DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.	This action is in response to the following communication: Non-provisional Application No. 17/509,289 filed on 10/25/2021.

3.	Claims 1-20 are pending.  

Claims 1, 8 and 15 are independent claims.  

Specification Objection
4.	Status of related applications listed on pg. 1 should be updated.

Allowable Subject Matter 
5.	Claims 7, 14 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all the limitations of the base claim and any intervening claims.
	The following is a statement of reasons for the indication of allowable subject matter:  As per claims 7, 14 and 20, prior art of record does not teach and/or fairly suggest “identifying, through the user interface of the management service, a selection of a user interface element that indicates the anomaly is an acceptable behavior of the gateway virtual machine; generate, by the management service, an updated baseline behavior profile based on data describing the anomaly, wherein the updated baseline behavior profile permits the anomaly as an acceptable behavior; and transmit, by the management service to the gateway security process, a command to apply the updated baseline behavior profile”.

Claim Rejections - 35 USC § 103

6.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

7.	Claims 1-5, 8-10, 12, and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Chander et al.,  U.S. Patent No. 11,457,047 (hereinafter Chander) in view of Kumar et al.,  US 2013/0298243 (hereinafter Kumar). 
   In regards to claim 1, Chander teaches: 
A system, comprising: at least one computing device comprising at least one processor; and at least one data store comprising instructions executed by the at least one processor, wherein the instructions, when executed by the at least one processor, cause the at least one computing device to at least: transmit, from a management service to a gateway security process executed in a gateway device, a baseline behavior profile for a gateway virtual machine executed by a gateway hypervisor of the gateway device (Abstract, see a computer-implemented method of managing security services for one or more cloud computing platforms is disclosed. The method comprises receiving, by a security gateway system having a processor, a digital communication related to one of one or more computing applications hosted by a virtual cluster … the security gateway system residing within the cloud computing platform, the security gateway system performing network security gateway functions for the one or more computing applications. The method also comprises storing the digital communication in association with a timestamp in a storage device) (emphasis added).
receive, by the management service from the gateway device, an anomaly notification comprising an indication that the gateway virtual machine is associated with an anomaly from the baseline behavior profile (Abstract, see the method further comprises receiving a piece of threat intelligence data indicating a security threat from a main controller residing outside the virtual cluster; storing the piece of threat intelligence data in a database; and determining whether the piece of threat intelligence data applies to any of the digital communications in the storage device).
Chander doesn’t explicitly teach:
generate, by the management service, a user interface comprising a description of the anomaly from the baseline behavior.
However, Kumar teaches such use: (p. 21, 2nd column, lines 21-33, see displaying, in the GUI, details of malware analytics comprising one or more of: infection summaries, infection diagnosis, threat categorization and identification based on a signature-less infection life-cycle model, an address and geo-location for a source or attacker, an identification of one or more infected victims, forensic evidence chain of detected malicious activities and intent, and compute, memory, storage and network level anomalies detected on the victim machine or infected system) (emphasis added). 
Chander and Kumar are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander and Kumar before him or her, to modify the system of Chander to include the teachings of Kumar, as a system for orchestrating runtime integrity, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide user interface operations, as suggested by Kumar (p. 21, 2nd column, lines 21-33, p. 21, [0334-0335]).      

   In regards to claim 2, Chander teaches: 
the anomaly notification specifies at least one remedial action that the gateway security process has performed to remediate the anomaly (column 14, lines 43-50, see in some embodiments, the main controller 102 can be programmed to execute predefined remedial procedures in accordance with the received error codes or failure indicators. For an error or a failure of one of the computing applications associated with the client device, the main controller 102 can be programmed to transmit a warning to the client device to trigger the execution of further remedial procedures) (emphasis added).

