ETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office Action is in response to Application 16607747 filed on 10/24/2019. Claims 1 and 13 are independent claims. Claims 2, 4-6, 8, 10-11 and 16-19 was currently amended via the preliminary amendments. Claims 1-20 have been examined and are pending in this application. This Office Action is made Non-Final.
	

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 6-14 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Shen et al. (“Shen,” US 20220038368, filed on 08/30/2020) in view of Smith et al. (“Smith,” US 11277436, filed on 06/24/2019)
Regarding Claim 1;	
a method executed by circuitry for monitoring a software platform including multiple pods that manage, deploy, and execute micro services, the method comprising (par 0007; the module maps the source and destination addresses to specific Kubernetes concepts (e.g., pods executing on that container host); par 0048; receives updates from the CNI controller when network policies are created, removed, or modified (again, either by monitoring for updates at the CNI controller, or by the controller pushing such updates to all of the agents that require the updates). The agent generates and installs new flow entries in OVS to implement these network policies for the local pods): 
identifying using the circuitry at least one pod of interest of the software platform (par 0056; Kubernetes supports multiple platforms for the nodes; par 0061; identifying flow entries used by the forwarding element of the particular node related to a particular container cluster concept (e.g., a Kubernetes abstraction, such as a pod) requested by a user); 
generating at least one monitoring pod (par 0047; the CNI agent generates and installs the necessary networking flow entries for this network address in one of the OVS daemons; par 0062; CNI agent executing on a node (e.g., the agent executing within a daemonset pod on a node));
for each of the at least one pod of interest, positioning one of the at least one monitoring pod in association with the pod of interest using the circuitry, such that: transactions received by the pod of interest are first received by the monitoring pod; and/or transactions sent by the pod of interest to a peer pod are first received by the monitoring pod before reaching the peer pod (par 0061; figs. 3 and 4; identifying flow entries used by the forwarding element of the particular node related to a particular container cluster concept (e.g., such as a pod) requested by a user; par 0062; CNI agent executing on a node (e.g., the agent executing within a daemonset pod on a node) [] the data transfer involved in different scenarios of one or more agents responding to requests (either directly from the command line interface or via the controller); par 0064; execute within the daemonset and the OVS bridge executes outside of the pods and provides connectivity for the pods [] mapping data stores data about the Kubernetes cluster that can be used for responding to flow entry requests. For instance, the mapping data include network addresses associated with specific pods, which network policies apply to which pods);
identifying using the circuitry at least one sending pod from the at least one monitoring pod (par 0064; the mapping data include network addresses associated with specific pods, which network policies apply to which pods; par 0066; the process uses the data stored regarding the locally installed flow entries to identify flow entries realized on the node that relate to the particular Kubernetes concept specified in the request; par 0093; the process is performed by a connection exporter operating on a node (e.g., the flow exporter module executing within a daemonset pod on a node)), 
wherein the sending pod is configured to communicate with a security program executed by a processor (par 0086; figs. 8 and 11; the flow exporter exports this connection information with mapping data to the flow aggregation, monitoring, and visualization components; par 0087; forwards this aggregated data to one or more collectors and/or visualizers outside of the cluster that are accessed by users); and 
for each transaction received by a monitoring pod: determining if the received transaction includes a unique identifier (par 0064; provides connectivity for the pods [] mapping data stores data about the Kubernetes cluster that can be used for responding to flow entry requests; par 0109; identify the flow entries [] determine whether actual data messages with similar characteristics are being properly processed by the cluster and correctly reaching their destinations); 
when the received transaction does not include a unique identifier, adding a unique identifier to identifying information attached to the received transaction (par 0088; add Kubernetes mapping data if that data is not available at the CNI agent [] for example, the CNI agent only has the pod names for each IP address, but does not store information mapping every pod in the cluster to the node on which that pod executes [] the aggregator adds its own Kubernetes concepts mapping data in addition to the mapping data received from the flow exporters);  
adding a defined characteristic for the monitoring pod to the identifying information of the transaction (par 0088; the aggregator adds its own Kubernetes concepts mapping data in addition to the mapping data received from the flow exporters; par 0107; flow tracing operations allow one or more forwarding elements in the cluster to simulate the processing of a data message with pre specified characteristics in order for an administrator or application developer to determine which flow entries act upon the data message); and 
when the monitoring pod is one of the at least one sending pods, sending the identifying information of the transaction to the security program (par 0062; CNI agent executing on a node (e.g., the agent executing within a daemonset pod on a node); par 0064; execute within the daemonset and the OVS bridge executes outside of the pods and provides connectivity for the pods [] mapping data stores data about the Kubernetes cluster that can be used for responding to flow entry requests. For instance, the mapping data include network addresses associated with specific pods, which network policies apply to which pods; par 0086; the flow exporter exports this connection information with mapping data to the flow aggregation, monitoring, and visualization components).
Shen disclose sending the identifying information of the transaction to components as recited above, but do not explicitly disclose sending to the security program.
However, in an analogous art, Smith discloses identifying and mitigating harm from malicious network connections by a container system/method that includes:
sending to the security program (Smith: Col 7, lines 41-46; send and the security application receive, notifications of all network connections that a container has sought to establish through a shim, which may include an IP address of another device with which the container seeks to communicate over the network connection).
 Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Smith with the method/system of Shen to include sending to the security program. One would have been motivated to monitor all actual network connections established by the container for comparing the notifications to the actual network connections to determine whether any actual network connection established by the container (Smith: abstract).
	
