DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 have been examined.

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 07/08/2019 and 12/01/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 15 and 16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Claim 1 recites: “determining, …, one or more layers of a multi-layer file system in which one or more objects corresponding to the file can be found” and claim 16 recites: “determine, based on the file states for the file, one or more layers of a multi-layer file system in which one or more objects corresponding to the file can be found”. The word “can” in these limitations renders the scope of the claims indefinite and unclear.
Claim 15 recites the limitation "the notification" in line 3.  There is insufficient antecedent basis for this limitation in the claim.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-7 and 16-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by applicant provided prior art US 20180293374 to Huamin Chen (hereinafter Chen).
As per claim 1, Chen teaches:
A method, comprising: 
outputting, by one or more processors, file states for a file (Chen: [0022]: [0022] In an example, watcher service 245 may take periodic snapshots (e.g., snapshot 280) of the data in upper system layer 257. In the example, watcher service 245 may compare snapshots to compile modifications done to upper system layer 257 (e.g., file modification 275)); 
determining, by the one or more processors based on the file states for the file, one or more layers of a multi-layer file system in which one or more objects corresponding to the file can be found (Chen: [0020]: persistent storages 155, 156, 157, and 158 may actually include two or more layers, including at least a lower base-build layer that includes the core files required to execute a container, and an upper dynamic layer for storing any changes from the base-build as the container executes. [0021]: In an example, container 250 is executing application 270. In the example, container 250 is associated with persistent storage 255, which includes upper system layer 257 and lower system layer 259. In an example, application 270 may make changes to upper system layer 257 (e.g., by requesting file modification 275). In an example, persistent storage 255 may be configured such that file modification 275 acts on a second copy of a file from lower system layer 259, saving the changed file in upper system layer 257 while the original copy is still preserved in lower system layer 259. Also, [0025]); 
detecting, by the one or more processors, a potential threat to the multi-layer file system based on the one or more layers in which the one or more objects corresponding to the file are found (Chen: [0022]: In an example, watcher service 245 may forward file modification 275 to security inspection service 240 for analysis to determine whether file modification 275 places container 250 in a threatening state); and 
taking an action in response to the potential threat (Chen: [0022]: In the example, based on the analysis regarding file modification 275 showing that file modification 275 places container 250 in a threatening state with a medium threat level, security inspection service 240 may issue instruction 290 to a container engine 260 (e.g., to roll back file modification 275). In an example, container engine 260 may then issue command 295 to container 250, command 295 being a trigger to restore upper system layer 257 to a version from a previous snapshot taken by the watcher service 245).

As per claim 2, Chen teaches:
The method of claim 1, further comprising: 
determining that an object corresponding to the file found in a modifiable image in an upper layer of the multi-layer file system contains modifications to an object corresponding to the file found in a base image in a lower layer of the multi- layer file system (Chen: [0021]: In an example, container 250 is executing application 270. In the example, container 250 is associated with persistent storage 255, which includes upper system layer 257 and lower system layer 259. In an example, application 270 may make changes to upper system layer 257 (e.g., by requesting file modification 275). In an example, persistent storage 255 may be configured such that file modification 275 acts on a second copy of a file from lower system layer 259, saving the changed file in upper system layer 257 while the original copy is still preserved in lower system layer 259), wherein detecting the potential threat is further based on determining that the object corresponding to the file found in the modifiable image contains modifications to the object corresponding to the file found in the base image (Chen: [0022]: In an example, watcher service 245 may forward file modification 275 to security inspection service 240 for analysis to determine whether file modification 275 places container 250 in a threatening state. In the example, based on the analysis regarding file modification 275 showing that file modification 275 places container 250 in a threatening state with a medium threat level, security inspection service 240 may issue instruction 290 to a container engine 260).

As per claim 3, Chen teaches:
The method of claim 1, further comprising: determining that none of the one or more objects corresponding to the file is found in a base image in a lower layer of the multi-layer file system, wherein detecting the potential threat is further based on determining that none of the one or more objects corresponding to the file is found in the base image (Chen: [0021]: In an example, application 270 may make changes to upper system layer 257 (e.g., by requesting file modification 275). In an example, persistent storage 255 may be configured such that file modification 275 acts on a second copy of a file from lower system layer 259, saving the changed file in upper system layer 257 while the original copy is still preserved in lower system layer 259. [0026]: In such an example, a first requested modification (e.g., file modification 275) may be requested (e.g., by application 270 on container 250). In an example, application 270 may be an installer such as Yellowdog Updater, Modified ("YUM"), and file modification 275 may be a new executable file being installed. In another example, application 270 may be a network driver, and file modification 275 may be an update to the network driver. After file modification 275 is written to upper system layer 257, watcher service 245 may take a snapshot 280 of upper system layer 257 and compare the contents of snapshot 280 to the original baseline snapshot. [0029] A threat state of the container is determined based on the first requested modification, where the threat state is either a threatening state or a non-threatening state (block 325)).

