DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


2.	Claims 20–39 are pending for examination in the reply filed on 11/29/2022.  Claims 1–19 are cancelled.


Examiner’s Remarks
3.	Examiner refers to and explicitly cites particular pages, sections, figures, paragraphs or columns and lines in the references as applied to Applicant’s claims to the extent practicable to streamline prosecution.
Although the cited portions of the references are representative of the best teachings in the art and are applied to meet the specific limitations of the claims, other uncited but related teachings of the references may be equally applicable as well.  It is respectfully requested that, in preparing responses to the rejections, the Applicant fully considers not only the cited portions of the references, but also the references in their entirety, as potentially teaching, suggesting or rendering obvious all or one or more aspects of the claimed invention.

Abbreviations
4.	Where appropriate, the following abbreviations will be used when referencing Applicant’s submissions and specific teachings of the reference(s):
i.	figure / figures:		Fig. / Figs.
ii.	column / columns:		Col. / Cols.
iii.	page / pages:			p. / pp.

References Cited
5.	(A)	Loureiro et al., US 2017/0111384 A1 (“Loureiro”).
	(B)	Kempe et al., US 10,469,304 B1 (“Kempe”).
	(C)	Bahl, US 2008/0189788 A1.
	(D)	Palagummi, US 2011/0289584 A1.
	(E)	Sudhakaran et al., US 2017/0031704 A1 (“Sudhakaran”).

	These references were each cited in the previous Office action.


Notice re prior art available under both pre-AIA  and AIA 
6.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

A.
7.	Claims 20, 22, 24–25, 28–30, 32, 34–35, and 38–39 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Loureiro in view of (B) Kempe and (C) Bahl.
See “References Cited” section, above, for full citations of references.

8.	Regarding claim 20, (A) Loureiro teaches/suggests the invention substantially as claimed, including:
“A system for inspecting data, the system comprising:
	at least one processor configured to:”
(¶ 33: analysis system 4 comprises a scanner 5 and a database of data relative to the vulnerabilities 6, to the scripts of tests 7 of the servers 2, to the security policies 8, and to the histories 9 of the analyses carried out;
the Examiner notes: the analysis system requires or renders obvious using a processor or CPU to carry out the analysis or detection of vulnerabilities;
see also, (B) Kempe, infra, Fig. 21 and Col. 28, teaching a computing system including one or more processors coupled to a system memory);

“establish an interface between a client environment and security components ...”
(¶ 14: system for analyzing vulnerabilities requests the cloning of the virtual production server in order to obtain a clone or a disk copy of the virtual production server;
¶ 31: The cloud computer system 1 comprises an infrastructure of programming interfaces (APIs) 3 that in particular allows the virtual production servers 2 to be created and managed in the system 1;
¶ 37: once the connection has been made, the analysis system 4 uses an API, present in the system 1, that allows the server 2 to be cloned);

	“generate at least one snapshot of the virtual disks of the virtual machine”
(¶ 15: the clone or the disk copy is created in the virtual or cloud computer system;
¶ 37: key is provided to the cloud computer system and this system then creates a clone (or disk copy) of the virtual server 2;
¶¶ 22 and 35: for the connection, the IP address and/or the identifier of the server, as well as a key that allows the server to be cloned or at least a disk copy of the virtual disk or disks of said server to be made, are provided to the analysis system, then the system generates at least one key for the administration of the clone or for the attachment of the disk copy; -- the connection is carried out with or without authentication, via a secure tunnel or scripts copied onto the clone; -- the clone or the disk copy is placed in an isolated zone of the cloud computer system);

	“analyze the at least one snapshot to detect at least one of vulnerabilities ... wherein analyzing the at least one snapshot requires no interaction with the virtual machine”
(¶ 17: the system for analyzing vulnerabilities analyzes the vulnerabilities of the clone or of the disk copy;
¶¶ 44–45: The system 4 for analyzing vulnerabilities then analyzes the vulnerabilities of the clone 10. For this purpose, it uses the data contained in the databases of data relative to the vulnerabilities ... analysis involves carrying out tests and verifying files on the clone 10;
the Examiner notes: analyzing the vulnerabilities of the clone does not require interacting with the virtual production server); and

