DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on December 23, 2020 and July 8, 2021 except of TW Office Action dated July 2, 2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner. 
The TW Office Action dated July 2, 2021 filed on July 8, 2021 fails to comply with 37 CFR 1.98(a)(3)(i) because it does not include a concise explanation of the relevance, as it is presently understood by the individual designated in 37 CFR 1.56(c) most knowledgeable about the content of the information, of each reference listed that is not in the English language.  It has been placed in the application file, but the information referred to therein has not been considered.

Specification
The disclosure is objected to because of the following informalities: 
In paragraph [0030], line 2, “Step S71 and step S71” should be read as “Step S71 and step S1” ;  
In paragraph [0030], line 4, before “the target object”, “of” should be added; and 
In paragraph [0043], line 9, after “second candidate label”, “and label the target object” is not clear.
Appropriate correction is required.

Claim Objections
Claim 15 is objected to because of the following informalities:  
In line 12, “PRORAM” should be read “program”.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 9-14, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Drepper (US PG Publication No. 2012/0066272, hereinafter “Drepper”) in view of Marom et al. (US Patent No. 10,417,454, hereinafter “Marom”).

Regarding claim 1, Drepper discloses a method [a method for asynchronously verifying a current file attribute setting for a requested file in a file system] for labeling object of operating system adapted to a target object [file to be verified] of a target operating system, wherein the target object has a target attribute and the method 5comprises:
generating [[0030] For example, on systems that run SELinux, all of the files in the file system are labeled in a way that represents security-relevant information, called SELinux context, and a system administrator can request SELinux to execute an asynchronous attribute system to verify that the current file labels for files which processes are requesting access to, are correct before a file is accessed by a process.] a default label [the current file labels] by a labeling tool [SELinux] according to the target attribute; 
comparing [[0037] In one embodiment, the asynchronous attribute system can execute a command that determines both the current file attribute setting and the expected file attribute setting, and compares the current file attribute setting to the expected file attribute setting, and returns a result.] whether the target attribute [current file attribute setting] and the reference attribute [expected file attribute setting] are identical and 10generating a comparison result; and 
labeling [[0038] In one embodiment, if the current file attribute setting is correct…, the asynchronous attribute system updates the tracking data at block 319 and sends a notification to the FA notification system at block 321.; [0039] If the current file attribute setting is not correct…, the asynchronous attribute system changes the current file attribute setting to a new (correct) setting at block 317. For example, the asynchronous attribute system can change the current attribute setting to comply with a policy rule, to match the expected attribute setting, etc.] the target object with the default label, the reference label, or one of a plurality of candidate labels according to the comparison result and a type of the target object.  
Drepper does not appear to explicitly disclose obtaining a reference object of a reference operating system, wherein the reference object has a reference attribute and a reference label. 
However, Marom discloses obtaining a reference object of a reference operating system, wherein the reference object has a reference attribute and a reference label [Col. 9, lines 34-45, In operation 302, once the security policy server 101 has connected to the target secure operating system resource R1, R2, or RN 103, it may upload a policy to the target secure operating system resource R1, R2, or RN 103. In some embodiments, the policy may be provided to the target secure operating system resource R1, R2, or RN 103 in the form of a data (e.g., text) file, a database record, an executable script, etc.  For example, if the policy is provided in a data or database format, the target secure operating system resource R1, R2, or RN 103 may be configured to store the policy locally and access it for making access-control decisions.; Col. 14, lines 33-56, In some embodiments, process 600 may include an operation 601 of receiving a notification from a cloud registry of one or more new resources that are spun up, uploaded, or initialized in a cloud environment. … Depending on the nature of the cloud resource being spun up, uploaded, or initialized, the notification may contain various different types of information. For example, the notification may identify the cloud resource by a unique identifier, may specify a class or group to which the resource belongs, may identify the resource as one of several copies of the same resource (e.g., based on a scaling operation), may identify a security level or tier of the resource, may identify security privileges of the resource, may identify permitted or prohibited functions of the resource, etc. As discussed further below, the cloud resource may operate in a public, private, or hybrid public-private cloud architecture.].
Drepper and Marom are considered to be analogous to the claimed invention because they are in the same field of computer security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Drepper to incorporate the teachings of Marom to provide a computing system and method to automatically perform secure operating system policy integration by accessing a database storing a plurality of secure operating system policies corresponding to a plurality of target secure operating system resources, connecting to a first target secure operating system resource from the plurality of target secure operating system resources, and automatically providing a customized policy script to the first target secure operating system resource, which improves the security and usability of SELinux and other security-enhanced operating system tools (e.g., AppArmor). [Marom, Abstract, Col. 1, line 60-Col3, line 13].

