Prosecution Insights
Last updated: April 18, 2026
Application No. 18/302,757

Generating and Distributing Security Policies in Containerized Environments

Non-Final OA §103
Filed: Apr 18, 2023
Examiner: VU, PHY ANH TRAN
Art Unit: 2438
Tech Center: 2400 — Computer Networks
Assignee: DELL PRODUCTS, L.P.
OA Round: 3 (Non-Final)
Grant Probability: 71% (Favorable)
OA Rounds: 3-4
To Grant: 3y 8m
With Interview: 99%

Examiner Intelligence

Grants 71% — above average
Career Allow Rate: 71% (272 granted / 381 resolved; +13.4% vs TC avg)
Interview Lift: +72.1% (strong; resolved cases with interview)
Avg Prosecution: 3y 8m (typical timeline; 23 currently pending)
Total Applications: 404 (career history, across all art units)

Statute-Specific Performance

§101: 17.7% (-22.3% vs TC avg)
§103: 37.1% (-2.9% vs TC avg)
§102: 20.6% (-19.4% vs TC avg)
§112: 18.3% (-21.7% vs TC avg)
Based on career data from 381 resolved cases

Office Action

§103
DETAILED ACTION

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02/26/2026 has been entered.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant’s arguments with respect to claims 1, 10 and 15 have been considered but are moot in view of the new grounds and/or interpretation of the reference as detailed below.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, and 9-15, and 17-21 are rejected under 35 U.S.C. 103 as being unpatentable over Rungta and in view of Coffing (US 2022/0224535 A1-hereinafter Coffing).

Regarding claim 1, Rungta discloses a system, comprising: at a first time of deploying a software product/application (at least figure 6, column 11, lines 60-67, at a time 1 (first time) of deploying software product/application), a processor (at least figure 7, elements 710A-710N, processor); and a memory (at least figure 7, element 720, system memory) coupled to the processor, comprising instructions that, in response to execution by the processor, cause the system to perform operations, comprising: identifying that computer-executable code for a software product/application has been created or modified (at least figures 1 & 6, column 3, lines 58-67; column 4, lines 40-43; column 11, lines 60-65, i.e.: program code of components of software product is identified), wherein the software product/application is part of a group of software product/application that are configured to be executed in a containerized environment (at least column 3, lines 61-65; column 7, lines 23-37, software product is part of a group of software products, applications, services and so on. The software products, applications and services are configured to be deployed/executed to a development environment, test environment or pre-production environment that is isolated from real-world traffic); determining, from the computer-executable code, policy access rules for the software product/application (at least column 5, lines 12-20, access requests are mapped to actions that are known and supported (mapped actions), is determined); and generating an access policy based on the policy access rules according to a first format of a first target system type (at least figure 6, step 620, column 6, lines 29-45; column 12, lines 25-26, access control policy is generated for the software product/application based on the mapped actions), wherein the system is configured to generate access policies according to a group of formats that comprise the first format (at least column 5, line 40-column 6, line 38, access policies generated adhere to a principle of least privilege such that the application corresponding to the program is permitted only to perform the actions corresponding to the request identified in the code and not necessarily permitted to perform other actions); and at a second time of executing the software product/application in the containerized environment after the deploying of the software product/application, wherein the second time is later than the first time (at least figure 6, step 630, column 7, lines 33-42, executing of the software product/application is carried out at a time 2 in a (i.e.: pre-production, test, or development environment) (second time). The time 2 when execution is carried out is after/later than the time 1 (first time) when the deploying is being carried out), injecting the access policy into a proxy of the containerized environment (at least figure 6, step 630, column 8, line 52-column 9, line 8, the access control policy is applied/injected into a component (i.e. proxy server) that enforces rules/policies when executing the software product/application), wherein the proxy corresponds to the software product/application (at least column 8, line 52-column 9 line 8, proxy server corresponds to the software product/application), and wherein communication between the software product/application and other software product/application of the group of software products/application occurs via the proxy (at least column 8, lines 16-31, requests to services and resources are communicated via access control policy, which is enforced by the proxy server); and restricting and permitting, via the proxy, access to the software product/application based on the access policy that is injected into the containerized environment (at least column 7, lines 23-37; column 8, lines 16-31; column 8, line 52-column 9 line 8, the proxy server that enforces the control access policy permits or prevents/restricts the software product from issuing request).

