SYSTEMS AND METHODS FOR EXTRACTING AND PROCESSING AUDITABLE METADATA

DETAILED ACTION This Office Action has been issued in response to Applicant's RCE filed December 18, 2025. Claims 1, 3, 8, 10, 15, and 17 have been amended. Claims 1-20 have been examined and are pending. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on December 18, 2025 has been entered. Response to Arguments Applicant's arguments filed December 18, 2025 have been fully considered but they are moot in view of the new grounds of rejection. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 1-5, 8-12, and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub. No. 2016/0261611 to Heilig (hereinafter “Heilig”) and further in view of US Pub. No. 2020/0252376 to Feng et al. (hereinafter “Feng”) and further in view of US Pub. No. 2018/0367422 to Raney et al. (hereinafter “Raney”). As to Claim 1, Heilig discloses a system, comprising: one or more processors; and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising: receiving incoming signals communicated from at least one application service [to a first pod associated with a user space of a node] via a listener module [at least partially deployed within the user space], wherein the listener module is communicatively coupled to a metadata analysis module [deployed in an operational space of the node], [wherein the metadata analysis module is operable to adjust a sampling mode, a sampling rate, and a start/stop function of the listener module] (Paragraph [0008] of Heilig discloses receive entering network packets and exiting network packets corresponding to one or more network devices. Paragraph [0053] of Heilig discloses the network device monitor server 102 receives outbound packets from the LAN side tap 106 at the server module 201. In step 402, the network device monitor server 102 receives outbound packets from the WAN side tap 105 at the server module 201); extracting metadata associated with data provided by the received incoming signals via the listener module (Paragraph [0085] of Heilig discloses all the information required for detecting stealth network traffic is in the packet header or with payload metadata or a hash on the payload. Paragraph [0053] of Heilig discloses the network device monitor server 102 receives outbound packets from the LAN side tap 106 at the server module 201); transmitting the extracted metadata to the metadata analysis module for storage as an auditable record (Paragraph [0053] of Heilig discloses the network device monitor server 102 receives outbound packets from the LAN side tap 106 at the server module 201. Paragraph [0075] of Heilig discloses the network device monitor server 102 collects IP packets from the network traffic and stores them with the database module 203) receiving outgoing signals communicated from the first pod to an external entity via the listener module, (Paragraph [0008] of Heilig discloses a first network monitor server configured to: receive entering network packets and exiting network packets corresponding to one or more network devices. Paragraph [0053] of Heilig discloses the network device monitor server 102 receives outbound packets from the LAN side tap 106 at the server module 201. In step 402, the network device monitor server 102 receives outbound packets from the WAN side tap 105 at the server module 201); comparing the incoming signals to the outgoing signals to detect a variation (Paragraph [0007] of Heilig discloses comparing incoming and outgoing network traffic on a particular network device); and determining that the data has been transmitted to the external entity based on a determination that there is no detected variation from the comparison between the incoming signals and the outgoing signals (Paragraph [0008] of Heilig discloses determine matching packets between said entering network packets and said exiting network packets, generate an alert when no matching entering packet can be determined for one or more exiting packets). Heilig does not explicitly disclose to a first pod associated with a user space of a node and at least partially deployed within the user space and deployed in an operational space of the node. However, Feng discloses this. Paragraph [0012] of Feng discloses a security monitor to monitor network communications at a loopback interface of a pod in the container system. Paragraph [0026] of Feng discloses the security monitor 130 captures these incoming and outgoing packets for the ingress connection and correlates different packets together by matching the source network address and port number of incoming packets with destination network address and ports of outgoing packets. Figure 3 of Feng discloses the security monitor being in the VM. It would have been obvious to one of ordinary skill in the art before the effective filing of the invention to combine the traffic monitoring system as disclosed by Heilig, with traffic monitoring in pods as disclosed by Feng. One of ordinary skill in the art would have been motivated to combine to apply a known technique to a known device. Heilig and Feng are directed toward traffic monitoring systems and as such it would be obvious to use the techniques of one in the other. Feng discloses that pods also use traffic monitoring systems and it would be obvious to use similar traffic monitoring techniques to improve security. Heilig does not explicitly disclose wherein the metadata analysis module is operable to adjust a sampling mode, a sampling rate, and a start/stop function of the listener module. However, Raney