Prosecution Insights
Last updated: April 19, 2026
Application No. 18/456,632

Virtual Machine Firewall

Non-Final OA §101 §102 §103 §112
Filed: Aug 28, 2023
Examiner: AQUINO, WYNUEL S
Art Unit: 2199
Tech Center: 2100 — Computer Architecture & Software
Assignee: Oracle International Corporation
OA Round: 1 (Non-Final)
Grant Probability: 78% (Favorable)
OA Rounds: 1-2
To Grant: 3y 5m
With Interview: 99%

Examiner Intelligence

Grants 78% — above average
Career Allow Rate: 78% (340 granted / 433 resolved, +23.5% vs TC avg)
Strong +21% interview lift
Interview Lift: +20.6% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 5m (36 currently pending)
Career history
Total Applications: 469 (across all art units)

Statute-Specific Performance

§101: 17.5% (-22.5% vs TC avg)
§103: 54.6% (+14.6% vs TC avg)
§102: 5.9% (-34.1% vs TC avg)
§112: 14.1% (-25.9% vs TC avg)
Based on career data from 433 resolved cases

Office Action

§101 §102 §103 §112
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.

Regarding independent claims the limitations initiating monitoring, comparing an event, and generating an alert, as drafted, recites functions that, under its broadest reasonable interpretation, covers a function that could reasonably be performed in the mind, including with the aid of pen and paper, but for the recitation of generic computer components. That is, the limitations as cited above as drafted, are functions that, under its broadest reasonable interpretation, recite the abstract idea of a mental process. Thus, these limitation falls within the “Mental Processes” grouping of abstract ideas under Prong 1.

Under Prong 2, this judicial exception is not integrated into a practical application. The claim recites the following additional limitations: a firewall, VM application, processors, and memory. The additional elements are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using generic computer, and/or mere computer components, MPEP 2106.05(f), and steps of receiving do nothing more than add insignificant extra solution activity to the judicial exception of merely gathering data.
Accordingly, the additional elements do not integrate the recited judicial exception into a practical application and the claim is therefore directed to the judicial exception. See MPEP 2106.05(g) (Ex. v. Consulting and updating an activity log, Ultramercial, 772 F.3d at 715, 112 USPQ2d at 1754).

Under Step 2B, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of a firewall, VM application, processors, and memory, amount to no more than mere instructions, or generic computer/computer components to carry out the exception. Furthermore, the limitations directed to receiving, the courts have identified mere data gathering is well-understood, routine and conventional activity. See MPEP 2106.05(d) (Ex. iv. Storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015); OIP Techs., 788 F.3d at 1363, 115 USPQ2d at 1092-93;). The recitation of generic computer instruction and computer components to apply the judicial exception, and mere data gathering do not amount to significantly more, thus, cannot provide an inventive concept. Accordingly, the claims are not patent eligible under 35 USC 101.

Regarding claim 2-4, 6-8, 10-12, 14-16, 18-20 the limitations of VM descriptions, monitoring performed by a Java Flight Recorder, a firewall and VM location, what a profile comprises are considered mere instructions, or generic computer/computer components to carry out the exception Accordingly, the additional element recited in claim 3 fails to provide a practical application under prong 2, or amount to significantly more under step 2B.

Regarding claim 5, 13 the limitations of isolating a VM are nothing more than insignificant extra solution activity which is not a practical application under prong 2.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 17-20 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention. Claims 17-20 recites “the system” and is unclear if the reference is “firewall system”. Appropriate clarification required.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless -

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 2, 5, 6, 7, 9, 10, 13, 14, 15, 17, 18 rejected under 35 U.S.C. 102(a)(2) as being unpatentable by Thomas (Pub. No. US 2024/0214420).

