DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
                                                        
Response to Amendment
The amendments filed on February 26, 2022 have been entered.
Claims 1, 8, and 15 have been amended.

          Response to Arguments
Applicant’s arguments filed on February 26, 2022 have been considered and are moot in view of the new ground(s) in the current rejection.  


















Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Rosendahl et al. (Pub. No. US 2020/0110873), hereinafter Rosendahl, in view of Wang et al. (Pub. No. US 2015/0033336), hereinafter Wang.

Claim 1. 	Rosendahl discloses a method for a computer system to perform dynamic event processing for network diagnosis, wherein the method comprises: 
monitoring a runtime flow of multiple packets that originate from, or destined for, a virtualized computing instance supported by the computer system to detect a set of multiple events associated with the runtime flow (Parag. [0043]; (The art teaches that the network probe 124 probes the network activity 108 of the app containers 104 as well as the overall network of the container system 102 for any threats indicated in the threat database 132. Although the network probe 124 is similar to the container probe 122, the network probe 124 checks network-related activities rather than container-related activities. The network probe 122 checks the signatures for vulnerabilities and benchmark settings listed in the threat database 132 to see if there are any matches to the signatures. Parag. [0040] discloses that the threat database 132 includes a list of network attack signatures. These signatures describe network activity that may indicate a potential malicious activity on the network. The signatures may indicate some information about the network traffic, such as a source, a destination, packet type, packet header data, packet size, time of network activity, content of network data, and other information within the network data, that when detected, may indicate an attack. The signature may also indicate various patterns in the network activity, such as a pattern in the timing of data received/transmitted, a pattern in the network addresses that receive/send the data, a pattern in the types of systems or containers that send/receive the data, a pattern in the ownership of containers that are receiving/sending certain data, a pattern in the amount of data that is being sent/received, a pattern in the content of the data that is being sent/received and so on. Parag. [0089] discloses that network traffic to and from the new app container 320 flows through the security container 350. The security container 350 may be able to monitor this traffic and inspect it to determine if a network security issue exists)); 
performing a first stage of event processing by matching the set of multiple events to a set of multiple signatures (Parag. [0043-0044]; (The art teaches that the network probe 124 checks network-related activities rather than container-related activities. The network probe 122 checks the signatures for vulnerabilities and benchmark settings listed in the threat database 132 to see if there are any matches to the signatures. The network probe 122 may check a section of the threat database 132 specific to network-related activities. If any matches are found, the vulnerability/benchmark setting that had a signature matched, as well as the location/log of that match is sent to the data logger 140 to be logged in the data logger 138. The art teaches that the network probe 124 may also scan for abnormal network behavior. The network probe 124 may take a baseline scan of network activity over time for each app container 104, for the host 150 of the app container 104, and/or for the network to which the app container 104 is connected. This baseline data is verified to represent normal behavior. This data may be fed by the network probe 124 into a model, such as regression model, a neural network, etc. Once the model is trained using the baseline data, live data of network activity is fed into the model. If the model determines that the live data deviates from the baseline beyond a certain threshold, then the network probe 124 determines that abnormal network activity may be occurring. This information is send to the data logger 138. The baseline data may be recorded per app container 104, such that the abnormal network activity may be determined per app container 104. In another embodiment, the network probe 124 determines that anomalous network behavior is occurring when it detects one or more specific behaviors in the network, such as TCP (Transmission Control Protocol) flooding, ICMP (Internet Control Message Protocol) flooding, invalid packets (e.g., packets with bad headers), ping death, SSL (Secure Sockets Layer) healthbleed, HTTP (Hypertext Transport Protocol) Slowloris DDoS (Distributed Denial of Service) attacks, and so on. Parag. [0045] discloses that the network probe 124 may also scan the network traffic for the app containers 104, host 150, and other related networks for network traffic matching the signatures in the list of network attack signatures listed in the threat database 132. If a match is found, then the network probe 124 determines that abnormal network activity may be occurring)) that includes:(a) a first signature associated with a first mapping rule that is fully satisfied by the set of multiple events (Parag. [0045]; (The art teaches that the match may be found if an exact match (i.e., fully satisfied) for the information and patterns indicated in the network attack signature (i.e. first signature) is found)); and (b) a second signature associated with a second mapping rule that is partially satisfied by the set of multiple events (Parag. [0045]; (The art teaches that the match could also be found if a percentage (e.g., 80%) of the information and patterns indicated in the network attack signature (i.e., second signature) are matched (i.e., partially satisfied) in the network traffic)); 
