DETAILED ACTION
The following claims are pending in this office action: 1, 3, 5-8, 10, 12-15, 17 and 19-24 
The following claims are amended: 1, 3, 5-6, 8, 10, 12-13, 15, 17 and 19-20 
The following claims are new: 22-24
The following claims are cancelled: 2, 4, 9, 11, 16, and 18
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/11/2022 has been entered.
RESPONSE TO ARGUMENTS
Applicant’s arguments in the amendment filed 07/11/2022 have been fully considered but are moot in view of new grounds of rejection. 
Applicant notes: Independent claim 1 is amended to recite “adding the virtual to or activating the virtual resource in the secure computing infrastructure.”  This limitation and the additional amended subject matter are disclosed in Kundu et al. (US Pub. 2014/0096135) in view of Greenberg et al. (US Pub. 2017/0006053) below and rejected accordingly.  
Kundu et al. (US Pub. 2014/0096135), as explained below, teaches an attestation method that determines whether a virtual machine image running in a data center is trustworthy, and activating the image to the cloud infrastructure even if the image is not trustworthy.  Greenberg et al. (US Pub. 2017/0006053), as explained below, teaches applying one or more security restrictions to a virtual machine as a result of a determination that the virtual machine is not trustworthy.  
Independent claims 8 and 15 are amended in a similar way to claim 1.  The subject matter at issue is disclosed by Kundu et al. (US Pub. 2014/0096135) in view of Greenberg et al. (US Pub. 2017/0006053) below and rejected accordingly.  
Dependent claims 3, 5-7, 10, 12-14, 17 and 19-21 depend on independent claims 1, 8, and 15.  The amended elements in the independent claims are disclosed by Kundu et al. (US Pub. 2014/0096135) in view of Greenberg et al. (US Pub. 2017/0006053) below, and any additional features to the dependent claims are rejected accordingly.
New dependent claims 22-24 cite elements disclosed by Kundu et al. (US Pub. 2014/0096135) as explained below, and are rejected accordingly.  
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 8, 15, and 22-24 are rejected under 35 U.S.C. 103 as being unpatentable over Kundu et al. (US Pub. 2014/0096135) (hereinafter “Kundu”) in view of Greenberg et al. (US Pub. 2017/0006053) (hereinafter “Greenberg”). 

As per claim 1, Kundu teaches a method for establishing and maintaining a secure computing infrastructure in a data center, the method comprising: upon an attestation event, ([Kundu, para. 0151; Fig. 9] “process 900 verifies the authenticity of the virtual machine image (step 926) [an attestation event]”), determining that a virtual resource running in the data center, ([para. 0076] “Virtual machine images [a virtual resource] … exist within [running in] … data centers”), to be added to or activated in the secure computing infrastructure ([para. 0159] “process 900 sends the virtual machine image and signature to the hypervisor using the cloud infrastructure (step 946) … use the virtual machine image [added to or activate] to provision virtual machines on the cloud infrastructure [secure computing infrastructure]”) is not trustworthy; and ([para. 0151-0152] “process 900 verifies the authenticity of the virtual machine image (step 926)” … Responsive to determining that the virtual machine image is not authentic [not trustworthy]; [para. 0080] “If the origin is an unauthorized entity and/or the VM image has been tampered with in an unauthorized manner [not trustworthy], the VM image is said to “in-authentic””)
adding the virtual resource to or activating the virtual resource in the secure computing infrastructure, ([Kundu, para. 0154; Fig. 9] “step 928, responsive to process 900 proceeding with the verification process ("proceed" at step 928), process 800 instantiates [adding or activating] the non-authentic virtual machine image [the virtual resource]”; [para. 0159] “a hypervisor associated with the cloud infrastructure [in the secure computing infrastructure] can then use the virtual machine image”) wherein the adding or activating enables the virtual resource to communicate with devices of the secure computing infrastructure ([para. 0159] “A hypervisor associated with the cloud infrastructure can then use the virtual machine image [the adding or activating] to provision [communicate] virtual machines [devices] on the cloud infrastructure [secure computing infrastructure]”.  Communicate with devices of the secure computing infrastructure with the one or more security restrictions applied to the virtual resource is taught by Kundu below)
Kundu does not clearly teach based on the determination that the virtual resource is not trustworthy, applying one or more security restrictions to the virtual resource, and communicate with devices of the secure computing infrastructure with the one or more security restrictions applied to the virtual resource.
However, Greenberg teaches based on the determination that the virtual resource is not trustworthy, ([Greenberg, para. 0045] “each tenant [virtual resource – see para. 0027: “If the virtual machine of the tenant is suspected to have fraudulent services … this information … to compute the tenant confidence score”] may be given [determination] a tenant confidence score, where the tenant confidence score is an indicator of a reputation [trustworthiness] of tenant”; [para. 0017] “if a tenant has not established their confidence score… their confidence score is low [not trustworthy]”) applying one or more security restrictions to the virtual resource, and ([para. 0046] at step 420, based on the confidence score of the tenant, one or more policies [one or more security restrictions] may be identified [applying] for the tenant; [para. 0017] “policies may be applied to restrict or otherwise limit traffic [security restrictions] from the virtual machine of the tenant [virtual resource]”)
communicate with devices of the secure computing infrastructure ([Greenberg, para. 0046] “at step 420, the tenant … may … access [communicate]… cloud computing resources [devices of the secure computing infrastructure]”) with the one or more security restrictions applied to the virtual resource. ([para. 0046]” the one or more policies [one or more security restrictions] may limit access”; [para. 0016] “policies may be applied to restrict or otherwise limit traffic [security restrictions] from the virtual machine of the tenant [applied to the virtual resource]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Kundu with the teachings of Greenberg to include based on the determination that the virtual resource is not trustworthy, applying one or more security restrictions to the virtual resource, and communicate with devices of the secure computing infrastructure with the one or more security restrictions applied to the virtual resource.  One of ordinary skill in the art would have been motivated to make this modification because by providing security restrictions, the cloud computing platform may be more reliable and secure, and more efficient. (Greenberg, para. 0018)

