DETAILED ACTION
This office action is a response to an application filed on 07/04/2019 in which claims 13-20 are pending for examination.

Notice of Pre-AIA  or AIA  Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 101
3.	35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


4.	Claims 13-19 are rejected under 35 U.S.C. 101 because claim recites “the system for securing a container, the system comprising a design time agent operable for”. The system comprising a design time agent can be software or software component. There is no structure in the system. The specification does not disclose the system comprising a design time agent as a hardware. Therefore, claims are rejected under 35 U.S.C 101 as software per se.

Claim Rejections - 35 USC § 103
5.	The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person 


6.	Claim(s) 13, 15 and 20  is/are rejected are rejected under 35 U.S.C. 103(a) as being unpatentable over LEVIN et al (US 2018/0129803 A1) in view of Gerebe et al (US 2019/0156023 A1).

Regarding claim 13,  LEVIN discloses a system for securing a container, the system comprising: (a) a design time agent (Fig.3; 310, 315) operable for: (i) accessing an application image (Fig.5; S530; extracting contents of the container image), (ii) examining said application image (Fig.5; S540; analyzing content of the container image), and (iii) generate, based on said examining, an administrative service to said application image (paragraph [0033]; the security profile is created based on analysis of all layers in a container image; paragraph [0072]; the generated security profile includes a list of permissible file system actions, paragraph [0079]; a cluster admin user service is permitted to read and write SSH keys therefore, the generated security profile includes administrative service ), said administrative service having administrator access to an instantiated application of said application image (paragraph [0072]; the generated security profile includes a list of permissible file system actions, paragraph [0079]; a cluster admin user service is permitted to read and write therefore, the generated security profile includes administrative service access to application of a container image), and 
The embodiment of LEVIN discloses generating an administrative service to said application image.
However, the embodiment of LEVIN does not explicitly disclose adding an administrative service to said application image.

Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the method of generating administrative service for container image of one embodiment of LEVIN with the method adding administrative service to container image of other embodiment of LEVIN in order to improve security in accessing permissible file taught by LEVIN.
The embodiments of LEVIN does not explicitly disclose said administrative service operable to install in said instantiated application at least one security module during runtime of said instantiated application in the container.
Gerebe et al discloses said administrative service operable to install in said instantiated application at least one security module during runtime of said instantiated application in the container. (Fig.1; 18, 18A-18N,paragraph [0018]; the security agent is configured to download the security policy at runtime when the software container image is instantiated wherein security agent can be considered as said instantiated application because it is one of the applications of instantiated container image , security policy can be considered as security module)
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the method of accessing application 

Regarding claim 15, The embodiments of LEVIN and Gerebe discloses the system of claim 13 wherein said adding gives administrator access by a technique selected from the group consisting of: 
(a) altering original image files,
(b) altering original image instance access rights credentials, and
(c) altering original image instance accounts.(LEVIN; paragraph [0072]; updating existing security profile which includes cluster administrator access to file please see paragraph [0079])

Regarding claim 20, claim 20 is rejected for the same reason as set forth in claim 1.

7.	Claim(s) 14  is/are rejected are rejected under 35 U.S.C. 103(a) as being unpatentable over LEVIN et al (US 2018/0129803 A1) in view of Gerebe et al (US 2019/0156023 A1) and Do et al (US 10,691, 480 B2).

Regarding claim 14, The embodiments of LEVIN and Gerebe discloses the system of claim 13 wherein said application image is selected from the group consisting of: a container image to be instantiated as said instantiated application, (LEVIN; paragraph [0069]; a container image is 
The embodiments of LEVIN and Gerebe does not explicitly disclose a container image file system to be altered in order to provide said instantiated application.
Do et al discloses a container image file system to be altered in order to provide said instantiated application.(column 2; lines 30-40; virtual machine image and virtual application deployment descriptor are modified for instantiated virtual application)
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the method of accessing application image, examining application image, adding administrative service to an instantiated application of said application image of LEVIN and the method installing security policy or module to the instantiated application of the instantiated container image of Gerebe with the method modifying the virtual machine image and virtual application descriptor of Do in order to deploy in cloud environment taught by Do.

8.	Claim(s) 16  is/are rejected are rejected under 35 U.S.C. 103(a) as being unpatentable over LEVIN et al (US 2018/0129803 A1) in view of Gerebe et al (US 2019/0156023 A1) and ZAVESKY et al (US 2019/0342187 A1).

Regarding claim 16, the embodiments of LEVIN and Gerebe discloses the system of claim 13, the embodiment of LEVIN discloses said design time agent additionally is operable for: generate, based on said examining, an administrative service to said application image (paragraph [0033]; the security profile is created based on analysis of all layers in a container 
The embodiments of LEVIN does not explicitly discloses adding said at least one security module to said application image.
Gerebe discloses adding said at least one security module to said application image (paragraph [0028]; adding a layer which includes security agent to the container image)
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the method of accessing application image, examining application image, adding administrative service to an instantiated application of said application image of LEVIN with the method installing security policy or module to the instantiated application of the instantiated container image of Gerebe in order to control operation of the application taught by Gerebe.
The embodiments of LEVIN and Gerebe does not explicitly disclose the time that performing to said application image and a time selected from the group consisting of:
(a) prior to instantiation, and
(b) after instantiation.
ZAVESKY et al discloses the time that modifying to said application image and a time selected from the group consisting of:
(a) prior to instantiation, and
(b) after instantiation. (paragraph [0056]; modifying to the application before instantiation or after instantiation ;)
.

