Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
FINAL ACTION
This action is in response to applicant's submission filed on 12/31/2020. Claims 1 and 11 are amended. Claims 1-20 are pending.
Response to Arguments
Examiner’s Remarks – Double Patenting
The examiner withdraws the rejection under Double Patenting in view of applicant’s claim amendments.
Examiner’s Remarks – 35 USC § 112
The examiner withdraws the rejection under 35 USC § 112 in view of applicant’s claim amendments.
Examiner’s Remarks – 35 USC § 103
The examiner notes that the applicant has amended each independent claim to recite the new feature(s) of, “taking a preventative action with respect to the virtualized execution instance, based on the privileged configuration inspection and the probability of privilege risk, a control action in reaction to the likelihood of privilege risk, the preventative action comprising at least one of: reporting the probability of privilege risk, neutralizing the probability of privilege risk, identifying the virtualized execution instance with the probability of privilege risk, generating an alert for the virtualized execution 
Claim Rejections – 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Marino (US Patent No. 9,729,579) in view of Rozenfeld (US Patent Publication No. 2009/0133001) and further in view of Caragea (US Patent Publication No. 2017/0289109 (cited from IDS 12/31/2020)).

As to claims 1 and 11, Marino teaches a non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for identifying vulnerabilities for virtualized execution instances to escape their operating environment and threaten a host environment, the operations comprising: 

performing a privileged configuration inspection for the virtualized execution instance (i.e., …teaches in column 4 lines 20-25 the following: “defining a security policy with rules to manage various configurations of application containers running on multiple host computing systems, the systems and methods described herein may enforce security privileges by modifying commands to deploy application containers in order to comply with the security policy”. …further teaches in column 5 lines 25-35 the following: “permissions for resources used by whitelisted application containers on host computing system 206, and/or configurations of whitelisted application containers allowed to deploy concurrently on host computing system”. Next teaches in column 6 lines 45-60 the following: “For example, and as will be described in greater detail below, authentication module 104 may authenticate application container 218 that facilitates launching at least one application on host computing system 206 by verifying that application container 218 meets a certain trustworthiness threshold. Interception module 106 may intercept, via policy-enforcement proxy 208, command 212 to perform a deployment action on host computing system 206 in connection with authenticated application container 218. Determination module 108 may determine that the deployment action potentially violates security policy 122 applied to authenticated application container 218. Modification module 110 may modify, via policy-enforcement proxy 208, command 212 to prevent the potential violation of security policy 122 in response to the determination that the deployment action potentially violates security”.),


Marino does not expressly teach:
the privileged configuration inspection determining a probability of privilege risk by analyzing whether the virtualized execution instance has been configured with one or more configuration parameters that can permit operation of the virtualized execution instance to perform operations on an environment of the host.
In this instance the examiner notes the teachings of the prior art reference Rozenfeld.
With regards to applicant’s claim limitation element of, “the privileged configuration inspection determining a probability of privilege risk by analyzing whether the virtualized execution instance has been configured with one or more configuration parameters that can permit operation of the virtualized execution instance to perform operations on an environment of the host”, Rozenfeld teaches in paragraph 0033 the following: “If monitoring detects that the software application (105) depends on an operating system feature that is unavailable or restricted in the virtualized environment, the virtualization assessment tool (115) may determine that the software application (105) does not satisfy a virtualization requirement.”


The system of Marino and Rozenfeld does not expressly teach:
taking a preventative action with respect to the virtualized execution instance, based on the privileged configuration inspection and the probability of privilege risk, a control action in reaction to the likelihood of privilege risk, the preventative action comprising at least one of:
reporting the probability of privilege risk, 
neutralizing the probability of privilege risk, 
identifying the virtualized execution instance with the probability of privilege risk,
generating an alert for the virtualized execution instance with the probability of privilege risk,
monitoring operations performed by the virtualized execution instance with the probability of privilege risk,
determining a control action in reaction to the probability of privilege risk to control the virtualized execution instance’s ability to perform operations on the environment of the host, 
disabling one or more credentials associated with the virtualized execution instance with the probability of privilege risk, or generating a prompt requiring an authentication or authorization.
In this instance the examiner notes the teachings of the prior art reference Caragea.
The examiner notes that applicant’s usage of the phrase “at least one of” places the above limitation in alternative form. As such, as it pertains to applicant’s alternative limitation element of, 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marino and Rozenfeld with the teachings of Caragea by including the feature of preventative action. Utilizing preventative action as taught by Caragea above allows a system to provide comprehensive threat protection and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Marino and Rozenfeld will obtain the capability to provide enhanced system security.
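The privileged configuration inspection and preventative action recited in claims 1 and 11, modelled as an added example (not code from the Office Action or from Marino, Rozenfeld or Caragea): the instance's host-facing configuration is inspected, a probability of privilege risk is derived, and a preventative action (report, alert and monitor, control, or neutralize) is chosen before deployment. The configuration keys, risk weights, thresholds and sample configuration are assumptions.

```python
"""Privileged configuration inspection for a container instance (added example,
not code from the Office Action or any cited reference). Inspects the host-facing
configuration, derives a probability of privilege risk, and picks a preventative
action. The config shape loosely follows the HostConfig section of `docker
inspect`; key names, weights, thresholds and sample data are assumptions."""
import copy
import math

# Host paths that, once bind-mounted, give the instance reach into the host.
SENSITIVE_MOUNTS = ("/", "/etc", "/proc", "/sys", "/root", "/var/run/docker.sock")
# Capabilities that widen what the instance may do to the host kernel.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_ADMIN"}
HOST_NAMESPACE_KEYS = ("PidMode", "NetworkMode", "IpcMode")

def _cap_name(cap):
    return cap.upper().removeprefix("CAP_")

def _is_sensitive(src):
    if src == "/":
        return True
    return any(p != "/" and (src == p or src.startswith(p + "/")) for p in SENSITIVE_MOUNTS)

def inspect_privileged_config(host_config):
    """Return (findings, probability): findings are (parameter, weight) pairs and
    probability = 1 - prod(1 - w), treating the weights as independent (assumed)."""
    findings = []
    if host_config.get("Privileged"):
        findings.append(("Privileged", 0.9))
    for cap in host_config.get("CapAdd") or []:
        if _cap_name(cap) in RISKY_CAPS:
            findings.append(("CapAdd:" + cap, 0.6))
    for key in HOST_NAMESPACE_KEYS:
        if host_config.get(key) == "host":
            findings.append((key + ":host", 0.5))
    for bind in host_config.get("Binds") or []:
        if _is_sensitive(bind.split(":", 1)[0]):
            findings.append(("Binds:" + bind, 0.7))
    for opt in host_config.get("SecurityOpt") or []:
        if opt.endswith("=unconfined"):
            findings.append(("SecurityOpt:" + opt, 0.4))
    return findings, 1.0 - math.prod(1.0 - w for _, w in findings)

def choose_preventative_action(probability):
    # Thresholds are assumptions; the action names follow the claim's list.
    if probability >= 0.8:
        return "control: block deployment pending authorization"
    if probability >= 0.4:
        return "alert and monitor operations"
    return "report" if probability > 0 else "none"

def neutralize(host_config):
    """Copy of the config with host-reaching parameters removed; benign settings stay."""
    hardened = copy.deepcopy(host_config)
    hardened["Privileged"] = False
    hardened["CapAdd"] = [c for c in hardened.get("CapAdd") or [] if _cap_name(c) not in RISKY_CAPS]
    for key in HOST_NAMESPACE_KEYS:
        if hardened.get(key) == "host":
            del hardened[key]
    hardened["Binds"] = [b for b in hardened.get("Binds") or [] if not _is_sensitive(b.split(":", 1)[0])]
    hardened["SecurityOpt"] = [o for o in hardened.get("SecurityOpt") or [] if not o.endswith("=unconfined")]
    return hardened

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_HOST_CONFIG = {
    "Privileged": True,
    "CapAdd": ["NET_BIND_SERVICE", "SYS_ADMIN"],
    "PidMode": "host",
    "NetworkMode": "bridge",
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/data/app:/app:ro"],
    "SecurityOpt": ["seccomp=unconfined"],
}
```

Running the inspection over the sample returns five findings and a risk probability of 0.9964, which maps to the control action; the neutralized copy returns no findings.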

As to claim 2, Marino teaches a non-transitory computer readable medium of claim 1, wherein the virtualized execution instance is a container instance (i.e., …teaches in col. 1, lines 45-50 the following: “ensuring application containers are authenticated before deployment on a host computing system”).

As to claim 3, Marino teaches a non-transitory computer readable medium of claim 1, wherein the privileged configuration inspection includes identifying a second virtualized execution instance accessible to the virtualized execution instance (i.e., …teaches in column 4 lines 50-55 the following: “verifying that the application container meets a certain trustworthiness threshold.”.), and analyzing whether the second virtualized execution instance has been configured with one or more configuration parameters that can permit operations on the environment of the host  (i.e., …teaches in column 4 lines 

As to claim 4, Marino teaches a non-transitory computer readable medium of claim 1, wherein the virtualized execution instance has not been deployed for execution in the virtual computing environment (i.e., …teaches in col. 1, lines 45-50 the following: “ensuring application containers are authenticated before deployment on a host computing system”).

As to claim 5, Marino teaches a non-transitory computer readable medium of claim 1, wherein the one or more configuration parameters include a configuration parameter for the virtualized execution instance (i.e., …teaches in column 5 lines 25-35 the following: “permissions for resources used by whitelisted application containers on host computing system 206, and/or configurations of whitelisted application containers allowed to deploy concurrently on host computing system”. Next teaches in column 6 lines 45-60 the following: “For example, and as will be described in greater detail below, authentication module 104 may authenticate application container 218 that facilitates launching at least one application on host computing system 206 by verifying that application container 218 meets a certain trustworthiness threshold. Interception module 106 may intercept, via policy-enforcement proxy 208, command 212 to perform a deployment action on host computing system 206 in connection with authenticated application container 218. Determination module 108 may determine that the deployment action potentially violates security policy 122 applied to authenticated application container 218. Modification module 110 may modify, via policy-enforcement proxy 208, command 212 to prevent the potential violation of security policy 122 in response to the determination that the deployment action potentially violates security”.).

As to claim 6, Marino teaches a non-transitory computer readable medium of claim 1, wherein the one or more configuration parameters include a hardware configuration of the host (i.e., …teaches in column 5 lines 25-35 the following: “permissions for resources used by whitelisted application containers on host computing system 206, and/or configurations of whitelisted application containers allowed to deploy concurrently on host computing system”. Next teaches in column 6 lines 45-60 the following: “For example, and as will be described in greater detail below, authentication module 104 may authenticate application container 218 that facilitates launching at least one application on host computing system 206 by verifying that application container 218 meets a certain trustworthiness threshold. Interception module 106 may intercept, via policy-enforcement proxy 208, command 212 to perform a deployment action on host computing system 206 in connection with authenticated application container 218. Determination module 108 may determine that the deployment action potentially violates security policy 122 applied to authenticated application container 218. Modification module 110 may modify, via policy-enforcement proxy 208, command 212 to prevent the potential violation of security policy 122 in response to the determination that the deployment action potentially violates security”.).

As to claim 7, the system of Marino teaches configuration inspection; however, Marino does not expressly teach a non-transitory computer readable medium of claim 1, wherein performing the privileged configuration inspection includes using a file system debugger to attempt to access a directory of the host.
In this instance the examiner notes the teachings of prior art reference Rozenfeld.
Rozenfeld teaches in paragraph 0044 the following: “monitoring the software application may involve the use of probes in a tracing framework, debug statements, logging tools, and/or other known software monitoring mechanisms.”


As to claim 8, Marino teaches a non-transitory computer readable medium of claim 1, wherein the operations further comprise, conditional on performing the privileged configuration inspection during a docker phase of the virtualized execution instance, deploying the virtualized execution instance (i.e., …teaches in col. 1, lines 45-50 the following: “ensuring application containers are authenticated before deployment on a host computing system”).

As to claim 9, the system of Marino teaches configuration inspection; however, Marino does not expressly teach a non-transitory computer readable medium of claim 1, wherein the operations further comprise, conditional on performing the privileged configuration inspection upon a request to deploy the virtualized execution instance, deploying the virtualized execution instance.
In this instance the examiner notes the teachings of prior art reference Rozenfeld.
Rozenfeld illustrates in figure 3, figure element step 345… Port the software application to the virtualized environment after conditional inspection.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marino with the teachings of Rozenfeld by including the feature of application operational risk assessment. Utilizing application operational risk assessment 

As to claim 10, the system of Marino teaches configuration inspection; however, Marino does not expressly teach a non-transitory computer readable medium of claim 1, wherein the operations further comprise, conditional on performing the privileged configuration inspection upon a request to create the virtualized execution instance, deploying the virtualized execution instance.
In this instance the examiner notes the teachings of prior art reference Rozenfeld.
Rozenfeld illustrates in figure 3, figure element step 345… Port the software application to the virtualized environment after conditional inspection.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marino with the teachings of Rozenfeld by including the feature of application operational risk assessment. Utilizing application operational risk assessment as taught by Rozenfeld above allows a system to provide comprehensive access control and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Marino's system will obtain the capability to provide enhanced system security.


As to claim 12, the system of Marino teaches configuration inspection; however, Marino does not expressly teach a computer-implemented method of claim 11, further comprising detecting a runtime 
In this instance the examiner notes the teachings of prior art reference Rozenfeld.
Rozenfeld illustrates in figure 3, figure element step 310… Monitor execution of the software application.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marino with the teachings of Rozenfeld by including the feature of application operational risk assessment. Utilizing application operational risk assessment as taught by Rozenfeld above allows a system to provide comprehensive access control and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Marino's system will obtain the capability to provide enhanced system security.

As to claim 13, the system of Marino teaches configuration inspection; however, Marino does not expressly teach a computer-implemented method of claim 12, wherein the runtime operation involves an inspection of the host.
In this instance the examiner notes the teachings of prior art reference Rozenfeld.
Rozenfeld illustrates in figure 3, figure element step 310… Monitor execution of the software application.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marino with the teachings of Rozenfeld by including the feature of application operational risk assessment. Utilizing application operational risk assessment as taught by Rozenfeld above allows a system to provide comprehensive access control and therefore provides the motivation in this instance to combine the references. The examiner contends that by 

As to claim 14, the system of Marino teaches configuration inspection; however, Marino does not expressly teach a computer-implemented method of claim 12, wherein the runtime operation involves an inspection of hardware of the host.
In this instance the examiner notes the teachings of prior art reference Rozenfeld.
Rozenfeld illustrates in figure 3, figure element step 315… Analyze the performance data (i.e., host interaction data).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marino with the teachings of Rozenfeld by including the feature of application operational risk assessment. Utilizing application operational risk assessment as taught by Rozenfeld above allows a system to provide comprehensive access control and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Marino's system will obtain the capability to provide enhanced system security.

As to claim 15, the system of Marino teaches configuration inspection; however, Marino does not expressly teach a computer-implemented method of claim 12, wherein the runtime operation involves an attempt to access a root directory of the host.
In this instance the examiner notes the teachings of prior art reference Rozenfeld.
Rozenfeld teaches in paragraph 0044 the following: “The performance data may include a log of system calls”.


As to claim 16, the system of Marino teaches configuration inspection; however, Marino does not expressly teach a computer-implemented method of claim 12, wherein the runtime operation involves an attempt to execute code on the host.
In this instance the examiner notes the teachings of prior art reference Rozenfeld.
Rozenfeld teaches in figure 3, figure element step 310… Monitor execution of the software application.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marino with the teachings of Rozenfeld by including the feature of application operational risk assessment. Utilizing application operational risk assessment as taught by Rozenfeld above allows a system to provide comprehensive access control and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Marino's system will obtain the capability to provide enhanced system security.

As to claim 17, the system of Marino teaches configuration inspection; however, Marino does not expressly teach a computer-implemented method of claim 11, wherein performing the privileged 
In this instance the examiner notes the teachings of prior art reference Rozenfeld.
Rozenfeld teaches in paragraph 0044 the following: “monitoring the software application may involve the use of probes in a tracing framework, debug statements, logging tools, and/or other known software monitoring mechanisms.”
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marino with the teachings of Rozenfeld by including the feature of application operational risk assessment. Utilizing application operational risk assessment as taught by Rozenfeld above allows a system to provide comprehensive access control and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Marino's system will obtain the capability to provide enhanced system security.

As to claim 18, Marino teaches a computer-implemented method of claim 11, further comprising, conditional on performing the privileged configuration inspection during a docker phase of the virtualized execution instance, deploying the virtualized execution instance (i.e., …teaches in col. 1, lines 45-50 the following: “ensuring application containers are authenticated before deployment on a host computing system”).

As to claim 19, the system of Marino teaches configuration inspection; however, Marino does not expressly teach a computer-implemented method of claim 12, wherein the runtime operation involves a write operation on the host.
In this instance the examiner notes the teachings of prior art reference Rozenfeld. 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marino with the teachings of Rozenfeld by including the feature of application operational risk assessment. Utilizing application operational risk assessment as taught by Rozenfeld above allows a system to provide comprehensive access control and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Marino's system will obtain the capability to provide enhanced system security.

As to claim 20, Marino teaches a computer-implemented method of claim 11, wherein the one or more configuration parameters include a configuration parameter for the virtualized execution instance that was determined at a time of creation of the virtualized execution instance (i.e., …teaches in column 8 lines 35-50 the following: “may verify that application container 218 contains the expected application to be deployed. Additionally or alternatively, authentication module 104 may confirm an integrity level of application container 218 by identifying a version of application container 218 and/or ensuring that the version of application container 218 has been digitally signed through a code signing process.”).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).


Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/BRYAN F WRIGHT/Examiner, Art Unit 2497