Claim 1, 9, 17 Thomas teaches “a method of operating a firewall for a virtual machine (VM) application, the method comprising: initiating event monitoring of the VM application ([0070] the computing device 210 may be implemented using hardware (e.g., in a desktop computer), software (e.g., in a virtual machine or the like), [0052] Remedial action may be provided as a result of a detection of a threat or violation. The detection techniques facility 130 may include monitoring the enterprise facility 102 network or endpoint devices, such as by monitoring streaming data through the gateway, across the network, through routers and hubs, and the like. [0093] In general, the endpoint 402 may include any number of computing objects such as an object 418 labeled with a descriptor 420. While the term object has a number of specific meanings in the art, and in particular in object-oriented programming, it will be understood that the term ‘object’ as used herein is intended to be significantly broader, and may include any data, process, file or combination of these including without limitation any process, application,); receiving an event ([0094] The object 418 may be an item that is performing an action or causing an event, or the object 418 may be an item that is receiving the action or result of an event (i.e., the item in the system 400 being acted upon).); comparing the event to a plurality of events stored in a baseline profile of the VM application ([0099] An object coloring system 414 may apply descriptors 420 to objects 418 on the endpoint 402. This may be performed continuously by a background process on the endpoint 402, or it may occur whenever an object 418 is involved in an action, such as when a process makes a call to an application programming interface (API) or takes some other action, or when a URL is used to initiate a network request, or when a read or a write is performed on data in a file. 
This may also or instead include a combination of these approaches as well as other approaches, such as by labeling a file or application when it is moved to the endpoint 402, or when the endpoint 402 is started up or instantiated. In general, the object coloring system 414 may add, remove or change a color at any location and at any moment that can be practicably instrumented on a computer system.); and when the event differs from any of the plurality of events, automatically generating an alert and/or performing an action corresponding to the VM application ([0112] In general, the IOC monitor 421 applies rules to determine when there is an IOC 422 suitable for reporting to a threat management facility 404. It will be understood that an endpoint 402 may, in suitable circumstances and with appropriate information, take immediate local action to remediate a threat. However, the monitor 421 may advantageously accumulate a sequence of actions, and still more advantageously may identify inconsistencies or unexpected behavior within a group of actions with improved sensitivity by comparing descriptors 420 for various objects 418 involved in relevant actions and events. In this manner, rules may be applied based upon the descriptors 420 that better discriminate malicious activity while reducing the quantity and frequency of information that must be communicated to a remote threat management facility 404. At the same time, all of the relevant information provided by the descriptors 420 can be sent in an IOC 422 when communicating a potential issue to the threat management facility 404. For example, during the course of execution, a specific process (as evidenced by its observed actions) may be assigned color descriptors indicating that it is a browser process. Further, the specific process may be assigned an attribute indicating that it has exposed itself to external URLs or other external data. 
Subsequently, the same process may be observed to be taking an action suitable for an internal or system process, such as opening up shared memory to another process that has coloring descriptions indicating that it is a system process. When this last action is observed, an inconsistency in the various color descriptors between the subject of the action—the externally exposed browser process- and the target of the action may result in a well-defined IOC, which may be directly processed with immediate local action taken. The IOC may also or instead be reported externally as appropriate.)”.

Claim 2, 10, 18 Thomas teaches “the method of claim 1, wherein the VM application is executing within a VM ([0070] the computing device 210 may be implemented using hardware (e.g., in a desktop computer), software (e.g., in a virtual machine or the like), [0052] Remedial action may be provided as a result of a detection of a threat or violation. The detection techniques facility 130 may include monitoring the enterprise facility 102 network or endpoint devices, such as by monitoring streaming data through the gateway, across the network, through routers and hubs, and the like. [0093] In general, the endpoint 402 may include any number of computing objects such as an object 418 labeled with a descriptor 420. While the term object has a number of specific meanings in the art, and in particular in object-oriented programming, it will be understood that the term ‘object’ as used herein is intended to be significantly broader, and may include any data, process, file or combination of these including without limitation any process, application,)”.

Claim 5, 13, Thomas teaches “the method of claim 2, wherein the action comprises at least one of: isolating the VM, stopping the VM, making an Hypertext Transfer Protocol (HTTP) call, loading a class/method or running a function ([0116] The threat management facility 404 may provide a variety of threat management or monitoring tools 424, any of which may be deployed in response to IOCs 422 collected by the IOC collector 426. These tools 424 may include without limitation a scanning engine, whitelisting/blacklisting, reputation analysis, web filtering, an emulator, protection architecture, live protection, runtime detection, APT detection, network antivirus products, IOC detection, access logs, a heartbeat, a sandbox or quarantine system, and so forth.)”.

Claim 6, 14 Thomas teaches “the method of claim 1, wherein the firewall is executed by a first cloud based infrastructure and the VM application is executed by a second cloud based infrastructure that is different then the first cloud based infrastructure ([Fig. 604 and 602] in respective cloud based infrastructure)”.

Claim 7, 15, Thomas teaches “the method of claim 1, wherein the firewall is executed by a cloud based infrastructure and the VM application is executed on-premise ([Fig. 604 and 602] in respective cloud based infrastructure, application on-premise of endpoint)”.

Claim Rejections - 35 USC §103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.
Patentability shall not be negated by the manner in which the invention was made.

Claim/s 3, 11, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Thomas in view of Giral (Pub. No. US 2018/0052759).