performing a second stage of event processing by comparing predefined characteristic information specified by the first signature against runtime characteristic information associated with the runtime flow, wherein the second signature is disregarded during the second stage of event processing (Parag. [0045]; (The art teaches that the match may be found if an exact match for the information and patterns indicated in the network attack signature is found, or if a percentage (e.g., 80%) of the information and patterns indicated in the network attack signature are matched in the network traffic (i.e., only one signature is being matched from the list of network attack signatures. Therefore, when the match is found through the first signature that is fully satisfied (i.e., fully satisfied)). Once the network probe 124 finds the match, it may send a log and/or the contents of the network traffic that matches the signature to the data logger 138, and also transmit an indicator of the network attack signature that was matched. Parag. [0040] discloses that the threat database 132 includes a list of network attack signatures. These signatures describe network activity that may indicate a potential malicious activity on the network. The signatures may indicate some information about the network traffic, such as a source, a destination, packet type, packet header data, packet size, time of network activity, content of network data, and other information within the network data, that when detected, may indicate an attack. The signature may also indicate various patterns in the network activity, such as a pattern in the timing of data received/transmitted, a pattern in the network addresses that receive/send the data, a pattern in the types of systems or containers that send/receive the data, a pattern in the ownership of containers that are receiving/sending certain data, a pattern in the amount of data that is being sent/received, a pattern in the content of the data that is being sent/received and so on. Each signature may indicate multiple patterns and information about the network traffic. When the patterns and information for a signature are detected in the network traffic (i.e., comparing the information specified by the signature against runtime flow), then malicious activity may be indicated. For example, an amount of traffic that has a pattern exceeding a certain data rate, to a particular destination, may indicate an attack (e.g., a denial of service attack). i.e., the second stage is associated with the comparing the information of the specific signature)).
Rosendahl doesn’t explicitly disclose in response to diagnosing an issue associated with the runtime flow based on the second stage of event processing, performing one or more remediation actions. 
		However, Wang discloses in response to diagnosing an issue associated with the runtime flow based on the second stage of event processing, performing one or more remediation actions (Parag. [0015]; (The art teaches that the intrusion prevention module can also be configured to correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, clean up unwanted transport and network layer options, among other such functionalities)).
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Rosendahl to incorporate the teaching of Wang. This would be convenient for logging data to facilitate capturing and understanding of the context of an attack (Parag. [0003]).
Claim 2. 	Rosendahl in view of Wang discloses the method of claim 1,   
Rosendahl further discloses wherein performing the first stage of event processing comprises: matching the set of multiple events to the first mapping rule to determine whether a first compound event has occurred, wherein the first mapping rule specifies the first compound event as a logical combination of at least two events (Parag. [0043-0044]; (The art teaches that the network probe 124 checks network-related activities rather than container-related activities. The network probe 122 checks the signatures for vulnerabilities and benchmark settings listed in the threat database 132 to see if there are any matches to the signatures. The network probe 122 may check a section of the threat database 132 specific to network-related activities. If any matches are found, the vulnerability/benchmark setting that had a signature matched, as well as the location/log of that match is sent to the data logger 140 to be logged in the data logger 138. The art teaches that the network probe 124 may also scan for abnormal network behavior. The network probe 124 may take a baseline scan of network activity over time for each app container 104, for the host 150 of the app container 104, and/or for the network to which the app container 104 is connected. This baseline data is verified to represent normal behavior. This data may be fed by the network probe 124 into a model, such as regression model, a neural network, etc. Once the model is trained using the baseline data, live data of network activity is fed into the model. If the model determines that the live data deviates from the baseline beyond a certain threshold, then the network probe 124 determines that abnormal network activity may be occurring. This information is send to the data logger 138. The baseline data may be recorded per app container 104, such that the abnormal network activity may be determined per app container 104. In another embodiment, the network probe 124 determines that anomalous network behavior is occurring when it detects one or more specific behaviors in the network, such as TCP (Transmission Control Protocol) flooding, ICMP (Internet Control Message Protocol) flooding, invalid packets (e.g., packets with bad headers), ping death, SSL (Secure Sockets Layer) healthbleed, HTTP (Hypertext Transport Protocol) Slowloris DDoS (Distributed Denial of Service) attacks, and so on. Parag. [0045] discloses that the network probe 124 may also scan the network traffic for the app containers 104, host 150, and other related networks for network traffic matching the signatures in the list of network attack signatures listed in the threat database 132. If a match is found, then the network probe 124 determines that abnormal network activity may be occurring)).  
Claim 3. 	Rosendahl in view of Wang discloses the method of claim 2,    
Rosendahl further discloses wherein performing the first stage of event processing comprises: in response to determination that the first compound event has occurred, determining that the first mapping rule is fully satisfied by the set of the multiple events (Parag. [0043-0045]; (The art teaches that the network probe 124 checks network-related activities rather than container-related activities. The network probe 122 checks the signatures for vulnerabilities and benchmark settings listed in the threat database 132 to see if there are any matches to the signatures. The network probe 122 may check a section of the threat database 132 specific to network-related activities. The art teaches that the match may be found if an exact match (i.e., fully satisfied) for the information and patterns indicated in the network attack signature (i.e. first signature) is found)).   
 
