DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is responsive to RCE filed on 08/19/2022. Claims 1-21 have been examined and are pending in this application.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 08/19/2022 has been entered.
Response to Arguments
Applicant's arguments filed 08/19/2022 have been fully considered but they are not persuasive.
Applicant argues, page 12 of the remarks, “Chandrasekhar’s virtual machine image reputation database 232 stores the reputation of a virtual machine image and NOT the virtual machine image itself for customer use, and so a customer client computer 240 connecting to the computer system 230 (which contains the virtual machine image reputation database 232) is ‘get[ting] a reputation of a virtual machine image’ (emphasis ours), rather than ‘recovering … from the storage location, a [secure] point-in-time image’ (emphasis ours) as recited in claim 1.”
The Examiner respectfully disagrees. In Chandrasekhar, a virtual machine image reputation database 232 may comprise a database or other listing of virtual machine images that are known to be good (i.e., safe) or known to be bad (e.g., infected with malware), col 3 lines 43-46 and FIG. 2. A client computer 240 may connect to the computer system 230 to access the machine image reputation database 232 and find out if a particular virtual machine image is a known good or known bad machine image, col 3 lines 46-50. A cloud computing environment 200 may provide service to many different, unrelated customers. The cloud computing environment may provide ready-built virtual machine images 201, col 3 lines 60-63. Thus, based on the reputation of a virtual machine image from the reputation database 232, a client may obtain a ready-built virtual machine image 201 from the cloud computing environment.
Applicant argues, page 13 of the remarks, “any VM image in Chandrasekhar cannot be used for restoration in the manner recited in claim 1, since such an image in Chandrasekhar is not a point-in-time image of the virtual machine while running on the host of the customer.”
The Examiner respectfully disagrees. In determining the reputation of a virtual machine image by Chandrasekhar, he may not be able to determine the reputation of the virtual machine without running the virtual machine. “a method of certifying a virtual machine image in a cloud computing environment includes installing an anti-malware in a virtual machine. The anti-malware is used to scan the virtual machine for presence of malware. In response to finding that the virtual machine image is free of malware, the anti-malware is removed from the virtual machine and an original fingerprint is generated and stored in the virtual machine. The virtual machine is saved as a virtual machine image after removing the anti-malware from the virtual machine and storing the original fingerprint in the virtual machine. The virtual machine image is listed in a catalog of a public cloud computing environment.” Col 1 line 66 to col 2 line 9 of Chandrasekhar. Thus, prior to saving the virtual machine image, the anti-malware scans the running virtual machine for the presence of malware. The fact that an anti-malware is installed in the virtual machine indicates that the virtual machine is running. Otherwise, how can you install an anti-malware on a virtual machine image? That does not make any sense. Here, installation of the anti-malware in the virtual machine is the key phrase that indicates that the virtual machine is running. Furthermore, a point-in-time image of a virtual machine is an image that is generated at an arbitrary point-in-time while the virtual machine is running according to the claimed invention. Therefore, the image of the virtual machine that is generated after the anti-malware check while the virtual machine is running is a point-in-time image of the virtual machine. 
In view of the foregoing remarks, independent claims 1, 8, and 15 are not in a condition for allowance. Claims depending therefrom, either directly or indirectly, are also not in a condition for allowance.   
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Vashisht et al. US 10,552,610 (“Vashisht”) in view of Kuwamura US 2010/0043073 (“Kuwamura”) and in further view of Chandrasekhar et al. US 8,893,279 (“Chandrasekhar”).
As per independent claim 1, Vashisht teaches A method for a host in a virtualized computing environment to restore a virtual machine supported by the host (A method is described for updating a virtual machine (VM) disk snapshot that is used in the instantiation of one or more guest virtual machine instances for handling the analysis of an object for a presence of malware, col 1 lines 17-20), the method comprising:
performing, by the host, a replication process to store point-in-time images of the virtual machine at a storage location while the virtual machine is running on the host (A framework is employed that allows VM disk snapshots within a VM disk image to be updated during run-time, col 2 lines 44-46. As shown in FIG. 2, a base VM disk snapshot 240 features a contiguous storage area 245 (e.g., disk blocks) for receipt of a guest image update package 195_i (i = 1, 2, …) to produce a revised VM disk snapshot 250. The revised VM disk snapshot 250 is used for the instantiation of one or more guest VM instances 270_1-270_N within a dynamic analysis engine 175, col 8 lines 30-42 and FIG. 2);
performing, by the host, a monitoring process concurrently with the replication process to monitor operational behavior of the virtual machine running on the host (Additionally, a virtual execution engine 220 controls storage of the revised VM disk snapshot 250 into memory 280 and subsequent instantiation of guest VM instances 270_1-270_N using the revised VM disk snapshot 250 for analysis, detection, and/or monitoring of objects for malware, col 9 lines 25-29, col 12 lines 9-28, and FIGS. 2 and 4);
in response to the monitored operational behavior at a particular time being in violation of expected operational behavior of the virtual machine (As a monitoring/detection tool, the software component may be configured to setup the environment for detection, detect/monitor activity during analysis of the object, and perform analysis of logged activity, col 12 lines 18-22. Malware is designed to cause a network device to experience anomalous (unexpected or undesirable) behaviors, col 6 lines 18-22, that are monitored and/or detected), identifying, by the host, a point-in-time image of the virtual machine that corresponds to the particular time as an unsecure image with a security risk (Once the object is deemed “suspicious”, namely the probability of the object being associated with a malicious attack exceeds a threshold, the object is further analyzed to determine if the object is malicious, col 8 lines 10-16).
