Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is in response to the communication filed on 10/31/2022.
Claims 1, 3-4, 6-11, 13, 14, 16-24 are examined and rejected.
Claims 2, 5, 12, 15 are cancelled.

Information Disclosure Statement
The Information Disclosure Statement (IDS) submitted on 12/1/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the IDS has been considered by the Examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s) as explained below. See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Double Patent Analysis of Instant application 17,539,658 and US Patent 11,366,680.
Claims 1, 3-4, 6-11, 13, 14, 16-24 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-17 of U.S. Patent 11,366,680. Although the conflicting claims are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is covered by the U.S. Patent 11,366,680.
This is a provisional non-statutory double patenting rejection. The assignee of the application and the patent is the same.
Exemplary claim 1 with the substantive differences between the conflicting claim 1 identified in bold / underlined is outlined below in the following comparison table.

Claim Comparison Table
Instant Application 17,539,658 (first claim below) and US Patent 11,366,680 (second claim below)
1. (Currently Amended) A method, comprising: 
training a machine learning model with a plurality of discrete behaviors at a cloud native virtual machine (VM) and indications of each of the plurality of discrete behaviors being associated with at least one of background activities and interactive activities in a plurality of activities as inputs, wherein the machine learning model is trained to detect normal behavior based on indications of each of the plurality of discrete behaviors relating to normal or abnormal behavior, wherein each of the plurality of discrete behaviors is further associated with one or more services running on the cloud native VM: 
creating a normal behavior model for a cloud native VM according to discrete behaviors indicated as normal by the trained machine learning model, wherein the normal behavior model defines capabilities of the one or more a services that indicates discrete behaviors allowed by the one or more services; and 
monitoring an execution of the cloud native VM to detect a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the one or more services that is not among the discrete behaviors defined in a capability by the normal behavior model.

1. A method for cloud native virtual machine (VM) runtime protection, comprising: 
identifying each activity of a plurality of training activities as any of an interactive activity and a background activity, wherein the identification further comprises differentiating interactive activities from background activities, wherein each interactive activity involves interactions with a user, wherein each background activity does not involve interaction with the user; 
creating a normal behavior model for a cloud native VM by training a machine learning model using a training data set including a plurality of training activities performed by the cloud native VM, the cloud native VM being configured to provide at least one service, wherein the normal behavior model defines at least one capability of each of the at least one service based on a set of capabilities for respective known services stored within a library of service-to-capability mappings, wherein each capability of a service indicates a plurality of discrete behaviors required by the service, wherein the normal behavior model is created based further on the identifications of the training activities by providing the identification of each activity as training data to be input to a machine learning algorithm used for training the normal behavior model; and 
monitoring an execution of the cloud native VM to detect a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the at least one service that is not among the discrete behaviors defined in the at least one capability for the service.





Claim 1 and the independent claim(s) of the instant application are broader in all respects than conflicting claim 1 and the independent claim(s) of U.S. Patent 11,366,680. It is clear that all the elements of the independent claims of the instant application are to be found in the independent claims of the patent. The difference between the instant application claims and the patent claims lies in the fact that the patented claim includes more elements and is thus more specific.
For example, claim 1 of the instant application recites “monitoring cloud VM (virtual machine) model and its behavior of background, discrete, normal, abnormal – behaviors with machine learning and measuring deviation from normal behavior model along with other steps”; similarly, claim 1 of the patent recites all steps of instant application claim 1 along with “wherein the normal behavior model defines at least one capability of each of the at least one service based on a set of capabilities for respective known services stored within a library of service-to-capability mappings” and other steps. Thus, claim 1 and the independent claim(s) of the instant application are broader.
The pending claims of the instant application are generic to the species of patent ‘680. Thus, the generic invention is ‘anticipated’ by the species of the patented invention and the instant application claims are generic to the species of invention covered by the patent claim. Therefore, they are not patentably distinct from each other.
This is a non-statutory obviousness-type double patenting rejection since the conflicting claims have been patented.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3, 4, 6, 7, 10, 11, 13, 14, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication 2018/0083833 to Zoll et al. (hereinafter known as “Zoll”) in view of U.S. Publication 2018/0309770 to Han et al. (hereinafter known as “Han”).

