Remarks
Claims 1-20 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Interpretation
Various claims include subject matter that does not affect the scope of the claims. For example, multiple claims attempt to claim what the ransomware is (e.g., the candidate process comprise a file overwriting process in claims 6 and 16 and the ransomware process comprises a fileless ransomware process in claims 8 and 18), however, this is not actually part of Applicant’s method of protecting against ransomware. It is noted that claim 9 is fine since it defines what occurs in the protection method (snapshots being taken while the process is overwriting a file).
Response to Arguments
Applicant's arguments filed 8/7/2025 have been fully considered but they are not persuasive.
Applicant alleges “Claims 6, 16, 8, and 18 define what ransomware is snapshotted and analyzed, thereby limiting the scope of the claims.” To the contrary, the protection method is exactly the same whether the ransomware process is a file overwriting process, a fileless ransomware process, or any other ransomware process. If Applicant decides to argue this point again, Applicant will need to prove how the protection method is a different invention for different ransomware processes (e.g., by showing how the protection method changes in the specification for different ransomware processes in order to be different species). If the invention really is specific to a particular ransomware process and each is distinct, then a restriction will likely be required and more detail regarding the species that Applicant desires to have in the claims will be required to be amended into the claims. However, as of now, it is clear that the protection method does not change whatsoever whether the ransomware process is a file overwriting process, fileless ransomware process, or any other type of ransomware process.
With respect to Applicant’s medium based 101 allegations, the claim must be directed to a physical medium. Based on Applicant’s allegations (e.g., “because the virtual storage systems and data structures are generally implemented on a physical storage medium”), then a program would be patentable under 101, which is not the case. Indeed, Applicant does not even argue that the 101 rejection is incorrect in stating that the claim could be directed to virtual storage systems and data structures. Virtual storage systems and data structures are not patentable.
With respect to Applicant’s abstract idea based 101 allegations, as shown below, the amended aspects of claim 1 are still within the abstract ideas:
These steps can be performed by a human, for example, looking at an application, remembering what the application looks like and/or does at a couple locations, focusing more on it if it looks suspicious, deciding that something went wrong (e.g., watching a word processor that has completely viewable data at first later have complete gibberish since the data was overwritten with encrypted data), and closing the application. These steps may also be performed in a human determining that a ransom process is taking place, for example, by identifying a potential ransomer and/or ransomee, watching as the ransomee is taken by the ransomer, focusing more on this interaction if it looks suspicious, determining that a ransom process has taken place upon receiving instructions for ransom, and taking action to stop the ransom process from occurring. This can all be performed in the human mind just by noticing things that happen, remembering things, focusing on things, then comparing them later inside the mind, and stopping thinking about them. Such mental (or pen-and-paper) steps fall within the ‘mental processes’ grouping of abstract ideas set forth in the 2019 PEG. 2019 PEG Section I, 84 Fed. Reg. at 52. Thus, this limitation recites concepts that fall into the ‘mental process’ grouping of abstract ideas.
Thus, the claims are still directed to abstract ideas and a rejection is provided for the amended claims below.
Applicant appears to copy in more than half of the limitations of claim 1 and alleges that 5 references fail to teach or suggest these. Applicant then appears to copy in a portion of the office action and alleges “Patton fails to teach or suggest zoom-in snapshots. It is also noted that the zoom-in snapshots are taken ‘at a relatively high frequency within a defined timeframe’ (see ¶ [0011] of the specification). Thus, the zoom-in snapshots are different from snapshots.’ Thus, Patton fails to teach or suggest ‘ sampling the set of zoom-in snapshots at a frequency that is determined based on dissimilarity of the candidate process to known malware,’ as recited in independent claims 1 and 11.” First, the claims include “zoom-in snapshots”, as amended, and any definition provided in the specification of “zoomed in snapshots”, as in paragraph 11, does not appear binding thereon. Moreover, paragraph 11 does not state that zoomed in snapshots must be taken at a relatively high frequency within a defined timeframe. Rather, paragraph 11 states “the snapshots may be taken at a relatively high frequency within a defined timeframe”, which does not require such. Moreover, the specification uses zoomed in snapshots and snapshots interchangeably, meaning that zoomed in snapshots are not different from snapshots.
