DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is responsive to amendment filed on 05/05/2022. Claims 1-21 have been examined and are pending in this application.
Response to Arguments
Applicant's arguments filed 05/05/2022 have been fully considered but they are not persuasive.
Applicant argues, page 8 of the remarks, “[the] above references are not conceded as prior art, and the rights to challenge the references at a later time are reserved.”
The Examiner respectfully requests the Applicant to review MPEP 2152 where it is clearly described what qualifies as prior art. The effective filing date of each of the references cited is before the effective filing date of the claimed invention. Accordingly, the references qualify as prior art. See MPEP 2152 for a detailed analysis.
Applicant argues, pages 10-11 of the remarks, “it is abundantly clear from the foregoing teachings of Kuwamura that he determines whether a restored VM is virus-free, after the VM is restored. In comparison, claim 1 recites that the restoration involves using an image that has (already) been determined to be secure, specifically ‘using … a point-in-time image determined as being secure for the restoration’ (emphasis ours).”
The Examiner respectfully disagrees. The claim limitation in question requires “using, by the host, a point-in-time image generated prior to the particular time and determined as being secure for the restoration of the virtual machine”. The claim language “determined as being secure” can be interpreted more broadly. For example, the determination that the point-in-time image is secure may be done either at the point-in-time of the generation of the image (predetermined) or at the time when the image is being restored. This broad interpretation is supported by paragraphs [0011] and [0035] of the instant filed specification. 
For example, paragraph [0011] of the instant filed specification states in part “[if] the in-guest agent identifies behavior (at a particular point in time) at [that] the VM may be indicative of the presence of malicious code, the replication module can tag a checkpoint that corresponds to the same particular point in time as an unsecure image with a security risk (e.g., the checkpoint is tagged as being infected, corrupted, quarantined, vulnerable, etc.). That checkpoint (and subsequent checkpoints in time) in turn can be discarded and/or further investigated (e.g., by applying a virus scan) to determine the appropriate remedial action. Other checkpoints that were created prior to the particular point in time and which correspond to behavior by the VM that was validated (e.g., not identified as being indicative of malicious code) by the in-guest agent can be deemed as being secure, and can be used to launch the VM if there is a need for disaster recovery.”
Accordingly, in the claimed invention, a replication module tags point in time images of a VM as being secure, and at the restoration time, the restoration may occur on a point in time image that is predetermined to be secure.
Alternatively, in paragraph [0035] of the instant filed specification, “the cloud 142 can run a virus scan in sequence on each checkpoint generated prior to checkpoint 2 (starting at a checkpoint that is generated from just before T2 and moving in reverse order in time through each checkpoint), until a first secure checkpoint is identified.”
Accordingly, in the claimed invention, a virus scan is performed in sequence on a plurality of point in time images at the time of restoration until a secure image is identified. 
As already pointed out before, the claim language “determined as being secure” can be interpreted either as predetermined to be secure prior to the restoration time or determined to be secure at the time of restoration. The Examiner cited two paragraphs from the instant filed specification that support the two interpretations. The Examiner interpreted the above claim language as determined to be secure at the time of restoration. 
In FIG. 4 of Kuwamura, a preceding snapshot of a VM is restored (or retrieved) at step S23 on which a virus scan is performed at step S24. If the VM snapshot is not infected with virus (determination step S25) then in step S27 the VM is resumed which is the same as launching the VM described in paragraph [0011] of the instant filed specification.
Thus, Kuwamura teaches the claim limitation “using, by the host, a point-in-time image generated prior to the particular time and determined as being secure for the restoration of the virtual machine”.
In order to overcome Kuwamura, Applicant needs to narrow the interpretation of the claim language. The Examiner suggests language such as “determined as being secure at the point-in-time of the generation of the image” to further narrow the interpretation and overcome Kuwamura. 
In view of the foregoing remarks, independent claims 1, 8, and 15 are not in a condition for allowance. Claims depending therefrom, either directly or indirectly, are also not in a condition for allowance.   
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8-13, and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Vashisht et al. US 10,552,610 (“Vashisht”) in view of Kuwamura US 2010/0043073 (“Kuwamura”).
As per independent claim 1, Vashisht teaches A method for a host in a virtualized computing environment to restore a virtual machine supported by the host (A method is described for updating a virtual machine (VM) disk snapshot that is used in the instantiation of one or more guest virtual machine instances for handling the analysis of an object for a presence of malware, col 1 lines 17-20), the method comprising:
performing, by the host, a replication process to store point-in-time images of the virtual machine at a storage location (A VM disk snapshot features a modular configuration where different portions or modules of the VM disk snapshot may be updated in accordance with a time-based update scheme and/or a frequency-based update scheme, col 2 lines 49-53. The update of the VM disk snapshot with a time-based update scheme teaches storing point-in-time images of the virtual machine for the following reason. The claimed virtual machine is obviously running since its operational behavior is monitored as claimed. Further, it is interpreted that at each point-in-time, changes (updates) to the running virtual machine state are stored rather than at each point-in-time storing a complete image of the state of the running virtual machine);
performing, by the host, a monitoring process concurrently with the replication process to monitor operational behavior of the virtual machine (As illustrated in FIG. 4, a guest image update package 195.sub.2 includes analytic tools such as pre-analysis software tool or a monitoring/detection tool or a post-analysis software tool that are to analyze and monitor the behavior of an object within the virtual machine guest instance, col 12 lines 9-28 and FIG. 4);
in response to the monitored operational behavior at a particular time being in violation of expected operational behavior of the virtual machine (As a monitoring/detection tool, the software component may be configured to setup the environment for detection, detect/monitor activity during analysis of the object, and perform analysis of logged activity, col 12 lines 18-22. Malware is designed to cause a network device to experience anomalous (unexpected or undesirable) behaviors, col 6 lines 18-22, that are monitored and/or detected), identifying, by the host, a point-in-time image that corresponds to the particular time as an unsecure image with a security risk (Once the object is deemed “suspicious”, namely the probability of the object being associated with a malicious attack exceeds a threshold, the object is further analyzed to determine if the object is malicious, col 8 lines 10-16).
In addition to Vashisht teaching the claim limitation “performing, by the host, a replication process to store point-in-time images of the virtual machine at a storage location”, an analogous art in the same field of endeavor, Kuwamura also teaches this claim limitation.
Kuwamura teaches performing, by the host, a replication process to store point-in-time images of the virtual machine at a storage location (Virtual machines 110 and 120 periodically store their states as snapshots, para 0051).
Vashisht discloses all of the claimed limitations from above, but does not explicitly teach “performing, by the host, an action on the unsecure image to restrict use of the unsecure image for restoration of the virtual machine” and “using, by the host, a point-in-time image generated prior to the particular time and determined as being secure for the restoration of the virtual machine”.
However, the analogous art, Kuwamura teaches performing, by the host, an action on the unsecure image to restrict use of the unsecure image for restoration of the virtual machine (Referring to FIG. 4, in step S22, it is determined whether or not a virus detected by an antivirus software 132 can be completely removed from a virtual machine snapshot. Responsive to the determination being “NO”, at step S23, a preceding snapshot of the virtual machine is checked to determine whether or not the preceding snapshot of the virtual machine is infected with virus, paras 0049-0052 and FIG. 4. Thus, the snapshot of the virtual machine that is scanned for virus at step S22 is not used);
using, by the host, a point-in-time image generated prior to the particular time and determined as being secure for the restoration of the virtual machine (At step S23, a preceding snapshot of the virtual machine is restored and scanned for virus at step S24. If the snapshot is not infected with virus, then at step S27, the virtual machine is resumed with the preceding snapshot, para 0052 and FIG. 4).
Given the teaching of Kuwamura, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify the scope of the invention of Vashisht with “performing, by the host, an action on the unsecure image to restrict use of the unsecure image for restoration of the virtual machine” and “using, by the host, a point-in-time image generated prior to the particular time and determined as being secure for the restoration of the virtual machine”. The motivation would be that the need for executing antivirus software for each virtual machine can be avoided, para 0013 of Kuwamura.
As per dependent claim 2, Vashisht in combination with Kuwamura discloses the method of claim 1. Vashisht may not explicitly disclose, but Kuwamura teaches wherein performing the action on the unsecure image includes at least one of: discarding the unsecure image (Referring to FIG. 4, in step S22, it is determined whether or not a virus detected by the antivirus software 132 can be completely removed from the virtual machine snapshot. Responsive to the determination being “NO”, the snapshot is not used, para 0049 and FIG. 4) or performing a virus scan on the unsecure image (Referring to FIG. 4, in step S22, it is determined whether or not a virus detected by the antivirus software 132 can be completely removed from the virtual machine snapshot, para 0049 and FIG. 4).
The same motivation that was utilized for combining Vashisht and Kuwamura as set forth in claim 1 is equally applicable to claim 2.
As per dependent claim 3, Vashisht in combination with Kuwamura discloses the method of claim 1. Vashisht may not explicitly disclose, but Kuwamura teaches further comprising restricting use of at least one point-in-time image, generated after the unsecure image, for restoration of the virtual machine (In FIG. 4, preceding snapshots are checked for virus and if not infected, the virtual machine is restored from one of the preceding snapshots, paras 0049-52. Thus, for any snapshot at a point-in-time that is infected, snapshots subsequent to that point-in-time are not used for restoration of the VM).
The same motivation that was utilized for combining Vashisht and Kuwamura as set forth in claim 1 is equally applicable to claim 3.
As per dependent claim 4, Vashisht in combination with Kuwamura discloses the method of claim 1. Vashisht teaches further comprising: generating and sending, by the host to a manager, an alarm to indicate that the monitored operational behavior is in violation of the expected operational behavior (Once the object is deemed “suspicious”, namely the probability of the object being associated with malicious attack exceeds a threshold probability, a scheduler notifies logic 220 within a dynamic analysis engine 175 of an upcoming analysis of the suspicious object to determine if the object is potentially malicious, col 8 lines 10-16);
receiving, by the host, a remediation instruction from the manager, in response to the manager having verified from at least the alarm that the virtual machine is infected with malicious code (The logic 220, referred to as a “virtual execution engine”, is responsible for managing VM disk snapshot updates within the VM disk image, loading of VM disk images into memory, and controlling instantiation one or more for analysis of the suspicious object, col 8 lines 16-21).
Vashisht may not explicitly disclose, but Kuwamura teaches wherein the point-in-time image is identified based on the particular time which is indicated in the received remediation instruction (Referring to FIG. 4, a snapshot of a virtual machine is identified as being infected with a virus, step S21, para 0049 and FIG. 4. The snapshot corresponds to a point-in-time image of the virtual machine, since the virtual machine snapshots are periodically taken, para 0051).
The same motivation that was utilized for combining Vashisht and Kuwamura as set forth in claim 1 is equally applicable to claim 4.
As per dependent claim 5, Vashisht in combination with Kuwamura discloses the method of claim 1. Vashisht teaches wherein performing the monitoring process includes, comparing, by the host, one or more operations performed by the virtual machine against a whitelist for compliance with operations identified in the whitelist (The unexpected or unusual behaviors caused by malware are summarized in col 6 lines 6-29. The evasive behaviors are detected by activities which may include simulated user interaction (e.g., mouse movement or clicks, password or other data entry, etc.) or processing procedures that are designed to quickly address detected activation delays or other evasive behaviors by malware. For instance, generating the guest VM instance, an image launcher 410 may be configured to update software components associated with malware detection that cause the virtual guest instance to perform a different user interaction pattern when processing a suspect object to actuate or trigger observable behavior by the object, col 11 lines 21-44. Since observable behavior of a suspect object is actuated or triggered, it would be obvious to those of ordinary skill in the art to compare the observed behavior of the suspected object to a whitelist to determine compliance).
As per dependent claim 6, Vashisht in combination with Kuwamura discloses the method of claim 1. Vashisht may not explicitly disclose, but Kuwamura teaches further comprising performing a virus scan on a plurality of point-in-time images that are generated prior to the unsecure image, wherein the virus scan is performed on the plurality of point-in-time images in reverse time order in which the plurality of point-in-time images were generated, until a particular point-in-time image is determined by the virus scan to be the secure point-in-time image (Referring to FIG. 4, a preceding snapshot of the virtual machine is restored at step S23 and is scanned for virus at step S24. At step S25, if it is determined that the preceding snapshot is infected with virus, then the flow of FIG. 4 loops back to step S22, paras 0049-0052 and FIG. 4. At step S27, a VM is resumed from a preceding snapshot that is not infected with virus).
The same motivation that was utilized for combining Vashisht and Kuwamura as set forth in claim 1 is equally applicable to claim 6.
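The two readings of “determined as being secure” set out in the Response to Arguments, together with the reverse-time-order scan addressed under claim 6, can be contrasted in a short Python sketch. This is an added example, not code from the application, the cited references, or this Office Action; the Checkpoint fields, the function names, the marker-based toy scan and the sample checkpoints are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MARKER = b"CONSTRUCTED-MALWARE-MARKER"  # assumption: toy signature, not a real one


@dataclass
class Checkpoint:
    cp_id: int
    created_at: int        # generation time of the point-in-time image
    payload: bytes = b""   # stand-in for the image contents
    tag: str = "secure"    # assigned on the replication side at generation time


def toy_scan(cp: Checkpoint) -> bool:
    """Stand-in for a virus scan: True means the image scanned clean."""
    return MARKER not in cp.payload


def tag_on_violation(cps: List[Checkpoint], violation_time: int) -> None:
    """Reading 1: tag the checkpoint at the violation time, and every later
    one, as unsecure so it is not offered for restoration."""
    for cp in cps:
        if cp.created_at >= violation_time:
            cp.tag = "unsecure"


def pick_pretagged(cps: List[Checkpoint], violation_time: int) -> Optional[Checkpoint]:
    """Reading 1: restore from the newest earlier checkpoint already tagged
    secure; nothing is scanned at restoration time."""
    ok = [c for c in cps if c.created_at < violation_time and c.tag == "secure"]
    return max(ok, key=lambda c: c.created_at, default=None)


def pick_by_reverse_scan(
    cps: List[Checkpoint], violation_time: int, scan: Callable[[Checkpoint], bool]
) -> Tuple[Optional[Checkpoint], List[int]]:
    """Reading 2: at restoration time, scan earlier checkpoints newest-first
    and stop at the first clean one. Returns (choice, ids scanned in order)."""
    scanned: List[int] = []
    earlier = [c for c in cps if c.created_at < violation_time]
    for cp in sorted(earlier, key=lambda c: c.created_at, reverse=True):
        scanned.append(cp.cp_id)
        if scan(cp):
            return cp, scanned
        cp.tag = "unsecure"  # failed the scan: restrict its use for restoration
    return None, scanned


def constructed_checkpoints() -> List[Checkpoint]:
    """Constructed data: violation observed at t=40; checkpoint 3 carries the
    marker although no violation was reported at t=30."""
    return [
        Checkpoint(1, 10), Checkpoint(2, 20),
        Checkpoint(3, 30, payload=b"data" + MARKER),
        Checkpoint(4, 40, payload=MARKER), Checkpoint(5, 50, payload=MARKER),
    ]


if __name__ == "__main__":
    cps = constructed_checkpoints()
    tag_on_violation(cps, 40)
    print("pre-tagged choice:", pick_pretagged(cps, 40).cp_id)
    choice, order = pick_by_reverse_scan(cps, 40, toy_scan)
    print("reverse-scan choice:", choice.cp_id, "scanned:", order)
```

On this constructed data the two strategies select different checkpoints, because the verdict is fixed at generation time in the first and formed at restoration time in the second.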
As per claims 8-13, these claims are respectively rejected based on arguments provided above for similar rejected claims 1-6. For computer program product on a non-transitory computer readable medium see col 5 lines 26-27 of Vashisht.
As per claims 15-20, these claims are respectively rejected based on arguments provided above for similar rejected claims 1-6. See FIG. 1 of Vashisht for a network device 100 comprising processor 110 and memory 120.
Claims 7, 14, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Vashisht in view of Kuwamura and in further view of Chandrasekhar et al. US 8,893,279 (“Chandrasekhar”).
As per dependent claim 7, Vashisht in combination with Kuwamura discloses the method of claim 1. Vashisht and Kuwamura may not explicitly disclose, but in an analogous art in the same field of endeavor, Chandrasekhar teaches further comprising sending, by the host to a manager, report information whenever the monitoring process determines that the monitored operational behavior is compliant with the expected operational behavior, wherein the manager uses the report information to identify times that correspond to secure point-in-time images (A virtual machine image reputation database 232 may comprise a database or other listing of virtual machine images that are known to be good (i.e., safe) or known to be bad (e.g., infected with malware), col 3 lines 43-46 and FIG. 2).
Given the teaching of Chandrasekhar, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify the scope of the invention of Vashisht and Kuwamura with “further comprising sending, by the host to a manager, report information whenever the monitoring process determines that the monitored operational behavior is compliant with the expected operational behavior, wherein the manager uses the report information to identify times that correspond to secure point-in-time images”. The motivation would be that processing costs are saved, col 5 line 51 of Chandrasekhar.
As per dependent claims 14 and 21, these claims are rejected based on arguments provided above for similar rejected dependent claim 7.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZUBAIR AHMED whose telephone number is (571)272-1655. The examiner can normally be reached 7:30AM - 5:00PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, DAVID X YI can be reached on (571) 270-7519. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZUBAIR AHMED/Examiner, Art Unit 2132
/DAVID YI/Supervisory Patent Examiner, Art Unit 2132