Rungta does not explicitly disclose a microservice. However, Coffing discloses a microservice (at least [0017]-[0019], microservice). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to replace the software product/application in Rungta with the microservice of Coffing to provide for faster updates and more efficient management of resources.

Regarding claim 2, Rungta and Coffing disclose the system of claim 1.
Rungta also discloses the determining of the policy access rules is performed in response to the computer-executable code being created or modified (at least column 3, lines 39-45; column 4, lines 40-56; column 5, lines 12-54, control access policy is performed in response to the program code/request being created or modified), and independently of the microservice being executed (Rungta-at least column 4, lines 43-51, the control access policy is determined without necessarily executing corresponding components of applications/software products; Coffing-at least [0017]-[0019], microservice).

Regarding claim 3, Rungta and Coffing disclose the system of claim 1. Rungta also discloses the determining, from the computer-executable code, of the policy access rules for the microservice is performed by a continuous integration and continuous deployment component (Rungta-at least figure 1, component 110, access requests are mapped to actions that are known and supported (mapped actions) is performed by static analysis; Coffing-at least [0017]-[0019], microservice).

Regarding claim 4, Rungta and Coffing disclose the system of claim 1. Rungta also discloses the determining, from the computer-executable code, of the policy access rules for the microservice comprises: determining a functional business area of the microservice from the computer-executable code (Rungta-at least column 6, lines 46-58, business logic of the program code is determined; Coffing-[0017]-[0019], microservice).

Regarding claim 5, Rungta and Coffing disclose the system of claim 1. Rungta also discloses the determining, from the computer-executable code, of the policy access rules for the microservice comprises: determining an application programming interface of the microservice from the computer-executable code (Rungta-at least column 11, line 60-column 12, line 14, API; Coffing-[0017]-[0022][0026], API of associated microservice).

Regarding claim 6, Rungta and Coffing disclose the system of claim 1.
Rungta also discloses the determining, from the computer-executable code, of the policy access rules for the microservice comprises: determining a message handler of the microservice from the computer-executable code (Rungta-at least column 11, line 60-column 12, line 24, i.e.: component that handles the request to map to known actions; Coffing-at least [0017]-[0019], microservice).

Regarding claim 7, Rungta and Coffing disclose the system of claim 1. Rungta also discloses the determining, from the computer-executable code, of the policy access rules for the microservice comprises: determining a read, write, or execute operation of the microservice from the computer-executable code (Rungta-at least column 6, lines 10-22, i.e.: read action/operation; Coffing-at least [0017]-[0019], microservice).

Regarding claim 9, Rungta and Coffing disclose the system of claim 1. Rungta and Coffing also disclose the determining, from the computer-executable code, for the policy access rules for the microservice comprises: identifying a rule file that is associated with the computer-executable code (Coffing-at least [0028][0035][0055], rules for policy associated with microservice code), wherein the rule file is expressed in a second format (Coffing-at least [0028][0035][0055], rules for policy), and the computer-executable code is expressed in a third format (Rungta-at least column 4, lines 1-11, i.e.: program code is converted to an intermediate representation format; Coffing-at least [0017]-[0019], microservice).

Regarding claim 10, Rungta discloses a method, comprising: at a first time of deploying a software product/application (at least figure 6, column 11, lines 60-67, at a time 1 (first time) of deploying software product/application), determining, by a system comprising at least a processor, policy access rules for a software product/application based on computer-executable code for the software product/application (at least column 5, lines 12-20, access requests are mapped to actions that are known and supported (mapped actions), is determined); generating, by the system, an access policy based on the policy access rules according to a first format of a first target system type (at least figure 6, step 620, column 6, lines 29-45; column 12, lines 25-26, access control policy is generated for the software product/application based on the mapped actions), wherein the system is configured to generate access policies according to a group of formats that comprise the first format (at least column 5, line 40-column 6, line 38, access policies generated adhere to a principle of least privilege such that the application corresponding to the program is permitted only to perform the actions corresponding to the request identified in the code and not necessarily permitted to perform other actions) and at a second time of executing the software product/application (at least figure 6, step 630, executing of the software product/application is carried out at a time 2 in a production environment (second time). The time 2 when execution is carried out is after/later than the time 1 (first time) when the deploying is being carried out), inserting, by the system, the access policy into a proxy of the containerized environment in which the software product/application executes (at least figure 6, step 630, column 7, lines 23-37; column 8, line 52-column 9, line 8, the access control policy is inserted/injected into a component (i.e.: proxy server) that enforces rules/policy when executing the software product/application), wherein communication between the software product/application and other software products/applications of the group of software products/application occurs via the proxy (at least column 8, lines 16-31, requests to services and resources are communicated via access control policy, which is enforced by the proxy server); restricting, using the proxy, access to the software product/application based on the access policy that is injected into the containerized environment (at least column 7, lines 23-37; column 8, lines 16-31, the proxy server that enforces the control access policy permits or prevents/restricts the software product from issuing request).