Claim 4. 	Rosendahl in view of Wang discloses the method of claim 3,    
Rosendahl further discloses wherein performing the second stage of event processing comprises: comparing the predefined characteristic information associated with the first compound event against the characteristic information associated with the runtime flow (Parag. [0040]; (The art discloses that the threat database 132 includes a list of network attack signatures. These signatures describe network activity that may indicate a potential malicious activity on the network. The signatures may indicate some information about the network traffic, such as a source, a destination, packet type, packet header data, packet size, time of network activity, content of network data, and other information within the network data, that when detected, may indicate an attack. The signature may also indicate various patterns in the network activity, such as a pattern in the timing of data received/transmitted, a pattern in the network addresses that receive/send the data, a pattern in the types of systems or containers that send/receive the data, a pattern in the ownership of containers that are receiving/sending certain data, a pattern in the amount of data that is being sent/received, a pattern in the content of the data that is being sent/received and so on. Each signature may indicate multiple patterns and information about the network traffic. When the patterns and information for a signature are detected in the network traffic (i.e., comparing the information specified by the signature against runtime flow), then malicious activity may be indicated. For example, an amount of traffic that has a pattern exceeding a certain data rate, to a particular destination, may indicate an attack (e.g., a denial of service attack). i.e., the second stage is associated with the comparing the information of the specific signature))

Claim 5. 	Rosendahl in view of Wang discloses the method of claim 3, 
Rosendahl doesn’t explicitly disclose wherein performing the first stage of event processing comprises: identifying the predefined characteristic information that is specified by the first signature and includes at least one of the following: medium access control (MAC) information, network layer information, transport layer information and application layer information.
		
		However, Wang discloses wherein performing the first stage of event processing comprises: identifying the predefined characteristic information that is specified by the first signature and includes at least one of the following: medium access control (MAC) information, network layer information, transport layer information and application layer information (Parag. [0015] and Parag. [0036]; (The art teaches that an attack packet, can include a packet that has a spoofed address, indicates malicious activity, contains information about malicious activity, or has any other undesired characteristic as defined by network security policy, for example. It should be appreciated that terms such as blocking packets and suspending packets are to be interpreted widely as the enforcement of a defensive rule that is defined by the system based on the feedback it receives from IDS. Such feedback can include, for example, discarding, logging, or rate limiting traffic from a particular source address or set of source addresses (i.e. MAC address); discarding, logging, or rate limiting traffic to a particular destination address or set of destination addresses; discarding, logging, or rate limiting UDP traffic from the Internet 110 to a particular subnet or set of subnets; discarding, logging, or rate limiting UDP traffic from the Internet 110 to a subnet with a particular UDP destination port or set of UDP destination ports; and so forth)).  
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Rosendahl to incorporate the teaching of Wang. This would be convenient for logging data to facilitate capturing and understanding of the context of an attack (Parag. [0003]).


