Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



DETAILED ACTION
This action is in response to the communication filed on 08/16/2019.
Claims 1-24 are under examination.
The Information Disclosure Statements filed on 08/16/2019 and 02/19/2021 have been entered and considered.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-5, 8-9, 12-13, 16-17, 20-21 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Roth et al. (US 9,524,389 B1), Hartrell et al. (US 2007/0150957 A1) and Crowell et al. (US 2015/0052614 A1).
Regarding claim 1, Roth et al. discloses a method comprising: receiving, at data processing hardware, an indication of compromise, the indication of compromise indicating an attack against a virtual machine; snapshotting, by the data processing hardware, a volatile-memory state of volatile memory used by the virtual machine and a non-volatile memory state of non-volatile memory used by the virtual machine [col. 3, lines 11-14, “upon detection of an intrusion/security compromise of the virtual machine, detection of the software or hardware error of the virtual machine”, col. 3, lines 50-54, “Once the initial snapshot has been captured, the virtual machine may be allowed to run and perform its tasks until the occurrence of the predetermined event (i.e., thereby triggering the event trigger), whereupon a second snapshot may be obtained”, col. 3, lines 64-67, “Like the initial snapshot, the current snapshot may be a snapshot of the state of the memory of the virtual machine and/or the state of the storage attached to the virtual machine at the current time”, col. 27, lines 32-37, “volatile and non-volatile”].
Roth et al. does not explicitly disclose the indication of compromise indicating an attack is imminent; snapshotting in response to receiving the indication of compromise and before the attack begins; and storing, by the data processing hardware, the data in memory external to the virtual machine.
However, Hartrell et al. teaches the indication of compromise indicating an attack is imminent; snapshotting in response to receiving the indication of compromise and before the attack begins; and storing, by the data processing hardware, the data in memory external to the virtual machine [par. 0027, “If a notification of a suspected malware infection is received, then, in block 208, the system activity monitor component creates a pre-infection snapshot of the monitored activities”, par. 0027, “the system activity monitor component may create an additional snapshot of the subsequent Y seconds of recorded monitored activities after receiving the notification event. In some embodiments, the activities that are monitored subsequent to receiving the notification event may be different from the activities that are monitored prior to receiving the notification event. In block 212, the system activity monitor component provides the created snapshots for further processing and/or analysis. For example, the system activity monitor component may provide the snapshots to a remote data store that is accessible by the other components of the malware analysis system and/or an administrator”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Hartrell et al. into the teaching of Roth et al. with the motivation to provide the created snapshot or snapshots for further analysis as taught by Hartrell et al. [Hartrell et al.: abs.].
They do not explicitly disclose increasing, by the data processing hardware, a level of auditing of the virtual machine from a standard level of auditing to a heightened level of auditing, the heightened level of auditing generating data representative of all accesses to the volatile memory used by the virtual machine and the non-volatile memory used by the virtual machine; and, after the attack against the virtual machine has begun: maintaining, by the data processing hardware, the heightened level of auditing for a threshold period of time; and notifying, by the data processing hardware, a user of the virtual machine of the indication of compromise.
However, Crowell et al. teaches increasing, by the data processing hardware, a level of auditing of the virtual machine from a standard level of auditing to a heightened level of auditing [par. 0041, “When a virtual machine in the trusted zone 104 is observed to exhibit levels of suspicious activity, the security and relocation engine 102 determines whether to relocate that virtual machine to the un-trusted zone 106 or the disabled zone 108… virtual machines in the un-trusted zone 106 may experience diminished service levels and heightened monitoring and logging levels”]; and, after the attack against the virtual machine has begun: maintaining, by the data processing hardware, the heightened level of auditing for a threshold period of time [par. 0034, “the security and relocation engine may apply a time decay function that reviews instances of suspicious activity from its tally over time. Instances of suspicious activity that become less relevant over time are removed. In one embodiment, virtual machines may be relocated back to the trusted zone when their levels of suspicious activity fall below the first threshold. But the security and relocation engine will continue to evaluate virtual machines that are back in the trusted zone from the un-trusted or disabled zone”, par. 0058, “the administrator 318 may customize variables such as the length of time or frequency of relocation events that would constitute a pattern in the determination of the engine logger 308”]; and notifying, by the data processing hardware, a user of the virtual machine of the indication of compromise [par. 0033, “if the evaluation of a virtual machine results in a suspicious activity level that exceeds the warning threshold, but not the unacceptable threat threshold, the security and relocation engine relocates that virtual machine to an un-trusted zone. When this occurs, the security and relocation engine can notify an administrator. Similarly, the cloud provider may contact or otherwise notify the owner of a virtual machine to request information about the applications running on the virtual machine”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Crowell et al. into the teaching of Roth et al. and Hartrell et al. with the motivation to enable administrators to more efficiently respond to security threats on a particular virtual machine as taught by Crowell et al. [Crowell et al.: abs.].
Regarding claim 4, the rejection of claim 1 is incorporated.