Rungta does not explicitly disclose a microservice. However, Coffing discloses a microservice (at least [0017]-[0019], microservice). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to replace the software product/application in Rungta with the microservice of Coffing to provide for faster updates and more efficient management of resources.

Claim 11 is rejected for the same rationale as claim 2 above.

Regarding claim 12, Rungta and Coffing disclose the method of claim 10.
Rungta also discloses the inserting of the access policy into the containerized environment is performed at a time that the microservice is executed (Rungta-at least figure 6, step 630, column 7, lines 23-37, the access control policy is implicitly inserted/injected into a component that enforces/applies rules/policy when executing the software product/application; Coffing-at least [0017]-[0019], microservice).

Claim 13 is rejected for the same rationale as claim 3 above.

Regarding claim 14, Rungta and Coffing disclose the method of claim 10. Coffing also discloses the format comprises a format for a rule engine (at least [0028] [0035][0055], rules for policy) or a container for a service mesh (at least [0019], security sidecar).

Regarding claim 15, Rungta discloses a non-transitory computer-readable medium comprising instructions that, in response to execution, cause a system comprising a processor to perform operations, comprising: based on deploying a software product/application (at least figure 6, column 11, lines 60-67, column 2, lines 53-60; column 4, lines 38-47, before/based on deploying a software product) determining policy access rules for a software product/application based on computer-executable code for the software product/application (at least column 5, lines 12-20, access requests are mapped to actions that are known and supported (mapped actions), is determined); generating an access policy based on the policy access rules according to a format of a first target system type (at least figure 6, step 620, column 6, lines 29-45; column 12, lines 25-26, access control policy is generated for the software product/application based on the mapped actions); and based on executing the software product/application (at least figure 6, step 630, column 7, lines 33-42, based on executing of the software product/application), loading the access policy into a proxy of a containerized environment in which the software product/application executes (at least figure 6, step 630, column 7, lines 23-37, column 8, line 52-column 9, line 8, the access control policy is applied/injected into a component (i.e.: proxy server) that enforces/applies rules/policy when executing the software product/application), and wherein communication between the software product/application and other software product/application of the group of software product/application occurs via the proxy (at least column 8, lines 16-31, requests to services and resources are communicated via access control policy, which is enforced by the component) restricting, via the proxy, access to the software product/application (at least column 7, lines 23-37; column 8, lines 16-31, the component that enforces the control access policy permits or prevents/restricts the software product from issuing request).

Rungta does not explicitly disclose a microservice. However, Coffing discloses a microservice (at least [0017]-[0019], microservice). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to replace the software product/application in Rungta with the microservice of Coffing to provide for faster updates and more efficient management of resources.

Regarding claim 17, Rungta and Coffing disclose the non-transitory computer-readable medium of claim 15. Rungta and Coffing also disclose the loading of the access policy comprises: distributing the access policy to a control plane of a target container orchestrator or a service mesh, wherein the target container orchestrator or the service mesh is configured to apply the access policy (Rungta-at least figure 6, step 630, column 7, lines 23-37, control access policy is applied; Coffing-at least [0017]-[0019][0028][0035][0055], i.e.: sidecar applies rules to grant access).

Regarding claim 18, Rungta and Coffing disclose the non-transitory computer-readable medium of claim 15.
Coffing also discloses wherein a group of microservices comprises the microservice, wherein the group of microservices is configured to collectively provide a computing service (at least [0018]-[0019][0022][0026], i.e.: provide financial services), and wherein respective microservices of the group of microservices are configured to inter-communicate according to a protocol (at least [0024][0028]-[0029], i.e.: HTTP protocol is used).