Regarding Claim 2;
The combination of Shen and Smith disclose the method of claim 1, 
Shen discloses performing a security review of the identifying information received, the security review including: identifying any matched rules from a set of predefined rules that are satisfied by the defined characteristics included in the received identifying information (Shen: par 0106; fig. 7; received from the flow exporters and provide the connection and mapping data to additional monitoring and/or visualization components in the cluster [] these components visualize all of the connections and applied network policies within the cluster; par 0107; simulate the processing of a data message with pre-specified characteristics; par 0127; defines the parameters of the simulated packet to be used for flow tracing. The flow tracing operation, simulates the processing of a sample data message to enable a user to identify the flow entries installed on one or more forwarding elements that would be matched by an actual data message having the same characteristics); and generating and outputting a security report based on the identified matched rules (Shen: par 0107; simulate the processing of a data message with pre-specified characteristics; par 0127; defines the parameters of the simulated packet [] to identify the flow entries installed on one or more forwarding elements that would be matched by an actual data message having the same characteristics; par 0137; the process aggregates this information and mapping data from the one or more nodes into a report and provides the report to the user interface. this report may be a summary of the operations that each of the forwarding elements performs, while in other embodiments the report includes all of the raw flow entries as well as mapping data for some or all of the elements of the flow entries).   
Smith further discloses received by the security program (Smith: Col 7, lines 41-46; send and the security application receive, notifications of all network connections that a container has sought to establish through a shim, which may include an IP address of another device with which the container seeks to communicate over the network connection).
One would have been motivated to monitor all actual network connections established by the container. The method may further include comparing the notifications to the actual network connections to determine whether any actual network connection established by the container (Smith: abstract).


Regarding Claim 6; 
The combination of Shen and Smith disclose the method of Claim 1,
Shen discloses wherein the at least one sending pod is identified based on properties of the identifying information of the transaction (Shen: par 0064; execute within the daemonset and the OVS bridge executes outside of the pods and provides connectivity for the pods [] mapping data stores data about the Kubernetes cluster that can be used for responding to flow entry requests. For instance, the mapping data include network addresses associated with specific pods, which network policies apply to which pods);.  