As per claim 8, Kundu teaches a computer system for establishing and maintaining a secure computing infrastructure in a data center, the computer system comprising: a plurality of servers, the plurality of servers including one or more virtual machines (VMs); ([Kundu, para. 0071; Fig. 3] “Referring now to FIG. 3, a set of functional abstraction layers is depicted in accordance with an illustrative embodiment. The set of functional abstraction layers may be provided by cloud computing environment 250 [one or more servers – see Fig. 2]”; [para. 0073] “Virtualization layer 362 provides … virtual clients [one or more virtual machines]”)
a plurality of networks coupled to the plurality of servers, the plurality of networks including a storage network; and ([Kundu, para. 0070; Fig. 2] “cloud computing nodes 210 and cloud computing environment 250 can communicate with [coupled with] any type of computerized device over any type of network [a plurality of networks]”; “For example, a server computer in cloud computing nodes 210 [the plurality of servers]”; “a computer recordable storage medium in one of cloud computing nodes 210… over a network [a storage network] for use in  … computing devices”)
a plurality of storage components coupled to the storage network, ([Kundu, para. 0073; Fig. 3] “Virtualization layer 362 provides virtual storage [a plurality of storage components]; [para. 0070; Fig. 2] “cloud computing nodes 210 and cloud computing environment 250 can communicate with [coupled with] any type of computerized device … For example… a computer recordable storage medium in one of cloud computing nodes 210… over a network [a storage network”])
wherein when a virtual resource running in the data center ([Kundu, para. 0105] “computing nodes [a data center: see para. 0074] on which a virtual machine running a virtual machine image is executed”) is to be added to or activated in the secure computing infrastructure, ([para. 0150] “process 800 instantiates the non-authentic virtual machine image…”; [para. 0159] a hypervisor associated with the cloud infrastructure [in the secure computing infrastructure] can then use [to be added/activated] the virtual machine image) an application running in the computer system performs a method comprising: ([Fig. 1; para. 0068] “Program/utility 140, [an application running in the computing system] … carry out the functions… as described”).
determining that the virtual resource to be added to or activated in the secure computing infrastructure, ([Kundu, para. 0159] “Process 900 sends the virtual machine image and signature to the hypervisor using the cloud infrastructure (step 946) … use the virtual machine image [added to or activate] to provision virtual machines on the cloud infrastructure [secure computing infrastructure]”) is not trustworthy, and ([para. 0151-0152] “process 900 verifies the authenticity of the virtual machine image (step 926) … Responsive to determining that the virtual machine image is not authentic [not trustworthy]”; [para. 0080] “If the origin is an unauthorized entity and/or the VM image has been tampered with in an unauthorized manner [not trustworthy], the VM image is said to “in-authentic””)
based on the determination that the virtual resource is not trustworthy, ([Kundu, para. 0152; Fig. 9] “Responsive to determining that the virtual machine image is not authentic ("no" at step 926), [not trustworthy] process 900 can … proceed (step 928)”) 
enabling the virtual resource to be added to or activated in the secure computing infrastructure, ([Kundu, para. 0154; Fig. 9] “step 928, responsive to process 900 proceeding with the verification process …. process 800 instantiates [enabling adding or activating] the non-authentic virtual machine image [the virtual resource]”; [para. 0159] “a hypervisor associated with the cloud infrastructure [in the secure computing infrastructure] can then use the virtual machine image”) wherein the enabling of the virtual resource to be added or activated further enables the virtual resource to communicate with devices of the secure computing infrastructure. ([para. 0159] “A hypervisor associated with the cloud infrastructure can then use the virtual machine image [the adding or activating] to provision [communicate] virtual machines [devices] on the cloud infrastructure [secure computing infrastructure]”.  Communicate with devices of the secure computing infrastructure with the one or more security restrictions applied to the virtual resource is taught by Kundu below)
Kundu does not clearly teach based on the determination that the virtual resource is not trustworthy, applying one or more security restrictions to the virtual resource, and communicate with devices of the secure computing infrastructure with the one or more security restrictions applied to the virtual resource.  
However, Greenberg teaches based on the determination that the virtual resource is not trustworthy, ([Greenberg, para. 0045] “each tenant [virtual resource – see para. 0027: “If the virtual machine of the tenant is suspected to have fraudulent services … this information … to compute the tenant confidence score”] may be given [determination] a tenant confidence score, where the tenant confidence score is an indicator of a reputation [trustworthiness] of tenant”; [para. 0017] “if a tenant has not established their confidence score… their confidence score is low [not trustworthy]”)
applying one or more security restrictions to the virtual resource, and ([Greenberg, para. 0046] at step 420, based on the confidence score of the tenant, one or more policies [one or more security restrictions] may be identified [applying] for the tenant; [para. 0017] “policies may be applied to restrict or otherwise limit traffic [security restrictions] from the virtual machine of the tenant [virtual resource]”)
communicate with devices of the secure computing infrastructure ([Greenberg, para. 0046] “at step 420, the tenant … may … access [communicate]… cloud computing resources [devices of the secure computing infrastructure]”) with the one or more security restrictions applied to the virtual resource.  ([para. 0046]” the one or more policies [one or more security restrictions] may limit access”; [para. 0016] “policies may be applied to restrict or otherwise limit traffic [security restrictions] from the virtual machine of the tenant [applied to the virtual resource]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Kundu with the teachings of Greenberg to include based on the determination that the virtual resource is not trustworthy, applying one or more security restrictions to the virtual resource, and communicate with devices of the secure computing infrastructure with the one or more security restrictions applied to the virtual resource.  One of ordinary skill in the art would have been motivated to make this modification because by providing security restrictions, the cloud computing platform may be more reliable and secure, and more efficient. (Greenberg, para. 0018)