Vashisht discloses all of the claimed limitations from above, but does not explicitly teach “performing, by the host, an action on the unsecure image to restrict use of the unsecure image for restoration of the virtual machine” and “recovering, by the host from the storage location, a point-in-time image of the virtual machine that was generated prior to the particular time and generated while the virtual machine was running on the host, that was stored at the storage location by the replication process, and that was determined as being secure at the point-in-time of the generation of the image, to use for the restoration of the virtual machine”.
However, in an analogous art in the same field of endeavor, Kuwamura teaches performing, by the host, an action on the unsecure image to restrict use of the unsecure image for restoration of the virtual machine (Referring to FIG. 4, in step S22, it is determined whether or not a virus detected by an antivirus software 132 can be completely removed from a virtual machine snapshot. Responsive to the determination being “NO”, at step S23, a preceding snapshot of the virtual machine is checked to determine whether or not the preceding snapshot of the virtual machine is infected with virus, paras 0049-0052 and FIG. 4. Thus, the snapshot of the virtual machine that is scanned for virus at step S22 is not used).
Given the teaching of Kuwamura, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify the scope of the invention of Vashisht with “performing, by the host, an action on the unsecure image to restrict use of the unsecure image for restoration of the virtual machine”. The motivation would be that the need for executing antivirus software for each virtual machine can be avoided, para 0013 of Kuwamura.
Vashisht in combination with Kuwamura discloses all of the claimed limitations from above, but does not explicitly teach “recovering, by the host from the storage location, a point-in-time image of the virtual machine that was generated prior to the particular time and generated while the virtual machine was running on the host, that was stored at the storage location by the replication process, and that was determined as being secure at the point-in-time of the generation of the image, to use for the restoration of the virtual machine”.
However, in an analogous art in the same field of endeavor, Chandrasekhar teaches recovering, by the host from the storage location, a point-in-time image of the virtual machine that was generated prior to the particular time and generated while the virtual machine was running on the host, that was stored at the storage location by the replication process, and that was determined as being secure at the point-in-time of the generation of the image, to use for the restoration of the virtual machine (A virtual machine image reputation database 232 may comprise a database or other listing of virtual machine images that are known to be good (i.e., safe) or known to be bad (e.g., infected with malware), col 3 lines 43-46 and FIG. 2. A client computer 240 may connect to the computer system 230 to access the machine image reputation database 232 and find out if a particular virtual machine image is a known good or known bad machine image, col 3 lines 46-50. A cloud computing environment 200 may provide service to many different, unrelated customers. The cloud computing environment may provide ready-built virtual machine images 201, col 3 lines 60-63. A point-in-time image of a virtual machine is an image that is generated at an arbitrary point-in-time while the virtual machine is running according to the claimed invention. Therefore, the image of the virtual machine that is generated after the anti-malware check while the virtual machine is running is a point-in-time image of the virtual machine.).
Given the teaching of Chandrasekhar, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify the scope of the invention of Vashisht and Kuwamura with “recovering, by the host from the storage location, a point-in-time image of the virtual machine that was generated prior to the particular time and generated while the virtual machine was running on the host, that was stored at the storage location by the replication process, and that was determined as being secure at the point-in-time of the generation of the image, to use for the restoration of the virtual machine”. The motivation would be that processing costs are saved, col 5 line 51 of Chandrasekhar.
As per dependent claim 2, Vashisht in combination with Kuwamura and Chandrasekhar discloses the method of claim 1. Vashisht may not explicitly disclose, but Kuwamura teaches wherein performing the action on the unsecure image includes at least one of: discarding the unsecure image (Referring to FIG. 4, in step S22, it is determined whether or not a virus detected by the antivirus software 132 can be completely removed from the virtual machine snapshot. Responsive to the determination being “NO”, the snapshot is not used, para 0049 and FIG. 4) or performing a virus scan on the unsecure image (Referring to FIG. 4, in step S22, it is determined whether or not a virus detected by the antivirus software 132 can be completely removed from the virtual machine snapshot, para 0049 and FIG. 4).
The same motivation that was utilized for combining Vashisht and Kuwamura as set forth in claim 1 is equally applicable to claim 2.
As per dependent claim 3, Vashisht in combination with Kuwamura and Chandrasekhar discloses the method of claim 1. Vashisht may not explicitly disclose, but Kuwamura teaches further comprising restricting use of at least one point-in-time image, generated after the unsecure image, for restoration of the virtual machine (In FIG. 4, preceding snapshots are checked for virus and if not infected, the virtual machine is restored from one of the preceding snapshots, paras 0049-52. Thus, any snapshot at a point-in-time that is infected, snapshots subsequent to that point-in-time are not used for restoration of the VM).
