DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
	This office action responds to the Reply filed on September 29, 2022 for application 15/733,180.  Each of the pending claims was previously presented, and claims 1-8 remain pending in the application.
Response to Arguments
	The Examiner has fully considered the Applicant’s arguments filed on September 29, 2022, and the Examiner responds as provided below.
Regarding the Applicant’s response at pages 8-10 of the Remarks that concerns the § 103 rejection of claim 1, the Applicant argues the following:  
Claim 1 requires, in combination with the other limitations of the claim, “training an hierarchical temporal memory (HTM) for each of the first set of container network traffic records, the first set of application traffic records and the first set of container resource records.”  Thus, the claims recite each of the first sets of records having a unique HTM.

Remarks at p. 8 (emphasis retained).
	The Examiner respectfully concludes this argument is not persuasive because claim 1 recites “training an hierarchical temporal memory…,” which comprises only a single HTM.  The Applicant cites the specification for support of more than one “unique” HTM as a claim limitation, see Remarks at p. 9, but claim limitations may not be imported from the specification.  See MPEP § 2111.01(II) (stating “It is improper to import claim limitations from the specification”).  Although the Applicant advances an argument for multiple HTMs, claims are afforded their broadest reasonable interpretation during prosecution.  See MPEP § 2111 (stating “Claims must be given their broadest reasonable interpretation in light of the specification”).  Accordingly, the Examiner maintains “training an hierarchical temporal memory” encompasses only a single HTM under one reasonable interpretation of claim 1.  
To expeditiously advance prosecution, the Examiner recommends an amendment consistent with the following: “a first HTM” for the “network traffic records,” “a second HTM” for the “application traffic records,” and “a third HTM” for the “container resource records.”  
	    Applicant argues at pages 7-8 of the Remarks that the rationale to combine Golan-Hawkins and Stopel is insufficient.  In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the Examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  
In this case, the Applicant’s arguments are not persuasive.  Essentially, the Applicant’s tactic is to provide a narrow interpretation of the references and then advance that no rationale to combine exists based upon this narrow interpretation.  The Applicant states, “The Office Action does not address why one of ordinary skill in the art would have been motivated to combine Golan-Hawkins with Stopel when Stopel reports to provide a solution for the conventional problems it identifies.”  
In the Office Action of June 29, 2022, the Examiner states, “One of ordinary skill in the art would have been motivated to incorporate the security records/profile feature because Stopel discusses the problems associated with the secure execution of containers, see Stopel ¶¶ [0015]-[0016], and Stopel teaches “a method for securing execution of software containers using security profiles,” see Stopel ¶ [0019]; see also ¶¶ [0056]-[0060].”  Here the motivation to combine is simply stated: Stopel provides a method for securing execution of software containers.  To be certain, this is not the robust explanation that Applicant seemingly desires, but this concise statement regarding the rationale to combine is legally sufficient in the computer arts due to the high level of skill imputed to the person having ordinary skill in the art.  See MPEP § 2141.03 (III) (stating “The examiner must ascertain what would have been obvious to one of ordinary skill in the art at the time the invention was made, and not to the inventor, a judge, a layman, those skilled in remote arts, or to geniuses in the art at hand.”)
Regarding the Applicant’s response at page 10 of the Remarks that concerns the § 103 rejection of independent claims 7 and 8 and dependent claims 2-6, the argument for patentability rests upon the patentability of claim 1.  Because claim 1 is not patentable over the prior art of record, claims 2-8 are similarly not allowable.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The following conventions apply to the mapping of the prior art to the claims:
Italicized text – claim language.
Parenthetical plain text – Examiner’s citation and explanation.
Quotation marks – language quoted from a prior art reference.
Underlining – language quoted from a claim.
Brackets – material altered from either a prior art reference or a claim, which includes the Examiner’s explanation that relates a claim limitation to the quoted material of a reference.
Braces – a limitation taught by another reference, but the limitation is presented with the mapping of the instant reference for context.
Numbered footnote – a first phrase to be moved upwards to the primary reference analysis.
Lettered footnote – a second phrase to be moved after the movement of the first phrase from which it was lifted, or more succinctly, move numbered material first, lettered material last.
A.	Claims 1-8 are rejected under 35 U.S.C. 103 as being unpatentable over Golan et al. (US 10,951,651, “Golan”) in view of Hawkins et al. (US 2016/0321557, “Hawkins”), and further in view of Stopel et al. (US 2017/0116415, “Stopel”).
