DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of Claims
The following is a Non-Final Office Action in response to applicant’s filing on June 25, 2024. Claims 21-40 are pending, of which claims 21, 28, and 35 are in independent form.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on June 24, 2025 and June 25, 2025. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 25, 32, and 39 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 25 recites “wherein the machine learning operation comprises one or more of (a) training of one or more models or (b) an inference operation.”.
Claim 25 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claim 25 recites “wherein the machine learning operation comprises one or more of (a) training of one or more models or (b) an inference operation;”. (i.e., To run a particular application at the MAES, e.g., in order to perform one or more machine learning operations (such as training/re-training one or more models, obtaining one or more predictions/inferences from a previously-trained version of a model, tuning model hyperparameters, and so on) or other types of operations, one or more programmatic requests may be submitted from a client device 195 via interfaces 170 in the depicted embodiment, see paragraph [0029]). The specification refers generally to machine learning applications and ML models being executed within isolated runtime environments. However, the specification fails to describe any formulas or algorithm by which a machine learning model is trained or updated.
The level of detail required to satisfy the written description requirement varies depending on the nature and scope of the claims and on the complexity and predictability of the relevant technology. Ariad, 598 F.3d at 1351, 94 USPQ2d at 1172; Capon v. Eshhar, 418 F.3d 1349, 1357-58, 76 USPQ2d 1078, 1083-84 (Fed. Cir. 2005). Computer-implemented inventions are often disclosed and claimed in terms of their functionality. For computer-implemented inventions, the determination of the sufficiency of disclosure will require an inquiry into the sufficiency of both the disclosed hardware and the disclosed software due to the interrelationship and interdependence of computer hardware and software. The critical inquiry is whether the disclosure of the application relied upon reasonably conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date. Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 682. 114 USPQ2d 1349, 1356 (citing Ariad Pharm., Inc. V. Eli Lilly & Co, 598 F.3d 1336, 1351, 94 USPQ2d 1161, 1172 (Fed. Cir. 2010) in the context of determining possession of a claimed means of accessing disparate databases).
Same reasons apply to the dependent claims 32 and 39.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 21-23, 26-30, 33-37, and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Martz et al . (US 2019/0097977 A1), hereinafter Martz in view of Joshi et al. (US 7,694,328 B2), hereinafter Joshi.
Regarding claim 21, Martz discloses a computer-implemented method, comprising:
determining, at a network-accessible service of a cloud computing environment via one or more programmatic interfaces, an isolation requirement of an application (Martz, Para. 0058, In a cloud computing environment, program modules may be located in both local and remote memory storage devices) and (Martz, Para. 0052, the sandbox firewall 511 prevents non-allowed data or data requests between the host computer system trusted memory space, including the operating system of the host computer system and the sandbox. All other connectivity between the sandbox and other memory() space of the host computer system is blocked. In examples, non-allowed data or data requests comprises any data or data requests that are not explicitly initiated and/or allowed by user action. For example, in examples, applications, such as a browser, that run within the container must access certain system resources (e.g., memory management APIs, user-interface APIs, etc.));
applying, by the network-accessible service, configuration settings at a computing resource in accordance with the isolation requirement such that (Martz, Para. 0021, the sandbox container process may include an internal isolation firewall. The internal isolation firewall may enforce the segregation of the first and second memory spaces)(a) a networking intermediary associated with the application is permitted to obtain, at the computing resource via a network from one or more entities external to the computing resource, data which is to be processed by the application at the computing resource (Martz, Para. 0047, The sandbox implements web proxy authentication, which allows access to the open internet. Moreover, internet access is permitted (e.g., only permitted) through proxy device 506 using an, application operating in the sandbox 517, such as an untrusted browser. If requests come to the proxy device 506 that are not properly authenticated or are from an application in the trusted memory space (e.g., outside of sandbox 517) and not explicitly permitted, the requests will be denied. If requests come to the web proxy listing a network destination that has been identified on a blacklist as a forbidden destination, the requests will be blocked by the web proxy 506. On the other hand, if requests come to the web proxy 506 listing a network destination that is identified on a whitelist as preapproved, those requests will be allowed through the web proxy), (b) the networking intermediary is prevented from accessing the application (Martz, Para. 0046) and (Martz, Para. 0047, The sandbox implements web proxy authentication, which allows access to the open internet. Moreover, internet access is permitted (e.g., only permitted) through proxy device 506 using an, application operating in the sandbox 517, such as an untrusted browser. If requests come to the proxy device 506 that are not properly authenticated or are from an application in the trusted memory space (e.g., outside of sandbox 517) and not explicitly permitted, the requests will be denied. If requests come to the web proxy listing a network destination that has been identified on a blacklist as a forbidden destination, the requests will be blocked by the web proxy 506. On the other hand, if requests come to the web proxy 506 listing a network destination that is identified on a whitelist as preapproved, those requests will be allowed through the web proxy), (c) the application is prevented from communicating via the network with at least some entities external to the computing resource (Martz, Para. 0046) and (Martz, Para. 0047, if requests come to the proxy device 506 that are not properly authenticated or are from an application in the trusted memory space (e.g., outside of sandbox 517) and not explicitly permitted) and (d) the networking intermediary and the application are permitted to communicate with each other via a local communication channel of the computing resource (Martz, Para. 0051, all improperly authenticated or unauthenticated traffic received on this port would be automatically dropped. Authenticated access to the web proxy is available (e.g., only available) using a sandboxed application, such as a browser. Authentication credentials, encrypted or not encrypted, may be stored in configuration files, whether locally or in other network-accessible locations); and
processing, by the application at the computing resource, a particular set of data received by the networking intermediary via the network from a particular entity external to the computing resource (Martz, Paras. 0050- 0051, system 500 is configured so that all externally bound web protocols from internal hosts are automatically directed to the web proxy on a specific port, such as 4321. In some cases, the location of this “redirection” is a router just prior to the border firewall (e.g. router 507). With the exception of traffic bound for whitelisted destinations or traffic received from an authenticated container, all other traffic received by the web proxy is automatically dropped),
Martz does not explicitly disclose wherein the particular set of data is obtained at the application from the networking intermediary via the local communication channel.
