DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 22 February 2022 has been entered.
 
Response to Arguments
Applicant's arguments filed 22 February 2022 have been fully considered but they are not persuasive.
In response to applicant’s arguments that the cited references do not teach “using inspector container…the application container,” page 13, lines 1-4, the examiner respectfully disagrees.
Duan discloses that shares data between containers and VMs (Para. 22, 30), intercepts the processes, network connections, and other resources of the app container (Para. 44, 53), and intercepts communications from app containers (Para. 35, 43, 45, 49, 51).
Duan further discloses that an operating system may support a container environment by having a kernel that has enabled operating-system-level virtualization for multiple isolated containers (Para. 26, 33, 34).  The container service facilitates the connection of the app container to the network, wherein the connection may also be tunneled using an encryption protocol (e.g., secure sockets layer (SSL)), (Para. 35), and traffic to and from the app containers may include packets, wherein characteristics of the packets may include a source network address, type of packet, contents of the packet, and headers of the packet, and protocol of network traffic (Para. 63, 86).
Ahuja discloses a system that controls data entering or exiting the device (Para. 28).  Applications within the device may be containerized, and communications between applications and the device subsystem can be facilitated via I/O system calls to /dev/binder on the kernel and the security module can interface with the kernel binder to allow for monitoring and intercepting of I/O-related system calls (Para. 34).  The system monitors and intercepts file operations including read, write, create, and other operations and attempts to access stored files, such as photograph data (Par. 36, 38, 47, 48).  Files can be inspected and tagged to indicate whether the file is sensitive and whether particular policies are applicable to the file, and data that is the subject of a particular system call can be inspected and scanned in order to determine the confidential or sensitive nature of the data (Para. 34, 36, 43).  The applicable policy is determined and an action, such as disallowance of the system call or access to the data may be constrained/blocked, may be performed (Para. 37, 47).
Ahuja further discloses encrypting, for a given application, all data used or generated by a particular application, (Para. 32), and intercepting data included in system calls and identifying that the data is of a sensitive nature and should be encrypted (Para. 43).
Evans (newly cited) discloses directing a request to a function library that includes a custom version of the function that facilitates transferring, between the application container and the external data source, an encrypted version of the data that is unintelligible to an external application running outside the application container and providing an unencrypted version of the data to the external application to enable the external application to inspect the data (Col. 7, lines 14-34; Col. 8, lines 43-65), wherein the function library may reside within the application container (Col. 9, lines 29-34).
Combining the references brings about a system that uses the inspector container, which is another container different from the application container, to gain kernel access to inspect content of the file and that the content is encapsulated outside of the application container such that the data content is obfuscated outside of the application container.  Therefore, the aforementioned limitations are taught by the combination of the cited references.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 8, 9, and 11-13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Regarding claim 8, lines 17-18—“an application container,” it is unclear as to whether the “application container” is intended to correspond to the “one or more application containers” of line 2 or is a separate container.  For examination purposes, the examiner shall equate the application container of lines 17-18 with the one or more application containers. 

