DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments with respect to claim(s) 1-2, 4-9, 11-14 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Applicant’s arguments, see pages 4,6, filed April 2, 2026, with respect to the rejection(s) of claim(s) 1, 3-9, 11-14 under 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of 101. Based on updated training the present pending claims were reconsidered in view of 35 U.S.C. 101.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-2, 4-9, 11-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
A. Claim 1 is analyzed according to Subject Matter Eligibility (SME) flowchart. Claim 1 is directed to detecting ransomware. According to step 1, the method of claim 1 comprises steps for detecting ransomware wherein the process comprises: metadata of files and folders of filesystem, each file path of each file. The process comprises steps to: review the file paths and identify the subfolder paths or the files, combining the subfolder paths into other paths. Comparing the number of other paths to threshold. Metadata of the file system listed folder creation time and subfolder path. Each are data structures. The method of claim 1 fits one of the statutory categories and claim 1 qualifies as a process.
Claim 1 is analyzed according to Subject Matter Eligibility (SME) flowchart. Claim 1 is directed to detecting ransomware. According to step 1, the method of claim 1 comprises for detecting ransomware comprises: files and folders of filesystem, each file path of each file. Process to organize the files, combining the subfolder paths into other paths. Comparing the number of other paths to threshold. Metadata of the file system listed folder creation time and subfolder path. Each are data structures. The method of claim 1 fits one of the statutory categories and claim 1 qualifies as a process.
Claim 1 is analyzed according to Subject Matter Eligibility (SME) flowchart. The computer system of claim 8, functions similarly to claim 1 as recited above. Claim 8 further comprises an event detection engine to collect event and a response engine to response to events. The combination of engines sends and receives event data. The computer system of claim 8 fits one of the statutory categories and claim 8 qualifies as a machine.
B. When considering step 2A, prong 1, claim 1 recites an abstract idea. The type of abstract is categorized under a mental process. Claim 1 recites processing data based on folders of file systems, files, folders, sub-folder paths and file paths. The process reviews the subfolder path of file for each file. The metadata used for the review is folder creation time. Comparing the subfolder creation time of folders in the subfolder path, identifying subfolder path. Combining subfolder paths into different process paths. Compare the number of process paths to folder threshold. With respect to dependent claim 2, issue a warning message based on conditions. Dependent claim 4, comparison different between folder-creation times. Dependent claim 5, checking whether encrypted. Claim 6, applying machine learning algorithm to detect encryption. Claim 7, issuing a ransomware warning based on conditions. The additional limitations of the dependent clams does not impact the functions of the mental process. Therefore the dependent claims are also categorized as a mental process.
When considering step 2A, prong 1, claim 8 recites an abstract idea. The type of abstract is categorized under a mental process. Claim 8 recites a computer system for processing based on folders of file systems, files, folders, sub-folder paths and file paths. Engine to detect events which corresponds to noting occurrence of type of folders. A response engine that response to threats of the event. The computer system reviews the subfolder path of file for each file. The metadata used for the review is folder creation time. Comparing the subfolder creation time of folders in the subfolder path, identifying subfolder path. Combining subfolder paths into different process paths. Compare the number of process paths to folder threshold. With respect to dependent claim 9, issue a warning message based on conditions. Dependent claim 11, comparison different between folder-creation times. Dependent claim 12, checking whether encrypted. Claim 13, applying machine learning algorithm to detect encryption. Claim 14, issuing a ransomware warning based on conditions. The additional limitations of the dependent clams does not impact the functions of the mental process. Therefore the dependent claims are also categorized as a mental process.
C. The additional features of claim 1 are considered in step 2A, prong 2. The additional features of claim 1 are considered for determination of whether the claims are integrated in a practical application. The first addition feature is processing file system including files, file paths, folders and sub-folders which are data structures and are organized in a hierarchy. Data structures and/or hierarchies does not make an improvement to computer technology. The second additional limitation is creation times of sub-folders which is insignificant pre-processing solution activity. The clustering based on creation times is a form of groups and is insignificant pre-processing solution activity. Clustering is not an integration into a practical application. The third additional feature is applying a threshold to the number of sub-folder paths and application of threshold is well-known. The calculation of a threshold and application of a threshold is not a practical integration into computer technology. Thus, claim 1 fails to recite additional features to integrate into a practical application in a technological environment or field of use. The additional features of claim 1 are considered for determination of whether the claims are integrated in a practical application. The first addition feature is processing file system including files, file paths, folders and sub-folders which are data structures and are organized in a hierarchy. Data structures and/or hierarchies does not make an improvement to computer technology. The second additional limitation is creation times of sub-folders which is insignificant pre-processing solution activity. The clustering based on creation times is a form of groups and is insignificant pre-processing solution activity. Clustering is not an integration into a practical application. The third additional feature is applying a threshold to the number of sub-folder paths and application of threshold is well-known. The calculation of a threshold and application of a threshold is not a practical integration into computer technology. Thus, claim 1 fails to recite additional features to integrate into a practical application in a technological environment or field of use.
The additional limitations of dependent claims 2,4-7 are considered. Dependent claim 2 determines the number of sub-folder paths which a number. Counting the number of sub-folder paths is a mathematical calculation. Dependent claim 4, essentially recites comparison different between folder-creation times. Comparing data is a mental process and comparison is not a practical integration into computer technology. Dependent claim 5 recites checking whether the data is encrypted. Changing the data format is not integration into a practical application. Claim 6, applying machine learning algorithm to detect encryption. Claim 7, issuing a ransomware warning based on conditions. The additional limitations of dependent clams 2, 4-7 does not impact the functions of the mental process and therefore do not integrate into a practical application. Therefore the dependent claims are also categorized as a mental process.
