033].

	Russello and Parees do not explicitly disclose but Spertus discloses wherein the virtualization later logic included in the container is configured to hook and interpret events that are generated by the executing application and to interact according to the set of rules with the virtual configuration files to generate virtualized events [“Application 601 may make another file access attempt 610 to access an unprotected file in base file system 614. File system filter driver 605 may intercept file access attempt 610, and virtualization module 604 may access a virtualization policy that indicates file access 610 should be allowed without being modified. File system filter driver 605 may therefore allow file access attempt 610 to pass through to base file system 614. In such embodiments, the virtualization policy may be a default policy that indicates access attempts for application 601 should be allowed unless a rule indicating an access restriction exists.” col. 12, line 62 – col. 13, line 5].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees and Spertus available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello and Parees to include the capability of event processing as taught by Spertus, thereby providing a 
9.	As per claim 14, it is a system claim having similar limitations as cited in claim 1.  Thus, claim 14 is also rejected under the same rationale as cited in the rejection of claim 1 above.
10.	As per claim 15, it is a media claim having similar limitations as cited in claim 1.  Thus, claim 15 is also rejected under the same rationale as cited in the rejection of claim 1 above.
11.	As per claim 16, Russello, Parees and Spertus teach the method of claim 1.  Spertus further teaches wherein the user-level virtualization layer includes a virtual file store that includes files that are within a namespace that is specific to the user-level virtualization layer and that can be accessed without operating system administration rights [“As used herein, the phrase “implement operating-system level virtualization to handle a data request' generally refers to using any virtualization process for sandboxing data associated with a request. Data access requests may be handled using an application virtualization technology, a namespace virtualization technology, and/or any other suitable operating-system-level virtualization technology. For example, Virtualization module 104(a) may handle an access request for data 212 by decrypting data 212, storing the decrypted data in a secure location, and redirecting the access request to the secure location to allow application 203 to access the decrypted data.” col. 8, lines 19 – 30].
.
12.	Claims 2 – 5 are rejected under 35 U.S.C. 103 as being unpatentable over Russello, Parees and Spertus in view of Awan et al. (U.S. Publication 2014/0173700) (Awan hereinafter).
13.    	As per claim 2, Russello, Parees and Spertus teach the method of claim 1.  Russello, Parees and Spertus do not explicitly disclose but Awan discloses wherein determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer comprises extracting at least one of an internet protocol address, a hostname, and a port number from the event and comparing the extracted at least one of an internet protocol address, a hostname, and a port number to a list to determine if the at least one of an internet protocol address, a hostname, and a port number is on the list [“A policy enforcer of a wrapped application may then create a local loopback server for each blocking reason, and launch the local loopback servers when the wrapped application is launched. Then when the wrapped application attempts to access the blocked URL, the call can be intercepted, resolved to the hostname of the corresponding local loopback server, and the appropriate policy enforced. The enforcement of the policy may include rewriting the requested (blocked) URL with a new URL to custom web page and/or the reasons why the blocking has occurred,” ¶ 0200].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees, Spertus and Awan available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello, Parees and Spertus to include the capability of policy enforcement as taught by Awan, thereby providing a mechanism to improve system security by enforcing security access policies for system interactions [Awan ¶ 0007].
14. 	As per claim 3, Russello, Parees and Spertus teach the method of claim 1.  Russello, Parees and Spertus do not explicitly disclose but Awan discloses blocking a communication function based on an internet protocol (IP) address corresponding to an event that was identified as an event of interest [“Socket calls relating to network communication are intercepted by the wrapped application's policy enforcer to determine an IP address, hostname, network location, website, type of network communication, etc. being attempted by the wrapped application,” ¶ 0196].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees, Spertus and Awan available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello, Parees and Spertus to include the capability of policy enforcement as taught by Awan, thereby providing a mechanism to improve system security by enforcing security access policies for system interactions [Awan ¶ 0007].
15. 	As per claim 4, Russello, Parees and Spertus teach the method of claim 1.  Russello, Parees and Spertus do not explicitly disclose but Awan discloses blocking a Socket calls relating to network communication are intercepted by the wrapped application's policy enforcer to determine an IP address, hostname, network location, website, type of network communication, etc. being attempted by the wrapped application,” ¶ 0196].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees, Spertus and Awan available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello, Parees and Spertus to include the capability of policy enforcement as taught by Awan, thereby providing a mechanism to improve system security by enforcing security access policies for system interactions [Awan ¶ 0007].