Claims 9 and 11-13 are additionally rejected for being dependent on at least one rejected base claim.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 5, 8, 9, 11, 12, 15, 16, 18, 19, and 21-26 are rejected under 35 U.S.C. 103 as being unpatentable over Duan (US 2017/0093923 A1) in view of Ahuja et al. (US 2014/0194094 A1) in view of Evans et al. (US 10,447,720 B1) and further in view of Smelov et al. (US 2019/0342315 A1).
Regarding claim 1, Duan teaches a method in a container system, (Fig. 1), comprising: 
monitoring one or more activities of an application container, i.e. an App container (Fig. 1, el. 120A-120D), in the container system by intercepting data from the one or more activities of the application container, e.g. intercepting communications from app containers (Para. 35, 43, 45, 49, 51),
the application container including computer-readable instructions and initiated via a container service, i.e. a container service (Fig. 1, el. 130A, 130B), and isolated using operating system-level virtualization that is enabled by a kernel of an operating system, the kernel enabling a plurality of containers sharing the kernel, e.g. an operating system may support a container environment by having a kernel that has enabled operating-system-level virtualization for multiple isolated containers (Para. 26, 33, 34); utilizing the container service to assist with the deployment, execution, and isolation of the containers (Para. 29), 
the plurality of containers including the application container and an inspector container, i.e. a security container (Fig. 1, el. 150A, 150B), the monitoring performed by the inspector container…to access the application container, e.g. performing the monitoring by the security container located within the virtual machine/container server, wherein the security container may monitor container related events utilizing the container service (Para. 35, 41, 43, 45, 49, 51),
wherein monitoring the one or more activities comprises:
intercepting, by the inspector container, a network activity of the application container attempting to transmit a file to a network destination outside of the container system, e.g. sharing data between containers and VMs (Para. 22, 30); intercepting the processes, network connections, and other resources of the app container (Para. 44, 53); intercepting communications from app containers (Para. 35, 43, 45, 49, 51); wherein the app container may access files and may view file systems (Para. 27, 86);
wherein content of the file is encapsulated outside of the application container such that the data content is obfuscated outside of the application container, e.g. the container service facilitates the connection of the app container to the network, wherein the connection may also be tunneled using an encryption protocol (e.g., secure sockets layer (SSL)) (Para. 35); traffic to and from the app containers may include packets, wherein characteristics of the packets may include a source network address, type of packet, contents of the packet, headers of the packet, and protocol of network traffic (Para. 63, 86);
inspecting the content of the file being attempted to be transmitted to the network destination associated with the network activity, e.g. the security container may be able to monitor this traffic and inspect it to determine if a network security issue exists (Para. 37),
wherein inspecting the content of the file comprises:  retrieving…a policy that controls transmission of…data, e.g. utilizing the traffic inspector to determine to drop the packets based on the one or more rules (Para. 63, 64); utilizing a quarantine detector to determining to quarantine network traffic from the app container based on the policy (Para. 89, 90, 92, 111, 112); and
applying the policy to one or more application-container packets to find whether the policy matches exist in the one or more application-container packets, the one or more application-container packets carrying the content of the file, e.g. performing a dynamic analysis of the contents of the packets (Para. 37, 63, 64); utilizing the traffic inspector to determine to drop the packets based on the one or more rules, wherein the rules contain criteria, such as the type of packet and the packet contents, that indicates whether packets should be forwarded or dropped (Para. 63, 64); utilizing a quarantine detector to determining to quarantine network traffic from the app container based on the policy (Para. 89, 90, 92, 111, 112);
determining, in response to the policy, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the…data out of the application container; triggering an action specified in the policy in response to determining that the network activity involves the attempt to transmit the…data out of the application container, e.g. determining to drop the packets based on the one or more rules (Para. 63, 64); determining to quarantine network traffic from the app container (Para. 89, 90, 92, 111, 112).
Duan does not clearly teach the monitoring performed by the inspector container using the kernel to access the application container; obtaining, by the inspector container using the kernel to access the application container, an unobfuscated content of the file that corresponds to the network activity; wherein inspecting the content of the file comprises:  retrieving a template corresponding to a policy that controls transmission of sensitive personal data, the template comprising one or more regular expressions that represent patterns of the sensitive personal data; and applying, by the inspector container, the one or more regular expressions to the unobfuscated content of the file that is obtained using the kernel to find whether one or more regular expression matches exist in the content of the file; determining, in response to one or more regular expression matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container; triggering an action specified in the policy in response to determining that the network activity involves the attempt to transmit the sensitive personal data out of the application container.