Regarding claim 3, the combination of Drepper and Marom discloses the method for labeling object of operating system of claim 1, wherein each of the target attribute and the reference attribute is at least one of a file path, a file name and a file type [Drepper, [0023] The notification manager 205 can receive a notification from the FA notification system that includes data to uniquely identify the file being requested, such as a pathname of the requested file, a file name of the requested file, etc. The notification can optionally also contain data that identifies which file attribute to verify (e.g., a file label, a file ownership attribute, a file access permission, a file access control list, etc.).].  

Regarding claim 9, the combination of Drepper and Marom disclose a method for generating security policy of operating system adapted a plurality of target objects of a target operating system, wherein each of the target object has a target 30attribute, and the method comprises: 
20labeling each of the plurality of target objects with the default label, the reference label, or said one of the plurality of candidate label according to the method for labeling object of operating system of claim 1; 
performing a booting testing script by the target operating system to generate a plurality 5of system audit messages [Marom, Col. 11, lines 55-61, Once the security policy server 101 has connected to a target secure operating system resource R1, R2, or RN 103, an audit log may be generated in operation 402. ]; and 
converting the plurality of system audit messages to a plurality of rules respectively according to a policy generator and collecting the plurality of rules to form a security policy [Marom, Col. 12, lines 11-29, In additional embodiments, parsing the audit log may involve extracting activity information from the log, and then performing an assessment of whether the activity violates a particular policy (e.g., a policy stored in database 104 or 206) in an operation 404. In this manner, policies may be tested and optimized with actual activity data from a target secure operating system resource R1, R2, or RN 103. … If updates to a policy are created, the updated policy may be sent to the target secure operating system resource R1, R2, or RN 103 for use, as discussed above.].   

Regarding claim 10, the combination of Drepper and Marom disclose the method for generating security policy of operating system of claim 9, wherein the booting testing script comprises a plurality of program behaviors corresponding to a 10plurality of programs of the target operating system and a plurality of sources used by the plurality of programs [Marom, Col. 12, lines 54-67, In an operation 502, the security policy server 101 may determine whether the audit log reflects any policy violations. For example, one or more applicable polices for a target secure operating system resource R1, R2, or RN 103 may be stored in a database 104 or 206 and may be accessed by the security policy server 101. The security policy server 101 may determine whether a policy, or any specific rule within a policy, has been violated based on the audit data. As discussed above, policy violations may involve numerous types of activities by target secure operating system resources R1, R2, or RN 103, such as connection activity, reading activity, writing activity, deleting activity, copying activity, moving activity, activities specific to particular identities, activities occurring at particular times, etc.].  

Regarding claim 11, the combination of Drepper and Marom disclose the method for generating security policy of operating system of claim 10, wherein one of the plurality of program behaviors corresponds to a program of system kernel mode [Marom, Col. 13, lines 19-27, Similarly, operation 504 may involve gathering system activity information regarding the target secure operating system resource R1, R2, or RN 103. This may include an IP address or MAC address of the target secure operating system resource R1, R2, or RN 103, other applications or processes being run by the target secure operating system resource R1, R2, or RN 103, and other connections made concurrently by the target secure operating system resource R1, R2, or RN 103.].  

Regarding claim 12, the combination of Drepper and Marom disclose the method for generating security policy of operating system of claim 10, wherein 15one of the plurality of program behaviors corresponds to a program of system user mode [Marom, Col. 13, lines 7-19, Operation 503 may involve analyzing a system usage log associated with the target secure operating system resource R1, R2, or RN 103 that has the associated policy violation. For example, a system usage log may identify what identities were connected to the target secure operating system resource R1, R2, or RN 103 at the time of the policy violation, what time the violation occurred, the IP address or MAC address of the identity, what other activities were being taken concurrently by the identity, what other applications or processes the identity was running concurrently with the violation, keystroke activity of the identity on a machine concurrently with the violation, etc.].  

Regarding claim 13, the combination of Drepper and Marom disclose the method for generating security policy of operating system of claim 9, before collecting the plurality of rules to form the security policy, further comprising: 
repeatedly performing [Drepper, [0015] To prevent incorrectly labeled and unlabeled files from causing problems, an operating system 109 can employ measures to ensure that every file in a file system 140 is correctly labeled before any file is accessed by a user process, such as Process_1 101A and Process_2 101B. … The sequential attribute system 107 can correct the current file attribute setting (e.g., file label setting) if it missing or incorrect. The sequential attribute system 107 can walk through a file system 140 tree, file by file, and as a security measure, the sequential attribute system 107 can delay all of processes (e.g., Process_1 101A and Process_2 101B) from accessing files until one or more attributes for all of the files are verified.] the booting testing script by the target operating system until target operating system does not generate any system audit messages.    

