DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
This application discloses and claims only subject matter disclosed in prior application no 16/128,662, filed 09/12/18, and names the inventor or at least one joint inventor named in the prior application. Accordingly, this application may constitute a continuation or division. Should applicant desire to claim the benefit of the filing date of the prior application, attention is directed to 35 U.S.C. 120, 37 CFR 1.78, and MPEP § 211 et seq.
Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 03/26/21. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Objections
Claim 6 is objected to because of the following informalities: claim 6 recites "6. The computer-implemented method of claim 6, comprising salting the discovered credentials, hashing the discovered credentials, or both, prior to storing the discovered credentials in the discovered credential repository". A claim cannot depend from itself; the reference should be to claim 1. Appropriate correction is required.
Double Patenting


The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Instant Application, claim 1:
1. A computer-implemented method of providing security for a software container, comprising:
discovering credentials that a software container is expected to use at runtime, the discovering performed prior to instantiation of the software container from a container image, the discovering based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service;
determining an unsafe credential set that includes one or more of the discovered credentials that do not meet predefined credential safety criteria;
intercepting a runtime request from the software container;
detecting a credential violation based on the intercepted runtime request attempting to use a credential from the unsafe credential set; and
performing a corrective action for the software container based on the detected credential violation.

US 11017074 B2, claim 1:
1. A computer-implemented method of providing security for a software container, comprising:
discovering credentials that a software container is expected to use at runtime, the discovering performed prior to instantiation of the software container from a container image, the discovering based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service;
determining an unsafe credential set that includes one or more of the discovered credentials that do not meet predefined credential safety criteria;
intercepting a runtime request from the software container;
detecting a credential violation based on the intercepted runtime request attempting to use a credential from the unsafe credential set, wherein said detecting a credential violation based on the intercepted runtime request attempting to use a credential from the unsafe credential set comprises detecting that one of the discovered credentials that meets the predefined credential safety criteria has been overridden with a runtime credential that does not meet the predefined credential safety criteria; and
performing a corrective action for the software container based on the detected credential violation.
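As an added illustration of the claimed method (example code written for this page; it is not the applicant's implementation, the patent's, or code from any cited reference), the following Python sketch carries out the steps of claim 1 together with the dependent-claim refinements discussed in the § 103 rejection below: pre-instantiation discovery from the container image environment, the runtime configuration, and a secrets management service; a discovered credential repository keyed by a salted hash rather than the plaintext (claims 5-6); safety criteria for credential age, image-embedded, dictionary, public-repository and non-secrets-service credentials (claims 7-11); blocking, substitution via the secrets service, and alerting as corrective actions (claims 12-15); and the override case recited in claim 1 of US 11017074 B2, where a runtime value replaces a discovered safe credential. Every name (SafetyPolicy, CredentialGuard, secrets_service, build_guard), the credential keyword scan, the 90-day threshold, the weak-value list, the salt and the sample image/runtime data are assumptions constructed for the example.

```python
# Added example (hypothetical code; not the applicant's, the patent's, or any cited reference's).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from typing import Optional

# Assumed keyword scan for credential-bearing names (cf. the "*Pass*"/"*key*" search quoted from Nazarov).
CREDENTIAL_KEYWORDS = ("PASS", "SECRET", "KEY", "TOKEN")


@dataclass(frozen=True)
class Credential:
    name: str
    value: str
    source: str              # "image" | "runtime_config" | "secrets_service" | "runtime_override"
    issued_at: datetime
    in_public_repo: bool = False   # assumed to be supplied by a separate public-repository scan


@dataclass
class SafetyPolicy:
    """Predefined credential safety criteria (claims 7-11); threshold and word list are assumptions."""
    max_age: timedelta = timedelta(days=90)
    weak_values: frozenset = frozenset({"password", "qwerty", "1234", "admin", "rufus"})
    require_secrets_service: bool = False

    def unsafe_reasons(self, c: Credential, now: datetime) -> list:
        reasons = []
        if now - c.issued_at > self.max_age:
            reasons.append("in use longer than allowable period")           # claim 7
        if c.source == "image":
            reasons.append("stored in container image")                      # claim 8
        if c.value.lower() in self.weak_values:
            reasons.append("discoverable by dictionary attack")             # claim 9
        if c.in_public_repo:
            reasons.append("stored in public source repository")            # claim 10
        if self.require_secrets_service and c.source != "secrets_service":
            reasons.append("not obtained from secrets management service")  # claim 11
        return reasons


def is_credential_name(name: str) -> bool:
    return any(k in name.upper() for k in CREDENTIAL_KEYWORDS)


def discover_credentials(image_env, image_built_at, runtime_env, secrets_service,
                         secret_names, now, public_repo_values=frozenset()):
    """Pre-instantiation discovery from the three sources of claim 1. image_env holds image-config
    ENV entries ("NAME=value"); runtime_env is orchestrator-supplied; secrets_service(name) -> (value, issued_at) or None."""
    found = []
    for entry in image_env:
        name, _, value = entry.partition("=")
        if is_credential_name(name):   # an image-baked secret is at least as old as the image build
            found.append(Credential(name, value, "image", image_built_at, value in public_repo_values))
    for name, value in runtime_env.items():
        if is_credential_name(name):
            found.append(Credential(name, value, "runtime_config", now, value in public_repo_values))
    for name in secret_names:
        hit = secrets_service(name)
        if hit is not None:
            found.append(Credential(name, hit[0], "secrets_service", hit[1], hit[0] in public_repo_values))
    return found


@dataclass
class Verdict:
    action: str                  # "allow" | "block" | "substitute"
    reasons: list
    credential: Optional[str]    # credential the request proceeds with (None when blocked)
    alert: Optional[str] = None  # claim 15: alert text emitted on any violation


class CredentialGuard:
    """Holds the discovered credential repository and intercepts runtime credential use."""

    def __init__(self, discovered, policy, secrets_service, now, salt=b"example-salt"):
        self.policy, self.secrets_service, self.now, self.salt = policy, secrets_service, now, salt
        self.repo = {}          # salted digest -> (Credential, reasons); never keyed on plaintext (claim 6)
        self.safe_by_name = {}  # first safe credential discovered per name, used for substitution
        for c in discovered:
            reasons = policy.unsafe_reasons(c, now)
            self.repo[self._digest(c.value)] = (c, reasons)
            if not reasons:
                self.safe_by_name.setdefault(c.name, c)

    def _digest(self, value: str) -> str:
        return sha256(self.salt + value.encode()).hexdigest()

    def unsafe_set(self) -> set:
        return {c.name for c, reasons in self.repo.values() if reasons}

    def intercept(self, name: str, value: str) -> Verdict:
        known = self.repo.get(self._digest(value))
        if known is not None:
            cred, reasons = known
        else:  # not discovered pre-run: an unsafe runtime value replacing a safe one is the override case
            cred = Credential(name, value, "runtime_override", self.now)
            reasons = self.policy.unsafe_reasons(cred, self.now)
            if reasons and name in self.safe_by_name:
                reasons.append("overrides a discovered safe credential")
        if not reasons:
            return Verdict("allow", [], value)
        alert = f"container attempted to use unsafe credential {name}: " + "; ".join(reasons)
        safe = self.safe_by_name.get(name)
        if safe is None:  # claim 14: obtain a replacement dynamically from the secrets service
            hit = self.secrets_service(name)
            if hit is not None:
                candidate = Credential(name, hit[0], "secrets_service", hit[1])
                if not self.policy.unsafe_reasons(candidate, self.now):
                    safe = candidate
        if safe is not None:
            return Verdict("substitute", reasons, safe.value, alert)  # claim 13
        return Verdict("block", reasons, None, alert)                # claim 12


# Constructed sample data: an image-baked password, a weak runtime token, one rotated vault secret.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
_VAULT = {"DB_PASSWORD": ("s3cr3t-rotated-2021", NOW - timedelta(days=10))}


def secrets_service(name):
    return _VAULT.get(name)


def build_guard() -> CredentialGuard:
    discovered = discover_credentials(
        image_env=["PATH=/usr/bin", "DB_PASSWORD=hunter2"], image_built_at=NOW - timedelta(days=400),
        runtime_env={"API_TOKEN": "qwerty", "LOG_LEVEL": "info"}, secrets_service=secrets_service,
        secret_names=["DB_PASSWORD", "API_TOKEN"], now=NOW, public_repo_values=frozenset({"hunter2"}))
    return CredentialGuard(discovered, SafetyPolicy(), secrets_service, NOW)
```

Running build_guard() and calling intercept() on ("DB_PASSWORD", "hunter2") yields a "substitute" verdict carrying the vault value, ("API_TOKEN", "qwerty") is blocked because no safe replacement exists, and ("DB_PASSWORD", "Password") is flagged as an override of a discovered safe credential. The repository stores only salted digests, so a compromise of the guard's state does not hand out the plaintext credentials it is protecting; the alert text, by contrast, names only the credential identifier, never its value.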





Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. US 11017074 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because they recite similar limitations with only obvious variations.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-16 are rejected under 35 U.S.C. 103 as being unpatentable over Dolby et al. (US 20180039774 A1) in view of Nazarov (US 20110083181 A1).

With regards to claims 1 and 16, Dolby discloses a computer-implemented method of providing security for a software container, comprising:
discovering credentials that a software is expected to use at runtime (FIG 1A 101-105 and associated text; [0004] An alternative to offline analysis is online enforcement. Pursuant to online enforcement, analysis is replaced by runtime monitors and/or code-level hooking mechanisms configured for detecting potential attacks in real time.),
the discovering performed prior to instantiation of the software (FIG 1A 107 and associated text), credentials stored in runtime configuration data for the software ([0019] The program progresses to block 109 where the analysis agent analyzes the quarantined set of resources to determine whether or not at least one of a potential security threat or a security misconfiguration exists. A security misconfiguration refers to selecting inappropriate settings in one or more built-in security measures that are utilized in production-ready software applications. These built-in security measures comprise one or more tasks such as setting up firewall rules and exceptions, denying access by default, requiring passwords where appropriate, changing default passwords, and making sure that the latest security updates and patches have been downloaded and installed.), and credentials from a secrets management service ([0019] These built-in security measures comprise one or more tasks such as setting up firewall rules and exceptions, denying access by default, requiring passwords where appropriate, changing default passwords, and making sure that the latest security updates and patches have been downloaded and installed. Note: the examiner interprets default passwords as credentials from a secrets management service);
determining an unsafe credential set that includes one or more of the discovered credentials that do not meet predefined credential safety criteria (FIG 1A 109-111 and associated text);
intercepting a runtime request from the software (FIG 1A 105 with "yes" and associated text; [0004] An alternative to offline analysis is online enforcement. Pursuant to online enforcement, analysis is replaced by runtime monitors and/or code-level hooking mechanisms configured for detecting potential attacks in real time.);
detecting a credential violation based on the intercepted runtime request attempting to use a credential from the unsafe credential set (FIG 1A 111 with "yes" and associated text); and
performing a corrective action for the software container based on the detected credential violation (FIG 1A 115 and associated text).
Dolby does not explicitly disclose the discovering performed from a container image, or the discovering based on one or more of credentials stored in the container image.
However, Nazarov teaches the discovering performed from a container image, the discovering based on one or more of credentials stored in the container image ([0012] According to one type of embodiment, a computer-implemented process and apparatus are provided for screening data for malware. Received data stored in at least one data store includes at least: (i) a first protected item of data containing contents that are generally inaccessible without specific access credential information, and (ii) specific access credential information corresponding to the first protected item of data…. …In response to a detection of the specific access credential information in the at least one data store, the specific access credential information is stored in the at least one data store in a grouping arrangement with other access credential information. [0013] In another related type of embodiment, the access credential information stored in the grouping arrangement is grouped with user-generated access credential information for a variety of different programs or services in a secure arrangement of at least one data structure.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dolby's method with the teaching of Nazarov in order to inhibit "bots" or automated computing devices tasked with the proliferation of malware, spam or other harmful payloads (Nazarov [0004]-[0009]).

With regards to claim 2, Dolby teaches wherein said discovering credentials comprises performing pre-runtime scanning for credentials (Dolby FIG 1A 105-107 and associated text; [0019]). Nazarov further discloses wherein said discovering credentials comprises performing scanning for credentials in expected credential storage locations of the container image (FIG 1 104 and associated text). The motivation would be the same as stated for claim 1.

With regards to claim 3, Dolby in view of Nazarov teaches wherein said discovering credentials comprises: querying a container orchestrator for credentials stored in the runtime configuration data (Nazarov FIG 4 404 and associated text), wherein the container orchestrator is configured to control resource management for a plurality of host computing devices that are configured to run the software container and a plurality of additional software containers (Nazarov [0049] FIGS. 6A and 6B depict information payloads according to various embodiments of the invention. FIG. 6A depicts a payload containing several protected archives compressed utilizing the RAR format and an ASCII-format access credential information file. In various embodiments, the system described in FIG. 5 above, would analyze the payload and attempt to extract the access credential information from the access credential information file. First, the message payload is scanned to determine whether there are any image files, textual descriptions or access credential files in the payload. In the embodiment presented by FIG. 6A, the scan detects an access credential file after searching the payload utilizing a keyword such as "*Pass*", "*key*", or the like. Second, the access credential information is extracted from the access credential file "Password.txt" and is utilized in an attempt to authenticate or gain access to the data stored within the protected archives Archive1.rar, Archive2.rar and Archive3.rar.). The motivation would be the same as stated for claim 1.

With regards to claim 4, Dolby in view of Nazarov further discloses, wherein said discovering credentials comprises: querying the secrets management service for credentials for the container image, wherein the secrets management service is configured to provide credentials for a plurality of container images (Nazarov FIG 5 516 and associated text; [0049]). Motivation would be same as stated in claim 1.

With regards to claim 5, Dolby in view of Nazarov further discloses, comprising storing the discovered credentials in a discovered credential repository along with an identifier of the container image to which they correspond, wherein the discovered credential repository is separate from the container image (Nazarov FIG 6A and associated text;). Motivation would be same as stated in claim 1.

With regards to claim 6, Dolby in view of Nazarov teaches comprising salting the discovered credentials, hashing the discovered credentials, or both, prior to storing the discovered credentials in the discovered credential repository ([0036] The application server 304 may include a database component and an application/web server component. In this embodiment, client computers 308, 310 and 312 may connect to application server 304 to obtain access credential and malicious code information. Further, the application servers 304 may utilize database software such as MySQL.RTM., Microsoft.RTM. SQLServer.RTM., Oracle.RTM., PostgreSQL.RTM., Ingres.RTM., hash files or a combination thereof, to store access credential information.).

With regards to claim 7, Dolby in view of Nazarov do not disclose, but it is well known in the art, that the predefined credential safety criteria indicates that a credential is unsafe if the credential has been in use for longer than a predefined allowable usage period, or is derived from a credential that has been in use for longer than the predefined allowable usage period (Pruthi [0006] In some embodiments, the at least one security score definition file may specify one or more weighted criteria for evaluating customer security preferences. In some embodiments, the one or more weighted criteria may include at least one of: an indication of password strength; an indication of an amount of time elapsed since a password change event;).

With regards to claim 8, Dolby in view of Nazarov discloses,  wherein the predefined credential safety criteria indicates that a credential is unsafe if the credential is stored in the container image (Nazarov [0056]; If the access credential information is considered strong, the AST will then check the information against the local access credential data store in process block 808. The local access credential data store may be a MySQL.RTM., PostgreSQL.RTM., Oracle.RTM., MSSQL.RTM., or other relational database having tables for storing and associating access credential information. If the access credential information already exists in the data store, this means the user has utilized the access credential information in some other service. ). Motivation would be same as stated in claim 1.

With regards to claim 9, Dolby in view of Nazarov discloses, wherein the predefined credential safety criteria indicates that a credential is unsafe if the credential is discoverable through a dictionary attack (Nazarov [0056]; For example, if a user on another system was infected with the Antigen Trojan and the password information stolen was later recovered, it may be uploaded to the remote access credential data store. In this situation, process block 810 would flag the user submitted access credential information as compromised and prompt the user to enter in new access credential information in process block 806. Further, the remote access credential data store may contain common password strings utilized in many brute-force and dictionary-type attacks utilized by access credential hacking programs. Thus, the remote data store may include passwords such as "QWERTY", "1234" and other frequently utilized, "weak" or otherwise compromised passwords. ). Motivation would be same as stated in claim 1.

With regards to claim 10, Dolby in view of Nazarov do not disclose, but it is well known in the art, that the predefined credential safety criteria indicates that a credential is unsafe if the credential is stored in a publicly-accessible source code repository.

With regards to claim 11, Dolby in view of Nazarov discloses wherein the predefined credential safety criteria indicates that a credential is unsafe if the credential is not obtained from the secrets management service for the software container ([0047] In various embodiments, the system will utilize a web service, HTTP request, email or other networked messaging format to communicate with the remote access credential data store. The metadata may be encrypted utilizing a hash cipher, block cipher, public-key encryption or other method of cryptography, before transmittal. By encrypting the metadata information before transmittal, the information is protected from manipulation while being transferred to the remote access credential data store. Note: remote credential access is encrypted for security purposes).

With regards to claim 12, Dolby further discloses wherein said performing a corrective action based on the detected credential violation comprises preventing execution of the intercepted runtime request ([0027] The negative branch from block 117 leads to block 121 where the new application is not installed.).

With regards to claim 13, Dolby in view of Nazarov discloses wherein said performing a corrective action based on the detected credential violation comprises substituting the credential from the unsafe credential set with a safe credential (Nazarov [0056] For example, process block 804 will parse the access credential information and determine the letter, case, repeat and consecutive count of all letter characters. Further, the sequential nature of any numbers will be determined along with overall count, repeat and consecutive number count. Access credential information will be designated strong if criteria relating to the length, case, non-consecutive, non-sequential and lack of repeat character requirements are met. For example, a password that contains all-lowercase letters such as "rufus" would not be considered a strong password, while a password with lowercase and uppercase letters along with numbers and punctuation would be considered strong ("qU8b2Di!E$"). In the event that the access credential information is determined to not meet the threshold requirements of a strong determination, the AST will prompt the user to enter in new access credential information in process block 806.), and executing the intercepted runtime request with the safe credential (Dolby FIG 1A 113). The motivation would be the same as stated for claim 1.

With regards to claim 14, Dolby in view of Nazarov discloses wherein said substituting the credential comprises dynamically obtaining a credential for the software container from the secrets management service, and utilizing the credential from the secrets management service as the safe credential (Nazarov [0056] For example, if the user utilized the AST to determine the strength of access credential information potentially utilized for eBay.com, they can store the access credential information with additional metadata describing the eBay.com service. In this way, the process 800 may check for the strength of access credential information and store additional access credential information in order to facilitate further access credential management services such as auto-insert of credentials when associated service is utilized, password change reminders, and password use counts.). The motivation would be the same as stated for claim 1.

With regards to claim 15, Dolby further discloses, wherein said performing a corrective action based on the detected credential violation comprises providing an alert that the software container is attempting to use an unsafe credential (Dolby FIG 1A 115 and associated text;).
Allowable Subject Matter
Claims 17-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (US 10298577 B1: container image definition; see col. 2, lines 50-67).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571) 270-7987. The examiner can normally be reached 8:30 AM to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 1-571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MOHAMMED WALIULLAH/Primary Examiner, Art Unit 2498