The same motivation that was utilized for combining Vashisht and Kuwamura as set forth in claim 1 is equally applicable to claim 3.
As per dependent claim 4, Vashisht in combination with Kuwamura and Chandrasekhar discloses the method of claim 1. Vashisht teaches further comprising: generating and sending, by the host to a manager, an alarm to indicate that the monitored operational behavior is in violation of the expected operational behavior (Once the object is deemed “suspicious”, namely the probability of the object being associated with malicious attack exceeds a threshold probability, a scheduler notifies logic 220 within a dynamic analysis engine 175 of an upcoming analysis of the suspicious object to determine if the object is potentially malicious, col 8 lines 10-16);
receiving, by the host, a remediation instruction from the manager, in response to the manager having verified from at least the alarm that the virtual machine is infected with malicious code (The logic 220, referred to as a “virtual execution engine”, is responsible for managing VM disk snapshot updates within the VM disk image, loading of VM disk images into memory, and controlling instantiation one or more for analysis of the suspicious object, col 8 lines 16-21).
Vashisht may not explicitly disclose, but Kuwamura teaches wherein the point-in-time image is identified as the unsecure image based on the particular time which is indicated in the received remediation instruction (Referring to FIG. 4, a snapshot of a virtual machine is identified as being infected with a virus, step S21, para 0049 and FIG. 4. The snapshot corresponds to a point-in-time image of the virtual machine, since the virtual machine snapshots are periodically taken, para 0051).
The same motivation that was utilized for combining Vashisht and Kuwamura as set forth in claim 1 is equally applicable to claim 4.
As per dependent claim 5, Vashisht in combination with Kuwamura and Chandrasekhar discloses the method of claim 1. Vashisht teaches wherein performing the monitoring process includes, comparing, by the host, one or more operations performed by the virtual machine against a whitelist for compliance with operations identified in the whitelist (The unexpected or unusual behavior caused by a malware are summarized in col 6 lines 6-29. The evasive behaviors are detected by activities which may include simulated user interaction (e.g., mouse movement or clicks, password or other data entry, etc.) or processing procedures that are designed to quickly address detected activation delays or other evasive behaviors by malware. For instance, generating the guest VM instance, an image launcher 410 may be configured to update software components associated with malware detection that cause the virtual guest instance to perform a different user interaction pattern when processing a suspect object to actuate or trigger observable behavior by the object, col 11 lines 21-44. Since observable behavior of a suspect object are actuated or triggered, it would be obvious to those of ordinary skill in the art to compare the observed behavior of the suspected object to a whitelist to determine compliance).
As per dependent claim 6, Vashisht in combination with Kuwamura and Chandrasekhar discloses the method of claim 1. Vashisht may not explicitly disclose, but Kuwamura teaches further comprising performing a virus scan on a plurality of point-in-time images that are generated prior to the unsecure image, wherein the virus scan is performed on the plurality of point-in-time images in reverse time order in which the plurality of point-in-time images were generated, until a particular point-in-time image is determined by the virus scan to be the secure point-in-time image (Referring to FIG. 4, a preceding snapshot of the virtual machine is restored at step S23 and is scanned for virus at step S24. At step S25, if it is determined that the preceding snapshot is infected with virus, then the flow of FIG. 4 loops back to step S22, paras 0049-0052 and FIG. 4. At step S27, a VM is resumed from a preceding snapshot that is not infected with virus).
The same motivation that was utilized for combining Vashisht and Kuwamura as set forth in claim 1 is equally applicable to claim 6.
As per dependent claim 7, Vashisht in combination with Kuwamura and Chandrasekhar discloses the method of claim 1. Vashisht and Kuwamura may not explicitly disclose, but Chandrasekhar teaches further comprising sending, by the host to a manager, report information whenever the monitoring process determines that the monitored operational behavior is compliant with the expected operational behavior, wherein the manager uses the report information to identify times that correspond to secure point-in-time images (A virtual machine image reputation database 232 may comprise a database or other listing of virtual machine images that are known to be good (i.e., safe) or known to be bad (e.g., infected with malware), col 3 lines 43-46 and FIG. 2).
The same motivation that was utilized for combining Vashisht and Chandrasekhar as set forth in claim 1 is equally applicable to claim 7.
As per claims 8-14, these claims are respectively rejected based on arguments provided above for similar rejected claims 1-7. For computer program product on a non-transitory computer readable medium see col 5 lines 26-27 of Vashisht.
As per claims 15-21, these claims are respectively rejected based on arguments provided above for similar rejected claims 1-7. See FIG. 1 of Vashisht for a network device 100 comprising processor 110 and memory 120.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZUBAIR AHMED whose telephone number is (571)272-1655. The examiner can normally be reached 7:30AM - 5:00PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, DAVID X YI can be reached on (571) 270-7519. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZUBAIR AHMED/Examiner, Art Unit 2132                                                                                                                                                                                                        
/DAVID YI/Supervisory Patent Examiner, Art Unit 2132