Crowell et al. further teaches the threshold period of time is configurable by the user of the virtual machine [par. 0034, “the security and relocation engine may apply a time decay function that reviews instances of suspicious activity from its tally over time. Instances of suspicious activity that become less relevant over time are removed. In one embodiment, virtual machines may be relocated back to the trusted zone when their levels of suspicious activity fall below the first threshold. But the security and relocation engine will continue to evaluate virtual machines that are back in the trusted zone from the un-trusted or disabled zone”, par. 0058, “the administrator 318 may customize variables such as the length of time or frequency of relocation events that would constitute a pattern in the determination of the engine logger 308”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Crowell et al. into the teaching of Roth et al. and Hartrell et al. with the motivation to enable administrators to more efficiently respond to security threats on a particular virtual machine as taught by Crowell et al. [Crowell et al.: abs.].
Regarding claim 5, the rejection of claim 1 is incorporated.
Hartrell et al. further discloses the indication of compromise is based upon existence of a suspicious process [par. 0027, “If a notification of a suspected malware infection is received, then, in block 208, the system activity monitor component creates a pre-infection snapshot of the monitored activities”, par. 0027, “the system activity monitor component may create an additional snapshot of the subsequent Y seconds of recorded monitored activities after receiving the notification event. In some embodiments, the activities that are monitored subsequent to receiving the notification event may be different from the activities that are monitored prior to receiving the notification event. In block 212, the system activity monitor component provides the created snapshots for further processing and/or analysis. For example, the system activity monitor component may provide the snapshots to a remote data store that is accessible by the other components of the malware analysis system and/or an administrator”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Hartrell et al. into the teaching of Roth et al. with the motivation to provide the created snapshot or snapshots for further analysis as taught by Hartrell et al. [Hartrell et al.: abs.].
Crowell et al. further teaches the threshold period of time is based upon the existence of the suspicious process [par. 0034, “the security and relocation engine may apply a time decay function that reviews instances of suspicious activity from its tally over time. Instances of suspicious activity that become less relevant over time are removed. In one embodiment, virtual machines may be relocated back to the trusted zone when their levels of suspicious activity fall below the first threshold. But the security and relocation engine will continue to evaluate virtual machines that are back in the trusted zone from the un-trusted or disabled zone”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Crowell et al. into the teaching of Roth et al. and Hartrell et al. with the motivation to enable administrators to more efficiently respond to security threats on a particular virtual machine as taught by Crowell et al. [Crowell et al.: abs.].
Regarding claim 8, the rejection of claim 1 is incorporated.
Roth et al. further discloses determining, by the data processing hardware, that the attack has concluded; and in response to determining that the attack has concluded, snapshotting, by the data processing hardware, the volatile-memory state of the volatile memory used by the virtual machine and the non-volatile memory state of the non-volatile memory used by the virtual machine [col. 4, lines 32-36, “Described and suggested techniques improve the field of computing, specifically the field of digital forensics, by capturing before and after snapshots of a computing system which can be preserved for forensic investigation at a later date”, col. 6, lines 59-62, “the scaling service is configured to terminate and re-launch a virtual machine if an intrusion detection component of the service indicates that security or integrity of the virtual machine may have been compromised”].
Regarding claim 9, the rejection of claim 1 is incorporated.
[col. 6, lines 59-62, “the scaling service is configured to terminate and re-launch a virtual machine if an intrusion detection component of the service indicates that security or integrity of the virtual machine may have been compromised”].
Regarding claim 12, the rejection of claim 1 is incorporated.
Roth et al. further discloses that no snapshotting of the volatile-memory state of the volatile memory and the non-volatile memory state of the non-volatile memory occurs while the attack against the virtual machine is in progress [col. 4, lines 32-36, “Described and suggested techniques improve the field of computing, specifically the field of digital forensics, by capturing before and after snapshots of a computing system which can be preserved for forensic investigation at a later date”, col. 6, lines 59-62, “the scaling service is configured to terminate and re-launch a virtual machine if an intrusion detection component of the service indicates that security or integrity of the virtual machine may have been compromised”, col. 3, lines 50-54, “Once the initial snapshot has been captured, the virtual machine may be allowed to run and perform its tasks until the occurrence of the predetermined event (i.e., thereby triggering the event trigger), whereupon a second snapshot may be obtained”, col. 3, lines 64-67, “Like the initial snapshot, the current snapshot may be a snapshot of the state of the memory of the virtual machine and/or the state of the storage attached to the virtual machine at the current time”, col. 27, lines 32-37, “volatile and non-volatile”].
Regarding claim 13, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 16, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 20, it recites limitations similar to claim 8. The reason for the rejection of claim 8 is incorporated herein.
Regarding claim 21, it recites limitations similar to claim 9. The reason for the rejection of claim 9 is incorporated herein.
Regarding claim 24, it recites limitations similar to claim 12. The reason for the rejection of claim 12 is incorporated herein.