As per claim 4, Chen teaches:
The method of claim 3, further comprising: wherein detecting the potential threat is further based on determining that the file states indicate that the file was created after the base image (Chen: [0026]: In such an example, a first requested modification (e.g., file modification 275) may be requested (e.g., by application 270 on container 250). In an example, application 270 may be an installer such as Yellowdog Updater, Modified ("YUM"), and file modification 275 may be a new executable file being installed. In another example, application 270 may be a network driver, and file modification 275 may be an update to the network driver. After file modification 275 is written to upper system layer 257, watcher service 245 may take a snapshot 280 of upper system layer 257 and compare the contents of snapshot 280 to the original baseline snapshot. [0029] A threat state of the container is determined based on the first requested modification, where the threat state is either a threatening state or a non-threatening state (block 325)).

As per claim 5, Chen teaches:
The method of claim 3, further comprising: constructing one or more modifiable images in an upper layer of the multi- layer file system so that the one or more modifiable images contain modifications to the base image made during a runtime of an application, wherein detecting the potential threat is further based on determining that the file states indicate that the file was created during the runtime of the application (Chen: [0021]: In an example, application 270 may make changes to upper system layer 257 (e.g., by requesting file modification 275). In an example, persistent storage 255 may be configured such that file modification 275 acts on a second copy of a file from lower system layer 259, saving the changed file in upper system layer 257 while the original copy is still preserved in lower system layer 259. [0026]: In such an example, a first requested modification (e.g., file modification 275) may be requested (e.g., by application 270 on container 250). In an example, application 270 may be an installer such as Yellowdog Updater, Modified ("YUM"), and file modification 275 may be a new executable file being installed).

As per claim 6, Chen teaches:
The method of claim 3, further comprising: constructing one or more modifiable images in an upper layer of the multi- layer file system so that the one or more modifiable images contain modifications to the base image made during an instance of a container running an application, wherein detecting the potential threat is further based on determining that the file states indicate that the file was created during the instance of container (Chen: [0021]: In an example, application 270 may make changes to upper system layer 257 (e.g., by requesting file modification 275). In an example, persistent storage 255 may be configured such that file modification 275 acts on a second copy of a file from lower system layer 259, saving the changed file in upper system layer 257 while the original copy is still preserved in lower system layer 259. [0026]: In such an example, a first requested modification (e.g., file modification 275) may be requested (e.g., by application 270 on container 250). In an example, application 270 may be an installer such as Yellowdog Updater, Modified ("YUM"), and file modification 275 may be a new executable file being installed).

As per claim 7, Chen teaches:
The method of claim 1, further comprising: determining whether the file is an executable binary, wherein detecting the potential threat is further based on determining that the file is an executable binary (Chen: [0047]: In an example, watcher service 145 may detect a request to modify an executable file (block 518). In some examples, watcher service 145 may be configured to monitor all changes to the upper system layer of persistent storage 155. In other examples, watcher service 145 may be configured to monitor changes to specific files in persistent storage 155, or specific classes of files (e.g., executable files). In an example, security inspection service 140 may then determine that container 150 is in a low threat level threatening state based on detecting an exploit in the requested modification (block 530)).

