DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Amendment
The Amendment filed on 11/01/2021 has been entered. 
Claims 1, 11 and 16 are amended.
Claims 1-20 are pending of which claims 1, 11 and 16 are independent claims.

Response to Arguments
The applicant's arguments filed on 11/01/2021 regarding claims 1-20 have been fully considered but the arguments are essentially directed towards the newly introduced limitations and they are addressed in this Office Action, below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


s 1-4, 6-7, 11-14 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Challener et al. (Pub. No.: US 2006/0021041, hereinafter Challener) in view of MARANO et al. (Pub. No.: US 2012/0030187, hereinafter MARANO) and Hangai (Pub. No.: US 2014/0106787).
Regarding claim 1: Challener discloses A method comprising
scanning, by a first computer system, a cluster of one or more virtual machines (Challener - [0052]: the scanning for malicious code is performed for all files stored on the disk drive);
detecting, based on the scanning of the cluster, a first content file change (Challener - [0058]: The list of files which have changed since last virus scan can then be derived for the anti-virus software from the directory),
wherein the first content file change is to a first content file located on a first virtual machine related to the cluster (Challener - [0057]: controller 301 correlates clusters to filenames for clusters that have been written since the last successful scan. This is done by referencing the directory and file allocation table on the hard disk partition for each cluster being written by the file system driver to obtain the corresponding filename for the files which are cached in the staging read/write area 204);
However Challener doesn’t explicitly teach:
wherein the detecting includes performing natural language processing on the first content file;
determining, based on the detecting of the first content file change and based on the natural language processing, a content-based security level of the cluster;
comparing the determined content-based security level of the cluster to a security level standard of the cluster;
identifying, based on the comparing of the determined content-based security level to the security level standard, a security gap; and performing, in response to the identified security gap, an update to a security setting of the cluster. 
In an analogous art, MARANO discloses:
wherein the detecting includes performing natural language processing on the first content file (MARANO - [0025]: Rules may evaluate document content based on any criteria, for example, text strings, keywords, text patterns, numerical patterns, alphanumeric patterns including all characters, including symbols, general document patterns, and/or logic rules combining these rules, for example, using AND, OR, NOR, XOR, NOT operations, etc);
determining, based on the detecting of the first content file change and based on the natural language processing, a content-based security level of the cluster (MARANO - [0027]: documents may be evaluated for an updated security level, based at least in part on their content at certain times, for example, … upon modification of their content, etc.);
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Challener with MARANO so that security level can be identified based on the change of a file with rules based on natural language (text pattern, keyword etc.). The modification would have allowed the system to identify security level change based on file changing. 
However the combination of Challener and MARANO doesn’t explicitly teach but Hangai discloses: comparing the determined content-based security level of the cluster to a security level standard of the cluster (Hangai - [0084]: The security function control section 506 compares the security setting information specified by the setting information specifying section 504 with the current security setting information obtained by the current setting information obtaining section 505);
identifying, based on the comparing of the determined content-based security level to the security level standard, a security gap; and performing, in response to the identified security gap, an update to a security setting of the cluster (Hangai - [0084]: In a case where the security setting information is different from the current security setting information, the security function control section 506 changes a security state in accordance with the security setting information specified by the setting information specifying section 504).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Challener and MARANO with Hangai so that the identified security level is compared with current one to determine if there is any gap and take action accordingly. The modification would have allowed the system to enhance security. 
Regarding claim 2: Challener as modified discloses wherein the cluster includes a second virtual machine (Challener - [0067]: virtual machines 1304 and 1306),
and wherein the method further comprises
scanning a second content file located on a second virtual machine (Challener - [0068]: the successfully scanned files in read/write areas 504 are converted, see also [0052]);
and wherein the determining of the content-based security level of the cluster is further in response to the scanning of the second content file (MARANO - [0025]: scanning every document therein and assigning a security level for each document based on a set of document security rules).
MARANO is combined with Challener and Hangai herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claim 3: Challener as modified discloses wherein the performing of the update to the security setting of the cluster includes updating a security setting of the first virtual machine (Hangai - [0084]: the security function control section 506 changes a security state in accordance with the security setting information specified by the setting information specifying section 504).
Hangai is combined with Challener and MARANO herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claim 4: Challener as modified discloses wherein the performing the update to the security setting of the cluster includes updating a security setting of a virtual machine of the cluster other than the first virtual machine (Hangai - [0072] security setting information associated with an image whose effective area has the highest security level, among the plurality of effective areas, becomes effective).
Hangai is combined with Challener and MARANO herein for improving updating areas for security settings.
Regarding claim 6: Challener as modified discloses wherein the first content file change is a creation of the first content file (Challener - [0062]: scan only those files which have been created).
Regarding claim 7: Challener as modified discloses wherein the first content file change is an update to the first content file (Challener - [0062]: scan only those files which have been created or modified).
Regarding claims 11-14: Claims are directed to system claims and do not teach or further define over the limitations recited in claims 1-4. Therefore, claims 11-14 are also rejected for similar reasons set forth in claims 1-4. 
Regarding claims 16-18: Claims are directed to computer readable medium claims and do not teach or further define over the limitations recited in claims 1, 6-7. Therefore, claims 16-18 are also rejected for similar reasons set forth in claims 1, 6-7. 