	“report the detected vulnerabilities as alerts”
(¶ 19: a report analyzing the vulnerabilities of the clone or of the disk copy is generated;
¶ 50: Reports are created and dashboards are created with the state of the security of the virtual servers ... allows alerts to be generated when the analysis system identifies a critical vulnerability or an event that violates a security policy).

Loureiro does not teach: “using the interface, utilize cloud computing platform APIs to identify virtual disks of a virtual machine in the client environment; use the computing platform APIs to query a location of at least one of the identified virtual disks; receive an identification of the location of the virtual disks of the virtual machine.”

(B) Kempe however teaches or suggests:

	“using the interface, utilize cloud computing platform APIs to identify virtual disks of a virtual machine in the client environment”
(Col. 4, lines 41–43: Clients of the service provider may access various services of the provider network via APIs;
Col. 19, lines 62–67: network visualization service may receive a UI event from a client device on which a client private network diagram is displayed. The event may, for example, request information on a selected resource instance or connection;
Col. 23, lines 9–14: The provider data center 1000 may, for example, provide clients the ability to implement virtual computing systems (VMs 1024) via a hardware virtualization service and the ability to implement virtualized data stores 1016 on storage resources 1018 via a storage virtualization service);

	“use the computing platform APIs to query a location of at least one of the identified virtual disks; receive an identification of the location of the virtual disks of the virtual machine”
(Col. 9, lines 35–57: UI event handler 26 may obtain the requested information for the virtual resource instance either from information already collected by data collection 22 component or by querying one or more provider network management processes 12 to request the information ... examples of information for a resource component that may be thus displayed include, but are not limited to ... health information, status information, lists or ranges of IP addresses or endpoints of the respective virtual resource instance).


It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kempe with those of Loureiro, to provide direct client access to various functions, services, and information of the virtualization system on a cloud-computing network.  The motivation or advantage to do so is to provide greater user/admin control over the viewing, selection and managing of the (statuses and configurations of) virtual machines.

Loureiro and Kempe do not teach “determine a risk level of the virtual machine” and “wherein the alerts are filtered and prioritized based on the determined risk level of the virtual machine.”

(C) Bahl however teaches or suggests:
“determine a risk level of the virtual machine”
(Fig. 6 and ¶ 83: determined whether a change in the security state of the system has occurred ... If a change in the security state has occurred;
Fig. 7A and ¶¶ 86–87: At a step 702, a change in the security state is detected. After the step 702, processing proceeds to a step 704 at which the security state is assessed. After the step 704, processing proceeds to a step 706 where a tiered set of actions are caused to be performed. The tiered set of actions may be performed automatically following the assessment of the security state); and

“wherein the alerts are filtered and prioritized based on the determined risk level of the virtual machine”
Fig. 7A and ¶¶ 86–87: The tiered set of actions may be performed automatically following the assessment of the security state;
Fig. 4 and ¶ 66–67: Based on the risk level, the action taken by RM may include one or more of the identified actions and/or other actions. As the risk level increases, the actions taken may be cumulative of all actions taken at lower risk levels .... Generate alerts-Various types of alerts may be generated ranging from visual cues provided on the task bar to sending high-priority alerts).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bahl with those of Loureiro and Kempe, to prioritize and provide different types of alerts (and remedial or mitigation measures) based on a security state of the virtual machine and a risk level of the detected virus/threat.  The motivation or advantage to do so is to provide for the dynamic management and alleviation of virus threats based on risk levels.


