DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on October 15, 2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function. Such claim limitation(s) is/are: “program code configured to instantiate/receive/determine/take” in claim 9; “program code is configured to generate” in claim 10; and “program code is configured to enrich” in claim 15.
Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.
If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to remove the structure, materials, or acts that perform the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-24 are rejected under 35 U.S.C. 103 as being unpatentable over Herman Saffar et al. in view of El Abed, EP 3805967 A1.

As per claim 1, Herman Saffar et al. teach a method for intrusion detection in a run-time container environment (col. 7, lines 33-42), comprising:
instantiating a behavior model associated with a container image (col. 7, lines 46-49), the behavior model being a data structure having a set of nodes (col. 15, lines 62-65), wherein a node represents one of:
a process, a file and a network socket, and wherein a system call is made by at least one process (col. 11, lines 26-32 and col. 12, lines 22-33);
as the container image executes, receiving system call telemetry (metrics that are representative of behavior performed by the container, col. 9, lines 18-26 and 43-63);
responsive to receipt of the telemetry, determining whether the container image is executing in a manner inconsistent with its associated behavior model, thereby indicating an anomaly (col. 10, lines 20-30); and
upon a determination that the container image is executing in a manner inconsistent with its associated behavior model, taking an automated action to attempt to address the anomaly (col. 11, lines 26-32).
Herman Saffar et al. fail to disclose a graph data structure having a set of nodes and a set of edges that is used for intrusion detection of a container, wherein an edge represents a system call made by at least one process represented in the graph data structure. In a related teaching, El Abed discloses a graph data structure having a set of nodes and a set of edges that is used for intrusion detection (unintended behavior such as malware, paragraph 0005) of a container, wherein an edge represents a system call made by at least one process represented in the graph data structure (paragraph 0035, col. 5, line 56 through col. 6, line 8).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Herman Saffar et al. to use edge analysis as a means to build and define the behavior of a container and detect deviation from baseline operations (paragraph 0006), wherein edges are associated with identifiers of system calls of respective consecutive records (paragraph 0012) and the size of an edge is based on the average time spent in the previous node linked to the edge (paragraph 0016). The approach disclosed by El Abed is an automated process executed by intelligent agents whose findings are displayed as graphs that analysts can readily interpret (paragraph 0010). The teachings of El Abed thus add to Herman Saffar et al. a more in-depth analysis whose graphical results, used to detect malware, are presented to an analyst for interpretation.
As per claim 2, Herman Saffar et al. disclose further including generating the behavior model (col. 7, lines 33-49).
As per claim 3, Herman Saffar et al. teach wherein the behavior model is generated by a binary analysis that determines what library functions a given binary calls (system calls are the base block of each process, see col. 9, lines 14-28).
As per claim 4, Herman Saffar et al. disclose wherein the binary analysis determines what library functions a given binary calls by examining inter-procedural calls and finding a set of system calls reachable from the call points (col. 7, lines 42-64 and col. 9, lines 14-28). El Abed is relied upon for disclosing examining an inter-procedural call graph and finding a set of system calls reachable from the call graph (paragraph 0035, col. 5, line 56 through col. 6, line 8). Please refer above for the motivation for applying the teachings of El Abed to Herman Saffar et al.
As per claim 5, Herman Saffar et al. teach wherein the binary analysis generates the behavior model by micro-executing code reachable from an entrypoint of the container image (col. 6, lines 8-11 and col. 9, lines 14-28).
As per claim 6, Herman Saffar et al. disclose wherein the behavior model is instantiated in a hardware node in a Container Orchestration Engine (COE), and wherein the container image executes as a micro-service (col. 6, lines 8-11 and col. 8, lines 4-10).
As per claim 7, Herman Saffar et al. teach further including enriching the behavior model (various sectors of data are collected, as is raw data collected from different sources, col. 9, lines 43-63) based on information representing one or more valid system calls seen by one or more other containers running on the hardware node (col. 6, lines 46-49 and col. 15, lines 62-65).
As per claim 8, Herman Saffar et al. disclose wherein the automated action is one of: mitigation, notification, sandboxing and logging (col. 8, lines 38-44).
As per claim 9, Herman Saffar et al. teach an apparatus, comprising:
at least one hardware processor (col. 16, lines 24-25);
computer memory holding computer program instructions executed by the at least one hardware processor (col. 16, lines 24-25 and 30-33) to perform intrusion detection in association with a container environment (col. 7, lines 33-42), the computer program instructions comprising program code configured to:
instantiate a behavior model associated with a container image (col. 7, lines 46-49), the behavior model being a data structure having a set of nodes (col. 15, lines 62-65), wherein a node represents one of:
a process, a file and a network socket, and wherein a system call is made by at least one process (col. 11, lines 26-32 and col. 12, lines 22-33);
as the container image executes, receive system call telemetry (metrics that are representative of behavior performed by the container, col. 9, lines 18-26 and 43-63);
responsive to receipt of the telemetry, determine whether the container image is executing in a manner inconsistent with its associated behavior model, thereby indicating an anomaly (col. 10, lines 20-30); and
upon a determination that the container image is executing in a manner inconsistent with its associated behavior model, take an automated action to attempt to address the anomaly (col. 11, lines 26-32).
Herman Saffar et al. fail to disclose a graph data structure having a set of nodes and a set of edges that is used for intrusion detection of a container, wherein an edge represents a system call made by at least one process represented in the graph data structure. In a related teaching, El Abed discloses a graph data structure having a set of nodes and a set of edges that is used for intrusion detection (unintended behavior such as malware, paragraph 0005) of a container, wherein an edge represents a system call made by at least one process represented in the graph data structure (paragraph 0035, col. 5, line 56 through col. 6, line 8).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Herman Saffar et al. to use edge analysis as a means to build and define the behavior of a container and detect deviation from baseline operations (paragraph 0006), wherein edges are associated with identifiers of system calls of respective consecutive records (paragraph 0012) and the size of an edge is based on the average time spent in the previous node linked to the edge (paragraph 0016). The approach disclosed by El Abed is an automated process executed by intelligent agents whose findings are displayed as graphs that analysts can readily interpret (paragraph 0010). The teachings of El Abed thus add to Herman Saffar et al. a more in-depth analysis whose graphical results, used to detect malware, are presented to an analyst for interpretation.
As per claim 10, Herman Saffar et al. disclose wherein the computer program code is further configured to generate the behavior model (col. 7, lines 33-49).
As per claim 11, Herman Saffar et al. teach wherein the behavior model is generated by a binary analysis that determines what library functions a given binary calls (system calls are the base block of each process, see col. 9, lines 14-28).
As per claim 12, Herman Saffar et al. disclose wherein the binary analysis determines what library functions a given binary calls by examining inter-procedural calls and finding a set of system calls reachable from the call points (col. 7, lines 42-64 and col. 9, lines 14-28). El Abed is relied upon for disclosing examining an inter-procedural call graph and finding a set of system calls reachable from the call graph (paragraph 0035, col. 5, line 56 through col. 6, line 8). Please refer above for the motivation for applying the teachings of El Abed to Herman Saffar et al.
As per claim 13, Herman Saffar et al. teach wherein the binary analysis generates the behavior model by micro-executing code reachable from an entrypoint of the container image (col. 6, lines 8-11 and col. 9, lines 14-28).
As per claim 14, Herman Saffar et al. disclose wherein the behavior model is instantiated in a hardware node in a Container Orchestration Engine (COE), and wherein the container image executes as a micro-service (col. 6, lines 8-11 and col. 8, lines 4-10).
As per claim 15, Herman Saffar et al. teach wherein the program code is further configured to enrich the behavior model (various sectors of data are collected, as is raw data collected from different sources, col. 9, lines 43-63) based on information representing one or more valid system calls seen by one or more other containers running on the hardware node (col. 6, lines 46-49 and col. 15, lines 62-65).
As per claim 16, Herman Saffar et al. disclose wherein the automated action is one of: mitigation, notification, sandboxing and logging (col. 8, lines 38-44).
As per claim 17, Herman Saffar et al. teach a computer program product in a non-transitory computer-readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the data processing system (col. 16, lines 24-25 and 30-33) to perform intrusion detection in association with a container environment (col. 7, lines 33-42), the computer program instructions comprising program code configured to:
instantiate a behavior model associated with a container image (col. 7, lines 46-49), the behavior model being a data structure having a set of nodes (col. 15, lines 62-65), wherein a node represents one of:
a process, a file and a network socket, and wherein a system call is made by at least one process (col. 11, lines 26-32 and col. 12, lines 22-33);
as the container image executes, receive system call telemetry (metrics that are representative of behavior performed by the container, col. 9, lines 18-26 and 43-63);
responsive to receipt of the telemetry, determine whether the container image is executing in a manner inconsistent with its associated behavior model, thereby indicating an anomaly (col. 10, lines 20-30); and
upon a determination that the container image is executing in a manner inconsistent with its associated behavior model, take an automated action to attempt to address the anomaly (col. 11, lines 26-32).
Herman Saffar et al. fail to disclose a graph data structure having a set of nodes and a set of edges that is used for intrusion detection of a container, wherein an edge represents a system call made by at least one process represented in the graph data structure. In a related teaching, El Abed discloses a graph data structure having a set of nodes and a set of edges that is used for intrusion detection (unintended behavior such as malware, paragraph 0005) of a container, wherein an edge represents a system call made by at least one process represented in the graph data structure (paragraph 0035, col. 5, line 56 through col. 6, line 8).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Herman Saffar et al. to use edge analysis as a means to build and define the behavior of a container and detect deviation from baseline operations (paragraph 0006), wherein edges are associated with identifiers of system calls of respective consecutive records (paragraph 0012) and the size of an edge is based on the average time spent in the previous node linked to the edge (paragraph 0016). The approach disclosed by El Abed is an automated process executed by intelligent agents whose findings are displayed as graphs that analysts can readily interpret (paragraph 0010). The teachings of El Abed thus add to Herman Saffar et al. a more in-depth analysis whose graphical results, used to detect malware, are presented to an analyst for interpretation.
As per claim 18, Herman Saffar et al. disclose wherein the computer program code is further configured to generate the behavior model (col. 7, lines 33-49).
As per claim 19, Herman Saffar et al. teach wherein the behavior model is generated by a binary analysis that determines what library functions a given binary calls (system calls are the base block of each process, see col. 9, lines 14-28).
As per claim 20, Herman Saffar et al. disclose wherein the binary analysis determines what library functions a given binary calls by examining inter-procedural calls and finding a set of system calls reachable from the call points (col. 7, lines 42-64 and col. 9, lines 14-28). El Abed is relied upon for disclosing examining an inter-procedural call graph and finding a set of system calls reachable from the call graph (paragraph 0035, col. 5, line 56 through col. 6, line 8). Please refer above for the motivation for applying the teachings of El Abed to Herman Saffar et al.
As per claim 21, Herman Saffar et al. teach wherein the binary analysis generates the behavior model by micro-executing code reachable from an entrypoint of the container image (col. 6, lines 8-11 and col. 9, lines 14-28).
As per claim 22, Herman Saffar et al. disclose wherein the behavior model is instantiated in a hardware node in a Container Orchestration Engine (COE), and wherein the container image executes as a micro-service (col. 6, lines 8-11 and col. 8, lines 4-10).
As per claim 23, Herman Saffar et al. teach wherein the program code is further configured to enrich the behavior model (various sectors of data are collected, as is raw data collected from different sources, col. 9, lines 43-63) based on information representing one or more valid system calls seen by one or more other containers running on the hardware node (col. 6, lines 46-49 and col. 15, lines 62-65).
As per claim 24, Herman Saffar et al. disclose wherein the automated action is one of: mitigation, notification, sandboxing and logging (col. 8, lines 38-44).
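The claimed technique (claims 1, 3-5, 7 and 8, and their apparatus and program-product counterparts in claims 9-16 and 17-24) is easier to follow with a concrete model in hand. The Python below is an added worked example written for this page; it is not code from the application, from Herman Saffar et al., or from El Abed. The libc-to-syscall table, the call graph of a hypothetical "web" binary, the baseline and live telemetry records, and the mapping from anomaly type to automated action are all constructed assumptions chosen to exercise each step: static reachability from the entrypoint (claims 3-5), a node/edge behavior model with process, file and socket nodes and syscall edges (claim 1), enrichment from a peer container on the same host (claim 7), and selection of mitigation, notification, sandboxing or logging (claim 8).

```python
from dataclasses import dataclass, field

# Constructed for this example: which Linux system calls each libc wrapper
# ultimately issues. A real model would derive this from the binary's imports.
LIBC_SYSCALLS = {
    "fopen": {"openat"}, "fread": {"read"}, "fclose": {"close"},
    "socket": {"socket"}, "connect": {"connect"}, "send": {"sendto"},
    "system": {"clone", "execve"},
}


def reachable_syscalls(call_graph, entry):
    """Claims 3-5: walk the inter-procedural call graph from the image
    entrypoint and collect every system call reachable via a libc call point."""
    seen, stack, calls = set(), [entry], set()
    while stack:
        fn = stack.pop()
        if fn in seen:
            continue
        seen.add(fn)
        calls |= LIBC_SYSCALLS.get(fn, set())
        stack.extend(call_graph.get(fn, ()))
    return calls


@dataclass
class BehaviorModel:
    """Claim 1: nodes are processes, files and network sockets; an edge is a
    system call made by a process node against some other node."""
    nodes: dict = field(default_factory=dict)  # name -> "process"|"file"|"socket"
    edges: set = field(default_factory=set)    # (process, syscall, target)
    allowed_syscalls: set = field(default_factory=set)

    @classmethod
    def from_image(cls, call_graph, entry, baseline):
        """Static reachability gives the syscall vocabulary the binary can use;
        a benign baseline run of the image gives the concrete process->target edges."""
        model = cls(allowed_syscalls=reachable_syscalls(call_graph, entry))
        for ev in baseline:
            model.add_edge(ev["comm"], ev["syscall"], ev["target"], ev["kind"])
        return model

    def add_edge(self, proc, syscall, target, kind):
        self.nodes[proc] = "process"
        self.nodes[target] = kind
        self.edges.add((proc, syscall, target))

    def enrich(self, other):
        """Claim 7: fold in valid edges seen by other containers on the same host."""
        self.nodes.update(other.nodes)
        self.edges |= other.edges
        self.allowed_syscalls |= other.allowed_syscalls


def classify(model, ev):
    """Claims 1 and 8: compare one telemetry record with the model and choose an
    action. A syscall the binary cannot even reach is the strongest signal
    (mitigation); a reachable syscall against an unexpected socket is sandboxed,
    against an unexpected file it is reported; a known edge is merely logged."""
    edge = (ev["comm"], ev["syscall"], ev["target"])
    if ev["syscall"] not in model.allowed_syscalls:
        return True, "mitigation"
    if edge not in model.edges:
        return True, "sandboxing" if ev["kind"] == "socket" else "notification"
    return False, "logging"


def detect(model, telemetry):
    """Return the anomalous records together with the action chosen for each."""
    hits = []
    for ev in telemetry:
        anomalous, action = classify(model, ev)
        if anomalous:
            hits.append((ev, action))
    return hits


# Constructed call graph of a hypothetical "web" binary; system() is dead code.
CALL_GRAPH = {
    "main": ["load_config", "serve"],
    "load_config": ["fopen", "fread", "fclose"],
    "serve": ["socket", "connect", "send"],
    "maintenance": ["system"],  # never reached from main
}

BASELINE = [  # constructed telemetry from a benign run of the image
    {"comm": "web", "syscall": "openat", "target": "/app/config.yml", "kind": "file"},
    {"comm": "web", "syscall": "connect", "target": "10.0.0.5:3306", "kind": "socket"},
]

LIVE = [  # constructed runtime telemetry: one benign record, then deviations
    {"comm": "web", "syscall": "openat", "target": "/app/config.yml", "kind": "file"},
    {"comm": "web", "syscall": "execve", "target": "/bin/sh", "kind": "process"},
    {"comm": "web", "syscall": "openat", "target": "/etc/shadow", "kind": "file"},
    {"comm": "web", "syscall": "connect", "target": "198.51.100.7:4444", "kind": "socket"},
    {"comm": "web", "syscall": "openat", "target": "/etc/ssl/certs/ca.pem", "kind": "file"},
]

MODEL = BehaviorModel.from_image(CALL_GRAPH, "main", BASELINE)
# Claim 7: a replica of the same image on this host legitimately read the CA bundle.
PEER = BehaviorModel.from_image(CALL_GRAPH, "main", [LIVE[4]])

if __name__ == "__main__":
    for ev, action in detect(MODEL, LIVE):
        print(f"{action:12s} {ev['comm']} {ev['syscall']} {ev['target']}")
```

Running the block reports four anomalies; after `MODEL.enrich(PEER)` the CA-bundle read is no longer flagged, which is the point of enrichment: it reduces false positives without loosening the syscall vocabulary derived from the binary itself.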

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Mookiah et al., U.S. Patent 10,726,123, discloses determining whether requests to data objects are malicious based upon data object definitions, see column 38, lines 1-13.
Joglekar et al., WO 2020/060537 A1, discloses evaluating system calls and commands at the microservice level to determine whether abnormal conditions exist, see page 4, lines 7-11.
Lei et al., “Speaker: Split-Phase Execution of Application Containers”, discloses container security that includes using a sandbox to intercept system calls, see pages 19-20.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431