Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-10 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention. Claim 1, line 19 (and claim 6, page 2, line 7) recites “a request from a second virtual asset …” (emphasis added) however “a second virtual asset” has already been recited within the claim, and thus it’s unclear whether this second recitation of “a second virtual asset” is intended to refer to the previously recited “second virtual asset” or to a different “virtual asset”. In order to expedite examination, the examiner will construe both recitations of “a second virtual asset” as referring to the same virtual asset, however it is suggested that Applicant amend claims 1 and 6 to address this issue and to overcome this rejection.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 2, 5-7, and 10 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by “Lazri” (US 2016/0004863).

Regarding Claim 1:
A computing system implemented method for managing security events within a computing environment (¶0011, “… detecting attacks on at least one virtual machine in a system comprising at least one host server hosting a set of virtual machines…”), comprising:
allocating hardware and software resources by a computing environment (Figure 1; ¶0045) for a first virtual asset (Figure 1, element 10-4, “VM1”); 
detecting, by a first virtual asset (Figure 1, element 10-4 contains virtual machines (assets) each containing a supervising module (ms1, ms2, ms3, etc.) for detecting security threats), a security threat against the first virtual asset (¶0045, “… a deterioration of performance that is perceived on a virtual machine constitutes damage generated by the attack and undergone by the virtual machine … The module for supervising performance ms1… is configured to send an alert to the local security management entity VMsec at the end of a given period of deterioration of resource availability”); 
receiving, at the computing environment, a first security threat event against the first virtual asset (Figure 2, step E1 - “ALERT”; ¶0045, “The module for supervising performance ms1… is configured to send an alert to the local security management entity VMsec at the end of a given period of deterioration of resource availability”), wherein the first virtual asset provides one or more services to one or more users (¶0045, “By way of example, it is measured in relation to a level of resource availability that is negotiated by contract between a client and a cloud solution provider … that provides the client with the virtual environment …”), wherein the first security threat event results in a change in network performance of the first virtual asset (¶0045, “The deterioration of performance can be felt in various ways … a decrease in the network bandwidth… By way of example, such deterioration of resource availability is observed when a speed changes from 100 Megabytes to 95 Megabytes, for a negotiated speed of 100 Megabytes”); 
adding a pattern representing the first security threat event to a database of security threats (¶0048, “In a collection step E0, data that are representative of the use of the resources of the host server 10 by all the virtual machines VM1, VM2, VM3, etc. and VMsec and resource contention management mechanism are collected in the information base 12 by the collection module 10-21 of the hypervisor 10-2 … Thus, data such as the time for which a processor is used, the number of memory pages used, the use of network interfaces, the disk consumption, etc. are collected for each of the virtual machines of the host 10 and recorded in the information base 12 according to a virtual machine identifier”; i.e.,. collect baseline patterns of resource usage for each virtual machine within a database. Here, the examiner considers the collected patterns representing various levels of usage for each virtual machine as “security threats” because such information is to be queried based on a detected security threat (steps E3 responsive to step E1) in order to detect if there’s a resource sharing problem - see ¶0051), wherein the database of security threats is hosted by the computing environment (¶0048, “… collected in the information base 12 by the collection module 10-21 of the hypervisor 10-2…”); 
detecting, by a second virtual asset (Figure 2, VmSec), a change in network performance within the computing environment (¶0051, “In a checking step E3, the local security management entity VMsec verifies whether the alert ALERT received from the module for supervising the performance ms1 of the virtual machine VM1 is caused by a resource sharing problem between the various virtual machines hosted by the host server 10”), the change in network performance being at least partially based on deviations by one or more virtual assets from predetermined operating parameters (¶0059, “… which a mechanism for managing resource contention on the host server 10 has affected the virtual machine VM1, in a step E3 for detecting the temporal correlations the local security management entity VMsec looks for at least one temporal correlation between the deterioration of performance observed on the virtual machine VM1 and the use of resources of the host server 10 by the others virtual machines VM2, VM3, etc. …”), the deviation resulting from an occurrence of an external event (¶0059, “Thus, in this example, a greater demand for memory on the virtual machine VM2 that is jointly located with the virtual machine VM1 coincides with a memory swap that is implemented on the virtual machine VM1. The virtual machine VM2 is therefore potentially at the origin of an attack on the architecture”; ¶0060, “The attack is perpetuated form the virtual machine VM2, either by a legitimate user of the virtual machine VM2, or by a third party that has illegally taken control thereof”) and matching the pattern (¶0059, “The aim of this search for temporal correlations is to identify one or more consumption profiles associated with one or more virtual machines VM2, VM3, etc. that are jointly located with the virtual machine VM1 on the host and that are at the origin of triggering of the resource contention management mechanism that has caused the performance deterioration observed on the virtual machine VM1”); 
receiving, responsive to the detection of the change in network performance by the second virtual asset, a request from a second virtual asset for a status of the collection of security threats (¶0051, “… the security management entity VMsec interrogates the management layer 10-3 in order to obtain this information … it is then the management layer 10-3 that accesses the information base 12 before responding to the security management entity VMsec”; i.e., request information from database 12 responsive to an interrogation request made by the VMsec in accordance with step E3); and 
transmitting, responsive to the request being received, the status of the collection of security threats to the second virtual asset (¶0051, “… it is then the management layer 10-3 that accesses the information base 12 before responding to the security management entity VMsec”).