   In regards to claim 3, Chander doesn’t explicitly teach:
the user interface further comprises an indication of the at least one remedial action that the gateway security process has performed to remediate the anomaly.
However, Kumar teaches such use: (p. 21, 1st column, last para. – 2nd column, line 33, see a method for presenting a data center level runtime operational integrity dashboard and remediation controls for infected systems in a display of a computing platform having a network trust agent, an endpoint trust agent, and a trust orchestrator, the method comprising: receiving, from a plurality of endpoint assessment services, runtime integrity metrics for a plurality of trust vectors; displaying, in a graphical user interface (GUI) on the display, risk indicators and impact analysis based on the confidence level of received integrity metrics; providing, manual or automated remediation controls for threat containment and risk mitigation by performing one or more of: taking a snapshot of the infected system, restoring or reimaging the infected system from a trusted baseline configuration, quarantining the infected system from a network fabric, diverting users from the infected system, diverting transactions from the infected system, and diverting traffic from the infected system; displaying, in the GUI, a status and progress of initiated remediation actions; and displaying, in the GUI, details of malware analytics comprising one or more of: infection summaries, infection diagnosis, threat categorization and identification based on a signature-less infection life-cycle model, an address and geo-location for a source or attacker, an identification of one or more infected victims, forensic evidence chain of detected malicious activities and intent, and compute, memory, storage and network level anomalies detected on the victim machine or infected system) (emphasis added).
Chander and Kumar are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander and Kumar before him or her, to modify the system of Chander to include the teachings of Kumar, as a system for orchestrating runtime integrity, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide user interface operations, as suggested by Kumar (p. 21, 2nd column, lines 21-33, p. 21, [0334-0335]).      

   In regards to claim 4, Chander doesn’t explicitly teach:
the user interface further comprises a user interface element that specifies a management action to perform to remediate the anomaly. 
However, Kumar teaches such use: (p. 21, 1st column, last para. – 2nd column, line 33, see a method for presenting a data center level runtime operational integrity dashboard and remediation controls for infected systems in a display of a computing platform having a network trust agent, an endpoint trust agent, and a trust orchestrator, the method comprising: receiving, from a plurality of endpoint assessment services, runtime integrity metrics for a plurality of trust vectors; displaying, in a graphical user interface (GUI) on the display, risk indicators and impact analysis based on the confidence level of received integrity metrics; providing, manual or automated remediation controls for threat containment and risk mitigation by performing one or more of: taking a snapshot of the infected system, restoring or reimaging the infected system from a trusted baseline configuration, quarantining the infected system from a network fabric, diverting users from the infected system, diverting transactions from the infected system, and diverting traffic from the infected system; displaying, in the GUI, a status and progress of initiated remediation actions; and displaying, in the GUI, details of malware analytics comprising one or more of: infection summaries, infection diagnosis, threat categorization and identification based on a signature-less infection life-cycle model, an address and geo-location for a source or attacker, an identification of one or more infected victims, forensic evidence chain of detected malicious activities and intent, and compute, memory, storage and network level anomalies detected on the victim machine or infected system) (emphasis added).
Chander and Kumar are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander and Kumar before him or her, to modify the system of Chander to include the teachings of Kumar, as a system for orchestrating runtime integrity, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide user interface operations, as suggested by Kumar (p. 21, 2nd column, lines 21-33, p. 21, [0334-0335]).      

   In regards to claim 5, Chander teaches:
transmit, by the management service to the gateway security process, a command to perform the management action (column 14, lines 43-50, see in some embodiments, the main controller 102 can be programmed to execute predefined remedial procedures in accordance with the received error codes or failure indicators. For an error or a failure of one of the computing applications associated with the client device, the main controller 102 can be programmed to transmit a warning to the client device to trigger the execution of further remedial procedures).
Chander doesn’t explicitly teach:
identify, by the management service, a selection of the user interface element that specifies the management action. 
However, Kumar teaches such use: (p. 21, 1st column, last para. – 2nd column, line 33, see a method for presenting a data center level runtime operational integrity dashboard and remediation controls for infected systems in a display of a computing platform having a network trust agent, an endpoint trust agent, and a trust orchestrator, the method comprising: receiving, from a plurality of endpoint assessment services, runtime integrity metrics for a plurality of trust vectors; displaying, in a graphical user interface (GUI) on the display, risk indicators and impact analysis based on the confidence level of received integrity metrics; providing, manual or automated remediation controls for threat containment and risk mitigation by performing one or more of: taking a snapshot of the infected system, restoring or reimaging the infected system from a trusted baseline configuration, quarantining the infected system from a network fabric, diverting users from the infected system, diverting transactions from the infected system, and diverting traffic from the infected system; displaying, in the GUI, a status and progress of initiated remediation actions; and displaying, in the GUI, details of malware analytics comprising one or more of: infection summaries, infection diagnosis, threat categorization and identification based on a signature-less infection life-cycle model, an address and geo-location for a source or attacker, an identification of one or more infected victims, forensic evidence chain of detected malicious activities and intent, and compute, memory, storage and network level anomalies detected on the victim machine or infected system) (emphasis added).
Chander and Kumar are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander and Kumar before him or her, to modify the system of Chander to include the teachings of Kumar, as a system for orchestrating runtime integrity, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide user interface operations, as suggested by Kumar (p. 21, 2nd column, lines 21-33, p. 21, [0334-0335]).      

