DETAILED ACTION
	Claims 1-15 are presented on 10/10/2019 for examination on merits.  Claims 1, 8, and 9 are independent base claims.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding to the claims in response the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Set #1.

Claim Objections
Claims 1, 8, and 9 are objected to because of the following informalities:
Claims 1, 8 and 9 each recite a limitation “operation of the serverless function” (in singular form) to be monitored in the generating step.  When compared to the limitation “defines allowable operations for the serverless function,” it appears that there should have been a plurality of operations of the serverless function to be monitored in the generating step for consistency reasons.  Even if there is a particular operation of the serverless function, the claims should specify a particular operation of the serverless function.  The Examienr suggests amending the limitation to “one or more operations of the serverless function.” Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 2-3 and 10-11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claims 2 and 10 each recite the limitation "a plurality of sets of policies" followed by a second instance of “sets of policies” in the same generating process.  There is insufficient antecedent basis for the second instance of “sets of policies” in the respective claims.  The Examiner suggests amending second instance of “sets of policies” to “the plurality of sets of policies.”
Claims 3 and 11 are also rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph because they depend from the rejected claims 2 and 10, respectively.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-4 and 8-12 are rejected under 35 U.S.C. 103 as being unpatentable over Shulman (US 20190007458 A1) in view of Pearce (US 10983901 B1).

As per claim 1, Shulman teaches a method for protecting against flow manipulation of serverless functions, comprising: 
creating a profile for a serverless function, wherein the profile is created as an empty profile (Shulman, par. 0018 and 0031: an account with service policy, which inherently created Shulman also discloses an account profile or the equivalent; par. 0030-0032: stored results from previous scans are used … to identify a strict set of security permissions required by the serverless function); 
updating the profile based on the plurality of policies to create a final profile, wherein the final profile includes at least one of the plurality of policies (Shulman, par. 0084 and 0102-0104: the policy is compiled according to the rules of the policy… Each least-privileged role defines a list of policies that grant least privilege permissions to a specific resource with the minimum required actions. A role may include two separate policies.  Here Shulman’s security policy is mapped to the final policy, which is compiled according to the rules); 
monitoring operation of the serverless function to detect at least one violation of the profile, wherein the at least one violation includes a deviation from the allowable operations (Shulman, par. 0013-0016 and 0052-0053: identify a strict set of security permissions required by the serverless function; comparing security permissions granted to the serverless function with the strict set of security permissions.  The violation is overly privileged permissions); and 
performing at least one mitigation action when the at least one violation of the profile is detected (Shulman, par. 0021 and 0053: generating an alert … and preventing building or deployment of the serverless function).
While Shulman discloses generating a security policy, the security policy including the strict set of security permissions (par. 0014), Shulman does not explicitly disclose generating a plurality of policies based on a plurality of log entries, which are recorded during monitoring of operation of the serverless function; 
generating a plurality of policies based on a plurality of log entries, wherein the plurality of policies defines allowable operations for the serverless function, wherein the plurality of log entries is recorded during monitoring of operation of the serverless function (Pearce, col. 11, lines 24-35: analyze log data 128 generated by the serverless application 106 for log data Pearce discloses generates log data that is collected by a logging service 120, which is configured with one or more rules that are used to analyze log data 128 generated by the serverless application 106 for log data entries indicating runtime errors; col. 11, lines 18-28); 
Shulman and Pearce are analogous art, because they are in a similar field of endeavor in improving the protection of serverless functions.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Pearce’s log to modify Shulman to associate policies to the log for detecting the violation of allowable operations.  For this combination, the motivation would have been to improve the level of security with log records that are created with policies.

As per claim 2, the references as combined above teach the method of claim 1, wherein generating the plurality of policies further comprises: 
iteratively generating a plurality of sets of policies, wherein the final profile is created when a threshold number of iterations of sets of policies have been generated, wherein the final profile is created based on the last generated set of policies (Shulman, par. 0086: In preferred embodiments, there is provided a threshold according to which it is determined whether the actual security permissions are overly privileged relative to the strict set of security permissions. If the security permissions are less strict (i.e. more privileged) than the identified strict set by the threshold value then the security permissions are not overly privileged).

As per claim 3, the references as combined above teach the method of claim 2, wherein iteratively generating the plurality of sets of policies includes generalizing at least one of Shulman, par. 0084: a list of policies that grant least privilege permissions to a specific resource with the minimum required actions. The policy may include a definition to allow, deny, or restrict an action on a resource. In an example embodiment, the policy is compiled according to the rules of the policy language required by the cloud provider. Note that the complied policy is a generalized one from the list).

As per claim 4, the references as combined above teach the method of claim 1, wherein the serverless function is configured to execute at least one sub-process, wherein the final profile defines at least one allowable operation of the at least one sub-process (Shulman, par. 0084: The policy may include a definition to allow… an action on a resource).