9.	Claim(s) 17 and 18 is/are rejected are rejected under 35 U.S.C. 103(a) as being unpatentable over LEVIN et al (US 2018/0129803 A1) in view of Gerebe et al (US 2019/0156023 A1), Plate et al (US 9959111 B2), Matsuzaki et al (US 2003/0237065 A1) and Flynn et al (US 2020/0358870 A1).

Regarding claim 17, The embodiments of LEVIN in view of Gerebe discloses the system of claim 13, said design time agent adds security module (LEVIN; paragraph [0054]; updating the content of the existing security profile for the container image) (Gerebe; paragraph [0028]; add the security agent to the container image)
The embodiments of LEVIN in view of Gerebe does not disclose prioritizes which said at least one module to add based on a pre-defined set of rules including configuration preferences.
Plate discloses prioritizes which said at least one module to add based on a pre-defined set of rules including configuration preferences. (abstract; priorities the software patches or module based on the pre-defined policy and add or install the module or software patches)

The embodiments of LEVIN in view of Gerebe and Plate does not disclose configuration includes prioritizing speed.
Matsuzaki et al discloses configuration such as prioritizing speed (paragraph [0005]; configuration for the priority of speed)
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the method of accessing application image, examining application image, adding administrative service to an instantiated application of said application image of LEVIN in view of Gerebe and Plate with the method of Matsuzaki in order to enhance functionalities taught by Matsuzaki.
The embodiments of LEVIN in view of Gerebe, Plate and Matsuzaki discloses prioritizes which module to add based on predefined set of rules including configuration preferences as stated above.
However, the embodiments of LEVIN in view of Gerebe, Plate and Matsuzaki does not explicitly disclose configuration such as less intrusive operating system mechanism.
Flynn et al discloses less intrusive operating system mechanism. (paragraph [0015]; running OS without intrusive protocols or mechanism)
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the method of accessing application 

Regarding claim 18, The embodiments of LEVIN, Gerebe, Plate, Matsuzaki and Flynn discloses the system of claim 17 wherein said predefined set of rules includes rules to invoke the configuration of said application image to execute said at least one security module (LEVIN; paragraph [0074]; APP container is a runtime instance of a corresponding container image, retrieving the respective security profile, capturing file system actions, and analyzing the captured filesystem actions to detect an attempt by the APP container to violate any parameter set in the retrieved security profile) as said application image is instantiated and starts running, in accordance with the placement of said container and framework, which manages said container.(LEVIN; paragraph [0058]; the application container image is instantiating and running by executing security module or by checking security policies)

10.	Claim(s) 19  is/are rejected are rejected under 35 U.S.C. 103(a) as being unpatentable over LEVIN et al (US 2018/0129803 A1) in view of Gerebe et al (US 2019/0156023 A1) and LeVine (US 2008/0243696 A1).

Regarding claim 19, The embodiments of LEVIN in view of Gerebe discloses the system of claim 13, the embodiments of LEVIN does not explicitly disclose said design time agent adds an additional layer to said application image, said additional layer containing a runtime agent operable to control said at least one module.

Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the method of accessing application image, examining application image, adding administrative service to an instantiated application of said application image of LEVIN with the method installing security policy or module to the instantiated application of the instantiated container image of Gerebe in order to control operation of the application taught by Gerebe.
The embodiments of LEVIN in view of Gerebe does not explicitly disclose additional layer operable to control at least security module.
LeVine discloses additional layer operable to control at least security module.(paragraph [0034]; additional layer of authenticating security that means additional layer is operating to control security module)
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the method of accessing application image, examining application image, adding administrative service to an instantiated application of said application image of LEVIN and the method adding layer to container image to control operation of Gerebe with the method LeVine in order to in order to increase privacy and security taught by LeVine.

Conclusion  
11. 	The prior art made of record (see attached PTO-892) and not relied upon is considered pertinent to applicant's disclosure.
Chen et al. US 2020/0065124 A1 (Shortening Just-in Time code warm up time of Docker containers) which discloses a container used to deploy the application may require security policies or configuration settings.
Thomas et al. US 2017/0212830 A1 which discloses container image with the policy is checked before launching.
Du et al. US 2019/0354389 A1 which discloses check for updates on container images, review metadata associated with container images.

12.	A shortened statutory period for reply to this action is set to expire THREE MONTHS from the mailing date of the action. An extension of time may be obtained under 37 CFR 1.136(a). However, in no event, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to AYE M AUNG whose telephone number is (571)270-0255. The examiner can normally be reached on M-F 8:30-5:00.If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 5712726967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or 

/A. M. A./
Examiner, Art Unit 2452

/THU V NGUYEN/Supervisory Patent Examiner, Art Unit 2452