Claim 6. 	Rosendahl in view of Wang discloses the method of claim 1,    
Rosendahl doesn’t explicitly disclose wherein performing the first stage of event processing comprises: matching the set of multiple events to the second mapping rule to determine whether a second compound event has occurred, wherein the second mapping rule specifies the second compound event as a logical combination of at least two events (Parag. [0043-0044]; (The art teaches that the network probe 124 checks network-related activities rather than container-related activities. The network probe 122 checks the signatures for vulnerabilities and benchmark settings listed in the threat database 132 to see if there are any matches to the signatures. The network probe 122 may check a section of the threat database 132 specific to network-related activities. If any matches are found, the vulnerability/benchmark setting that had a signature matched, as well as the location/log of that match is sent to the data logger 140 to be logged in the data logger 138. The art teaches that the network probe 124 may also scan for abnormal network behavior. The network probe 124 may take a baseline scan of network activity over time for each app container 104, for the host 150 of the app container 104, and/or for the network to which the app container 104 is connected. This baseline data is verified to represent normal behavior. This data may be fed by the network probe 124 into a model, such as regression model, a neural network, etc. Once the model is trained using the baseline data, live data of network activity is fed into the model. If the model determines that the live data deviates from the baseline beyond a certain threshold, then the network probe 124 determines that abnormal network activity may be occurring. This information is send to the data logger 138. The baseline data may be recorded per app container 104, such that the abnormal network activity may be determined per app container 104. In another embodiment, the network probe 124 determines that anomalous network behavior is occurring when it detects one or more specific behaviors in the network, such as TCP (Transmission Control Protocol) flooding, ICMP (Internet Control Message Protocol) flooding, invalid packets (e.g., packets with bad headers), ping death, SSL (Secure Sockets Layer) healthbleed, HTTP (Hypertext Transport Protocol) Slowloris DDoS (Distributed Denial of Service) attacks, and so on. Parag. [0045] discloses that the network probe 124 may also scan the network traffic for the app containers 104, host 150, and other related networks for network traffic matching the signatures in the list of network attack signatures listed in the threat database 132. If a match is found, then the network probe 124 determines that abnormal network activity may be occurring)). 
		 
Claim 7. 	Rosendahl in view of Wang discloses the method of claim 6, 
Rosendahl further discloses wherein the method further comprises: in response to determination that the second compound event has not occurred or partially occurred (i.e.. 80%), determining that the second mapping rule is not fully satisfied (Parag. [0045]; (The art teaches that the match could also be found if a percentage (e.g., 80%) of the information and patterns indicated in the network attack signature are matched (i.e., not fully satisfied) in the network traffic)).   