discloses this. Paragraph [0014] of Raney discloses the agent controller generates and sends reconfiguration messages to the tap agents. The tap agents adjust their operations based upon the reconfiguration messages. Paragraph [0019] of Raney discloses the adjusting includes at least one of decreasing sampling rates or truncating payloads for subsequent captured packets. In further embodiments, the adjusting includes generating metadata for subsequent captured packets and forwarding the metadata rather than payload data to the tool agent. Paragraph [0056] of Raney discloses the agent controller 252 sends configuration rules 302 to the tap agent 212 and to tool agent 232. The configuration rules provided to the tap agent 212 determine how the tap agent 212 will operate to monitor, capture, and forward packets associated with packet traffic communicated with respect to one or more network applications that the tap agent 212 is monitoring. It would have been obvious to one of ordinary skill in the art before the effective filing of the invention to combine the traffic monitoring system as disclosed by Heilig, with adjusting the taps as disclosed by Raney. One of ordinary skill in the art would have been motivated to combine to apply a known technique to a known device ready for improvement to yield predictable results. Heilig and Raney are directed toward traffic monitoring systems and as such it would be obvious to use the techniques of one in the other. Paragraph [0014] of Raney discloses the tap agents adjust their operations based upon the reconfiguration messages and/or the drop detection messages to reduce packet drops within subsequent tap packets communications. As to Claim 2, Heilig-Feng-Raney discloses the system of claim 1, the operations further comprising storing the extracted metadata in a local database as an auditable record (Paragraph [0055] of Heilig discloses the packets and hash computation results are stored with the database module 203). As to Claim 3, Heilig-Feng-Raney discloses the system of claim 1, the operations further comprising configuring the sampling rate of the listener module (Paragraph [0075] of Heilig discloses the delta time value can also be adjusted dynamically based on current load conditions on the network device). As to Claim 4, Heilig-Feng-Raney discloses the system of claim 1, the operations further comprising filtering the incoming signals and the outgoing signals based on a type of pod used as the first pod, a scanner of the first pod, a collector of the first pod, or a combination thereof (Paragraph [0023] of Heilig discloses comparing at least one of source IP address, source port, destination IP address, and destination port of an exiting packet to corresponding header information of an entering packet). As to Claim 5, Heilig-Feng-Raney discloses the system of claim 1, the operations further comprising: in response to a determination that the data has been transmitted to the external entity and a determination that the external entity was not authorized to receive the data, flagging and/or filtering out the data (Paragraph [0042] of Heilig discloses the network device monitor server can also detect unauthorized inbound network traffic and illegally modified packets). As to Claim 8, Heilig discloses a method for storing auditable metadata, comprising: receiving incoming signals communicated from at least one application service [to a first pod associated with a user space of a node] via a listener module [at least partially deployed within the user space], wherein the listener module is communicatively coupled to a metadata analysis module [deployed in an operational space of the node], [wherein the metadata analysis module is operable to adjust a sampling mode, a sampling rate, and a start/stop function of the listener module] (Paragraph [0008] of Heilig discloses receive entering network packets and exiting network packets corresponding to one or more network devices. Paragraph [0053] of Heilig discloses the network device monitor server 102 receives outbound packets from the LAN side tap 106 at the server module 201. In step 402, the network device monitor server 102 receives outbound packets from the WAN side tap 105 at the server module 201); extracting metadata associated with data provided by the received incoming signals via the listener module (Paragraph [0085] of Heilig discloses all the information required for detecting stealth network traffic is in the packet header or with payload metadata or a hash on the payload. Paragraph [0053] of Heilig discloses the network device monitor server 102 receives outbound packets from the LAN side tap 106 at the server module 201); transmitting the extracted metadata to the metadata analysis module for storage as an auditable record (Paragraph [0053] of Heilig discloses the network device monitor server 102 receives outbound packets from the LAN side tap 106 at the server module 201. Paragraph [0075] of Heilig discloses the network device monitor server 102 collects IP packets from the network traffic and stores them with the database module 203) receiving outgoing signals communicated from the first pod to an external entity via the listener module (Paragraph [0008] of Heilig discloses a first network monitor server configured to: receive entering network packets and exiting network packets corresponding to one or more network devices. Paragraph [0053] of Heilig discloses the network device monitor server 102 receives outbound packets from the LAN side tap 106 at the server module 