As per claim 1 Zoll teaches, a method, comprising: 
training a machine learning model with a plurality of discrete behaviors at a cloud native virtual machine (VM) (Zoll para 66-67 teaches JVM java virtual machine and training data for predictive models with machine learning) and indications of each of the plurality of discrete behaviors being associated with at least one of background activities and interactive activities in a plurality of activities as inputs, wherein the machine learning model is trained to detect normal behavior based on indications of each of the plurality of discrete behaviors relating to normal or abnormal behavior (Zoll para 128 and 139 teaches services of cloud infrastructure as security and identity services, integration service, enterprise repository service, virus scanning, white list service and other services. Further para 74-75, 78 teaches normal ranges and limits of cloud services and device (virtual machines) such as normal data of JVM (virtual machine) such as – timestamp, values of key performance, database calls and CPU utilization, which covers the claimed function), wherein each of the plurality of discrete behaviors is further associated with one or more services running on the cloud native VM (Zoll para 128-129 teaches cloud service of secure access to storage, a hosted database, and other services which requires password protected access to remote secure storage in cloud. Examiner interprets that remote secure access (password based access) and access to storage / data is similar to function of service with discrete behavior (service is storage of data and discrete behavior is password and access to data)):
creating a normal behavior model for a cloud native VM according to discrete behaviors indicated as normal by the trained machine learning model, wherein the normal behavior model defines capabilities of the one or more a services that indicates discrete behaviors allowed by the one or more services; and monitoring an execution of the cloud native VM to detect a deviation from the normal behavior model (Zoll para 67-68 teaches monitoring of data in JVM (virtual machine), para 59-60 teaches detection of model data based on threshold level compared to its established level. Examiner interprets that tracking / analysis of data in view of established level and its threshold level is similar to detection of deviation from the normal behavior model), 
Zoll does not teach; however, Han teaches,
wherein the deviation is caused by at least one abnormal behavior of one of the one or more services that is not among the discrete behaviors defined in a capability by the normal behavior model (Han Fig 1 steps 5-8 teaches detection of abnormal activity in virtual machine and para 74 teaches detection of standard deviation in virtual machine, para 3 teaches service of data security by cloud service and detection of internal or external virus as abnormal activity in virtual machine (Step 1 para 12). In summary Han Fig 1 teaches detection of abnormal activities from data collection for the functions of virtual machine such as CPU use ratio, waiting time, memory use ratio (para 45) which covers claimed function).  
Zoll teaches context aware prognosis in monitored target in machine learning systems along with detection of normal behavior and training data models to detect behavior of device (Zoll abstract and Fig 1). Zoll does not teach; however, Han teaches detection of abnormal behavior with deviation from capacity of service (Han Fig 1 steps 5-8).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Zoll - Han before him or her, to combine, Zoll’s target (device) monitoring in machine learning system to detect any threshold behavior with Han’s detection of abnormal activity in device in cloud service. The suggestion/motivation for doing so would have been to detect and remove the anomalies as to guarantee use of normal virtual machines in cloud system (para 5). 
As per claim 3 combination of Zoll – Han teaches, the method of claim 1, wherein the normal behavior model is created based further on at least one behavioral rule, wherein each behavioral rule includes at least one of an explicitly allowed behavior for one of the one or more services (Zoll para 30 classification of behavior into normal, abnormal, anomalous or fault behavior. Examiner interprets that normal behavior is similar to allowed behavior of service), and at an explicitly denied behavior for one of the one or more services (Zoll para 60 Fig 3 element 314b and c – upon identifying malware / culprit / victim in cluster – system can stop the service which is similar to claimed function of denying the service).  

As per claim 4 combination of Zoll – Han teaches, the method of claim 1, wherein training the machine learning model further comprises: associating each of the plurality of discrete behaviors with one of the plurality of activities at the cloud native VM: and identifying each activity of the plurality of  activities as at least one of an interactive activity (Zoll Fig 1 element 116, 118 and 120 where collection of data of each component and subcomponent is based on categories of data of each component (interpreted as identifying activity based on categories). Further element 120 teaches collection of data at component level. Para 35-37 teaches analysis of device data at component such as component level includes database logging or database waiting time data analysis. Examiner interprets that component level is similar to claimed function of interactive activity such as interface function or access waiting time) and a background activity (Zoll Fig 1 element 116 and 118 where element 118 teaches collection of data at sub-component level. Para 35-37 teaches analysis of device data at sub-component level such as data analysis at granular level such as SQL statements, sessions etc. Examiner interprets that sub-component level is similar to claimed function of background activity or granular level such as SQL statement analysis or session level).  

As per claim 6 combination of Zoll – Han teaches, the method of claim 1, wherein the plurality of discrete behaviors include at least one of running a process, using an input argument for a process, and accessing a file path (Zoll para 69-71 teaches data analysis / training – para 70 teaches collection of data and transferring of data with SQL procedures. Examiner interprets that data analysis with SQL procedure (programming language) covers the ‘at least one of’ claimed limitation; for example, Zoll para 69-71 teaches SQL procedure interpreted as process and SQL statements interpreted as input argument, which covers claimed function).
As per claim 7 combination of Zoll – Han teaches, the method of claim 1, wherein creating the normal behavior model further comprises: correlating among the plurality of discrete behaviors (Zoll para 31 teaches rule based association of various models for data analysis) for the one or more services with respect to at least one of a parameter used for a process executed as part of the plurality of discrete behaviors (Zoll para 44 teaches set of nodes for data collection. Para 147 teaches data collection includes files, directories, applications which cover claimed function), a socket used as part of the plurality of discrete behaviors, and a type of file created as part of the plurality of discrete behaviors; and indicating correlated discrete behaviors in capabilities for corresponding ones of the one or more services (Zoll Fig 1 elements 104a-c para 22-23 teaches nodes in system for data collection. Further para 147 includes files from communication ports which are interpreted by examiner as sockets in claimed function, to analyze data of their behavior into normal, fault or anomaly behavior).
Claim 10,
Claim 10 is rejected in accordance with claim 1.
Claim 11,
Claim 11 is rejected in accordance with claim 1.