9.	Regarding claim 22, Loureiro teaches/suggests:
“wherein during the analysis of the at least one snapshot, the virtual machine is active”
(¶ 30: Virtual production servers are servers that are accessible to their users for the execution of applications;
¶ 7: the performance and the availability of the production servers ( and of their applications) are affected by the searches for vulnerabilities. Indeed, these searches use up significant resources on the servers;
the Examiner notes: analyzing the vulnerabilities of the clones, rather than the actual production servers, solves the prior art problems by providing for the availability and accessibility of the servers to their users for application executions).

10.	Regarding claim 24, Loureiro teaches/suggests:
“wherein the at least one processor is further configured to implement a remedial action for at least one of the detected vulnerabilities”
(¶ 21: fix the vulnerabilities of the virtual production server).

11.	Regarding claim 25, Kempe teaches/suggests:
“wherein the identification of the location of the virtual disks of the virtual machine includes a virtual address of at least one of the virtual disks”
(Col. 9, lines 35–57: lists or ranges of IP addresses or endpoints of the respective virtual resource instance or lists).

12.	Regarding claim 28, Loureiro teaches/suggests:
“wherein the at least one snapshot includes a plurality of snapshots, and the at least one processor is configured to generate the plurality of snapshots according to a predetermined schedule”
(¶ 41: schedule the creation of the disk copies or clones in such a way that this creation is carried out outside of periods of high demand for services).

13.	Regarding claim 29, Loureiro teaches/suggests:
“wherein the at least one processor is configured to generate the at least one snapshot in response to a predetermined trigger event”
((¶ 41: schedule the creation of the disk copies or clones in such a way that this creation is carried out outside of periods of high demand for services).

14.	Regarding claims 30, 32, 34–35, and 38, they are the corresponding method claims reciting similar limitations of commensurate scope as the system of claims 20, 22, 24–25 and 28, respectively. Therefore, they are rejected on the same basis as claims 20, 22, 24–25 and 28 above.

15.	Regarding claim 39, it is the corresponding computer program product claim reciting similar limitations of commensurate scope as the system of claim 20. Therefore, it is rejected on the same basis as claim 20 above.


B.
16.	Claims 23 and 33 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Loureiro in view of (B) Kempe and (C) Bahl, as applied to claims 20 and 30 above, and further in view of (D) Palagummi.

17.	Regarding claim 23, Loureiro, Kempe and Bahl do not teach “wherein reporting the detected vulnerabilities as alerts includes indicating priority levels associated with the detected vulnerabilities.”

(D) Palagummi however teaches or suggests:
“wherein reporting the detected vulnerabilities as alerts includes indicating priority levels associated with the detected vulnerabilities”
(¶ 28: In addition to the names, some embodiments will display a threat level associated with the listed virus).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further combine the teachings of Palagummi with those of Loureiro, Kempe, and Bahl to provide a threat level in the scan results. The motivation or advantage to do so is to inform user or administrator the severity of the virus threat (e.g. in assessing whether additional corrective action is necessary).

18.	Regarding claim 33, it is the corresponding method claim reciting similar limitations of commensurate scope as the system of claim 23. Therefore, it is rejected on the same basis as claim 23 above.


C.
19.	Claims 26 and 36 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Loureiro in view of (B) Kempe and (C) Bahl, as applied to claims 20 and 30 above, and further in view of (E) Sudhakaran.

20.	Regarding claim 26, Loureiro, Kempe and Bahl do not teach “wherein the at least one
snapshot includes a change log of at least one of the virtual disks configured to restore the virtual machine to a particular point in time.”

(E) Sudhakaran however teaches or suggests:
“wherein the at least one snapshot includes a change log of at least one of the virtual disks configured to restore the virtual machine to a particular point in time”
(¶¶ 11–12: a VM snapshot in the virtualization context is a copy of the Virtual Machine's disk file and/or other information ( e.g., a memory dump of the Virtual Machine's memory) at a given point in time. In some examples, snapshots provide a change log for a Virtual Disk and are used to restore a VM to a particular point in time when a failure or system error occurs. VM).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further combine the teachings of Sudhakaran with those of Loureiro, Kempe, and Bahl to provide a change log in the disk copies (or backup copies) of the virtual disk or production server, i.e. snapshots. The motivation or advantage to do so is to allow for the restoration of the virtual production server when a system failure or error occurs).