Claims 5, 8, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Challener et al. (Pub. No.: US 2006/0021041, hereinafter Challener) in view of MARANO et al. (Pub. No.: US 2012/0030187, hereinafter MARANO)  and Hangai (Pub. No.: US 2014/0106787) and Li et al. (Pub. No.: US 2013/0055398, hereinafter Li).
Regarding claims 5 and 15: Challener as modified doesn’t explicitly teach but Li discloses wherein the scanning of the cluster includes monitoring for a given virtual machine to be added to the cluster, and wherein the first virtual machine is added to the cluster (Li - [0044]: the virtual asset tool 105 can initiate a vulnerability scan of the virtual machines in response to receiving the update. For example, if the update indicates that a new virtual machine has been instantiated on one of the physical machines, then the vulnerability scan can be initiated on the new virtual machine).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Challener, MARANO and Hangai with Li so that newly added virtual asset is monitored and scanned. The modification would have allowed the system to improve security. 
Regarding claims 8 and 19: Challener as modified doesn’t explicitly teach but Li discloses wherein the first content file change is a deletion of the first content file (Li - [0044]: the update can comprise a modification of the stored metadata, as well as a deletion of existing data from the asset record).
prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Challener, MARANO and Hangai with Li so that updating can include deletion of existing data. The modification would have allowed the system to improve security. 

Claims 9 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Challener et al. (Pub. No.: US 2006/0021041, hereinafter Challener) in view of MARANO et al. (Pub. No.: US 2012/0030187, hereinafter MARANO) and Hangai (Pub. No.: US 2014/0106787) and Tatarinov et al. (Pub. No.: US2020/0257811, hereinafter Tatarinov).
Regarding claims 9 and 20: Challener as modified doesn’t explicitly teach but Tatarinov discloses wherein the first content file change is changing a sharing permission of the first content file (Tatarinov - [0061]: working with the rights of objects of the operating system (modification of the access rights of objects of the file system and memory system).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Challener, MARANO and Hangai with Tatarinov so that updating can include modifying the access rights of objects. The modification would have allowed the system to improve security. 

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Challener et al. (Pub. No.: US 2006/0021041, hereinafter Challener) in view of MARANO et al. (Pub. No.: US 2012/0030187, hereinafter MARANO) and Hangai (Pub. No.: US 2014/0106787) and Gupta et al. (Pub. No. : US 2019/0014023, hereinafter Gupta).
Regarding claim 10: Challener as modified doesn’t explicitly teach but Gupta discloses wherein the scanning of the cluster includes monitoring for a given virtual machine to be removed from the cluster, and wherein the first virtual machine is removed from the cluster (Gupta - [0023]: The example healer 214 retrieves and analyzes monitoring information retrieved from the example monitoring datastore 212 to determine the health of the infrastructure and to, when needed, perform operations via the example cloud manager 204 to correct unhealthy conditions in the example infrastructure … The example healer 214 either instructs the cloud manager to add nodes or remove nodes to return the infrastructure to the target state).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Challener, MARANO and Hangai with Gupta so that a node can be removed . The modification would have allowed the system to determine the health of the infrastructure and perform actions such as add or remove to enhance security.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Yumer (Patent No.: US 9,800,606) - Systems and methods for evaluating network security
MOHANTY et al. (Pub. No.: US 2017/0279826) - Protecting dynamic and short-lived virtual machine instances in cloud environments
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.






/MENG LI/
Primary Examiner, Art Unit 2437