Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



DETAILED ACTION
This action is in response to the communication filed on 05/11/2022.
Claims 1-21 are under examination.

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).  


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims ** are rejected under 35 U.S.C. 103 as being unpatentable over Salamendi et al. (US 2013/0340077 A1), Hufsmith et al. (US 2020/0097662 A1) and Patteson et al. (US 2016/0182554 A1).
Regarding claim 1, Salamendi et al. discloses a method to operate a security solution in a virtualized computing environment that includes a host and a virtual machine that runs on the host [abs, “A hypervisor-monitor may be nested between the hardware of a host system and a hypervisor that is capable of supporting one or more guest virtual machines… the hypervisor-monitor may monitor prevent the execution of malware by the hypervisor or the guests or provide a record of when code of an unknown origin was executed”], the method comprising: identifying, by a security sensor at the virtual machine, an attempt to execute code in the virtual machine [par. 0019, “the monitor 102 may be configured to detect the presence of foreign code that is executing or attempting to execute on the system 100”]; generating, by the security sensor, a hash value corresponding to the code [par. 0026, “the monitor may perform a hash of the instruction code that was loaded by the hypervisor”]; receiving, by the security sensor from the security engine, a verdict that instructs the security sensor to deny execution of the code based on the security engine having determined from the hash value that the code is malicious [par. 0028, “if the comparison of the hash at 214 indicates that the code is part of a program that is known malware or otherwise malicious the execution of the code by the processor may be prevented by the monitor”].
Salamendi et al. does not explicitly disclose sending, by the security sensor to a security engine remote from the host, the generated hash value and a file map that corresponds to the code; receiving, by at least one host-level element of the host from the security engine, the verdict and the file map, wherein the at least one host-level element executes in the host and outside of the virtual machine; and verifying, by the at least one host-level element based on the verdict and activity, whether the security sensor has successfully enforced the verdict.
However Hufsmith et al. teaches sending, by the security sensor to a security engine remote from the host, the generated hash value and a file map that corresponds to the code [par. 0121, “The malware evaluator 115 may evaluate malware properties 116 identified within a container score record associated with a container image... Potential malicious files may be listed by an identifier of each file (e.g., file name/location) and may include information about the file. The information about the file may include image-specific information determined about the file such as a file name, file type, file location, file size, hash of the file, hash of a malicious portion of the file”]; receiving, by at least one host-level element of the host from the security engine, the verdict and the file map, wherein the at least one host-level element executes in the host and outside of the virtual machine; and verifying, by the at least one host-level element based on the verdict and activity, whether the security sensor has successfully enforced the verdict [par. 0089, par. 0189, “Some embodiments may determine whether the identified vulnerabilities and query results are mitigated by other commands in the source code document, such as subsequent commands. For example, a vulnerability may be present in a base version of body of code added in a layer, and that vulnerability may be mitigated, for instance, eliminated, in a subsequent version of that body of code that is added to the container image in a subsequent layer corresponding to a subsequent command to apply an update to that body of code... In some cases, the above-describe annotations for security vulnerability may include suggested text for a command to add such a fix, for instance, for automatic insertion in the source code document being edited in the IDE upon selection by the user from within the annotation. Upon determining that the vulnerability is mitigated, embodiments may return to block 352”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Hufsmith et al. into the teaching of Salamendi et al. with the motivation to detect that a potential vulnerability present in one layer is removed by a deletion in a different higher layer and filter out those potential vulnerabilities that are addressed by the subsequent change as taught by Hufsmith et al. [Hufsmith et al.: par. 0089].
Salamendi et al. and Hufsmith et al. do not explicitly disclose verifying, by the at least one host-level element based on input/output (I/O) activity associated with the file map, whether the security sensor has successfully enforced the verdict to deny execution of the code.
However, Patteson et al. teaches verifying, by the at least one host-level element based on input/output (I/O) activity associated with the file map, whether the security sensor has successfully enforced the verdict to deny execution of the code [par. 0016, “Such suspicious activities may include, for example, attempts by storage device 130 to access host system 110, or vice versa, when storage device 130 and host system 110 should not be initiating communication with each other while threat detection system 120 is undergoing the scanning and detection”, par. 0020, “file scanning module 241 acquires information about a directory structure of the files stored in the storage device. The information may include a list of the files, the location of the files, the hierarchy of the directory structure, etc. Based on the directory structure, file scanning module 241 checks the attributes of each of the files stored in storage device 130 for security threat”, par. 0021, “detecting traffic at I/O interface 210 or a request to send data to I/O interface 210, both of which are contrary to what system 200 expects, can signal that storage device 130 and/or host system 110 are infected”, par. 0033].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Patteson et al. into the teaching of Salamendi et al. and Hufsmith et al. with the motivation of detecting and isolating devices posing a security threat as taught by Patteson et al. [Patteson et al.: abs.].
Regarding claim 2, the rejection of claim 1 is incorporated.
Salamendi et al. further discloses the at least one host-level element includes a hypervisor, a host operating system, a sub-process of the hypervisor or host operating system, or a sub-element of the hypervisor or host operating system [par. 0013, “FIG. 1 illustrates an example block diagram of a host system 100 equipped with a hypervisor monitor 102”, par. 0015, “One or more operating systems may be utilized on the virtual machines 112”].
Regarding claim 3, the rejection of claim 1 is incorporated.
Patteson et al. further teaches verifying whether the security system has successfully enforced the verdict includes determining, by the at least one host-level element, that the security sensor has successfully enforced the verdict, due to the at least one host-level element having detected an absence of the I/O activity [par. 0016, “Such suspicious activities may include, for example, attempts by storage device 130 to access host system 110, or vice versa, when storage device 130 and host system 110 should not be initiating communication with each other while threat detection system 120 is undergoing the scanning and detection”, par. 0021, “detecting traffic at I/O interface 210 or a request to send data to I/O interface 210, both of which are contrary to what system 200 expects, can signal that storage device 130 and/or host system 110 are infected”, par. 0033].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Patteson et al. into the teaching of Salamendi et al. and Hufsmith et al. with the motivation of detecting and isolating devices posing a security threat as taught by Patteson et al. [Patteson et al.: abs.].
Regarding claim 4, the rejection of claim 1 is incorporated.
Patteson et al. further teaches verifying whether the security system has successfully enforced the verdict includes determining, by the at least one host-level element, that the security sensor has failed to enforce the verdict, due to the at least one host-level element having detected a presence of the I/O activity [par. 0021, “activity detection module 242 can determine that the traffic at I/O interface 210, or a request to send data to that interface, signals existence of a security threat”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Patteson et al. into the teaching of Salamendi et al. and Hufsmith et al. with the motivation of detecting and isolating devices posing a security threat as taught by Patteson et al. [Patteson et al.: abs.].
Regarding claim 5, the rejection of claim 4 is incorporated.
Patteson et al. further teaches verifying whether the security system has successfully enforced the verdict includes determining, by the at least one host-level element, that the security sensor has failed to enforce the verdict, due to the at least one host-level element having detected a presence of the I/O activity [par. 0021, “activity detection module 242 can determine that the traffic at I/O interface 210, or a request to send data to that interface, signals existence of a security threat”, par. 0035, “A request to send data via I/O interface 210 can be detected by, for example, activity detection module 242 of FIG. 2. If such a request is detected, the electronic device can carry out step 410 to report a security threat”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Patteson et al. into the teaching of Salamendi et al. and Hufsmith et al. with the motivation of detecting and isolating devices posing a security threat as taught by Patteson et al. [Patteson et al.: abs.].
Regarding claim 6, the rejection of claim 5 is incorporated.
Patteson et al. further teaches performing the remediation action includes blocking, by the at least one host-level element, the I/O activity so as to prevent execution of the code [par. 0016, “threat detection system 120 includes a processor, and a memory device to store a set of instructions to cause the processor to carry out the scanning for virus and malware, the detection of suspicious activities, and the isolation of device…”, par. 0022, “software program 240 implements a policy of isolating a device connected to I/O interface 212 (e.g., storage device 130) from another device connected to I/O interface 210 (e.g., host system 110)”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Patteson et al. into the teaching of Salamendi et al. and Hufsmith et al. with the motivation of detecting and isolating devices posing a security threat as taught by Patteson et al. [Patteson et al.: abs.].
Regarding claim 7, the rejection of claim 5 is incorporated.
Patteson et al. further teaches performing the remediation action includes sending, by the at least one host-level element to the security engine, an alert that notifies the security engine of a violation of the verdict [par. 0021, “activity detection module 242 can determine that the traffic at I/O interface 210, or a request to send data to that interface, signals existence of a security threat”, par. 0035, “A request to send data via I/O interface 210 can be detected by, for example, activity detection module 242 of FIG. 2. If such a request is detected, the electronic device can carry out step 410 to report a security threat”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Patteson et al. into the teaching of Salamendi et al. and Hufsmith et al. with the motivation of detecting and isolating devices posing a security threat as taught by Patteson et al. [Patteson et al.: abs.].
Regarding claim 8, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 9, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 10, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.
Regarding claim 11, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 12, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 13, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.
Regarding claim 14, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.
Regarding claim 15, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 16, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.
Regarding claim 18, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 19, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 20, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.
Regarding claim 21, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.
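The claimed method, as mapped above across claims 1 through 7, amounts to a three-party control loop: an in-guest sensor hashes code it sees the guest try to execute and sends the hash plus a file map to a remote engine; the engine returns a verdict; a host-level element outside the VM independently confirms, from I/O activity against the file-map paths, whether the sensor honoured a deny verdict, and blocks the I/O and alerts the engine if it did not. The following is an added illustration of that loop and is not code from the application or from any of the cited references. All names (SecuritySensor, SecurityEngine, HostLevelVerifier, simulate), the sample code blobs, the file paths and the I/O trace are constructed for the example; a real deployment would hash actual executable pages and observe real storage I/O from the hypervisor or host OS.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for code the guest attempts to execute (not real binaries).
BENIGN_CODE = b"\x55\x48\x89\xe5\x31\xc0\x5d\xc3"
MALICIOUS_CODE = b"\x90\x90\xcc\xcc\xde\xad\xbe\xef"


def code_hash(code: bytes) -> str:
    """Hash value the sensor generates for the code it saw (claim 1, second step)."""
    return hashlib.sha256(code).hexdigest()


@dataclass(frozen=True)
class Verdict:
    code_hash: str
    deny: bool
    file_map: tuple  # paths backing the code; delivered to both sensor and host element


class SecurityEngine:
    """Remote engine: judges from the hash alone and records alerts from the host."""

    def __init__(self, known_bad_hashes):
        self.known_bad = set(known_bad_hashes)
        self.alerts = []

    def evaluate(self, digest: str, file_map) -> Verdict:
        return Verdict(digest, deny=digest in self.known_bad, file_map=tuple(file_map))

    def alert(self, message: str) -> None:
        self.alerts.append(message)


class SecuritySensor:
    """In-guest sensor. `enforces=False` models a sensor that has been tampered with
    (hypothetical failure mode) and ignores a deny verdict."""

    def __init__(self, engine: SecurityEngine, enforces: bool = True):
        self.engine = engine
        self.enforces = enforces

    def on_exec_attempt(self, code: bytes, file_map):
        verdict = self.engine.evaluate(code_hash(code), file_map)
        allowed = (not verdict.deny) or (not self.enforces)
        return verdict, allowed


class HostLevelVerifier:
    """Host-level element outside the VM: verifies enforcement from I/O activity."""

    def __init__(self, engine: SecurityEngine):
        self.engine = engine
        self.blocked_paths = set()

    def verify(self, verdict: Verdict, io_events) -> str:
        # io_events: (path, operation) pairs observed at the host after the verdict.
        if not verdict.deny:
            return "not-applicable"          # nothing to enforce for an allow verdict
        touched = sorted({p for p, _ in io_events if p in verdict.file_map})
        if not touched:
            return "enforced"                # absence of I/O: sensor honoured the deny
        # Presence of I/O on file-map paths: sensor failed; remediate and alert.
        self.blocked_paths.update(touched)
        self.engine.alert(f"verdict violated for {verdict.code_hash[:12]}: {touched}")
        return "violated"


def simulate(code: bytes, file_map, sensor_enforces: bool):
    """Run one execution attempt end to end; returns (deny, outcome, alerts, blocked)."""
    engine = SecurityEngine({code_hash(MALICIOUS_CODE)})   # constructed blocklist
    sensor = SecuritySensor(engine, enforces=sensor_enforces)
    verifier = HostLevelVerifier(engine)
    verdict, allowed = sensor.on_exec_attempt(code, file_map)
    # Constructed host-side I/O trace: the backing file is only read if execution proceeded.
    io_events = [(file_map[0], "read")] if allowed else []
    outcome = verifier.verify(verdict, io_events)
    return verdict.deny, outcome, len(engine.alerts), sorted(verifier.blocked_paths)


if __name__ == "__main__":
    for label, code, enforces in [("benign", BENIGN_CODE, True),
                                  ("malicious, sensor honours deny", MALICIOUS_CODE, True),
                                  ("malicious, sensor ignores deny", MALICIOUS_CODE, False)]:
        print(label, simulate(code, ["/opt/app/payload.bin"], enforces))
```

The separation matters for the security argument: the sensor shares the guest's trust domain and can be disabled by whatever it is meant to stop, whereas the verifier observes storage I/O from the host and only needs the file map and the verdict, not the sensor's cooperation, to decide whether the deny was honoured.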

Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20200195694 A1		METHOD AND COMPUTING DEVICE FOR IDENTIFYING SUSPICIOUS USERS IN MESSAGE EXCHANGE SYSTEMS
US 20200019704 A1		Systems And Methods For Detecting Obfuscated Malware In Obfuscated Just-In-Time (JIT) Compiled Code
US 20190278925 A1		SECURE COMPUTING SYSTEM
US 20170279826 A1		PROTECTING DYNAMIC AND SHORT-LIVED VIRTUAL MACHINE INSTANCES IN CLOUD ENVIRONMENTS
US 20170149807 A1		Detecting Malicious Instructions On A Virtual Machine
US 20150007175 A1		CRYPTOGRAPHICALLY ATTESTED RESOURCES FOR HOSTING VIRTUAL MACHINES
US 8261085 B1		Methods, Apparatus And Systems To Improve Security In Computer Systems
US 20080126779 A1		Methods And Apparatus To Perform Secure Boot
US 20050132122 A1		Method, Apparatus And System For Monitoring System Integrity In A Trusted Computing Environment


Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached from 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached at (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/JASON CHIANG/Primary Examiner, Art Unit 2431