Ahuja teaches the monitoring performed by the security module using the kernel to access the application container, e.g. applications are containerized, and communications between applications and the device subsystem can be facilitated via I/O system calls to /dev/binder on the kernel and the security module can interface with the kernel binder to allow for monitoring and intercepting of I/O-related system calls (Para. 34);
 wherein monitoring the one or more activities comprises:  intercepting, by the security module, a network activity of the application container attempting to transmit a file to a network destination outside of the container system, e.g. controlling data entering or exiting the device (Para. 28); applications are containerized, and communications between applications and the device subsystem can be facilitated via I/O system calls (Para. 34); monitoring file operations including read, write, create, and other operations (Par. 36, 38, 48); intercepting an attempt to access or share photograph data (Para. 47),
wherein content of the file is encapsulated outside of the application container such that the data content is obfuscated outside of the application container, e.g. encrypting, for a given application, all data used or generated by a particular application (Para. 32); intercepting data included in system calls and identifying that the data is of a sensitive nature and should be encrypted (Para. 43);
inspecting the content of the file being attempted to be transmitted to the network destination associated with the network activity, wherein inspecting the content of the file comprises:  retrieving a template corresponding a policy that controls transmission of sensitive personal data, the template comprising…patterns of the sensitive personal data, e.g. inspecting intercepted system calls (Para. 34, 43); files can be inspected and tagged to indicate whether the file is sensitive and whether particular policies are applicable to the file, and data that is the subject of a particular system call can be inspected and scanned to check for patterns in order to determine the confidential or sensitive nature of the data (Para. 34, 36, 43); and
applying, by the security module, the one or more policies and patterns to the…content of the file that is obtained using the kernel to find whether…matches exist in the content of the file, e.g. files can be inspected and tagged to indicate whether the file is sensitive and whether particular policies are applicable to the file, and data that is the subject of a particular system call can be inspected and scanned to check for patterns in order to determine the confidential or sensitive nature of the data (Para. 34, 36, 43); determining the applicable policy and performing an action, such as disallowance of the system call (Para. 37); determining that access to data should be constrained or blocked based on a policy (Para. 47);
determining, in response to one or more…matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container; triggering an action specified in the policy in response to determining that the network activity involves the attempt to transmit the sensitive personal data out of the application container, e.g. files can be inspected and tagged to indicate whether the file is sensitive and whether particular policies are applicable to the file, and data that is the subject of a particular system call can be inspected and scanned to check for patterns in order to determine the confidential or sensitive nature of the data (Para. 34, 36, 43); determining the applicable policy and performing an action, such as disallowance of the system call (Para. 37); determining that access to data should be constrained or blocked based on a policy (Para. 47).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify Duan to include the monitoring performed by the inspector container using the kernel to access the application container; wherein inspecting the content of the file comprises:  retrieving a template corresponding to a policy that controls transmission of sensitive personal data; and determining, in response to matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container; triggering an action specified in the policy in response to determining that the network activity involves the attempt to transmit the sensitive personal data out of the application container, using the known method of controlling data entering or exiting the device by intercepting and inspecting I/O system calls for files, as taught by Ahuja, in combination with the app container activity interception and inspection system of Duan, for the purpose of providing a flexible policy framework and preserving configurations of applications and subsystems (Ahuja-Para. 13).
Duan in view of Ahuja does not clearly teach obtaining, by the inspector container using the kernel to access the application container, an unobfuscated content of the file that corresponds to the network activity; the template comprising one or more regular expressions that represent patterns of the sensitive personal data; and  applying, by the inspector container, the one or more regular expressions to the unobfuscated content of the file that is obtained using the kernel to find whether one or more regular expression matches exist in the content of the file; determining, in response to one or more regular expression matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container.