As per claim 16, Chen teaches:
A distributed computing system, comprising: one or more processors configured to: provide a guest operating system (OS), the guest OS configured (Chen: [0017] In an example, a VM 112 may be a virtual machine and may execute a guest operating system 196 which may utilize the underlying virtual central processing unit ("VCPU") 190, virtual memory device ("VMD") 192, and virtual input/output ("VI/O") devices 194. One or more containers that may host services (e.g., containers 152 and 153) may be running on a VM 112 under the respective guest operating system 196) to: 
output file states for a file as events (Chen: [0022]: [0022] In an example, watcher service 245 may take periodic snapshots (e.g., snapshot 280) of the data in upper system layer 257. In the example, watcher service 245 may compare snapshots to compile modifications done to upper system layer 257 (e.g., file modification 275)); 
provide a threat detection service, the threat detection service configured to: receive the events including the file states (Chen: [0022]: In an example, watcher service 245 may forward file modification 275 to security inspection service 240 for analysis to determine whether file modification 275 places container 250 in a threatening state); 
determine, based on the file states for the file, one or more layers of a multi-layer file system in which one or more objects corresponding to the file can be found (Chen: [0020]: persistent storages 155, 156, 157, and 158 may actually include two or more layers, including at least a lower base-build layer that includes the core files required to execute a container, and an upper dynamic layer for storing any changes from the base-build as the container executes. [0021]: In an example, container 250 is executing application 270. In the example, container 250 is associated with persistent storage 255, which includes upper system layer 257 and lower system layer 259. In an example, application 270 may make changes to upper system layer 257 (e.g., by requesting file modification 275). In an example, persistent storage 255 may be configured such that file modification 275 acts on a second copy of a file from lower system layer 259, saving the changed file in upper system layer 257 while the original copy is still preserved in lower system layer 259. Also, [0025]); 
detect a potential threat to the multi-layer file system based on the one or more objects corresponding to the file (Chen: [0022]: In an example, watcher service 245 may forward file modification 275 to security inspection service 240 for analysis to determine whether file modification 275 places container 250 in a threatening state); and 
generate findings on the potential threat (Chen: [0022]: In the example, based on the analysis regarding file modification 275 showing that file modification 275 places container 250 in a threatening state with a medium threat level, security inspection service 240 may issue instruction 290 to a container engine 260 (e.g., to roll back file modification 275)).

As per claim 17, Chen teaches:
The system of claim 16, wherein the threat detection service is further configured to: determine that none of the one or more objects corresponding to the file is found in a base image in a lower layer of the multi-layer file system, wherein detecting the potential threat is further based on determining that none of the one or more objects corresponding to the file is found in the base image (Chen: [0021]: In an example, application 270 may make changes to upper system layer 257 (e.g., by requesting file modification 275). In an example, persistent storage 255 may be configured such that file modification 275 acts on a second copy of a file from lower system layer 259, saving the changed file in upper system layer 257 while the original copy is still preserved in lower system layer 259. [0026]: In such an example, a first requested modification (e.g., file modification 275) may be requested (e.g., by application 270 on container 250). In an example, application 270 may be an installer such as Yellowdog Updater, Modified ("YUM"), and file modification 275 may be a new executable file being installed. In another example, application 270 may be a network driver, and file modification 275 may be an update to the network driver. After file modification 275 is written to upper system layer 257, watcher service 245 may take a snapshot 280 of upper system layer 257 and compare the contents of snapshot 280 to the original baseline snapshot. [0029] A threat state of the container is determined based on the first requested modification, where the threat state is either a threatening state or a non-threatening state (block 325)).

As per claim 18, Chen teaches:
The system of claim 16, wherein the threat detection service is further configured to: determine that an object corresponding to the file found in a modifiable image in an upper layer of the multi-layer file system contains modifications to an object corresponding to the file found in a base image in an upper layer of the multi-layer file system, wherein detecting the potential threat is further based on determining that the object corresponding to the file found in the modifiable image contains modifications to the object corresponding to the file found in the base image (Chen: [0021]: In an example, application 270 may make changes to upper system layer 257 (e.g., by requesting file modification 275). In an example, persistent storage 255 may be configured such that file modification 275 acts on a second copy of a file from lower system layer 259, saving the changed file in upper system layer 257 while the original copy is still preserved in lower system layer 259. [0022]: In an example, watcher service 245 may forward file modification 275 to security inspection service 240 for analysis to determine whether file modification 275 places container 250 in a threatening state. In the example, based on the analysis regarding file modification 275 showing that file modification 275 places container 250 in a threatening state with a medium threat level, security inspection service 240 may issue instruction 290 to a container engine 260).

As per claim 19, Chen teaches:
The system of claim 16, wherein the threat detection service includes a plurality of detectors, the plurality of detectors each configured to analyze events involving a specific type of file (Chen: [0047]: In other examples, watcher service 145 may be configured to monitor changes to specific files in persistent storage 155, or specific classes of files (e.g., executable files)).

