Remarks
Claims 1-5, 7-15, and 17-20 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 8/22/2025 has been entered.
Response to Arguments
Applicant's arguments filed 8/22/2025 have been fully considered but they are not persuasive.
Applicant alleges “instead of using PITs, Halcrow discloses a real time detection of imminent attack.” Halcrow certainly uses PITs, such as data, snapshots, metadata, logs, commands, audits, accesses, etc., as examples.
Applicant alleges “one snapshot is captured before the attack begins and another snapshot is captured after the attack has concluded. Thus, Halcrow fails to teach or suggest ‘receiving a stream of data over time based on the replaying of the PITs,’ as recited in independent claims 1 and 11.” To the contrary, even looking at what Applicant states is within Halcrow, we see a group of PITs (i.e. “one snapshot is captured before the attack begins and another snapshot is captured after the attack has concluded”). These are replayed in Halcrow’s disclosure, for example, of using the above to detect exactly when an event occurs, using timelines (e.g., as in figure 6), reconstructing memory states in sequence to find point of attack, etc., for example.
Applicant then appears to provide a general allegation regarding 6 lines of claim 1 with no supporting argument. Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Applicant then provides Applicant’s understanding of a portion of Lu and alleges “However, Lu nowhere discloses the above-recited features of independent claims 1 and 11.” However, no argument against any particular limitation is found. Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Moreover, contrary to Applicant’s general allegation(s), Lu discloses at least the following:
Lu, however, discloses that analyzing the PITs comprises (Exemplary Citations: for example, Abstract, Paragraphs 4, 18, 21, 33-35, 43-49, 54, 57-59, and associated figures):
Receiving a stream of data over time based on the replaying of the PITs (Exemplary Citations: for example, Abstract, Paragraphs 4, 18, 21, 33-35, 43-49, 54, 57-59, and associated figures; steam of data, such as logged/dumped data, in static and/or dynamic analysis, for example);
Tracking the stream of data over time (Exemplary Citations: for example, Abstract, Paragraphs 4, 18, 21, 33-35, 43-49, 54, 57-59, and associated figures; tracking to determine paths, for example);
Identifying a path taken by the data after infection has occurred to the data (Exemplary Citations: for example, Abstract, Paragraphs 4, 18, 21, 33-35, 43-49, 54, 57-59, and associated figures; path, for example); and
Based on the identified path, outputting a flow of a problem that has not yet fully followed the identified path (Exemplary Citations: for example, Abstract, Paragraphs 4, 18, 21, 33-35, 43-49, 54, 57-59, and associated figures; a path that has, at least in part, been taken, or may be taken, for example); and
Wherein the method further comprises taking a security improvement action based on the output of the flow of the problem (Exemplary Citations: for example, Abstract, Paragraphs 4, 18, 21, 33-35, 43-50, 54, 57-60, and associated figures; report, for example). It would
Therefore, Halcrow in view of Lu discloses all argued subject matter.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 11-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the application defines a storage medium in such a fashion as to be non-statutory. For example, claim 64 states that “non-transitory storage media also embraces cloud-based storage systems and structures”. This non-limiting example of what a non-transitory storage medium could be that is non-statutory includes virtual storage media as well as transmission media, such as those used in cloud based storage systems and structures. Thus, the claims are not statutory.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-5, 7-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Halcrow (U.S. Patent Application Publication 2021/0049031) in view of Lu (U.S. Patent Application Publication 2013/0091571).
Regarding Claim 1,
Halcrow discloses a method comprising:
Accessing a group that comprises a group of PITs, of which each is a backup of data at a particular point in time (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; data, snapshots, metadata, logs, commands, audits, accesses, etc., as examples);
Replaying the PITs according to respective times at which corresponding snapshots were taken (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; using the above to detect exactly when an event occurs, using timelines (e.g., as in figure 6), reconstructing memory states in sequence to find point of attack, etc., for example);
Analyzing the PITs as they are being replayed to obtain forensic information (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; as just explained, for example); and
Based on the forensic information, identifying an event that has occurred within a time frame spanned collectively by the PITs (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; as just explained, for example);
Wherein analyzing the PITs comprises (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures):
Receiving a stream of data over time based on the replaying of the PITs (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; reconstructed memory states using snapshots and the like, for example);
Tracking the stream of data over time (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; finding the point of attack using the above, for example);
Outputting information of a problem (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; point of attack, for example);
But does not explicitly disclose identifying a path taken by the data after infection has occurred to the data, based on the identified path, outputting a flow of a problem that has not yet fully followed the identified path, and that the method further comprises taking a security improvement action based on the output of the flow of the problem.