As per claim 8, Shulman teaches a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: 
creating a profile for a serverless function, wherein the profile is created as an empty profile (Shulman, par. 0018 and 0031: an account with service policy, which inherently created for a serverless function in the cloud for a cloud-hosted applications of the client; see also par. 0028 and 0031. Shulman also discloses an account profile or the equivalent; par. 0030-0032: stored results from previous scans are used … to identify a strict set of security permissions required by the serverless function); 
updating the profile based on the plurality of policies to create a final profile, wherein the final profile includes at least one of the plurality of policies (Shulman, par. 0084 and 0102-0104: the policy is compiled according to the rules of the policy… Each least-privileged role defines a list of policies that grant least privilege permissions to a specific resource with the minimum required actions. A role may include two separate policies.  Here Shulman’s security policy is mapped to the final policy, which is compiled according to the rules); 
Shulman, par. 0013-0016 and 0052-0053: identify a strict set of security permissions required by the serverless function; comparing security permissions granted to the serverless function with the strict set of security permissions.  The violation is overly privileged permissions); and 
performing at least one mitigation action when the at least one violation of the profile is detected (Shulman, par. 0021 and 0053: generating an alert … and preventing building or deployment of the serverless function).
While Shulman discloses generating a security policy, the security policy including the strict set of security permissions (par. 0014), Shulman does not explicitly disclose generating a plurality of policies based on a plurality of log entries, which are recorded during monitoring of operation of the serverless function; 
generating a plurality of policies based on a plurality of log entries, wherein the plurality of policies defines allowable operations for the serverless function, wherein the plurality of log entries is recorded during monitoring of operation of the serverless function (Pearce, col. 11, lines 24-35: analyze log data 128 generated by the serverless application 106 for log data entries indicating runtime errors and, in response to identifying such log data, the rules cause the logging service 120 to generate an event message or other notification that is obtained by the serverless monitor application 110; log data entries indicating that the runtime error occurred. In an embodiment, the serverless monitor application 110 can verify that the identified runtime error.  Pearce discloses generates log data that is collected by a logging service 120, which is configured with one or more rules that are used to analyze log data 128 generated by the serverless application 106 for log data entries indicating runtime errors; col. 11, lines 18-28); 
Shulman and Pearce are analogous art, because they are in a similar field of endeavor in improving the protection of serverless functions.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them Pearce’s log to modify Shulman to associate policies to the log for detecting the violation of allowable operations.  For this combination, the motivation would have been to improve the level of security with log records that are created with policies.

As per claim 9, Shulman teaches a system for protecting against flow manipulation of serverless functions, comprising: 
a processing circuitry (Shulman, par. 0106-0107: a processing circuitry 410); and 
a memory, the memory containing instructions that, when executed by the processing circuitry (Shulman, par. 0108-0109: the memory 420 … storing the instructions, when executed by the one or more processors, cause the processing circuitry 410 to perform the various processes described herein), configure the system to: 
create a profile for a serverless function, wherein the profile is created as an empty profile (Shulman, par. 0018 and 0031: an account with service policy, which inherently created for a serverless function in the cloud for a cloud-hosted applications of the client; see also par. 0028 and 0031. Shulman also discloses an account profile or the equivalent; par. 0030-0032: stored results from previous scans are used … to identify a strict set of security permissions required by the serverless function); 
update the profile based on the plurality of policies to create a final profile, wherein the final profile includes at least one of the plurality of policies (Shulman, par. 0084 and 0102-0104: the policy is compiled according to the rules of the policy… Each least-privileged role defines a list of policies that grant least privilege permissions to a specific resource with the minimum required actions. A role may include two separate policies.  Here Shulman’s security policy is mapped to the final policy, which is compiled according to the rules);
monitor operation of the serverless function to detect at least one violation of the profile, wherein the at least one violation includes a deviation from the allowable operations (Shulman, par. 0013-0016 and 0052-0053: identify a strict set of security permissions required by the 
perform at least one mitigation action when the at least one violation of the profile is detected (Shulman, par. 0021 and 0053: generating an alert … and preventing building or deployment of the serverless function).

While Shulman discloses generating a security policy, the security policy including the strict set of security permissions (par. 0014), Shulman does not explicitly disclose generating a plurality of policies based on a plurality of log entries, which are recorded during monitoring of operation of the serverless function; 
generate a plurality of policies based on a plurality of log entries, wherein the plurality of policies defines allowable operations for the serverless function, wherein the plurality of log entries is recorded during monitoring of operation of the serverless function (Pearce, col. 11, lines 24-35: analyze log data 128 generated by the serverless application 106 for log data entries indicating runtime errors and, in response to identifying such log data, the rules cause the logging service 120 to generate an event message or other notification that is obtained by the serverless monitor application 110; log data entries indicating that the runtime error occurred. In an embodiment, the serverless monitor application 110 can verify that the identified runtime error.  Pearce discloses generates log data that is collected by a logging service 120, which is configured with one or more rules that are used to analyze log data 128 generated by the serverless application 106 for log data entries indicating runtime errors; col. 11, lines 18-28); 
Shulman and Pearce are analogous art, because they are in a similar field of endeavor in improving the protection of serverless functions.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Pearce’s log to modify Shulman to associate policies to the log for detecting the 

Regarding claims 10-12, they are rejected for the same reasons as those of claims 2-4.
Claim 10 is directed to the system of claim 9, reciting the same limitations as claim 2. Therefore, claim 10 is rejected the same as claim 2.

Claim 11 is directed to the system of claim 10, reciting the same limitations as claim 3. Therefore, claim 11 is rejected the same as claim 3.

Claim 12 is directed to the system of claim 9, reciting the same limitations as claim 4. Therefore, claim 12 is rejected the same as claim 4.


Allowable Subject Matter
Claim 5-7 and 13-15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The claims 5 and 13 each recite a limitation “the final profile is created based further on at least one user input with respect to the plurality of log entries”.  This limitation, in combination with the other limitations in the claims 1 and 9, respectively, is not anticipated by, nor made obvious over the prior art of record.  Claims 6-7 and 14-15 are allowable by virtue of their dependency from the claims 5 and 13, respectively.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        11/24/2021