Regarding claim 14, Drepper discloses a system [a computer system for asynchronously configuring file attributes in a file system] of labeling object of operating system adapted to a target object [file to be verified] of a target operating system, wherein the target object has a target attribute and the system comprises: 
a non-transitory machine readable storage medium [a machine-readable storage medium 424; [0046] The secondary memory 416 may include a machine-readable storage medium (or more specifically a computer-readable storage medium) 424 on which is stored one or more sets of instructions (e.g., the asynchronous attribute system 426) embodying any one or more of the methodologies or functions described herein.] storing a plurality of instructions; and 
at least one processing device [Processing device 402; [0044] Processing device 402 is configured to execute the asynchronous attribute system 426 for performing the operations and steps discussed herein.] electrically connecting to the non-transitory machine 25readable storage medium, wherein said at least one processing device performs the plurality of instructions and triggers a plurality of operations, and the plurality of operations comprises: 
generating [[0030] For example, on systems that run SELinux, all of the files in the file system are labeled in a way that represents security-relevant information, called SELinux context, and a system administrator can request SELinux to execute an asynchronous attribute system to verify that the current file labels for files which processes are requesting access to, are correct before a file is accessed by a process.] a default label [the current file labels] by a labeling tool [SELinux] according to the target attribute; 
21comparing [[0037] In one embodiment, the asynchronous attribute system can execute a command that determines both the current file attribute setting and the expected file attribute setting, and compares the current file attribute setting to the expected file attribute setting, and returns a result.] whether the target attribute [current file attribute setting] and the reference attribute [expected file attribute setting] are identical and generating a comparison result; and 
labeling [[0038] In one embodiment, if the current file attribute setting is correct (e.g., file2 has a current attribute setting that matches the expected attribute setting), the asynchronous attribute system updates the tracking data at block 319 and sends a notification to the FA notification system at block 321.; [0039] If the current file attribute setting is not correct (e.g., file1 does not have a current file attribute setting that matches the expected attribute setting), the asynchronous attribute system changes the current file attribute setting to a new (correct) setting at block 317. For example, the asynchronous attribute system can change the current attribute setting to comply with a policy rule, to match the expected attribute setting, etc.] the target object with the default label, the reference label, or one of a plurality of candidate labels according to the comparison result and a type of the target object.  
Drepper does not appear to explicitly disclose a reference object of a reference operating system, wherein the reference object has a reference attribute and a reference label. 
However, Marom discloses obtaining a reference object of a reference operating system, wherein the reference object has a reference attribute and a reference label [Col. 9, lines 34-45, In operation 302, once the security policy server 101 has connected to the target secure operating system resource R1, R2, or RN 103, it may upload a policy to the target secure operating system resource R1, R2, or RN 103. In some embodiments, the policy may be provided to the target secure operating system resource R1, R2, or RN 103 in the form of a data (e.g., text) file, a database record, an executable script, etc.  For example, if the policy is provided in a data or database format, the target secure operating system resource R1, R2, or RN 103 may be configured to store the policy locally and access it for making access-control decisions.; Col. 14, lines 33-56, In some embodiments, process 600 may include an operation 601 of receiving a notification from a cloud registry of one or more new resources that are spun up, uploaded, or initialized in a cloud environment. … Depending on the nature of the cloud resource being spun up, uploaded, or initialized, the notification may contain various different types of information. For example, the notification may identify the cloud resource by a unique identifier, may specify a class or group to which the resource belongs, may identify the resource as one of several copies of the same resource (e.g., based on a scaling operation), may identify a security level or tier of the resource, may identify security privileges of the resource, may identify permitted or prohibited functions of the resource, etc. As discussed further below, the cloud resource may operate in a public, private, or hybrid public-private cloud architecture.].
Drepper and Marom are considered to be analogous to the claimed invention because they are in the same field of computer security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Drepper to incorporate the teachings of Marom to provide a computing system and method to automatically perform secure operating system policy integration by accessing a database storing a plurality of secure operating system policies corresponding to a plurality of target secure operating system resources, connecting to a first target secure operating system resource from the plurality of target secure operating system resources, and automatically providing a customized policy script to the first target secure operating system resource, which improves the security and usability of SELinux and other security-enhanced operating system tools (e.g., AppArmor). [Marom, Abstract, Col. 1, line 60-Col3, line 13].