Claim 8. 	Rosendahl discloses a non-transitory computer-readable storage medium that includes a set of instructions which, in response to execution by a processor of a computer system, cause the processor to perform dynamic event processing for network diagnosis (Parag. [0099]), wherein the method comprises: 
monitoring a runtime flow of multiple packets that originate from, or destined for, a virtualized computing instance supported by the computer system to detect a set of multiple events associated with the runtime flow (Parag. [0043]; (The art teaches that the network probe 124 probes the network activity 108 of the app containers 104 as well as the overall network of the container system 102 for any threats indicated in the threat database 132. Although the network probe 124 is similar to the container probe 122, the network probe 124 checks network-related activities rather than container-related activities. The network probe 122 checks the signatures for vulnerabilities and benchmark settings listed in the threat database 132 to see if there are any matches to the signatures. Parag. [0040] discloses that the threat database 132 includes a list of network attack signatures. These signatures describe network activity that may indicate a potential malicious activity on the network. The signatures may indicate some information about the network traffic, such as a source, a destination, packet type, packet header data, packet size, time of network activity, content of network data, and other information within the network data, that when detected, may indicate an attack. The signature may also indicate various patterns in the network activity, such as a pattern in the timing of data received/transmitted, a pattern in the network addresses that receive/send the data, a pattern in the types of systems or containers that send/receive the data, a pattern in the ownership of containers that are receiving/sending certain data, a pattern in the amount of data that is being sent/received, a pattern in the content of the data that is being sent/received and so on. Parag. [0089] discloses that network traffic to and from the new app container 320 flows through the security container 350. The security container 350 may be able to monitor this traffic and inspect it to determine if a network security issue exists));  
performing a first stage of event processing by matching the set of multiple events to a set of multiple signatures (Parag. [0043-0044]; (The art teaches that the network probe 124 checks network-related activities rather than container-related activities. The network probe 122 checks the signatures for vulnerabilities and benchmark settings listed in the threat database 132 to see if there are any matches to the signatures. The network probe 122 may check a section of the threat database 132 specific to network-related activities. If any matches are found, the vulnerability/benchmark setting that had a signature matched, as well as the location/log of that match is sent to the data logger 140 to be logged in the data logger 138. The art teaches that the network probe 124 may also scan for abnormal network behavior. The network probe 124 may take a baseline scan of network activity over time for each app container 104, for the host 150 of the app container 104, and/or for the network to which the app container 104 is connected. This baseline data is verified to represent normal behavior. This data may be fed by the network probe 124 into a model, such as regression model, a neural network, etc. Once the model is trained using the baseline data, live data of network activity is fed into the model. If the model determines that the live data deviates from the baseline beyond a certain threshold, then the network probe 124 determines that abnormal network activity may be occurring. This information is send to the data logger 138. The baseline data may be recorded per app container 104, such that the abnormal network activity may be determined per app container 104. In another embodiment, the network probe 124 determines that anomalous network behavior is occurring when it detects one or more specific behaviors in the network, such as TCP (Transmission Control Protocol) flooding, ICMP (Internet Control Message Protocol) flooding, invalid packets (e.g., packets with bad headers), ping death, SSL (Secure Sockets Layer) healthbleed, HTTP (Hypertext Transport Protocol) Slowloris DDoS (Distributed Denial of Service) attacks, and so on. Parag. [0045] discloses that the network probe 124 may also scan the network traffic for the app containers 104, host 150, and other related networks for network traffic matching the signatures in the list of network attack signatures listed in the threat database 132. If a match is found, then the network probe 124 determines that abnormal network activity may be occurring)) that includes:(a) a first signature associated with a first mapping rule that is fully satisfied by the set of multiple events (Parag. [0045]; (The art teaches that the match may be found if an exact match (i.e., fully satisfied) for the information and patterns indicated in the network attack signature (i.e. first signature) is found)); and (b) a second signature associated with a second mapping rule (Parag. [0045]; (The art teaches that the match could also be found if a percentage (e.g., 80%) of the information and patterns indicated in the network attack signature (i.e., second signature) are matched (i.e., partially satisfied) in the network traffic));  
F953-3-performing a second stage of event processing by comparing predefined characteristic information specified by the first signature against runtime characteristic information associated with the runtime flow, wherein the second signature is disregarded during the second stage of event processing (Parag. [0045]; (The art teaches that the match may be found if an exact match for the information and patterns indicated in the network attack signature is found, or if a percentage (e.g., 80%) of the information and patterns indicated in the network attack signature are matched in the network traffic (i.e., only one signature is being matched from the list of network attack signatures. Therefore, when the match is found through the first signature that is fully satisfied (i.e., fully satisfied)). Once the network probe 124 finds the match, it may send a log and/or the contents of the network traffic that matches the signature to the data logger 138, and also transmit an indicator of the network attack signature that was matched. Parag. [0040] discloses that the threat database 132 includes a list of network attack signatures. These signatures describe network activity that may indicate a potential malicious activity on the network. The signatures may indicate some information about the network traffic, such as a source, a destination, packet type, packet header data, packet size, time of network activity, content of network data, and other information within the network data, that when detected, may indicate an attack. The signature may also indicate various patterns in the network activity, such as a pattern in the timing of data received/transmitted, a pattern in the network addresses that receive/send the data, a pattern in the types of systems or containers that send/receive the data, a pattern in the ownership of containers that are receiving/sending certain data, a pattern in the amount of data that is being sent/received, a pattern in the content of the data that is being sent/received and so on. Each signature may indicate multiple patterns and information about the network traffic. When the patterns and information for a signature are detected in the network traffic (i.e., comparing the information specified by the signature against runtime flow), then malicious activity may be indicated. For example, an amount of traffic that has a pattern exceeding a certain data rate, to a particular destination, may indicate an attack (e.g., a denial of service attack). i.e., the second stage is associated with the comparing the information of the specific signature)).
Rosendahl doesn’t explicitly disclose in response to diagnosing an issue associated with the runtime flow based on the second stage of event processing, performing one or more remediation actions. 
		However, Wang discloses in response to diagnosing an issue associated with the runtime flow based on the second stage of event processing, performing one or more remediation actions (Parag. [0015]; (The art teaches that the intrusion prevention module can also be configured to correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, clean up unwanted transport and network layer options, among other such functionalities)). 
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Rosendahl to incorporate the teaching of Wang. This would be convenient for logging data to facilitate capturing and understanding of the context of an attack (Parag. [0003]). 

