Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION
Claims 1-16 are pending in the instant application.

Priority
Examiner acknowledges Applicant’s claim to priority benefits of Japanese Application JP2019-119373 filed on 06/27/2019.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 06/23/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered if signed and initialed by the Examiner.

Claim Rejections - 35 USC § 101
Claims 1-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
The language of claims 1-14 raises a question as to whether the claims are directed merely to an abstract idea that is not tied to a technological art, environment or machine which would result in a practical application producing a concrete, useful, and tangible result to form the basis of statutory subject matter under 35 U.S.C. 101.
The applicant claims “a data acquisition unit”, “a data transmission unit”, “an inspection unit”, “container management unit”, and “a route setting unit” but does not define within the body of the claim the hardware on which the invention runs. Thus, absent recitation of the server or some other hardware, claims 1-14 are not limited to a tangible embodiment, instead being sufficiently broad to encompass software, per se.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 


Claims 1-16 are rejected under 35 U.S.C. 103 as being unpatentable over Chou et al., “hereinafter Chou” (U.S. patent application: 20180115586) in view of Cooper et al., “hereinafter Cooper” (U.S. patent application: 20140115578).

As per Claim 1, Chou discloses an information processing apparatus that executes inspection with regard to one or more security inspection (Chou, Para.5, techniques for seamlessly updating a cloud-based security service), the information processing apparatus comprising: 
a plurality of containers which are container-type virtual terminals, where resources including a file system provided by an operating system of the information processing apparatus are isolated from each other (Chou, Para.10, Multiple docker containers execute as multi-tasking microservices within the dispatcher VM that execute in isolation of each other but can use operating system kernel resources to communicate with each other. Each docker container is provided with an abstraction of its own process space and interfaces. Because the financial cost of cloud-based services is directly proportional to the number of VMs used, executing microservices using dockers reduces the number of VMs needed to provide the cloud-based security service and hence reduces the financial cost of providing the cloud-based security service, Para.108, some or all aspects of receiving mechanism 806, storage management mechanism 808, and/or a filesystem device driver can be implemented as dedicated hardware modules in computing device 800.); 
(Chou, Para.05, This dispatcher VM manages the flow of network traffic through an initial chain of two or more security service VMs that execute in the cloud data center and analyze the contents of network traffic to and from the clients. During operation, the dispatcher VM determines that an existing security service VM in the initial chain needs to be upgraded to an updated version, and instantiates in the cloud data center an updated chain of security service VMs that includes the updated version of the security service VM.); and 
a data transmission unit that transmits the data to the destination, wherein part of the plurality of containers is an inspection container where an application for executing the inspection has been implemented (Chou, Para.62, client 204 is attempting to access an external (to the enterprise) web page, and the security service is a stateful inspection firewall and anti-virus service that inspects outgoing and incoming enterprise traffic. In this context, the URL request is forwarded by wan router 202 through dispatcher VM 212, where the request is routed to the traffic-ingesting dock processes, decrypted, routed by session router 230 to security service VM 240, adjusted by SNAT 232 so that reply traffic returns to SNAT 232, and then sent on to the outside world 250 (specifically, to the website associated with the URL request). This website then sends the content associated with the URL back to the adjusted return address (SNAT 232), and this content is then checked via the reverse path through the system, as illustrated in FIG. 2B.); and 
 the inspection container includes an inspection unit that executes the inspection with regard to the data that has been acquired (Chou, Para.15, the initial chain of security service VMs is configured to route the output of each security service VM to a distinct instance of a session router that then routes that output on to the next security service VM in the chain. An initial session router docker container routes the network request to the first security service VM in the chain, and then each successive security service VM performs a specific analysis upon the network request and sends its outputs to its respective output session router docker container which then forwards that output on to the next security service VM in the chain. The last security service VM in the chain forwards the analyzed and permitted network request to an SNAT docker container. Using multiple distinct session router docker containers to route traffic through the chain of security service VMs uses more session router docker containers and hence more resources in the dispatcher VM but reduces disruption in the chain if any individual security service needs to be updated by allowing security service VMs to be updated, replicated, or replaced individually as needed.).
However, Chou does not explicitly disclose one or more security inspection items.
Cooper discloses one or more security inspection items (Cooper, Para., a virtual security appliance in a virtual server of a virtual network infrastructure to determine a utilization rate of the virtual security appliance, sending a request to a cloud manager to increase computing resources for the virtual security appliance if the utilization rate is above an upper threshold amount, and sending a request to the cloud manager to decrease computing resources for the virtual security appliance if the utilization rate is below a lower threshold amount. In the method, network packets associated with one or more virtual machines in the virtual server are routed to the virtual security appliance. In more specific embodiments, the network packets are intercepted prior to being routed to the virtual security appliance.).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Chou with the teachings as in Cooper. The motivation would be detecting a change for a virtual machine in a virtual server of a virtual network infrastructure, determining whether a virtual security appliance is configured in the virtual server, and sending a request to create the virtual security appliance in the virtual server. The method further includes allowing the virtual machine to initiate when the virtual security appliance is created in the virtual machine (Cooper, abs).