Regarding Claim 2:
The method of claim 1, wherein the computing environment is a virtual asset container that includes multiple virtual assets having one or more common functions, classes, and geographical locations (¶0045, “The management layer 10-3 is suited for creating, instantiating, freeing and placing virtual machines VM1, VM2, VM3, VMsec, etc. executed concurrently on one and the same physical machine, in this case the host server 10”; i.e., each of the virtual machines may be located on a single physical machine, and thus share the same common geographical location).

Regarding Claim 5:
The method of claim 1, wherein the changes in the network performance include one or more decreases in available network bandwidth available for use by the second virtual asset (¶0059, “… the security management entity VMsec has the assurance that the deterioration of the performance that is observed by the virtual machine VM1 … is due to the sharing of resources with other virtual machines that are accommodated by the host server 10”; ¶0045, “The deterioration of performance can be felt in various ways: … a decrease in the network bandwith…”).

Regarding Claims 6, 7, and 10:
.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3, 4, 8, and 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Lazri” (US 2016/0004863) in view of “Frascadore” (US 9807116).

Regarding Claim 3:
Lazri teaches:
The method of claim 1, …
Lazri does not disclose:

Frascadore teaches:
… wherein the status of the collection includes a list of recently detected security threats within the computing environment (Fig. 15, element 1510 contains a list of entries 1512 of recent defects detected within virtual assets; Col. 19, liens 19-25, “… the batch tester 514 … collects computing resource states for all computing resource included in the virtual commuting environment … may query the virtual computing environment 100 to retrieve/identify the most recent computing resource states of the virtual computing environment 100”).
	Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Lazri’s system of detecting attacks on virtual machines by enhancing Lazri’s method of collecting resource data on virtual machines to collect the most recent data and list them within a collection database, as taught by Frascadore, in order to make decisions using the most up-to-date data.
	The motivation is to collect and store data that corresponds to resource usage and defects of virtual machines within a computing environment such that the stored data reflects the most recent usage and defects of the virtual machines. This ensures that any decisions made using this data are based on the a non-stale data set which can increase assurance of the decisions themselves. 

Regarding Claim 4:
Lazri teaches:

Lazri does not disclose:
… wherein the collection is a queue that includes an ordered list of all security threats detected within the computing environment.
Frascadore teaches:
… wherein the collection is a queue that includes an ordered list of all security threats detected within the computing environment (Fig. 15 details database element 1510 containing a queue of entries 1512. The entries 1512 arranged as a list in the database element 1510 as 1512 … Entry N, and each entry corresponding to detected defects of virtual assets of a computing environment).
	Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Lazri’s system of detecting attacks on virtual machines by enhancing Lazri’s method of collecting resource data on virtual machines to collect and store data within a database regarding defects in an orderly fashion, as taught by Frascadore, in order to reduce overhead computational costs associated with searching the database data.
	The motivation is to collect and store data collected regarding defects in virtual machines in an organized manner in order to reduce the computational costs associated with performing interrogations of the database to retrieve the data.

Regarding Claims 8 and 9:


Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL B POTRATZ whose telephone number is (571)270-5329.  The examiner can normally be reached on M-F 10 A.M. - 6 P.M. CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491