METHOD AND APPARATUS FOR PROCESSING SECURITY EVENTS IN CONTAINER VIRTUALIZATION ENVIRONMENT

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/14/2025 has been entered. Response to Amendment The amendment filed 11/14/2025 has been entered. Claims 1 and 11 have been amended. Claims 5, 7-10, 15 and 17-20 has been/remains canceled. Claims 1-4, 6, 11-14 and 16 remain pending in the application. Applicant amendments to the Claims have overcome the objections previously set forth in the Final Office Action mailed on 09/17/2025. The objection has been withdrawn in view of the amended Claims. Response to Arguments Regarding Applicant’s arguments, on page 7-10 of the remark filed on 11/14/2025, on the newly amended limitations of independent claim 1 “wherein the security events are collected based on a combination of a LSM hook and the kprobe provided by the eBPF program, and utilizing the kprobe provided by the eBPF program to monitor execution of a specific kernel function..”, arguments are persuasive. Therefore, the 35 U.S.C. 103 rejection over Borello et al. (U.S No. 10592380) and Rajasekaran et al. (U.S Pub. No. 20210029142) Wagner et al. (U.S No. 10831898) further in view of Choochotkaew et al. (U.S Pub. No. 20230052452)), has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made under 35 U.S.C. § 103 in view of the following prior art: Sommers et al. (U.S No. 11709746) in conjunction with Borello et al. (U.S No. 10592380) and Rajasekaran et al. (U.S Pub. No. 20210029142) and Wagner et al. (U.S No. 10831898)). Please refer to the 35 U.S.C. 103 section below for a detailed explanation. For the reasons stated above and the new ground(s) of rejection under 35 U.S.C. 103 below, Examiner respectfully disagrees with Applicant’s argument, see Applicant’s Remarks Page 7-10, regarding allowance of the application. Examiner asserts that claims 1-4, 6, 11-14 and 16 are rejected for the reasons stated above in conjunction with the new ground(s) of rejection under 35 U.S.C. 103 below. Conclusion: Borello-Rajasekaran-Wagner- Sommers teaches the aforementioned limitations of independent claims and 11 rendering the claim limitations obvious before the effective date of the claimed invention. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-2, 4, 11-12 and 14, is/are rejected under 35 U.S.C. 103 as being unpatentable over Borello et al. (U.S No. 10592380, hereinafter referred to as “Borello”) and Rajasekaran et al. (U.S Pub. No. 20210029142, hereinafter referred to as “Rajasekaran”) and Wagner et al. (U.S No. 10831898, hereinafter referred to as “Wagner”) further in view of Sommers et al. (U.S No. 11709746, hereinafter referred to as “Sommers”) In regards to Claim 1, Borello teaches a method for processing a security event in a container virtualization environment, comprising: (Col. 2 lines 53-67 and Col. 3 lines 1-15; monitoring trace data corresponding to containers, kernels and virtual machine, Figure 4) collecting designated security events in a kernel space; (Col. 3 lines 13-25; security events (trace data corresponding to page faults and container data with ‘invalid memory access” is saved, stored and managed by the kernel space)); storing the collected security events in a security event storage module in real time; and (Col. 3 lines 14-20; storing the collected security events (storing the trace data))(Col. 7 lines 10-22; trace data includes arguments)) (Col. 6 lines 11-37; storing the collected security events [..] in real time (in run time container application stores data associated with trace data/arguments etc.)), (Col. 7 lines 35-55; container and trace data stored associated with timestamps)), (Col. 8 lines 54-67 and Col. 9 lines 1-20; storing the collected security events in real time ( catching violations within a period of time, then receiving arguments and storing the data)) wherein collecting the security events includes: making a setting to execute a kprobe provided by an eBPF program; (Col. 5 lines 9-67; execution using eBPF corresponding to kprobes)) executing a target container process to be monitored; (Col. 9 lines 33-45; executing a monitoring process for the container)) storing a status value of the target container process; and (Col. 6 lines 11-37; storing metric and other values corresponding to eBPF and container)), (Col. 5 lines 30-62; code is checked to ensure security and translated into code, collected data is stored corresponding to metrics)) wherein the eBPF program sets a system call as a probe target of the kprobe to determine when the target container process is connected to an existing namespace. (Col. 6 lines 11-36; system call corresponding to tracepoint or kprobe and storing in container) (Col. 7 lines 10-35; system call associated with container of process with namespace (user space) to monitor (to trace)) Borello does not explicitly teach providing a security manager with a security event corresponding to a query request from a security event management module, among the security events stored in the security event storage module, detecting a privilege escalation event by comparing the status value of the target container process with a previously stored reference value, wherein the security events are collected based on a combination of a LSM hook and the kprobe provided by the eBPF program, and utilizing the kprobe provided by