Regarding claim 16, Drepper discloses a system for generating security policy of operating system adapted a plurality of 20target objects of a target operating system, wherein each of the target object has a target attribute, and the system comprises: 
a non-transitory machine readable storage medium [a machine-readable storage medium 424; [0046] The secondary memory 416 may include a machine-readable storage medium (or more specifically a computer-readable storage medium) 424 on which is stored one or more sets of instructions (e.g., the asynchronous attribute system 426) embodying any one or more of the methodologies or functions described herein.] storing a plurality of instructions; and 
at least one processing device [Processing device 402; [0044] Processing device 402 is configured to execute the asynchronous attribute system 426 for performing the operations and steps discussed herein.] electrically connecting to the non-transitory machine 25readable storage medium, wherein said at least one processing device performs the plurality of instructions and triggers a plurality of operations, and the plurality of operations comprises: 
generating [[0030] For example, on systems that run SELinux, all of the files in the file system are labeled in a way that represents security-relevant information, called SELinux context, and a system administrator can request SELinux to execute an asynchronous attribute system to verify that the current file labels for files which processes are requesting access to, are correct before a file is accessed by a process.] a default label [the current file labels] by a labeling tool [SELinux] according to the target attribute; 
21comparing [[0037] In one embodiment, the asynchronous attribute system can execute a command that determines both the current file attribute setting and the expected file attribute setting, and compares the current file attribute setting to the expected file attribute setting, and returns a result.] whether the target attribute [current file attribute setting] and the reference attribute [expected file attribute setting] are identical and generating a comparison result; and 
labeling [[0038] In one embodiment, if the current file attribute setting is correct (e.g., file2 has a current attribute setting that matches the expected attribute setting), the asynchronous attribute system updates the tracking data at block 319 and sends a notification to the FA notification system at block 321.; [0039] If the current file attribute setting is not correct (e.g., file1 does not have a current file attribute setting that matches the expected attribute setting), the asynchronous attribute system changes the current file attribute setting to a new (correct) setting at block 317. For example, the asynchronous attribute system can change the current attribute setting to comply with a policy rule, to match the expected attribute setting, etc.] the target object with the default label, the reference label, or one of a plurality of candidate labels according to the comparison result and a type of the target object.
Drepper does not appear to explicitly disclose obtaining a reference object of a reference operating system, wherein the reference object has a reference attribute and a reference label; performing a booting testing script by the target operating system to generate a plurality of system audit messages; and converting the plurality of system audit messages to a plurality of rules according to a policy generator and collecting the plurality of rules to form a security policy. 
However, Marom discloses obtaining a reference object of a reference operating system, wherein the reference object has a reference attribute and a reference label [Col. 9, lines 34-45, In operation 302, once the security policy server 101 has connected to the target secure operating system resource R1, R2, or RN 103, it may upload a policy to the target secure operating system resource R1, R2, or RN 103. In some embodiments, the policy may be provided to the target secure operating system resource R1, R2, or RN 103 in the form of a data (e.g., text) file, a database record, an executable script, etc.  For example, if the policy is provided in a data or database format, the target secure operating system resource R1, R2, or RN 103 may be configured to store the policy locally and access it for making access-control decisions.; Col. 14, lines 33-56, In some embodiments, process 600 may include an operation 601 of receiving a notification from a cloud registry of one or more new resources that are spun up, uploaded, or initialized in a cloud environment. … Depending on the nature of the cloud resource being spun up, uploaded, or initialized, the notification may contain various different types of information. For example, the notification may identify the cloud resource by a unique identifier, may specify a class or group to which the resource belongs, may identify the resource as one of several copies of the same resource (e.g., based on a scaling operation), may identify a security level or tier of the resource, may identify security privileges of the resource, may identify permitted or prohibited functions of the resource, etc. As discussed further below, the cloud resource may operate in a public, private, or hybrid public-private cloud architecture.];
performing a booting testing script by the target operating system to generate a plurality of system audit messages [Col. 11, lines 55-61, Once the security policy server 101 has connected to a target secure operating system resource R1, R2, or RN 103, an audit log may be generated in operation 402. ]; and 
converting the plurality of system audit messages to a plurality of rules according to a policy generator and collecting the plurality of rules to form a security policy [Col. 12, lines 11-29, In additional embodiments, parsing the audit log may involve extracting activity information from the log, and then performing an assessment of whether the activity violates a particular policy (e.g., a policy stored in database 104 or 206) in an operation 404. In this manner, policies may be tested and optimized with actual activity data from a target secure operating system resource R1, R2, or RN 103. … If updates to a policy are created, the updated policy may be sent to the target secure operating system resource R1, R2, or RN 103 for use, as discussed above.].  
Drepper and Marom are considered to be analogous to the claimed invention because they are in the same field of computer security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Drepper to incorporate the teachings of Marom to provide a computing system and method to automatically perform secure operating system policy integration by accessing a database storing a plurality of secure operating system policies corresponding to a plurality of target secure operating system resources, connecting to a first target secure operating system resource from the plurality of target secure operating system resources, and automatically providing a customized policy script to the first target secure operating system resource, which improves the security and usability of SELinux and other security-enhanced operating system tools (e.g., AppArmor). [Marom, Abstract, Col. 1, line 60 - Col3, line 13].