Evans teaches wherein content of the file is encapsulated outside of the application container, i.e. an application container (Fig. 2, el. 212), such that the data content is obfuscated outside of the application container, e.g. transferring, between the application container and the external data source, an encrypted version of the data that is unintelligible to an external application running outside the application container (Col. 7, lines 14-34; Col. 8, lines 43-65); and
 obtaining, by the external application…to access the application container, an unobfuscated content of the file that corresponds to the network activity, e.g. directing a request to a function library that includes a custom version of the function that facilitates providing an unencrypted version of the data to the external application to enable the external application to inspect the data (Col. 8, lines 43-65), wherein the function library may reside within the application container (Col. 9, lines 29-34).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify Duan in view of Ahuja to include obtaining, by the inspector container using the kernel to access the application container, an unobfuscated content of the file that corresponds to the network activity, using the known method of determining directing a request to a function library that includes a custom version of the function that facilitates providing an unencrypted version of the data to the external application to enable the external application to inspect the data, wherein the function library may reside within the application container, as taught by Evans, in combination with the app container activity interception, inspection, and reporting system of Duan in view of Ahuja, for the purpose of enabling a host operating system and/or other software running outside the application container to efficiently monitor and inspect data transferred between the application container and an external data source and strengthening the security of the computing device that includes the application container (Evans-Col. 4, lines 12-28).
Duan in view of Ahuja in view of Evans does not clearly teach the template comprising one or more regular expressions that represent patterns of the sensitive personal data; and applying, by the inspector container, the one or more regular expressions to the unobfuscated content of the file that is obtained using the kernel to find whether one or more regular expression matches exist in the content of the file; determining, in response to one or more regular expression matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container.
Smelov teaches inspecting the content of a file being attempted to be transmitted to a network destination associated with network activity, wherein inspecting the content of the file comprises: retrieving a template corresponding a policy that controls transmission of sensitive personal data, the template comprising one or more regular expressions that represent patterns of the sensitive personal data, e.g. determining whether to restrict data using an administrative policy, wherein the policy may specify packets containing potentially sensitive data are not to leave the client device via the embedded browser, and the potentially sensitive data may be defined using regular expressions (Para. 173, 186); and 
applying…the one or more regular expressions to the unobfuscated content of the file…to find whether one or more regular expression matches exist in the content of the file, e.g. determining whether to restrict data using an administrative policy, wherein the policy may specify packets containing potentially sensitive data are not to leave the client device via the embedded browser, and the potentially sensitive data may be defined using regular expressions (Para. 173, 186); the client application/CEB can include or be associated with a secure container and the container may include documents (Para. 103, 106); 
determining, in response to one or more regular expression matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container; triggering an action specified in the policy in response to determining that the network activity involves the attempt to transmit the sensitive personal data out of the application container, e.g. determining whether to restrict data using an administrative policy, wherein the policy may specify packets containing potentially sensitive data are not to leave the client device via the embedded browser, and the potentially sensitive data may be defined using regular expressions (Para. 173, 180, 186); the client application/CEB can include or be associated with a secure container and the container may include documents (Para. 103, 106).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify Duan in view of Ahuja in view of Evans to include the template comprising one or more regular expressions that represent patterns of the sensitive personal data; and applying, by the inspector container, the one or more regular expressions to the unobfuscated content of the file that is obtained using the kernel to find whether one or more regular expression matches exist in the content of the file; determining, in response to one or more regular expression matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container, using the known method of determining whether to restrict data using an administrative policy, wherein the policy may specify packets containing potentially sensitive data are not to leave the client device via the embedded browser, and the potentially sensitive data may be defined using regular expressions, as taught by Smelov, in combination with the app container activity interception, inspection, and reporting system of Duan in view of Ahuja in view of Evans, for the purpose of improving the security of sensitive files and aiding in the Data Loss Prevention of the files.

