Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
The instant application having Application No. 17/576,432 filed on 01/14/2022 is presented for examination by the examiner.

Examiner Notes
Examiner cites particular columns and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.

Drawings
The applicant’s drawings submitted are acceptable for examination purposes.

Specification Objections
The disclosure is objected to because of the following informalities: under the “Cross-reference to related Application” section, the status of U.S. Patent Application No. 16/238,524, which is now patented, needs to be updated.
Appropriate correction is required.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Initially, it should be noted that the present application and Application No. 12/427,090, have the same inventive entity.  The assignee for both applications is IBM Corporation.  
Claims 1-3, 8-10 and 14 are provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-3, 7-9 and 10 of US patent No. 11232192. Although the conflicting claims are not identical, they are not patentably distinct from each other. Claims 1-3, 8-10 and 14 are compared to claims 1-3, 7-9 and 10 of US patent No. 11232192 in the following table:

Instant Application

1. A computer-implemented method in a virtualized system, comprising:
detecting that a virtual instance has been added in the virtualized system, the virtual instance having computer-readable instructions;
opening a stored manifest for the virtual instance, the stored manifest comprising configuration settings for the virtual instance;
retrieving running services information regarding the virtual instance, the running services information including information about the virtual instance running on the virtualized system;
generating a security policy for the virtual instance, the security policy defining a set of actions for which the virtual instance can perform, the set of actions determined using the manifest and the running service information associated with the virtual instance;
blocking an action performed by the virtual instance in response to determining that the action performed by the virtual instance does not match any action in the set of actions defined in the security policy for the virtual instance; and
transmitting the security policy to a graphical user interface container for presentation to a user via a display device, the graphical user interface container presenting information about the generated security policy.

2. The computer-implemented method of claim 1, wherein detecting that the virtual instance has been added comprises periodically querying the container system for initiated virtual instances.

3. The computer-implemented method of claim 1, wherein opening a stored manifest for the virtual instance further comprises executing a command line interface instruction to cause a virtualized service of the virtualized system to output manifest data for the virtual instance.

8. A non-transitory computer readable medium configured to store computer code comprising instructions, the instructions, when executed by one or more processors, causes the one or more processors to:
detect that a virtual instance has been added in the virtualized system, the virtual instance having computer-readable instructions;
open a stored manifest for the virtual instance, the stored manifest comprising configuration settings for the virtual instance;
retrieve running services information regarding the virtual instance, the running services information including information about the virtual instance running on the virtualized system;
generate a security policy for the virtual instance, the security policy defining a set of actions for which the virtual instance can perform, the set of actions determined using the manifest and the running service information associated with the virtual instance;
block an action performed by the virtual instance in response to determining that the action performed by the virtual instance does not match any action in the set of actions defined in the security policy for the virtual instance; and
transmit the security policy to a graphical user interface container for presentation to a user via a display device, the graphical user interface container presenting information about the generated security policy.

9. The non-transitory computer readable medium of claim 8, wherein the instruction to detect that the virtual instance has been added further comprises instructions to periodically query the container system for initiated virtual instances.

10. The non-transitory computer readable medium of claim 8, wherein the instruction to open a stored manifest for the virtual instance further comprises instructions to execute a command line interface instruction to cause a virtualized service of the virtualized system to output manifest data for the virtual instance.

14. A system comprising:
one or more processors; and
memory coupled to the one or more processors, the memory configured to store computer code comprising instructions, the instructions, when executed by the one or more processors, causes the one or more processors to:
detect that a virtual instance has been added in the virtualized system, the virtual instance having computer-readable instructions;
open a stored manifest for the virtual instance, the stored manifest comprising configuration settings for the virtual instance;
retrieve running services information regarding the virtual instance, the running services information including information about the virtual instance running on the virtualized system;
generate a security policy for the virtual instance, the security policy defining a set of actions for which the virtual instance can perform, the set of actions determined using the manifest and the running service information associated with the virtual instance;
block an action performed by the virtual instance in response to determining that the action performed by the virtual instance does not match any action in the set of actions defined in the security policy for the virtual instance; and
transmit the security policy to a graphical user interface container for presentation to a user via a display device, the graphical user interface container presenting information about the generated security policy.

US patent 11232192

1. A computer-implemented method in a container system, comprising:
detecting that an application container has been added in the container system, the application container having computer-readable instructions, the application container initiated via a container service and isolated using operating system-level virtualization;
opening a stored manifest for the application container, the stored manifest comprising configuration settings for the newly added application container, wherein the stored manifest for the application data further comprises information indicating an image file in which executable code for the application container is stored, incoming and outgoing ports for the application container, services to which the application container connects, and user credentials to access the services;
retrieving running services information regarding the application container, the running services information including information provided by the container service about the application container running on the container system;
generating a security policy for the application container, the security policy defining a set of actions for which the application container can perform, the set of actions determined using the manifest and the running service information associated with the application container;
loading the security policy at a security container, the security container configured to, upon loading the security policy, block an action performed by the application container in response to determining that the action performed by the application container does not match any action in the set of actions defined in the security policy for the application container; and
transmitting the security policy to a graphical user interface container for presentation to a user via a display device, the graphical user interface container presenting information about the generated security policy.

2. The method of claim 1, wherein detecting that an application container has been added comprises periodically querying the container service for initiated application containers.

3. The method of claim 1, wherein opening a stored manifest for the application container further comprises executing a command line interface instruction to cause the container service to output manifest data for the application container.

7. A non-transitory computer storage readable medium comprising stored instructions, the instructions when executed by a processor, causes the processor to:
detect that an application container has been added in the container system, the application container including computer-readable instructions, the application container able to be initiated via a container service and isolated using operating system-level virtualization;
open a stored manifest for the application container, the stored manifest comprising configuration settings for the newly added application container, wherein the stored manifest for the application data further comprises information indicating an image file in which executable code for the application container is stored, incoming and outgoing ports for the application container, services to which the application container connects, and user credentials to access the services;
retrieve running services information regarding the application container, the running services information including information provided by the container service about the application container running on the container system;
generate a security policy for the application container, the security policy defining a set of actions for which the application container can perform, the set of actions determined using the manifest and the running service information associated with the application container;
load the security policy at a security container, the security container configured to, upon loading the security policy, block an action performed by the application container in response to determining that the action performed by the application container does not match any action in the set of actions defined in the security policy for the application container; and
transmit the security policy to a graphical user interface container for presentation to a user via a display device, the graphical user interface container presenting information about the generated security policy.

8. The non-transitory computer storage readable medium of claim 7, storing further instructions, that when executed by the processor, causes the processor to periodically query the container service for initiated application containers.

9. The non-transitory computer storage readable medium of claim 7, comprising further stored instructions, that when executed by the processor, causes the processor to execute a command line interface instruction to cause the container service to output manifest data for the application container.

10. A computer-implemented method in a container system, comprising:
detecting that an application container has been added in the container system, the application container having computer-readable instructions, the application container initiated via a container service and isolated using operating system-level virtualization;
opening a stored manifest for the application container, the stored manifest comprising configuration settings for the newly added application container;
retrieving running services information regarding the application container, the running services information including information provided by the container service about the application container running on the container system, wherein retrieving the running services information regarding the application container further comprises executing a command line interface instruction to cause the container service to request a list of service descriptors for a namespace comprising the application container;
generating a security policy for the application container, the security policy defining a set of actions for which the application container can perform, the set of actions determined using the manifest and the running service information associated with the application container;
loading the security policy at a security container, the security container configured to, upon loading the security policy, block an action performed by the application container in response to determining that the action performed by the application container does not match any action in the set of actions defined in the security policy for the application container; and
transmitting the security policy to a graphical user interface container for presentation to a user via a display device, the graphical user interface container presenting information about the generated security policy.
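The claims on both sides of the table recite the same procedure: detect a newly added container, read its stored manifest (image, incoming and outgoing ports, services it connects to), gather running-services information from the container service, derive from the two a set of permitted actions, block any action outside that set, and hand the resulting policy to a user-interface component. The following Python model is an added illustration of that allowlist procedure; it is not code from the instant application, from US patent 11232192, or from the Duan or Chugtu references. The manifest fields, service names, addresses and ports are constructed for the example, and the "listen"/"connect" action model is an assumption made here to keep the policy checkable.

```python
"""Allowlist policy generated from a container manifest plus running-services
information, then applied to candidate actions (default deny).  Added example;
all data structures and sample values below are constructed, not taken from
the application or the cited references."""
from dataclasses import dataclass, field

# Constructed stand-in for the "stored manifest" of one application container.
SAMPLE_MANIFEST = {
    "name": "web-frontend",
    "image": "registry.example/web-frontend:1.4.2",   # constructed image reference
    "incoming_ports": [8080],                          # ports the container may listen on
    "outgoing_ports": [5432, 6379],                    # ports it may connect out to
    "services": ["orders-db", "session-cache"],        # services it is declared to use
}

# Constructed stand-in for running-services information as a container service
# might report it for the container's namespace: service name -> (address, port).
SAMPLE_RUNNING_SERVICES = {
    "orders-db": ("10.0.3.12", 5432),
    "session-cache": ("10.0.3.40", 6379),
    "admin-api": ("10.0.3.99", 9000),   # running in the namespace but NOT declared in the manifest
}


@dataclass(frozen=True)
class Action:
    """One observable action: kind is 'listen' (host '*') or 'connect' (remote host)."""
    kind: str
    host: str
    port: int


@dataclass
class SecurityPolicy:
    container: str
    allowed: frozenset                                  # frozenset[Action]
    unresolved: list = field(default_factory=list)      # declared services with no running record


def generate_policy(manifest, running_services) -> SecurityPolicy:
    """Derive the set of actions the container may perform from manifest + running services.

    Only a service that is both declared in the manifest and present in the
    running-services information yields a 'connect' rule; a declared service
    that is not running produces no rule and is reported as unresolved, so the
    policy never allows more than both sources agree on.
    """
    allowed = set()
    unresolved = []
    for port in manifest["incoming_ports"]:
        allowed.add(Action("listen", "*", port))
    for svc in manifest["services"]:
        if svc not in running_services:
            unresolved.append(svc)
            continue
        host, port = running_services[svc]
        if port in manifest["outgoing_ports"]:
            allowed.add(Action("connect", host, port))
    return SecurityPolicy(manifest["name"], frozenset(allowed), unresolved)


def decide(policy: SecurityPolicy, action: Action) -> str:
    """Default-deny enforcement: an action absent from the allowed set is blocked."""
    return "allow" if action in policy.allowed else "block"


def policy_summary(policy: SecurityPolicy) -> dict:
    """Plain representation of the policy, the shape one would hand to a UI component."""
    return {
        "container": policy.container,
        "rules": sorted(f"{a.kind} {a.host}:{a.port}" for a in policy.allowed),
        "unresolved_services": list(policy.unresolved),
    }


if __name__ == "__main__":
    pol = generate_policy(SAMPLE_MANIFEST, SAMPLE_RUNNING_SERVICES)
    for act in (Action("connect", "10.0.3.12", 5432),   # declared service: allow
                Action("connect", "10.0.3.99", 9000),   # undeclared admin-api: block
                Action("listen", "*", 22)):             # undeclared port: block
        print(act, "->", decide(pol, act))
    print(policy_summary(pol))
```

The design point worth noticing is that the policy is the intersection of what the manifest declares and what the container service reports as running: an undeclared service that happens to be reachable in the namespace (admin-api above) gets no rule, and a declared service that is not running is surfaced to the user as unresolved rather than silently allowed.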

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 3-8, 10, 12-14, 16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0093921 to Duan in further view of US 2019/0081955 to Chugtu et al. (hereafter “Chugtu”).

As per claim 1, Duan discloses A computer-implemented method in a virtualized system, comprising: 
detecting that a virtual instance has been added in the virtualized system (In view of the specification, FIG. 4, paragraphs 0105 and 0108-0109 and claim 7, a virtual instance is an application container → the container is considered as a virtual instance; therefore, Duan FIG. 1, paragraphs 0015 and 0033: “Instead, the security container 150 monitors the VM 115 (or container server 110 if the container environment is the container server 110 itself) to determine if any new app containers 120 are created.” → new app container 120 (virtual instance as claimed)), the virtual instance having computer-readable instructions (paragraphs 0030-0031);
opening a stored manifest for the virtual instance (paragraphs 0069, 0071 and 0079: “Once the UI monitor 440 receives configuration settings from the UI container 165, the UI monitor 440 forwards the configuration settings to the configuration module 410 to process and distribute among the different containers.”), the stored manifest comprising configuration settings for the virtual instance (paragraphs 0047-0049 and 0061: “When the intercept module 210 receives a notification from the app state monitor 230 that a particular app container 120 is initiated, the intercept module 210 determines, according to configuration rules, whether the traffic for that app container 120 should be intercepted. These rules may be determined by the intercept module 210 dynamically, or may be preconfigured.”);
retrieving running services information regarding the virtual instance (paragraphs 0040-0043 and 0046: “In one embodiment, the app state monitor 230 may also monitor other information regarding the application containers 120, such as their performance, resources used, number of processes opened, number of file handles opened, number and status of network connections, and so on. The app state monitor 230 may determine this information using the API of the container service 130 or using system commands (e.g., "ss" for network connections in Linux).”), the running services information including information about the virtual instance running on the virtualized system (paragraphs 0040-0043 and 0046: “In one embodiment, the app state monitor 230 may also monitor other information regarding the application containers 120, such as their performance, resources used, number of processes opened, number of file handles opened, number and status of network connections, and so on. The app state monitor 230 may determine this information using the API of the container service 130 or using system commands (e.g., "ss" for network connections in Linux).”);
generating a security policy for the virtual instance (paragraphs 0036, 0048, 0069 and 0071: “The management container 155 may configure the settings and rules for the security containers 150 and the analytics container 160 in the container system 105. For example, these rules may indicate what type of network traffic to log or to filter out. The management container 155 monitors the activities of other management containers 155 and the security containers 150.”), the security policy defining a set of actions for which the virtual instance can perform (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”), the set of actions determined using the manifest and the running service information associated with the virtual instance (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”); and
transmitting the security policy to a graphical user interface container for presentation to a user via a display device (FIG. 4A; paragraphs 0036-0037, 0069, 0071 and 0073: “As noted above, the UI container 165 communicates with the management container 155 and via the user interface the UI container 165 may indicate to the management container 155 the various configuration options requested by a user.”), the graphical user interface container presenting information about the generated security policy (FIG. 4A; paragraphs 0036-0037, 0069, 0071 and 0073).
Duan does not explicitly disclose blocking an action performed by the virtual instance in response to determining that the action performed by the virtual instance does not match any action in the set of actions defined in the security policy for the virtual instance.
Chugtu further discloses blocking an action performed by the virtual instance (FIG. 1A; paragraph 0024: a container (virtual instance as claimed) in a server device which is a virtual machine) in response to determining that the action performed by the virtual instance does not match any action in the set of actions defined in the security policy for the virtual instance (paragraphs 0009 and 0046: “In this way, the server device can isolate the container, such that the container cannot communicate with other containers associated with a different service, application, and/or tenant (e.g., even when the containers are on the same host).” → the container cannot communicate with other containers if they are not part of the same service).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chugtu with Duan’s teaching because doing so would allow the server device to isolate the container, such that the container cannot communicate with other containers associated with a different service, application, and/or tenant (e.g., even when the containers are on the same host) (Chugtu, paragraph 0009).

As per claim 3, Duan discloses wherein opening a stored manifest for the virtual instance (paragraphs 0037, 0069, 0071 and 0079: “Once the UI monitor 440 receives configuration settings from the UI container 165, the UI monitor 440 forwards the configuration settings to the configuration module 410 to process and distribute among the different containers.”), the manifest comprising configuration settings for the newly added application container (paragraphs 0047-0049 and 0061: “When the intercept module 210 receives a notification from the app state monitor 230 that a particular app container 120 is initiated, the intercept module 210 determines, according to configuration rules, whether the traffic for that app container 120 should be intercepted. These rules may be determined by the intercept module 210 dynamically, or may be preconfigured.”) further comprises executing a command line interface instruction to cause a virtualized service of the virtualized system to output manifest data for the virtual instance (paragraph 0037: “The container system 105, in one embodiment, also includes a user interface (UI) container 165 to provide a user interface to a user. The UI container 165 may interface with a user using a graphical user interface (GUI) or a command line interface (CLI)”).

As per claim 5, Duan discloses wherein generating the security policy for the virtual instance (paragraphs 0036, 0048, 0069 and 0071: “The management container 155 may configure the settings and rules for the security containers 150 and the analytics container 160 in the container system 105. For example, these rules may indicate what type of network traffic to log or to filter out. The management container 155 monitors the activities of other management containers 155 and the security containers 150.”) further comprises generating one or more network rules (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”) which allow the virtual instance to make one or more network connections indicated in at least one of the manifest and the running service information associated with the virtual instance (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”).

As per claim 6, Duan discloses wherein retrieving the running services information regarding the virtual instance further comprises executing a command line interface instruction to request a list of service descriptors for a namespace comprising the virtual instance (paragraph 0037: “The container system 105, in one embodiment, also includes a user interface (UI) container 165 to provide a user interface to a user. The UI container 165 may interface with a user using a graphical user interface (GUI) or a command line interface (CLI)”).

As per claim 7, Duan discloses wherein the virtual instance is an application container (FIGs. 1 and 3A-B) initiated via a container service (paragraphs 0043-0044, 0047, 0066, 0074 and 0083) and isolated using operating system-level virtualization (paragraphs 0024 and 0030) and the virtualized system is a container system (FIG. 1-4).

As per claim 8, Duan discloses a non-transitory computer readable medium configured to store computer code comprising instructions, the instructions, when executed by one or more processors, causes the one or more processors to:
detect that a virtual instance has been added in the virtualized system (In view of the specification, FIG. 4, paragraphs 0105 and 0108-0109 and claim 7, a virtual instance is an application container → the container is considered as a virtual instance; therefore, Duan FIG. 1, paragraphs 0015 and 0033: “Instead, the security container 150 monitors the VM 115 (or container server 110 if the container environment is the container server 110 itself) to determine if any new app containers 120 are created.” → new app container 120 (virtual instance as claimed)), the virtual instance having computer-readable instructions (paragraphs 0030-0031);
open a stored manifest for the virtual instance (paragraphs 0069, 0071 and 0079: “Once the UI monitor 440 receives configuration settings from the UI container 165, the UI monitor 440 forwards the configuration settings to the configuration module 410 to process and distribute among the different containers.”), the stored manifest comprising configuration settings for the virtual instance (paragraphs 0047-0049 and 0061: “When the intercept module 210 receives a notification from the app state monitor 230 that a particular app container 120 is initiated, the intercept module 210 determines, according to configuration rules, whether the traffic for that app container 120 should be intercepted. These rules may be determined by the intercept module 210 dynamically, or may be preconfigured.”);
retrieve running services information regarding the virtual instance (paragraphs 0040-0043 and 0046: “In one embodiment, the app state monitor 230 may also monitor other information regarding the application containers 120, such as their performance, resources used, number of processes opened, number of file handles opened, number and status of network connections, and so on. The app state monitor 230 may determine this information using the API of the container service 130 or using system commands (e.g., "ss" for network connections in Linux).”), the running services information including information about the virtual instance running on the virtualized system (paragraphs 0040-0043 and 0046: “In one embodiment, the app state monitor 230 may also monitor other information regarding the application containers 120, such as their performance, resources used, number of processes opened, number of file handles opened, number and status of network connections, and so on. The app state monitor 230 may determine this information using the API of the container service 130 or using system commands (e.g., "ss" for network connections in Linux).”);
generate a security policy for the virtual instance (paragraphs 0036, 0048, 0069 and 0071: “The management container 155 may configure the settings and rules for the security containers 150 and the analytics container 160 in the container system 105. For example, these rules may indicate what type of network traffic to log or to filter out. The management container 155 monitors the activities of other management containers 155 and the security containers 150.”), the security policy defining a set of actions for which the virtual instance can perform (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”), the set of actions determined using the manifest and the running service information associated with the virtual instance (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”); and
transmit the security policy to a graphical user interface container for presentation to a user via a display device (FIG. 4A; paragraphs 0036-0037, 0069, 0071 and 0073: “As noted above, the UI container 165 communicates with the management container 155 and via the user interface the UI container 165 may indicate to the management container 155 the various configuration options requested by a user.”), the graphical user interface container presenting information about the generated security policy (FIG. 4A; paragraphs 0036-0037, 0069, 0071 and 0073).
Duan does not explicitly disclose block an action performed by the virtual instance in response to determining that the action performed by the virtual instance does not match any action in the set of actions defined in the security policy for the virtual instance.
Chugtu further discloses block an action performed by the virtual instance (FIG. 1A; paragraph 0024: a container (virtual instance as claimed) in a server device which is a virtual machine) in response to determining that the action performed by the virtual instance does not match any action in the set of actions defined in the security policy for the virtual instance (paragraphs 0009, and 0046: “In this way, the server device can isolate the container, such that the container cannot communicate with other containers associated with a different service, application, and/or tenant (e.g., even when the containers are on the same host).” → the container cannot communicate with other containers if they are not a same service).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine a teaching of Chugtu into Duan’s teaching because it would allow the server device to isolate the container, such that the container cannot communicate with other containers associated with a different service, application, and/or tenant (e.g., even when the containers are on the same host) (Chugtu, paragraph 0009).

As per claim 10, it is a medium claim, which recite(s) the same limitations as those of claim 3. Accordingly, claim 10 is rejected for the same reasons as set forth in the rejection of claim 3.

As per claim 12, it is a medium claim, which recite(s) the same limitations as those of claim 5. Accordingly, claim 12 is rejected for the same reasons as set forth in the rejection of claim 5.

As per claim 13, it is a medium claim, which recite(s) the same limitations as those of claim 6. Accordingly, claim 13 is rejected for the same reasons as set forth in the rejection of claim 6.

As per claim 14, Duan discloses a system comprising: 
one or more processors (FIG. 6); and 
memory coupled to the one or more processors (FIG. 6), the memory configured to store computer code comprising instructions (FIG. 6), the instructions, when executed by the one or more processors (FIG. 6), causes the one or more processors to: 
detect that a virtual instance has been added in the virtualized system (In view of the specification, FIG. 4, paragraphs 0105 and 0108-0109 and claim 7, a virtual instance is an application container → the container is considered as a virtual instance; therefore, Duan FIG. 1, paragraphs 0015 and 0033: “Instead, the security container 150 monitors the VM 115 (or container server 110 if the container environment is the container server 110 itself)”), the virtual instance having computer-readable instructions (paragraphs 0030-0031); 
open a stored manifest for the virtual instance (paragraphs 0069, 0071 and 0079: “Once the UI monitor 440 receives configuration settings from the UI container 165, the UI monitor 440 forwards the configuration settings to the configuration module 410 to process and distribute among the different containers.”), the stored manifest comprising configuration settings for the virtual instance (paragraphs 0047-0049 and 0061: “When the intercept module 210 receives a notification from the app state monitor 230 that a particular app container 120 is initiated, the intercept module 210 determines, according to configuration rules, whether the traffic for that app container 120 should be intercepted. These rules may be determined by the intercept module 210 dynamically, or may be preconfigured.”); 
retrieve running services information regarding the virtual instance (paragraphs 0040-0043 and 0046: “In one embodiment, the app state monitor 230 may also monitor other information regarding the application containers 120, such as their performance, resources used, number of processes opened, number of file handles opened, number and status of network connections, and so on. The app state monitor 230 may determine this information using the API of the container service 130 or using system commands (e.g., "ss" for network connections in Linux).”), the running services information including information about the virtual instance running on the virtualized system (paragraphs 0040-0043 and 0046: “In one embodiment, the app state monitor 230 may also monitor other information regarding the application containers 120, such as their performance, resources used, number of processes opened, number of file handles opened, number and status of network connections, and so on. The app state monitor 230 may determine this information using the API of the container service 130 or using system commands (e.g., "ss" for network connections in Linux).”);
generate a security policy for the virtual instance (paragraphs 0036, 0048, 0069 and 0071: “The management container 155 may configure the settings and rules for the security containers 150 and the analytics container 160 in the container system 105. For example, these rules may indicate what type of network traffic to log or to filter out. The management container 155 monitors the activities of other management containers 155 and the security containers 150.”), the security policy defining a set of actions for which the virtual instance can perform (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”), the set of actions determined using the manifest and the running service information associated with the virtual instance (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”); 
transmit the security policy to a graphical user interface container for presentation to a user via a display device (FIG. 4A; paragraphs 0036-0037, 0069, 0071 and 0073: “As noted above, the UI container 165 communicates with the management container 155 and via the user interface the UI container 165 may indicate to the management container 155 the various configuration options requested by a user.”), the graphical user interface container presenting information about the generated security policy (FIG. 4A; paragraphs 0036-0037, 0069, 0071 and 0073).
Duan does not explicitly disclose block an action performed by the virtual instance in response to determining that the action performed by the virtual instance does not match any action in the set of actions defined in the security policy for the virtual instance.
Chugtu further discloses block an action performed by the virtual instance (FIG. 1A; paragraph 0024: a container (virtual instance as claimed) in a server device which is a virtual machine) in response to determining that the action performed by the virtual instance does not match any action in the set of actions defined in the security policy for the virtual instance (paragraphs 0009, and 0046: “In this way, the server device can isolate the container, such that the container cannot communicate with other containers associated with a different service, application, and/or tenant (e.g., even when the containers are on the same host).” → the container cannot communicate with other containers if they are not a same service).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine a teaching of Chugtu into Duan’s teaching because it would allow the server device to isolate the container, such that the container cannot communicate with other containers associated with a different service, application, and/or tenant (e.g., even when the containers are on the same host) (Chugtu, paragraph 0009).
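The claimed flow applied to claims 1, 8 and 14 above (derive a set of permitted actions from a stored manifest and running-services information, present the policy, and block any action outside that set), as an added Python illustration that is not code from the application, Duan or Chugtu; the manifest keys, the connection records and all function names are assumptions.

```python
# Added example: a minimal allowlist policy engine for a newly detected
# container ("virtual instance"). Manifest layout, connection records and
# names are hypothetical; the sample data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    kind: str     # "listen", "connect" or "exec"
    target: str   # port, peer service, or binary path


@dataclass
class Policy:
    instance_id: str
    allowed: frozenset  # set of Action the instance may perform


def actions_from_manifest(manifest: dict) -> set:
    """Permitted actions implied by the manifest's configuration settings."""
    acts = set()
    for port in manifest.get("ports", []):
        acts.add(Action("listen", str(port)))
    for dep in manifest.get("depends_on", []):
        acts.add(Action("connect", dep))
    for cmd in manifest.get("entrypoint", []):
        acts.add(Action("exec", cmd))
    return acts


def actions_from_running_services(instance_id: str, connections: list) -> set:
    """Permitted connects observed at detection time, restricted to peers in
    the same namespace (the kind of data an 'ss'-style query reports)."""
    return {Action("connect", c["dst"]) for c in connections
            if c["src"] == instance_id and c["same_namespace"]}


def generate_policy(instance_id: str, manifest: dict, connections: list) -> Policy:
    """Union of manifest-derived and running-services-derived actions."""
    allowed = actions_from_manifest(manifest)
    allowed |= actions_from_running_services(instance_id, connections)
    return Policy(instance_id, frozenset(allowed))


def enforce(policy: Policy, action: Action) -> str:
    """'forward' if the action is in the policy's set, otherwise 'block'."""
    return "forward" if action in policy.allowed else "block"


def render_for_ui(policy: Policy) -> list:
    """Lines a UI container would present to describe the generated policy."""
    ordered = sorted(policy.allowed, key=lambda a: (a.kind, a.target))
    return [f"{policy.instance_id}: {a.kind} {a.target}" for a in ordered]


# Constructed sample input for instance "web-1".
MANIFEST = {"ports": [8080], "depends_on": ["db"], "entrypoint": ["/app/server"]}
CONNECTIONS = [
    {"src": "web-1", "dst": "db", "same_namespace": True},
    {"src": "web-1", "dst": "cache", "same_namespace": True},
    {"src": "web-1", "dst": "billing", "same_namespace": False},  # outside namespace
]

if __name__ == "__main__":
    pol = generate_policy("web-1", MANIFEST, CONNECTIONS)
    print("\n".join(render_for_ui(pol)))
    print(enforce(pol, Action("connect", "billing")))  # block
```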

As per claim 16, it is a system claim, which recite(s) the same limitations as those of claim 3. Accordingly, claim 16 is rejected for the same reasons as set forth in the rejection of claim 3.

As per claim 18, it is a system claim, which recite(s) the same limitations as those of claim 5. Accordingly, claim 18 is rejected for the same reasons as set forth in the rejection of claim 5.

As per claim 19, it is a system claim, which recite(s) the same limitations as those of claim 6. Accordingly, claim 19 is rejected for the same reasons as set forth in the rejection of claim 6.

As per claim 20, it is a system claim, which recite(s) the same limitations as those of claim 7. Accordingly, claim 20 is rejected for the same reasons as set forth in the rejection of claim 7.

Claims 2, 9 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Duan and Chugtu, as applied to claims 1, 8 and 14, and in further view of US 2016/0092251 to Wagner.


As per claim 2, Duan does not explicitly disclose wherein detecting that the virtual instance has been added comprises periodically querying the container system for initiated virtual instances.
Wagner further discloses wherein detecting that the virtual instance has been added comprises periodically querying the container system for initiated virtual instances (paragraph 0055).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine a teaching of Wagner into Duan’s teaching and Chugtu’s teaching because, by maintaining a pool of pre-initialized virtual machine instances that are ready for use as soon as a user request is received, delay (sometimes referred to as latency) associated with executing the user code (e.g., instance and language runtime startup time) can be significantly reduced (Wagner, paragraph 0013).

As per claim 9, it is a medium claim, which recite(s) the same limitations as those of claim 2. Accordingly, claim 9 is rejected for the same reasons as set forth in the rejection of claim 2.

As per claim 15, it is a system claim, which recite(s) the same limitations as those of claim 2. Accordingly, claim 15 is rejected for the same reasons as set forth in the rejection of claim 2.

Claims 4, 11 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Duan and Chugtu, as applied to claims 1, 8 and 14, and in further view of US 2015/0101042 to Yang.

As per claim 4, Duan does not explicitly disclose wherein the running services information indicates a network connection between the virtual instance and another virtual instance within a namespace containing the virtual instance and the another virtual instance.
Yang further discloses wherein the running services information indicates a network connection between the virtual instance and another virtual instance within a namespace containing the virtual instance and the another virtual instance (FIG. 1; paragraph 0017).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine a teaching of Yang into Duan’s teaching and Chugtu’s teaching because it would provide for managing permissions in a virtualized computing system, where the virtualized computing system has a plurality of inventory objects and an access control subsystem that manages permissions to perform actions on the inventory objects using corresponding access control labels of the inventory objects (Yang, paragraph 0004).

As per claim 11, it is a medium claim, which recite(s) the same limitations as those of claim 4. Accordingly, claim 11 is rejected for the same reasons as set forth in the rejection of claim 4.

As per claim 17, it is a system claim, which recite(s) the same limitations as those of claim 4. Accordingly, claim 17 is rejected for the same reasons as set forth in the rejection of claim 4.

Conclusion
The following prior art made of record and not relied upon is cited to establish the level of skill in the applicant’s art and those arts considered reasonably pertinent to applicant’s disclosure. See MPEP 707.05(c).
Prior art:
US 2006/0265508 to Angel
[0285] In another implementation, the application can be started through user interaction with the edge device, such as using a mouse device to click on an icon wherein the operating system starts the application (such as with a Microsoft Windows operating system). This application process can send a request to the Namespace Management System to be registered as a callable service (connectivity information can be a default connection such as http://localhost:80 or discovered through initialization files, system registry entries, command line parameters, or through environment variables). Once registered, the Namespace Management System can direct a request intended for the service provided by the application to the appropriate compoint on which the application process can receive such a request. In one implementation, the application process includes connectivity in its registration request, while a second implementation receives connectivity information from the Namespace Management System as part of the registration request response.

US 2007/0081197 to Omoigui
[0443] 4) Shell: The request is handed off to the presenter: [0444] a) A registry request GUID entry is created containing (namespace path that generated the request, and SQML file URL). [0445] b) Browser is initialized and opened with command line [http] ://PresenterPage.html#RequestGUID[http]://presenterpage.html/. The Presenter loads default Chrome contained in the page. [0446] c) Presenter page loads presenter binary behavior and Semantic Runtime OCX.

US 2019/0386891 to Chitalia
[0059] Policy controller 23 may also analyze internal processor metrics received from policy agents 35, and classify one or more virtual machines 36 based on the extent to which each virtual machine uses shared resources of servers 12 (e.g., classifications could be CPU-bound, cache-bound, memory-bound). Policy controller 23 may interact with orchestration engine 130 to cause orchestration engine 130 to adjust, based on the classifications of virtual machines 36 executing on servers 12, the deployment of one or more virtual machines 36 on servers 12. Policy controller 23 may be further configured to report information about whether the conditions of a rule are met to a client interface associated with user interface device 129. Alternatively, or in addition, policy controller 23 may be further configured to report information about whether the conditions of a rule are met to one or more policy agents 35 and/or orchestration engine 130.

[0060] Policy controller 23 may be implemented as or within any suitable computing device, or across multiple computing devices. Policy controller 23, or components of policy controller 23, may be implemented as one or more modules of a computing device. In some examples, policy controller 23 may include a number of modules executing on a class of compute nodes (e.g., “infrastructure nodes”) included within data center 10A. Such nodes may be OpenStack infrastructure service nodes or Kubernetes master nodes, and/or may be implemented as virtual machines. In some examples, policy controller 23 may have network connectivity to some or all other compute nodes within data center 10A, and may also have network connectivity to other infrastructure services that manage data center 10A.

Any inquiry concerning this communication should be directed to examiner Tuan Dao, whose telephone/fax numbers are (571) 270 3387 and (571) 270 4387, respectively. The examiner can normally be reached on every Monday-Thursday, and the second Friday of the bi-week from 7:30AM to 5:00PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do, can be reached at (571) 272 3721.
The fax phone number for the organization where this application or proceeding is assigned is (571) 273 8300.
Any inquiry of a general nature of relating to the status of this application or proceeding should be directed to the TC 2100 Group receptionist whose telephone number is (571) 272 2100.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/TUAN C DAO/Primary Examiner, Art Unit 2193