16.    	As per claim 5, Russello, Parees and Spertus teach the method of claim 1.  Russello, Parees and Spertus do not explicitly disclose but Awan discloses blocking a communication function that corresponds to an event that was identified as an event of interest if the function relates to a socket call [“Socket calls relating to network communication are intercepted by the wrapped application's policy enforcer to determine an IP address, hostname, network location, website, type of network communication, etc. being attempted by the wrapped application,” ¶ 0196].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees, Spertus and Awan available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello, Parees and Spertus to include the capability of policy enforcement as taught by Awan, .
17.	Claims 6 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Russello, Parees and Spertus in view of Kapoor et al. (U.S. Publication 2017/0201541) (Kapoor hereinafter).
18.    	As per claim 6, Russello, Parees and Spertus teach the method of claim 1.  Russello, Parees and Spertus do not explicitly disclose but Kapoor discloses wherein determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer comprises determining if the event is found in a training set and blocking the function corresponding to the event if the event is not found in the training set [“such an embodiment can also include performing remedial actions (such as disallowing an input command to an IoT device, for example) in connection with a generated alert. As noted, the techniques detailed herein include learning valid command sequences among multiple devices from historical device usage data. Also one or more embodiments of the invention include ensuring that only commands that are both valid and arrive in the correct sequence (that is, permissible to device state) are allowed,” ¶ 0016, learned valid command sequences mapped to training set].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees, Spertus and Kapoor available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello, Parees and Spertus to include the capability of access enforcement as taught by 
19.    	As per claim 7, Russello, Parees and Spertus teach the method of claim 1.  Russello, Parees and Spertus do not explicitly disclose but Kapoor discloses wherein determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer comprises determining if the event is found on a black list and blocking the function corresponding to the event if the event is found on the black list [“FIG. 3 depicts rule list checking in accordance with one or more embodiments of the invention. As illustrated, generated sensor events 302 are transmitted to the sensor event segmenting logic 205 of the gateway component 206, and sensor event segmenting logic 205 as well as the device ontology 204 provide input to the normalization component 207 of the gateway component 206. For example, the sensor event segmenting logic 205 transmits a collection of sensor events to the normalization component. The normalization component 207 generates an output (a collection of normalized sensor events) and provides such output to a dictionary checking component 304, which also receives input from local dictionary white list 208, local dictionary black list 210, global dictionary white list 212, and global dictionary black list 214. Input provided by local dictionary white list 208, local dictionary black list 210, global dictionary white list 212, and global dictionary black list 214 to the dictionary checking component 304 can include, for example, the following: <key=sensor name, value=allowed commands of a sensor event type>.” ¶ 0024].
.
20.	Claims 8 – 10 are rejected under 35 U.S.C. 103 as being unpatentable over Russello, Parees and Spertus in view of Shavell et al. (U.S. Patent 10,097,560) (Shavell hereinafter).
21.  	As per claim 8, Russello, Parees and Spertus teach the method of claim 1.  Russello, Parees and Spertus do not explicitly disclose but Shavell discloses wherein determining whether to allow or block a function corresponding to an event that is identified as an event of interest based on the set of rules in the user-level virtualization layer comprises determining if the function relates to a resource that is outside of a pre-established location [“Various devices, such as network-enabled device 208, may present signed information 404 to server 206 as proof that they are within proximity to secure beacon 210. Determination module 108 may receive and verify the authenticity of signed information 404 from network-enabled device 208, such as by comparing signed information 404 received from network-enabled device 208 with a set of expected signed information derived from beacon registry 402. Establishing module 110 may then establish an access level at which network-enabled device 208 may access network resource 214 in accordance with security policy 216,” col. 8, lines 30 – 41].

22.    	As per claim 9, Russello, Parees, Spertus and Shavell teach the method of claim 8.  Shavell further discloses blocking the function corresponding to an event if the function relates to a resource that is outside of the pre-established location [“use a result of the verification to determine a security policy associated with the secure beacon, use a result of the determination to grant and/or deny the network-enabled device access to a network resource, and/or output a result of the analysis and/or determination to a database,” col, 17, lines 41 – 45].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees, Spertus and Shavell available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello, Parees and Spertus to include the capability of access management by resource location as taught by Shavell, thereby providing a mechanism to improve system security by enforcing access policies for system interactions based on physical location of resources.
23.    	As per claim 10, Russello, Parees, Spertus and Shavell teach the method of claim 8.  Shavell further discloses blocking the function corresponding to an event if the the access level at which the network-enabled device is allowed to access the network resource based at least in part on the network-enabled device being within range of the short-range wireless signal from the secure beacon. For example, establishing module 110 may, as part of server 206 in FIG. 2, establish, according to security policy 216, the access level at which network-enabled device 208 is allowed to access network resource 214 based at least in part on network-enabled device 208 being within range of wireless signal 212,” col. 9, line 64 – col. 10, line 7].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees, Spertus and Shavell available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello, Parees and Spertus to include the capability of access management by resource location as taught by Shavell, thereby providing a mechanism to improve system security by enforcing access policies for system interactions based on physical location of resources.