21.	Regarding claim 36, it is the corresponding method claim reciting similar limitations of commensurate scope as the system of claim 26. Therefore, it is rejected on the same basis as claim 23 above.


Allowable Subject Matter
22.	Claims 21, 27, 31, and 37 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Response to Arguments
23.	Applicant’s arguments with respect to the claims have been considered but they are not persuasive.  Therefore, the 103 rejections are maintained.

In the Remarks, the Applicant contends the following:

a.	Examiner improperly misconstrued the claim by failing to address the claimed “a list of installed applications, sensitive data, keys, or non-secure configurations."

b.	Bahl do not describe determining a risk level of a virtual machine, as required by independent claim 20. Rather, at best, Bahl describes determining a risk level of an operating system. And a virtual machine and an operating system are not the same.

c.	Bahl, in Figure 7 A with Paragraphs 86-87 and Figure 4 with Paragraphs 66-67, describes causing a tiered set of actions to be performed related to a security state, not “wherein the alerts are filtered and prioritized based on the determined risk level of the virtual machine.”

The Examiner disagrees:

(a)	The claim limitation at issue recites:
“analyze the at least one snapshot to detect at least one of vulnerabilities, a list of installed applications, sensitive data, keys, or nonsecure configurations.” 

This limitation is thus presented in the ALTERNATIVE, requiring only detecting at least one (rather than all) of the listed elements.

	As applied in rejecting claim 20, Loureiro teaches or suggests: “analyze the at least one snapshot to detect at least one of vulnerabilities ... wherein analyzing the at least one snapshot requires no interaction with the virtual machine” in paragraphs 17 and 44–45.

(b)	As applied in rejecting claim 20, Loureiro teaches detecting and determining vulnerabilities (risks) of a virtual machine (¶ 50: Loureiro’s virtual production servers).  Loureiro does not teach categorizing the vulnerabilities or risks into different levels for reporting.
Bahl describes determining a risk level of an operating system, teachings which may be applied to Loureiro’s invention, so as to determine different vulnerability or risk levels of  virtual machines.

This rejection is based on a combination of references and one cannot show nonobviousness (of the combination) by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Accordingly, Bahl’s teachings must be understood in the context of Loureiro’s invention (primary reference).
	
Moreover, there’s nothing of record to show that an ordinary artisan would be dissuaded from applying the teaching of determining a risk level of an operating system to other types of software environments or systems that employs softwares — such as virtual machines or virtual servers, which requires at least a virtualization software component (e.g. hypervisor or host operating system) to function.

(c)	In Bahl’s paragraph 67, specifically cited and applied in the rejecting claim 20, Bahl teaches that “in alerting the user, the machine may inform the user of the new risk level and ask the user to confirm the triggering of specific mitigating actions.” That is, alerts are filtered and prioritized by the user, enabling the user to determine whether one or more specific mitigating measures (amongst multiple measures) should be taken based on the risks involved and possible impacts to the system.
	Additionally, in determining whether an low-level alert should be sent to the user to confirm the triggering of specific mitigating actions, or whether a high-priority alert should be send to a server and central controller that then automatically takes mitigation and remedial measures, Bahl teaches that these alerts are initially “filtered” based on the users/targets of the alerts, and then “prioritized” based on the actions taken at different risk levels, whether automatically or determined (confirmed) by the user.



Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN C WU whose telephone number is (571)270-5906.  The examiner can normally be reached on Monday through Friday, 8:30 A.M. to 5:00 P.M..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai An can be reached on (571)272-3756.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BENJAMIN C WU/Primary Examiner, Art Unit 2195                                                                                                                                                                                                        
December 16, 2022