DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given by Jay Anderson on March 10, 2022.
The application has been amended as follows: 
In the claims:
1. (Currently amended) A device comprising: 
	a processing system including a processor; and 
	a memory storing executable instructions that, when executed by the processing system, facilitate performance of operations comprising: 
	determining that a first virtual machine (VM) has a malfunction; 
	obtaining, at a first period, logs of data traffic at the first VM, wherein the data traffic to the first VM at the first period passes through a first VM shell; 
	assigning the data traffic to a plurality of groups of data traffic; 

	generating a second VM shell, wherein the second VM shell is an interface to the plurality of sub VMs, wherein second data traffic at a second period passes through the second VM shell before being directed to each respective sub VM; 
	redirecting data traffic for the first VM shell and the first VM to the second VM shell and the plurality of sub VMs, wherein each sub VM receives incoming data traffic associated with its respective assigned group;
	evaluating the second data traffic to determine a confidence score for each of the plurality of sub VMs indicating a likelihood that a portion of the second data traffic associated with a respective sub VM has not caused the malfunction;
	 in accordance with the evaluating, consolidating the sub VMs  into a single sub VM; 
	subsequent to the consolidating based on data traffic associated with sub VMs having a confidence score that does not meet ; and 
	restricting the sub VMs having a confidence score that does not meet the first threshold confidence level in accordance with a predetermined restriction policy, the restricting including at least one of: limiting access to one or more predefined folders or prohibiting requests for executing one or more predefined commands.



3. (Previously Presented) The device of claim 1, wherein the first threshold confidence level corresponds to a 90% likelihood.

4. (Previously Presented) The device of claim 1, wherein the data traffic causing the malfunction is identified based on the confidence score for that data traffic being less than a second threshold confidence level.

5. (Previously Presented) The device of claim 1, wherein the assigning of the data traffic to the plurality of groups of data traffic is based on a monitored behavior, the monitored behavior comprising an average number of processes engaged of the data traffic at the first period.

6. (Previously Presented) The device of claim 1, wherein the assigning of the data traffic to the plurality of groups of data traffic is based on monitored behavior, the monitored behavior comprising an average number of failed authentications of the data traffic at the first period.

7. (Previously Presented) The device of claim 1, wherein the assigning of the data traffic to the plurality of groups of data traffic is based on monitored behavior, the monitored behavior comprising an origin or destination of the data traffic at the first period.

1 wherein the second threshold confidence level corresponds to a 50% likelihood.

9. (Currently amended) A non-transitory machine-readable medium comprising executable instructions that, when executed by a processing system including a processor, facilitate performance of operations comprising: 
	determining that a first virtual machine (VM) has a malfunction; 
	obtaining, at a first period, logs of data traffic at the first VM that has malfunctioned, wherein the data traffic to the first VM at the first period passes through a first VM shell; 
	assigning the data traffic to a plurality of groups of data traffic; 
	generating a sub VM for each group of the plurality of groups of data traffic, resulting in a plurality of sub VMs;
	generating a second VM shell, wherein the second VM shell is an interface to the plurality of sub VMs, wherein second data traffic at a second period passes through the second VM shell before being directed to each respective sub VM; 
	redirecting data traffic for the first VM shell and the first VM to the second VM shell and the plurality of sub VMs, wherein each sub VM receives incoming data traffic associated with its respective assigned group;
	evaluating the second data traffic of each sub VM of the plurality of sub VMs to determine a confidence score for each of the plurality of sub VMs indicating a likelihood that a portion of the second associated with a respective sub VM has not caused the malfunction; 
consolidating the sub VMs r into a single sub VM;
	subsequent to the consolidating based on data traffic associated with sub VMs having a confidence score that does not meet; and
	restricting the sub VMs having a confidence score that does not meet the first threshold confidence level in accordance with a predetermined restriction policy, the restricting including at least one of: limiting access to one or more predefined folders or prohibiting requests for executing one or more predefined commands.

10. (Previously Presented) The non-transitory machine-readable medium of claim 9 wherein the operations further comprise assigning a confidence score to the data traffic through the first VM at the first period.

11. (Previously Presented) The non-transitory machine-readable medium of claim 9, wherein the first threshold confidence level corresponds to a 90% likelihood.

12. (Previously Presented) The non-transitory machine-readable medium of claim 9, wherein the data traffic causing the malfunction is identified based on the confidence score for that data traffic being less than a second threshold confidence level.

13. (Previously Presented) The non-transitory machine-readable medium of claim 9 wherein the assigning of the data traffic to the plurality of groups of data traffic is based on monitored behavior, the monitored behavior comprising average number of failed authentications of the data traffic at the first period.

14. (Previously Presented) The non-transitory machine-readable medium of claim 9 wherein the assigning of the data traffic to the plurality of groups of data traffic is based on a monitored behavior, the monitored behavior comprising average number of processes engaged of the data traffic at the first period.

15. (Previously Presented) The non-transitory machine-readable medium of claim 9 wherein the second threshold confidence level corresponds to a 50% likelihood.

16. (Currently amended) A method comprising:
	determining, by a processing system, that a first virtual machine (VM) has a malfunction; 
	obtaining, by the processing system, at a first period, logs of data traffic at the first VM, wherein the data traffic to the first VM at the first period passes through a first VM shell; 
	assigning, by the processing system, the data traffic to a plurality of groups of data traffic; 
	generating, by the processing system, a sub VM for each group of the plurality of groups of data traffic, resulting in a plurality of sub VMs;
second data traffic at a second period passes through the second VM shell before being directed to each respective sub VM; 
	redirecting, by the processing system, data traffic for the first VM shell and the first VM to the second VM shell and the plurality of sub VMs, wherein each sub VM receives incoming data traffic associated with its respective assigned group;
	evaluating, by the processing system, the second data traffic of each sub VM of the plurality of sub VMs to determine a confidence score for each of the plurality of sub VMs indicating a likelihood that a portion of the second data traffic associated with a respective sub VM has not caused the malfunction; 
	in accordance with the evaluating, consolidating, by the processing system, the sub VMs  into a single sub VM; and 
consolidating based on data traffic associated with sub VMs having a confidence score that does not meet; and
	restricting, by the processing system, the sub VMs having a confidence score that does not meet the first threshold confidence level in accordance with a predetermined restriction policy, the restricting including at least one of: limiting access to one or more predefined folders or prohibiting requests for executing one or more predefined commands.

17. (Previously Presented) The method of claim 16, wherein the assigning of the data traffic to the plurality of groups of data traffic is based on a monitored behavior, the monitored behavior comprising an average number of processes engaged of the data traffic at the first period. 

18. (Previously Presented) The method of claim 16, wherein the assigning of the data traffic to the plurality of groups of data traffic is based on monitored behavior, the monitored behavior comprising an average number of failed authentications of the data traffic at the first period. 

19. (Previously Presented) The method of claim 16, wherein the assigning of the data traffic to the plurality of groups of data traffic is based on monitored behavior, the monitored behavior comprising an origin or destination of the data traffic at the first period.



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MELISSA A HEADLY whose telephone number is (571)272-1972. The examiner can normally be reached Monday-Friday, 9-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock, can be reached on 571-272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MELISSA A. HEADLY
Examiner
Art Unit 2199