Regarding claim 2, Duan in view of Ahuja in view of Evans in view of Smelov teaches wherein the network activity is associated with providing network data from the application container to a virtual switch, i.e. a virtual switch (Duan-Fig. 1, el. 135A, 135B), of the container system, e.g. intercepting connections between the app containers and the virtual switch (Duan-Para. 46, 49, 52); inserting the security container within the flow of the connection between the app container and the virtual switch (Duan-Para. 59).

Regarding claim 4, Duan in view of Ahuja in view of Evans in view of Smelov teaches wherein monitoring the one or more activities further comprises: intercepting file system activity from the application container to capture data written and read from a virtual storage, e.g. a virtual machine (Duan-Fig. 1, el. 115A-115N), of the container system, e.g. sharing data between containers and VMs (Duan-Para. 22, 30); intercepting the processes, network connections, and other resources of the app container (Duan-Para. 44, 53); 
Also note Ahuja discloses controlling data entering or exiting the device (Ahuja-Para. 28); communications between applications and the device subsystem can be facilitated via I/O system calls (Ahuja-Para. 34); monitoring file operations including read, write, create, and other operations (Ahuja-Par. 36, 38, 48); intercepting an attempt to access or share photograph data (Ahuja-Para. 47).

Regarding claim 5, Duan in view of Ahuja in view of Evans in view of Smelov teaches all elements of claim 4.
Duan does not explicitly teach wherein the file system activity is intercepted by monitoring system call requests from the application container.
Ahuja teaches wherein the file system activity is intercepted by monitoring system call requests from the application container, e.g. communications between applications and the device subsystem can be facilitated via I/O system calls (Ahuja-Para. 34); monitoring file operations including read, write, create, and other operations (Ahuja-Par. 36, 38, 48).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify Duan to include wherein the file system activity is intercepted by monitoring system call requests from the application container, using the same motivation as in claim 1.