Claim 13,
Claim 13 is rejected in accordance with claim 3.
Claim 14,
Claim 14 is rejected in accordance with claim 4.
Claim 16,
Claim 16 is rejected in accordance with claim 6.
Claim 17,
Claim 17 is rejected in accordance with claim 7.

As per claim 20 combination of Zoll-Han teaches, the method of claim 1, wherein the capabilities of the one or more services comprises hierarchical structure indicating an identifier of the cloud native VM at a top level, an identifier of one of the one or more services at a sub-level, an identifier of a capability at a further sub-level, and a list of allowed behaviors at a further sub-level  (Zoll Fig 1 element 116, 118 and 120 where collection of data of each component and subcomponent is based on categories of data of each component (interpreted as identifying activity based on categories). Further element 120 teaches collection of data at component level. Para 35-37 teaches analysis of device data at component such as component level includes database logging or database waiting time data analysis. Examiner interprets that component level is similar to claimed function of interactive activity such as interface function or access waiting time. Para 44 teaches set of nodes for data collection. Para 147 teaches data collection includes files, directories, applications which cover claimed function).  

Claim 21,
Claim 21 is rejected in accordance with claim 7.
Claim 22,
Claim 22 is rejected in accordance with claim 4.
Claim 23,
Claim 23 is rejected in accordance with claim 6.
Claim 24,
Claim 24 is rejected in accordance with claim 7.

Claims 8, 9, 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication 2018/0083833 to Zoll et al. (hereinafter known as “Zoll”) in view of U.S. Publication 2018/0309770 to Han et al. (hereinafter known as “Han”) and further in view of U.S. Publication 2016/0350173 to Ahad et al. (hereinafter known as “Ahad”).
As per claim 8 combination of Zoll-Han teaches, the method of claim 1. 
Zoll-Han does not teach; however, Ahad teaches,
uploading the normal behavior model to a cloud service, wherein the normal behavior model is accessible to installations accessing the cloud service when uploaded to the cloud service (Ahad para 88 teaches user defining attributes of system behavior and updating the configuration to cloud system element 100. Para 88 teaches that system attributes and bounds for metrics for normal system behavior are updated by user in cloud infrastructure system. Further para 142 teaches installation of configured / updated parameters in system, which covers claimed function).  
Zoll-Han teaches monitoring of target in machine learning systems with detection of abnormal behavior with deviation from capacity of service. Zoll-Han does not teach; however, Ahad teaches uploading the normal behavior model to a cloud service (para 43). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Zoll-Han before him or her, to combine Zoll-Han’s device monitoring in machine learning system with abnormal detection with Ahad’s update of normal behavior model to cloud service. The suggestion/motivation for doing so would have been to correct potential anomalies in a timely manner (para 7).
As per claim 9 combination of Zoll-Han - Ahad teaches, the method of claim 8, wherein the uploaded normal behavior model is manually curated for use with respect to a common service executed by at least one other cloud native VM, wherein the common service is one of the one or more services  (Ahad para 88 teaches updates of normal system metrics of system data such as user access data in cloud system. Ahad para 10 and 149 teaches manual updates to system policies by authorized personnel. Para 6 and 7 teaches cloud computing modules and virtual machine(s) which covers the claimed limitation of manual curation of common service). 
Zoll-Han teaches monitoring of target in machine learning systems with detection of abnormal behavior with deviation from capacity of service. Zoll-Han does not teach; however, Ahad teaches manual updates to system policies / profiles (para 88). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Zoll-Han before him or her, to combine Zoll-Han’s device monitoring in machine learning system with abnormal detection with Ahad’s manual updates to system policies / profiles. The suggestion/motivation for doing so would have been to fine-grain detection of anomalies to identify precursor events and to reduce corrective action latency (para 10).
Claim 18,
Claim 18 is rejected in accordance with claim 8.
Claim 19,
Claim 19 is rejected in accordance with claim 9.

Conclusion
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Zoll et al US Publication 2018/0083833
Han et al US Publication 2018/0309770
Ahad et al US Publication 2016/0350173 
Levin et al US Patent 11,366,680
Mesdaq et al US Patent 9,294,501
Weinstein et al US Patent 8,935,793
Tora et al US Patent 10,776,487 
Malik et al US Patent 10,210,329

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIRAL S LAKHIA whose telephone number is (571)270-3363.  The examiner can normally be reached on 8 am - 6 pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/VIRAL S LAKHIA/Examiner, Art Unit 2431