Claims 15 and 16 are substantially similar to Claim 1 and are rejected in the same manner, the same art and reasoning applying.

As per Claim 2, Chou in view of Cooper discloses the information processing apparatus according to claim 1, wherein the inspection container is constructed for each of the security inspection items (Chou, Para.05, This dispatcher VM manages the flow of network traffic through an initial chain of two or more security service VMs that execute in the cloud data center and analyze the contents of network traffic to and from the clients. During operation, the dispatcher VM determines that an existing security service VM in the initial chain needs to be upgraded to an updated version, and instantiates in the cloud data center an updated chain of security service VMs that includes the updated version of the security service VM. The dispatcher VM then seamlessly transfers the flow of network traffic from the initial chain to the updated chain to update the cloud-based security service without interrupting the operation of the cloud-based security service. Upon determining that the updated version of the security service VM is operating correctly, the dispatcher VM halts and deallocates the previous security service VM as well as any unneeded portions of the initial chain.).

As per Claim 3, Chou in view of Cooper discloses the information processing apparatus according to claim 2, further comprising: A route setting unit that decides a transfer route for the data to be transferred to the data transmission unit through an inspection container corresponding to each inspection, such that one or more inspections necessary for the data are executed, wherein, in conjunction with updating of the application, the route setting unit sets an inspection container which is not running and in which the application after updating has been implemented, constructed separately from an inspection container being used on the transfer route and in which the application before updating has been implemented, as an inspection container to be used on the transfer route of the data (Chou, Para.15, the initial chain of security service VMs is configured to route the output of each security service VM to a distinct instance of a session router that then routes that output on to the next security service VM in the chain. An initial session router docker container routes the network request to the first security service VM in the chain, and then each successive security service VM performs a specific analysis upon the network request and sends its outputs to its respective output session router docker container which then forwards that output on to the next security service VM in the chain. The last security service VM in the chain forwards the analyzed and permitted network request to an SNAT docker container. Using multiple distinct session router docker containers to route traffic through the chain of security service VMs uses more session router docker containers and hence more resources in the dispatcher VM but reduces disruption in the chain if any individual security service needs to be updated by allowing security service VMs to be updated, replicated, or replaced individually as needed.).

As per Claim 4, Chou in view of Cooper discloses the information processing apparatus according to claim 3, further comprising: a container management unit that performs updating processing with regard to the application, wherein a plurality of the inspection containers are constructed for each of the security (Chou, Para.18, the chain of security services includes one or more of a firewall service; an anti-virus service; an anti-malware service; an internet protocol filtering service; an intrusion detection service; a unified threat management service; a spam detection service; a packet filtering service; an application-specific analysis service; a data loss prevention service; and a traffic flow analysis service., Para.68, The cloud service provider automatically keeps this provided infrastructure up-to-date (e.g., applying infrastructure application updates as they become available), thereby reducing some of the maintenance overhead for the client/site using the service. In-cloud platform services can also allow for more efficient collaboration across multiple sites (e.g., serving as a central point of collaboration for multiple distributed sites)., Para.87, This dispatcher VM manages the flow of network traffic through an initial chain of two or more security service VMs that execute in the cloud data center and analyze the contents of network traffic to and from the clients. During operation, the dispatcher VM determines that an existing security service VM in the initial chain needs to be upgraded to an updated version (operation 1010), and instantiates in the cloud data center an updated chain of security service VMs that includes the updated version of the security service VM (operation 1020).).

As per Claim 5, Chou in view of Cooper discloses the information processing apparatus according to claim 3, wherein each of the plurality of containers is a virtual terminal, where network resources provided by the operating system of the information processing apparatus are isolated from each other, and wherein the inspection container that is not running is an inspection container not being used on the transfer route of the data (Chou, Para.10, Multiple docker containers execute as multi-tasking microservices within the dispatcher VM that execute in isolation of each other but can use operating system kernel resources to communicate with each other. Each docker container is provided with an abstraction of its own process space and interfaces. Because the financial cost of cloud-based services is directly proportional to the number of VMs used, executing microservices using dockers reduces the number of VMs needed to provide the cloud-based security service and hence reduces the financial cost of providing the cloud-based security service, Para.11, the initial chain of one or more security service VMs comprises multiple security services each of which executes in its own separate VM. The security service VMs are chained together such that the network request is serially processed by each security service in the chain in a specified order.).