Regarding claim 19, Rungta and Coffing disclose the non-transitory computer-readable medium of claim 15. Coffing also discloses wherein a group of microservices comprises the microservice, wherein respective microservices of the group of microservices execute within respective containers (at least [0019], i.e.: service pod), and wherein the respective containers store respective libraries or dependencies utilized by the respective microservices, independently of storing an operating system (at least [0019], service pod, which inherently stores libraries or dependencies utilized by the respective microservices).

Regarding claim 20, Rungta and Coffing disclose the non-transitory computer-readable medium of claim 15. Rungta and Coffing also disclose the determining of the policy access rules and generating the access policy is performed by a continuous integration and continuous deployment component that is configured to deploy the microservice (Rungta-at least figure 1, static analysis; Coffing-at least [0017]-[0019], microservice), and wherein the continuous integration and continuous deployment component is configured to integrate code changes from multiple sources and to deploy code to production (Rungta-at least column 11, lines 50-59, change in program code results in updated policy).

Regarding claim 21, Rungta and Coffing disclose the system of claim 1.
Rungta and Coffing also disclose wherein the injecting of the access policy into the proxy of the containerized environment comprises: sending, via a continuous integration and continuous deployment component that is configured to deploy the microservice to the containerized environment and to a policy distributor component that operates within a data plane of the containerized policy, the access policy (Rungta-at least figure 6, step 630, column 7, lines 23-37, the control access policy is deployed/sent; Coffing-at least [0025][0028][0034] [0048], policy rule); and receiving, via the proxy from the policy distributor component, the access policy (at least Rungta figure 6, step 630, column 7, lines 23-37, the access control policy is implicitly received; Coffing-at least [0055], policy information is received).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Rungta, Coffing and in view of Zang et al. (US 2020/0401502 A1-hereinafter Zang).

Regarding claim 8, Rungta and Coffing disclose the system of claim 1. Rungta and Coffing do not explicitly disclose the determining, from the computer-executable code, of the policy access rules for the microservice comprises: identifying an expression in an expression markup language from the computer-executable code, wherein the expression is separate from a computer-executable instruction of the computer-executable code. However, Zang discloses scanning source code to identify various syntactic constructs (i.e.: expressions) (at least [0076]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the teachings of Zang into the system of Rungta and Coffing to prevent vulnerabilities.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to PHY ANH TRAN VU whose telephone number is (571)270-7317. The examiner can normally be reached Monday-Friday 7 am-1 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached at (571) 272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/PHY ANH T VU/
Primary Examiner, Art Unit 2438

Prosecution Timeline

Apr 18, 2023: Application Filed
May 28, 2025: Non-Final Rejection — §103
Jun 30, 2025: Applicant Interview (Telephonic)
Jul 01, 2025: Examiner Interview Summary
Aug 20, 2025: Response Filed
Nov 21, 2025: Final Rejection — §103
Jan 26, 2026: Response after Non-Final Action
Feb 26, 2026: Request for Continued Examination
Mar 02, 2026: Response after Non-Final Action
Mar 31, 2026: Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12603894
TRUST-BASED VERIFICATION SYSTEM AND METHOD FOR SCALABLE ACCESS CONTROL AND CYBER-SECURITY QUALIFICATIONS
2y 5m to grant Granted Apr 14, 2026
Patent 12596824
METHOD, DEVICE, AND NON-TRANSITORY COMPUTER READABLE MEDIUM FOR OBFUSCATING DATA
2y 5m to grant Granted Apr 07, 2026
Patent 12580761
Public Key Storage with Secure Remote Update Capability
2y 5m to grant Granted Mar 17, 2026
Patent 12580756
CRYPTOGRAPHIC SYSTEMS AND NON-DETERMINISTIC RANDOM NUMBER GENERATORS BASED ON QUANTUM SYSTEMS
2y 5m to grant Granted Mar 17, 2026
Patent 12549349
Method of Calculating Cipher and Electronic Device Performing the Method
2y 5m to grant Granted Feb 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 71%
With Interview: 99% (+72.1%)
Median Time to Grant: 3y 8m
PTA Risk: High
Based on 381 resolved cases by this examiner. Grant probability derived from career allow rate.