Regarding Claim 1
Golan discloses
A computer implemented method (abstract, Figs. 8 & 9) to detect anomalous behavior of a software container having a software application executing therein (Col. 6:40-7:3, “Validation of a [software] container may refer to determining whether the container includes computer readable program code [as a software application] consistent with malicious activity, and/or whether the container exhibits anomalous behavior;” and Col. 12:19-29, “One or more embodiments of the disclosure provide methods and apparatus for managing the life cycle of containers related to one or more containerized applications.”), 
the method comprising: 
receiving a …1 data representation (Fig. 8, Col. 10:43-54, “…machine learning techniques are applied during step 840 to obtain a baseline model of the selected container,” i.e., a data representation comprising a first set of … records for the container is receiv[ed] to enable the machine learning to “obtain a baseline model of the selected container”) of each of: 
a first set of container network traffic records (Col. 8:34-60, “During step 470, while generating/feeding the emulated network traffic to the Honeypot, the RMS kernel 230 maintains and monitors the selected container 140 as a Honeypot. In one embodiment of the disclosure, a Honeypot container may be a decoy container utilized for trapping (e.g., engaging and deceiving) hackers and/or attackers. By luring in and trapping such malicious or anomalous users, a Honeypot container may be employed to study the activities of the trapped user(s) in order to track and identify [via container network traffic records] how hackers and/or attackers intrude and/or infect a container 140 (e.g., the selected container 140);” see also Stopel ¶¶ [0056]-[0058], “In another embodiment, the detector container 315 is configured to profile [to obtain a set of container records as] the network actions (activity) permissible by the container image 301-C. The permissible network actions are determined based on the context of the application executing the container. Each such action defines which network resources can be accessed by the APP container during runtime and which network resources can be access the APP container during runtime. A network resource may include an IP address, a URL, a domain, a connection port, an inbound connection, an outbound connection, and so on;” and Fig. 4, ¶¶ [0059]-[0060], “An example diagram of a security profile 400 [as a set of … records] is illustrated in FIG. 4,” and “The permissible network actions field 440 includes a list of permissible network actions [involving network traffic] <Net_action>.”),
2 …,
3 …, 
wherein the first set of container network traffic records (Col. 8:34-60, Stopel ¶ [0060]) correspond to network traffic communicated with the software container (Col. 8:34-60, “During step 470, while generating/feeding [and thereby communicat[ing]] the emulated network traffic to the Honeypot [container], the RMS kernel 230 maintains and monitors the selected container 140 as a Honeypot. In one embodiment of the disclosure, a Honeypot container may be a decoy container utilized for trapping (e.g., engaging and deceiving) hackers and/or attackers.”),
4 …; 
receiving a …1 data representation (Fig. 9, Col. 10:55-11:4, “FIG. 9 is a flow chart illustrating an exemplary implementation of an RMS container anomaly detection process 900, according to an embodiment of the disclosure. As shown in FIG. 9, a container is initially selected during step 910, and the behavior of the selected container is monitored [via receiving a … data representation that comprises a second set of … records] during step 920.”) of each of: 
a second set of container network traffic records (Fig. 9, Col. 10:55-11:4, i.e., a second set of … records is received to detect an anomaly; and Col. 8:34-60, Stopel ¶¶ [0056]-[0060], i.e., the second set of … records is for detecting an anomaly with respect to network traffic, which was previously mapped with respect to the first set of … records),
5 …; 
executing the trained …6 based on each respective second set of container network traffic records, second set of application traffic records, and second set of container resource records to determine a degree of recognition of each of the second set of container network traffic records, the second set of application traffic records, and the second set of container resource records (Figs. 8-9, Col. 10:43-11:4, i.e., after conducting the “learning mode,” the trained model is execut[ed] … based on each respective second set of … records “to determine if the selected container exhibits anomalous behavior [based upon a degree of recognition of the second set … of records] relative to the baseline model determined by the RMS container learning process 800 of FIG. 8. When it is determined during step 930 that the selected container exhibits anomalous behavior,…”); and 
responsive to an identification of a coincidence of a degree of recognition of each of the second set of container network traffic records, the second set of application traffic records, and the second set of container resource records…7, identifying anomalous behavior of the software container (Fig. 9, Col. 10:61-11:4, “When it is determined during step 930 that the selected container exhibits anomalous behavior [based upon a coincidence of a degree of recognition],”). 
Golan doesn’t disclose
1 … sparse {data representation}… 
2 a first set of application traffic records, and a first set of container resource records,
3 and training an hierarchical temporal memory (HTM) for each of the first set of container network traffic records, the first set of application traffic records, and the first set of container resource records,
4 wherein … the first set of application traffic records correspond to network traffic communicated with the software application, and the first set of container resource records correspond to the use of computer resources by the software container;
5 a second set of container network traffic records, a second set of application traffic records, and a second set of container resource records;
6 …HTMs…
7 …being below a threshold degree in each of the trained HTMs…
Hawkins, however, discloses
1 … sparse {data representation}… (¶¶ [0042]-[0043], “Spatial pooler 320 performs spatial pooling by producing sparse vector 342 in sparse distributed representation. In sparse distributed representation, a majority of elements in the sparse vector 342 are inactive (e.g., assigned a value of zero) while the remaining elements are active (e.g., assigned a value of one).”)