201. In step 402, the network device monitor server 102 receives outbound packets from the WAN side tap 105 at the server module 201); comparing the incoming signals to the outgoing signals to detect a variation (Paragraph [0007] of Heilig discloses comparing incoming and outgoing network traffic on a particular network device); and determining that the data has been transmitted to the external entity based on a determination that there is no detected variation from the comparison between the incoming signals and the outgoing signals (Paragraph [0008] of Heilig discloses determine matching packets between said entering network packets and said exiting network packets, generate an alert when no matching entering packet can be determined for one or more exiting packets). Heilig does not explicitly disclose to a first pod associated with a user space of a node and at least partially deployed within the user space and deployed in an operational space of the node. However, Feng discloses this. Paragraph [0012] of Feng discloses a security monitor to monitor network communications at a loopback interface of a pod in the container system. Paragraph [0026] of Feng discloses the security monitor 130 captures these incoming and outgoing packets for the ingress connection and correlates different packets together by matching the source network address and port number of incoming packets with destination network address and ports of outgoing packets. Figure 3 of Feng discloses the security monitor being in the VM. Examiner recites the same rationale to combine used for claim 1. Heilig does not explicitly disclose wherein the metadata analysis module is operable to adjust a sampling mode, a sampling rate, and a start/stop function of the listener module. However, Raney discloses this. Paragraph [0014] of Raney discloses the agent controller generates and sends reconfiguration messages to the tap agents. The tap agents adjust their operations based upon the reconfiguration messages. Paragraph [0019] of Raney discloses the adjusting includes at least one of decreasing sampling rates or truncating payloads for subsequent captured packets. In further embodiments, the adjusting includes generating metadata for subsequent captured packets and forwarding the metadata rather than payload data to the tool agent. Paragraph [0056] of Raney discloses the agent controller 252 sends configuration rules 302 to the tap agent 212 and to tool agent 232. The configuration rules provided to the tap agent 212 determine how the tap agent 212 will operate to monitor, capture, and forward packets associated with packet traffic communicated with respect to one or more network applications that the tap agent 212 is monitoring. Examiner recites the same rationale to combine used for claim 1. As to Claim 9, Heilig-Feng-Raney discloses the method of claim 8, further comprising storing the extracted metadata in a local database as an auditable record (Paragraph [0055] of Heilig discloses the packets and hash computation results are stored with the database module 203). As to Claim 10, Heilig-Feng-Raney discloses the method of claim 8, further comprising configuring the sampling rate of the listener module (Paragraph [0075] of Heilig discloses the delta time value can also be adjusted dynamically based on current load conditions on the network device). As to Claim 11, Heilig-Feng-Raney discloses the method of claim 8, further comprising filtering the incoming signals and the outgoing signals based on a type of pod used as the first pod, a scanner of the first pod, a collector of the first pod, or a combination thereof (Paragraph [0023] of Heilig discloses comparing at least one of source IP address, source port, destination IP address, and destination port of an exiting packet to corresponding header information of an entering packet). As to Claim 12, Heilig-Feng-Raney discloses the method of claim 8, further comprising: in response to a determination that the data has been transmitted to the external entity and a determination that the external entity was not authorized to receive the data, flagging and/or filtering out the data (Paragraph [0042] of Heilig discloses the network device monitor server can also detect unauthorized inbound network traffic and illegally modified packets). As to Claim 15, Heilig discloses a non-transitory computer-readable medium comprising instructions that are configured, when executed by a processor, to: receive incoming signals communicated from at least one application service [to a first pod associated with a user space of a node] via a listener module [at least partially deployed within the user space], wherein the listener module is communicatively coupled to a metadata analysis module [deployed in an operational space of the node], [wherein the metadata analysis module is operable to adjust a sampling mode, a sampling rate, and a start/stop function of the listener module] (Paragraph [0008] of Heilig discloses receive entering network packets and exiting network packets corresponding to one or more network devices. Paragraph [0053] of Heilig discloses the network device monitor server 102 receives outbound packets from the LAN side tap 106 at the server module 201. In step 402, the network device monitor server 102 receives outbound packets from the WAN side tap 105 at the server module 201); extract metadata associated with data provided by the received incoming signals via the listener module (Paragraph [0085] of Heilig discloses all the information required for detecting stealth network