DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to amendments filed on 03/16/2026. Claims 7-21 and 23-26 are currently pending in the application.
Response to Arguments
Applicant’s arguments with respect to 103 rejections made regarding claims 7, 11, and 17 have been considered but are moot in view of the new rejections made below.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 7-14, 17-20, and 23-26 are rejected under 35 U.S.C. 103 as being unpatentable over US PGPub. No. 20190109870 to BEDHAPUDI et al. (hereinafter BEDHAPUDI) in view of US PGPub. No. 20220303295 to ERLINGSSON et al. (hereinafter ERLINGSSON) and further in view of US PGPub. No. 20200201675 to Li; Yilong (hereinafter Li).
Regarding claim 7, BEDHAPUDI discloses a computer-implemented method (¶0036, “…automated ransomware detection described herein in reference to various embodiments cannot reasonably be performed by humans alone, without the computer technology upon which they are implemented”) comprising:
obtaining an indication of a change in an object at a production environment of the object (¶0291, “the filter driver 314 may intercept data modification operations that include changes, updates, and/or new information (e.g., file creation, file deletion, file modification, file renaming, etc.) with respect to one or more of the application(s) 310. For example, the filter driver 314 may locate, monitor, and/or process one or more of the following with respect to a particular application 310, application type, or group of applications (e.g., some or all of the application(s) 310): file system operations (e.g., file creation, file deletion, file modification, file renaming), data management operations (e.g., data write operations, file attribute modifications), logs or journals (e.g., NTFS change journal), configuration files, file settings, control files, other files used by one or more of the application(s) 310, combinations of the same or the like. In certain embodiments, such data may also be gathered from files across multiple storage systems within the client computing device 302 (production environment). Furthermore, the filter driver 314 may be configured to monitor changes to particular volumes, directories, and/or files within the file system 316.”, wherein file creation, file deletion, file modification, file renaming are indications of a change in an object ), wherein one or more snapshot images of the object are stored at a backup environment (¶0086, “… a disk array capable of performing hardware snapshots stores primary data 112 and creates and stores hardware snapshots of the primary data 112 as secondary copies 116. Secondary copies 116 may be stored in relatively slow and/or lower cost storage (e.g., magnetic tape). 
A secondary copy 116 may be stored in a backup or archive format, or in some other format different from the native source application format or other format of primary data 112.”), (¶0079, “…As used herein, a “data object” can refer to (i) any file that is currently addressable by a file system or that was previously addressable by the file system (e.g., an archive file), and/or to (ii) a subset of such a file (e.g., a data block, an extent, etc.)…”);
generating an alert that comprises the indication of the change (¶0004, “…The software module records the number of times the files in the file system are modified, created, deleted, and/or renamed. The recorded number is compared against a threshold. If the number exceeds the threshold, the software module provides an alert to the user of the client machine that the client machine may be under a ransomware attack”), (¶0312, “At block 510, the filter driver 314 causes a warning to be output (e.g., via a user interface, email, or another notification service). For example, the filter driver 314 may cause the client computing device 302 to display a file activity anomaly alert 1400 shown in FIG. 14… As shown in FIG. 16, file activity anomalies detected in multiple client computing devices 302 may be presented via a single user interface and provide an indication of the file system operations that triggered the anomaly detection.”);
based on the alert, identifying the object (¶0312, “… As shown in FIG. 16, file activity anomalies detected in multiple client computing devices 302 may be presented via a single user interface and provide an indication of the file system operations that triggered the anomaly detection.”);
storing the alert in a database (¶0320, “such an algorithm may compare the data stored in the local database with one or more thresholds for triggering a file activity anomaly detection, as described in connection with block 506. The anomaly detection engine 320 may run the anomaly detection algorithm on the local database periodically (e.g., every 5 minutes, 30 minutes, 1 hour, 6 hours, 12 hours, 24 hours, 7 days, etc.). The anomaly detection algorithm may determine, based on the historical data stored in the local database, a baseline number of file system operations and detect any spikes in the number of file system operations based on the baseline number…”, wherein running the anomaly detection algorithm on the local database periodically to determine, based on the historical data stored in the local database, a baseline number of file system operations and detect any spikes in the number of file system operations based on the baseline number is an indication that the alert has been stored in the database), the alert identifying the object (¶0312, “the filter driver 314 causes a warning to be output (e.g., via a user interface, email, or another notification service). For example, the filter driver 314 may cause the client computing device 302 to display a file activity anomaly alert 1400 shown in FIG. 14. The filter driver 314 may further cause a report to be stored in a page accessible by the user (e.g., as illustrated by the user interface 1500 of FIG. 15)…”);
polling the database to identify a new alert, the new alert comprising the alert (¶0320, “…The anomaly detection engine 320 may run the anomaly detection algorithm on the local database periodically (e.g., every 5 minutes, 30 minutes, 1 hour, 6 hours, 12 hours, 24 hours, 7 days, etc.). The anomaly detection algorithm may determine, based on the historical data stored in the local database, a baseline number of file system operations and detect any spikes in the number of file system operations based on the baseline number. For example, if 100 file deletes were performed during the past 10 days, and the anomaly detection engine 320 determines that 2000 file deletes occurred today, the anomaly detection engine 320 may flag the 2000 file deletes as a file activity anomaly and alert the user and/or take remedial action.”);
based on identification of the new alert, identifying a snapshot image including the object (¶0316- ¶0317, “… For example, the directory change information may include file name changes, directory name changes, file attribute changes, file size changes, last write time changes, last access time changes, creation time changes, and/or any other changes in the directory or the files in the directory… The directory change information received from the notification service may identify which files were modified at what time, but may not include information necessary to determine the entropy change or sdhash value.”, wherein modified (changed) files will trigger alerts and the snapshot image is a file (object) which is in consonant with applicant disclosure in ¶0091- ¶0092), (¶0164, “a snapshot may be thought of as an “instant” image of primary data 112 at a given point in time, and may include state and/or status information relative to an application 110 that creates/manages primary data 112. In one embodiment, a snapshot may generally capture the directory structure of an object in primary data 112 such as a file or volume or other data set at a particular moment in time and may also preserve file attributes and contents”);
retrieving data and/or metadata concerning the object from the production environment (¶0080-¶0081, “It can also be useful in performing certain functions of system 100 to access and modify metadata within primary data 112. Metadata generally includes information about data objects and/or characteristics associated with the data objects…In addition to metadata generated by or related to file systems and operating systems, some applications 110 and/or other components of system 100 maintain indices of metadata for data objects, e.g., metadata associated with individual email messages…A client computing device 102 is said to be associated with or in communication with a particular primary storage device 104 if it is capable of one or more of: routing and/or storing data (e.g., primary data 112) to the primary storage device 104, coordinating the routing and/or storing of data to the primary storage device 104, retrieving data from the primary storage device 104, coordinating the retrieval of data from the primary storage device 104, and modifying and/or deleting data in the primary storage device 104. Thus, a client computing device 102 may be said to access data stored in an associated storage device 104”, FIG. 1D shows data movements between primary storage device 104 and client computing devices 102).
the first type of data processing and the second type of data processing are each one of a hash calculation, an entropy calculation, a data exposure check, or an email data and metadata review (¶0174, “In order to streamline the comparison process, system 100 may calculate and/or store signatures (e.g., hashes or cryptographically unique IDs) corresponding to the individual source data portions and compare the signatures to already-stored data signatures, instead of comparing entire data portions…”), an entropy calculation (¶0303, “…The I/O requests can be tracked by the file system filter driver, and encryption of the files in the file system can be predicted by calculating the entropy on data buffers.”), a data exposure check, or an email data and metadata review (¶0194, “…Content indexing can identify files or other data objects based on content (e.g., user-defined keywords or phrases, other keywords/phrases that are not defined by a user, etc.), and/or metadata (e.g., email metadata such as “to,” “from,” “cc,” “bcc,” attachment name, received time, etc.)”).
Although BEDHAPUDI discloses storing the alert report in a page accessible by the user (e.g., as illustrated by the user interface 1500 of FIG. 15) in ¶0312, BEDHAPUDI does not explicitly disclose:
retrieving data and/or metadata concerning the object from the production environment based at least in part on the identification of the new alert in the database that there was the change in the object; and
processing, based at least in part on the identification of the new alert in the database, the data and/or metadata concerning the object via two or more workflows in parallel, wherein:
each workflow of the two or more workflows processes, in parallel, the same data and/or metadata concerning the object from the production environment, a first workflow of the two or more workflows uses a first type of data processing, a second workflow of the two or more workflows uses a second type of data processing different from the first type, and the first type of data processing and the second type of data processing are each one of a hash calculation, an entropy calculation, a data exposure check, or an email data and metadata review.
ERLINGSSON discloses an alert database loader responsible for loading data into an appropriate data store (¶0155-¶0156, “… Data loader 136 can be implemented in any appropriate programming language, such as Java or C, and can be configured to use a Kinesis library to interface with Kinesis. In various embodiments, data loader 136 uses the Amazon Simple Queue Service (SQS) (e.g., to alert DB loader 140 that there is work for it to do)… DB loader 140 is a microservice that is responsible for loading data into an appropriate data store 30, such as SnowflakeDB or Amazon Redshift, using individual per-customer databases…”);
retrieving data and/or metadata concerning the object from the production environment based at least in part on the identification of the new alert in the database that there was the change in the object (¶0624, “… Referring 506 to the annotations for an unexpected change 512 may be carried out, for example, in response to receiving a security alert about an unexpected change 512 that has been detected in a second environment 514 and by manually or automatically referring to the annotations for the detected change 510 from the first environment 508. Alternatively, referring 506 to the annotations for an unexpected change 512 upon detecting the unexpected change 412 in a second environment 514 that is outside the second environment may be carried out by detecting an unexpected change 512 that has been detected in a second environment 514 and by manually or automatically referring to the annotations for the detected change 510 from the first environment 508. As described above, the annotations are evidence providing information about aspects of the detected change 510 in the software application and may include the developers' names, the reviewers' names, information about testing, a description or explanation of the change, or other relevant evidence documenting the change.”, wherein the annotations such as the developers' names, the reviewers' names, information about testing, a description or explanation of the change, or other relevant evidence documenting the change are interpreted as data/metadata concerning the object), (¶0436, “Such changes can be surfaced as alerts, e.g., to help an administrator determine when/what anomalous behavior occurs within a datacenter…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BEDHAPUDI to include retrieving data/metadata of the changed object whenever a new alert is received as disclosed by ERLINGSSON and would have been motivated to do so in order to determine whether the change has been pre-approved, to identify a developer that should be contacted for determining whether the change is expected (ERLINGSSON ¶0624, in part).
However, the combination of BEDHAPUDI and ERLINGSSON does not explicitly disclose the limitation of:
processing, based at least in part on the identification of the new alert in the database, the data and/or metadata concerning the object via two or more workflows in parallel, wherein each workflow of the two or more workflows processes, in parallel, the same data and/or metadata concerning the object from the production environment, a first workflow of the two or more workflows uses a first type of data processing, a second workflow of the two or more workflows uses a second type of data processing different from the first type, and the first type of data processing and the second type of data processing are each one of a hash calculation, an entropy calculation, a data exposure check, or an email data and metadata review.
Li discloses processing, based at least in part on the identification of the new alert in the database, the data and/or metadata concerning the object via two or more workflows in parallel, wherein each workflow of the two or more workflows processes, in parallel, the same data and/or metadata concerning the object from the production environment, a first workflow of the two or more workflows uses a first type of data processing, a second workflow of the two or more workflows uses a second type of data processing different from the first type, and the first type of data processing and the second type of data processing are each one of a hash calculation, an entropy calculation, a data exposure check, or an email data and metadata review (abstract, ¶0036-¶0039, “…FIG. 7B depicts an exemplary workflow environment having four workflows 712-718 that are queued, but not yet executed. Each workflow includes a pre-processing step (such as adapter trimming) 722, a reference alignment step 724, a sorting step 726, and a variant calling step 728. In this example, workflows 712-718 include the same pre-processing step 722 that is executed on the same initial set of sequence reads and generates the same output files. In addition, each workflow includes the same sorting step 726. But workflows 712 and 714 use Bowtie2 for reference alignment, while workflows 716 and 718 use BWA. Additionally, workflows 712 and 716 use GATK for variant calling and workflows 714 and 718 use FreeBayes. Upon the processor identifying each step in the workflows 712-718 and generating the hash values associated therewith (as shown in FIG. 7B), the processor may identify instances that have an identical hash value and can thereby share the output files. For example, at the adapter trimming step 722, each workflow yields the same hash value (“SGJW”), and thus only one of these adapter trimming steps needs to be executed. 
The unexecuted steps may be marked as complete, i.e., no need for execution (shown in grey in FIG. 7B). At the alignment stage 724, because Bowtie and BWA yield different hash values (E05Y and I5TZ, respectively), only one Bowtie2 in workflow 712 or 714 and one BWA in workflow 716 or 718 needs to be executed. In this example, Bowtie2 in workflow 712 and BWA in workflow 716 are executed, while Bowtie2 in workflow 714 and BWA in workflow 718 are not executed (and thus are marked in grey). The sorting steps are similarly processed. Finally, each variant calling step 728 needs to be executed independently, as each variant generates a unique hash value in each workflow. As a result of this approach, the workflows have been optimized to reduce the total number of operations from 16 to 9…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BEDHAPUDI and ERLINGSSON to include processing two or more workflows in parallel using different data processing types as disclosed by Li and would have been motivated to do so in order to optimize the workflows to reduce the total number of operations (Li ¶0037, in part).
Regarding claim 8, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the computer-implemented method of claim 7.
BEDHAPUDI further discloses wherein the data and/or metadata concerning the object is retrieved from the production environment via an application programming interface associated with the production environment (¶0094, “Some or all primary data 112 objects are associated with corresponding metadata (e.g., “Meta1-11”), which may include file system metadata and/or application-specific metadata…. For example, secondary copy data object 134A represents three separate primary data objects 133C, 122, and 129C (represented as 133C′, 122′, and 129C′, respectively, and accompanied by corresponding metadata Meta11, Meta3, and Meta8, respectively)”), (¶0077, FIG. 1A, “…Communication pathways 114 in some cases may also include application programming interfaces (APIs) including, e.g., cloud service provider APIs, virtual machine management APIs, and hosted service provider APIs…”), (¶0122, “User interface 158 may include information processing and display software, such as a graphical user interface (GUI), an application program interface (API), and/or other interactive interface(s) through which users and system processes can retrieve information about the status of information management operations or issue instructions to storage manager 140 and other components…”), (¶0245, “The target media agent 144A receives the data-agent-processed data from client computing device 102, and at step 4 generates and conveys backup copy 116A to disk library 108A to be stored as backup copy 116A, again at the direction of storage manager 140 and according to backup copy rule set 160. Media agent 144A can also update its index 153 to include data and/or metadata related to backup copy 116A, such as information indicating where the backup copy 116A resides on disk library 108A, where the email copy resides, where the file system copy resides, data and metadata for cache retrieval, etc…”).
Regarding claim 9, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the computer-implemented method of claim 7.
BEDHAPUDI further discloses further comprising:
registering the two or more workflows concerning the object (¶0210-¶0211, “…Another type of information management policy 148 is an “audit policy” (or “security policy”), which comprises preferences, rules and/or criteria that protect sensitive data in system 100. For example, an audit policy may define “sensitive objects” which are files or data objects that contain particular keywords (e.g., “confidential,” or “privileged”) and/or are associated with particular keywords (e.g., in metadata) or particular flags (e.g., in metadata identifying a document or email as personal, confidential, etc.). An audit policy may further specify rules for handling sensitive objects. As an example, an audit policy may require that a reviewer approve the transfer of any sensitive objects to a cloud storage site, and that if approval is denied for a particular sensitive object, the sensitive object should be transferred to a local primary storage device 104 instead. To facilitate this approval, the audit policy may further specify how a secondary storage computing device 106 or other system component should notify a reviewer that a sensitive object is slated for transfer.”, wherein approving the transfer of any sensitive objects to a cloud storage site, transferring the sensitive object to a local primary storage device and, further specifying how a secondary storage computing device or other system component should notify a reviewer that a sensitive object is slated for transfer are plurality of workflows. 
Specifying the policies and conditions/criteria that trigger the workflows is interpreted as registering the workflows with the system ), wherein processing the data and/or metadata is based at least in part on the registering (¶0072, “...system 100 generally refers to a combination of specialized components used to protect, move, manage, manipulate, analyze, and/or process data and metadata generated by client computing devices 102.”), (¶0254, “…A classification rule defines a particular combination of criteria, such as users who have created, accessed or modified a document or data object; file or application types; content or metadata keywords; clients or storage locations; dates of data creation and/or access; review status or other status within a workflow (e.g., reviewed or un-reviewed); modification times or types of modifications; and/or any other data attributes in any combination, without limitation”, wherein users reviewing the status within a workflow is an indication that the workflow has been registered and wherein workflow is understood to be a sequence of tasks/steps that processes a set of data from initiation to completion), (¶0242, “Referring to FIG. 1E, at step 1, storage manager 140 initiates a backup job according to the backup copy rule set 160, which logically comprises all the secondary copy operations necessary to effectuate rules 160 in storage policy 148A every hour, including steps 1-4 occurring hourly. For instance, a scheduling service running on storage manager 140 accesses backup copy rule set 160 or a separate scheduling policy associated with client computing device 102 and initiates a backup job on an hourly basis. 
Thus, at the scheduled time, storage manager 140 sends instructions to client computing device 102 (i.e., to both data agent 142A and data agent 142B) to begin the backup job.”, wherein sending instructions to client computing device 102 (i.e., to both data agent 142A and data agent 142B) to begin the backup job based on the rule set is registration of a workflow. Applicant in paragraph 96 of applicant’s specification includes backup as an example of a workflow that can be registered).
Regarding claim 10, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the computer-implemented method of claim 9.
BEDHAPUDI further discloses further comprising:
identifying potential malware included in the data and/or metadata based at least in part on the processing (FIG. 6, ¶0316-¶0324, wherein files are being analyzed to determine anomaly, and the files include metadata), (¶0369, “… the client computing device 302 may create a rule that causes the client computing device 302 to identify a specific type of file system operations as a file activity anomaly. For example, if the client computing device 302 determines that a set of file system operations, while insufficient to trigger an anomaly detection by itself, constitutes harmful operations performed also on one or more other client computing devices within the network, the client computing device 302 may create a rule that causes the client computing device 302 to identify such operations as a file activity anomaly.”), and (¶0134, “…during a secondary copy operation, data agent 142 may arrange or assemble the data and metadata into one or more files having a certain format (e.g., a particular backup or archive format) before transferring the file(s) to a media agent 144 or other component. The file(s) may include a list of files or other metadata.”).
Regarding claim 11, BEDHAPUDI discloses a non-transitory, machine-readable medium storing instructions which, when read by a machine (¶0399, “A non-transitory computer readable medium storing instructions, which when executed by at least one computing device, perform a method as generally shown and described herein and equivalents thereof.”) cause the machine to perform comprising, at least:
obtaining an indication of a change in an object at a production environment of the object (¶0291, “the filter driver 314 may intercept data modification operations that include changes, updates, and/or new information (e.g., file creation, file deletion, file modification, file renaming, etc.) with respect to one or more of the application(s) 310. For example, the filter driver 314 may locate, monitor, and/or process one or more of the following with respect to a particular application 310, application type, or group of applications (e.g., some or all of the application(s) 310): file system operations (e.g., file creation, file deletion, file modification, file renaming), data management operations (e.g., data write operations, file attribute modifications), logs or journals (e.g., NTFS change journal), configuration files, file settings, control files, other files used by one or more of the application(s) 310, combinations of the same or the like. In certain embodiments, such data may also be gathered from files across multiple storage systems within the client computing device 302 (production environment). Furthermore, the filter driver 314 may be configured to monitor changes to particular volumes, directories, and/or files within the file system 316.”, wherein file creation, file deletion, file modification, file renaming are indications of a change in an object ), wherein one or more snapshot images of the object are stored at a backup environment (¶0086, “… a disk array capable of performing hardware snapshots stores primary data 112 and creates and stores hardware snapshots of the primary data 112 as secondary copies 116. Secondary copies 116 may be stored in relatively slow and/or lower cost storage (e.g., magnetic tape). 
A secondary copy 116 may be stored in a backup or archive format, or in some other format different from the native source application format or other format of primary data 112.”), (¶0079, “…As used herein, a “data object” can refer to (i) any file that is currently addressable by a file system or that was previously addressable by the file system (e.g., an archive file), and/or to (ii) a subset of such a file (e.g., a data block, an extent, etc.)…”);
generating an alert that comprises the indication of the change (¶0004, “…The software module records the number of times the files in the file system are modified, created, deleted, and/or renamed. The recorded number is compared against a threshold. If the number exceeds the threshold, the software module provides an alert to the user of the client machine that the client machine may be under a ransomware attack”), (¶0312, “At block 510, the filter driver 314 causes a warning to be output (e.g., via a user interface, email, or another notification service). For example, the filter driver 314 may cause the client computing device 302 to display a file activity anomaly alert 1400 shown in FIG. 14… As shown in FIG. 16, file activity anomalies detected in multiple client computing devices 302 may be presented via a single user interface and provide an indication of the file system operations that triggered the anomaly detection.”);
based on the alert, identifying the object (¶0312, “… As shown in FIG. 16, file activity anomalies detected in multiple client computing devices 302 may be presented via a single user interface and provide an indication of the file system operations that triggered the anomaly detection.”);
storing the alert, the alert identifying the object (¶0312, “the filter driver 314 causes a warning to be output (e.g., via a user interface, email, or another notification service). For example, the filter driver 314 may cause the client computing device 302 to display a file activity anomaly alert 1400 shown in FIG. 14. The filter driver 314 may further cause a report to be stored in a page accessible by the user (e.g., as illustrated by the user interface 1500 of FIG. 15)…”);
polling the database to identify a new alert, the new alert comprising the alert (¶0320, “…The anomaly detection engine 320 may run the anomaly detection algorithm on the local database periodically (e.g., every 5 minutes, 30 minutes, 1 hour, 6 hours, 12 hours, 24 hours, 7 days, etc.). The anomaly detection algorithm may determine, based on the historical data stored in the local database, a baseline number of file system operations and detect any spikes in the number of file system operations based on the baseline number. For example, if 100 file deletes were performed during the past 10 days, and the anomaly detection engine 320 determines that 2000 file deletes occurred today, the anomaly detection engine 320 may flag the 2000 file deletes as a file activity anomaly and alert the user and/or take remedial action.”);
based on identification of the new alert, identifying a snapshot image including the object (¶0316- ¶0317, “… For example, the directory change information may include file name changes, directory name changes, file attribute changes, file size changes, last write time changes, last access time changes, creation time changes, and/or any other changes in the directory or the files in the directory… The directory change information received from the notification service may identify which files were modified at what time, but may not include information necessary to determine the entropy change or sdhash value.”, wherein modified (changed) files will trigger alerts and the snapshot image is a file (object) which is in consonant with applicant disclosure in ¶0091- ¶0092), (¶0164, “a snapshot may be thought of as an “instant” image of primary data 112 at a given point in time, and may include state and/or status information relative to an application 110 that creates/manages primary data 112. In one embodiment, a snapshot may generally capture the directory structure of an object in primary data 112 such as a file or volume or other data set at a particular moment in time and may also preserve file attributes and contents”); and
retrieving data and/or metadata concerning the object from the production environment (¶0080-¶0081, “It can also be useful in performing certain functions of system 100 to access and modify metadata within primary data 112. Metadata generally includes information about data objects and/or characteristics associated with the data objects…In addition to metadata generated by or related to file systems and operating systems, some applications 110 and/or other components of system 100 maintain indices of metadata for data objects, e.g., metadata associated with individual email messages…A client computing device 102 is said to be associated with or in communication with a particular primary storage device 104 if it is capable of one or more of: routing and/or storing data (e.g., primary data 112) to the primary storage device 104, coordinating the routing and/or storing of data to the primary storage device 104, retrieving data from the primary storage device 104, coordinating the retrieval of data from the primary storage device 104, and modifying and/or deleting data in the primary storage device 104. Thus, a client computing device 102 may be said to access data stored in an associated storage device 104”, FIG. 1D shows data movements between primary storage device 104 and client computing devices 102).
the first type of data processing and the second type of data processing are each one of a hash calculation, an entropy calculation, a data exposure check, or an email data and metadata review (¶0174, “In order to streamline the comparison process, system 100 may calculate and/or store signatures (e.g., hashes or cryptographically unique IDs) corresponding to the individual source data portions and compare the signatures to already-stored data signatures, instead of comparing entire data portions…”), an entropy calculation (¶0303, “…The I/O requests can be tracked by the file system filter driver, and encryption of the files in the file system can be predicted by calculating the entropy on data buffers.”), a data exposure check, or an email data and metadata review (¶0194, “…Content indexing can identify files or other data objects based on content (e.g., user-defined keywords or phrases, other keywords/phrases that are not defined by a user, etc.), and/or metadata (e.g., email metadata such as “to,” “from,” “cc,” “bcc,” attachment name, received time, etc.)”).
Although BEDHAPUDI discloses storing the alert report in a page accessible by the user (e.g., as illustrated by the user interface 1500 of FIG. 15) in ¶0312, BEDHAPUDI does not explicitly disclose:
retrieving data and/or metadata concerning the object from the production environment based at least in part on the identification of the new alert in the database that there was the change in the object; and
processing, based at least in part on the identification of the new alert in the database, the data and/or metadata concerning the object via two or more workflows in parallel, wherein:
each workflow of the two or more workflows processes, in parallel, the same data and/or metadata concerning the object from the production environment, a first workflow of the two or more workflows uses a first type of data processing, a second workflow of the two or more workflows uses a second type of data processing different from the first type, and the first type of data processing and the second type of data processing are each one of a hash calculation, an entropy calculation, a data exposure check, or an email data and metadata review.
ERLINGSSON discloses an alert database loader responsible for loading data into an appropriate data store (¶0155-¶0156, “… Data loader 136 can be implemented in any appropriate programming language, such as Java or C, and can be configured to use a Kinesis library to interface with Kinesis. In various embodiments, data loader 136 uses the Amazon Simple Queue Service (SQS) (e.g., to alert DB loader 140 that there is work for it to do)… DB loader 140 is a microservice that is responsible for loading data into an appropriate data store 30, such as SnowflakeDB or Amazon Redshift, using individual per-customer databases…”);
retrieving data and/or metadata concerning the object from the production environment based at least in part on the identification of the new alert in the database that there was the change in the object (¶0624, “… Referring 506 to the annotations for an unexpected change 512 may be carried out, for example, in response to receiving a security alert about an unexpected change 512 that has been detected in a second environment 514 and by manually or automatically referring to the annotations for the detected change 510 from the first environment 508. Alternatively, referring 506 to the annotations for an unexpected change 512 upon detecting the unexpected change 412 in a second environment 514 that is outside the second environment may be carried out by detecting an unexpected change 512 that has been detected in a second environment 514 and by manually or automatically referring to the annotations for the detected change 510 from the first environment 508. As described above, the annotations are evidence providing information about aspects of the detected change 510 in the software application and may include the developers' names, the reviewers' names, information about testing, a description or explanation of the change, or other relevant evidence documenting the change.”, wherein the annotations such as the developers' names, the reviewers' names, information about testing, a description or explanation of the change, or other relevant evidence documenting the change is interpreted as data/metadata concerning the object), (¶0436, “Such changes can be surfaced as alerts, e.g., to help an administrator determine when/what anomalous behavior occurs within a datacenter…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BEDHAPUDI to include retrieving data/metadata of the changed object whenever a new alert is received, as disclosed by ERLINGSSON, and would have been motivated to do so in order to determine whether the change has been pre-approved, to identify a developer that should be contacted for determining whether the change is expected (ERLINGSSON ¶0624, in part).
However, the combination of BEDHAPUDI and ERLINGSSON does not explicitly disclose the limitation of:
processing, based at least in part on the identification of the new alert in the database, the data and/or metadata concerning the object via two or more workflows in parallel, wherein each workflow of the two or more workflows processes, in parallel, the same data and/or metadata concerning the object from the production environment, a first workflow of the two or more workflows uses a first type of data processing, a second workflow of the two or more workflows uses a second type of data processing different from the first type, and the first type of data processing and the second type of data processing are each one of a hash calculation, an entropy calculation, a data exposure check, or an email data and metadata review.
Li discloses processing, based at least in part on the identification of the new alert in the database, the data and/or metadata concerning the object via two or more workflows in parallel, wherein each workflow of the two or more workflows processes, in parallel, the same data and/or metadata concerning the object from the production environment, a first workflow of the two or more workflows uses a first type of data processing, a second workflow of the two or more workflows uses a second type of data processing different from the first type, and the first type of data processing and the second type of data processing are each one of a hash calculation, an entropy calculation, a data exposure check, or an email data and metadata review (abstract, ¶0036-¶0039, “…FIG. 7B depicts an exemplary workflow environment having four workflows 712-718 that are queued, but not yet executed. Each workflow includes a pre-processing step (such as adapter trimming) 722, a reference alignment step 724, a sorting step 726, and a variant calling step 728. In this example, workflows 712-718 include the same pre-processing step 722 that is executed on the same initial set of sequence reads and generates the same output files. In addition, each workflow includes the same sorting step 726. But workflows 712 and 714 use Bowtie2 for reference alignment, while workflows 716 and 718 use BWA. Additionally, workflows 712 and 716 use GATK for variant calling and workflows 714 and 718 use FreeBayes. Upon the processor identifying each step in the workflows 712-718 and generating the hash values associated therewith (as shown in FIG. 7B), the processor may identify instances that have an identical hash value and can thereby share the output files. For example, at the adapter trimming step 722, each workflow yields the same hash value (“SGJW”), and thus only one of these adapter trimming steps needs to be executed. 
The unexecuted steps may be marked as complete, i.e., no need for execution (shown in grey in FIG. 7B). At the alignment stage 724, because Bowtie and BWA yield different hash values (E05Y and I5TZ, respectively), only one Bowtie2 in workflow 712 or 714 and one BWA in workflow 716 or 718 needs to be executed. In this example, Bowtie2 in workflow 712 and BWA in workflow 716 are executed, while Bowtie2 in workflow 714 and BWA in workflow 718 are not executed (and thus are marked in grey). The sorting steps are similarly processed. Finally, each variant calling step 728 needs to be executed independently, as each variant generates a unique hash value in each workflow. As a result of this approach, the workflows have been optimized to reduce the total number of operations from 16 to 9…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BEDHAPUDI and ERLINGSSON to include processing two or more workflows in parallel using different data processing types, as disclosed by Li, and would have been motivated to do so in order to optimize the workflows to reduce the total number of operations (Li ¶0037, in part).
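The claimed sequence discussed above (store an alert, poll the database for new alerts, retrieve the changed object, then run a hash calculation and an entropy calculation in parallel on the same bytes) can be sketched as follows. This is an added illustration, not code from the Office action, the application, or any cited reference; the table layout, function names, object paths, sample data and the 7.5 bits/byte threshold are all assumptions.

```python
import hashlib
import math
import sqlite3
from collections import Counter
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for the production environment: object id -> current bytes.
PRODUCTION = {
    "docs/report.txt": b"quarterly report: revenue up, costs flat. " * 50,
    # Pseudo-random bytes standing in for an encrypted (ransomed) file.
    "docs/ledger.xlsx": hashlib.shake_256(b"constructed sample").digest(4096),
}


def open_alert_db():
    """Create the (hypothetical) alert table in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE alerts (id INTEGER PRIMARY KEY, object_id TEXT, "
        "reason TEXT, handled INTEGER DEFAULT 0)"
    )
    return db


def store_alert(db, object_id, reason):
    db.execute("INSERT INTO alerts (object_id, reason) VALUES (?, ?)",
               (object_id, reason))
    db.commit()


def poll_new_alerts(db):
    """Return unhandled alerts and mark them handled so the next poll skips them."""
    rows = db.execute(
        "SELECT id, object_id FROM alerts WHERE handled = 0 ORDER BY id"
    ).fetchall()
    db.executemany("UPDATE alerts SET handled = 1 WHERE id = ?",
                   [(row[0],) for row in rows])
    db.commit()
    return rows


def hash_workflow(data, known_good):
    """First type of processing: compare a signature with the stored one."""
    digest = hashlib.sha256(data).hexdigest()
    return {"sha256": digest, "matches_baseline": digest == known_good}


def entropy_workflow(data, threshold=7.5):
    """Second type of processing: Shannon entropy in bits per byte."""
    n = len(data)
    if n == 0:
        return {"entropy": 0.0, "looks_encrypted": False}
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return {"entropy": h, "looks_encrypted": h >= threshold}


def process_alert(object_id, baselines):
    """Retrieve the object once, then run both workflows in parallel on it."""
    data = PRODUCTION[object_id]  # retrieval is triggered by the new alert
    with ThreadPoolExecutor(max_workers=2) as pool:
        f_hash = pool.submit(hash_workflow, data, baselines.get(object_id))
        f_entropy = pool.submit(entropy_workflow, data)
        return {"object_id": object_id,
                "hash": f_hash.result(),
                "entropy": f_entropy.result()}


def run_once(db, baselines):
    """One polling cycle: every new alert leads to one processed object."""
    return [process_alert(obj, baselines) for _id, obj in poll_new_alerts(db)]


def demo():
    db = open_alert_db()
    baselines = {
        "docs/report.txt": hashlib.sha256(PRODUCTION["docs/report.txt"]).hexdigest(),
        "docs/ledger.xlsx": hashlib.sha256(b"earlier ledger contents").hexdigest(),
    }
    store_alert(db, "docs/report.txt", "file modification")
    store_alert(db, "docs/ledger.xlsx", "file modification")
    first = run_once(db, baselines)
    second = run_once(db, baselines)  # no new alerts, so nothing is processed
    return first, second


if __name__ == "__main__":
    for result in demo()[0]:
        print(result)
```

The two workflows never touch the database; only the polling thread does, which keeps the alert state consistent while the analysis runs concurrently.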
Regarding claim 12, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the non-transitory, machine-readable medium of claim 11.
BEDHAPUDI further discloses wherein the data and/or metadata concerning the object is retrieved from the production environment via an application programming interface associated with the production environment (¶0094, “Some or all primary data 112 objects are associated with corresponding metadata (e.g., “Meta1-11”), which may include file system metadata and/or application-specific metadata…. For example, secondary copy data object 134A represents three separate primary data objects 133C, 122, and 129C (represented as 133C′, 122′, and 129C′, respectively, and accompanied by corresponding metadata Meta11, Meta3, and Meta8, respectively)”), (¶0077, FIG. 1A, “…Communication pathways 114 in some cases may also include application programming interfaces (APIs) including, e.g., cloud service provider APIs, virtual machine management APIs, and hosted service provider APIs…”), (¶0122, “User interface 158 may include information processing and display software, such as a graphical user interface (GUI), an application program interface (API), and/or other interactive interface(s) through which users and system processes can retrieve information about the status of information management operations or issue instructions to storage manager 140 and other components…”), (¶0245, “The target media agent 144A receives the data-agent-processed data from client computing device 102, and at step 4 generates and conveys backup copy 116A to disk library 108A to be stored as backup copy 116A, again at the direction of storage manager 140 and according to backup copy rule set 160. Media agent 144A can also update its index 153 to include data and/or metadata related to backup copy 116A, such as information indicating where the backup copy 116A resides on disk library 108A, where the email copy resides, where the file system copy resides, data and metadata for cache retrieval, etc…”).
Regarding claim 13, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the non-transitory, machine-readable medium of claim 12.
BEDHAPUDI further discloses wherein the instructions, when read by the machine, cause the machine to perform further operations comprising:
registering the two or more workflows concerning the object (¶0210-¶0211, “…Another type of information management policy 148 is an “audit policy” (or “security policy”), which comprises preferences, rules and/or criteria that protect sensitive data in system 100. For example, an audit policy may define “sensitive objects” which are files or data objects that contain particular keywords (e.g., “confidential,” or “privileged”) and/or are associated with particular keywords (e.g., in metadata) or particular flags (e.g., in metadata identifying a document or email as personal, confidential, etc.). An audit policy may further specify rules for handling sensitive objects. As an example, an audit policy may require that a reviewer approve the transfer of any sensitive objects to a cloud storage site, and that if approval is denied for a particular sensitive object, the sensitive object should be transferred to a local primary storage device 104 instead. To facilitate this approval, the audit policy may further specify how a secondary storage computing device 106 or other system component should notify a reviewer that a sensitive object is slated for transfer.”, wherein approving the transfer of any sensitive objects to a cloud storage site, transferring the sensitive object to a local primary storage device and, further specifying how a secondary storage computing device or other system component should notify a reviewer that a sensitive object is slated for transfer are a plurality of workflows. 
Specifying the policies and conditions/criteria that trigger the workflows is interpreted as registering the workflows with the system), wherein processing the data and/or metadata is based at least in part on the registering (¶0072, “...system 100 generally refers to a combination of specialized components used to protect, move, manage, manipulate, analyze, and/or process data and metadata generated by client computing devices 102.”), (¶0254, “…A classification rule defines a particular combination of criteria, such as users who have created, accessed or modified a document or data object; file or application types; content or metadata keywords; clients or storage locations; dates of data creation and/or access; review status or other status within a workflow (e.g., reviewed or un-reviewed); modification times or types of modifications; and/or any other data attributes in any combination, without limitation”, wherein users reviewing the status within a workflow is an indication that the workflow has been registered and wherein workflow is understood to be a sequence of tasks/steps that processes a set of data from initiation to completion), (¶0242, “Referring to FIG. 1E, at step 1, storage manager 140 initiates a backup job according to the backup copy rule set 160, which logically comprises all the secondary copy operations necessary to effectuate rules 160 in storage policy 148A every hour, including steps 1-4 occurring hourly. For instance, a scheduling service running on storage manager 140 accesses backup copy rule set 160 or a separate scheduling policy associated with client computing device 102 and initiates a backup job on an hourly basis. 
Thus, at the scheduled time, storage manager 140 sends instructions to client computing device 102 (i.e., to both data agent 142A and data agent 142B) to begin the backup job.”, wherein sending instructions to client computing device 102 (i.e., to both data agent 142A and data agent 142B) to begin the backup job based on the rule set is registration of a workflow. Applicant in paragraph 96 of applicant’s specification includes backup as an example of a workflow that can be registered).
Regarding claim 14, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the non-transitory, machine-readable medium of claim 13.
BEDHAPUDI further discloses wherein the instructions, when read by the machine, cause the machine to perform further operations comprising:
identifying potential malware included in the data and/or metadata based at least in part on the processing (FIG. 6, ¶0316-¶0324, wherein files are analyzed to determine an anomaly, and the files include metadata), (¶0369, “… the client computing device 302 may create a rule that causes the client computing device 302 to identify a specific type of file system operations as a file activity anomaly. For example, if the client computing device 302 determines that a set of file system operations, while insufficient to trigger an anomaly detection by itself, constitutes harmful operations performed also on one or more other client computing devices within the network, the client computing device 302 may create a rule that causes the client computing device 302 to identify such operations as a file activity anomaly.”), and (¶0134, “…during a secondary copy operation, data agent 142 may arrange or assemble the data and metadata into one or more files having a certain format (e.g., a particular backup or archive format) before transferring the file(s) to a media agent 144 or other component. The file(s) may include a list of files or other metadata.”).
Regarding claim 17, BEDHAPUDI discloses an apparatus (¶0406, “data processing apparatus”) comprising: one or more processors (¶0400, “computing devices having one or more processors”);
one or more memories coupled with the one or more processors (¶0400, “computing devices having one or more processors and non-transitory computer-readable memory to operate according to one or more of the systems and/or methods”); and
instructions stored in the one or more memories and executable by the one or more processors (¶0406, “Such instructions may be provided to a processor of a general purpose computer, special purpose computer, specially-equipped computer”) to cause the apparatus to:
obtain an indication of a change in an object at a production environment of the object (¶0291, “the filter driver 314 may intercept data modification operations that include changes, updates, and/or new information (e.g., file creation, file deletion, file modification, file renaming, etc.) with respect to one or more of the application(s) 310. For example, the filter driver 314 may locate, monitor, and/or process one or more of the following with respect to a particular application 310, application type, or group of applications (e.g., some or all of the application(s) 310): file system operations (e.g., file creation, file deletion, file modification, file renaming), data management operations (e.g., data write operations, file attribute modifications), logs or journals (e.g., NTFS change journal), configuration files, file settings, control files, other files used by one or more of the application(s) 310, combinations of the same or the like. In certain embodiments, such data may also be gathered from files across multiple storage systems within the client computing device 302 (production environment). Furthermore, the filter driver 314 may be configured to monitor changes to particular volumes, directories, and/or files within the file system 316.”, wherein file creation, file deletion, file modification, file renaming are indications of a change in an object), wherein one or more snapshot images of the object are stored at a backup environment (¶0086, “… a disk array capable of performing hardware snapshots stores primary data 112 and creates and stores hardware snapshots of the primary data 112 as secondary copies 116. Secondary copies 116 may be stored in relatively slow and/or lower cost storage (e.g., magnetic tape). 
A secondary copy 116 may be stored in a backup or archive format, or in some other format different from the native source application format or other format of primary data 112.”), (¶0079, “…As used herein, a “data object” can refer to (i) any file that is currently addressable by a file system or that was previously addressable by the file system (e.g., an archive file), and/or to (ii) a subset of such a file (e.g., a data block, an extent, etc.)…”);
generate an alert that comprises based on the indication of the change (¶0004, “…The software module records the number of times the files in the file system are modified, created, deleted, and/or renamed. The recorded number is compared against a threshold. If the number exceeds the threshold, the software module provides an alert to the user of the client machine that the client machine may be under a ransomware attack”), (¶0312, “At block 510, the filter driver 314 causes a warning to be output (e.g., via a user interface, email, or another notification service). For example, the filter driver 314 may cause the client computing device 302 to display a file activity anomaly alert 1400 shown in FIG. 14… As shown in FIG. 16, file activity anomalies detected in multiple client computing devices 302 may be presented via a single user interface and provide an indication of the file system operations that triggered the anomaly detection.”);
based on the alert, identifying the object (¶0312, “… As shown in FIG. 16, file activity anomalies detected in multiple client computing devices 302 may be presented via a single user interface and provide an indication of the file system operations that triggered the anomaly detection.”);
store the alert, the alert identifying the object (¶0312, “the filter driver 314 causes a warning to be output (e.g., via a user interface, email, or another notification service). For example, the filter driver 314 may cause the client computing device 302 to display a file activity anomaly alert 1400 shown in FIG. 14. The filter driver 314 may further cause a report to be stored in a page accessible by the user (e.g., as illustrated by the user interface 1500 of FIG. 15)…”);
poll the database to identify a new alert, the new alert comprising the alert (¶0320, “…The anomaly detection engine 320 may run the anomaly detection algorithm on the local database periodically (e.g., every 5 minutes, 30 minutes, 1 hour, 6 hours, 12 hours, 24 hours, 7 days, etc.). The anomaly detection algorithm may determine, based on the historical data stored in the local database, a baseline number of file system operations and detect any spikes in the number of file system operations based on the baseline number. For example, if 100 file deletes were performed during the past 10 days, and the anomaly detection engine 320 determines that 2000 file deletes occurred today, the anomaly detection engine 320 may flag the 2000 file deletes as a file activity anomaly and alert the user and/or take remedial action.”);
based on identification of the new alert, identifying a snapshot image including the object (¶0316-¶0317, “… For example, the directory change information may include file name changes, directory name changes, file attribute changes, file size changes, last write time changes, last access time changes, creation time changes, and/or any other changes in the directory or the files in the directory… The directory change information received from the notification service may identify which files were modified at what time, but may not include information necessary to determine the entropy change or sdhash value.”, wherein modified (changed) files will trigger alerts and the snapshot image is a file (object), which is consonant with applicant’s disclosure in ¶0091-¶0092), (¶0164, “a snapshot may be thought of as an “instant” image of primary data 112 at a given point in time, and may include state and/or status information relative to an application 110 that creates/manages primary data 112. In one embodiment, a snapshot may generally capture the directory structure of an object in primary data 112 such as a file or volume or other data set at a particular moment in time and may also preserve file attributes and contents”); and
retrieve data and/or metadata concerning the object from the production environment (¶0080-¶0081, “It can also be useful in performing certain functions of system 100 to access and modify metadata within primary data 112. Metadata generally includes information about data objects and/or characteristics associated with the data objects…In addition to metadata generated by or related to file systems and operating systems, some applications 110 and/or other components of system 100 maintain indices of metadata for data objects, e.g., metadata associated with individual email messages…A client computing device 102 is said to be associated with or in communication with a particular primary storage device 104 if it is capable of one or more of: routing and/or storing data (e.g., primary data 112) to the primary storage device 104, coordinating the routing and/or storing of data to the primary storage device 104, retrieving data from the primary storage device 104, coordinating the retrieval of data from the primary storage device 104, and modifying and/or deleting data in the primary storage device 104. Thus, a client computing device 102 may be said to access data stored in an associated storage device 104”, FIG. 1D shows data movements between primary storage device 104 and client computing devices 102).
the first type of data processing and the second type of data processing are each one of a hash calculation, an entropy calculation, a data exposure check, or an email data and metadata review (¶0174, “In order to streamline the comparison process, system 100 may calculate and/or store signatures (e.g., hashes or cryptographically unique IDs) corresponding to the individual source data portions and compare the signatures to already-stored data signatures, instead of comparing entire data portions…”), an entropy calculation (¶0303, “…The I/O requests can be tracked by the file system filter driver, and encryption of the files in the file system can be predicted by calculating the entropy on data buffers.”), a data exposure check, or an email data and metadata review (¶0194, “…Content indexing can identify files or other data objects based on content (e.g., user-defined keywords or phrases, other keywords/phrases that are not defined by a user, etc.), and/or metadata (e.g., email metadata such as “to,” “from,” “cc,” “bcc,” attachment name, received time, etc.)”).
Although BEDHAPUDI discloses storing the alert report in a page accessible by the user (e.g., as illustrated by the user interface 1500 of FIG. 15) in ¶0312, BEDHAPUDI does not explicitly disclose:
retrieving data and/or metadata concerning the object from the production environment based at least in part on the identification of the new alert in the database that there was the change in the object; and
processing, based at least in part on the identification of the new alert in the database, the data and/or metadata concerning the object via two or more workflows in parallel, wherein:
each workflow of the two or more workflows processes, in parallel, the same data and/or metadata concerning the object from the production environment, a first workflow of the two or more workflows uses a first type of data processing, a second workflow of the two or more workflows uses a second type of data processing different from the first type, and the first type of data processing and the second type of data processing are each one of a hash calculation, an entropy calculation, a data exposure check, or an email data and metadata review.
ERLINGSSON discloses an alert database loader responsible for loading data into an appropriate data store (¶0155-¶0156, “… Data loader 136 can be implemented in any appropriate programming language, such as Java or C, and can be configured to use a Kinesis library to interface with Kinesis. In various embodiments, data loader 136 uses the Amazon Simple Queue Service (SQS) (e.g., to alert DB loader 140 that there is work for it to do)… DB loader 140 is a microservice that is responsible for loading data into an appropriate data store 30, such as SnowflakeDB or Amazon Redshift, using individual per-customer databases…”);
retrieving data and/or metadata concerning the object from the production environment based at least in part on the identification of the new alert in the database that there was the change in the object (¶0624, “… Referring 506 to the annotations for an unexpected change 512 may be carried out, for example, in response to receiving a security alert about an unexpected change 512 that has been detected in a second environment 514 and by manually or automatically referring to the annotations for the detected change 510 from the first environment 508. Alternatively, referring 506 to the annotations for an unexpected change 512 upon detecting the unexpected change 412 in a second environment 514 that is outside the second environment may be carried out by detecting an unexpected change 512 that has been detected in a second environment 514 and by manually or automatically referring to the annotations for the detected change 510 from the first environment 508. As described above, the annotations are evidence providing information about aspects of the detected change 510 in the software application and may include the developers' names, the reviewers' names, information about testing, a description or explanation of the change, or other relevant evidence documenting the change.”, wherein the annotations such as the developers' names, the reviewers' names, information about testing, a description or explanation of the change, or other relevant evidence documenting the change is interpreted as data/metadata concerning the object), (¶0436, “Such changes can be surfaced as alerts, e.g., to help an administrator determine when/what anomalous behavior occurs within a datacenter…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BEDHAPUDI to include retrieving data/metadata of the changed object whenever a new alert is received, as disclosed by ERLINGSSON, and would have been motivated to do so in order to determine whether the change has been pre-approved, to identify a developer that should be contacted for determining whether the change is expected (ERLINGSSON ¶0624, in part).
However, the combination of BEDHAPUDI and ERLINGSSON does not explicitly disclose the limitation of:
processing, based at least in part on the identification of the new alert in the database, the data and/or metadata concerning the object via two or more workflows in parallel, wherein each workflow of the two or more workflows processes, in parallel, the same data and/or metadata concerning the object from the production environment, a first workflow of the two or more workflows uses a first type of data processing, a second workflow of the two or more workflows uses a second type of data processing different from the first type, and the first type of data processing and the second type of data processing are each one of a hash calculation, an entropy calculation, a data exposure check, or an email data and metadata review.
Li discloses processing, based at least in part on the identification of the new alert in the database, the data and/or metadata concerning the object via two or more workflows in parallel, wherein each workflow of the two or more workflows processes, in parallel, the same data and/or metadata concerning the object from the production environment, a first workflow of the two or more workflows uses a first type of data processing, a second workflow of the two or more workflows uses a second type of data processing different from the first type, and the first type of data processing and the second type of data processing are each one of a hash calculation, an entropy calculation, a data exposure check, or an email data and metadata review (abstract, ¶0036-¶0039, “…FIG. 7B depicts an exemplary workflow environment having four workflows 712-718 that are queued, but not yet executed. Each workflow includes a pre-processing step (such as adapter trimming) 722, a reference alignment step 724, a sorting step 726, and a variant calling step 728. In this example, workflows 712-718 include the same pre-processing step 722 that is executed on the same initial set of sequence reads and generates the same output files. In addition, each workflow includes the same sorting step 726. But workflows 712 and 714 use Bowtie2 for reference alignment, while workflows 716 and 718 use BWA. Additionally, workflows 712 and 716 use GATK for variant calling and workflows 714 and 718 use FreeBayes. Upon the processor identifying each step in the workflows 712-718 and generating the hash values associated therewith (as shown in FIG. 7B), the processor may identify instances that have an identical hash value and can thereby share the output files. For example, at the adapter trimming step 722, each workflow yields the same hash value (“SGJW”), and thus only one of these adapter trimming steps needs to be executed. 
The unexecuted steps may be marked as complete, i.e., no need for execution (shown in grey in FIG. 7B). At the alignment stage 724, because Bowtie and BWA yield different hash values (E05Y and I5TZ, respectively), only one Bowtie2 in workflow 712 or 714 and one BWA in workflow 716 or 718 needs to be executed. In this example, Bowtie2 in workflow 712 and BWA in workflow 716 are executed, while Bowtie2 in workflow 714 and BWA in workflow 718 are not executed (and thus are marked in grey). The sorting steps are similarly processed. Finally, each variant calling step 728 needs to be executed independently, as each variant generates a unique hash value in each workflow. As a result of this approach, the workflows have been optimized to reduce the total number of operations from 16 to 9…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BEDHAPUDI and ERLINGSSON to include processing two or more workflows in parallel using different data processing types as disclosed by Li and be motivated in doing so in order to optimize the workflows to reduce the total number of operations -Li ¶0037 in parts.
Regarding claim 18, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the apparatus of claim 17.
BEDHAPUDI further discloses wherein the data and/or metadata concerning the object is retrieved from the production environment via an application programming interface associated with the production environment (¶0094, “Some or all primary data 112 objects are associated with corresponding metadata (e.g., “Meta1-11”), which may include file system metadata and/or application-specific metadata…. For example, secondary copy data object 134A represents three separate primary data objects 133C, 122, and 129C (represented as 133C′, 122′, and 129C′, respectively, and accompanied by corresponding metadata Meta11, Meta3, and Meta8, respectively)”), (¶0077, FIG. 1A, “…Communication pathways 114 in some cases may also include application programming interfaces (APIs) including, e.g., cloud service provider APIs, virtual machine management APIs, and hosted service provider APIs…”), (¶0122, “User interface 158 may include information processing and display software, such as a graphical user interface (GUI), an application program interface (API), and/or other interactive interface(s) through which users and system processes can retrieve information about the status of information management operations or issue instructions to storage manager 140 and other components…”), (¶0245, “The target media agent 144A receives the data-agent-processed data from client computing device 102, and at step 4 generates and conveys backup copy 116A to disk library 108A to be stored as backup copy 116A, again at the direction of storage manager 140 and according to backup copy rule set 160. Media agent 144A can also update its index 153 to include data and/or metadata related to backup copy 116A, such as information indicating where the backup copy 116A resides on disk library 108A, where the email copy resides, where the file system copy resides, data and metadata for cache retrieval, etc…”).
Regarding claim 19, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the apparatus of claim 18.
BEDHAPUDI further discloses wherein the instructions are further executable by the one or more processors to cause the apparatus to:
register the two or more workflows concerning the object (¶0210-¶0211, “…Another type of information management policy 148 is an “audit policy” (or “security policy”), which comprises preferences, rules and/or criteria that protect sensitive data in system 100. For example, an audit policy may define “sensitive objects” which are files or data objects that contain particular keywords (e.g., “confidential,” or “privileged”) and/or are associated with particular keywords (e.g., in metadata) or particular flags (e.g., in metadata identifying a document or email as personal, confidential, etc.). An audit policy may further specify rules for handling sensitive objects. As an example, an audit policy may require that a reviewer approve the transfer of any sensitive objects to a cloud storage site, and that if approval is denied for a particular sensitive object, the sensitive object should be transferred to a local primary storage device 104 instead. To facilitate this approval, the audit policy may further specify how a secondary storage computing device 106 or other system component should notify a reviewer that a sensitive object is slated for transfer.”, wherein approving the transfer of any sensitive objects to a cloud storage site, transferring the sensitive object to a local primary storage device, and further specifying how a secondary storage computing device or other system component should notify a reviewer that a sensitive object is slated for transfer are a plurality of workflows. 
Specifying the policies and conditions/criteria that trigger the workflows is interpreted as registering the workflows with the system), wherein processing the data and/or metadata is based at least in part on the registering (¶0072, “...system 100 generally refers to a combination of specialized components used to protect, move, manage, manipulate, analyze, and/or process data and metadata generated by client computing devices 102.”), (¶0254, “…A classification rule defines a particular combination of criteria, such as users who have created, accessed or modified a document or data object; file or application types; content or metadata keywords; clients or storage locations; dates of data creation and/or access; review status or other status within a workflow (e.g., reviewed or un-reviewed); modification times or types of modifications; and/or any other data attributes in any combination, without limitation”, wherein users reviewing the status within a workflow is an indication that the workflow has been registered and wherein workflow is understood to be a sequence of tasks/steps that processes a set of data from initiation to completion), (¶0242, “Referring to FIG. 1E, at step 1, storage manager 140 initiates a backup job according to the backup copy rule set 160, which logically comprises all the secondary copy operations necessary to effectuate rules 160 in storage policy 148A every hour, including steps 1-4 occurring hourly. For instance, a scheduling service running on storage manager 140 accesses backup copy rule set 160 or a separate scheduling policy associated with client computing device 102 and initiates a backup job on an hourly basis. 
Thus, at the scheduled time, storage manager 140 sends instructions to client computing device 102 (i.e., to both data agent 142A and data agent 142B) to begin the backup job.”, wherein sending instructions to client computing device 102 (i.e., to both data agent 142A and data agent 142B) to begin the backup job based on the rule set is registration of a workflow. Applicant in paragraph 96 of applicant’s specification includes backup as an example of a workflow that can be registered).
Regarding claim 20, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the apparatus of claim 19.
BEDHAPUDI further discloses wherein the instructions are further executable by the one or more processors to cause the apparatus to:
identify potential malware included in the data and/or metadata based at least in part on the processing (FIG. 6, (¶0316-¶0324, wherein files are being analyzed to determine anomaly, and the files include metadata), (¶0369, “… the client computing device 302 may create a rule that causes the client computing device 302 to identify a specific type of file system operations as a file activity anomaly. For example, if the client computing device 302 determines that a set of file system operations, while insufficient to trigger an anomaly detection by itself, constitutes harmful operations performed also on one or more other client computing devices within the network, the client computing device 302 may create a rule that causes the client computing device 302 to identify such operations as a file activity anomaly.”), and (¶0134, “…during a secondary copy operation, data agent 142 may arrange or assemble the data and metadata into one or more files having a certain format (e.g., a particular backup or archive format) before transferring the file(s) to a media agent 144 or other component. The file(s) may include a list of files or other metadata.”).
Regarding claim 23, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the apparatus of claim 20.
BEDHAPUDI further discloses a backup environment (¶0245, “The target media agent 144A receives the data-agent-processed data from client computing device 102, and at step 4 generates and conveys backup copy 116A to disk library 108A to be stored as backup copy 116A, again at the direction of storage manager 140 and according to backup copy rule set 160…”, wherein the disk library to which backup copy is stored is interpreted as backup environment), see also ¶0283-¶0284, and
ERLINGSSON further discloses wherein the two or more workflows comprises a machine learning anomaly and ransomware detection system trained based at least in part on filesystem metadata changes between a first snapshot of the one or more snapshot images and a second snapshot of the one or more snapshot images at the backup environment (¶0181, “… For each machine, a determination is made as to what type of machine it is, based on what kind(s) of workflows it runs. As one example, some machines run as master nodes (having a typical set of workflows they run, as master nodes) and can thus be clustered as master nodes…”), (¶0150, “… Histograms allow data platform 12 to model application behavior (e.g., using machine learning techniques), for establishing baselines, and for detecting deviations…”), (¶0583, “the systems described herein may be leveraged for the specific use case of detecting and/or remediating ransomware attacks and/or other malicious action taken with respect to data, systems, and/or other resources associated with one or more entities…”), (¶0221-¶0223, “One approach to merging a snapshot of the activity of the last hour into a cumulative graph is as follows. An aggregate graph of physical connections is made for the connections included in the snapshot (as was previously done for the original snapshot used during bootstrap). And, clustering/splitting is similarly performed on the snapshot's aggregate graph. Next, PType clusters in the snapshot's graph are compared against PType clusters in the cumulative graph to identify commonality….”), (¶0345, “… such agents send associated records to data platform 12 which includes one or more datastores (e.g., data store 30) for persistently storing such data. 
Such data can be modeled using logical tables, also persisted in datastores (e.g., in a relational database that provides an SQL interface), allowing for querying of the data…”, wherein data platform 12 which includes one or more datastores (e.g., data store 30) for persistently storing data is interpreted as the claimed backup environment).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the apparatus of BEDHAPUDI, ERLINGSSON and Li to include the use of a machine learning model to detect anomalies and ransomware as disclosed by ERLINGSSON and be motivated in doing so in order to compare the annotations of the detected change in the first environment and the annotations of the unexpected change in the second environment and use the information in the annotations as an input to one or more machine learning models - ERLINGSSON ¶0646 in parts.
Regarding claim 24, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the apparatus of claim 20.
BEDHAPUDI further discloses wherein the two or more workflows (¶0210-¶0211, “…Another type of information management policy 148 is an “audit policy” (or “security policy”), which comprises preferences, rules and/or criteria that protect sensitive data in system 100. For example, an audit policy may define “sensitive objects” which are files or data objects that contain particular keywords (e.g., “confidential,” or “privileged”) and/or are associated with particular keywords (e.g., in metadata) or particular flags (e.g., in metadata identifying a document or email as personal, confidential, etc.). An audit policy may further specify rules for handling sensitive objects. As an example, an audit policy may require that a reviewer approve the transfer of any sensitive objects to a cloud storage site, and that if approval is denied for a particular sensitive object, the sensitive object should be transferred to a local primary storage device 104 instead. To facilitate this approval, the audit policy may further specify how a secondary storage computing device 106 or other system component should notify a reviewer that a sensitive object is slated for transfer.”, wherein approving the transfer of any sensitive objects to a cloud storage site, transferring the sensitive object to a local primary storage device, and further specifying how a secondary storage computing device or other system component should notify a reviewer that a sensitive object is slated for transfer are a plurality of workflows) comprises diff File Management Data augmentation associated with the one or more snapshot images at the backup environment (¶0168, “An initial snapshot may use only a small amount of disk space needed to record a mapping or other data structure representing or otherwise tracking the blocks that correspond to the current state of the file system. Additional disk space is usually required only when files and directories change later on. 
Furthermore, when files change, typically only the pointers which map to blocks are copied, not the blocks themselves. For example for “copy-on-write” snapshots, when a block changes in primary storage, the block is copied to secondary storage or cached in primary storage before the block is overwritten in primary storage, and the pointer to that block is changed to reflect the new location of that block. The snapshot mapping of file system data may also be updated to reflect the changed block(s) at that particular point in time. In some other cases, a snapshot includes a full physical copy of all or substantially all of the data represented by the snapshot…”, wherein diff File Management Data is understood as the practice of managing and utilizing a diff file to track and apply changes in data, and a diff file is a file that records differences between two versions of a file or a data set), (¶0245, “The target media agent 144A receives the data-agent-processed data from client computing device 102, and at step 4 generates and conveys backup copy 116A to disk library 108A to be stored as backup copy 116A, again at the direction of storage manager 140 and according to backup copy rule set 160…”, wherein the disk library to which backup copy is stored is interpreted as backup environment), and
ERLINGSSON further discloses wherein the two or more workflows comprises a machine learning anomaly and ransomware detection system trained based at least in part on a diff File Management Data augmentation associated with the one or more snapshot images at the backup environment (¶0646, “The example method depicted in FIG. 7 also includes comparing 704 the annotations of the detected change in the first environment and the annotations of the unexpected change in the second environment. As described above, the annotations for the unexpected change 512 are compared to the corresponding annotations for the detected change 510 in the computing environment. The annotations may be identical. In some embodiments, the annotations are similar with similar or identical explanations and with different developer's names or reviewer's names, as well as information such as testing tools and other relevant information. In such cases, when the annotations are not identical, then similarity is determined by a predictable measure such as the application of rules, policies, heuristics, or similar mechanism or via machine learning techniques such as where information describing the types of information in the annotations are fed as input to one or more machine learning models which subsequently identifies information in annotations that are similar”, wherein feeding the one or more machine learning models with information in the annotations is training the machine learning models). 
(¶0150, “… Histograms allow data platform 12 to model application behavior (e.g., using machine learning techniques), for establishing baselines, and for detecting deviations…”), (¶0583, “the systems described herein may be leveraged for the specific use case of detecting and/or remediating ransomware attacks and/or other malicious action taken with respect to data, systems, and/or other resources associated with one or more entities…”), (¶0221-¶0223, “One approach to merging a snapshot of the activity of the last hour into a cumulative graph is as follows. An aggregate graph of physical connections is made for the connections included in the snapshot (as was previously done for the original snapshot used during bootstrap). And, clustering/splitting is similarly performed on the snapshot's aggregate graph. Next, PType clusters in the snapshot's graph are compared against PType clusters in the cumulative graph to identify commonality….”, wherein aggregating is interpreted as augmentation), (¶0345, “… such agents send associated records to data platform 12 which includes one or more datastores (e.g., data store 30) for persistently storing such data. Such data can be modeled using logical tables, also persisted in datastores (e.g., in a relational database that provides an SQL interface), allowing for querying of the data…”, wherein data platform 12 which includes one or more datastores (e.g., data store 30) for persistently storing data is interpreted as the claimed backup environment).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the apparatus of BEDHAPUDI, ERLINGSSON, and Li to include diff File Management Data augmentation as disclosed by ERLINGSSON and be motivated in doing so in order to reduce network congestion - ERLINGSSON ¶0098 in parts.
Regarding claim 25, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the computer-implemented method of claim 7.
BEDHAPUDI further discloses further comprising: sending the data and/or metadata to a software-as-a-service application hosted at a different environment than the production environment and the backup environment (¶0083, “System 100 may also include hosted services (not shown), which may be hosted in some cases by an entity other than the organization that employs the other components of system 100. For instance, the hosted services may be provided by online service providers. Such service providers can provide social networking services, hosted email services, or hosted productivity applications or other hosted applications such as software-as-a-service (SaaS), platform-as-a-service (PaaS), application service providers (ASPs), cloud services, or other mechanisms for delivering functionality via a network. As it services users, each hosted service may generate additional data and metadata, which may be managed by system 100, e.g., as primary data 112. In some cases, the hosted services may be accessed using one of the applications 110. As an example, a hosted mail service may be accessed via browser running on a client computing device 102.”, wherein generation of additional data and metadata indicates that data and metadata already exist in the host services); and
processing the data and/or metadata via the two or more workflows at the software-as-a-service application (¶0095, “…secondary storage computing devices 106 or other components in secondary storage subsystem 118 may process the data received from primary storage subsystem 117 and store a secondary copy including a transformed and/or supplemented representation of a primary data object and/or metadata that is different from the original format, e.g., in a compressed, encrypted, deduplicated, or other modified format. For instance, secondary storage computing devices 106 can generate new metadata or other information based on said processing, and store the newly generated information along with the secondary copies…”), (¶0295-¶0296, “…The plurality of client computing devices 302A-302N may each push the I/O data 338 collected on the respective client computing devices to a cloud service 336. The cloud service 336 may also store the index data 340 comprising information captured at the time of each backup associated with the respective client computing device 302…”, wherein the cloud service 336 is interpreted as the claimed software-as-a-service application.).
Regarding claim 26, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the computer-implemented method of claim 7.
BEDHAPUDI further discloses wherein the processing, comprises processing the data and/or metadata and second data and/or metadata retrieved from the snapshot image (¶0072, “…in some cases, system 100 generally refers to a combination of specialized components used to protect, move, manage, manipulate, analyze, and/or process data and metadata generated by client computing devices 102…”), (¶0164, “…a snapshot may be thought of as an “instant” image of primary data 112 at a given point in time, and may include state and/or status information relative to an application 110 that creates/manages primary data 112. In one embodiment, a snapshot may generally capture the directory structure of an object in primary data 112 such as a file or volume or other data set at a particular moment in time and may also preserve file attributes and contents…”), (¶0188, “System 100 in some cases is configured to process data (e.g., files or other data objects, primary data 112, secondary copies 116, etc.), according to an appropriate encryption algorithm (e.g., Blowfish, Advanced Encryption Standard (AES), Triple Data Encryption Standard (3-DES), etc.) to limit access and provide data security…”), (¶0168, “…Users in some cases gain read-only access to the record of files and directories of the snapshot. By electing to restore primary data 112 from a snapshot taken at a given point in time, users may also return the current file system to the state of the file system that existed when the snapshot was taken.”).
Claims 15-16, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over US. PGPub. 20190108340 to BEDHAPUDI et al. (hereinafter BEDHAPUDI) in view of US PGPub. No.20220303295 to ERLINGSSON et al. (hereinafter ERLINGSSON) and further in view of US. PGPub. No. 20200201675 to Li; Yilong (hereinafter Li) and further in view of US Pat. No. 11556664 to Levy et al. (hereinafter Levy).
Regarding claim 15, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the computer-implemented method of claim 7.
BEDHAPUDI further discloses further comprising:
identifying audit events (¶0213, “audit”) associated with user file accesses in the production environment of the object (¶0293, FIG. 3A, “Using the file monitor 322, the filter driver 314 can monitor interactions with a file. This interaction can include accessing the file via the file system 316, one or more applications 310, one or more data agents 312, or through any other method of accessing or interacting with a file”, wherein filter 314 is in the production environment (client computing device 302) of the object) the audit events including a create event and a subsequent event (¶0294, “, the file monitor 322 identifies when a file is modified and/or created. Monitoring the creation of a file can include identifying a “new” file operation, a “save as” operation, a “copy” operation, or any other operation that can result in a new file or a new copy of an existing file.”), the subsequent event including a read, write, or cleanup event (¶0318, “the anomaly detection engine 320 determines the number of file system operations performed for a given directory or volume (e.g., the number of file opens, reads, creates, writes, rewrites, deletes, renames, etc., the pattern of such file opens, reads, creates, writes, rewrites, deletes, renames, etc., and/or the timestamps associated with such file opens, reads, creates, writes, rewrites, deletes, renames, etc.)”);
resolving a pair value including a user ID at the create event (¶0227, “the identity of users, applications 110, client computing devices 102 and/or other computing devices that created, accessed, modified, or otherwise utilized primary data 112 or secondary copies 116”);
associating the pair value with a file object ID for a base file or one or more forward incremental files associated including the object (¶0196, “…Files or other data objects can be associated with identifiers (e.g., tag entries, etc.) to facilitate searches of stored data objects”), (¶0156, “An incremental backup operation generally tracks and stores changes since the most recent backup copy of any type, which can greatly reduce storage utilization.”); and
storing the associated file object ID and pair value in a map in a file object cache (¶0168, “…when files change, typically only the pointers which map to blocks are copied, not the blocks themselves. For example for “copy-on-write” snapshots, when a block changes in primary storage, the block is copied to secondary storage or cached in primary storage before the block is overwritten in primary storage, and the pointer to that block is changed to reflect the new location of that block. The snapshot mapping of file system data may also be updated to reflect the changed block(s) at that particular point in time”, wherein the pointers is interpreted as file object ID), (¶0142, “… information stored in index cache 153 typically comprises data that reflects certain particulars about relatively recent secondary copy operations. After some triggering event, such as after some time elapses or index cache 153 reaches a particular size, certain portions of index cache 153 may be copied or migrated to secondary storage device 108, e.g., on a least-recently-used basis.”).
However, BEDHAPUDI in view of ERLINGSSON and Li does not explicitly disclose the concept of resolving a pair value including a user ID and remote IP address at the create event;
Levy discloses the limitation of resolving a pair value including a user ID and remote IP address at the create event (Col. 45, lines 64-67 to Col. 46, line 1-4, “ a secondary authentication may be based on information such as whether a user recently logged in to the device, whether a user recently provided a token passcode (e.g., within the last day or the last week), whether the device recently connected to the enterprise network, the current IP address for a device, the geolocation of a device, or whether the user/device combination recently logged in to the remote resource.”, wherein user token passcode is interpreted as user ID), (Col. 20, lines 8-23, “… the valuation model may estimate value based on one or more of encryption status, file type, file usage history, file creation date, file modification date, file content, and file author…”)
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the invention of BEDHAPUDI, ERLINGSSON, and Li to include remote IP address as disclosed by Levy and be motivated in doing so in order to determine whether a user has recently logged in to a remote resource- Levy col. 46, lines 2-4.
Regarding claim 16, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the non-transitory, machine-readable medium of claim 11.
BEDHAPUDI further discloses wherein the instructions, when read by the machine, cause the machine to perform further operations comprising:
identifying audit events (¶0213, “audit”) associated with user file accesses in the production environment of the object (¶0293, FIG. 3A, “Using the file monitor 322, the filter driver 314 can monitor interactions with a file. This interaction can include accessing the file via the file system 316, one or more applications 310, one or more data agents 312, or through any other method of accessing or interacting with a file”, wherein filter 314 is in the production environment (client computing device 302) of the object) the audit events including a create event and a subsequent event (¶0294, “, the file monitor 322 identifies when a file is modified and/or created. Monitoring the creation of a file can include identifying a “new” file operation, a “save as” operation, a “copy” operation, or any other operation that can result in a new file or a new copy of an existing file.”), the subsequent event including a read, write, or cleanup event (¶0318, “the anomaly detection engine 320 determines the number of file system operations performed for a given directory or volume (e.g., the number of file opens, reads, creates, writes, rewrites, deletes, renames, etc., the pattern of such file opens, reads, creates, writes, rewrites, deletes, renames, etc., and/or the timestamps associated with such file opens, reads, creates, writes, rewrites, deletes, renames, etc.)”);
resolving a pair value including a user ID at the create event (¶0227, “the identity of users, applications 110, client computing devices 102 and/or other computing devices that created, accessed, modified, or otherwise utilized primary data 112 or secondary copies 116”);
associating the pair value with a file object ID for a base file or one or more forward incremental files associated including the object (¶0196, “…Files or other data objects can be associated with identifiers (e.g., tag entries, etc.) to facilitate searches of stored data objects”), (¶0156, “An incremental backup operation generally tracks and stores changes since the most recent backup copy of any type, which can greatly reduce storage utilization.”); and
storing the associated file object ID and pair value in a map in a file object cache (¶0168, “…when files change, typically only the pointers which map to blocks are copied, not the blocks themselves. For example for “copy-on-write” snapshots, when a block changes in primary storage, the block is copied to secondary storage or cached in primary storage before the block is overwritten in primary storage, and the pointer to that block is changed to reflect the new location of that block. The snapshot mapping of file system data may also be updated to reflect the changed block(s) at that particular point in time”, wherein the pointers is interpreted as file object ID), (¶0142, “… information stored in index cache 153 typically comprises data that reflects certain particulars about relatively recent secondary copy operations. After some triggering event, such as after some time elapses or index cache 153 reaches a particular size, certain portions of index cache 153 may be copied or migrated to secondary storage device 108, e.g., on a least-recently-used basis.”).
However, BEDHAPUDI in view of ERLINGSSON and Li does not explicitly disclose the concept of resolving a pair value including a user ID and remote IP address at the create event.
Levy discloses the limitation of resolving a pair value including a user ID and remote IP address at the create event (Col. 45, lines 64-67 to Col. 46, lines 1-4, “a secondary authentication may be based on information such as whether a user recently logged in to the device, whether a user recently provided a token passcode (e.g., within the last day or the last week), whether the device recently connected to the enterprise network, the current IP address for a device, the geolocation of a device, or whether the user/device combination recently logged in to the remote resource.”, wherein the user token passcode is interpreted as the user ID), (Col. 20, lines 8-23, “… the valuation model may estimate value based on one or more of encryption status, file type, file usage history, file creation date, file modification date, file content, and file author…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the invention of BEDHAPUDI, ERLINGSSON, and Li to include a remote IP address as disclosed by Levy, and would have been motivated to do so in order to determine whether a user has recently logged in to a remote resource (Levy, col. 46, lines 2-4).
Regarding claim 21, BEDHAPUDI in view of ERLINGSSON and further in view of Li discloses the apparatus of claim 17.
BEDHAPUDI further discloses wherein the instructions are further executable by the one or more processors to cause the apparatus to:
identify audit events (¶0213, “audit”) associated with user file accesses in a monitored system (¶0293, “Using the file monitor 322, the filter driver 314 can monitor interactions with a file. This interaction can include accessing the file via the file system 316, one or more applications 310, one or more data agents 312, or through any other method of accessing or interacting with a file”), the audit events including a create event and a subsequent event (¶0293, “the file monitor 322 identifies when a file is modified and/or created. Monitoring the creation of a file can include identifying a “new” file operation, a “save as” operation, a “copy” operation, or any other operation that can result in a new file or a new copy of an existing file.”), the subsequent event including a read, write, or cleanup event (¶0318, “the anomaly detection engine 320 determines the number of file system operations performed for a given directory or volume (e.g., the number of file opens, reads, creates, writes, rewrites, deletes, renames, etc., the pattern of such file opens, reads, creates, writes, rewrites, deletes, renames, etc., and/or the timestamps associated with such file opens, reads, creates, writes, rewrites, deletes, renames, etc.)”);
resolve a pair value including a user ID at the create event (¶0227, “the identity of users, applications 110, client computing devices 102 and/or other computing devices that created, accessed, modified, or otherwise utilized primary data 112 or secondary copies 116”);
associate the pair value with a file object ID for a base file or one or more forward incremental files associated including the object (¶0196, “…Files or other data objects can be associated with identifiers (e.g., tag entries, etc.) to facilitate searches of stored data objects”), (¶0156, “An incremental backup operation generally tracks and stores changes since the most recent backup copy of any type, which can greatly reduce storage utilization.”); and
store the associated file object ID and pair value in a map in a file object cache (¶0168, “…when files change, typically only the pointers which map to blocks are copied, not the blocks themselves. For example for “copy-on-write” snapshots, when a block changes in primary storage, the block is copied to secondary storage or cached in primary storage before the block is overwritten in primary storage, and the pointer to that block is changed to reflect the new location of that block. The snapshot mapping of file system data may also be updated to reflect the changed block(s) at that particular point in time”, wherein the pointers are interpreted as the file object ID), (¶0142, “… information stored in index cache 153 typically comprises data that reflects certain particulars about relatively recent secondary copy operations. After some triggering event, such as after some time elapses or index cache 153 reaches a particular size, certain portions of index cache 153 may be copied or migrated to secondary storage device 108, e.g., on a least-recently-used basis.”).
However, BEDHAPUDI in view of ERLINGSSON and Li does not explicitly disclose the concept of resolving a pair value including a user ID and remote IP address at the create event.
Levy discloses the limitation of resolving a pair value including a user ID and remote IP address at the create event (Col. 45, lines 64-67 to Col. 46, lines 1-4, “a secondary authentication may be based on information such as whether a user recently logged in to the device, whether a user recently provided a token passcode (e.g., within the last day or the last week), whether the device recently connected to the enterprise network, the current IP address for a device, the geolocation of a device, or whether the user/device combination recently logged in to the remote resource.”, wherein the user token passcode is interpreted as the user ID), (Col. 20, lines 8-23, “… the valuation model may estimate value based on one or more of encryption status, file type, file usage history, file creation date, file modification date, file content, and file author…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the invention of BEDHAPUDI, ERLINGSSON, and Li to include a remote IP address as disclosed by Levy, and would have been motivated to do so in order to determine whether a user has recently logged in to a remote resource (Levy, col. 46, lines 2-4).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached at 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MUDASIRU K OLAEGBE/
Examiner, Art Unit 2495
/FARID HOMAYOUNMEHR/
Supervisory Patent Examiner, Art Unit 2495