Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
The present application is being examined under the pre-AIA first to invent provisions.
This office action is in response to the amendment filed on 05/02/2022. Claims 1, 9, 16, 20, and 25 have been amended. Claims 1 – 25 are pending for consideration. 

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 05/26/2022 has been entered.

Response to Arguments
Applicant's arguments/remarks filed on 05/02/2022 (hereafter Remarks) have been fully considered but they are not persuasive; they are also moot in view of the new ground of rejection.
On p. 11 of the Remarks Applicant stated that, given that the security agent is written into the container it is inspecting, the security agent/master agent are not separate from the container, concluding that Li fails to disclose the limitation of claim 1 wherein the container is separate from the virtual container, and executes the container to perform the container inspection of the live runtime state of the virtual container based on the one or more constrained capabilities.
Examiner respectfully disagrees. It is understood that a virtual container, as a kind of virtual machine, runs a complete operating system, in contrast to a container, which runs the user-mode portion of an operating system. Therefore, a virtual container is separate from the container by definition, as disclosed by Coady (Coady, in Para. [0021] discloses “operating system level virtualization may include a single operating system kernel that manages multiple isolated virtual containers. Each virtual container may share the kernel of the underlying operating system without requiring its own kernel.”).
The security agent, as specialized software, could be written into a container in Li to collect required files and forward them to a sandbox analyzer located in a different container, a host, or a remote machine performing the inspection. Accordingly, a container of Li, i.e. the one containing a sandbox, can inspect another container and/or virtual container (Li, in col. 5, ll. 47-50 discloses “The security agent may also collect the files and provide them to a sandbox analyzer. The sandbox analyzer machine may be in the host, in another container, or at a remote machine”). For clarification, Li further discloses details of the container inspection by another virtual unit, including migration of the security agent (Li, in col. 6, ll. 19-21 discloses “In an exemplary implementation, the security agent 104 may migrate between the host machine and the containers”). Therefore, inspection of a container could be performed by another container, e.g. by the sandbox analyzer of Li.
On p. 12 of the Remarks Applicant asserts that Coady et al. does not disclose a container performing a container inspection on another container that is executing in a live runtime state. 
Examiner respectfully notes that the rejection of the cited limitation relies upon Li, as discussed above.
In summary, the cited limitations of claim 1 in the present edition, including all amendments made, are taught by the prior art. Accordingly, the rejection under 35 U.S.C. 103 is maintained.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1 – 25 are rejected under 35 U.S.C. 103 as being unpatentable over Li et al. (US 0922386) (hereafter Li), in view of Coady et al. (US 2019/0347127) (hereafter Coady), and in view of Huang et al. (US 20190394219).