3 and training an hierarchical temporal memory (HTM) (¶ [0039], “FIG. 3 is a block diagram illustrating processing node 300 and user interface device 344 in a spatial and temporal memory system, according to one embodiment. The processing node 300 may be a stand-alone node for operating without other processing nodes. Alternatively, the processing node 300 may be part of a hierarchy of processing nodes, for example, as described above in detail with reference to FIGS. 1B and 2.”) for each of the {first set of container network traffic records} (Stopel ¶¶ [0059]-[0060]), the {first set of application traffic records} (Stopel ¶¶ [0059]-[0060]), and the {first set of container resource records} (Stopel ¶¶ [0059]-[0060]); Hawkins (¶¶ [0042]-[0044], “If the processing node 300 is a node at intermediate level or a top level of a hierarchical system, the input data 338 [comprising the records as disclosed by Stopel] may be an output from a child node or children nodes,” and “Spatial pooler 320 performs spatial pooling by producing sparse vector 342 in sparse distributed representation.”),
6 … {trained} HTMs… (¶ [0058], “Alternatively, the anomaly may simply be caused by insufficient number of training data or deficiency in the predictive model. Such deficiency may be rectified by training the spatial and temporal memory system with more data. After further training, the spatial and temporal memory system may no longer generate the same anomaly when exposed to the same or similar patterns or sequences that previously resulted in an anomaly.”)
7 …being below a threshold degree in each of the trained HTMs… (Fig. 5, ¶¶ [0060]-[0063], “If the tallied score indicates inaccurate prediction over the multiple time steps, analyzer 524 determines that an anomaly has occurred and sends anomaly information 304 to user interface device 344. For example, if the average of the accuracy scores over the time window drops below a threshold, analyzer 524 determines that the anomaly has occurred.”)
Stopel, however, discloses
2/5 a first/second set of application traffic records (Fig. 4, ¶¶ [0056]-[0058], “Each such action defines which network resources can be accessed by the APP container [that thereby creates traffic] during runtime and which network resources can [] access the APP container during runtime. A network resource may include an IP address, a URL, a domain, a connection port, an inbound connection, an outbound connection, and so on;” and Fig. 4, ¶¶ [0059]-[0060], “An example diagram of a security profile 400 [comprising a record] is illustrated in FIG. 4.”), and 
a first/second set of container resource records (Fig. 4, ¶¶ [0058]-[0060], “Each such action defines which filesystem resources can be accessed by the APP container during runtime. A filesystem resource may include a file, a directory, a sub directory, a memory page, a cache section, and so on;” and Fig. 4, ¶¶ [0059]-[0060], “An example diagram of a security profile 400 [comprising a record] is illustrated in FIG. 4.”),
4 wherein…, the first set of application traffic records (¶ [0060]) correspond to network traffic communicated with the software application (Fig. 4, ¶¶ [0056]-[0058], “Each such action defines which network resources can be accessed [and thereby communicate[]] by the [software] APP container [that thereby creates traffic] during runtime and which network resources can [] access the APP container during runtime. A network resource may include an IP address, a URL, a domain, a connection port, an inbound connection, an outbound connection, and so on;”), and 
the first set of container resource records (¶ [0060]) correspond to the use of computer resources by the software container (Fig. 4, ¶¶ [0058]-[0060], “Each such action defines which filesystem resources [as computer resources] can be accessed by the APP container during runtime. A filesystem resource may include a file, a directory, a sub directory, a memory page, a cache section, and so on;”);
Regarding the combination of Golan and Hawkins, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Golan to arrive at the claimed invention.  KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.”  See MPEP § 2143(I)(C).
To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C):
1) the prior art contained a base method, namely the anomaly detection system of Golan, upon which the claimed invention can be seen as an “improvement” through the use of sparse data for an HTM;
2) the prior art contained a “comparable” method, namely the use of the sparse data representation for an HTM of Hawkins, that has been improved in the same way as the claimed invention through the use of the sparse data representation; and
3) one of ordinary skill in the art could have applied the known improvement technique of applying the sparse data representation for an HTM to the base method, or the anomaly detection system of Golan, and the results would have been predictable to one of ordinary skill in the art.