the eBPF program to monitor execution of a specific kernel function. Wherein Rajasekaran teaches providing a security manager with a security event corresponding to a query request from a security event management module, among the security events stored in the security event storage module. (Par. (0029); request sent to manager corresponding to security incident; incident and data stored in container)), (Par. (0032); event records with occurrences stored in secure log storage)) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Borello to incorporate the teaching of Rajasekaran to utilize the above feature because of the analogous concept of monitoring malicious activities in containers using virtual machines , with the motivation of utilizing container virtualization and management services to identify security threats earlier on to prevent compromise or data leaks on the system, this proves important with source code or sensitive information. This is vital in container based environment to detect abnormal behavior and securely protect the system that malware that may go unidentified and lead to significant damages. (Rajasekaran Par. (0003-0007)) Borello and Rajasekaran do not explicitly teach detecting a privilege escalation event by comparing the status value of the target container process with a previously stored reference value, wherein the security events are collected based on a combination of a LSM hook and the kprobe provided by the eBPF program, and utilizing the kprobe provided by the eBPF program to monitor execution of a specific kernel function. Wherein Wagner teaches detecting a privilege escalation event by comparing the status value of the target container process with a previously stored reference value, (Col. 26 lines 64-67 and Col. 27 lines 1-35; privilege escalation detected and comparing of parameter values)) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Borello and Rajasekaran to incorporate the teaching of Wagner to utilize the above feature because of the analogous concept of access control policies using Linux based container to detect malware and harmful activities, with the motivation of securely protecting kernel data and Linux based code associated with container and regulating access by comparing trustworthy and authentic values already stored. This helps mitigate vulnerabilities and safeguards code that is transmitted and in return delegates the appropriate access to individuals authorized based on the comparison. (Wagner Col. 1 lines 20-45)) Borello, Rajasekaran and Wagner does not explicitly teach wherein the security events are collected based on a combination of a LSM hook and the kprobe provided by the eBPF program, and utilizing the kprobe provided by the eBPF program to monitor execution of a specific kernel function. Wherein Sommers teaches wherein the security events are collected based on a combination of a LSM hook and the kprobe provided by the eBPF program, and (Col. 13 lines 24-60; monitoring agent captures processing information using eBPF, Linux kprobe and hooks to sent traffic related responses and test system)), (Col. 14 lines 40-67; security events (test system detecting issues using test packets and through traffic)), (Col. 16 lines 4-25; monitoring agent with hooks, Linux kprobe used to monitor or trace application events)) utilizing the kprobe provided by the eBPF program to monitor execution of a specific kernel function. (Col. 16 lines 4-25; kprobe in correlation with eBPF logic and program used to monitor and trace specific kernel functions such as session layer events, kernel layer events etc.)) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Borello, Rajasekaran and Wagner to incorporate the teaching of Sommers to utilize the above feature because of the analogous concept of Linux based systems and probing of security events, with the motivation of using probing and tracing as well as collecting of security events by implementing LSM hooks to increase the overall security of the Linux systems and protect the integrity of the kernel code by fixing bugs, identifying issues in performance etc. (Sommer Col. 10 lines 35-50)) In regards to Claim 2, the combination of Borello, Rajasekaran, Wagner and Sommers teach the method of claim 1, Borello further teaches the method of claim 1, wherein the security events include at least one of a containerized-process execution event, a network access event, or a privilege escalation event, or a combination thereof. (Col. 3 lines 5-40; trace data associated with container application/process and container data/execution point)) In regards to Claim 4, the combination of Borello, Rajasekaran, Wagner and Sommers teach the method of claim 1, Borello further teaches the method of claim 1, wherein the security events are collected based on at least one of an LSM hook, a kprobe, or a tracepoint, or a combination thereof provided by an eBPF program. (Col. 5 lines 9-25; eBPF, kprobe and tracepoint to catch violations and input argument space)) In regards to Claim 11, claims 11 is an apparatus claims that recite similar limitations to claims 1-2 and 4 and the teachings of Borello, Rajasekaran, Wagner and Sommers address all the limitations discussed in claims 1 and is thereby rejected under the same grounds. In regards to Claim 12, the combination of Borello, Rajasekaran, Wagner