   In regards to claim 8, Chander teaches: 
A method performed by instructions executed by at least one computing device, the method comprising: transmitting, from a management service to a gateway security process executed in a gateway device, a baseline behavior profile for a gateway virtual machine executed by a gateway hypervisor of the gateway device (Abstract, see a computer-implemented method of managing security services for one or more cloud computing platforms is disclosed. The method comprises receiving, by a security gateway system having a processor, a digital communication related to one of one or more computing applications hosted by a virtual cluster … the security gateway system residing within the cloud computing platform, the security gateway system performing network security gateway functions for the one or more computing applications. The method also comprises storing the digital communication in association with a timestamp in a storage device) (emphasis added).
receiving, by the management service from the gateway device, an anomaly notification comprising an indication that the gateway virtual machine is associated with an anomaly from the baseline behavior profile (Abstract, see the method further comprises receiving a piece of threat intelligence data indicating a security threat from a main controller residing outside the virtual cluster; storing the piece of threat intelligence data in a database; and determining whether the piece of threat intelligence data applies to any of the digital communications in the storage device).
Chander doesn’t explicitly teach:
generating, by the management service, a user interface comprising a description of the anomaly from the baseline behavior.
However, Kumar teaches such use: (p. 21, 2nd column, lines 21-33, see displaying, in the GUI, details of malware analytics comprising one or more of: infection summaries, infection diagnosis, threat categorization and identification based on a signature-less infection life-cycle model, an address and geo-location for a source or attacker, an identification of one or more infected victims, forensic evidence chain of detected malicious activities and intent, and compute, memory, storage and network level anomalies detected on the victim machine or infected system) (emphasis added). 
Chander and Kumar are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander and Kumar before him or her, to modify the system of Chander to include the teachings of Kumar, as a system for orchestrating runtime integrity, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide user interface operations, as suggested by Kumar (p. 21, 2nd column, lines 21-33, p. 21, [0334-0335]).      

   In regards to claim 9, Chander teaches: 
the anomaly notification specifies at least one remedial action that the gateway security process has performed to remediate the anomaly (column 14, lines 43-50, see in some embodiments, the main controller 102 can be programmed to execute predefined remedial procedures in accordance with the received error codes or failure indicators. For an error or a failure of one of the computing applications associated with the client device, the main controller 102 can be programmed to transmit a warning to the client device to trigger the execution of further remedial procedures) (emphasis added).

   In regards to claim 10, Chander doesn’t explicitly teach:
the user interface further comprises an indication of the at least one remedial action that the gateway security process has performed to remediate the anomaly.
However, Kumar teaches such use: (p. 21, 1st column, last para. – 2nd column, line 33, see a method for presenting a data center level runtime operational integrity dashboard and remediation controls for infected systems in a display of a computing platform having a network trust agent, an endpoint trust agent, and a trust orchestrator, the method comprising: receiving, from a plurality of endpoint assessment services, runtime integrity metrics for a plurality of trust vectors; displaying, in a graphical user interface (GUI) on the display, risk indicators and impact analysis based on the confidence level of received integrity metrics; providing, manual or automated remediation controls for threat containment and risk mitigation by performing one or more of: taking a snapshot of the infected system, restoring or reimaging the infected system from a trusted baseline configuration, quarantining the infected system from a network fabric, diverting users from the infected system, diverting transactions from the infected system, and diverting traffic from the infected system; displaying, in the GUI, a status and progress of initiated remediation actions; and displaying, in the GUI, details of malware analytics comprising one or more of: infection summaries, infection diagnosis, threat categorization and identification based on a signature-less infection life-cycle model, an address and geo-location for a source or attacker, an identification of one or more infected victims, forensic evidence chain of detected malicious activities and intent, and compute, memory, storage and network level anomalies detected on the victim machine or infected system) (emphasis added).
Chander and Kumar are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander and Kumar before him or her, to modify the system of Chander to include the teachings of Kumar, as a system for orchestrating runtime integrity, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide user interface operations, as suggested by Kumar (p. 21, 2nd column, lines 21-33, p. 21, [0334-0335]).      