Regarding claim 1 Li teaches: A system, comprising: a memory that stores computer executable components; and a processor that executes the computer executable components stored in the memory, wherein the computer executable components comprise: (Li, in col.8, ll. 48-58, discloses “The computer system may include one or more processors 701 and one or more buses 703 coupling its various components. The computer systems may also include one or more user input devices 702 (e.g., keyboard, mouse), one or more data storage devices 706 (e.g., hard drives, optical disk, Universal Serial Bus memory), one or more display monitors 704 (e.g., liquid crystal display, flat panel monitor), one or more computer network interfaces 705 (e.g., network adapter, modem), and a main memory 708 (i.e., random access memory).”), a container inspection control component (Examiner note: the control component is met by the controlling component of security agent written/running in a container) (Li, in col.1, ll. 42-44, discloses “The present disclosure provides effective solutions to security inspection and monitoring of operations within security containers.” Li, in col. 5, ll.47-50 discloses “The security agent may also collect the files and provide them to a sandbox analyzer. The sandbox analyzer machine may be in the host, in another container, or at a remote machine”) that: defines one or more constrained capabilities of a container (Li, in col.1, ll. 15-19, discloses “A software container or container image is a lightweight, standalone, executable package of a piece of software that includes everything needed to run it: code; runtime (i.e. executable code); and necessary system tools, system libraries, and settings.”) to perform a container inspection (Examiner note: additional capabilities of a container are met by the capabilities of the security agent running within a container) (Li, in col.3, ll. 43-45, discloses “At this point, the security agent 104 is effectively running within Container-A 102A.” Li, in col.4, ll. 38-41, discloses “This effectively moves the security agent 104 into the namespace of Container-A 102-A so that it may perform inspection within that container.”) of a
[live runtime state of a virtual container executing one or more processes] 
[wherein the one or more constrained capabilities limits the container inspection to read-only operations on the virtual container,] 
[wherein the container is separate from the virtual container] 
[and executes the container to perform the container inspection of the live runtime state of the virtual container based on the one or more constrained capabilities.]
Li fails to explicitly teach: live runtime state of a virtual container executing one or more processes (ref. Coady)
wherein the one or more constrained capabilities limits the container inspection to read-only operations on the virtual container (ref. Huang) 
wherein the container is separate from the virtual container (ref. Coady)
Coady from the analogous technical field teaches: live runtime state of a virtual container executing one or more processes (Coady, in Para. [0021] discloses “operating system level virtualization may include a single operating system kernel that manages multiple isolated virtual containers. Each virtual container may share the kernel of the underlying operating system without requiring its own kernel.”).
wherein the container is separate from the virtual container (Examiner note: a virtual container is running a complete operating system in contrast to a container that is running the user-mode portion of an operating system. Therefore, a virtual container is separate from a container by definition) (Coady, in Para. [0002] discloses “operating system level virtualization may include a single operating system kernel that manages multiple isolated virtual containers. Each virtual container may share the kernel of the underlying operating system without requiring its own kernel. Avoiding usage of separate kernels may reduce computational overhead. Data centers may therefore benefit by converting the services running on a virtual machine to run within one or more containers.”).
and executes the container to perform the container inspection of the live runtime state of the virtual container based on the one or more constrained capabilities (Examiner note: inspection of virtual container by another container is met by operating manager 110 at kernel level, i.e. a container, managing/inspecting the virtual containers) (Coady, in Para. [0021] discloses “operating system level virtualization may include a single operating system kernel that manages multiple isolated virtual containers.” Coady, in Para. [0047] discloses “the kernel level rules may enable manager 110 to identify operating system ("OS") specific processes (e.g., system processes that are exclusive to the operating system) that are already included within the operating system managing the containers and do not need to be executed within a container”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Li, in view of the teaching of Coady, which discloses operations on readiness and operating system level operations on containers in order to further improve virtual container management in the system (Coady, [0002, 0021, 0047]).
Li, as modified by Coady, fails to explicitly teach: wherein the one or more constrained capabilities limits the container inspection to read-only operations on the virtual container 
Huang from the analogous technical field teaches: wherein the one or more constrained capabilities limits the container inspection to read-only operations on the virtual container (Examiner note: operations on virtual container are met by operations on virtualized user-space instances, i.e. containers) (Huang, in Para. [0072] discloses “the container servers 310 include an operating system that enables operating- system-level virtualization, such that the kernel of the operating system allows for multiple isolated user-space instances (i.e., "containers").” Huang, in Para. [0084] discloses “An additional read-write layer also may be added by the container service 330 to the running app container 320, as the images are read only.” Huang, in Para. [0085] discloses “each container is self-contained, and as noted above, may be packaged as a read-only image.”)
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Li, as modified by Coady, in view of the teaching of Huang, which discloses additional read-only operations on virtual containers in order to further improve security of virtual container management/inspection by Li/Coady (Huang, [0072, 0084, 0085]).

Regarding claim 2 Li, as modified by Coady and Huang, teaches: The system of claim 1, wherein the container comprises an inspection instance comprising at least one of: a kernel construct (Li, in col.2, ll.8-10 discloses “the security agent may continue monitoring events within the first and second containers using the user-mode object-monitoring handles of the first and second containers.” Li, in col.2, ll.61-63 discloses “Multiple containers can run on the same machine, and share the operating system (OS) kernel with other containers, as isolated processes in user space.”); a security construct; or a containerization construct (Li, in col. 4, ll. 65-67 discloses “the security agent 104 is in the namespace of Container-A 102-A, it may perform inspection within that container.” Li, in col. 6, ll. 10-13 discloses “With this in-container user-mode object monitoring, many security inspection and protection functions may be provided, such as real-time integrity monitoring”)

Regarding claim 3 Li, as modified by Coady and Huang, teaches: The system of claim 1, wherein the container inspection control component defines the one or more constrained capabilities based on one or more control components selected from a group consisting of privilege separation, namespace, capability-based security, secure computing mode, netfilter, control groups, and Security-Enhanced Linux (Li, in col. 3, ll. 62-66 discloses “Using the LINUX operating system as an example, the namespace change may be implemented by the security agent getting the access handle of the namespace for the target container under its process ID”) thereby facilitating improved security associated with at least one of: the container (Li, in col.1, ll. 46-48, discloses “One embodiment relates a computer-implemented method for performing a security inspection of one or more software containers in a host machine.” Li, in col.8, ll. 6-11, discloses “the host machine 101 is the computer system which has the container platform to run containers (102A, 102B, and 102C, for example). The host machine 101 may be a physical machine in one implementation, and the host machine 101 may be a virtual machine in another implementation.”); the virtual container; or one or more resources of a container-based virtualization environment