Claims 2, 4, 5, 8, 15, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Drepper in view of Marom further in view of Chen (Chen, Difference between revisions of "SELinux/Tutorials/Controlling file contexts yourself”, August 13, 2020, hereinafter “Chen”).

Regarding claim 2, the combination of Drepper and Marom discloses the method for labeling object of operating system of claim 1, wherein labeling the target object with the default label, the reference label, or said one of the plurality of candidate 15labels according to the comparison result and the type of the target object comprises: 
labeling [Marom, Col. 15, lines 13 – 35, Accordingly, when one known target secure operating system resource R1, R2, or RN 103 has a policy for its security-enhanced operating system tool, the same policy may be applied to one or more other cloud resources that are deemed similar to it (e.g., in operation 603). Further, as discussed above in connection with FIGS. 3-5, various updates may be made to policies based on system learning and optimization.] the target object with the reference label when the comparison result shows that the target attribute and the reference attribute are identical; 
determining [Drepper, [0038] In one embodiment, if the current file attribute setting is correct (e.g., file2 has a current attribute setting that matches the expected attribute setting), the asynchronous attribute system updates the tracking data at block 319 and sends a notification to the FA notification system at block 321.] whether the type of the target object is program when the comparison result shows that the target attribute and the reference attribute are different; 
20labeling [Drepper, [0028] When the current attribute setting for the requested file is not correct, the attribute manager 207 can change the current attribute setting in the current attribute data 251 to a new setting (e.g., a correct setting), for example, to comply with a policy rule, to match the expected attribute setting determined by the query utility 209, to match a default setting, etc.] the target object with the default label when the type of the target object is not program; and
performing [Drepper, [036] At block 313, the asynchronous attribute system determines the expected (correct) setting for a file attribute for a file. The system can execute a command to run a utility that generates and returns the expected file attribute setting. The utility can use expected attribute data, such as policy rules, templates, configuration files, etc., that is stored in a data store that is coupled to the asynchronous attribute system to determine the expected file attribute setting. The expected attribute data can be a data structure which the utility can query. For example, the asynchronous attribute system can execute a ‘matchpathcon’ command, which queries the expected attribute data, generate the expected attribute setting, and return the expected attribute setting (e.g., the expected file label setting) for the file.] an analysis procedure to generate the plurality of candidate labels when the type of the target object is program, and 25to label the target object.  
Drepper in view of Marom does not appear to explicitly disclose selecting said one of the plurality of candidate labels according to an accessed number corresponding to each of the plurality of candidate labels 25to label the target object.  
However, Chen discloses selecting [The restorecon utility will check the contexts of the files and match those against the contexts that are defined in the SELinux policy. It uses a special mapping algorithm to make sure that it matches the expression that is most likely applicable to the file, checks its should-be context against the existing context and, if it doesn't match, changes the context of the file. … Although there are a few more rules to it, the above ones are the simplest to explain for now and suffice in 99.9% of the cases where you need to know this. You can also use the findcon utility to display all matching expressions. As far as we can tell, the lowest returned value is the one that will be picked (but I'm not sure, so use matchpathcon in these cases if you really want to be sure).] said one of the plurality of candidate labels according to an accessed number corresponding to each of the plurality of candidate labels 25to label the target object.  
Drepper and Chen are considered to be analogous to the claimed invention because they are in the same field of computer security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Drepper to incorporate the teachings of Chen to provide a method to build file context definitions and apply context on file [Chen, page 2].