Regarding Claim 7;
The combination of Shen and Smith disclose the method of claim 6, 
Shen discloses wherein a receiving pod that receives the transaction self identifies as one of the at least one sending pods when at least one of: a size of the identifying information of the received transaction surpasses a size threshold; or the identifying information of the received transaction includes a predetermined defined characteristic (Shen: par 0107; the agents on the nodes in a cluster also enable flow tracing and relate flow entries matched in a flow tracing operation to Kubernetes concepts. Flow tracing operations allow one or more forwarding elements in the cluster to simulate the processing of a data message with pre- specified characteristics in order for an administrator or application developer to determine which flow entries act upon the data message (a flow tracing data message having the specified characteristics).

Regarding Claim 8;
The combination of Shen and Smith disclose the method of claim 1,
Shen discloses wherein the at least one sending pod is identified based on a position of the at least one sending pod within the software platform (par 0061; figs. 3 and 4; identifying flow entries used by the forwarding element of the particular node related to a particular container cluster concept (e.g., such as a pod) requested by a user; par 0062; CNI agent executing on a node (e.g., the agent executing within a daemonset pod on a node) [] the data transfer involved in different scenarios of one or more agents responding to requests (either directly from the command line interface or via the controller); par 0064; execute within the daemonset and the OVS bridge executes outside of the pods and provides connectivity for the pods [] mapping data stores data about the Kubernetes cluster that can be used for responding to flow entry requests. For instance, the mapping data include network addresses associated with specific pods, which network policies apply to which pods);
  
Regarding Claim 9
The combination of Shen and Smith disclose the method of claim 8, 
Shen discloses wherein a receiving pod that receives the transaction self identifies as one of the at least one sending pods when the received transaction will not be sent to any additional pods in the software platform after the received transaction is processed by the receiving pod (Shen: par 0063; fig. 2; receiving a request for information about flow entries associated with a particular Kubernetes concept in a cluster. The request may relate to a particular network policy (i.e., a declared Kubernetes network policy), or a specific entity in the cluster (e.g., a particular pod, node, or service); par 0066; the process uses the data stored regarding the locally installed flow entries to identify flow entries realized on the node that relate to the particular Kubernetes concept specified in the request. That is, the agent identifies flow entries realized by the OVS instance executing on the node that match the request. As mentioned, the request could relate to a specific network policy, a specific pod, etc.; par 0068; determines whether additional identified flow entries remain. If more flow entries remain, the process returns to select another flow entry identified as responsive to the request for processing).

Regarding Claim 10;
The combination of Shen and Smith disclose the method of claim 1, 
Shen discloses wherein the transaction is a network packet and the identifying information is stored in a header of the network packet (Shen: par 0121; The forwarding element on the node receives the flow trace data packet and also processes the packet. The agent on this node also generated and installed modified flow entries for the flow tracing operation on the forwarding element. Using these flow entries, the forwarding element processes the flow trace data packet having identified the packet as a flow trace packet based on the flow trace characters embedded in the encapsulating tunnel header of the packet as received). 

Regarding Claim 11;
The combination of Shen and Smith disclose the method of claim 1, 
Shen discloses wherein the identifying information is predefined codes associated with characteristics of the transaction (Shen: par 0106; received from the flow exporters and provide the connection and mapping data to additional monitoring and/or visualization components in the cluster; par 0107; simulate the processing of a data message with pre-specified characteristics; par 0127; defines the parameters of the simulated packet to be used for flow tracing. The flow tracing operation, simulates the processing of a sample data message to enable a user to identify the flow entries installed on one or more forwarding elements that would be matched by an actual data message having the same characteristics)

Regarding Claim 12;
The combination of Shen and Smith disclose the method of claim 11, 
Shen discloses wherein the characteristics include at least one of: source address and port, destination address and port, source protocol, destination protocol, source micro service application, destination micro service application, source micro service type, destination micro service type, source data classification, destination data classification, order and time interval of flow in various sidecars in the software platform, or credentials used to process and execute the transaction by the micro service (Shen: par 0109; receiving a flow tracing operation request from a controller specifying characteristics of a flow tracing packet [] identify the flow entries installed on one or more forwarding elements that are matched by the sample data message. This enables a user to determine whether actual data messages with similar characteristics are being properly processed by the cluster and correctly reaching their destinations; par 0112; These flow trace characters are, e.g., a specific marker that is included in the flow tracing packet so that the flow entries identify the packet as a flow trace packet for the particular trace operation).