Regarding claim 8, Duan teaches a container system, (Fig. 1), comprising: 
one or more application containers, i.e. an App container (Fig. 1, el. 120A-120D), each application container including computer-readable instructions and initiated via a container service, i.e. a container service (Fig. 1, el. 130A, 130B), and isolated using operating system-level virtualization that is enabled by a kernel of an operating system, the kernel enabling a plurality of containers sharing the kernel, the plurality of containers including the one or more application containers, e.g. an operating system may support a container environment by having a kernel that has enabled operating-system-level virtualization for multiple isolated containers (Para. 26, 33, 34); utilizing the container service to assist with the deployment, execution, and isolation of the containers (Para. 29), 
an inspector container, i.e. a security container (Fig. 1, el. 150A, 150B), that is enabled by the kernel and shares the kernel with the one or more application containers, e.g. an operating system may support a container environment by having a kernel that has enabled operating-system-level virtualization for multiple isolated containers (Para. 26, 33, 34), 
the inspector container configured to:
monitor one or more activities of the one or more application containers by intercepting data from the one or more activities of the one or more application containers, e.g. intercepting communications from app containers (Para. 35, 43, 45, 49, 51),
the monitoring performed by the inspector container…to access the one or more application containers, e.g. performing the monitoring by the security container located within the virtual machine/container server, wherein the security container may monitor container related events utilizing the container service (Para. 35, 41, 43, 45, 49, 51),
wherein monitoring the one or more activities comprises:
intercepting, by the inspector container, a network activity of the application container attempting to transmit a file to a network destination outside of the container system, e.g. sharing data between containers and VMs (Para. 22, 30); intercepting the processes, network connections, and other resources of the app container (Para. 44, 53); intercepting communications from app containers (Para. 35, 43, 45, 49, 51); wherein the app container may access files and may view file systems (Para. 27, 86);
wherein content of the file is encapsulated outside of the application container such that the data content is obfuscated outside of the application container, e.g. the container service facilitates the connection of the app container to the network, wherein the connection may also be tunneled using an encryption protocol (e.g., secure sockets layer (SSL)) (Para. 35); traffic to and from the app containers may include packets, wherein characteristics of the packets may include a source network address, type of packet, contents of the packet, and headers of the packet, and protocol of network traffic (Para. 63, 86);
inspect the content of the file being attempted to be transmitted to the network destination associated with the network activity network activity, e.g. the security container may be able to monitor this traffic and inspect it to determine if a network security issue exists (Para. 37),
wherein inspecting the content of the file comprises:  retrieving…a policy that controls transmission of…data, e.g. utilizing the traffic inspector to determine to drop the packets based on the one or more rules (Para. 63, 64); utilizing a quarantine detector to determining to quarantine network traffic from the app container based on the policy (Para. 89, 90, 92, 111, 112); and
applying the policy to one or more application-container packets to find whether the policy matches exist in the one or more application-container packets, the one or more application-container packets carrying the content of the file, e.g. performing a dynamic analysis of the contents of the packets (Para. 37, 63, 64); utilizing the traffic inspector to determine to drop the packets based on the one or more rules, wherein the rules contain criteria, such as the type of packet and the packet contents, that indicates whether packets should be forwarded or dropped (Para. 63, 64); utilizing a quarantine detector to determining to quarantine network traffic from the app container based on the policy (Para. 89, 90, 92, 111, 112);
determining, in response to the policy, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the…data out of the application container; triggering an action specified in the policy in response to determining that the network activity involves the attempt to transmit the…data out of the application container, e.g. determining to drop the packets based on the one or more rules (Para. 63, 64); determining to quarantine network traffic from the app container (Para. 89, 90, 92, 111, 112).
Duan does not clearly teach the monitoring performed by the inspector container using the kernel to access the one or more application containers; obtaining, by the inspector container using the kernel to access the application container, an unobfuscated content of the file that corresponds to the network activity; wherein inspecting the content of the file comprises:  retrieving a template corresponding to a policy that controls transmission of sensitive personal data, the template comprising one or more regular expressions that represent patterns of the sensitive personal data; and applying, by the inspector container, the one or more regular expressions to the unobfuscated content of the file that is obtained using the kernel to find whether one or more regular expression matches exist in the content of the file; determining, in response to one or more regular expression matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container; triggering an action specified in the policy in response to determining that the network activity involves the attempt to transmit the sensitive personal data out of the application container.
Ahuja teaches the monitoring performed by the security module using the kernel to access the one or more application containers, e.g. applications are containerized, and communications between applications and the device subsystem can be facilitated via I/O system calls to /dev/binder on the kernel and the security module can interface with the kernel binder to allow for monitoring and intercepting of I/O-related system calls (Para. 34);
 wherein monitoring the one or more activities comprises:  intercepting, by the security module, a network activity of the application container attempting to transmit a file to a network destination outside of the container system, e.g. controlling data entering or exiting the device (Para. 28); applications are containerized, and communications between applications and the device subsystem can be facilitated via I/O system calls (Para. 34); monitoring file operations including read, write, create, and other operations (Par. 36, 38, 48); intercepting an attempt to access or share photograph data (Para. 47),
wherein content of the file is encapsulated outside of the application container such that the data content is obfuscated outside of the application container, e.g. encrypting, for a given application, all data used or generated by a particular application (Para. 32); intercepting data included in system calls and identifying that the data is of a sensitive nature and should be encrypted (Para. 43);
inspecting the content of the file being attempted to be transmitted to the network destination associated with the network activity, wherein inspecting the content of the file comprises:  retrieving a template corresponding a policy that controls transmission of sensitive personal data, the template comprising…patterns of the sensitive personal data, e.g. inspecting intercepted system calls (Para. 34, 43); files can be inspected and tagged to indicate whether the file is sensitive and whether particular policies are applicable to the file, and data that is the subject of a particular system call can be inspected and scanned to check for patterns in order to determine the confidential or sensitive nature of the data (Para. 34, 36, 43); and
applying, by the security module, the one or more policies and patterns to the…content of the file that is obtained using the kernel to find whether…matches exist in the content of the file, e.g. files can be inspected and tagged to indicate whether the file is sensitive and whether particular policies are applicable to the file, and data that is the subject of a particular system call can be inspected and scanned to check for patterns in order to determine the confidential or sensitive nature of the data (Para. 34, 36, 43); determining the applicable policy and performing an action, such as disallowance of the system call (Para. 37); determining that access to data should be constrained or blocked based on a policy (Para. 47);