The additional features of claim 8 are considered in step 2A, prong 2. The additional features of claim 8 are considered for determination of whether the claims are integrated in a practical application. The first addition feature is processing file system including files, file paths, folders and sub-folders which are data structures and are organized in a hierarchy. Data structures and/or hierarchies does not make an improvement to computer technology. The second additional limitation is creation times of sub-folders which is insignificant pre-processing solution activity. The clustering based on creation times is a form of groups and is insignificant pre-processing solution activity. Clustering is not an integration into a practical application. The third additional feature is applying a threshold to the number of sub-folder paths and application of threshold is well-known. The calculation of a threshold and application of a threshold is not a practical integration into computer technology. The fourth additional limitations are a response engine to message alerts which is not an integration into a practical application. The fifth additional limitation is an event engine to process the events. Generating notification is not integration to a practical application. The sixth additional limitation is an event detection engine and response engine, one to send event data and the other to consume event data. Sending and receiving are well known functions of computers. Thus, claim 8 fails to recite additional features to integrate into a practical application in a technological environment or field of use. These additional features fail to integrate the claims into a practical application.
With respect to dependent claim 9, issues a message. Dependent claim 11, comparison different between folder-creation times. Dependent claim 12, checking whether encrypted. Claim 13, applying machine learning algorithm to detect encryption. Claim 14, issuing a ransomware warning based on conditions. The additional limitations of the dependent clams does not impact the functions of the mental process. Therefore the dependent claims fail to integrate the claims into a practical application.
D. The additional limitations of claim 1 are considered in Step 2B. Claim 1 does not recite additional limitations the amount to more than the judicial exception. One additional limitation is the file system data structure which is a well understood type of data structure. The file system data structures does not integrate the invention in a technological field or a particular machine. A second additional limitation is creation time events which is based on events which are well known identifiers. A third additional limitation is correlating or clustering subfolder data structures by creation time events is a well-known method of grouping. Correlation based on data items is processing and not an integration into a technical solution. The fourth additional limitation threshold which is a mathematical calculation. Applying a threshold is preprocessing solution activity is which does not amount to significant more than the abstract idea. Dependent claim 3, recites further issuing a warning which is an example of post processing activity. Dependent claim 4, recites comparing time differences and applying a time threshold. The pre- processing activity and well-known activity of applying a threshold. Dependent claims 5-6 recites pre-processing activity of checking data type of encrypted data and using machine learning as a tool. These post-processing activity is not integration into a technological solution. Dependent claims 7 issuing a warning conditional to the comparison to threshold. The application of differences between creation event, numbers of sub-paths, comparing to thresholds, identifying encrypting and issuing messages o claims 1, 3-8, 10-14 fail to provide an improvement to computer network technology.
The additional limitations of claim 8 are considered in Step 2B. Claim 8 does not recite additional limitations the amount to more than the judicial exception. One additional limitation is the file system data structure which is a well understood type of data structure. The file system data structures does not integrate the invention in a technological field or a particular machine. A second additional limitation is creation time events which is based on events which are well known identifiers. A third additional limitation is correlating or clustering subfolder data structures by creation time events is a well-known method of grouping. Correlation based on data items is processing and not an integration into a technical solution. The fourth additional limitation threshold which is a mathematical calculation. Applying a threshold is preprocessing solution activity is which does not amount to significant more than the abstract idea. The fifth additional limitations are detection engine for determining events and response engine sending events. Sending and receiving data are well-known computer task. Dependent claim 9, recites further issuing a warning which is an example of post processing activity. Dependent claim 11, recites comparing time differences and applying a time threshold. The pre- processing activity and well-known activity of applying a threshold. Dependent claims 12-13 recites pre-processing activity of checking data type of encrypted data and using machine learning as a tool. These post-processing activity is not integration into a technological solution. Dependent claim 14 issuing a warning conditional to the comparison to threshold. The application of differences between creation event, numbers of sub-paths, comparing to thresholds, identifying encrypting and issuing messages in claims 1, 3-8, 10-14 fail to amount of significantly more. Claims 1,3-8, 10-14 fail to provide an improvement to computer network technology.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Oprea et al., US 10122742 B1, teaches file system path features include, by way of example, the number of directory levels in the path, the path category, the number of other executable and non-executable files in the same folder, the number of sub-folders, etc. The path of destination events features include, by way of example, the path category of destination files extracted from behavior events, number of events that are in the same and in different paths from the source software module, etc. File metadata features include, by way of example, file owner, hidden attributes, days of creation, etc.
Breiman et al., US 10789361 B2, teaches the pattern characteristic may be an access to files based on an alphabetic order, an access to files based on a file creation time order, an access to files based on folder names and/or any other pattern which known Ransomwares access files. Ransomware that creates new encrypted files and deletes the original files. In this modus operandi the ransomware is accessing a file only for reading as it is not about to overwrite it or even delete it yet.
Isreal et al., US 20200162516 A1, teaches IoT data 540 includes access event data 540A (e.g., which specific users or computer systems accessed or are currently accessing the IoT device and/or file, folder, or other information included on the IoT device as well as how that access was performed, attempted, or achieved) and creation event data 540B (e.g., which files or folders were created by the IoT device during a particular time period as well as timestamp data for those creation events). IoT data 540 additionally includes edit event data 540C describing how a file or folder was modified or edited in any manner (e.g., or perhaps only for changes that satisfy a minimum threshold change amount, as discussed earlier).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PATRICE L WINDER whose telephone number is (571)272-3935. The examiner can normally be reached M-F 10am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAMAL B DIVECHA can be reached at (571)272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Patrice L Winder/Primary Examiner, Art Unit 2453