24.	Claims 11 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Russello, Parees and Spertus in view of Joslin et al. (U.S. Publication 2008/0106404) (Joslin hereinafter).
25. 	As per claim 11, Russello, Parees and Spertus teach the method of claim 1.  Russello, Parees and Spertus do not explicitly disclose but Joslin discloses storing events that are identified as events of interest in a database [“The sensor layer 410 is adapted to generate data based at least in part on one or more events. The data may include, for example, data, signals, events, and/or reports.  The data may be stored, for example, in a database.” ¶ 0031];
          applying a pattern recognition process to the events that are stored in the database [“a control center node 435 may receive data from a plurality of sensor nodes 415 and/or a plurality of gateway nodes 425 and automatically alert a user when the data matches a pattern recognition template. The rule set may include, for example, ordered/unordered events and/or analog/digital signatures,” ¶ 0042]; 
          generating a rule for the set of rules in the user-level virtualization layer based on the pattern recognition process [“The rule set may be configured “on the fly', for example, by the system 400 and/or a user of the system 400. The rule set may be configured remotely, for example, from any node in the system 400,” ¶ 0042]; and
          applying the generated rule through the user-level virtualization layer [“a user may create a pattern recognition template that matches on relative left to right movement of a vehicle reported first from SENSOR NODEA and then from SENSOR NODE B within 5 minutes. The control center layer 430 may query a database and alert the user when the data in the database matches the pattern recognition template,” ¶ 0042].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees, Spertus and Joslin available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello, Parees and Spertus to include the capability of pattern recognition of events as taught by Joslin, thereby providing a mechanism to improve system performance and efficiency by streamlining the process of event processing.
The rule set may be configured “on the fly', for example, by the system 400 and/or a user of the system 400. The rule set may be configured remotely, for example, from any node in the system 400,” ¶ 0042].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees, Spertus and Joslin available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello, Parees and Spertus to include the capability of pattern recognition of events as taught by Joslin, thereby providing a mechanism to improve system performance and efficiency by streamlining the process of event processing.
27.	Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Russello, Joslin, Parees and Spertus in further view of Bourdev et al. (U.S. Publication 2015/0036919) (Bourdev hereinafter).
28. 	As per claim 13, Russello, Parees, Spertus and Joslin teach the method of claim 11.  Russello, Parees, Spertus and Joslin do not explicitly disclose but Bourdev discloses wherein generating a rule for the set of rules in the user-level virtualization layer based on the pattern recognition process comprises generating a new rule [“To create the visual pattern template, the visual pattern creation module 502 may implement a visual pattern recognition algorithm, such as a bag-of-words model in computer vision or technique that counts the occurrence of a vocabulary of local image features in each of the training set of images,” ¶ 0083].
.
29.	Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Russello, Parees and Spertus in further view of Kulkarni (U.S. Patent 8,904,081) (Kulkarni hereinafter).
30.	As per claim 17, Russello, Parees and Spertus teach the method of claim 1.  Russello, Parees and Spertus do not explicitly disclose but Kulkarni discloses wherein the user-level virtualization layer is invoked as a separate application at the user-level, and wherein the user-level virtualization layer spawns the application and hooks into the application without requiring operating system admin rights [“When the user launches the runtime engine or component associated with the application container (e.g., from the file system of the guest OS of the virtual desktop), the runtime component executes the code of the application itself (which is embedded in the application container) and intercepts and redirects any requests by the application code to access registry settings and/or files to those within the application container itself, to the extent that the accessed registry values and/or files are stored in the application container,” col. 5, lines 21 – 29; monitoring by the runtime component of code itself executes suggests that no OS-level privileges are needed].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Russello, Parees, Spertus and Kulkarni available before the effective filing date of the claimed invention, to modify the capability of virtualization as disclosed by Russello, Parees and Spertus to include the capability of process monitoring as taught by Kulkarni, thereby providing a mechanism to improve system performance and efficiency by monitoring containerized code execution within user-space constraints.
Response to Arguments
31.	Applicant’s arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
32.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
33.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM C WOOD whose telephone number is (571)272-5285. The examiner can normally be reached Monday - Friday, 8:00 am - 4:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat C Do can be reached on 571-272-3721. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/WILLIAM C WOOD/Examiner, Art Unit 2193                                                                                                                                                                                                        

/Chat C Do/Supervisory Patent Examiner, Art Unit 2193