	Regarding the combination of Golan-Hawkins and Stopel, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the anomaly detection system of Golan-Hawkins to have included the security records/profile feature of Stopel. One of ordinary skill in the art would have been motivated to incorporate the security records/profile feature because Stopel discusses the problems associated with the secure execution of containers, see Stopel ¶¶ [0015]-[0016], and Stopel teaches “a method for securing execution of software containers using security profiles,” see Stopel ¶ [0019]; see also ¶¶ [0056]-[0060].  
Regarding Claim 2
Golan in view of Hawkins, and further in view of Stopel (“Golan-Hawkins-Stopel”) discloses the method of claim 1, and Golan further discloses
wherein the software container is a software process executable in an operating system of a computer system (Col. 3:59-4:7, “A container 140 may be an isolated, lightweight virtualization mechanism (or software construct) that allows for the running [as a process] of an application or an operating system within the container 140 without the overhead of executing a hypervisor (as is needed for executing virtual machines on underlying hardware).”) in which operating system software processes are prevented from accessing resources of other second processes executing in the operating system (Col. 3:59-4:7, “A container 140 may be an isolated [that thereby prevent[s] … accessing to or from other resources of other second processes executing in the operating system], lightweight virtualization mechanism (or software construct) that allows for the running of an application or an operating system within the container 140 without the overhead of executing a hypervisor (as is needed for executing virtual machines on underlying hardware).”).  
Regarding Claim 3
Golan-Hawkins-Stopel discloses the method of claim 1, and Golan further discloses 
in response to the identification of anomalous behavior (Fig. 9, Col. 10:61-11:4), implementing a responsive measure to the anomalous behavior (Fig. 9, Col. 10:61-11:4, “During step 950, the selected container is terminated [as a responsive measure] or the role of the selected container is adjusted to a Honeypot container.”).  
Regarding Claim 4
Golan-Hawkins-Stopel discloses the method of claim 4, and Golan further discloses 
wherein the responsive measure includes one or more of: interrupting operation of the software container (Fig. 9, Col. 10:61-11:4, “During step 950, the selected container is terminated [and thereby interrupt[s] operation of the software container] or the role of the selected container is adjusted to a Honeypot container.”); identifying software components in communication with the application in the software container as potentially compromised; identifying a definition of the software container as anomalous; and effecting at least one of a redeployment, a reinstallation or a reconfiguration of the software container.  
Regarding Claim 5
Golan-Hawkins-Stopel discloses the method of claim 1, and Golan further discloses 
wherein in the training mode of operation…1 (Fig. 8, Col. 10:43-54), 
Hawkins further discloses
1 …each HTM evaluates an anomaly score for records in a respective first set of records and the HTM is trained until the anomaly score meets a predetermined threshold degree of anomaly (¶ [0058], “Alternatively, the anomaly may simply be caused by insufficient number of training data [comprising a respective first set of records] or deficiency in the predictive model. Such deficiency may be rectified by training the spatial and temporal memory system with more data. After further training [at which point the anomaly score meets a predetermined threshold degree of anomaly], the spatial and temporal memory system may no longer generate the same anomaly when exposed to the same or similar patterns or sequences that previously resulted in an anomaly;” and ¶¶ [0062]-[0063], “Comparator 514 generates accuracy score 520 indicating the accuracy of prediction output 404 relative to sparse vector 342. In one embodiment, a higher accuracy score 520 indicates higher accuracy of the prediction.”).  
Regarding the combination of Golan and Hawkins, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter of claims 1 and 5.
Regarding Claim 6
Golan-Hawkins-Stopel discloses the method of claim 1, and Golan further discloses 
wherein the coincidence…1 (Fig. 9, Col. 10:61-11:4, i.e., the coincidence associated with the “base model”)
Hawkins further discloses
1 …occurs within a time window having a predetermined maximum duration (Fig. 5, ¶¶ [0063]-[0065], “In one embodiment, analyzer 524 tallies accuracy score 520 over a time window covering multiple time steps,” and “Further, depending on the accuracy of the predictive model as implemented by processing node 300, the length of the time window can be increased or decreased dynamically. If the prediction of the processing node 300 tends to be accurate, a shorter time window can be used,” i.e., alternatively, the time window can have a predetermined maximum duration for the cases where “the prediction of the processing node 300 tends [not] to be accurate,” or a maximum duration is employed to achieve greater accuracy).
Regarding the combination of Golan and Hawkins, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter of claims 1 and 5.
Regarding Independent Claims 7 and 8
With respect to independent claims 7 and 8, a corresponding reasoning as given earlier for independent claim 1 applies, mutatis mutandis, to the subject matter of claims 7 and 8. Therefore, claims 7 and 8 are rejected, for similar reasons, under the grounds set forth for claim 1. 
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405. The examiner can normally be reached Monday-Friday 9:00-5:00 Mountain Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR B PATEL can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/D'Arcy Winston Straub/Examiner, Art Unit 2491
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491