Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Remarks
	Applicant’s amendment dated December 2, 2021, responding to the September 13, 2021 Office Action, which set forth the rejection of claims 1-20, has been received; claims 5 and 15 have been canceled. Claims 1-4, 6-14, and 16-20 remain pending in the application and have been fully considered by the examiner.
Applicant’s arguments, December 2, 2021, with respect to the rejection of claims 1-20 under 35 U.S.C. 103 have been fully considered and are persuasive.  However, upon further consideration, a new ground(s) of rejection is made in view of McCormick and Finn, II et al. (US 2020/0296007). Please see below for details.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-4, 6-14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over McCormick et al. (US 2020/0067801), hereinafter “McCormick”, in view of Finn, II et al. (US 2020/0296007), hereinafter “Finn”.
Claim 1
McCormick teaches a method of generating or maintaining a firewall rule of a firewall of a computer system, the computer system comprising a plurality of containers executing on one or more operating systems, the method comprising: 
collecting flow information of packets sent between containers of the plurality of containers [i.e. a traffic control and monitoring module is configured to control and monitor traffic flows to and from a plurality of containers in container namespaces and reports the detected traffic flows to a traffic flow reporting module], wherein the flow information comprises information that is associated with the plurality of containers [i.e. the detected traffic flows comprise workload identifiers for the different containers] (McCormick, abstract, 0011, 0027, 0031, 0034-0035); 
determining whether the first service communicated with the second service (McCormick, figures 1-2; 0015-0016); and 
based on the determining, generating or maintaining a rule for the firewall to block or allow transmission of packets between the first service and the second service, wherein whether the rule is to block or allow transmission is based on whether the first service and the second 
McCormick fails to teach the flow information comprises a source Internet Protocol (IP) address, a source port number, a destination IP address, and a destination port number, wherein the source IP address, the source port number, the destination IP number, and the destination port number are associated with at least a first service and a second service, wherein the first service is associated with a first container and the second service is associated with a second container, and wherein the collecting occurs during a period of time; obtaining an association between the flow information and the first and second services from a container orchestrator of the first and second containers, wherein the associating comprises associating the source IP address and source port number with the first service, and associating the destination IP address and the destination port number with the second service; based on the association, generating a service communication graph mapping communication between the first service and the second service during the period of time; and the first and/or second service is determined based on the service communication graph.
However, in an analogous art, Finn teaches the flow information comprises a source Internet Protocol (IP) address, a source port number, a destination IP address, and a destination port number, wherein the source IP address, the source port number, the destination IP number, and the destination port number are associated with at least a first service and a second service, 
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Schafer to include the teachings of Finn of the flow information comprises a source Internet Protocol (IP) address, a source port number, a destination IP address, and a destination port number, wherein the source IP address, the source port number, the destination IP number, and the destination port number are associated with at least a first service and a second service, wherein the first service is 


Claim 2
McCormick in combination with Finn teach the method of claim 1, wherein the rule is to allow the transmission, and wherein, based on the rule, the firewall only allows transmission of a packet between the first service and the second service [i.e. the segmentation policy is set forth using permission rules that specify the communications that are permitted] (McCormick, 0015, 0027) if the packet comprises a port number associated with the first service or the second service (Finn, 0015, 0057, 0059).  Motivation to combine provided with reference to claim 1.

Claim 3
McCormick in combination with Finn teach the method of claim 1, wherein the first service is further associated with a third container [i.e. a segmentation policy may include a rule specifying that a workload 138-1 operating on an OS instance 130-1, which includes a plurality 

Claim 4
McCormick in combination with Finn teach the method of claim 3, the method further comprising, during the collecting: 
running the first service from the first container, the first container being associated with a first container identifier [i.e. a workload identifier associated with the first container] (McCormick, 0011, 0027, 0034-0035); 
deleting the first container [i.e. the container orchestration module may remove container(s) from the OS instance 130] (McCormick, 0035); and 
instantiating the third container and launching the first service from the third container, the third container being associated with a second container identifier [i.e. the container orchestration module may control containers in a manner that terminate a particular container when it is not being used and later instantiate/re-instantiate a container configured to perform essentially the same function as the original workload] (McCormick, 0002, 0044).  

Claim 6
McCormick in combination with Finn teach the method of claim 1, wherein the first container is executing within a virtual machine, and wherein the one or more operating systems include a guest operating system of the virtual machine [i.e. the first workload identifier associated with first container from which the first OS instance, which provide a first service, 

Claim 7
McCormick in combination with Finn teach the method of claim 1, wherein the first container is instantiated from a container image, and wherein the container image comprises the first service’s executable code, system tools, configurations, settings, system libraries, and file system (McCormick, 0035-0036).  

Claim 8
McCormick in combination with Finn teach the method of claim 1, wherein the containers of the plurality of containers are executing on a plurality of host machines [i.e. the containers executing on the OS instance 130, which executes on one or more computing devices], and wherein collecting the flow information comprises extracting the flow information from the packets by a device [i.e. Admin client 160] located outside of the plurality of host machines [i.e. the Admin client executes an interface to obtain/extract various information about OS instances, workloads on the network, and traffic flows between the workloads] (McCormick, 0014, 0023, 0045).  

Claim 9
McCormick in combination with Finn teach the method of claim 1, the method further comprising:

processing the packet to extract packet attributes [i.e. processing and controlling the monitored/collected traffic flows of containers] (McCormick, 0040); 
comparing the packet attributes to the rule; and based on the comparing, allowing or blocking transmission of the packet [i.e. using the rules that specify the communications that are permitted or blocked based on the monitored and collected information of the traffic flows. For instance, the rules specify whether certain workloads are allowed to provide service to or receive service from other workloads, and may place restrictions on how those workloads are allowed to communicate when providing or consuming the services] (McCormick, 0015, 0037, 0045).  

Claim 10
McCormick in combination with Finn teach the method of claim 1, wherein the determining whether the first service communicated with the second service comprises: determining that the first service did not communicate with the second service, and maintaining the rule, wherein the rule is a pre-generated default rule [i.e. determining a container, associated with a service, when it is not being used] (McCormick, 0002, 0021, 0044); and during the period of time [i.e. the inventory monitor can periodically take snapshots of network devices, other elements of the network, and the flow monitor can detect, analyze the flow data, compliant or non-compliant traffic, etc.] (Finn, 0002, 0015, 0057, 0059). Motivation to combine provided with reference to claim 1.

Claim 20
McCormick teaches a computer system comprising:
a firewall (McCormick, 0003, 0011); 
a plurality of containers [i.e. containers 224-1 – 224-N] executing on one or more operating systems [OS instance 130-1 – 130-N] (McCormick, figure 2); and 
at least one hardware processor, wherein the at least one hardware processor is configured to (McCormick, 0011, 0015, 0048): 
collect flow information of packets sent between containers of the plurality of containers [i.e. a traffic control and monitoring module is configured to control and monitor traffic flows to and from a plurality of containers in container namespaces and reports the detected traffic flows to a traffic flow reporting module], wherein the flow information comprises information that is associated with the plurality of containers [i.e. the detected traffic flows comprise workload identifiers for the different containers] (McCormick, abstract, 0011, 0027, 0031, 0034-0035); 
determining whether the first service communicated with the second service (McCormick, figures 1-2; 0015-0016); and 
based on the determining, generating or maintaining a rule for the firewall to block or allow transmission of packets between the first service and the second service, wherein whether the rule is to block or allow transmission is based on whether the first service and the second service communicated [i.e. the traffic control and monitoring module includes a firewall operating in a container namespace to control and monitor traffic flow between containers. The segmentation policy is enforced by blocking any communications that are not expressly permitted by the rules. Thus, by reducing number of permitted connections/communications, the 
McCormick fails to teach the flow information comprises a source Internet Protocol (IP) address, a source port number, a destination IP address, and a destination port number, wherein the source IP address, the source port number, the destination IP number, and the destination port number are associated with at least a first service and a second service, wherein the first service is associated with a first container and the second service is associated with a second container, and wherein the collecting occurs during a period of time; obtaining an association between the flow information and the first and second services from a container orchestrator of the first and second containers, wherein the associating comprises associating the source IP address and source port number with the first service, and associating the destination IP address and the destination port number with the second service; based on the association, generating a service communication graph mapping communication between the first service and the second service during the period of time; and the first and/or second service is determined based on the service communication graph.
However, in an analogous art, Finn teaches the flow information comprises a source Internet Protocol (IP) address, a source port number, a destination IP address, and a destination port number, wherein the source IP address, the source port number, the destination IP number, and the destination port number are associated with at least a first service and a second service, wherein the first service is associated with a first container and the second service is associated with a second container, and wherein the collecting occurs during a period of time [i.e. conventional telemetry can obtain network traffic information such as: source and destination IP addresses, source and destination ports, virtual machines, containers, etc.; and the inventory 
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Schafer to include the teachings of Finn of the flow information comprises a source Internet Protocol (IP) address, a source port number, a destination IP address, and a destination port number, wherein the source IP address, the source port number, the destination IP number, and the destination port number are associated with at least a first service and a second service, wherein the first service is associated with a first container and the second service is associated with a second container, and wherein the collecting occurs during a period of time; obtaining an association between the flow information and the first and second services from a container orchestrator of the first and second containers, wherein the associating comprises associating the source IP address and source port 
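The following is an added illustration, not part of this Office action or of either cited reference, of the procedure recited in claims 1, 2, 9 and 10 above: collected flow records are associated with services through a container orchestrator mapping, a service communication graph is built over a period of time, an allow rule is generated where the graph shows communication (or the pre-generated default rule is maintained where it does not), and packets are then compared against the rules. The service names, addresses, ports, timestamps and the orchestrator mapping are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:                  # one collected flow record
    ts: int                  # seconds since epoch
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed orchestrator view: container IP -> (service, listening port).
# 10.0.1.5 and 10.0.1.9 are two containers backing the same "web" service.
ORCHESTRATOR = {"10.0.1.5": ("web", 8000), "10.0.1.9": ("web", 8000),
                "10.0.2.7": ("api", 8080), "10.0.3.2": ("db", 5432)}

# Constructed flow records; with a collection window of [100, 165), ts 170 is
# excluded, and port 9999 is not the port "db" listens on, so it is ignored.
FLOWS = [Flow(100, "10.0.1.5", 51000, "10.0.2.7", 8080),
         Flow(130, "10.0.1.9", 51010, "10.0.2.7", 8080),
         Flow(160, "10.0.2.7", 52000, "10.0.3.2", 5432),
         Flow(170, "10.0.1.5", 51020, "10.0.3.2", 5432),
         Flow(140, "10.0.1.5", 51030, "10.0.3.2", 9999)]

def associate(flow):
    """Map both endpoints to services; None if an endpoint is unknown to the
    orchestrator or the destination port is not the service's listening port."""
    src, dst = ORCHESTRATOR.get(flow.src_ip), ORCHESTRATOR.get(flow.dst_ip)
    if src is None or dst is None or flow.dst_port != dst[1]:
        return None
    return src[0], dst[0]

def build_graph(flows, start, end):
    """Service communication graph over [start, end): edge (src, dst) -> ports seen."""
    graph = defaultdict(set)
    for f in flows:
        edge = associate(f) if start <= f.ts < end else None
        if edge is not None:
            graph[edge].add(f.dst_port)
    return dict(graph)

def rule_for(graph, first, second, default="block"):
    """Allow first->second on the ports seen if the graph shows they communicated;
    otherwise keep the pre-generated default rule."""
    ports = sorted(graph.get((first, second), ()))
    return {"action": "allow" if ports else default, "src": first, "dst": second, "ports": ports}

def enforce(rules, packet):
    """Compare a packet's attributes to the rules; block unless a rule allows it."""
    edge = associate(packet)
    return "allow" if any(r["action"] == "allow" and (r["src"], r["dst"]) == edge
                          and packet.dst_port in r["ports"] for r in rules) else "block"
```

Because the association is keyed by service rather than by container, the replacement container at 10.0.1.9 contributes to the same "web" edge as 10.0.1.5, which is the situation addressed in claim 4.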

Claims 11-14 and 16-19 do not recite any new limitation beyond those addressed above for claims 1-4 and 6-9. Therefore, claims 11-14 and 16-19 are rejected for similar reasons. 
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Correspondence Information



Any inquiry concerning this communication or earlier communications from the examiner should be directed to MINH CHAU N NGUYEN whose telephone number is (571)272-4242.  The examiner can normally be reached on M-F 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, TONIA DOLLINGER can be reached on (571)272-4170.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/MINH CHAU NGUYEN/Primary Examiner, Art Unit 2459