Claim 9 is taught by Rosendahl in view of Wang s as described for claim 2.

Claim 10 is taught by Rosendahl in view of Wang as described for claim 3.  

Claim 11 is taught by Rosendahl in view of Wang as described for claim 4.  

Claim 12 is taught by Rosendahl in view of Wang as described for claim 5.  

Claim 13 is taught by Rosendahl in view of Wang as described for claim 6.  

Claim 14 is taught by Rosendahl in view of Wang as described for claim 7.   

Claim 15. 	Rosendahl discloses a computer system, comprising: a processor; and a non-transitory computer-readable medium having stored thereon instructions that, when executed by the processor (Parag. [0099]), cause the processor to perform the following: 
monitor a runtime flow of multiple packets that originate from, or destined for, a virtualized computing instance supported by the computer system to detect a set of multiple events associated with the runtime flow (Parag. [0043]; (The art teaches that the network probe 124 probes the network activity 108 of the app containers 104 as well as the overall network of the container system 102 for any threats indicated in the threat database 132. Although the network probe 124 is similar to the container probe 122, the network probe 124 checks network-related activities rather than container-related activities. The network probe 122 checks the signatures for vulnerabilities and benchmark settings listed in the threat database 132 to see if there are any matches to the signatures. Parag. [0040] discloses that the threat database 132 includes a list of network attack signatures. These signatures describe network activity that may indicate a potential malicious activity on the network. The signatures may indicate some information about the network traffic, such as a source, a destination, packet type, packet header data, packet size, time of network activity, content of network data, and other information within the network data, that when detected, may indicate an attack. The signature may also indicate various patterns in the network activity, such as a pattern in the timing of data received/transmitted, a pattern in the network addresses that receive/send the data, a pattern in the types of systems or containers that send/receive the data, a pattern in the ownership of containers that are receiving/sending certain data, a pattern in the amount of data that is being sent/received, a pattern in the content of the data that is being sent/received and so on. Parag. [0089] discloses that network traffic to and from the new app container 320 flows through the security container 350. The security container 350 may be able to monitor this traffic and inspect it to determine if a network security issue exists));   
perform a first stage of event processing by matching the set of multiple events to a set of multiple signatures (Parag. [0043-0044]; (The art teaches that the network probe 124 checks network-related activities rather than container-related activities. The network probe 122 checks the signatures for vulnerabilities and benchmark settings listed in the threat database 132 to see if there are any matches to the signatures. The network probe 122 may check a section of the threat database 132 specific to network-related activities. If any matches are found, the vulnerability/benchmark setting that had a signature matched, as well as the location/log of that match is sent to the data logger 140 to be logged in the data logger 138. The art teaches that the network probe 124 may also scan for abnormal network behavior. The network probe 124 may take a baseline scan of network activity over time for each app container 104, for the host 150 of the app container 104, and/or for the network to which the app container 104 is connected. This baseline data is verified to represent normal behavior. This data may be fed by the network probe 124 into a model, such as regression model, a neural network, etc. Once the model is trained using the baseline data, live data of network activity is fed into the model. If the model determines that the live data deviates from the baseline beyond a certain threshold, then the network probe 124 determines that abnormal network activity may be occurring. This information is send to the data logger 138. The baseline data may be recorded per app container 104, such that the abnormal network activity may be determined per app container 104. In another embodiment, the network probe 124 determines that anomalous network behavior is occurring when it detects one or more specific behaviors in the network, such as TCP (Transmission Control Protocol) flooding, ICMP (Internet Control Message Protocol) flooding, invalid packets (e.g., packets with bad headers), ping death, SSL (Secure Sockets Layer) healthbleed, HTTP (Hypertext Transport Protocol) Slowloris DDoS (Distributed Denial of Service) attacks, and so on. Parag. [0045] discloses that the network probe 124 may also scan the network traffic for the app containers 104, host 150, and other related networks for network traffic matching the signatures in the list of network attack signatures listed in the threat database 132. If a match is found, then the network probe 124 determines that abnormal network activity may be occurring)) that includes:(a) a first signature associated with a first mapping rule that is fully satisfied by the set of multiple events (Parag. [0045]; (The art teaches that the match may be found if an exact match (i.e., fully satisfied) for the information and patterns indicated in the network attack signature (i.e. first signature) is found)); and (b) a second signature associated with a second mapping rule (Parag. [0045]; (The art teaches that the match could also be found if a percentage (e.g., 80%) of the information and patterns indicated in the network attack signature (i.e., second signature) are matched (i.e., partially satisfied) in the network traffic));   
perform a second stage of event processing by comparing predefined characteristic information specified by the first signature against runtime characteristic information associated with the runtime flow, wherein the second signature is disregarded during the second stage of event processing (Parag. [0045]; (The art teaches that the match may be found if an exact match for the information and patterns indicated in the network attack signature is found, or if a percentage (e.g., 80%) of the information and patterns indicated in the network attack signature are matched in the network traffic (i.e., only one signature is being matched from the list of network attack signatures. Therefore, when the match is found through the first signature that is fully satisfied (i.e., fully satisfied)). Once the network probe 124 finds the match, it may send a log and/or the contents of the network traffic that matches the signature to the data logger 138, and also transmit an indicator of the network attack signature that was matched. Parag. [0040] discloses that the threat database 132 includes a list of network attack signatures. These signatures describe network activity that may indicate a potential malicious activity on the network. The signatures may indicate some information about the network traffic, such as a source, a destination, packet type, packet header data, packet size, time of network activity, content of network data, and other information within the network data, that when detected, may indicate an attack. The signature may also indicate various patterns in the network activity, such as a pattern in the timing of data received/transmitted, a pattern in the network addresses that receive/send the data, a pattern in the types of systems or containers that send/receive the data, a pattern in the ownership of containers that are receiving/sending certain data, a pattern in the amount of data that is being sent/received, a pattern in the content of the data that is being sent/received and so on. Each signature may indicate multiple patterns and information about the network traffic. When the patterns and information for a signature are detected in the network traffic (i.e., comparing the information specified by the signature against runtime flow), then malicious activity may be indicated. For example, an amount of traffic that has a pattern exceeding a certain data rate, to a particular destination, may indicate an attack (e.g., a denial of service attack). i.e., the second stage is associated with the comparing the information of the specific signature)). 
Rosendahl doesn’t explicitly disclose in response to diagnosing an issue associated with the runtime flow based on the second stage of event processing, performing one or more remediation actions.  
However, Wang discloses in response to diagnosing an issue associated with the runtime flow based on the second stage of event processing, perform one or more remediation actions (Parag. [0015]; (The art teaches that the intrusion prevention module can also be configured to correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, clean up unwanted transport and network layer options, among other such functionalities)). 
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Rosendahl to incorporate the teaching of Wang. This would be convenient for logging data to facilitate capturing and understanding of the context of an attack (Parag. [0003]). 