traffic is in the packet header or with payload metadata or a hash on the payload. Paragraph [0053] of Heilig discloses the network device monitor server 102 receives outbound packets from the LAN side tap 106 at the server module 201); transmit the extracted metadata to the metadata analysis module for storage as an auditable record (Paragraph [0053] of Heilig discloses the network device monitor server 102 receives outbound packets from the LAN side tap 106 at the server module 201. Paragraph [0075] of Heilig discloses the network device monitor server 102 collects IP packets from the network traffic and stores them with the database module 203) receive outgoing signals communicated from the first pod to an external entity via the listener module, (Paragraph [0008] of Heilig discloses a first network monitor server configured to: receive entering network packets and exiting network packets corresponding to one or more network devices. Paragraph [0053] of Heilig discloses the network device monitor server 102 receives outbound packets from the LAN side tap 106 at the server module 201. In step 402, the network device monitor server 102 receives outbound packets from the WAN side tap 105 at the server module 201); compare the incoming signals to the outgoing signals to detect a variation (Paragraph [0007] of Heilig discloses comparing incoming and outgoing network traffic on a particular network device); and determine that the data has been transmitted to the external entity based on a determination that there is no detected variation from the comparison between the incoming signals and the outgoing signals (Paragraph [0008] of Heilig discloses determine matching packets between said entering network packets and said exiting network packets, generate an alert when no matching entering packet can be determined for one or more exiting packets). Heilig does not explicitly disclose to a first pod associated with a user space of a node and at least partially deployed within the user space and deployed in an operational space of the node. However, Feng discloses this. Paragraph [0012] of Feng discloses a security monitor to monitor network communications at a loopback interface of a pod in the container system. Paragraph [0026] of Feng discloses the security monitor 130 captures these incoming and outgoing packets for the ingress connection and correlates different packets together by matching the source network address and port number of incoming packets with destination network address and ports of outgoing packets. Figure 3 of Feng discloses the security monitor being in the VM. Examiner recites the same rationale to combine used for claim 1. Heilig does not explicitly disclose wherein the metadata analysis module is operable to adjust a sampling mode, a sampling rate, and a start/stop function of the listener module. However, Raney discloses this. Paragraph [0014] of Raney discloses the agent controller generates and sends reconfiguration messages to the tap agents. The tap agents adjust their operations based upon the reconfiguration messages. Paragraph [0019] of Raney discloses the adjusting includes at least one of decreasing sampling rates or truncating payloads for subsequent captured packets. In further embodiments, the adjusting includes generating metadata for subsequent captured packets and forwarding the metadata rather than payload data to the tool agent. Paragraph [0056] of Raney discloses the agent controller 252 sends configuration rules 302 to the tap agent 212 and to tool agent 232. The configuration rules provided to the tap agent 212 determine how the tap agent 212 will operate to monitor, capture, and forward packets associated with packet traffic communicated with respect to one or more network applications that the tap agent 212 is monitoring. Examiner recites the same rationale to combine used for claim 1. As to Claim 16, Heilig-Feng-Raney discloses the non-transitory computer-readable medium of claim 15, wherein the instructions are further configured to: store the extracted metadata in a local database as an auditable record (Paragraph [0055] of Heilig discloses the packets and hash computation results are stored with the database module 203). As to Claim 17, Heilig-Feng-Raney discloses the non-transitory computer-readable medium of claim 15, wherein the instructions are further configured to: configure the sampling rate of the listener module (Paragraph [0075] of Heilig discloses the delta time value can also be adjusted dynamically based on current load conditions on the network device). As to Claim 18, Heilig-Feng-Raney discloses the non-transitory computer-readable medium of claim 15, wherein the instructions are further configured to: filter the incoming signals and the outgoing signals based on a type of pod used as the first pod, a scanner of the first pod, a collector of the first pod, or a combination thereof (Paragraph [0023] of Heilig discloses comparing at least one of source IP address, source port, destination IP address, and destination port of an exiting packet to corresponding header information of an entering packet). Claims 6, 13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Heilig-Feng-Raney and further in view of US Pat. No. 11606339 to Kotas et al. (hereinafter “Kotas”). As to Claim 6, Heilig-Feng-Raney discloses the system of claim 1. Heilig-Feng-Raney does not explicitly disclose the operations further comprising: monitoring the identification of one or more instances of a searched query in one or more pods, the searched query