determining, in response to one or more…matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container; triggering an action specified in the policy in response to determining that the network activity involves the attempt to transmit the sensitive personal data out of the application container, e.g. files can be inspected and tagged to indicate whether the file is sensitive and whether particular policies are applicable to the file, and data that is the subject of a particular system call can be inspected and scanned to check for patterns in order to determine the confidential or sensitive nature of the data (Para. 34, 36, 43); determining the applicable policy and performing an action, such as disallowance of the system call (Para. 37); determining that access to data should be constrained or blocked based on a policy (Para. 47).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify Duan to include the monitoring performed by the inspector container using the kernel to access the one or more application containers; wherein inspecting the content of the file comprises:  retrieving a template corresponding to a policy that controls transmission of sensitive personal data; and determining, in response to matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container; triggering an action specified in the policy in response to determining that the network activity involves the attempt to transmit the sensitive personal data out of the application container, using the known method of controlling data entering or exiting the device by intercepting and inspecting I/O system calls for files, as taught by Ahuja, in combination with the app container activity interception and inspection system of Duan, for the purpose of providing a flexible policy framework and preserving configurations of applications and subsystems (Ahuja-Para. 13).
Duan in view of Ahuja does not clearly teach obtaining, by the inspector container using the kernel to access the application container, an unobfuscated content of the file that corresponds to the network activity; the template comprising one or more regular expressions that represent patterns of the sensitive personal data; and  applying, by the inspector container, the one or more regular expressions to the unobfuscated content of the file that is obtained using the kernel to find whether one or more regular expression matches exist in the content of the file; determining, in response to one or more regular expression matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container.
Evans teaches wherein content of the file is encapsulated outside of the application container, i.e. an application container (Fig. 2, el. 212), such that the data content is obfuscated outside of the application container, e.g. transferring, between the application container and the external data source, an encrypted version of the data that is unintelligible to an external application running outside the application container (Col. 7, lines 14-34; Col. 8, lines 43-65); and
 obtaining, by the external application…to access the application container, an unobfuscated content of the file that corresponds to the network activity, e.g. directing a request to a function library that includes a custom version of the function that facilitates providing an unencrypted version of the data to the external application to enable the external application to inspect the data (Col. 8, lines 43-65), wherein the function library may reside within the application container (Col. 9, lines 29-34).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify Duan in view of Ahuja to include obtaining, by the inspector container using the kernel to access the application container, an unobfuscated content of the file that corresponds to the network activity, using the known method of determining directing a request to a function library that includes a custom version of the function that facilitates providing an unencrypted version of the data to the external application to enable the external application to inspect the data, wherein the function library may reside within the application container, as taught by Evans, in combination with the app container activity interception, inspection, and reporting system of Duan in view of Ahuja, for the purpose of enabling a host operating system and/or other software running outside the application container to efficiently monitor and inspect data transferred between the application container and an external data source and strengthening the security of the computing device that includes the application container (Evans-Col. 4, lines 12-28).
Duan in view of Ahuja in view of Evans does not clearly teach the template comprising one or more regular expressions that represent patterns of the sensitive personal data; and applying, by the inspector container, the one or more regular expressions to the unobfuscated content of the file that is obtained using the kernel to find whether one or more regular expression matches exist in the content of the file; determining, in response to one or more regular expression matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container.
Smelov teaches inspecting the content of a file being attempted to be transmitted to a network destination associated with network activity, wherein inspecting the content of the file comprises: retrieving a template corresponding a policy that controls transmission of sensitive personal data, the template comprising one or more regular expressions that represent patterns of the sensitive personal data, e.g. determining whether to restrict data using an administrative policy, wherein the policy may specify packets containing potentially sensitive data are not to leave the client device via the embedded browser, and the potentially sensitive data may be defined using regular expressions (Para. 173, 186); and 
applying…the one or more regular expressions to the unobfuscated content of the file…to find whether one or more regular expression matches exist in the content of the file, e.g. determining whether to restrict data using an administrative policy, wherein the policy may specify packets containing potentially sensitive data are not to leave the client device via the embedded browser, and the potentially sensitive data may be defined using regular expressions (Para. 173, 186); the client application/CEB can include or be associated with a secure container and the container may include documents (Para. 103, 106); 
determining, in response to one or more regular expression matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container; triggering an action specified in the policy in response to determining that the network activity involves the attempt to transmit the sensitive personal data out of the application container, e.g. determining whether to restrict data using an administrative policy, wherein the policy may specify packets containing potentially sensitive data are not to leave the client device via the embedded browser, and the potentially sensitive data may be defined using regular expressions (Para. 173, 180, 186); the client application/CEB can include or be associated with a secure container and the container may include documents (Para. 103, 106).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify Duan in view of Ahuja in view of Evans to include the template comprising one or more regular expressions that represent patterns of the sensitive personal data; and applying, by the inspector container, the one or more regular expressions to the unobfuscated content of the file that is obtained using the kernel to find whether one or more regular expression matches exist in the content of the file; determining, in response to one or more regular expression matches are found, that the network activity attempting to transmit the file to the network destination involves an attempt to transmit the sensitive personal data out of the application container, using the known method of determining whether to restrict data using an administrative policy, wherein the policy may specify packets containing potentially sensitive data are not to leave the client device via the embedded browser, and the potentially sensitive data may be defined using regular expressions, as taught by Smelov, in combination with the app container activity interception, inspection, and reporting system of Duan in view of Ahuja in view of Evans, for the purpose of improving the security of sensitive files and aiding in the Data Loss Prevention of the files.