   In regards to claim 12, Chander teaches: 
transmitting, by the management service to the gateway security process, a command to perform the management action (column 14, lines 43-50, see in some embodiments, the main controller 102 can be programmed to execute predefined remedial procedures in accordance with the received error codes or failure indicators. For an error or a failure of one of the computing applications associated with the client device, the main controller 102 can be programmed to transmit a warning to the client device to trigger the execution of further remedial procedures).
Chander doesn’t explicitly teach:
identifying, by the management service, a selection of the user interface element that specifies the management action.
However, Kumar teaches such use: (p. 21, 1st column, last para. – 2nd column, line 33, see a method for presenting a data center level runtime operational integrity dashboard and remediation controls for infected systems in a display of a computing platform having a network trust agent, an endpoint trust agent, and a trust orchestrator, the method comprising: receiving, from a plurality of endpoint assessment services, runtime integrity metrics for a plurality of trust vectors; displaying, in a graphical user interface (GUI) on the display, risk indicators and impact analysis based on the confidence level of received integrity metrics; providing, manual or automated remediation controls for threat containment and risk mitigation by performing one or more of: taking a snapshot of the infected system, restoring or reimaging the infected system from a trusted baseline configuration, quarantining the infected system from a network fabric, diverting users from the infected system, diverting transactions from the infected system, and diverting traffic from the infected system; displaying, in the GUI, a status and progress of initiated remediation actions; and displaying, in the GUI, details of malware analytics comprising one or more of: infection summaries, infection diagnosis, threat categorization and identification based on a signature-less infection life-cycle model, an address and geo-location for a source or attacker, an identification of one or more infected victims, forensic evidence chain of detected malicious activities and intent, and compute, memory, storage and network level anomalies detected on the victim machine or infected system) (emphasis added).
Chander and Kumar are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander and Kumar before him or her, to modify the system of Chander to include the teachings of Kumar, as a system for orchestrating runtime integrity, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide user interface operations, as suggested by Kumar (p. 21, 2nd column, lines 21-33, p. 21, [0334-0335]).      

   In regards to claim 15, Chander teaches: 
A non-transitory computer-readable medium comprising instructions executed by at least one processor, wherein the instructions, when executed by the at least one processor, cause the at least one computing device to at least; transmit, from a management service to a gateway security process executed in a gateway device, a baseline behavior profile for a gateway virtual machine executed by a gateway hypervisor of the gateway device (Abstract, see a computer-implemented method of managing security services for one or more cloud computing platforms is disclosed. The method comprises receiving, by a security gateway system having a processor, a digital communication related to one of one or more computing applications hosted by a virtual cluster … the security gateway system residing within the cloud computing platform, the security gateway system performing network security gateway functions for the one or more computing applications. The method also comprises storing the digital communication in association with a timestamp in a storage device) (emphasis added).
receive, by the management service from the gateway device, an anomaly notification comprising an indication that the gateway virtual machine is associated with an anomaly from the baseline behavior profile (Abstract, see the method further comprises receiving a piece of threat intelligence data indicating a security threat from a main controller residing outside the virtual cluster; storing the piece of threat intelligence data in a database; and determining whether the piece of threat intelligence data applies to any of the digital communications in the storage device).
Chander doesn’t explicitly teach:
generate, by the management service, a user interface comprising a description of the anomaly from the baseline behavior.
However, Kumar teaches such use: (p. 21, 2nd column, lines 21-33, see displaying, in the GUI, details of malware analytics comprising one or more of: infection summaries, infection diagnosis, threat categorization and identification based on a signature-less infection life-cycle model, an address and geo-location for a source or attacker, an identification of one or more infected victims, forensic evidence chain of detected malicious activities and intent, and compute, memory, storage and network level anomalies detected on the victim machine or infected system) (emphasis added). 
Chander and Kumar are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander and Kumar before him or her, to modify the system of Chander to include the teachings of Kumar, as a system for orchestrating runtime integrity, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide user interface operations, as suggested by Kumar (p. 21, 2nd column, lines 21-33, p. 21, [0334-0335]).      