Claims 2 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Roth et al. (US 9,524,389 B1), Hartrell et al. (US 2007/0150957 A1) and Crowell et al. (US 2015/0052614 A1) as applied to claims 1, 4-5, 8-9, 12-13, 16-17, 20-21 and 24 above, and further in view of Skidanov et al. (US 2013/0198139 A1).
Regarding claim 2, the rejection of claim 1 is incorporated.
Roth et al. discloses snapshotting the non-volatile memory state.
They do not teach snapshotting the non-volatile memory state comprises suspending garbage collection of the non-volatile memory.
However, Skidanov et al. teaches snapshotting the non-volatile memory state comprises suspending garbage collection of the non-volatile memory [par. 0035, “When a new snapshot is being created, the database is `pinned` in memory to prevent garbage collection, or limit garbage collection”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Skidanov et al. into the teaching of Roth et al., Hartrell et al. and Crowell et al. with the motivation to assure that the state at the time that the snapshot commences is maintained until after the snapshot is completed as taught by Skidanov et al. [Skidanov et al.: par. 0035].
Regarding claim 14, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.

Claims 3 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Roth et al. (US 9,524,389 B1), Hartrell et al. (US 2007/0150957 A1) and Crowell et al. (US 2015/0052614 A1) as applied to claims 1, 4-5, 8-9, 12-13, 16-17, 20-21 and 24 above, and further in view of Solan et al. (US 2020/0034284 A1).
Regarding claim 3, the rejection of claim 1 is incorporated.
Roth et al. discloses snapshotting the volatile memory state.
They do not teach snapshotting the volatile memory state comprises executing a live migration of the volatile memory.
However, Solan et al. teaches snapshotting the volatile memory state comprises executing a live migration of the volatile memory [par. 0035, “the static snapshot backups capture a full state of the virtual machine through a virtual machine live migration component using a source hypervisor managing the virtual machine and a target hypervisor managing the virtual machine after migration, and wherein the full state comprises: a content of substantially all virtual CPU registers and buffers, contents of the virtual machine memory, CPU BIOS (basic input/output system) values, virtualized hardware state, and contents of the virtual machine disk storage”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Skidanov et al. into the teaching of Roth et al., Hartrell et al. and Crowell et al. with the motivation such that the VM live migration process captures certain state information just prior to the VM transfer as taught by Solan et al. [Solan et al.: par. 0028].
Regarding claim 15, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.

Claims 6 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Roth et al. (US 9,524,389 B1), Hartrell et al. (US 2007/0150957 A1) and Crowell et al. (US 2015/0052614 A1) as applied to claims 1, 4-5, 8-9, 12-13, 16-17, 20-21 and 24 above, and further in view of Schuba et al. (US 2010/0251004 A1).
Regarding claim 6, the rejection of claim 1 is incorporated.
Roth et al. discloses snapshotting the memory state.
They do not teach the threshold period of time corresponds to the life of the virtual machine.
However, Schuba et al. teaches the threshold period of time corresponds to the life of the virtual machine [see fig. 3, par. 0065, “Exploits in the virtual machine may thus be detected, analyzed, and managed using snapshot instances and limitations until the virtual machine is no longer executed”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Schuba et al. into the teaching of Roth et al., Hartrell et al. and Crowell et al. with the motivation for managing the execution of virtual machines using snapshotting and damage containment techniques as taught by Schuba et al. [Schuba et al.: par. 0028].
Regarding claim 18, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.