As per claim 15, Kundu teaches a non-transitory computer-readable medium comprising instruction in a computer system wherein the instruction when executed in the computer system cause the computer system to carry out a method.  ([Kundu, para. 0033] “aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon”; “A computer readable storage medium may be, for example… memory”)
The method performs the steps of the method of claim 1, has language that is identical or substantially similar to the method of claim 1, and thus is rejected with the same rationale applied against claim 1.  

As per claim 22, Kundu in view of Greenberg teaches claim 1.  
Kundu also teaches wherein the virtual resource is a virtual disk.  ([Kundu, para. 0073] “the following examples of virtual entities [the virtual resource] may be provided: … virtual storage [a virtual disk]”; the common meaning of the word “image” is synonymous with disk, and so a virtual machine image is a virtual disk)

As per claim 23, the claim language is identical or substantially similar to that of claim 22. Therefore, it is rejected under the same rationale applied to claim 22.

As per claim 24, the claim language is identical or substantially similar to that of claim 22. Therefore, it is rejected under the same rationale applied to claim 22.

Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kundu in view of Greenberg as applied to claims 1, 8, and 15 above, and further in view of Allen (US Patent No. 9,135,437) (hereinafter “Allen”). 

As per claim 3, Kundu in view of Greenberg teaches claim 1.  
Kundu in view of Greenberg does not clearly teach wherein applying the one or more security restrictions includes only allowing the virtual resource to perform operations that do not involve encryption.  
However, Allen teaches wherein applying the one or more security restrictions ([Allen, col. 11, ln. 11-17] the cryptographic policy system under the control of a hypervisor and enforcing an application on a VM [the virtual resource, see col. 2, ln. 18-27] determines that an application employs cryptographic algorithms, determines that those cryptographic algorithms are disallowed, and takes one or more remediating actions [security restriction] in response to the determination) includes only allowing the virtual resource to perform operations that do not involve encryption.  ([Col. 8, ln. 62-67 to col. 9, ln. 9-10] based on the determination that the implementation of the cryptographic algorithm is disallowed by the policy, the hypervisor blocks execution of that portion of computer executable instructions by the virtual machine [only allowing the component to perform operations that do not involve encryption])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Kundu in view of Greenberg with the teachings of Allen to include wherein applying the one or more security restrictions includes only allowing the virtual resource to perform operations that do not involve encryption.  One of ordinary skill in the art would have been motivated to make this modification because preventing an application/device from using encryption, for example because it uses a key for encryption that does not exceed a minimum complexity, prevents unapproved or insufficiently secure use of cryptography algorithms that may be introduced into the system by the application/devices. (Allen, col. 8, ln. 53-61; col. 2, ln. 47-56)