As per claim 20, Chen teaches:
The system of claim 16, wherein the one or more processors are further configured to: provide a security center, the security center configured to: receive, from the threat detection service, the findings on the potential threat (Chen: [0022]: In an example, watcher service 245 may forward file modification 275 to security inspection service 240 for analysis to determine whether file modification 275 places container 250 in a threatening state); and 
generate a notification based on the findings (Chen: [0032]: In an example, after file modification 275 is reported to be non-threatening by security inspection service 240, watcher service 245 may take an additional snapshot of upper system layer 257).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Chen and US 20150096022 to Vincent et al (hereinafter Vincent).
As per claim 8, Chen does not teach: determining whether the file is a library file, wherein detecting the potential threat is further based on determining that the file is a library file. However, Vincent teaches:
further comprising: determining whether the file is a library file, wherein detecting the potential threat is further based on determining that the file is a library file (Vincent: [0056]: For example, when the specimen in the form of a DLL is received, a static analysis is performed on the content file by static analysis module 102. The static analysis may reveal certain specific processes that are related to the DLL in question. According to one embodiment, when a dynamic analysis is performed, those specific processes, instead of general-purpose processes, may be performed to determine whether the DLL is malicious, i.e., it is determined that the specimen is a DLL and based on the determination specific processes related to the DLL are used to determine whether the DLL is malicious).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Vincent in the invention of Chen to include the above limitations. The motivation to do so would be to improve the speed and accuracy of the dynamic analysis (Vincent: [0056]).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Chen and US 8695096 to Liang Zhang (hereinafter Zhang).
As per claim 9, Chen does not teach: determining whether the file is a script, wherein detecting the potential threat is further based on determining that the file is a script. However, Zhang teaches:
further comprising: determining whether the file is a script, wherein detecting the potential threat is further based on determining that the file is a script (Zhang: column 9, lines 31-50:  At 704, objects included in the parsed PDF file that are associated with JavaScript are extracted. In some embodiments, the extracted objects that are identified to include JavaScript are included in a list of objects to be scanned for malicious elements, i.e., based on determining that the objects are scripts, the objects are scanned for malicious elements).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Zhang in the invention of Chen to include the above limitations. The motivation to do so would be to provide automatic generation of malicious PDF file signatures (Zhang: column 2, lines 64-65)

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Chen and US 20180144134 to Liao et al (hereinafter Liao).
As per claim 10, Chen does not teach: determining whether a process involving the file causes a usage of processing resources to meet a threshold value, wherein detecting the potential threat is further based on determining that the usage of processing resources meeting the threshold value. However, Liao teaches: 
determining whether a process involving the file causes a usage of processing resources to meet a threshold value, wherein detecting the potential threat is further based on determining that the usage of processing resources meeting the threshold value (Liao: [0034] In step 310, the central scheduling module 250 transmits a to-be tested file to a first testing machine VM1. And, the first testing machine VM1 uses for executing the to-be tested file. [0036] In one embodiment, the component usage comprises at least one of a memory usage, a disk usage, a network card or network usage, and a processor usage. And, the different component usage corresponds to the different default threshold. [0037] In one embodiment, the first testing machine VM1 can be implemented by a virtual machine. [0039] In step 320, the performance monitoring module 210 monitors that whether a component usage of the first testing machine VM1 is higher than a default threshold during a period of executing the to-be tested file. If the component usage of the first testing machine VM1 is higher than the default threshold, the memory forensics module 220 analyzes the memory space VMR of the first testing machine VM1. [0045] In step 340, the analyzing module 260 determines that whether the to-be tested file includes a malware program according to the analyzing result of the memory space VMR).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Liao in the invention of Chen to include the above limitations. The motivation to do so would be to perform the detection to the specific virtual component in multiple meaningful execution stages and avoid the careless omission of the detection during the malware program execution (Liao: [0007]).

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Chen and US 20150278521 Amit Klein (hereinafter Klein).
As per claim 11, Chen does not teach: determining whether the file is stored in a hard disk, wherein detecting the potential threat is further based on the file not being stored in a hard disk. However, Klein teaches: 
further comprising: determining whether the file is stored in a hard disk, wherein detecting the potential threat is further based on the file not being stored in a hard disk (Klein: [0022]: In the method of FIG. 2, activity associated with the creation of a data object by a process is detected (step 200), where the data object is preferably configured to persist after termination of the process. A string that identifies the data object is determined (step 202). A computer memory is searched for a portion of the string, where the search is limited to areas of the computer memory in which are stored any instructions and/or data that together comprise the static portion of the computer software application that is instantiated as the process (step 204). If the portion of the string is absent from the searched areas of the computer memory (step 206), then one or more predefined computer-security-related remediation actions are performed (step 208), which may include any of preventing the creation of the data object, deleting or placing the data object in quarantine, and providing a computer-security-related notification reporting the activity. [0032] The term "memory" as used herein is intended to include …, a fixed memory device (e.g., hard drive)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Klein in the invention of Chen to include the above limitations. The motivation to do so would be to detect malware-related activity on a computer (Klein: [0003]).