being anonymized post-classification by the external entity; and monitoring the communication of instructions to delete the identified one or more instances of the searched query. However, Kotas discloses this. Column 2 lines 30-40 of Kotas disclose scans that data for private information and, in response to detecting private information, performs one or more of: (i) deleting the private information within the cloud provider network. It would have been obvious to one of ordinary skill in the art before the effective filing of the invention to combine the traffic monitoring system as disclosed by Heilig, with deleting private data as disclosed by Kotas. One of ordinary skill in the art would have been motivated to combine to apply a known technique to a known device. Heilig and Kotas are directed toward traffic monitoring systems and as such it would be obvious to use the techniques of one in the other. Heilig’s security would be improved by deleting private data. As to Claim 13, Heilig-Feng-Raney discloses the method of claim 8. Heilig-Feng-Raney does not explicitly disclose further comprising: monitoring the identification one or more instances of a searched query in one or more pods, the searched query being anonymized post-classification by the external entity; and monitoring the communication instructions to delete the identified one or more instances of the searched query. However, Kotas discloses this. Column 2 lines 30-40 of Kotas disclose scans that data for private information and, in response to detecting private information, performs one or more of: (i) deleting the private information within the cloud provider network. Examiner recites the same rationale to combine used for claim 1. As to Claim 19, Heilig-Feng-Raney discloses the non-transitory computer-readable medium of claim 15. Heilig-Feng-Raney does not explicitly disclose wherein the instructions are further configured to: monitor the identification one or more instances of a searched query in one or more pods, the searched query being anonymized post-classification by the external entity; and monitor the communication instructions to delete the identified one or more instances of the searched query. However, Kotas discloses this. Column 2 lines 30-40 of Kotas disclose scans that data for private information and, in response to detecting private information, performs one or more of: (i) deleting the private information within the cloud provider network. Examiner recites the same rationale to combine used for claim 1. Claims 7, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Heilig-Feng-Raney and further in view of US Pub. No. 20080056487 to Akyol et al. (hereinafter “Akyol”). As to Claim 7, Heilig-Feng-Raney discloses the system of claim 1. Heilig-Feng-Raney does not explicitly disclose the operations further comprising: inhibiting traffic flow to and from the first pod in response to a determination that the data has been transmitted to the external entity and a determination that the external entity was not authorized to receive the data. However, Akyol discloses this. Paragraph [0044] of Akyol discloses if malware is detected (decision 450), the system can be quarantined from the network (step 460), and if malware is not detected the data traffic can be transmitted from the system to the network. It would have been obvious to one of ordinary skill in the art before the effective filing of the invention to combine the traffic monitoring system as disclosed by Heilig, with quarantining affected systems as disclosed by Akyol. One of ordinary skill in the art would have been motivated to combine to apply a known technique to a known device. Heilig and Akyol are directed toward traffic monitoring systems and as such it would be obvious to use the techniques of one in the other. Heilig’s security would be improved by isolating the malware. As to Claim 14, Heilig-Feng-Raney discloses the method of claim 8. Heilig-Feng-Raney does not explicitly disclose further comprising inhibiting traffic flow to and from the first pod in response to a determination that the data has been transmitted to the external entity and a determination that the external entity was not authorized to receive the data. However, Akyol discloses this. Paragraph [0044] of Akyol discloses if malware is detected (decision 450), the system can be quarantined from the network (step 460), and if malware is not detected the data traffic can be transmitted from the system to the network. Examiner recites the same rationale to combine used for claim 1. As to Claim 20, Heilig-Feng-Raney discloses the non-transitory computer-readable medium of claim 15. Heilig-Feng-Raney does not explicitly disclose wherein the instructions are further configured to: inhibit traffic flow to and from the first pod in response to a determination that the data has been transmitted to the external entity and a determination that the external entity was not authorized to receive the data. However, Akyol discloses this. Paragraph [0044] of Akyol discloses if malware is detected (decision 450), the system can be quarantined from the network (step 460), and if malware is not detected the data traffic can be transmitted from the system to the network. Examiner recites the same rationale to combine used for claim 1. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kevin S Mai whose telephone number is (571)270-5001. The examiner can normally be reached Monday to Friday 9AM to 5PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /KEVIN S MAI/Primary Examiner, Art Unit 2499