Regarding claim 4 Li, as modified by Coady and Huang, teaches: The system of claim 1, further comprising a control level component that defines a level of control of the container based on one or more combinations of one or more control components selected from a group consisting of access control components and resource constraint components (Examiner note: container access control component is met by the disclosed function of the security agent of Li controlled by the master agent) (Li, in col. 8, ll. 19-22 discloses “the security agent may be a lightweight security agent that only help to setup the monitoring handle or provide the access to the objects in containers for other security components.” Li, in col. 8, ll. 27-28 discloses “The master agent may be a controller to control security agents.”)

Regarding claim 5 Li, as modified by Coady and Huang, teaches: The system of claim 1, wherein the container operates as a non-root user during the container inspection of the live runtime state of the virtual container (Examiner note: as noted above the security agent is created within a container and is non-root by definition) (Li, in col. 8, ll.16-18 discloses “the security agent may be a self-contained agent that can perform security inspection by itself autonomously.”) of the live runtime state of the virtual container (Li, in col.8, ll. 6-11, discloses “the host machine 101 is the computer system which has the container platform to run containers (102A, 102B, and 102C, for example). The host machine 101 may be a physical machine in one implementation, and the host machine 101 may be a virtual machine in another implementation.”)

Regarding claim 6 Li, as modified by Coady and Huang, teaches: The system of claim 1, wherein the container inspection inspects at least one of a memory state, a disk state, or a network state of the virtual container (Li, in col. 6, ll. 10-13 discloses “With this in-container user-mode object monitoring, many security inspection and protection functions may be provided, such as real-time integrity monitoring” Li, in col. 1, ll.47-48 discloses “a computer-implemented method for performing a security inspection of one or more software containers in a host machine” Li, in col. 5, ll.23-25 discloses “Example of resources and objects that may inspected include files, processes, network connection and others.”)

Regarding claim 7 Li, as modified by Coady and Huang, teaches: The system of claim 1, wherein the container is generated via execution of a Bourne-Again Shell command (Examiner note: the Bourne-Shell command interpreter is a default shell of many Unix/Linux operating systems; therefore, application of the Bourne-shell commands is met by the application of the kernel level operating system commands) (Li, in col. 1, ll. 19-21 discloses “Multiple containers can run on the same machine, and share the operating system (OS) kernel with other containers, as isolated processes in user space”)

Regarding claim 8 Li, as modified by Huang, fails to explicitly teach: The system of claim 1, wherein the one or more constrained capabilities prevents the container inspection from accessing read privileged files in the virtual container
Coady from the analogous technical field teaches: The system of claim 1, wherein the one or more constrained capabilities prevents the container inspection from accessing read privileged files in the virtual container (Examiner note: as noted above, limiting inspection to read-only operations, i.e. read privileged files on a container, is met by the analysis on readiness of the container images) (Coady, in Para. [0015] discloses “the technology may analyze readiness of the container images to route service requests to a container supported by the container images.” Coady, in Para. [0043] discloses “Data store 330 may include various data, including rules 134, computer code 332, parent image 336, container image 132, readiness factors 136”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Li, as modified by Huang, in view of the teaching of Coady which discloses operations on readiness on containers in order to improve virtual container management in the system (Coady, [0015, 0043]).

Regarding claim 9, claim 9 discloses a method that is substantially equivalent to the system of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 9, which is rejected for the same reasons.

Regarding claim 10, claim 10, which depends on claim 9, discloses a method that is substantially equivalent to the system of claim 3 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 3 are equally applicable to claim 10, which is rejected for the same reasons.

Regarding claim 11, claim 11, which depends on claim 9, discloses a method that is substantially equivalent to the system of claim 4 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 4 are equally applicable to claim 11, which is rejected for the same reasons.

Regarding claim 12, claim 12, which depends on claim 9, discloses a method that is substantially equivalent to the system of claim 6 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 6 are equally applicable to claim 12, which is rejected for the same reasons.

Regarding claim 13, claim 13, which depends on claim 9, discloses a method that is substantially equivalent to the system of claim 5 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 5 are equally applicable to claim 13, which is rejected for the same reasons.

Regarding claim 14, claim 14, which depends on claim 9, discloses a method that is substantially equivalent to the system of claim 7 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 7 are equally applicable to claim 14, which is rejected for the same reasons.

Regarding claim 15, claim 15, which depends on claim 9, discloses a method that is substantially equivalent to the system of claim 8 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 8 are equally applicable to claim 15, which is rejected for the same reasons.