Regarding claim 4, the combination of Drepper, Marom, and Chen discloses the method for labeling object of operating system of claim 2, wherein the target object is a first target object, the default label is a first default label, the target operating system further comprises a plurality of second target objects, and 
before performing the analysis procedure, the method further comprises: 
5labeling [Drepper, [0030] For example, on systems that run SELinux, all of the files in the file system are labeled in a way that represents security-relevant information, called SELinux context, and a system administrator can request SELinux to execute an asynchronous attribute system to verify that the current file labels for files which processes are requesting access to, are correct before a file is accessed by a process.] the plurality of second target objects with a plurality of second default labels respectively by the labeling tool; 
analyzing [Drepper, [0013] An operating system 109 can use a file's extended attributes to control access to the file. Examples of extended file attributes can include a file ownership attribute, a file access permission, a file label, a file access control list, etc. For example, a security enhanced operating system, such as Security Enhanced Linux® (SELinux), adds Mandatory Access Control (MAC) to a Linux® kernel, and can enforce an administratively-set security policy over all processes and files in a file system, basing decisions on extended file attributes, such as a file label that contains a variety of security-relevant information. In SELinux, all of the files in a file system must be labeled appropriately in order for the correct security policy to be applied when the files are being used.] a plurality of behavior data of the plurality of second target objects respectively; and 
establishing [Drepper, [0012] One way in which files can be stored on a data store 140 (e.g., disk) is called a file system, which enables files to have names and extended file attributes (file attributes) and also allows the files to be stored in a hierarchy of directories or folders arranged in a directory tree.] a behavior database [data store 140 and 250] according to a plurality of file names of the plurality 10of second target objects, the plurality of second default labels and the plurality of behavior data; and 
the analysis procedure comprises a static stage and a dynamic stage, 
wherein the static stage comprises: 
generating [Drepper, [0026]  The attribute manager 207 can determine the expected attribute setting for the requested file by utilizing a query utility 209 and expected attribute data 243. An example of expected attribute data 243 is a mapping (labeling) file, such as a file_contexts file in SELinux. The attribute manager 207 can specify the file (e.g., specify a path name, specify a filename) of the requested file to the query utility 209. The query utility 209 can use the expected attribute data 243 to determine the expected attribute setting for the requested file. ] a first candidate label according to a file name of the target object; and 
15generating [Drepper, [0026] In one embodiment, the attribute manager 207 can also specify the file attribute to be verified to the query utility 209. The query utility 209 can use the expected attribute data 243 to determine the expected attribute setting for the requested file.] a second candidate label according to a target behavior and a target context of the target object; and 
the dynamic stage comprises: 
generating [Marom, Col. 9, lines 34-45, In operation 302, once the security policy server 101 has connected to the target secure operating system resource R1, R2, or RN 103, it may upload a policy to the target secure operating system resource R1, R2, or RN 103. … Accordingly, if the policy is provided as a script, the script may execute in an operation 303 to install or compile the policy on the target secure operating system resource R1, R2, or RN 103.; Col. 10, lines 18-28, Based on the policy, the target secure operating system resource R1, R2, or RN 103 may determine whether certain functions are in compliance with the policy or not.; Col. 10, lines 41-49, In an operation 304, the security policy server 101 may be configured to receive a notification or alert from the target secure operating system resource R1, R2, or RN 103. The notification may be of various types, such as a confirmation of policy-compliant activity on the target secure operating system resource R1, R2, or RN 103, policy-violative activity on the target secure operating system resource R1, R2, or RN 103, idle time or non-use of the target secure operating system resource R1, R2, or RN 103, etc.] a third candidate label according to the target object and a testing script.  

Regarding claim 5, the combination of Drepper, Marom, and Chen discloses the method for labeling object of operating system of claim 4, wherein generating 20the first candidate label according to the file name of the target object comprises: 
searching [[0026]  The attribute manager 207 can determine the expected attribute setting for the requested file by utilizing a query utility 209 and expected attribute data 243. An example of expected attribute data 243 is a mapping (labeling) file, such as a file_contexts file in SELinux. The attribute manager 207 can specify the file (e.g., specify a path name, specify a filename) of the requested file to the query utility 209. The query utility 209 can use the expected attribute data 243 to determine the expected attribute setting for the requested file.], by the labeling tool, a label database [expected attribute data 243] according to the file name to obtain a first candidate label.  