and Sommers teach the apparatus of claim 11, Borello further teaches the apparatus of claim 11, wherein the security events include at least one of a containerized-process execution event, a network access event, or a privilege escalation event, or a combination thereof. (Col. 3 lines 5-40; trace data associated with container application/process and container data/execution point)) In regards to Claim 14, the combination of Borello, Rajasekaran, Wagner and Sommers teach the apparatus of claim 11, Borello further teaches the apparatus of claim 11, wherein the security events are collected based on at least one of an LSM hook, a kprobe, or a tracepoint, or a combination thereof provided by an eBPF program. (Col. 5 lines 9-25; eBPF, kprobe and tracepoint to catch violations and input argument space)) Claims 3 and 13, is/are rejected under 35 U.S.C. 103 as being unpatentable over Borello et al. (U.S No. 10592380, hereinafter referred to as “Borello”), Rajasekaran et al. (U.S Pub. No. 20210029142, hereinafter referred to as “Rajasekaran”) Wagner et al. (U.S No. 10831898, hereinafter referred to as “Wagner”) and Sommers et al. (U.S No. 11709746, hereinafter referred to as “Sommers”) further in view of Gladstone et al. (U.S No. 7290266, hereinafter referred to as “Gladstone”) In regards to Claim 3, the combination of Borello, Rajasekaran, Wagner and Sommers teach the method of claim 1, Borello further teaches the method of claim 1, further comprising: further collecting argument values of a kernel routine and kernel data observed at an observation target point in the kernel space; and (Col. 6 lines 51-67; receiving arguments attached to execution points directly in the kernel)) (Col. 8 lines 4-25 and Col. 9 lines 5-30; arguments associated with kernel data and catching violations monitored)) Borello, Rajasekaran, Wagner and Sommers do not explicitly teach controlling the security event by allowing or blocking the security event according to predefined rules based on information about whether the security event occurs, the argument values, and the kernel data. Wherein Gladstone teaches controlling the security event by allowing or blocking the security event according to predefined rules based on information about whether the security event occurs, the argument values, and the kernel data. (Col. 5 lines 6-27;monitoring events and allowing or blocking request), (Claim 9; policy defined rules based on predetermined pattern that allow or block security events based on rule set)), (Col. 8 lines 25-25; argument values (integer beginning with one corresponding to opcodes))(Col. 9 lines 63-67 and Col. 10 lines 1-45; arguments are checked entry point to kernel is determined and error code security event is detected before allowing to proceed)) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Borello, Rajasekaran, Wagner and Sommers to incorporate the teaching of Gladstone to utilize the above feature because of the analogous concept of monitoring malware and potential malicious activities on security events associated with Linux operating systems and code, with the motivation of access controls to deny or grant access after a security event or incident has been determined. This proves important to not create back log or slow the system down after every security event is detected. Events with low risk can warn users and having a predefined rule based criteria allows the systems to communicate freely with a filter that is credible and maintains high integrity. (Gladstone Col. 3 lines 1-40)) In regards to Claim 13, the combination of Borello, Rajasekaran, Wagner and Sommers teach the method of claim 1, Borello further teaches the apparatus of claim 11, wherein the processor further collects argument values of a kernel routine and kernel data observed at an observation target point in the kernel space and (Col. 6 lines 51-67; receiving arguments attached to execution points directly in the kernel)) (Col. 8 lines 4-25 and Col. 9 lines 5-30; arguments associated with kernel data and catching violations monitored)) Borello, Rajasekaran, Wagner and Sommers do not explicitly teach controls the security event to allow or block the security event according to predefined rules based on information about whether the security event occurs, the argument values, and the kernel data. Wherein Gladstone teaches controls the security event to allow or block the security event according to predefined rules based on information about whether the security event occurs, the argument values, and the kernel data. (Col. 5 lines 6-27;monitoring events and allowing or blocking request), (Claim 9; policy defined rules based on predetermined pattern that allow or block security events based on rule set)), (Col. 8 lines 25-25; argument values (integer beginning with one corresponding to opcodes))(Col. 9 lines 63-67 and Col. 10 lines 1-45; arguments are checked entry point to kernel is determined and error code security event is detected before allowing to proceed)) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Borello, Rajasekaran, Wagner and Sommers to incorporate the teaching of Gladstone to utilize the above feature because of the analogous concept of monitoring malware and potential malicious activities on security events associated with Linux operating systems and code, with the motivation