Regarding Claim 13;
This Claim recites an electronic device that perform the same steps as method of Claim 1, and has limitations that are similar to Claim 1, thus are rejected with the same rationale applied against claim 1.  

Regarding Claim 14;
This Claim recites an electronic device that perform the same steps as method of Claim 2, and has limitations that are similar to Claim 2, thus are rejected with the same rationale applied against claim 2.  




Regarding Claim 18;
This Claim recites an electronic device that perform the same steps as method of Claim 8, and has limitations that are similar to Claim 8, thus are rejected with the same rationale applied against claim 8.  

Regarding Claim 19;
This Claim recites an electronic device that perform the same steps as method of Claim 11, and has limitations that are similar to Claim 11, thus are rejected with the same rationale applied against claim 11.  

Regarding Claim 20;
This Claim recites an electronic device that perform the same steps as method of Claim 12, and has limitations that are similar to Claim 12, thus are rejected with the same rationale applied against claim 12.  

Claims 3 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Shen et al. (US 20220038368) in view of Smith et al. (US 11,277,436) and further in view of Zhang et al. (“Zhang,” US 20150249684, published on 09/03/2015)

Regarding Claim 3;
The combination of Shen and Smith disclose the method of claim 2, 
The combination of Shen and Smith disclose all the limitations as recited above, but do not explicitly disclose wherein: the predefined rules include at least one sequential rule; the at least one sequential rule includes an ordered sequence of defined characteristics; and the received identifying information matches the at least one sequential rule when the received identifying information includes the defined characteristics of the at least one sequential rule in a same order as the at least one sequential rule.  
However, in an analogous art, Zhang discloses policy updates system/method that includes:
wherein: the predefined rules include at least one sequential rule (Zhang: par 0107; matching component then sorts the rules in the identified policies that are to be applied to this compliance item. It then compares the predicates and conditions in the selected rule against the compliance item to see whether they match); the at least one sequential rule includes an ordered sequence of defined characteristics (Zhang: par 0107; matching component then sorts the rules in the identified policies); and the received identifying information matches the at least one sequential rule when the received identifying information includes the defined characteristics of the at least one sequential rule in a same order as the at least one sequential rule (Zhang: par 0107; matching component then sorts the rules in the identified policies that are to be applied to this compliance item. It then compares the predicates and conditions in the selected rule against the compliance item to see whether they match [] if the predicates and conditions do match the compliance item, then the actions associated with the matching rules are identified and applied).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Zhang with the method/system of Shen and Smith to include wherein: the predefined rules include at least one sequential rule; the at least one sequential rule includes an ordered sequence of defined characteristics; and the received identifying information matches the at least one sequential rule when the received identifying information includes the defined characteristics of the at least one sequential rule in a same order as the at least one sequential rule. One would have been motivated to generate a compliance policy update. This can be to add one or more new compliance policies or rules, to delete them or to modify them. In any case, policy CRUD system provides functionality that allows user 150 to do that. The policies are represented by a unified schema that is the same across all different workloads (Zhang: par 0030).
	
Regarding Claim 15;
This Claim recites an electronic device that perform the same steps as method of Claim 3, and has limitations that are similar to Claim 3, thus are rejected with the same rationale applied against claim 3.  