Claim 16 is taught by Rosendahl in view of Wang as described for claim 2.
  
Claim 17 is taught by Rosendahl in view of Wang as described for claim 3.
  
Claim 18 is taught by Rosendahl in view of Wang as described for claim 4.   

Claim 19 is taught by Rosendahl in view of Wang as described for claim 5.   

Claim 20 is taught by Rosendahl in view of Wang as described for claim 6.   

Claim 21 is taught by Rosendahl in view of Wang as described for claim 7. 









Conclusion
		The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Hart et al. (US 10,262,137) – Related art in the area of security recommendations based on incidents of malware (Col. 6 lines 20-33,  the present systems and methods may analyze a correlation between malware signatures on a first machine and malware incident detection on the first machine in relation to a correlation between malware signatures on a second machine and malware incident detection on the second machine. For example, the first machine may include a first signature while the second machine includes the same first signature and a second signature. The present systems and methods may analyze the first and second signatures in relation to the malware incident detection on both the first and second machines. The analysis may indicate a context the second signature provides to malware detection in order to clarify one or more aspects of the malware such as a severity of detected malware).
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDELBASST TALIOUA whose telephone number is (571)272-4061.  The examiner can normally be reached on Monday-Thursday 7:30 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on 571-272-7872.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/A.T./Examiner, Art Unit 2442      

/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442