DETAILED ACTION
This communication is responsive to the application # 16/817,543 filed on March 12, 2020. Claims 1-20 are pending and are directed toward SCANNING CONTAINER IMAGES AND OBJECTS ASSOCIATED WITH BUILDING THE CONTAINER IMAGES.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 12-14 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over ANTONY (US 2016/0381058, Pub. Date: Dec. 29, 2016), hereinafter referred to as ANTONY.
As per claim 12, ANTONY teaches a non-transitory machine readable storage medium to store machine readable instructions that, when executed by a machine, cause the machine to:
examine a virtual machine instance to identify a container image built in the virtual machine instance (receiving a request to perform a scan for security threats within a container executing within a virtual machine, wherein the container comprises an operating system-isolated group of processes. The method also includes identifying a container disk file associated with the container, wherein the container disk file is not included within a virtual machine disk file associated with the virtual machine and is separate from other container disk files associated with other containers executing within the virtual machine. ANTONY, [0004]);
scan the container image (Security scanning involves scanning system or application files for viruses, malware, or other threats. Because disk data for virtual machines are stored in virtual machine disk files, security scanning at least partially involves scanning the virtual machine disk files. ANTONY, [0003]);
scan an image of the virtual machine instance (because virtual machines may execute containers, if security scanning for containers is desired, then the virtual machine disk file is scanned. ANTONY, [0003]);
assign a label to the container image representing a degree of trust associated with the container image based on the scanning of the container image; assign a label to the virtual machine instance representing a degree of trust associated with the virtual machine instance; store the label assigned to the container image and an identifier for the container image as an entry in a database; and store the label assigned to the virtual machine instance and an identifier for the virtual machine instance as an entry in the database (FIG. 3 illustrates container scan catalog 204 in more detail, according to an example. Container scan catalog 204 stores scan catalog entries 302. In the embodiment shown, each scan catalog entry 302 includes a container identifier, an identifier of the VM in which the container resides, and the threat status for the container, which can indicate either that a threat exists in the container or that no threat exists. In various embodiments, other information may be included in container scan catalog 204, such as an indication of the number of containers in each VM included in container scan catalog 204, whether threat cleaning was attempted, a specific indication that all containers 126 in a particular VM have security threats, and other information. ANTONY, [0029]).
As per claim 13, ANTONY teaches the storage medium of claim 12, wherein the instructions, when executed by the machine, cause the machine to scan the container image for program code associated with defining secure mode computing (ANTONY, [0017], [0019]).
As per claim 14, ANTONY teaches the storage medium of claim 12, wherein the instructions, when executed by the machine, cause the machine to scan the container image for program code associated with exposing a privileged operating system kernel connection to an instance of the container image (ANTONY, [0016]).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9, 11, 16-19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over ANTONY (US 2016/0381058, Pub. Date: Dec. 29, 2016), in view of Berger et al. (US 2016/0261624, Pub. Date: Sep. 8, 2016), hereinafter referred to as ANTONY and Berger.
As per claim 1, ANTONY teaches a method comprising:
accessing, by a computer, a container image, built at least in part inside a virtual machine instance (receiving a request to perform a scan for security threats within a container executing within a virtual machine, wherein the container comprises an operating system-isolated group of processes. The method also includes identifying a container disk file associated with the container, wherein the container disk file is not included within a virtual machine disk file associated with the virtual machine and is separate from other container disk files associated with other containers executing within the virtual machine. ANTONY, [0004]);
accessing, by the computer, an image of the virtual machine instance (Security scanning involves scanning system or application files for viruses, malware, or other threats. Because disk data for virtual machines are stored in virtual machine disk files, security scanning at least partially involves scanning the virtual machine disk files. ANTONY, [0003]);
scanning, by the computer, the container image and the image of the virtual machine instance for security issues (because virtual machines may execute containers, if security scanning for containers is desired, then the virtual machine disk file is scanned. ANTONY, [0003]); and
ANTONY does not teach displaying; Berger, however, teaches displaying, by the computer, a result of the scanning (The method further comprises displaying on the display 624 of the particular computer system 170 a plurality of applications executing on the one or more computer systems. The determining the one or more applications executing on the one or more computer systems that are causing the network activity is performed by an administrator using the displayed plurality of applications executing on the one or more computer systems. Berger, [0144]).
ANTONY in view of Berger are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify ANTONY in view of Berger. This would have been desirable because the dashboard 120 may be a user interface in a display such as a web browser. The display in this example includes an OS (Operating System)/Cloud Analytics GUI (Graphical User Interface) 140 and an OS/Cloud Analytics Alerts GUI. The dashboard 120 may directly or indirectly interact with the Cassandra database 106 from which the dashboard receives display data for the OS/Cloud Analytics GUI 140 and alert notification for the OS/Cloud Analytics Alerts GUI 145 (Berger, [0144]).

As per claim 2, ANTONY in view of Berger teaches the method of claim 1, wherein the scanning comprises applying machine learning to determine at least one of whether the container image is trusted or whether the virtual machine instance is trusted (Berger, [0034]).
ANTONY in view of Berger are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify ANTONY in view of Berger. This would have been desirable because a local or remote system security administrator may then be able to look at those measurements and determine whether all components of the system are assumed to be trustworthy based on known measurements written in the log (Berger, [0040]).

As per claim 3, ANTONY in view of Berger teaches the method of claim 1, further comprising:
generating a tag representing a result of the scanning of the container image; and storing the tag with the container image in a database (ANTONY, [0029]).
As per claim 4, ANTONY in view of Berger teaches the method of claim 1, wherein displaying a result of the scanning comprises displaying the result in a graphical user interface (GUI), the method further comprising: displaying a user control in the GUI to take at least one action on the container image (The GUI 175 may also provide, in response to a request from the administrator, information to allow the administrator to determine the source virtual or physical machine causing the network activity. Additionally, the Net/Dev Analytics engine may be responsive to the administrator to undertake remedial action indicated by the administrator, such as invoking quarantine for the source virtual or physical machine. Berger, [0048]).
ANTONY in view of Berger are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify ANTONY in view of Berger. This would have been desirable because the dashboard 120 may be a user interface in a display such as a web browser. The display in this example includes an OS (Operating System)/Cloud Analytics GUI (Graphical User Interface) 140 and an OS/Cloud Analytics Alerts GUI. The dashboard 120 may directly or indirectly interact with the Cassandra database 106 from which the dashboard receives display data for the OS/Cloud Analytics GUI 140 and alert notification for the OS/Cloud Analytics Alerts GUI 145 (Berger, [0144]).

As per claim 5, ANTONY in view of Berger teaches the method of claim 4, wherein displaying the user control comprises displaying a user control to initiate blocking of the container image from being used, the method further comprising: in response to selection of the user control to initiate blocking, generating a tag representing an untrusted state for the container image and storing the tag with an identifier of the container image in a database (Berger, [0048]).
ANTONY in view of Berger are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify ANTONY in view of Berger. This would have been desirable because the dashboard 120 may be a user interface in a display such as a web browser. The display in this example includes an OS (Operating System)/Cloud Analytics GUI (Graphical User Interface) 140 and an OS/Cloud Analytics Alerts GUI. The dashboard 120 may directly or indirectly interact with the Cassandra database 106 from which the dashboard receives display data for the OS/Cloud Analytics GUI 140 and alert notification for the OS/Cloud Analytics Alerts GUI 145 (Berger, [0144]).

As per claim 6, ANTONY in view of Berger teaches the method of claim 4, wherein the scanning comprises identifying a security issue associated with the container image and determining whether the identified security issue can be rectified (ANTONY, FIG. 4);
wherein displaying the user control comprises displaying a user control to initiate rectification of the container image (Berger, [0048]).
ANTONY in view of Berger are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify ANTONY in view of Berger. This would have been desirable because the dashboard 120 may be a user interface in a display such as a web browser. The display in this example includes an OS (Operating System)/Cloud Analytics GUI (Graphical User Interface) 140 and an OS/Cloud Analytics Alerts GUI. The dashboard 120 may directly or indirectly interact with the Cassandra database 106 from which the dashboard receives display data for the OS/Cloud Analytics GUI 140 and alert notification for the OS/Cloud Analytics Alerts GUI 145 (Berger, [0144]).

And the method further comprises: in response to selection of the user control to initiate rectification, modifying the container image to remove the identified security issue to provide a modified container image and storing an identifier of the modified container image and a tag representing the modified container image as being trusted (ANTONY, FIG. 4).

As per claim 7, ANTONY in view of Berger teaches the method of claim 1, wherein the scanning comprises identifying a security issue associated with the container image and determining whether the identified security issue can be rectified (Berger, [0040]).
ANTONY in view of Berger are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify ANTONY in view of Berger. This would have been desirable because exemplary embodiments herein may integrate external sources of information such as white and black list databases and may leverage the cloud to simplify the derivation of patterns and clusters of expected behavior. For example, VMs launched by the same user, running the same programs, started from the same image or family of images, etc., are observed. The foregoing allows the building of profiles and detection of deviations to be amortized over multiple systems. (Berger, [0039]).

As per claim 9, ANTONY in view of Berger teaches the method of claim 1, wherein accessing the container image comprises: identifying the virtual machine instance in a registry provided by a cloud provider; examining the virtual machine instance to identify the container image; and requesting the container image from the cloud provider (ANTONY, [0025], [0026], [0029], [0030], see also Berger, [0044]).
As per claim 11, ANTONY in view of Berger teaches the method of claim 1, wherein the scanning comprises identifying a security issue with the container image, the method further comprising: determining whether the container image is trusted based on at least one of determining whether the identified security issue is contained in a first list representing security issues associated with untrustworthiness or in a second list representing security issues associated with trustworthiness (Berger, FIG. 2, [0039], [0045]).
ANTONY in view of Berger are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify ANTONY in view of Berger. This would have been desirable because besides information directly obtained from within the IT infrastructure, the invention also leverages useful external security-related information to achieve better detection rate. For instance, external IP/Domain blacklists are used to compare against network connections created by the observed systems, external file blacklists are used to assess file creation/modification activities and software vulnerability reports are used to evaluate the programs running on monitored systems. (Berger, [0036]).

Claims 16-19 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of obviousness as used above.
As per claim 20, ANTONY in view of Berger teaches the apparatus of claim 19, wherein the instructions, when executed by the at least one processor, further cause the at least one processor to apply a supervised machine learning model trained on features of a plurality of virtual machine instances and classifications assigned to the virtual machine instances (For each of the monitored systems, a small local whitelist will be constructed in the learning phase. The local whitelist may contain information about applications deemed to not have security violations and therefore may be executed without raising an alarm. Integrity of files will be determined by comparing received measurements against the local and global white lists, as illustrated in FIG. 4. Berger, [0058]).
ANTONY in view of Berger are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify ANTONY in view of Berger. This would have been desirable because a local or remote system security administrator may then be able to look at those measurements and determine whether all components of the system are assumed to be trustworthy based on known measurements written in the log (Berger, [0040]).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over ANTONY (US 2016/0381058, Pub. Date: Dec. 29, 2016), in view of Berger et al. (US 2016/0261624, Pub. Date: Sep. 8, 2016), in view of Yin et al. (STAR: A Specialized Tagging Approach for Docker, IEEE APSEC, 2018, pages 426-435), hereinafter referred to as ANTONY, Berger and Yin.
As per claim 8, ANTONY in view of Berger teaches the method of claim 1, but does not teach microservices; Yin, however, teaches wherein the virtual machine instance provides a plurality of microservices (zuolan/c9-ide14 provides a web IDE image. Its GitHub based code repository is originally tagged with GitHub topics ‘docker’, ‘dockerfile’, ‘microservices’. Yin, page 433).
ANTONY in view of Berger in view of Yin are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify ANTONY in view of Berger in view of Yin. This would have been desirable because STAR is helpful in describing and bookmarking Docker repositories (Yin, page 433).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over ANTONY (US 2016/0381058, Pub. Date: Dec. 29, 2016), in view of Berger et al. (US 2016/0261624, Pub. Date: Sep. 8, 2016), in view of Suarez et al. (US 2017/0177860, Pub. Date: Jun. 22, 2017), hereinafter referred to as ANTONY, Berger and Suarez.
As per claim 10, ANTONY in view of Berger teaches the method of claim 1, but does not teach a container image build file (Dockerfile); Suarez, however, teaches further comprising: examining a virtual machine instance to identify a container image build file (Suarez, [0097]); and scanning the container image build file for security issues (Suarez, [0069]).
ANTONY in view of Berger in view of Suarez are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify ANTONY in view of Berger in view of Suarez. This would have been desirable because the Docker container engine uses a descriptive file format, called a Dockerfile, that allows users to build Docker images. In this example, the customer 1166 may be working on an update to a software application. The customer 1166 may build and test the updated source code locally. When the customer 1166 is satisfied that the updated source code is ready to be packaged up and deployed, the customer 1166 may provide the source code and the build file as the set of build artifacts 1158, and the automated build service 1184 may automatically build new versions of the container image from the set of build artifacts 1158 provided and cause the container registry front-end service 1114 to store the new version in a repository 1190 of the customer. (Suarez, [0101]).

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over ANTONY (US 2016/0381058, Pub. Date: Dec. 29, 2016), in view of Suarez et al. (US 2017/0177860, Pub. Date: Jun. 22, 2017), hereinafter referred to as ANTONY and Suarez.
As per claim 15, ANTONY teaches the storage medium of claim 12, but does not teach a private key; Suarez, however, teaches wherein the instructions, when executed by the machine, further cause the machine to scan the container image for an environmental variable containing a private key (with the system of the present disclosure having access to a key for decryption (such as the private key of the public-private key pair) in order to perform scans for vulnerabilities, such as in the manner described for the third scenario of FIG. 5. Suarez, [0069]).
ANTONY in view of Suarez are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify ANTONY in view of Suarez. This would have been desirable because the customer may encrypt a container image and upload the container image through the container registry front-end service, whereupon the system of the present disclosure may decrypt the container image in memory and scan the decrypted container image for reference criteria. (Suarez, [0069]).
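
The following Python sketch is an added illustration, not part of this Office action and not code from ANTONY, Berger, Suarez, Yin or the applicant. It implements the checks recited in claims 10 and 12-15 as discussed above: scanning a container image build file (Dockerfile) and a docker-inspect style image configuration for an environment variable containing a private key, for exposure of a privileged kernel or daemon connection (privileged mode, or a bind of the container daemon socket or of /proc and /sys), and for a disabled secure computing mode (seccomp) filter; the findings are mapped to a trust label that is stored with the object identifier in a SQLite catalog whose `kind` column lets container image and virtual machine instance entries share one table. The sample Dockerfile and configuration are constructed, and the rule names, severity mapping, label names and table schema are the example's own assumptions.

```python
import json
import re
import sqlite3
from collections import namedtuple

# PEM header of any private-key type ("RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", ...)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")
# Host paths whose exposure to a container amounts to a privileged kernel/daemon connection
PRIVILEGED_HOST_PATHS = {"/var/run/docker.sock", "/run/docker.sock", "/proc", "/sys"}
Finding = namedtuple("Finding", "rule severity detail")  # severity: "low" | "medium" | "high"

# Constructed samples (hypothetical image id; the key body is a placeholder, not real material):
# a build file, and an image/runtime configuration shaped like `docker inspect` output.
SAMPLE_DOCKERFILE = r"""
FROM ubuntu:20.04
ENV DEPLOY_KEY="-----BEGIN RSA PRIVATE KEY-----MIIEexample-----END RSA PRIVATE KEY-----"
RUN apt-get update && \
    apt-get install -y curl
VOLUME /var/run/docker.sock
"""
SAMPLE_IMAGE_CONFIG = {
    "Id": "sha256:0123456789abcdef",
    "Config": {"Env": ["PATH=/usr/bin", "DEPLOY_KEY=-----BEGIN RSA PRIVATE KEY-----MIIEexample-----END RSA PRIVATE KEY-----"]},
    "HostConfig": {"Privileged": True, "SecurityOpt": ["seccomp=unconfined"],
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
}

def _instructions(dockerfile):
    """Yield (INSTRUCTION, args) pairs, joining backslash continuations and skipping blanks/comments."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):  # instruction continues on the next line
            buf += line[:-1] + " "
            continue
        parts, buf = (buf + line).strip().split(None, 1), ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")

def scan_dockerfile(dockerfile):
    """Scan a container image build file: private key in ENV, mount point at a privileged host path."""
    findings = []
    for instr, arg in _instructions(dockerfile):
        if instr == "ENV" and PRIVATE_KEY_RE.search(arg):
            name = arg.split("=")[0].split()[0]  # works for both "ENV K=V" and "ENV K V" forms
            findings.append(Finding("env-private-key", "high", f"ENV {name} embeds a PEM private key"))
        elif instr == "VOLUME" and any(p.strip('[]", ') in PRIVILEGED_HOST_PATHS for p in arg.split()):
            findings.append(Finding("privileged-host-path", "high", f"VOLUME at privileged host path: {arg}"))
    return findings

def scan_image_config(cfg):
    """Scan a docker-inspect style dict: private key in Env, privileged mode, seccomp off, risky binds."""
    findings = []
    for env in cfg.get("Config", {}).get("Env") or []:
        name, _, value = env.partition("=")
        if PRIVATE_KEY_RE.search(value):
            findings.append(Finding("env-private-key", "high", f"{name} holds a PEM private key"))
    host = cfg.get("HostConfig") or {}
    if host.get("Privileged"):
        findings.append(Finding("privileged-mode", "high", "Privileged=true: all capabilities and host devices"))
    for opt in host.get("SecurityOpt") or []:
        if opt.replace(":", "=").replace(" ", "") == "seccomp=unconfined":
            findings.append(Finding("seccomp-disabled", "medium", "secure computing mode (seccomp) filter is off"))
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        if src in PRIVILEGED_HOST_PATHS:
            findings.append(Finding("privileged-host-path", "high", f"bind-mounts {src} into the container"))
    return findings

def assign_label(findings):
    """The worst finding decides the label: high -> untrusted, medium -> review, otherwise trusted."""
    severities = {f.severity for f in findings}
    return "untrusted" if "high" in severities else "review" if "medium" in severities else "trusted"

class TrustCatalog:
    """SQLite store of (identifier, kind, label, findings); `kind` lets container-image and
    virtual-machine-instance entries share one table."""
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS trust (object_id TEXT PRIMARY KEY, kind TEXT NOT NULL, "
                        "label TEXT NOT NULL, findings TEXT NOT NULL)")

    def record(self, object_id, findings, kind="container_image"):
        label = assign_label(findings)
        self.db.execute("INSERT OR REPLACE INTO trust VALUES (?, ?, ?, ?)",
                        (object_id, kind, label, json.dumps([f._asdict() for f in findings])))
        self.db.commit()
        return label

    def label_of(self, object_id):
        row = self.db.execute("SELECT label FROM trust WHERE object_id = ?", (object_id,)).fetchone()
        return row[0] if row else None

if __name__ == "__main__":  # stand-alone run over the constructed samples
    found = scan_dockerfile(SAMPLE_DOCKERFILE) + scan_image_config(SAMPLE_IMAGE_CONFIG)
    print(SAMPLE_IMAGE_CONFIG["Id"], "->", TrustCatalog().record(SAMPLE_IMAGE_CONFIG["Id"], found), *found, sep="\n  ")
```

Running the module prints the label assigned to the constructed image followed by each finding. A disabled seccomp filter is rated medium because it removes one layer of several, whereas privileged mode and a bind of the daemon socket each give the container effectively unrestricted access to the host kernel and are rated high; in a real deployment the label would be recomputed whenever the image or its configuration changes, since the catalog entry is keyed on the identifier alone.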

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on Monday-Friday 7:30am - 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLEG KORSAK/
Primary Examiner, Art Unit 2492