Regarding claim 8, the combination of Drepper, Marom, and Chen discloses the method for labeling object of operating system of claim 4, 15wherein generating the third candidate label according to target object and the testing script comprises: 
assigning [Marom, Col. 9, lines 34-51, In operation 302, once the security policy server 101 has connected to the target secure operating system resource R1, R2, or RN 103, it may upload a policy to the target secure operating system resource R1, R2, or RN 103. In some embodiments, the policy may be provided to the target secure operating system resource R1, R2, or RN 103 in the form of a data (e.g., text) file, a database record, an executable script, etc. …   Accordingly, if the policy is provided as a script, the script may execute in an operation 303 to install or compile the policy on the target secure operating system resource R1, R2, or RN 103.] a testing label to the target object; 
performing [Marom, Col. 11, lines 55 - 65, Once the security policy server 101 has connected to a target secure operating system resource R1, R2, or RN 103, an audit log may be generated in operation 402.  Alternatively, in some embodiments the audit log may be generated independent of the security policy server 101 having connected to a target secure operating system resource R1, R2, or RN 103. As discussed above, the audit log may be created by the target secure operating system resource R1, R2, or RN 103 and stored in a database (e.g., database 206), or may be created by the security policy server 101 and stored in a database (e.g., database 104 or 206).] the testing script [script] to generate a plurality of audit messages [audit log] according to the target object assigned the testing label; 
20converting [Marom, Col. 11, lines 66 – Col. 12, line 9, In an operation 403, process 400 may involve parsing the audit log to extract or summarize relevant information. For example, the security policy server 101 may search the audit log to identify all policy violations involving a target secure operating system resource R1, R2, or RN 103. As another example, the security policy server may search for all access denials performed by the target secure operating system resource R1, R2, or RN 103 based on a policy. Further, the security policy server 101 may search for all policy violations, or access denials, involving a specific rule from a policy that encompasses multiple rules.] the plurality of audit messages to a policy with a plurality of interfaces by a policy convertor; and 
according to the target behavior or each of the plurality of interfaces, obtaining [[036] At block 313, the asynchronous attribute system determines the expected (correct) setting for a file attribute for a file. The system can execute a command to run a utility that generates and returns the expected file attribute setting. The utility can use expected attribute data, such as policy rules, templates, configuration files, etc., that is stored in a data store that is coupled to the asynchronous attribute system to determine the expected file attribute setting. The expected attribute data can be a data structure which the utility can query. For example, the asynchronous attribute system can execute a ‘matchpathcon’ command, which queries the expected attribute data, generate the expected attribute setting, and return the expected attribute setting (e.g., the expected file label setting) for the file.] one label to serve as the third candidate label by selecting said one label from a plurality of labels of a label database [expected attribute data 243] or from the plurality of second default labels of the behavior database [data store 140 and 250], wherein 25the plurality of labels of the label database [expected attribute data 243] corresponds to the plurality of interfaces [policy rules] respectively, or the plurality of behavior data [configuration files] corresponds to the plurality of interfaces respectively.  

Regarding claim 515, the combination of Drepper and Marom discloses the system of labeling object of operating system of claim 14, wherein, in the plurality of operations, labeling the target object with the default label, the reference label, or said one of a plurality of candidate labels according to the comparison result and the type of the target object comprises: 
labeling [Marom, Col. 15, lines 13 – 35, Accordingly, when one known target secure operating system resource R1, R2, or RN 103 has a policy for its security-enhanced operating system tool, the same policy may be applied to one or more other cloud resources that are deemed similar to it (e.g., in operation 603). Further, as discussed above in connection with FIGS. 3-5, various updates may be made to policies based on system learning and optimization.] the target object with the reference label when the comparison result shows that 10the target attribute and the reference attribute are identical; 
determining [Drepper, [0035] If the file name and the file attribute are not included in the tracking data (block 309), the asynchronous attribute system determines the current setting for the file attribute at block 311. The asynchronous attribute system can execute a command or system call to access the file in the file system to determine the current attribute setting for the requested file.] whether the type of the target object is program when the comparison result shows that the target attribute and the reference attribute are different; 
labeling [Drepper, [0038] In one embodiment, if the current file attribute setting is correct (e.g., file2 has a current attribute setting that matches the expected attribute setting), the asynchronous attribute system updates the tracking data at block 319 and sends a notification to the FA notification system at block 321.] the target object with the default label when the type of the target object is not program; and 
15performing [Drepper, [036] At block 313, the asynchronous attribute system determines the expected (correct) setting for a file attribute for a file. The system can execute a command to run a utility that generates and returns the expected file attribute setting. The utility can use expected attribute data, such as policy rules, templates, configuration files, etc., that is stored in a data store that is coupled to the asynchronous attribute system to determine the expected file attribute setting. The expected attribute data can be a data structure which the utility can query. For example, the asynchronous attribute system can execute a ‘matchpathcon’ command, which queries the expected attribute data, generate the expected attribute setting, and return the expected attribute setting (e.g., the expected file label setting) for the file.] an analysis procedure to generate the plurality of candidate labels [the expected file label setting]  when the type of the target object is PRORAM, 
Drepper in view of Marom does not appear to explicitly disclose labeling the target object with said one from the plurality of candidate labels according to an accessed number corresponding to each of the plurality of candidate labels.  
However, Chen discloses labeling [Once we've established the security context for files in the SELinux policy, we still need to actually apply the context to the files by storing it in their extended attributes. This is where the restorecon utility comes into play. The restorecon utility will check the contexts of the files and match those against the contexts that are defined in the SELinux policy. It uses a special mapping algorithm to make sure that it matches the expression that is most likely applicable to the file, checks its should-be context against the existing context and, if it doesn't match, changes the context of the file. … Although there are a few more rules to it, the above ones are the simplest to explain for now and suffice in 99.9% of the cases where you need to know this. You can also use the findcon utility to display all matching expressions. As far as we can tell, the lowest returned value is the one that will be picked (but I'm not sure, so use matchpathcon in these cases if you really want to be sure).] the target object with said one from the plurality of candidate labels according to an accessed number corresponding to each of the plurality of candidate labels.  
Drepper and Chen are considered to be analogous to the claimed invention because they are in the same field of computer security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Drepper to incorporate the teachings of Chen to provide a method to build file context definitions and apply context on file [Chen, page 2].