of access controls to deny or grant access after a security event or incident has been determined. This proves important to not create back log or slow the system down after every security event is detected. Events with low risk can warn users and having a predefined rule based criteria allows the systems to communicate freely with a filter that is credible and maintains high integrity. (Gladstone Col. 3 lines 1-40)) Claims 6 and 16, is/are rejected under 35 U.S.C. 103 as being unpatentable over Borello et al. (U.S No. 10592380, hereinafter referred to as “Borello”) Rajasekaran et al. (U.S Pub. No. 20210029142, hereinafter referred to as “Rajasekaran”) Wagner et al. (U.S No. 10831898, hereinafter referred to as “Wagner”) Sommers et al. (U.S No. 11709746, hereinafter referred to as “Sommers”) further in view of Jeffries et al. (U.S Pub. No. 20180336351, hereinafter referred to as “Jefferies”) In regards to Claim 6, the combination of Borello, Rajasekaran, Wagner and Sommers do not explicitly teach wherein, when the status value of the target container process is less than the previously stored reference value, it is determined that privilege escalation is attempted, and a kill signal is sent to the target container process. Wherein Jeffries teaches wherein, when the status value of the target container process is less than the previously stored reference value, it is determined that privilege escalation is attempted, and (Par. (0023); threshold level not satisfied corresponding to container, malicious activity identified and terminating of process)), (Par. (0043); threshold level compared with information stored to determine malicious activity)) a kill signal is sent to the target container process. (Par.(0023); terminating efficiently based on unintentional privilege escalation))(Par. (0073); terminating the container process based on malicious activity)) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Borello, Rajasekaran, Wagner and Sommers to incorporate the teaching of Jeffries to utilize the above feature because of the analogous concept of detecting malware and harmful activities in container based environments, with the motivation of identifying early on before compromise or alteration of the container that an escalation of unauthorized privileges is being conducted and then follow with a kill signal to impeded any forgery or illegitimate entities attempting to modify or intercept code. This maintains the integrity of the system and assures users that private data stored is not at risk based on a comparison. (Jeffries Par. (0003-0005)) In regards to Claim 6, the combination of Borello, Rajasekaran, Wagner and Sommers do not explicitly teach wherein, when the status value of the target container process is less than the previously stored reference value, the processor determines that privilege escalation is attempted and performs control to send a kill signal to the target container process. Wherein Jeffries teaches wherein, when the status value of the target container process is less than the previously stored reference value, the processor determines that privilege escalation is attempted and (Par. (0023); threshold level not satisfied corresponding to container, malicious activity identified and terminating of process)), (Par. (0043); threshold level compared with information stored to determine malicious activity)) performs control to send a kill signal to the target container process. (Par.(0023); terminating efficiently based on unintentional privilege escalation))(Par. (0073); terminating the container process based on malicious activity)) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Borello, Rajasekaran, Wagner and Sommers to incorporate the teaching of Jeffries to utilize the above feature because of the analogous concept of detecting malware and harmful activities in container based environments, with the motivation of identifying early on before compromise or alteration of the container that an escalation of unauthorized privileges is being conducted and then follow with a kill signal to impeded any forgery or illegitimate entities attempting to modify or intercept code. This maintains the integrity of the system and assures users that private data stored is not at risk based on a comparison. (Jeffries Par. (0003-0005)) Relevant Prior Art The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Watanabe; Yuji (U.S Pub. No. 20220342997) “ASSESSING LATENT SECURITY RISKS IN KUBERNETES CLUSTER”. Considered this reference because it addressed privilege escalation and container system and deleting of permissions. Walsh; Daniel (U.S Pub. No. 20220129539) “EMBEDDING SECURITY REQUIREMENTS IN CONTAINER IMAGES”. Considered this application because it relates comparing levels of access for containers using Linux capabilities Brown; Darren (U.S Pub. No. 20210141900) “METHODS AND SYSTEMS FOR TROUBLESHOOTING APPLICATIONS USING STREAMING ANOMALY DETECTION”. Considered this application because it addressed access request to security managers and storing events. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN A HUSSEIN whose telephone number is (571)272-3554. The examiner can normally be reached on 7:30am-5pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /H.A.H./Examiner, Art Unit 2497 /ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497