Prosecution Insights
Last updated: April 19, 2026
Application No. 17/877,435

RANSOMWARE AND MALICIOUS SOFTWARE PROTECTION IN SSD/UFS BY NVME INSTRUCTIONS LOG ANALYSIS BASED ON MACHINE-LEARNING

Non-Final OA: §103, §112
Filed: Jul 29, 2022
Examiner: REVAK, CHRISTOPHER A
Art Unit: 2407
Tech Center: 2400 — Computer Networks
Assignee: Samsung Electronics Co., Ltd.
OA Round: 1 (Non-Final)
Grant Probability: 89% (Favorable)
OA Rounds: 1-2
To Grant: 2y 9m
With Interview: 98%

Examiner Intelligence

Grants 89% — above average
Career Allow Rate: 89% (987 granted / 1105 resolved; +31.3% vs TC avg)
Interview Lift: +8.6% (Moderate +9% lift; resolved cases with interview)
Typical timeline: 2y 9m Avg Prosecution; 17 currently pending
Career history: 1122 Total Applications across all art units

Statute-Specific Performance

§101: 12.0% (-28.0% vs TC avg)
§103: 20.9% (-19.1% vs TC avg)
§102: 38.0% (-2.0% vs TC avg)
§112: 7.2% (-32.8% vs TC avg)
Based on career data from 1105 resolved cases

Office Action

§103 §112
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f):

(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:

An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.

As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:

(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “SIP module is configured to obtain a plurality of storage commands/filter the plurality of storage commands/application information about the filtered plurality of storage commands/provide a notification to the host device” in claim 1 and “SIP module is further configured to obtain an update/apply new information about a new filtered plurality of storage commands/provide notification to the host device” in claim 2.

Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function. Such claim limitation(s) is/are: “at least one processor configured to implement a storage internal protection (SIP) module” in claim 1; “neural-network (NN) processor configured to execute malware protection firmware code” in claim 2; “SSD controller configured to receive the plurality of storage commands and perform operations on memory” in claim 3; “host interface configured to receive the plurality of storage commands” and “the SIP module and the host interface are configured to process the plurality of storage commands” in claim 4; “machine learning ransomware detection algorithm is configured to identify ransomware” in claim 6; “host device is configured to operate a SIP application (SIPA)” and “the SIPA is configured to provide an alert” in claim 8; “at least one processor is configured to obtain a plurality of storage commands/filter the plurality of storage commands/apply information about the filtered plurality of storage commands/provide a notification to a user” in claim 9; “SSD controller configured to receive the plurality of storage commands and perform operations on the memory” in claim 10; “at least one processor is further configured to obtain the information about the filtered plurality of storage commands”; “at least one processor is further configured to filter the plurality of storage commands” in claim 14; “SSD controller configured to receive the plurality of storage commands and perform operations on the memory” in claim 17; “host interface configured to receive the plurality of storage commands” in claim 18; and “machine-learning ransomware detection algorithm is configured to identify the ransomware operation” in claim 20.

Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.

If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to remove the structure, materials, or acts that performs the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 18 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim 18 recites the limitation "The storage system of claim 17" in line 1 wherein claim 17 recites “The method of claim 16” in line 1, and accordingly, claim 16 recites “A method of controlling a storage system” in line. Claim 18 should be amended to recite “The method . There is insufficient antecedent basis for this limitation in the claim.
Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-9, 12-16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Meiri et al, U.S. Patent 11,449,749 in view of Seetharamaiah et al, US 2019/0034633.

As per claim 1, it is taught by Meiri et al of a storage system, comprising: a host device (host devices, col. 5, lines 6-9); and a storage device comprising a memory and at least one processor (col. 1, lines 59-61) configured to implement a storage internal protection (SIP) module (storage system comprises storage devices comprising storage volumes (i.e., memory), and a storage controller (i.e., storage internal protection (SIP) module), col. 6, lines 3-7 & 17-25), wherein the SIP module is configured to: obtain, from the host device, a plurality of storage commands corresponding to the memory (I/O patterns (i.e., plurality of storage commands) corresponding to one or more storage volumes (i.e., memory) are detected from a host device, col. 7, lines 9-13 and col. 8, lines 39-46), monitoring the plurality of storage commands to obtain a plurality of atypical behavior associated with the of storage commands (the I/O data patterns (i.e., plurality of storage commands) monitored at the storage volumes (i.e., memory), col. 7, lines 9-13, col. 8, lines 39-46, and col. 9, lines 64-66), apply information about the atypical behavior associated with the plurality of storage commands to a machine-learning ransomware detection algorithm (based on the I/O data patterns (i.e., plurality of storage commands), a machine learning system (i.e., machine-learning ransomware detection algorithm) identifies reads and write I/O data patterns (i.e., storage commands) exceeding thresholds and compares the changes indicative of a ransomware attack, col. 7, lines 9-13 and col. 9, line 64 through col. 10, line 21), and based on the machine-learning ransomware detection algorithm indicating that a ransomware operation is detected, provide a notification to the host device (based upon the machine learning system (i.e., machine-learning ransomware detection algorithm) analysis of reads and write I/O data patterns (i.e., storage commands), an indication of a ransomware attack is determined, and an access alert (i.e., notification) is produced, col. 7, lines 7-16 and col. 10, lines 7-26, wherein the access alert (i.e., notification) is provided to one or more host devices, col. 7, line 66 through col. 8, line 7).

Meiri et al fails to disclose of filter the plurality of storage commands to obtain a filtered plurality of storage commands and apply information about the filtered plurality of storage commands to a machine-learning ransomware detection algorithm.

Seetharamaiah et al teaches of filtering plurality of storage commands to obtain a filtered plurality of storage commands (filter driver intercepts (i.e., filtering) I/O requests for disk I/O requests (i.e., storage commands) made by a process, paragraph 0028, lines 11-19) and apply information about (an information log is generated or updated for the process by creating a process ID, identified memory regions, and sizes of memory regions (i.e., applying information) that may or may not include malware (i.e., ransomware), paragraph 0054, lines 1-34) the filtered plurality of storage commands to a machine-learning ransomware detection algorithm (the intercepted I/O disk operations (i.e., plurality of storage commands) by the filter driver (i.e., filter) are provided to a machine learning algorithm to determine if it is malicious (i.e., indicative of ransomware) or if it is non-malicious based upon similarities, paragraph 0054, lines 1-10 and paragraph 0060, lines 5-15 & 21-34).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to applying filtering means as a way of sorting relevant information that could be used to accurately detect malicious conditions, such as ransomware. Known issues in the prior art exist with fileless malware (i.e., ransomware) that act as an exploit for an attacker to gain access to a computer system, paragraph 0003, lines 1-15. Seetharamaiah et al discloses of protection from fileless malware (i.e., ransomware) whereby filter drivers monitor and intercept I/O requests (i.e., storage commands) issued by executed processes, paragraph 0028, lines 9-13. Although the teachings of Meiri et al disclose of detection ransomware using machine learning techniques, the teachings of Seetharamaiah et al offer a more comprehensive monitoring process using a filter to detect malicious (i.e., ransomware) I/O disk operations (i.e., storage commands) using machine learning involving fileless operations.

As per claim 6, it is disclosed by Meiri et al wherein machine-learning ransomware detection algorithm is configured to identify the ransomware operation based on a pattern associated with plurality of storage commands (based upon the machine learning system (i.e., machine-learning ransomware detection algorithm) analysis of reads and write I/O data patterns (i.e., storage commands), an indication of a ransomware attack is determined, and an access alert (i.e., notification) is produced, col. 7, lines 7-16 and col. 10, lines 7-26), the teachings of Seetharamaiah et al are relied upon for filtering the plurality of storage commands to obtain a filtered plurality of storage commands (filter driver intercepts (i.e., filtering) I/O requests for disk I/O requests (i.e., storage commands) made by a process, paragraph 0028, lines 11-19), please refer above for the motivational reasons of applying the filtering of Seetharamaiah et al with Meiri et al, and Wherein Meiri et al discloses that the pattern relates to at least one from among a first storage command corresponding to a read operation for reading data, a second storage command corresponding to an encryption operation for encrypting the data to generate encrypted data, and a third storage command corresponding to a write operation for overwriting the data using the encrypted data (the machine learning system identifies that at least one of the read counters (i.e., first storage command) and write counters (i.e., third storage command) associated with the I/O data of the storage volume exceeds a threshold associated with the plurality of read counters and the plurality of write counters associated with the sample I/O data patterns, where exceeding the threshold indicates atypical behavior associated with the I/O data patterns of the I/O data. For example, the machine learning system detects a change in the I/O patterns associated with the I/O data, and compares the change in the I/O data patterns with the sample I/O data patterns associated with the storage volume. The machine learning system identifies atypical behavior associated with the I/O data patterns of the I/O data by detecting a change in the I/O data patterns of the I/O data, and determining that the change in the I/O data patterns indicates that the atypical behavior is indicative of a security risk. A ransomware attack may encrypt data as part of the attack strategy (i.e., second storage command), and encrypted data may not be compressible. As noted above, a ransomware attack may encrypt data, and encrypted data may not be deduplicated, col. 9, line 65 through col. 10, line 31).

As per claim 7, it is taught by Meiri et al wherein the machine-learning ransomware detection algorithm comprises at least one from among a convolutional neural network, a recurrent neural network, a principal component analysis model, and a random forests model (the machine learning ransomware detection algorithm is a convolutional neural network, col. 10, lines 15-21 and col. 11, lines 41-50).

As per claim 8, it is disclosed by Meiri et al wherein the host device is configured to operate a SIP application (SIPA) corresponding to the SIP module (the storage controller (i.e., SIP module) is configured identify atypical behavior by operations of resident software (i.e., SIP application or SIPA), col. 11, lines 18-32 and col. 12, lines 4-15), wherein the SIPA is configured to provide an alert to a user of the host device based on the notification, and to receive a user input received from the user (the storage controller is configured (via an application, or SIPA, to transmit an alert notifying a user, col. 11, lines 29-40), and wherein the at least one processor (col. 1, lines 59-61) is further configured to modify an operation of the SIP module based on the user input (the storage controller is configured to generate an alert for a user and to initiate one or more attack remediation operations responsive to the confirmation of an actual attack, col. 11, lines 29-40).

As per claim 9, it is taught by Meiri et al of a storage device (storage system comprises storage devices comprising storage volumes, and a storage controller, col. 6, lines 3-7 & 17-25), comprising: a memory (storage system comprises storage devices comprising storage volumes (i.e., memory), col. 6, lines 3-7 & 17-25); and at least one processor (col. 1, lines 59-61) configured to: obtain a plurality of storage commands corresponding to the memory (I/O patterns (i.e., plurality of storage commands) corresponding to one or more storage volumes (i.e., memory) are detected from a host device, col. 7, lines 9-13 and col. 8, lines 39-46), monitoring the plurality of storage commands to obtain a plurality of atypical behavior associated with the of storage commands (the I/O data patterns (i.e., plurality of storage commands) monitored at the storage volumes (i.e., memory), col. 7, lines 9-13, col. 8, lines 39-46, and col. 9, lines 64-66), apply information about the atypical behavior associated with the plurality of storage commands to a machine-learning ransomware detection algorithm (based on the I/O data patterns (i.e., plurality of storage commands), a machine learning system (i.e., machine-learning ransomware detection algorithm) identifies reads and write I/O data patterns (i.e., storage commands) exceeding thresholds and compares the changes indicative of a ransomware attack, col. 7, lines 9-13 and col. 9, line 64 through col. 10, line 21), and based on the machine-learning ransomware detection algorithm indicating that a ransomware operation is detected, provide a notification to a user of the storage device (based upon the machine learning system (i.e., machine-learning ransomware detection algorithm) analysis of reads and write I/O data patterns (i.e., storage commands), an indication of a ransomware attack is determined, and an access alert (i.e., notification) is produced, col. 7, lines 7-16 and col. 10, lines 7-26, wherein the access alert (i.e., notification) is provided to one or more host devices, col. 7, line 66 through col. 8, line 7).

Meiri et al fails to teach of filtering the plurality of storage commands to obtain a filtered plurality of storage commands and applies information about the filtered plurality of storage commands to a machine-learning ransomware detection algorithm.

Seetharamaiah et al teaches of filtering the plurality of storage commands to obtain a filtered plurality of storage commands (filter driver intercepts (i.e., filtering) I/O requests for disk I/O requests (i.e., storage commands) made by a process, paragraph 0028, lines 11-19) and applies information (an information log is generated or updated for the process by creating a process ID, identified memory regions, and sizes of memory regions (i.e., applying information) that may or may not include malware (i.e., ransomware), paragraph 0054, lines 1-34) about the filtered plurality of storage commands to a machine-learning ransomware detection algorithm (the intercepted I/O disk operations (i.e., plurality of storage commands) by the filter driver (i.e., filter) are provided to a machine learning algorithm to determine if it is malicious (i.e., indicative of ransomware) or if it is non-malicious based upon similarities, paragraph 0054, lines 1-10 and paragraph 0060, lines 5-15 & 21-34).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to applying filtering means as a way of sorting relevant information that could be used to accurately detect malicious conditions, such as ransomware. Known issues in the prior art exist with fileless malware (i.e., ransomware) that act as an exploit for an attacker to gain access to a computer system, paragraph 0003, lines 1-15. Seetharamaiah et al discloses of protection from fileless malware (i.e., ransomware) whereby filter drivers monitor and intercept I/O requests (i.e., storage commands) issued by executed processes, paragraph 0028, lines 9-13.
Although the teachings of Meiri et al disclose of detection ransomware using machine learning techniques, the teachings of Seetharamaiah et al offer a more comprehensive monitoring process using a filter to detect malicious (i.e., ransomware) I/O disk operations (i.e., storage commands) using machine learning involving fileless operations. As per claim 12, it is disclosed by Meiri et al wherein the at least one processor is further configured to obtain the information about the plurality of storage commands by extracting a plurality of features from metadata corresponding to the plurality of storage commands (I/O data patterns (i.e., plurality of storage commands) on storage volumes are tracked, col. 7, lines 4-15, wherein figure 2 shows various table entries (i.e., metadata corresponding to the plurality of I/O data patterns (i.e., storage commands), such as total read I/O, average read I/O, total write I/O, etc., for each particular storage volume (i.e., memory), col. 8, lines 9-33). Seetharamaiah et al is relied upon for filtering the plurality of storage commands to obtain a filtered plurality of storage commands (filter driver intercepts (i.e., filtering) I/O requests for disk I/O requests (i.e., storage commands) made by a process, paragraph 0028, lines 11-19), please refer above for the motivational reasons of applying the filtering of Seetharamaiah et al with Meiri et al. As per claim 13, it is taught by Meiri et al wherein a feature of the plurality of features comprises at least one from among an operation code corresponding to a storage command from among the plurality of storage commands (I/O data patterns (i.e., plurality of storage commands) on storage volumes are tracked, col. 7, lines 4-15, wherein figure 2 shows various table entries (corresponding to the plurality of I/O data patterns (i.e., storage commands), such as total read I/O, average read I/O, total write I/O, etc. 
(i.e., features for operation codes), for each particular storage volume (i.e., memory), col. 8, lines 9-33), a starting logical block address corresponding to the storage command, and a queue identifier corresponding to the storage command (an address range (i.e., logical block address) for the I/O data patterns (i.e., storage commands) is maintained along with a counter value based upon various times of day (i.e., queue identifier), col. 8, lines 11-33). As per claim 14, it is disclosed by Meiri et al wherein the at least one processor is further configured to select the plurality of storage commands based on the extracted plurality of features, and wherein the information about the plurality of storage commands comprises a plurality of features corresponding to the select plurality of storage commands (). Seetharamaiah et al is relied upon for filtering the plurality of storage commands to obtain a filtered plurality of storage commands (filter driver intercepts (i.e., filtering) I/O requests for disk I/O requests (i.e., storage commands) made by a process, paragraph 0028, lines 11-19), please refer above for the motivational reasons of applying the filtering of Seetharamaiah et al with Meiri et al. As per claim 15, it is taught by Meiri et al wherein the machine-learning ransomware detection algorithm comprises at least one from among a convolutional neural network, a recurrent neural network, a principal component analysis model, and a random forests model (the machine learning ransomware detection algorithm is a convolutional neural network, col. 10, lines 15-21 and col. 11, lines 41-50). As per claim 16, it is disclosed by Meiri et al of a method of controlling a storage system, the method being performed by a storage internal protection (SIP) module implemented by at least one processor (col. 
1, lines 59-61) included in a storage device of the storage system (storage system comprises storage devices comprising storage volumes (i.e., memory), and a storage controller (i.e., storage internal protection (SIP) module), col. 6, lines 3-7 & 17-25), the method comprising: obtaining, from a host device (host devices, col. 5, lines 6-8) included in the storage system, a plurality of storage commands corresponding to a memory of the storage device (I/O patterns (i.e., plurality of storage commands) corresponding to one or more storage volumes (i.e., memory) are detected from a host device, col. 7, lines 9-13 and col. 8, lines 39-46), monitoring the plurality of storage commands to obtain a plurality of atypical behavior associated with the storage commands (the I/O data patterns (i.e., plurality of storage commands) monitored at the storage volumes (i.e., memory), col. 7, lines 9-13, col. 8, lines 39-46, and col. 9, lines 64-66), applying information about atypical behavior associated with the plurality of storage commands to a machine-learning ransomware detection algorithm (based on the I/O data patterns (i.e., plurality of storage commands), a machine learning system (i.e., machine-learning ransomware detection algorithm) identifies reads and write I/O data patterns (i.e., storage commands) exceeding thresholds and compares the changes indicative of a ransomware attack, col. 7, lines 9-13 and col. 9, line 64 through col. 10, line 21), and based on the machine-learning ransomware detection algorithm indicating that a ransomware operation is detected, providing a notification to the host device (based upon the machine learning system (i.e., machine-learning ransomware detection algorithm) analysis of reads and write I/O data patterns (i.e., storage commands), an indication of a ransomware attack is determined, and an access alert (i.e., notification) is produced, col. 7, lines 7-16 and col. 
10, lines 7-26, wherein the access alert (i.e., notification) is provided to one or more host devices, col. 7, line 66 through col. 8, line 7). Meiri et al fails to disclose of filtering the plurality of storage commands to obtain a filtered plurality of storage commands and applying information about the filtered plurality of storage commands to a machine-learning ransomware detection algorithm. Seetharamaiah et al discloses of filtering the plurality of storage commands to obtain a filtered plurality of storage commands (filter driver intercepts (i.e., filtering) I/O requests for disk I/O requests (i.e., storage commands) made by a process, paragraph 0028, lines 11-19) and applying information about (an information log is generated or updated for the process by creating a process ID, identified memory regions, and sizes of memory regions (i.e., applying information) that may or may not include malware (i.e., ransomware), paragraph 0054, lines 1-34) the filtered plurality of storage commands to a machine-learning ransomware detection algorithm (the intercepted I/O disk operations (i.e., plurality of storage commands) by the filter driver (i.e., filter) are provided to a machine learning algorithm to determine if it is malicious (i.e., indicative of ransomware) or if it is non-malicious based upon similarities, paragraph 0054, lines 1-10 and paragraph 0060, lines 5-15 & 21-34). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to applying filtering means as a way of sorting relevant information that could be used to accurately detect malicious conditions, such as ransomware. Known issues in the prior art exist with fileless malware (i.e., ransomware) that act as an exploit for an attacker to gain access to a computer system, paragraph 0003, lines 1-15. 
Seetharamaiah et al discloses of protection from fileless malware (i.e., ransomware) whereby filter drivers monitor and intercept I/O requests (i.e., storage commands) issued by executed processes, paragraph 0028, lines 9-13. Although the teachings of Meiri et al disclose of detection ransomware using machine learning techniques, the teachings of Seetharamaiah et al offer a more comprehensive monitoring process using a filter to detect malicious (i.e., ransomware) I/O disk operations (i.e., storage commands) using machine learning involving fileless operations.

As per claim 20, it is disclosed by Meiri et al wherein machine-learning ransomware detection algorithm is configured to identify the ransomware operation based on a pattern associated with the plurality of storage commands (based upon the machine learning system (i.e., machine-learning ransomware detection algorithm) analysis of reads and write I/O data patterns (i.e., storage commands), an indication of a ransomware attack is determined, and an access alert (i.e., notification) is produced, col. 7, lines 7-16 and col. 10, lines 7-26), the teachings of Seetharamaiah et al are relied upon for filtering the plurality of storage commands to obtain a filtered plurality of storage commands (filter driver intercepts (i.e., filtering) I/O requests for disk I/O requests (i.e., storage commands) made by a process, paragraph 0028, lines 11-19), please refer above for the motivational reasons of applying the filtering of Seetharamaiah et al with Meiri et al, and wherein Meiri et al further discloses that the pattern relates to at least one from among a first storage command corresponding to a read operation for reading data, a second storage command corresponding to an encryption operation for encrypting the data to generate encrypted data, and a third storage command corresponding to a write operation for overwriting the data using the encrypted data (the machine learning system identifies that at least one of the read counters (i.e., first storage command) and write counters (i.e., third storage command) associated with the I/O data of the storage volume exceeds a threshold associated with the plurality of read counters and the plurality of write counters associated with the sample I/O data patterns, where exceeding the threshold indicates atypical behavior associated with the I/O data patterns of the I/O data. For example, the machine learning system detects a change in the I/O patterns associated with the I/O data, and compares the change in the I/O data patterns with the sample I/O data patterns associated with the storage volume. The machine learning system identifies atypical behavior associated with the I/O data patterns of the I/O data by detecting a change in the I/O data patterns of the I/O data, and determining that the change in the I/O data patterns indicates that the atypical behavior is indicative of a security risk.
A ransomware attack may encrypt data as part of the attack strategy (i.e., second storage command), and encrypted data may not be compressible. As noted above, a ransomware attack may encrypt data, and encrypted data may not be deduplicated, col. 9, line 65 through col. 10, line 31).

Claims 3, 4, 10, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Meiri et al, U.S. Patent 11,449,749 in view of Seetharamaiah et al, US 2019/0034633, in further view of Bernat et al, U.S. Patent 11,032,259.

As per claims 3, 10, and 17, it is taught by Meiri et al wherein the storage device comprises a solid state drive (SSD) including an SSD controller (storage system comprises storage devices comprising storage volumes (i.e., memory), and a storage controller, col. 6, lines 3-7 & 17-25, wherein the storage device comprise solid state drives, or SSDs, col. 6, lines 17-19) configured to receive the plurality of storage commands and perform operations on the memory based on the plurality of storage commands (I/O patterns (i.e., plurality of storage commands) are received corresponding to one or more storage volumes (i.e., memory) that are detected from a host device, col. 7, lines 9-13 and col. 8, lines 39-46), wherein the at least one processor is included in the SSD controller (storage system comprises storage devices comprising storage volumes (i.e., memory), and a storage controller, col. 6, lines 3-7 & 17-25, wherein the storage device comprise solid state drives, or SSDs, col. 6, lines 17-19, wherein furthermore it is disclosed of containing a processor, col. 1, lines 59-61), and wherein the plurality of storage commands includes at least one nonvolatile memory (NVM) (I/O patterns (i.e., storage commands) correspond to non-volatile memory, or NVM commands, col. 6, lines 17-25 and col. 7, lines 4-13).

The combined teachings of Meiri et al in view of Seetharamaiah et al fail to disclose of the use of nonvolatile memory express (NVMe) memory.
Bernat et al discloses of using nonvolatile memory express (NVMe) memory (col. 54, lines 15-17).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to have been motivated to use certain types of memory that offer certain benefits over other types of memory devices. The teachings of Bernat et al disclose of motivational reasonings of using NVMe by citing the enablement of hardware and software to fully exploit the levels of parallelism that exists in modern SSDs by reducing I/O overhead and performance improvements for long command queues, col. 54, lines 29-34. The teachings of Meiri et al are suggestive of using multiple different types of NVM devices in regards to SSDs (col. 6, lines 17-25 of Meiri et al), wherein the teachings of Bernat et al offer an improvement to storage operations by use of NVMe SSD storage devices which would have been obvious because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art at the effective filing date of the claimed invention.

As per claim 4, it is disclosed by Meiri et al wherein the SSD controller further comprises a host interface configured to receive the plurality of storage commands from the host device (storage system comprises storage devices comprising storage volumes (i.e., memory), and a storage controller, col. 6, lines 3-7 & 17-25, wherein the storage device comprise solid state drives, or SSDs, col. 6, lines 17-19 and I/O patterns (i.e., plurality of storage commands) are received corresponding to one or more storage volumes (i.e., memory) that are detected via a host device via a host interface (host interface (as part of the machine learning system for use in monitoring), col. 8, lines 34-46), col. 7, lines 9-13 and col. 8, lines 39-46) wherein the storage commands are processed by the storage controller (i.e., SIP module), and host interface (as part of the machine learning system for use in monitoring), col. 8, lines 34-46), and wherein Bernat et al is relied upon for disclosing of processing the plurality of storage commands in parallel. Please refer above for the motivational reasonings of applying the teachings of Bernat et al with Meiri et al in view of Seetharamaiah et al in regards to using NVMe SSDs for the enablement of hardware and software to fully exploit the levels of parallelism that exists in modern SSDs by reducing I/O overhead and performance improvements for long command queues, col. 54, lines 29-34.

As per claim 18, it is disclosed by Meiri et al wherein the SSD controller further comprises a host interface configured to receive the plurality of storage commands from the host device (storage system comprises storage devices comprising storage volumes (i.e., memory), and a storage controller, col. 6, lines 3-7 & 17-25, wherein the storage device comprise solid state drives, or SSDs, col. 6, lines 17-19 and I/O patterns (i.e., plurality of storage commands) are received corresponding to one or more storage volumes (i.e., memory) that are detected via a host device via a host interface ((as part of the machine learning system for use in monitoring), col. 8, lines 34-46), col. 7, lines 9-13 and col. 8, lines 39-46, wherein the storage commands are processed by the storage controller (i.e., SIP module) and host interface (as part of the machine learning system for use in monitoring), col. 8, lines 34-46) and wherein Bernat et al is relied upon for disclosing of processing the plurality of storage commands in parallel.
Please refer above for the motivational reasonings of applying the teachings of Bernat et al with Meiri et al in view of Seetharamaiah et al in regards to using NVMe SSDs for the enablement of hardware and software to fully exploit the levels of parallelism that exists in modern SSDs by reducing I/O overhead and performance improvements for long command queues, col. 54, lines 29-34.

Claims 5, 11, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Meiri et al, U.S. Patent 11,449,749 in view of Seetharamaiah et al, US 2019/0034633, in further view of Danz et al, U.S. Patent 11,947,568.

As per claims 5, 11, and 19, it is taught by Seetharamaiah et al wherein the filtered plurality of storage commands is obtained (filter driver intercepts (i.e., filtering) I/O requests for disk I/O requests (i.e., storage commands) made by a process, paragraph 0028, lines 11-19). Please refer above for the motivational reasoning of applying the filtering of Seetharamaiah et al with Meiri et al, however the combined teachings fail to disclose of applying a sliding window having a predetermined size to the plurality of storage commands.

Danz et al discloses of applying a sliding window having a predetermined size to the plurality of storage commands (a time window is selected that filters out entries existing outside of a time range desired for a working set estimate, col. 4, lines 6-11, wherein the sliding time window is applied to storage I/O for moving data items, col. 3, lines 21-23 & 26-33).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to apply the use of filtering mechanisms to capture select data from certain periods of time. The teachings of Danz et al disclose of the need to filter out entries that are for data items accessed outside of a time range for a working set estimate, col. 4, lines 6-11 which is desirable for observing conditions during select time periods, and in the case of Meiri et al in view of Seetharamaiah et al, for filtering time periods indicative of ransomware attacks to provide a more accurate picture of the malicious nature and timing of the attack which would have been an obvious substitution taught by Danz et al.

Allowable Subject Matter

Claim 2 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The closest prior art teachings of Li, CN 114460913 A are relied upon for disclosing of an ECU firmware updating instruction in this example can be only used for triggering the abnormal ECU to update the firmware of the instruction, namely the ECU firmware updating instruction may not contain the corresponding firmware of an abnormal ECU after receiving the ECU firmware updating instruction, can be stored in the local, or server, or local external storage device obtains the firmware information to be updated. Wherein, the firmware update in this embodiment can be updated to the firmware of the latest version, also can be parallel to the upgrade, that is to keep the firmware version number is not changed, also can be updated to the old firmware version, such as in the local storage, or server, or the local external storage device is stored with the old version firmware with relatively stable corresponding ECU performance, then it can indicate the abnormal ECU to update firmware by the ECU firmware updating instruction, see machine translation.
In another related teaching, Li, CN 110298174 A is relied upon for disclosing of a chip in a memory module selected of the firmware in the process of updating, control module can monitor chip, so as to prevent the operation of the firmware chip unauthorized operation of the firmware thereof, comprising the protection area of the read-write operation and erase operation, and so on. By the updating process of the firmware to monitor and prevent third party malicious implanted in the malicious code from the firmware during updating of the firmware, so as to further improve the security of the firmware operation, see machine translation.

Wu, CN 101763272 A is relied upon for disclosing of a security updating mode for updating and electronic device the normal operation of the operating system to the firmware updating, and the updating unit equipped in the element and data is read only information can not be changed, even if the operating system is abnormal, it will start the electronic device updating unit capable of updating the firmware of the operation, and does not require additional storing space regularly copying one part of the firmware data. The hardware storing space is saved; in addition, to provide a way of updating the interface and receiving the operation maintenance command for firmware updating operation, has the advantage of intuitive and simple operation is, whether viewed from the user or electronic device operation angle, the system or method of the technical solution provided by the invention is hand space, it can achieve the safe updating and simple operation, see machine translation.
Although Li ‘913, Li ‘174, and Wu disclose of updating firmware, they fail to provide the updated firmware in the manner as claimed by the Applicant in claim 2 with respect to new filtered plurality of storage commands to an updated machine-learning ransomware detection algorithm corresponding to updated malware detection firmware code, and indicating the detection of new ransomware.

As per claim 2, it was not found to be taught in the prior art, nor in the teachings of Meiri et al, Seetharamaiah et al, Li ‘913, Li ‘174, or Wu alone, or in combination since they fail to disclose of updating malware protection firmware code based; apply new information about a new filtered plurality of storage commands to an updated machine-learning ransomware detection algorithm corresponding to the updated malware detection firmware code; and based on the updated machine-learning ransomware detection algorithm indicating that a new ransomware operation is detected, provide the notification to the host device.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Botner et al, U.S. Patent 12,457,293 is relied upon for disclosing of identifying a plurality of calls and corresponding call data, identifying call parameters to identify a suspect sub-set of call parameters which indicate an elevated likelihood of call scam, see column 1, lines 45-57.

Liu, CN 114741091 A is relied upon for disclosing of a programmable device loads the firmware data in the main area through the firmware selection module; if A0 and A1 are not consistent, the firmware data in the main area is abnormal, then upgrading the firmware data in the main area.
Re-reading the firmware data and check value in the main area after finishing the upgrade, the check value algorithm module of the CPU calculates the check value B1 of the read firmware data, the check value read from the data check area is marked as B0, if B0 and B1 are consistent, the firmware data in the main area after the upgrade is correct, loading the firmware data in the main area by the firmware selection module; if B0 and B1 are not consistent, representing the firmware data is abnormal after upgrading in the main area, then continuing to upgrade the firmware data of the main area, see machine translation.

Zhang et al, US 2021/0216871 is relied upon for disclosing of neural network logic is representative of hardware, software, and/or a combination thereof, which may comprise a neural network (e.g., a DNN, a CNN, etc.) that implements dynamic programming to determine and solve for an approximated value function. In at least one embodiment, the neural network logic comprises one or more CNNs, referenced as CNN model(s). Each CNN model is formed of a cascade of multiple layers of nonlinear processing units for feature extraction and transformation, see paragraph 0019. Normal convolution involves a two-dimensional (2D) sliding-window convolution. For example, FIG. 2 depicts a 2D sliding-window convolution of an S×R element filter over a W×H element input activation plane to produce a (W−S+1)×(H−R+1) element output activation plane. The data can include C input channels. A distinct filter may be applied to each channel of the input activation plane, and the filter output for each of the channels can be accumulated together, element-wise into a single output activation channel, see paragraph 0029.
Castrejon, III et al, US 2022/0398316 is relied upon for disclosing of behaviors that are determined include one or more of (i) disk input/output calls, (ii) memory utilization, (iii) processing unit utilization, (iv) files accessed, (v) types of calls made to operating system, (vi) ports and protocols used for calls, (vii) attempts to escalate access privileges, and the like. Moreover, in additional specific embodiments of the method, the one or more behaviors that are determined are a pattern of behaviors, such that training, the one or more AI algorithms, to monitor for the behaviors further includes training, the one or more AI algorithms, to monitor for the pattern of behaviors, such that the actions occur in response to the pattern of events, see paragraph 0027.

Chen et al, U.S. Patent 11,120,131 is relied upon for disclosing of a snapshot includes data of a machine at the particular time point. As another example, the filesystem module interfaces with a machine to take a snapshot of the machine. From the snapshot, the filesystem module records the changes in the filesystem during a time interval. The changes in the filesystem includes file operations that took place during the time interval. The file operations can be of different types corresponding to different operations applied to the files. Example file operations include a read operation, a write operation, a modify operation, an add operation, a move operation, a delete operation, a create operation, a rename operation, and the like. In some embodiments, the filesystem module generates filesystem metadata of a filesystem of the machine, for example, by crawling the filesystem. The filesystem metadata includes a list of entries that correspond to filesystem changes during a time interval. The filesystem metadata describes the filesystem such as a structure of the filesystem and sizes of files in the filesystem, see column 2, line 63 through column 3, line 14.
Hunt et al, US 2018/0007069 is relied upon for disclosing of a ransomware detection module filters cloud storage API calls to track modification to existing data structures (which represent user stored files) within the cloud storage system. This monitors for behavior indicating ransomware-like activity at an API level. The approach is statistical, looking at sequences of events, rather than basing decisions on individual events. Other read, write, delete sequences may be used that indicate a ransomware delete and create sequence, see paragraph 0025.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Catherine Thiaw can be reached at 571-270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER A REVAK/
Primary Examiner, Art Unit 2407
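The rejections above turn on a pipeline of filtering storage commands, applying a fixed-size sliding window, and scoring a read-then-overwrite pattern in which the overwriting data looks encrypted. The Python sketch below is an added illustration of that pipeline, not code from the application or from any cited reference; the command-log fields, window size, thresholds, sample logs, and the simple threshold rule standing in for the machine-learning algorithm are all assumptions.

```python
import math
from collections import Counter, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Cmd:
    opcode: str           # hypothetical log field: "read", "write", "flush"
    lba: int              # starting logical block address
    payload: bytes = b""  # sample of the data carried by a write


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted (incompressible) data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def filter_commands(log):
    """Filtering step: keep only commands relevant to read -> overwrite."""
    return [c for c in log if c.opcode in ("read", "write")]


def window_features(window):
    """Return (share of writes that hit an LBA read earlier in the window,
    mean payload entropy of those overwrites)."""
    read_lbas, entropies, writes = set(), [], 0
    for c in window:
        if c.opcode == "read":
            read_lbas.add(c.lba)
        else:
            writes += 1
            if c.lba in read_lbas:
                entropies.append(shannon_entropy(c.payload))
    ratio = len(entropies) / writes if writes else 0.0
    mean_entropy = sum(entropies) / len(entropies) if entropies else 0.0
    return ratio, mean_entropy


def detect(log, window_size=8, ratio_thr=0.75, entropy_thr=7.0):
    """Slide a fixed-size window over the filtered commands and return the
    start index of every window flagged. The threshold rule is an assumed
    stand-in for a trained model scoring the same features."""
    window, alerts = deque(maxlen=window_size), []
    for i, cmd in enumerate(filter_commands(log)):
        window.append(cmd)
        if len(window) == window_size:
            ratio, entropy = window_features(window)
            if ratio >= ratio_thr and entropy >= entropy_thr:
                alerts.append(i - window_size + 1)
    return alerts


# Constructed sample data (not captured from a real device).
TEXT = b"quarterly report " * 16


def cipher_like(seed: int) -> bytes:
    """256 distinct byte values: entropy 8.0, like ciphertext."""
    return bytes((i * 167 + seed) % 256 for i in range(256))


BENIGN_LOG = [Cmd("read", 100 + i) if i % 2 == 0 else Cmd("write", 500 + i, TEXT)
              for i in range(16)]
EDIT_LOG = [c for lba in range(300, 308)          # in-place edits, plain text
            for c in (Cmd("read", lba), Cmd("write", lba, TEXT))]
ATTACK_LOG = [c for lba in range(200, 208)        # read, then encrypted overwrite
              for c in (Cmd("read", lba), Cmd("flush", 0),
                        Cmd("write", lba, cipher_like(lba)))]

if __name__ == "__main__":
    for name, log in (("benign", BENIGN_LOG), ("edit", EDIT_LOG),
                      ("attack", ATTACK_LOG)):
        print(name, detect(log))
```

The in-place edit log shows why the overwrite ratio alone is not enough: it matches the read-then-overwrite sequence but is not flagged because its payload entropy stays low.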

Prosecution Timeline

Jul 29, 2022: Application Filed
Feb 12, 2026: Non-Final Rejection — §103, §112
Mar 26, 2026: Interview Requested
Apr 07, 2026: Applicant Interview (Telephonic)
Apr 15, 2026: Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602477
DETECTING TARGETED INTRUSION ON MOBILE DEVICES
2y 5m to grant Granted Apr 14, 2026
Patent 12596798
PROBABILISTIC TRACKER MANAGEMENT FOR MEMORY ATTACK MITIGATION
2y 5m to grant Granted Apr 07, 2026
Patent 12591698
SECURE DATA PARSER METHOD AND SYSTEM
2y 5m to grant Granted Mar 31, 2026
Patent 12579251
SYSTEM AND METHOD FOR DETECTING EXCESSIVE PERMISSIONS IN IDENTITY AND ACCESS MANAGEMENT
2y 5m to grant Granted Mar 17, 2026
Patent 12561439
LOCATION-BASED IHS FUNCTIONALITY LIMITING SYSTEM AND METHOD
2y 5m to grant Granted Feb 24, 2026

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 89%
With Interview (+8.6%): 98%
Median Time to Grant: 2y 9m
PTA Risk: Low
Based on 1105 resolved cases by this examiner. Grant probability derived from career allow rate.