However, Joshi teaches wherein the particular set of data is obtained at the application from the networking intermediary via the local communication channel (Joshi, Para. 0170, a request may be sent to a Clipboard Proxy running in the Protected Context over a Named Pipe, with the format identifier that was requested. The Clipboard Proxy in the Protected Context may be able to access these formats, since it may not be running with any access-controls with regards to the clipboard. It may send back the data of the requested format over the Named Pipe connection. The original call may then be completed with the data that is retrieved via the proxy. The storage for this data is locally allocated in the Process's address space, and may be cleaned up when the Process closes the clipboard).
Martz and Joshi are both considered to be analogous to the claim invention because they are in the same field of network isolation levels for run-time environments supported at a managed application execution service. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Martz to incorporate the teachings of Joshi to include wherein the particular set of data is obtained at the application from the networking intermediary via the local communication channel (Joshi, Para. 0170). Doing so would aid to detect intrusions that have already occurred, or intrusions in progress. These types of systems may suffer from false positives, and also may have very little potential for prevention. Because these systems depend on monitoring activity on the network to infer whether an intrusion is in progress, they may interpret many sorts of unusual activity as a potential intrusion (Joshi, Col. 2, Lines 39-46).
Regarding claim 22, the combination of Martz in view of Joshi teaches the computer-implemented method as recited in claim 21, further comprising: establishing, at the computing resource, a first run-time environment and a second run-time environment (Martz, Paras. 0036, For example, the sandboxed browser may establish an authenticated connection to the web proxy. This authenticated connection allows the untrusted browser to send user-initiated communications to untrusted web sites or visit other untrusted internet destinations); executing the networking intermediary at the first run-time environment; and executing the application at the second run-time environment (Martz, Paras. 0015, the sandbox firewall process ensures that requests to untrusted network destinations are handled by processes within (e.g., fully contained within) a sandbox environment, starting a new process as required. Likewise, the sandbox firewall ensures that requests to trusted network destinations are handled by processes outside (e.g., fully contained outside) of a sandbox environment, (trusted memory space), starting a new process as required).
Regarding claim 23, the combination of Martz in view of Joshi teaches the computer-implemented method as recited in claim 22, wherein the first run-time environment comprises one of (a) a software container or (b) a virtual machine (Martz, Para. 0051, the isolated computing environment may be a sandboxed computing environment enforced by a sandbox container process that enables the internal isolation firewall) and (Martz, Para. 0040, this classification may be performed by a standalone process (e.g., the sandbox firewall) operating in isolation, or by multiple processes operating in conjunction (e.g. with a virtual machine (VM) or another sandboxed application)).
Regarding claim 26, the combination of Martz in view of Joshi teaches the computer-implemented method as recited in claim 21, wherein the local communication channel comprises one or more in-memory streaming buffers or pipes (Joshi, Para. 0119, During the intercept to the CIFS function, the security client may take the universal naming convention (UNC) path- 65 name that the Isolated Context passed to CIFS, and uses it to create a UNC path to a named pipe on the same server (i.e. it), it is noted that UNC is equated to a local communication channel, and (Joshi, Para.0170, the storage for this data is locally allocated in the Process's address space). Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Martz to incorporate the teachings of Joshi to include wherein the local communication channel comprises one or more in-memory streaming buffers or pipes (Joshi, Para. 0119). Doing so would aid to detect intrusions that have already occurred, or intrusions in progress. These types of systems may suffer from false positives, and also may have very little potential for prevention. Because these systems depend on monitoring activity on the network to infer whether an intrusion is in progress, they may interpret many sorts of unusual activity as a potential intrusion (Joshi, Col. 2, Lines 39-46).