   In regards to claim 16, Chander teaches: 
the anomaly notification specifies at least one remedial action that the gateway security process has performed to remediate the anomaly (column 14, lines 43-50, see in some embodiments, the main controller 102 can be programmed to execute predefined remedial procedures in accordance with the received error codes or failure indicators. For an error or a failure of one of the computing applications associated with the client device, the main controller 102 can be programmed to transmit a warning to the client device to trigger the execution of further remedial procedures) (emphasis added).

   In regards to claim 17, Chander doesn’t explicitly teach:
the user interface further comprises an indication of the at least one remedial action that the gateway security process has performed to remediate the anomaly.
However, Kumar teaches such use: (p. 21, 1st column, last para. – 2nd column, line 33, see a method for presenting a data center level runtime operational integrity dashboard and remediation controls for infected systems in a display of a computing platform having a network trust agent, an endpoint trust agent, and a trust orchestrator, the method comprising: receiving, from a plurality of endpoint assessment services, runtime integrity metrics for a plurality of trust vectors; displaying, in a graphical user interface (GUI) on the display, risk indicators and impact analysis based on the confidence level of received integrity metrics; providing, manual or automated remediation controls for threat containment and risk mitigation by performing one or more of: taking a snapshot of the infected system, restoring or reimaging the infected system from a trusted baseline configuration, quarantining the infected system from a network fabric, diverting users from the infected system, diverting transactions from the infected system, and diverting traffic from the infected system; displaying, in the GUI, a status and progress of initiated remediation actions; and displaying, in the GUI, details of malware analytics comprising one or more of: infection summaries, infection diagnosis, threat categorization and identification based on a signature-less infection life-cycle model, an address and geo-location for a source or attacker, an identification of one or more infected victims, forensic evidence chain of detected malicious activities and intent, and compute, memory, storage and network level anomalies detected on the victim machine or infected system) (emphasis added).
Chander and Kumar are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander and Kumar before him or her, to modify the system of Chander to include the teachings of Kumar, as a system for orchestrating runtime integrity, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide user interface operations, as suggested by Kumar (p. 21, 2nd column, lines 21-33, p. 21, [0334-0335]).      

   In regards to claim 18, Chander doesn’t explicitly teach:
the user interface further comprises a user interface element that specifies a management action to perform to remediate the anomaly.
However, Kumar teaches such use: (p. 21, 1st column, last para. – 2nd column, line 33, see a method for presenting a data center level runtime operational integrity dashboard and remediation controls for infected systems in a display of a computing platform having a network trust agent, an endpoint trust agent, and a trust orchestrator, the method comprising: receiving, from a plurality of endpoint assessment services, runtime integrity metrics for a plurality of trust vectors; displaying, in a graphical user interface (GUI) on the display, risk indicators and impact analysis based on the confidence level of received integrity metrics; providing, manual or automated remediation controls for threat containment and risk mitigation by performing one or more of: taking a snapshot of the infected system, restoring or reimaging the infected system from a trusted baseline configuration, quarantining the infected system from a network fabric, diverting users from the infected system, diverting transactions from the infected system, and diverting traffic from the infected system; displaying, in the GUI, a status and progress of initiated remediation actions; and displaying, in the GUI, details of malware analytics comprising one or more of: infection summaries, infection diagnosis, threat categorization and identification based on a signature-less infection life-cycle model, an address and geo-location for a source or attacker, an identification of one or more infected victims, forensic evidence chain of detected malicious activities and intent, and compute, memory, storage and network level anomalies detected on the victim machine or infected system) (emphasis added).
Chander and Kumar are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander and Kumar before him or her, to modify the system of Chander to include the teachings of Kumar, as a system for orchestrating runtime integrity, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide user interface operations, as suggested by Kumar (p. 21, 2nd column, lines 21-33, p. 21, [0334-0335]).      