Claims 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Chen and US 20150007330 to Laurent Gomez (hereinafter Gomez).
As per claim 12, Chen does not teach: wherein taking an action in response to the potential threat includes generating a notification based on the potential threat, and outputting the notification to a user interface. However, Gomez teaches:
wherein taking an action in response to the potential threat includes generating a notification based on the potential threat, and outputting the notification to a user interface (Gomez: [0027] Analysis of the results of the security risk evaluations may involve a determination of whether the aggregated security score value is beyond a pre-determined threshold value indicating that there may be an unacceptable level of security risks associated with the web browser extension. In such case, depending on the score, different actions may be undertaken automatically, for example, a simple notification to the user, un-installation of the extension, alert email sent to the administrator, etc. [0052]: In an example implementation of method 200, the user and/or system administrator may be notified of the security risks, for example, via a pop-up notification in the web browser that there are security risks associated with a downloaded web browser extension that are beyond the pre-determined threshold value).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Gomez in the invention of Chen to include the above limitations. The motivation to do so would be to enable users to gain knowledge of the security risks associated with particular web browser extensions that they may choose to download or install in a web browser (Gomez: [0006]).

As per claim 13, Chen does not teach the limitations of claim 12. However, Gomez teaches:
The method of claim 12, further comprising: assigning a first confidence score to the potential threat based on the determination based on the file states (Gomez: [0036]-[0038]. [0039]: Extension security validator 102 may be further configured to assign an overall security score for web browser extension 20 based on the static analysis security score and individual KPI security scores. The overall security score for web browser extension 20 may be a weighted sum of the static analysis security score and individual KPI security scores); 
assigning one or more additional confidence scores to the potential threat based on one or more additional factors indicative of a threat (Gomez: [0040]-[0042]. [0043] Library security validator 103 may be further configured to assign an overall security score for each library 10 based on the static analysis security score and individual KPI security scores for the library. The overall security score for each library 10 may be a weighted sum of the static analysis security score and individual KPI security scores); and 
determining that a total confidence score including the first confidence score and the one or more additional confidence scores meets a threshold level, wherein generating the notification is further based on the total confidence score meeting the threshold level (Gomez: [0044] In system 100, combined security validator 106 may be configured receive and process the security score outputs of extension security validator 102 and library security validator 202. Combined security validator 106 may collect the overall security score for each library 10 and the overall security score for web browser extension 20 and process these to compute a combined security score for web browser extension 20. [0046] Further, combined security validator 106 may be configured to generate alerts (e.g., score notice 109) or otherwise notify the user if the combined security score for web browser extension 20 is below or above a predetermined threshold value. Also, [0052]).
The examiner provides the same rationale to combine Chen and Gomez as in claim 12 above. 

As per claim 14, Chen in view of Gomez teaches:
The method of claim 12, further comprising: determining a type of the potential threat, wherein the notification further includes the type of the potential threat (Gomez: [0053] An example implementation of method 200 may further involve retrieving detailed information regarding the security risks from external information sources (e.g., common weakness enumeration available at web site cwe.miter.org). The retrieved detailed information may be provided to the user and/or system administrator for further action).
The examiner provides the same rationale to combine Chen and Gomez as in claim 12 above.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Chen and US 20160275287 to Wiest et al (hereinafter Wiest).
As per claim 15, Chen does not teach: identifying a container in which the potential threat is detected, wherein the notification further includes an identity of the container. However, Wiest teaches:
further comprising: identifying a container in which the potential threat is detected, wherein the notification further includes an identity of the container (Wiest: [0024]: Each application image includes multiple layers of files, with the top-most layer of an application image instance running in a node 111, 112, 121, 122 being configurable, while the remaining lower layer are immutable or unchangeable. [0054] At block 350, information pertaining to the scan results is stored in a central scan data store maintained by the PaaS system. In one implementation, the information may include, but is not limited to, a unique ID for the application image layer scanned (e.g., a checksum of the application layer). If the scan results failed, then method 300 continues to block 370 where the failed scan results are reported to a monitoring component of the PaaS system in order to initiate a takedown process for the new application image).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Wiest in the invention of Chen to include the above limitations. The motivation to do so would be to initiate a takedown process for the new application image (Wiest: [0054]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 20200233954 to Teo: Systems and methods for automated detection and analysis of security threats are disclosed. In one embodiment, in an information processing apparatus comprising at least one computer processor, a method for automated detection and analysis of security threats may include the following: (1) receiving an item from an asset; (2) inspecting the item using at least one rule; (3) determining an exposure related to the item to determine an exposure to the item; (4) enriching the item with additional data; (5) calculating a total score for the item based on the inspection, the exposure, and the enriching; and (6) generating an alert for the item based on the total score exceeding a threshold.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359.  The examiner can normally be reached on 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438