Claims 7 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Roth et al. (US 9,524,389 B1), Hartrell et al. (US 2007/0150957 A1) and Crowell et al. (US 2015/0052614 A1) as applied to claims 1, 4-5, 8-9, 12-13, 16-17, 20-21 and 24 above, and further in view of Boutnaru (US 2018/0077201 A1).
Regarding claim 7, the rejection of claim 1 is incorporated.
Crowell et al. discloses the data from the heightened level of auditing.
They do not teach the data further comprises a list of all commands executed by the virtual machine during the heightened level of auditing.
However, Boutnaru teaches the data further comprises a list of all commands executed by the virtual machine during the heightened level of auditing [par. 0041, “a log of commands or attempted commands that have occurred”].
[Boutnaru: par. 0041].
Regarding claim 19, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.

Claims 10-11 and 22-23 are rejected under 35 U.S.C. 103 as being unpatentable over Roth et al. (US 9,524,389 B1), Hartrell et al. (US 2007/0150957 A1) and Crowell et al. (US 2015/0052614 A1) as applied to claims 1, 4-5, 8-9, 12-13, 16-17, 20-21 and 24 above, and further in view of Lemay et al. (US 2014/0380009 A1).
Regarding claim 10, the rejection of claim 9 is incorporated.
Roth et al. discloses the intrusion detection system.
They do not explicitly disclose the intrusion detection system executes in a first hierarchical protection domain and software resources within a user space of the virtual machine execute in a second hierarchical protection domain, the first hierarchical protection domain having more privileges than the second hierarchical protection domain.
However, Lemay et al. teaches the intrusion detection system executes in a first hierarchical protection domain and software resources within a user space of the virtual machine execute in a second hierarchical protection domain, the first hierarchical protection domain having more privileges than the second hierarchical protection domain [par. 0083, “the forgoing components and the protected memory views are configured to monitor and detect unauthorized access to memory, the unauthorized access associated with malware”, par. 0086, “the forgoing operations and further includes executing the editor module in a ring 0 privilege mode, and the ring 0 privilege mode is a reduced privilege mode relative to a privilege mode associated with a VMM. Another example method includes the forgoing operations and further includes providing access to the nested page table structure by user space applications within the guest of the VM, the user space applications configured to execute in a ring 3 privilege mode, and the ring 3 privilege mode is a reduced privilege mode relative to the ring 0 privilege mode”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Lemay et al. into the teaching of Roth et al., Hartrell et al. and Crowell et al. with the motivation to monitor and detect unauthorized access to memory as taught by Lemay et al. [Lemay et al.: par. 0083].
Regarding claim 11, the rejection of claim 10 is incorporated.
Lemay et al. further teaches the first hierarchical protection domain corresponds to Ring 0 of the virtual machine and the second hierarchical protection domain corresponds to Ring 3 of the virtual machine [par. 0083, “the forgoing components and the protected memory views are configured to monitor and detect unauthorized access to memory, the unauthorized access associated with malware”, par. 0086, “the forgoing operations and further includes executing the editor module in a ring 0 privilege mode, and the ring 0 privilege mode is a reduced privilege mode relative to a privilege mode associated with a VMM. Another example method includes the forgoing operations and further includes providing access to the nested page table structure by user space applications within the guest of the VM, the user space applications configured to execute in a ring 3 privilege mode, and the ring 3 privilege mode is a reduced privilege mode relative to the ring 0 privilege mode”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Lemay et al. into the teaching of Roth et al., Hartrell et al. and Crowell et al. with the motivation to monitor and detect unauthorized access to memory as taught by Lemay et al. [Lemay et al.: par. 0083].
Regarding claim 22, it recites limitations similar to claim 10. The reason for the rejection of claim 10 is incorporated herein.
Regarding claim 23, it recites limitations similar to claim 11. The reason for the rejection of claim 11 is incorporated herein.


 
Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20200084229 A1	CROSS-DOMAIN SOLUTION USING NETWORK-CONNECTED HARDWARE ROOT-OF-TRUST DEVICE
US 20150172300 A1	BEHAVIORAL MODEL BASED MALWARE PROTECTION SYSTEM AND METHOD
US 20180247055 A1	METHODS FOR PROTECTING A HOST DEVICE FROM UNTRUSTED APPLICATIONS BY SANDBOXING
US 9223962 B1	MICRO-VIRTUAL MACHINE FORENSICS AND DETECTION
US 20180159866 A1	COMPUTER MALWARE DETECTION
US 20180167403 A1	MALWARE ANALYSIS AND RECOVERY
US 20120124285 A1	VIRTUAL DISK DRIVE SYSTEM AND METHOD WITH CLOUD-BASED STORAGE MEDIA
US 20090320137 A1	SYSTEMS AND METHODS FOR A SIMULATED NETWORK ATTACK GENERATOR

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571) 270-3393. The examiner can normally be reached from 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached at (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/JASON CHIANG/Primary Examiner, Art Unit 2431