Claim 3, 11, 19, Thomas may not explicitly teach the limitation. Giral teaches “the method of claim 2, wherein the VM application is a Java application, and the VM is a Java VM ([0020] The JVM 106 can also include various application components (e.g., servlets) for execution therein. In this example, in response to loading an application X, an application component 170 and an application component 188 are instantiated in the JVM 106 for execution therein.)”.

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Giral with the teachings of Thomas in order to provide a system that teaches details of different environments. The motivation for applying Giral teaching with Thomas teaching is to provide a system that allows for design choice. Thomas, Giral are analogous art directed towards virtual environments. Together Thomas, Giral teaches every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Giral with the teachings of Thomas by known methods before the effective filing date of the claimed invention and gained expected results.

Claim/s 4, 12, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Thomas, Giral in view of Larsen (Pub. No. US 2013/0111273).

Claim 4, 12, 20, Thomas may not explicitly teach the limitation.
Larsen teaches “the method of claim 3, wherein the event monitoring is implemented by a Java Flight Recorder ([0013] As described above, an important aspect of any environment that includes an application server and a virtual machine is the ability to identify problems that may manifest at the application level, down to any underlying issues in the virtual machine. To address this, disclosed herein is a system and method for providing virtual machine diagnostic information. In accordance with an embodiment, a "flight recorder" (referred to herein in some instances as "JRockit Flight Recorder", "Java Flight Recorder", or "Flight Recorder"), for use with a virtual machine, such as a Java virtual machine (JVM), allows a system administrator, software developer or other user experiencing a system problem to "go back in time" and analyze what happened right before a particular problem occurred in their system, and/or obtain an extremely detailed level of profiling without impacting system performance.)”.

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Larsen with the teachings of Thomas, Giral in order to provide a system that teaches details of monitoring tools. The motivation for applying Larsen teaching with Thomas, Giral teaching is to provide a system that allows for design choice. Thomas, Giral, Larsen are analogous art directed towards monitoring environments. Together Thomas, Giral, Larsen teaches every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Larsen with the teachings of Thomas, Giral by known methods before the effective filing date of the claimed invention and gained expected results.

Claim/s 8, 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Thomas in view of Higashiyama (Pub. No. US 2021/0049275).

Claim 8, 16, Thomas may not explicitly teach the limitation. Higashiyama teaches “the method of claim 1, wherein the baseline profile comprises one or more of central processing unit (CPU) usage ([0084] According to the resource monitoring, an execution profile of the program is monitored, and the execution of the program can be limited when the monitored execution profile shows the abnormal behavior, thus it is possible to counteract the execution of the unauthenticated program. The monitored execution profile is the usage rate of the CPU cores 1020, 1021, 1022, and 1023 and the used amount of the inter-core shared memory 1160, for example.), memory usage, garbage collection or thread activity”.

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Higashiyama with the teachings of Thomas in order to provide a system that teaches details of monitoring. The motivation for applying Higashiyama teaching with Thomas teaching is to provide a system that allows for design choice. Thomas, Higashiyama are analogous art directed towards virtual environments. Together Thomas, Higashiyama teaches every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Higashiyama with the teachings of Thomas by known methods before the effective filing date of the claimed invention and gained expected results.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WYNUEL S AQUINO whose telephone number is (571)272-7478. The examiner can normally be reached 9AM-5PM EST M-F. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.
To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached at 571-272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/WYNUEL S AQUINO/ Primary Examiner, Art Unit 2199

Prosecution Timeline

Aug 28, 2023: Application Filed
Jan 09, 2026: Non-Final Rejection — §101, §102, §103
Apr 01, 2026: Interview Requested

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596570
OPTIMIZED STORAGE CACHING FOR COMPUTER CLUSTERS USING METADATA
2y 5m to grant Granted Apr 07, 2026
Patent 12596567
HIGH AVAILABILITY CONTROL PLANE NODE FOR CONTAINER-BASED CLUSTERS
2y 5m to grant Granted Apr 07, 2026
Patent 12585568
METHODS AND APPARATUS TO PERFORM INSTRUCTION-LEVEL GRAPHICS PROCESSING UNIT (GPU) PROFILING BASED ON BINARY INSTRUMENTATION
2y 5m to grant Granted Mar 24, 2026
Patent 12572675
ACCESSING FILE SYSTEMS IN A VIRTUAL ENVIRONMENT
2y 5m to grant Granted Mar 10, 2026
Patent 12566639
TECHNIQUES FOR AUTO-TUNING COMPUTE LOAD RESOURCES
2y 5m to grant Granted Mar 03, 2026
Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 78%
With Interview: 99% (+20.6%)
Median Time to Grant: 3y 5m
PTA Risk: Low
Based on 433 resolved cases by this examiner. Grant probability derived from career allow rate.