As per claim 10, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

As per claim 17, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

Claims 5-7, 12-14, and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Kundu in view of Greenberg as applied to claims 1, 8, and 15 above and further in view of Cucinotta et al. (US Pub. 2015/0089589) (hereinafter “Cucinotta”).

As per claim 5, Kundu in view of Greenberg teaches claim 1.  
Kundu in view of Greenberg does not clearly teach wherein applying the one or more security restriction includes: encrypting data transferred to or through the component; and decrypting data received from the component.
However, Cucinotta teaches wherein applying the one or more security restriction includes: encrypting data transferred to or through the virtual resource; ([Cucinotta, Fig. 1; para. 0007] the method disclosed allows for isolation [applies a security restriction] of untrusted virtual machines such as those found in cloud computing infrastructures. [Fig. 1; para. 0065] all data transferred to or through the untrusted domain 80 [the untrusted VM] must pass through the encryption hardware 40B which is hardwired to forcibly encrypt the data before)
and decrypting data received from the virtual resource.  ([Cucinotta, Fig. 1; para. 0064] all incoming communications received from the untrusted domain 80 [the untrusted VM/the untrusted component] must pass through the decryption hardware 40A which is hardwired to decrypt the received data)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Kundu in view of Greenberg with the teachings of Cucinotta to include wherein applying the one or more security restriction includes: encrypting data transferred to or through the virtual resource; and decrypting data received from the virtual resource.  One of ordinary skill in the art would have been motivated to make this modification because this prevents access to data within the trusted domain that is not intended to be provided to the component, prevents any unencrypted data from exiting the trusted domain, and preserves integrity of the data.  (Cucinotta, para. 0013-0015)

As per claim 6, Kundu in view of Greenberg and further in view of Cucinotta teaches claim 5.  
Kundu in view of Greenberg does not clearly teach wherein the encrypting and decrypting the data is performed with the aid of a security module.
However, Cucinotta teaches wherein the encrypting and decrypting the data is performed with the aid of a security module. ([Cucinotta, Fig. 1; para. 0063-0065] the encrypting and decrypting is performed by the trusted cryptographic hardware unit, a security module, which includes the decryption and encryption hardware)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Kundu in view of Greenberg with the teachings of Cucinotta to include wherein the encrypting and decrypting the data is performed with the aid of a security module.  One of ordinary skill in the art would have been motivated to make this modification because using a hardware security module allows the trusted domain to avoid malicious software overriding or reprogramming functions of the devices in the trusted domain.  (Cucinotta, para. 0015)

As per claim 7, Kundu in view of Greenberg and further in view of Cucinotta teaches claim 6.  
Kundu in view of Greenberg does not teach wherein the security module is a trusted platform module.
However, Cucinotta teaches wherein the security module is a trusted platform module. ([Cucinotta, para. 0072] the private key used for the encryption/decryption process is injected into the cryptographic unit and stored in a trusted platform module, making the generic trusted cryptographic hardware unit a trusted platform module)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Kundu in view of Greenberg with the teachings of Cucinotta to include wherein the security module is a trusted platform module.  One of ordinary skill in the art would have been motivated to make this modification because such a technique allows the cryptographic chip to be protected against sophisticated physical attacks to the hardware by utilizing tamper-proof manufacturing that’s a feature of trusted platform modules.  (Cucinotta, para. 0069)

As per claim 12, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.

As per claim 13, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

As per claim 14, the claim language is identical or substantially similar to that of claim 7. Therefore, it is rejected under the same rationale applied to claim 7.

As per claim 19, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.

As per claim 20, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

As per claim 21, the claim language is identical or substantially similar to that of claim 7. Therefore, it is rejected under the same rationale applied to claim 7.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Sharifi Mehr et al. (US Patent No. 11,150,927) discloses a trust score that is given for a tenant VM, and restrictions that are used to define cotenant policies.   
Gafni et al. (US Pub. 2016/0021142) discloses loading a VM to a workstation to detect content that performs malicious exploits, and generating an alert if the VM is suspicious.  
Folco et al. (US Patent No. 10,460,113) discloses determining whether there is a security issue with a container, fixing the security issue in the VM associated with the container, and performing a live migration of the VM to the container environment.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.

/Z.L./Examiner, Art Unit 2493
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493