DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Independent claims 1 and 10 each recite “a cybersecurity vulnerability present in the image” and “a plurality of cybersecurity vulnerabilities.” Each of said claims further refers to “the cybersecurity vulnerability,” where it is not clear whether the referred-to vulnerability is the former or one from among the latter. As such, the claim language is unclear. The dependent claims do not cure this deficiency and are therefore likewise indefinite.
Each of independent claims 1 and 10 further recites “scanning… an image of the container to generate a scan result identifying a cybersecurity vulnerability present in the image.” This limitation may be interpreted as merely reciting an intended use of the scan (“to generate”) and does not positively recite completing the scan or identifying the vulnerability. Accordingly, there is insufficient antecedent basis for the later limitations which rely on the scan result, i.e., “aggregating… data to generate aggregated data identifying an exploit related to the cybersecurity vulnerability,” (this limitation likewise shares the abovementioned issues due to its “to generate” language), “aligning…the aggregated data with the scan result to identify the exploit for the cybersecurity vulnerability” (this limitation likewise shares the abovementioned issues due to its “to identify” language), and “preventing… a container from launching in response to identifying the exploit.” The dependent claims do not cure this deficiency and are therefore likewise indefinite.
Since dependent claims 2-9 and 11-16 are likewise indefinite, they are also rejected with their respective parent claims.

Claims 9 and 16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claims 9 and 16 recite “intelligence data” and “vulnerabilities,” where it is not clear if these are intended to be interpreted as the “threat-intelligence data,” “a cybersecurity vulnerability present in the image,” and/or “plurality of cybersecurity vulnerabilities.” As such, the claim language is unclear.

Claims 17-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Independent claim 17 recites “scanning… an image of the container to generate a scan result identifying a cybersecurity vulnerability present in the image.” This limitation may be interpreted as merely reciting an intended use of the scan (“to generate”) and does not positively recite completing the scan or identifying the vulnerability. Accordingly, there is insufficient antecedent basis for the later limitations which rely on the scan result, i.e., “identifying… an exploit for the cybersecurity vulnerability” and “preventing…the container from launching in response to identifying the exploit for the cybersecurity vulnerability.” The dependent claims do not cure this deficiency and are therefore likewise indefinite. Accordingly, claims 18-20 are also rejected with their parent claim 17.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-2, 4-5, 7-10, 12, and 14-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Levin (US 2018/0144123 A1) in view of Eacmen (US 2019/0294802 A1).

Regarding claim 1, Levin discloses: A method for detecting cybersecurity threats in a container, comprising: 
scanning, by a vulnerability scanner of a computer-based system, an image of the container to generate a scan result identifying a cybersecurity vulnerability present in the image; 
Refer to at least FIG. 6, [0044], and [0077]-[0080] of Levin with respect to scanning a container image. Container configuration, programs, access settings, and port settings are identified. 
Refer to at least [0015] of Levin with respect to exploitation of vulnerable programs, services, and/or configuration of a container.
receiving, by a computer-based system, threat-intelligence data from a threat-intelligence source comprising a first set of information regarding a plurality of cybersecurity vulnerabilities; 
Refer to at least [0040]-[0041] of Levin with respect to obtaining security policies and, e.g., common vulnerability and exposure information from intelligence systems for use in detecting vulnerabilities and/or profiling the container image.
receiving, by the computer-based system, ground-truth data from a ground-truth-data source comprising a second set of information regarding the plurality of cybersecurity vulnerabilities; 
Refer to at least [0034], [0054], [0073], and [0082]-[0084] of Levin with respect to a learning phase for profiling the container image. 
aggregating, by the computer-based system, the ground-truth data and the threat-intelligence data to generate aggregated data identifying an exploit related to the cybersecurity vulnerability; 
Refer to at least [0053], [0072]-[0073] and [0086] of Levin with respect to updating the security profile for the container image using data obtained from the learning phase. 
aligning, by the computer-based system, the aggregated data with the scan result to identify the exploit for the cybersecurity vulnerability; and 
Refer to at least [0035], [0057]-[0059], and [0074]-[0075] of Levin with respect to using the updated security profile for determining violations. 
preventing, by the computer-based system, a container from [executing] in response to identifying the exploit for the cybersecurity vulnerability.
Refer to at least [0074]-[0076] of Levin with respect to, upon receiving an event indicative of instantiation, performing enforcement actions based on the updated security profile. An exemplary enforcement action is halting the container. 
Although Levin discloses events such as adding or modifying a container image leading to a scan and resultant enforcement action, it appears that enforcement takes place after execution. Accordingly, Levin does not disclose preventing the container from launching. However, Levin in view of Eacmen discloses: preventing the container from launching.
Refer to at least FIG. 2, [0015], and [0037]-[0039] of Eacmen with respect to performing remedial actions on a scanned image after the scan rather than during execution.
The teachings of Levin and Eacmen both concern vulnerability analysis for respective images, as well as remediation responsive to the analysis. Accordingly, they are considered to be within the same field of endeavor and combinable as such. 
Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Levin such that the enforcement phase may be extended to also take place before execution (e.g., during the static analysis portion described in [0032]-[0033] of Levin) and to the container image itself. For example, after an event of an image being modified (e.g., [0043] of Levin), scanning and analysis would be performed (e.g., [0044]-[0045] of Levin) and remediation of the image would take place responsive to identifying vulnerabilities (e.g., [0037] of Eacmen). One of ordinary skill in the art would have been motivated to perform this modification for at least the purpose of ensuring security compliance for container images (e.g., that vulnerable containers are not launched before being fixed).