Regarding claim 9, the claim is analyzed with respect to claim 2. 

Regarding claim 11, the claim is analyzed with respect to claim 4. 

Regarding claim 12, the claim is analyzed with respect to claim 5. 

Regarding claim 15, the claim is analyzed with respect to claim 1.  Duan in view of Ahuja in view of Evans in view of Smelov further teaches a non-transitory computer storage readable medium configured to store instructions, e.g. processor instructions, main memory instructions, or machine-readable medium instructions (Duan-Fig. 7, el. 704, 722, 724), the instructions that when executed by a processor, i.e. a processor (Duan-Fig. 7, el. 702), cause the processor to perform the steps.

Regarding claim 16, the claim is analyzed with respect to claim 2. 

Regarding claim 18, the claim is analyzed with respect to claim 4. 

Regarding claim 19, the claim is analyzed with respect to claim 5. 

Regarding claim 21, Duan in view of Ahuja in view of Evans in view of Smelov teaches wherein monitoring the one or more activities further comprises:  monitoring file system activity of the application container by intercepting file system calls by the application container to virtual storage associated with the application container, e.g. a virtual machine (Duan-Fig. 1, el. 115A-115N), e.g. sharing data between containers and VMs (Duan-Para. 22, 30); intercepting the processes, network connections, and other resources of the app container (Duan-Para. 44, 53); 
Also note Ahuja discloses controlling data entering or exiting the device (Ahuja-Para. 28); communications between applications and the device subsystem can be facilitated via I/O system calls (Ahuja-Para. 34); monitoring file operations including read, write, create, and other operations (Ahuja-Par. 36, 38, 48); intercepting an attempt to access or share photograph data (Ahuja-Para. 47).

Regarding claim 22, the claim is analyzed with respect to claim 21. 

Regarding claim 23, the claim is analyzed with respect to claim 21. 

Regarding claim 24, Duan in view of Ahuja in view of Evans in view of Smelov teaches wherein the sensitive personal data includes credit card information or a social security number, e.g. sensitive information may be credit card numbers, social security numbers, or PIN numbers (Ahuja-Para. 41).

Regarding claim 25, the claim is analyzed with respect to claim 24. 

Regarding claim 26, the claim is analyzed with respect to claim 24. 

Claims 6 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Duan in view of Ahuja in view of Evans in view of Smelov in view of Cravo de Almeida et al. (US 2002/0169871).
Regarding claim 6, Duan in view of Ahuja in view of Evans in view of Smelov teaches all elements of claim 1.
Duan in view of Ahuja in view of Evans in view of Smelov further teaches transmitting a report that is a graphical interface, the report discussing the network activity, e.g. sending logs and statistics regarding intercepted traffic to an analytics container (Duan-Para. 39); utilizing a traffic inspector to inspect the intercepted traffic from the intercept module (Duan-Para. 63-66); the traffic inspector logs the traffic information and may forward to the analytics container (Duan-Para. 67); utilizing a quarantine detector to monitor app container traffic and behavior (Duan-Para. 86, 109, 110).
Duan in view of Ahuja in view of Evans in view of Smelov does not clearly teach the graphical interface presented on a web page by a web server.
Cravo de Almeida teaches wherein a report is a graphical interface presented on a web page by a web server, e.g. generating a web page corresponding to a report and providing the web page to a web server, wherein the web server may provide the report as the web page (Para. 46).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify Duan in view of Ahuja in view of Evans in view of Smelov to include transmitting a report that is a graphical interface presented on a web page by a web server, the report discussing the network activity, using the known method of generating a web page corresponding to a report and providing the web page to a web server, wherein the web server may provide the report as the web page, as taught by Cravo de Almeida, in combination with the app container activity interception, inspection, and reporting system of Duan in view of Ahuja in view of Evans in view of Smelov, for the purpose of enabling an administrator to log onto the web server from a remote computer and view the report as a web page (Cravo de Almeida-Para. 46).

Regarding claim 13, the claim is analyzed with respect to claim 6. 

Relevant Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Bernstein et al. (US 2018/0278639 A1) – Bernstein discloses a detector container is configured to inspect and filter encrypted traffic directed to the protected APP container, wherein the detector container interfaces with the APP container and the host operating system to retrieve one or more keys for decrypting the encrypted traffic (Para. 35).

Kumar (US 2016/0373251 A1) – Kumar discloses retrieving the encrypted file at the loopback server and instructing the loopback server to generate unencrypted content (Para. 115, 116).


Abi Antoun et al. (US 2018/0218170 A1) – Abi Antoun discloses a system that uses regular expression pattern matching to identify whether text has sensitive information (Para. 62).

Jones et al. (US 2018/0063182 A1) – Jones discloses a system that uses regular expression pattern matching to identify whether text has sensitive information (Para. 57, 67, 70).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMY DUFFIELD whose telephone number is (571)270-1643. The examiner can normally be reached Monday - Friday, 7:00 AM - 3:00 PM (ET).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on (571) 272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




19 August 2022
/Jeremy S Duffield/Primary Examiner, Art Unit 2498