With respect to the claim language being argued here, Patton discloses sampling the set of zoom in snapshots at a frequency that is determined based on dissimilarity of the candidate process to known malware in Patton’s disclosure of file snapshots taken and associated with timestamps, for example; stopping monitoring if safe process, whitelisting after determining safe process, continuing monitoring if not safe process, etc., as examples, analyzing the zoom in snapshots obtained during the sampling to determine whether the candidate process comprises a ransomware process in Patton’s disclosure of determining ransomware based on the snapshots in some fashion, such as by detecting changes to files, a certain number of encrypted files within a time window, or many other methods, for example, and taking a remedial action to stop the ransomware process in a case where it is determined that the candidate process comprises the ransomware process in Patton’s disclosure of remediate, such as terminating, quarantining, removing from whitelist, etc., as examples.
With respect to Halcrow, Applicant states that “Halcrow is related to ‘capturing virtual machine resources for forensics’ (¶ [0003]) and discloses capturing snapshots ‘at a high frequency to ensure a small delta and the desirability to maintain performance by minimizing the number of snapshots captured and stored’ (¶ [0002]). Even though Halcrow discloses capturing snapshots at a high frequency, Halcrow nowhere disclose that the high frequency is determined ‘based on dissimilarity of the candidate process to known malware,’ as recited in independent claims 1 and 11.” To the contrary, Halcrow explicitly enters a state of heightened auditing, where every action is captured, when an attack is likely occurring (e.g., paragraph 37). Therefore, Halcrow certainly discloses the argued subject matter.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 11-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claimed medium need not be statutory. For example, paragraphs 74 and 75 of the instant application state the following:
[0074] As indicated above, embodiments within the scope of the present invention also include computer storage media, which are physical media for carrying or having computer- executable instructions or data structures stored thereon. Such computer storage media may be any available physical media that may be accessed by a general purpose or special purpose computer.
[0075] By way of example, and not limitation, such computer storage media may comprise hardware storage such as solid state disk/device (SSD), RAM, ROM, EEPROM, CD-ROM, flash memory, phase-change memory ("PCM"), or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other hardware storage devices which may be used to store program code in the form of computer-executable instructions or data structures, which may be accessed and executed by a general-purpose or special-purpose computer system to implement the disclosed functionality of the invention. Combinations of the above should also be included within the scope of computer storage media. Such media are also examples of non- transitory storage media, and non-transitory storage media also embraces cloud-based storage systems and structures, although the scope of the invention is not limited to these examples of non-transitory storage media.
Therefore, based on the definitions provided, non-transitory storage media “also embraces cloud-based storage systems and structures, although the scope of the invention is not limited to these examples of non-transitory storage media”. Cloud based storage systems and structures include virtual storage systems and data structures. Thus, the non-transitory storage medium of claim 11 is not statutory, since a statutory medium must be physical. None of claims 12-20 fix this issue and they are rejected for the same reasons.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Regarding claim 1, with respect to step 1, this part of the eligibility analysis evaluates whether the claim falls within any statutory category. MPEP 2106.03. The claim recites a method comprising: identifying a candidate process for monitoring; while the candidate process is running, taking a set of zoom-in snapshots of the candidate process, wherein each of the zoom-in snapshots corresponds to a respective time period during which the candidate process was running; sampling the set of zoom-in snapshots at a frequency that is determined based on dissimilarity of the candidate process to known malware; analyzing the zoom-in snapshots to determine whether the candidate process comprises a ransomware process; and taking a remedial action to stop the ransomware process in a case where it is determined that the candidate process comprises the ransomware process. Therefore, this claim appears to be a method, which is a statutory category of invention. Please see MPEP 2106.3.I:
A process defines "actions", i.e., an invention that is claimed as an act or step, or a series of acts or steps. As explained by the Supreme Court, a "process" is "a mode of treatment of certain materials to produce a given result. It is an act, or a series of acts, performed upon the subject-matter to be transformed and reduced to a different state or thing." Gottschalk v. Benson, 409 U.S. 63, 70, 175 USPQ 673, 676 (1972) (italics added) (quoting Cochrane v. Deener, 94 U.S. 780, 788, 24 L. Ed. 139, 141 (1876)). See also Nuijten, 500 F.3d at 1355, 84 USPQ2d at 1501 ("The Supreme Court and this court have consistently interpreted the statutory term ‘process’ to require action"); NTP, Inc. v. Research in Motion, Ltd., 418 F.3d 1282, 1316, 75 USPQ2d 1763, 1791 (Fed. Cir. 2005) ("[A] process is a series of acts.") (quoting Minton v. Natl. Ass’n. of Securities Dealers, 336 F.3d 1373, 1378, 67 USPQ2d 1614, 1681 (Fed. Cir. 2003)). As defined in 35 U.S.C. 100(b), the term "process" is synonymous with "method."