As per Claim 6, Chou in view of Cooper discloses the information processing apparatus according to claim 4, wherein the inspection container further includes an updating unit that receives the update request and updates the application, and wherein the route setting unit sets the inspection container in which the application updated by the updating unit has been implemented as the inspection container to be used on the transfer route of the data (Chou, Para.18, the chain of security services includes one or more of a firewall service; an anti-virus service; an anti-malware service; an internet protocol filtering service; an intrusion detection service; a unified threat management service; a spam detection service; a packet filtering service; an application-specific analysis service; a data loss prevention service; and a traffic flow analysis service., Para.68, The cloud service provider automatically keeps this provided infrastructure up-to-date (e.g., applying infrastructure application updates as they become available), thereby reducing some of the maintenance overhead for the client/site using the service. In-cloud platform services can also allow for more efficient collaboration across multiple sites (e.g., serving as a central point of collaboration for multiple distributed sites)., Para.87, This dispatcher VM manages the flow of network traffic through an initial chain of two or more security service VMs that execute in the cloud data center and analyze the contents of network traffic to and from the clients. During operation, the dispatcher VM determines that an existing security service VM in the initial chain needs to be upgraded to an updated version (operation 1010), and instantiates in the cloud data center an updated chain of security service VMs that includes the updated version of the security service VM (operation 1020).).


(Chou, Para.73, Stored traffic 280 can then be re-analyzed at subsequent times, for instance when new or updated versions of security services become available, to determine if there were any previous intrusions or attacks that were not detected at the time they were originally sent. While such capabilities do not undo the effects of previous attacks, the knowledge that such attacks did happen, knowledge of what (if anything) was compromised, and any preserved information (e.g., source of the traffic, and the specific type of attack, etc.) may still be beneficial in determining a subsequent course of action, Para.76, FIG. 3A illustrates an architecture in which the dispatcher VM 312 routes traffic through multiple security services 340-348 that are directly chained together; when instantiating security services 340-348, session router 230 and/or other processes executing in dispatcher VM 312 configure the routes in each security service VM so that they send traffic that they have processed on to the next VM in the chain (for the direction that the traffic is traveling) and then on to session router 230 or SNAT 232 (based on the direction that the traffic is traveling). Routing traffic directly between VMs is more efficient, but also means that the entire chain has to be serviced (and/or restarted/reconfigured) as a single unit if any of the individual security services need to be upgraded ).

As per Claim 8, Chou in view of Cooper discloses the information processing apparatus according to claim 7, wherein each of the plurality of containers is a virtual terminal, where network resources provided by the operating system of the information processing apparatus are isolated from each other; the inspection container that is not running is an inspection container not being used on the transfer route of the data; and the route setting unit sets the inspection container in which the application after updating has been implemented as the inspection container to be used on the transfer route of the data (Chou, Para.17, the updated security service VM executes in parallel with the original security service VM and receives and outputs network traffic to the same pair of session router docker containers as the original security service. Isolating security service VMs in the initial chain between session routers facilitates instantiating the updated chain without having to instantiate duplicate instances of any of the other security service VMs in the initial chain, thereby reducing the number of additional VMs needed for the cloud-based security service during updates, Para.59, Allowing independent containers to run within a single virtual machine avoids the cost and overhead of starting and maintaining multiple virtual machines. Note that such docker containers run in isolation and leverage operating system kernel resources to communicate; containers can be provisioned and provided with an abstraction of their own process space and interfaces, and can be constrained to use a specific defined amount of resources (e.g., CPU, memory, and network or other I/O bandwidth).  ).

As per Claim 9, Chou in view of Cooper discloses the information processing apparatus according to claim 3, wherein, with regard to the data relating to an already-established connection when updating the application, the route setting unit sets the transfer route to continue to use the existing transfer route passing through the inspection container where the application before updating has been implemented and which is in use in the already-established connection, for a certain period (Chou, Para.09, the previous version of the security service VM executes using an original license and the updated version is executed using a temporary license. After the previous version has been deallocated, the original license is free. At this point, the dispatcher VM can execute a second instance of the updated version of the security service VM using the original license. Upon determining that the second instance is executing correctly, the dispatcher VM drains all of the network traffic from the updated version to the second instance, deallocates the updated version, and frees the temporary license, Para.86, upgrading security services may involve some additional steps to accommodate licensing requirements. For example, an original version of a service that is being upgraded may be associated with a license. In this case, an upgraded version of the service may be instantiated in a second instance using a temporary license, for testing and upgrade purposes. After the upgraded version has been validated, traffic can be transferred to the upgraded version, the original version can be drained and stopped, and then a third instance can be instantiated using the initial (now available) license. Traffic flows can then be smoothly transferred over to this third instance in the same way. ).