Regarding claim 2, Levin-Eacmen discloses: The method of claim 1, further comprising: performing, by the computer-based system, a mitigation action to inhibit the exploit from compromising the container in response to identifying the exploit for the cybersecurity vulnerability and preventing the container from launching; and launching, by a container orchestration system of the computer-based system, the container in response to performing the mitigating action.
Refer to at least [0037] of Eacmen, wherein a remediation module automatically repairs or removes determined vulnerabilities before pushing the image to a device or manufacturer.
See at least [0033] of Eacmen with respect to the remediation being performed responsive to the image being put out by the manufacturer.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Levin such that container images are automatically patched before provision for at least the purpose of ensuring security compliance for container images (e.g., that vulnerable containers are not launched before being fixed). 

Regarding claim 4, it is rejected for substantially the same reasons as claim 2 above (i.e., [0037] of Eacmen with respect to removing vulnerable files and software).

Regarding claim 5, it is rejected for substantially the same reasons as claim 2 above (i.e., [0037] of Eacmen with respect to pushing a remediated image).

Regarding claim 7, Levin-Eacmen discloses: The method of claim 2, further comprising selecting, by the computer-based system, the mitigating action from a plurality of mitigating actions in response to the scan result and the aggregated data meeting an administrator criteria associated with the mitigating action.
Refer to at least [0061] of Levin with respect to security policy being defined by an administrator. 
Refer to at least [0076] of Levin with respect to enforcement actions being determined based on the security policy. 

Regarding claim 8, it is rejected for substantially the same reasons as claim 1 above (i.e., updated security profiles based on CVE information and learning phase information; Eacmen likewise discloses updating vulnerability analyses as new vulnerabilities are discovered—e.g., [0040]-[0041] of Eacmen).

Regarding claim 9, it is rejected for substantially the same reasons as claim 1 above (e.g., [0041] of Levin concerning CVE databases). It is further noted that this claim appears to be drawn to an admitted prior art solution (i.e., using an off-the-shelf product such as “CYR3CON®, Recorded Future®, SixGill®, etc.” as per the claim and [0025] of the instant specification).

Regarding independent claim 10, it is substantially similar to elements of claims 1 and 2 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale).

Regarding claims 12 and 14-16, they are substantially similar to claims 4-5 and 8-9 above, and are therefore likewise rejected.

Regarding independent claim 17, it is substantially similar to elements of independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale).

Regarding claims 18-20, they are substantially similar to claims 2 and 4-5 above, and are therefore likewise rejected.

Claim(s) 3, 6, 11, and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Levin-Eacmen as applied to claims 1-2, 4-5, 7-10, 12, and 14-20 above, and further in view of Park (US 2019/0377871 A1).

Regarding claim 3, Levin-Eacmen discloses identifying ports, identifying vulnerabilities associated with ports, and remediation based on the identified vulnerabilities. However, Levin-Eacmen does not specify: wherein the mitigating action comprises blocking a port associated with the exploit. However, Levin-Eacmen in view of Park discloses: wherein the mitigating action comprises blocking a port associated with the exploit. 
Refer to at least [0069] and [0096] of Park with respect to blocking ports as part of remediation. 
The teachings of Levin-Eacmen concern ports and suggest a wide assortment of possible enforcement actions (e.g., [0076] of Levin). Accordingly, they are considered to be combinable with those of Park concerning such. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Levin-Eacmen to further include blocking ports for at least the purpose of preventing malicious traffic from posing a security risk to the container. 

Regarding claim 6, Levin-Eacmen-Park discloses: The method of claim 2, wherein the mitigating action comprises blocking an IP address.
Refer to at least [0069] of Park with respect to blacklist IP blocking. 
This claim would have been obvious for substantially the same reasons as claim 3 above.

Regarding claims 11 and 13, they are substantially similar to claims 3 and 6 above, and are therefore likewise rejected.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/ Supervisory Patent Examiner, Art Unit 2432

/V.S/ Examiner, Art Unit 2432