Regarding claim 1017,  the combination of Drepper and Marom discloses the system for generating security policy of operating system of claim 16, wherein, in the plurality of operations, labeling the target object with the default label, the reference label, or said one of the plurality of candidate labels according to the comparison result and the type of the target object comprises: 
labeling [Marom, Col. 15, lines 13 – 35, Accordingly, when one known target secure operating system resource R1, R2, or RN 103 has a policy for its security-enhanced operating system tool, the same policy may be applied to one or more other cloud resources that are deemed similar to it (e.g., in operation 603). Further, as discussed above in connection with FIGS. 3-5, various updates may be made to policies based on system learning and optimization.] the target object with the reference label when the comparison result shows that 15the target attribute and the reference attribute are identical; 
determining [Drepper, [0035] If the file name and the file attribute are not included in the tracking data (block 309), the asynchronous attribute system determines the current setting for the file attribute at block 311. The asynchronous attribute system can execute a command or system call to access the file in the file system to determine the current attribute setting for the requested file.] whether the type of the target object is program when the comparison result shows that the target attribute and the reference attribute are different; 
labeling [Drepper, [0038] In one embodiment, if the current file attribute setting is correct (e.g., file2 has a current attribute setting that matches the expected attribute setting), the asynchronous attribute system updates the tracking data at block 319 and sends a notification to the FA notification system at block 321.] the target object with the default label when the type of the target object is not program; and 
20performing [Drepper, [036] At block 313, the asynchronous attribute system determines the expected (correct) setting for a file attribute for a file. The system can execute a command to run a utility that generates and returns the expected file attribute setting. The utility can use expected attribute data, such as policy rules, templates, configuration files, etc., that is stored in a data store that is coupled to the asynchronous attribute system to determine the expected file attribute setting. The expected attribute data can be a data structure which the utility can query. For example, the asynchronous attribute system can execute a `matchpathcon` command, which queries the expected attribute data, generate the expected attribute setting, and return the expected attribute setting (e.g., the expected file label setting) for the file.] an analysis procedure to generate the plurality of candidate labels when the type of the target object is program, and 
Drepper in view of Marom does not appear to explicitly disclose labeling the target object with said one from the plurality of candidate labels according to an accessed number corresponding to each of the plurality of candidate labels.
However, Chen discloses labeling [Once we've established the security context for files in the SELinux policy, we still need to actually apply the context to the files by storing it in their extended attributes. This is where the restorecon utility comes into play. The restorecon utility will check the contexts of the files and match those against the contexts that are defined in the SELinux policy. It uses a special mapping algorithm to make sure that it matches the expression that is most likely applicable to the file, checks its should-be context against the existing context and, if it doesn't match, changes the context of the file. … Although there are a few more rules to it, the above ones are the simplest to explain for now and suffice in 99.9% of the cases where you need to know this. You can also use the findcon utility to display all matching expressions. As far as we can tell, the lowest returned value is the one that will be picked (but I'm not sure, so use matchpathcon in these cases if you really want to be sure).] the target object with said one from the plurality of candidate labels according to an accessed number corresponding to each of the plurality of candidate labels.
Drepper and Chen are considered to be analogous to the claimed invention because they are in the same field of computer security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Drepper to incorporate the teachings of Chen to provide a method to build file context definitions and apply context on file [Chen, page 2].

Conclusion
Claims 6 and 7 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEONGSOOK YI whose telephone number is (571)272-9407. The examiner can normally be reached Monday-Friday 8:00 am - 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/J.Y./Examiner, Art Unit 2496                                                                                                                                                                                                        

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496