DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/08/2022 and 06/08/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or, for pre-AIA, the applicant) regards as the invention.
Regarding claim 1, the limitations “copier layer” and “decryptor layer” are unclear because the function of above terms is not defined and therefore can be broadly interpreted as a generic image layer. 
Independent claim 11 is rejected for the same reason as stated in claim 1.
Dependent claims 2-10 and 12-20 are also rejected for inheriting the deficiencies of the independent claims from which they depend.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-3, 7-13, 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Giannakopoulos et al. (Isolation in Docker through Layer Encryption, 2017 IEEE 37th International Conference on Distributed Computing Systems, IDS reference, hereinafter Giannakopoulos) in view of Givonetti (Patent No.: US 8,082,585) and Gerebe et al. (Pub. No.: US 2019/0213319, hereinafter Gerebe).
Regarding claim 1: Givonetti discloses A method, comprising:
packaging an application that is associated with sensitive data into at least a first image and a second image by placing first layers in the first image, the first layers including a copier layer and by placing second layers in the second image (Giannakopoulos - [Page 2530, Right Col. Line 25-28]: As depicted in the figure, we decompose the container’s image in two parts: The public part – formed by Layers 0-5 – and the private part that consists of Layer 6. [Page 2529, Right Col. Line 3-6]: when making a change to a container (e.g., installing a new software package, etc.), the additional content is written on a new layer, created on top of the existing ones (which remain read-only)), 
However Givonetti doesn’t explicitly teach, but Gerebe discloses:
wherein the second layers include a decryptor layer and an encrypted layer that includes the sensitive data in an encrypted form (Gerebe - [0021]: The encrypted software container image 14B also includes an unencrypted security agent layer 86 that includes the security agent 18, and includes an updated version of the manifest 84 that has a modified entry point that points to the security agent 18 in the security agent layer 86. [0018]: The security agent 18 utilizes a cryptographic key from cryptographic key repository 42 to decrypt the encrypted software application 16); and
configuring the second image to run before the first image (Gerebe - [0032]: The software container image 14A has an execution entry point that tells the container engine 32 what file to launch when the software container image 14A is instantiated. The build computing device 12 replaces an initial execution entry point of the software container image 14A that would have launched the software application 16 upon instantiation of the software container image 14A with a modified execution entry point that instead launches the security agent 18 upon instantiation of the encrypted software container image 14B (step 106)).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Givonetti with Gerebe so that the image container includes a decryptor and encrypted data. The modification would have allowed the system to have a container with a decryptor and encrypted data.
Regarding claim 2: Givonetti as modified discloses further comprising running the second image as an initialization container (Gerebe - [0032]: The build computing device 12 replaces an initial execution entry point of the software container image 14A that would have launched the software application 16 upon instantiation of the software container image 14A with a modified execution entry point that instead launches the security agent 18 upon instantiation of the encrypted software container image), wherein execution of the initialization container includes decrypting, by the decryptor, the encrypted layer to obtain decrypted sensitive data (Gerebe - [0018]: The security agent 18 utilizes a cryptographic key from cryptographic key repository 42 to decrypt the encrypted software application).
Gerebe is combined with Givonetti herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claim 3: Givonetti as modified discloses further comprising storing the decrypted sensitive data in a directory of a filesystem (Gerebe - [0038]: scanning the content of the decrypted layers 82 of the software container image 14B based on its manifest).
Gerebe is combined with Givonetti herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claim 7: Givonetti as modified discloses further comprising generating the encrypted layer by encrypting one or more sensitive layers of the sensitive data (Giannakopoulos - [Page 2530, Right Col. Line 31-32]: The private image layer is encrypted using AES-256 and additionally signed with the ECDSA algorithm).
Regarding claim 8: Givonetti as modified discloses wherein packaging the application includes dividing an image into the first image and the second image or constructing a command file for the first image and a command file for the second image (Giannakopoulos - [Page 2530, Right Col. Line 25-28]: As depicted in the figure, we decompose the container’s image in two parts: The public part – formed by Layers 0-5 – and the private part that consists of Layer 6).
Regarding claim 9: Givonetti as modified discloses further comprising placing the decryptor layer in the second image such that the decryptor layer in the second image is not dependent on an operating system included in the first image (Gerebe - [0035]: The container engine 32 runs on top of an operating system 36 of the host computing device 30).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Givonetti with Gerebe so that the container engine runs on top of the OS.
Regarding claim 10: Givonetti as modified discloses further comprising creating the first image and the second image (Giannakopoulos - [Page 2530, Right Col. Line 25-28]: As depicted in the figure, we decompose the container’s image in two parts: The public part – formed by Layers 0-5 – and the private part that consists of Layer 6).

Regarding claims 11-13 and 17-19: These claims are directed to a computer readable medium and do not teach or further define over the limitations recited in claims 1-3 and 7-9. Therefore, claims 11-13 and 17-19 are also rejected for the reasons set forth for claims 1-3 and 7-9.

Claims 4, 6, 14 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Giannakopoulos et al. (Isolation in Docker through Layer Encryption, 2017 IEEE 37th International Conference on Distributed Computing Systems, IDS reference, hereinafter Giannakopoulos) in view of Gerebe et al. (Pub. No.: US 2019/0213319, hereinafter Gerebe) and Kulkarni et al. (Pub. No.: US 2022/0012373, hereinafter Kulkarni).
Regarding claims 4 and 14: Givonetti as modified doesn’t explicitly teach but Kulkarni discloses further comprising running the first image as a main container after the initialization container successfully completes (Kulkarni - [0034]: determines that the specification includes a requirement for encrypted data storage and, in response, inserts into the specification an initialization container specification comprising an encryption key, wherein the initialization container will execute prior to the execution of the application container).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Givonetti and Gerebe with Kulkarni so that the initialization container will execute prior to the execution of the application container. The modification would have allowed the system to provide flexibility and security (Kulkarni - [0015]).
Regarding claims 6 and 16: Givonetti as modified doesn’t explicitly teach but Kulkarni discloses further comprising generating a pod specification such that the second image runs and completes before the first image is run (Kulkarni - [0034]: determines that the specification includes a requirement for encrypted data storage and, in response, inserts into the specification an initialization container specification comprising an encryption key, wherein the initialization container will execute prior to the execution of the application container).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Givonetti and Gerebe with Kulkarni so that the initialization container will execute prior to the execution of the application container. The modification would have allowed the system to provide flexibility and security (Kulkarni - [0015]). 
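The arrangement recited in claims 2-6 and 14-16 (the decryptor image run as an initialization container that completes before the application image, with decrypted data handed over through a filesystem directory) maps directly onto a Kubernetes pod specification. The following is an added example, not code from the applicant, the examiner or any cited reference; the container names "decryptor" and "app", the volume name "decrypted" and the image names are constructed for illustration, and the checker enforces the ordering and isolation invariants a reviewer would want before deploying such a pod.

```python
from typing import Dict, List

def build_pod_spec(app_image: str, decryptor_image: str,
                   secret_dir: str = "/secrets") -> Dict:
    # Second image (decryptor) runs as an initContainer and decrypts into a
    # pod-scoped emptyDir that the first image (app) later mounts read-only.
    # Image names are placeholders supplied by the caller (constructed here).
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "spec": {
            "volumes": [{"name": "decrypted", "emptyDir": {"medium": "Memory"}}],
            "initContainers": [{
                "name": "decryptor",
                "image": decryptor_image,
                "volumeMounts": [{"name": "decrypted", "mountPath": secret_dir}],
            }],
            "containers": [{
                "name": "app",
                "image": app_image,
                "volumeMounts": [{"name": "decrypted", "mountPath": secret_dir,
                                  "readOnly": True}],
            }],
        },
    }

def check_pod_spec(pod: Dict) -> List[str]:
    # Returns invariant violations; an empty list means the spec is sound.
    spec = pod.get("spec", {})
    inits = spec.get("initContainers", [])
    mains = spec.get("containers", [])
    problems: List[str] = []
    if not any(c["name"] == "decryptor" for c in inits):
        problems.append("decryptor must be an initContainer so it completes first")
    if any(c["name"] == "decryptor" for c in mains):
        problems.append("decryptor must not run as a long-lived main container")
    init_vols = {m["name"] for c in inits for m in c.get("volumeMounts", [])}
    main_vols = {m["name"] for c in mains for m in c.get("volumeMounts", [])}
    shared = init_vols & main_vols
    if not shared:
        problems.append("no shared volume: app cannot read the decrypted data")
    vols = {v["name"]: v for v in spec.get("volumes", [])}
    for name in shared:
        if "emptyDir" not in vols.get(name, {}):
            problems.append(f"shared volume {name} should be a pod-scoped emptyDir")
    for c in mains:
        for m in c.get("volumeMounts", []):
            if m["name"] in shared and not m.get("readOnly", False):
                problems.append(f"app mount {m['mountPath']} should be readOnly")
    return problems
```

Kubernetes itself guarantees that every initContainer exits successfully before the main containers start, so the checker only needs to confirm that the decryptor is declared in the right place and that the hand-off directory is pod-scoped and read-only for the application.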

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Giannakopoulos et al. (Isolation in Docker through Layer Encryption, 2017 IEEE 37th International Conference on Distributed Computing Systems, IDS reference, hereinafter Giannakopoulos) in view of Gerebe et al. (Pub. No.: US 2019/0213319, hereinafter Gerebe) and Chen et al. (Pub. No.: US 2018/0124055, hereinafter Chen).
Regarding claim 20: Givonetti as modified doesn’t explicitly teach but Chen discloses the second image including a signal layer and a stop-signal layer that identify a location of the encrypted layer in the second image (Chen - [0039]: The container image generator 110 stores the first container layer 210 at the storage location 150 (blocks 414 and 416). For example, the first URL 411 is stored at storage location 150. The container image generator 110 stores the second container layer 220 at the storage location 150 (blocks 418 and 420). For example, the second URL 413 is stored at storage location 150).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Givonetti and Gerebe with Chen so that layers of container image include location of the data. 

Allowable Subject Matter
Claims 5 and 15 are objected to as being dependent upon a rejected base claim, but would be allowable if the 35 U.S.C. 112(b) rejections are overcome and if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The reason for allowance will be furnished upon allowance of the application.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Bacher et al. (Pub. No.: US 2020/0250319) - Creation and execution of secure containers
Du et al. (Pub. No.: US 2019/0354389) - Container image building
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MENG LI/
Primary Examiner, Art Unit 2437