Lu, however, discloses that analyzing the PITs comprises (Exemplary Citations: for example, Abstract, Paragraphs 4, 18, 21, 33-35, 43-49, 54, 57-59, and associated figures):
Receiving a stream of data over time based on the replaying of the PITs (Exemplary Citations: for example, Abstract, Paragraphs 4, 18, 21, 33-35, 43-49, 54, 57-59, and associated figures; steam of data, such as logged/dumped data, in static and/or dynamic analysis, for example);
Tracking the stream of data over time (Exemplary Citations: for example, Abstract, Paragraphs 4, 18, 21, 33-35, 43-49, 54, 57-59, and associated figures; tracking to determine paths, for example);
Identifying a path taken by the data after infection has occurred to the data (Exemplary Citations: for example, Abstract, Paragraphs 4, 18, 21, 33-35, 43-49, 54, 57-59, and associated figures; path, for example); and
Based on the identified path, outputting a flow of a problem that has not yet fully followed the identified path (Exemplary Citations: for example, Abstract, Paragraphs 4, 18, 21, 33-35, 43-49, 54, 57-59, and associated figures; a path that has, at least in part, been taken, or may be taken, for example); and
Wherein the method further comprises taking a security improvement action based on the output of the flow of the problem (Exemplary Citations: for example, Abstract, Paragraphs 4, 18, 21, 33-35, 43-50, 54, 57-60, and associated figures; report, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the malware handling techniques of Lu into the forensics system of Halcrow in order to allow the system to trace malware/infections and repair all issues caused thereby, to allow for identification and repair of latent malware, and/or to increase security in the system.
Regarding Claim 11,
Claim 11 is a medium claim that corresponds to method claim 1 and is rejected for the same reasons.
Regarding Claim 2,
Halcrow discloses that one or more of the PITs comprises or points to data (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; any data, for example).
Regarding Claim 12,
Claim 12 is a medium claim that corresponds to method claim 2 and is rejected for the same reasons.
Regarding Claim 3,
Halcrow discloses that one or more of the PITs comprises or points to an application (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; programs, applications, etc., for example).
Regarding Claim 13,
Claim 13 is a medium claim that corresponds to method claim 3 and is rejected for the same reasons.
Regarding Claim 4,
Halcrow discloses that one or more of the PITs comprises or points to information about a state of a computing system (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; any information about system state, for example, such as snapshots, memory accesses, commands, etc., as examples).
Regarding Claim 14,
Claim 14 is a medium claim that corresponds to method claim 4 and is rejected for the same reasons.
Regarding Claim 5,
Halcrow discloses that the event comprises introduction and running of malware (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; malware, for example).
Regarding Claim 15,
Claim 15 is a medium claim that corresponds to method claim 5 and is rejected for the same reasons.
Regarding Claim 7,
Halcrow discloses that the analyzing identifies a computing system component adversely affected by an introduction of malware (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; any identification of VM, software, etc., such as in a notification indicating software resources and/or VMs associated with attack, for example).
Regarding Claim 17,
Claim 17 is a medium claim that corresponds to method claim 7 and is rejected for the same reasons.
Regarding Claim 8,
Halcrow discloses that the event comprises an infection of data, and the infected data is prevented from being restored (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; deleting, corrupting data, etc., for example).
Regarding Claim 18,
Claim 18 is a medium claim that corresponds to method claim 8 and is rejected for the same reasons.
Regarding Claim 9,
Halcrow discloses that the event comprises a data regarding an infection resulting from an introduction of malware, and the data spans multiple PITs (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; multiple of the above-described PITs, for example); and
Lu discloses that the event comprises a path taken by an infection resulting from an introduction of malware, and the path spans multiple PITs (Exemplary Citations: for example, Abstract, Paragraphs 4, 18, 21, 33-35, 43-49, 54, 57-59, and associated figures; identifying execution paths of infection, malware, etc., which span multiple single pieces of data, for example).
Regarding Claim 19,
Claim 19 is a medium claim that corresponds to method claim 9 and is rejected for the same reasons.
Regarding Claim 10,
Halcrow discloses that replaying the PITs comprising presenting the PITs, in order from oldest to newest, as a continuous stream of events (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 33-44, and associated figures; timeline or sequence, for example).
Regarding Claim 20,
Claim 20 is a medium claim that corresponds to method claim 10 and is rejected for the same reasons.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey D. Popham/Primary Examiner, Art Unit 2432