Claims 4 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Shen et al. (US 20220038368) in view of Smith et al. (US 11,277,436) and further in view of Oppenheim et al. (“Oppenheim,” US 20160294800, published on 10/06/2016)

Regarding Claim 4;
The combination of Shen and Smith disclose the method of claim 2, 
The combination of Shen and Smith disclose all the limitations as recited above, but do not explicitly disclose wherein the generating of the report includes adding to the report remedial security measures associated with the matched rules.  
However, in an analogous art, Oppenheim discloses infrastructure analyzer system/method that includes:
wherein the generating of the report includes adding to the report remedial security measures associated with the matched rules (Oppenheim: par 0021; generate operational risk reports [] reports may include descriptions of current operational risk issues, aggregations and prioritizations of risk issues for various systems, calculations of severity and probability, and remedial information and recommendations relating to the operational risk issues; par 0105; remedial information associated with the rule)
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Zhang with the method/system of Shen and Smith to include wherein the generating of the report includes adding to the report remedial security measures associated with the matched rules. One would have been motivated to risk analyses and reports include description of current operational risk issues, aggregations and prioritizations of risk issues for various systems, calculations of severity and probability, and remedial information and recommendations relating to the operational risk issues (Oppenheim: abstract).

Regarding Claim 16;
This Claim recites an electronic device that perform the same steps as method of Claim 4, and has limitations that are similar to Claim 4, thus are rejected with the same rationale applied against claim 4.  

Claims 5 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Shen et al. (US 20220038368) in view of Smith et al. (US 11,277,436) and further in view of Nilton et al. (Leveraging the Serverless Architecture for Securing Linux Containers, 2017 IEEE 37th International Conference on Distributed Computing Systems Workshop)

Regarding Claim 5;
The combination of Shen and Smith disclose the method of claim 2, 
The combination of Shen and Smith disclose all the limitations as recited above, but do not explicitly disclose identifying an unsecure monitoring pod based on the security report and either: passing instructions to the unsecure monitoring pod to secure the software platform, such that the unsecure monitoring pod no longer passes along transactions received by the unsecure monitoring pod; or injecting an attack configured to be detected by a security mechanism of the software platform, such that the security mechanism limits the transactions received by the pod associated with the unsecure monitoring pod.  
However, in an analogous art, Nilton discloses securing linux container system/method that includes:
identifying an unsecure monitoring pod based on the security report and either: passing instructions to the unsecure monitoring pod to secure the software platform, such that the unsecure monitoring pod no longer passes along transactions received by the unsecure monitoring pod; or injecting an attack configured to be detected by a security mechanism of the software platform, such that the security mechanism limits the transactions received by the pod associated with the unsecure monitoring pod (Nilton: pages 2-3; fig. 2; agents are deployed across all kubernetes cluster nodes. VS periodically ingests threat data from industry knowledge bases and evaluates them against the packages, files and configurations found in scanned containers. The scanner produces reports that identify specific software package versions in the container with disclosed vulnerabilities, and specific issues with the container configurations (e.g. insecure remote shell set up in the container []vulnerability findings and may trigger action invocations to the OpenWhisk API endpoints registered for the kubernetes cluster []provides a platform on which to implement ad hoc policies that automate remediation of newly discovered vulnerabilities or security issues in containers).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Zhang with the method/system of Shen and Smith to include identifying an unsecure monitoring pod based on the security report and either: passing instructions to the unsecure monitoring pod to secure the software platform, such that the unsecure monitoring pod no longer passes along transactions received by the unsecure monitoring pod; or injecting an attack configured to be detected by a security mechanism of the software platform, such that the security mechanism limits the transactions received by the pod associated with the unsecure monitoring pod. One would have been motivated to scan the containers and their images for potential threats so that when a threat is detected, an event may be generated to (1) quarantine or terminate the compromised container(s) and optionally (2) remedy the vulnerability by rebuilding a secure image (Nilton: abstract).

Regarding Claim 17;
This Claim recites an electronic device that perform the same steps as method of Claim 5, and has limitations that are similar to Claim 5, thus are rejected with the same rationale applied against claim 5.  




Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/C.W./Examiner, Art Unit 2439  


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439