As per Claim 10, Chou in view of Cooper discloses the information processing apparatus according to claim 1, wherein the plurality of containers further include a database container provided with an inspection condition database, where an inspection condition regarding security is stored; the database container includes a determination unit that determines whether or not a part of data that is an object of inspection matches the inspection condition, and the inspection unit executes the inspection by commissioning the database container to perform determination by the determination unit (Chou, Para.05, This dispatcher VM manages the flow of network traffic through an initial chain of two or more security service VMs that execute in the cloud data center and analyze the contents of network traffic to and from the clients. During operation, the dispatcher VM determines that an existing security service VM in the initial chain needs to be upgraded to an updated version, and instantiates in the cloud data center an updated chain of security service VMs that includes the updated version of the security service VM. The dispatcher VM then seamlessly transfers the flow of network traffic from the initial chain to the updated chain to update the cloud-based security service without interrupting the operation of the cloud-based security service. Upon determining that the updated version of the security service VM is operating correctly, the dispatcher VM halts and deallocates the previous security service VM as well as any unneeded portions of the initial chain.).

As per Claim 11, Chou in view of Cooper discloses the information processing apparatus according to claim 10, wherein the inspection unit determines whether or not transfer to the destination is permissible, on the basis of a result of determination by the determination unit (Chou, Para.87, the dispatcher VM determines that an existing security service VM in the initial chain needs to be upgraded to an updated version (operation 1010), and instantiates in the cloud data center an updated chain of security service VMs that includes the updated version of the security service VM (operation 1020). The dispatcher VM then seamlessly transfers the flow of network traffic from the initial chain to the updated chain to update the cloud-based security service without interrupting the operation of the cloud-based security service (operation 1030). Upon determining that the updated version of the security service VM is operating correctly, the dispatcher VM halts and deallocates the existing security service VM as well as any unneeded portions of the initial chain (operation 1040).).

As per Claim 12, Chou in view of Cooper discloses the information processing apparatus according to claim 2, further comprising: a route setting unit that decides, for each user terminal that is a transmission source or destination of the data, a transfer route for the data to be transferred to the data transmission unit through the inspection container corresponding to each inspection, such that one or more inspections necessary for the user terminal are executed (Chou, Para.16, the session router docker container determines that the amount of network traffic being sent through the chain of security service VMs exceeds the processing capacity of one or more of the security service VMs in the chain, and instantiates additional instances of the specific security service VMs that are overloaded. The individual session routers that bracket multiple instances of a security service VM then load balance across the multiple instances of the security service VM to increase the traffic processing capabilities of the cloud-based security service, Para.18, the chain of security services includes one or more of a firewall service; an anti-virus service; an anti-malware service; an internet protocol filtering service; an intrusion detection service; a unified threat management service; a spam detection service; a packet filtering service; an application-specific analysis service; a data loss prevention service; and a traffic flow analysis service.  ).

As per Claim 13, Chou in view of Cooper discloses the information processing apparatus according to claim 12, further comprising: a contract information setting unit that sets contract information indicating the one or more inspections that the user terminal requires, wherein the route setting unit decides the transfer route on the basis of the contract information that is set (Chou, Para.63, router 202 may be configured to only accept traffic from specific trusted sources such as cloud system hardware 210 and/or only accept traffic that has been secured using credentials and/or protocols that are associated with remote sites that are known to implement the desired security stack. Note also that the source IP address, the destination IP address, and other identifying information that are associated with the network request may be retained throughout the flow of traffic through the dispatcher and security service(s), to ensure that the system can identify and properly route both incoming and outgoing traffic correctly.).

As per Claim 14, Chou in view of Cooper discloses the information processing apparatus according to claim 12, further comprising: a routing table where a next transfer destination of the data is stored, wherein the inspection container further includes a container routing table where a next transfer destination of the data is stored; and the route setting unit sets the transfer route decided regarding the user terminal in the routing table and the container routing table (Chou, Para.77, the dispatcher VM 314 configures each security service VM (340-348) in the chain to output traffic flows to an intermediate session router (e.g., session routers 332-338)., Para.61, Dispatcher VM 212 comprises a set of docker containers (220-232) that route and manage traffic flows through a security service VM 240. More specifically, proxy 220 and proxy 222 (e.g., NGINX proxies) provide common front ends that receive traffic and further forward incoming traffic to traffic-ingesting docker processes, such as SOCKS docker 224 or IPSEC docker 226, which handle packets that use the SOCKS or IPSec security protocols, respectively; note that the disclosed techniques can incorporate a range of security protocols, and that additional dockers can be instantiated to handle any desired packet security protocol. These traffic-ingesting docker process (e.g., decrypt and/or otherwise unpack) the incoming packets and forward them to session router 230, which routes the traffic to a security service VM 240 that then performs the desired analysis upon the packets).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NORMIN ABEDIN whose telephone number is (571)270-5970. The examiner can normally be reached Monday to Friday from 10 am to 6 pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava, can be reached on 5712727304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NORMIN ABEDIN/Primary Examiner, Art Unit 2449