Regarding claim 27, the combination of Martz in view of Joshi teaches the computer-implemented method as recited in claim 21, wherein in accordance with the isolation requirement, the configuration settings prevent one or more of: (a) reads from at least a portion of a storage device or (b) writes to at least a portion of a storage device (Martz, Para. 0021,The software may restrict sandbox-based access to one more file descriptors, memory, file system space, etc. For example, the applications and/or processes operating within the sandboxed computing environment may be permitted to certain portions of Memory 14 but may not be allowed access to other portions of Memory 14. As an example, Memory).
In regards to claim 28, the system claim 28 is similarly analyzed and rejected as the method claim 21.
In regards to claim 29, the system claim 29 is similarly analyzed and rejected as the method claim 22.
In regards to claim 30, the system claim 30 is similarly analyzed and rejected as the method claim 23.
In regards to claim 33, the system claim 33 is similarly analyzed and rejected as the method claim 26.
In regards to claim 34, the system claim 34 is similarly analyzed and rejected as the method claim 27.
In regards to claim 35, the non-transitory computer-accessible storage media claim 35 is similarly analyzed and rejected as the method claim 21 and system claim 28.
In regards to claim 36, the non-transitory computer-accessible storage media claim 36 is similarly analyzed and rejected as the method claim 22 and system claim 29.
In regards to claim 37, the non-transitory computer-accessible storage media claim 37 is similarly analyzed and rejected as the method claim 23 and system claim 30.
In regards to claim 40, the non-transitory computer-accessible storage media claim 40 is similarly analyzed and rejected as the method claim 26 and system claim 33.
Claims 24-25, 31-32, and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Martz et al . (US 2019/0097977 A1), hereinafter Martz in view of Joshi et al. (US 7,694,328 B2), hereinafter Joshi and further in view of Titonis et al. (US 2013/0097706 A1), hereinafter Titonis.
Regarding claim 24, the combination of Martz in view of Joshi does not explicitly teach the computer-implemented method as recited in claim 21, wherein to process the particular set of data, the application performs a machine learning operation.
However, Titonis teaches wherein to process the particular set of data, the application performs a machine learning operation (Titonis, Para. 0281, One of ordinary skill in the art appreciates that once the datasets and training sets are accumulated, that other supervised classification techniques more amenable to larger datasets will be implemented into the Cloud Service. In particular, it is foreseen the use of Support Vector Machines and Decision Trees based on the aforementioned feature vectors and/or subsets of their components).
Martz, Joshi and Titonis are all considered to be analogous to the claim invention because they are in the same field of network isolation levels for run-time environments supported at a managed application execution service. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Martz and Joshi to incorporate the teachings of Titonis to include wherein to process the particular set of data, the application performs a machine learning operation (Titonis, Para. 0281). Doing so would aid to prevent a malicious application from reaching consumers by hooking into the application distribution network, expediting the application analysis queue, and by the automatic labeling of anomalous applications early in the distribution process (Titonis, Para. 0023).
Regarding claim 25, the combination of Martz in view of Joshi does not explicitly teach the computer-implemented method as recited in claim 24, wherein the machine learning operation comprises one or more of (a) training of one or more models or (b) an inference operation.
However, Titonis teaches wherein the machine learning operation comprises one or more of (a) training of one or more models (Titonis, Para. 0020-0022, the process consists of a set of algorithms, computer programs that perform tasks based on input data that learns over time as the system is fed more data, or training samples) or (b) an inference operation (Titonis, Para. 0281-286, comparing the feature vector of an sample application binary against the feature vectors of a set of known malware binaries;). However, Titonis teaches wherein to process the particular set of data, the application performs a machine learning operation (Titonis, Para. 0281, One of ordinary skill in the art appreciates that once the datasets and training sets are accumulated, that other supervised classification techniques more amenable to larger datasets will be implemented into the Cloud Service. In particular, it is foreseen the use of Support Vector Machines and Decision Trees based on the aforementioned feature vectors and/or subsets of their components).
Martz, Joshi and Titonis are all considered to be analogous to the claim invention because they are in the same field of network isolation levels for run-time environments supported at a managed application execution service. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Martz and Joshi to incorporate the teachings of Titonis to include wherein the machine learning operation comprises one or more of (a) training of one or more models (Titonis, Para. 0020-0022) or (b) an inference operation (Titonis, Para. 0281-286). Doing so would aid to prevent a malicious application from reaching consumers by hooking into the application distribution network, expediting the application analysis queue, and by the automatic labeling of anomalous applications early in the distribution process (Titonis, Para. 0023).
In regards to claim 31, the system claim 31 is similarly analyzed and rejected as the method claim 24.
In regards to claim 32, the system claim 32 is similarly analyzed and rejected as the method claim 25.
In regards to claim 39, the non-transitory computer-accessible storage media claim 39 is similarly analyzed and rejected as the method claim 25 and system claim 32.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571)272-0248. The examiner can normally be reached Monday- Friday 9:00 am- 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached at (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GITA FARAMARZI/Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496