   In regards to claim 19, Chander teaches: 
transmit, by the management service to the gateway security process, a command to perform the management action (column 14, lines 43-50, see in some embodiments, the main controller 102 can be programmed to execute predefined remedial procedures in accordance with the received error codes or failure indicators. For an error or a failure of one of the computing applications associated with the client device, the main controller 102 can be programmed to transmit a warning to the client device to trigger the execution of further remedial procedures).
Chander doesn’t explicitly teach:
the instructions, when executed by the at least one processor, cause the at least one computing device to at least: identify, by the management service, a selection of the user interface element that specifies the management action.
However, Kumar teaches such use: (p. 21, 1st column, last para. – 2nd column, line 33, see a method for presenting a data center level runtime operational integrity dashboard and remediation controls for infected systems in a display of a computing platform having a network trust agent, an endpoint trust agent, and a trust orchestrator, the method comprising: receiving, from a plurality of endpoint assessment services, runtime integrity metrics for a plurality of trust vectors; displaying, in a graphical user interface (GUI) on the display, risk indicators and impact analysis based on the confidence level of received integrity metrics; providing, manual or automated remediation controls for threat containment and risk mitigation by performing one or more of: taking a snapshot of the infected system, restoring or reimaging the infected system from a trusted baseline configuration, quarantining the infected system from a network fabric, diverting users from the infected system, diverting transactions from the infected system, and diverting traffic from the infected system; displaying, in the GUI, a status and progress of initiated remediation actions; and displaying, in the GUI, details of malware analytics comprising one or more of: infection summaries, infection diagnosis, threat categorization and identification based on a signature-less infection life-cycle model, an address and geo-location for a source or attacker, an identification of one or more infected victims, forensic evidence chain of detected malicious activities and intent, and compute, memory, storage and network level anomalies detected on the victim machine or infected system) (emphasis added).
Chander and Kumar are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander and Kumar before him or her, to modify the system of Chander to include the teachings of Kumar, as a system for orchestrating runtime integrity, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide user interface operations, as suggested by Kumar (p. 21, 2nd column, lines 21-33, p. 21, [0334-0335]).      

8.	Claims 6, 11 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Chander in view of Kumar in view of Rao et al., US 2004/0103412 (hereinafter Rao).
In regards to claims 1 and 8 the rejections above are incorporated respectively.
In regards to claim 6, Chander and Kumar, in particular Chander doesn’t explicitly teach:
identify, through the user interface of the management service, a selection of a user interface element that indicates the anomaly is an acceptable behavior of the gateway virtual machine.
However, Rao teaches such use: (p. 4, [0032], see the fact that an error was encountered in a previous invocation may be displayed when a feature is invoked, along with a prompt to the user to either retrieve an update package that fixes the bug, or to ignore the message and invoke the application or feature despite the warning).
Chander, Kumar and Rao are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander, Kumar and Rao before him or her, to modify the system of Chander and Kumar, in particular Chander to include the teachings of Rao, as a system for self-repair, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide override user interface functionality as suggested by Rao (p. 4, [0032], p. 6, [0047]).

   In regards to claim 11, Chander and Kumar, in particular Chander doesn’t explicitly teach:
identifying, through the user interface of the management service, a selection of a user interface element that indicates the anomaly is an acceptable behavior of the gateway virtual machine.
However, Rao teaches such use: (p. 4, [0032], see the fact that an error was encountered in a previous invocation may be displayed when a feature is invoked, along with a prompt to the user to either retrieve an update package that fixes the bug, or to ignore the message and invoke the application or feature despite the warning).
Chander, Kumar and Rao are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander, Kumar and Rao before him or her, to modify the system of Chander and Kumar, in particular Chander to include the teachings of Rao, as a system for self-repair, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide override user interface functionality as suggested by Rao (p. 4, [0032], p. 6, [0047]).

   In regards to claim 13, Chander and Kumar, in particular Chander doesn’t explicitly teach:
the user interface further comprises a user interface element that indicates to permit the anomaly.
However, Rao teaches such use: (p. 4, [0032], see the fact that an error was encountered in a previous invocation may be displayed when a feature is invoked, along with a prompt to the user to either retrieve an update package that fixes the bug, or to ignore the message and invoke the application or feature despite the warning).
Chander, Kumar and Rao are analogous art because they are from the same field of endeavor, anomaly processing.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Chander, Kumar and Rao before him or her, to modify the system of Chander and Kumar, in particular Chander to include the teachings of Rao, as a system for self-repair, and accordingly it would enhance the system of Chander, which is focused on managing computer security, because that would provide Chander with the ability to provide override user interface functionality as suggested by Rao (p. 4, [0032], p. 6, [0047]).

Conclusion

9.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US Patent Application Publications

Liao et al., US 2013/0060524

Artman et al., US 2017/0286670

10.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Evral Bodden whose telephone number is 571-272-3455.  The examiner can normally be reached on Monday to Friday, 8:30 to 5:00.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do can be reached on 571-272-3721.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/EVRAL E BODDEN/Primary Examiner, Art Unit 2193