Regarding claim 16, claim 16 discloses a system that is substantially equivalent to the system of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 16, which is rejected for the same reasons.

Regarding claim 17 Li, as modified by Coady and Huang, teaches: The system of claim 16, wherein the container operates as a non-root user during the inspection of the live runtime state of the virtual container (Examiner note: as noted above the security agent is created within a container and is non-root by definition) (Li, in col. 8, ll.16-18 discloses “the security agent may be a self-contained agent that can perform security inspection by itself autonomously.” Li, in col.8, ll. 6-11, discloses “the host machine 101 is the computer system which has the container platform to run containers (102A, 102B, and 102C, for example). The host machine 101 may be a physical machine in one implementation, and the host machine 101 may be a virtual machine in another implementation.”) based on one or more read-only actions (Li, in col.8, ll. 60-64, discloses “The computer system is a particular machine as programmed with one or more software modules, comprising computer-readable code or instructions 710 stored nontransitory in the main memory 708 for execution by the processor 701”)

Regarding claim 18, claim 18, which depends on claim 16, discloses a system that is substantially equivalent to the system of claim 3 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 3 are equally applicable to claim 18, which is rejected for the same reasons.

Regarding claim 19, claim 19, which depends on claim 16, discloses a system that is substantially equivalent to the system of claim 4 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 4 are equally applicable to claim 19, which is rejected for the same reasons.

Regarding claim 20 Li, as modified by Coady and Huang, teaches: The system of claim 16, wherein the container inspection control component prevents execution of one or more write operations by the container on the virtual container (Examiner note: container access control component is met by the disclosed function of the security agent of Li controlled by the master agent) (Li, in col. 8, ll. 19-22 discloses “the security agent may be a lightweight security agent that only help to setup the monitoring handle or provide the access to the objects in containers for other security components.” Li, in col. 8, ll. 27-28 discloses “The master agent may be a controller to control security agents.”), thereby facilitating a safer inspection ability, without hampering the processing capacity associated with one or more resources of a container-based virtualization environment (Li, in col. 7, ll. 13-18 discloses “In order to have the master agent 505 perform the security inspection in relation to the event, the security agent 504 may either dispatch the file handles to the master agent 505, or copy the files via IPC to the master agent 505, or use an input/output redirect mechanism to allow the master agent 505 to inspect the files within the container” Li, in col.8, ll. 6-11, discloses “the host machine 101 is the computer system which has the container platform to run containers (102A, 102B, and 102C, for example). The host machine 101 may be a physical machine in one implementation, and the host machine 101 may be a virtual machine in another implementation.”)

Regarding claim 21, claim 21 discloses a computer program product that is substantially equivalent to the system of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 21, which is rejected for the same reasons.

Regarding claim 22, claim 22, which depends on claim 21, discloses a computer program product that is substantially equivalent to the system of claim 3 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 3 are equally applicable to claim 22, which is rejected for the same reasons.

Regarding claim 23, claim 23, which depends on claim 21, discloses a computer program product that is substantially equivalent to the system of claim 4 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 4 are equally applicable to claim 23, which is rejected for the same reasons.

Regarding claim 24 Li, as modified by Coady and Huang, teaches: The computer program product of claim 21, wherein the container operates as a non-root user during the inspection of the live runtime state of the virtual container based on one or more read-only actions (Examiner note: as noted above the security agent is created within a container and is non-root by definition) (Li, in col. 8, ll.16-18 discloses “the security agent may be a self-contained agent that can perform security inspection by itself autonomously.” Li, in col.8, ll. 6-11, discloses “the host machine 101 is the computer system which has the container platform to run containers (102A, 102B, and 102C, for example). The host machine 101 may be a physical machine in one implementation, and the host machine 101 may be a virtual machine in another implementation.” Li, in col.8, ll. 60-64, discloses “The computer system is a particular machine as programmed with one or more software modules, comprising computer-readable code or instructions 710 stored nontransitory in the main memory 708 for execution by the processor 701”)

Regarding claim 25, claim 25 discloses a computer program product that is substantially equivalent to the system of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 25, which is rejected for the same reasons.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Griffin (US-20190310872), KÄRKKÄINEN (US-20180246646), BISKUP (US-20180173502).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VLADIMIR IVANOVICH GAVRILENKO whose telephone number is (313)446-6530.  The examiner can normally be reached on Monday-Friday 7:30-4:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Vladimir I. Gavrilenko/Examiner, Art Unit 2431

/TRANG T DOAN/Primary Examiner, Art Unit 2431