With respect to step 2A, prong one, this part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04(II) and the October 2019 Update, a claim ‘recites’ a judicial exception when the judicial exception is ‘set forth’ or ‘described’ in the claim. There are no nature-based product limitations in the claim, and thus the markedly different characteristics analysis is not performed. However, the claim still must be reviewed to determine if it recites any other type of judicial exception.
Claim 1 recites “comprising: identifying a candidate process for monitoring; while the candidate process is running, taking a set of zoom-in snapshots of the candidate process, wherein each of the zoom-in snapshots corresponds to a respective time period during which the candidate process was running; sampling the set of zoom-in snapshots at a frequency that is determined based on dissimilarity of the candidate process to known malware; analyzing the zoom-in snapshots to determine whether the candidate process comprises a ransomware process; and taking a remedial action to stop the ransomware process in a case where it is determined that the candidate process comprises the ransomware process.”.
These steps can be performed by a human, for example, looking at an application, remembering what the application looks like and/or does at a couple locations, focusing more on it if it looks suspicious, deciding that something went wrong (e.g., watching a word processor that has completely viewable data at first later have complete gibberish since the data was overwritten with encrypted data), and closing the application. These steps may also be performed in a human determining that a ransom process is taking place, for example, by identifying a potential ransomer and/or ransomee, watching as the ransomee is taken by the ransomer, focusing more on this interaction if it looks suspicious, determining that a ransom process has taken place upon receiving instructions for ransom, and taking action to stop the ransom process from occurring. This can all be performed in the human mind just by noticing things that happen, remembering things, focusing on things, then comparing them later inside the mind, and stopping thinking about them. Such mental (or pen-and-paper) steps fall within the ‘mental processes’ grouping of abstract ideas set forth in the 2019 PEG. 2019 PEG Section I, 84 Fed. Reg. at 52. Thus, this limitation recites concepts that fall into the ‘mental process’ grouping of abstract ideas.
As explained in the MPEP and the October 2019 Update, situations like this where a series of steps recite judicial exceptions, examiners should combine all recited judicial exceptions and treat the claim as containing a single abstract idea for purposes of further eligibility. See MPEP 2106.04 and 2106.05(ii). Thus, for purposes of further discussion, this rejection may consider all limitations as a single abstract idea.
With respect to step 2A, prong two, this part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by (a) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (b) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. 2019 PEG Section III(A)(2), 84 Fed. Reg. at 54-55. Besides the abstract idea, this claim recites a candidate process which may comprise a ransomware process.
However, this candidate process that may comprise a ransomware process is recited so generically (no details are provided other than that it is a candidate process that may comprise a ransomware process) that it represents no more than mere instructions to apply the judicial exception on a computer system in order to detect such process(es). This limitation can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. It should be noted that because the courts have made clear that mere physicality or tangibility of an additional element or elements is not a relevant consideration in the eligibility analysis, the nature of these components being physical or tangible does not affect this analysis. See MPEP 2106.05(I) for more information on this point, including explanations from judicial decisions including Alice Corp. Pty. Ltd. V. CLS Bank Int’l, 573 U.S. 208, 224-26 (2014).
An evaluation of whether any part of the claim is ‘insignificant extra-solution activity’ is then performed. Note that because the step 2A Prong Two analysis excludes consideration of whether a limitation is well-understood, routine, conventional activity (2019 PEG Section III(A)(2), 84 Fed. Reg. at 55), this evaluation does not take into account whether or not the limitation is well-known. See October 2019 Update at Section III.D. When so evaluated, the limitation represents at most mere data gathering that is necessary for use of the recited judicial exception. This limitation at most represents extra-solution activity because it is a mere nominal or tangential addition to the claim at most. See MPEP 2106.05(g), discussing limitations that the Federal Circuit has considered to be insignificant extra-solution activity, for instance the step of printing a menu that was generated through an abstract process in Apple, Inc. v. Ameranth, Inc., 842 F.3d 1229, 1241-42 (Fed. Cir. 2016) and the mere generic presentation of collected and analyzed data in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354 (Fed. Cir. 2016).
Even when viewed in combination, any additional elements in this claim do no more than automate the mental processes that the human can perform, using computer components as a tool. There is no change to any computers or other technology in the claim as automating the abstract ideas, and thus this claim cannot improve computer functionality or other technology. See, e.g., Trading Technologies Int’l v. IBG, Inc., 921 F.3d 1084, 1093 (Fed. Cir. 2019) (using a computer to provide a trader with more information to facilitate market trades improved the business process of market trading, but not the computer) and the cases discussed in MPEP 2106.05(a)(I), particularly FairWarning IP, LLC v. Iatric Sys., 839 F.3d 1089, 1095 (Fed. Cir. 2016) (accelerating a process of analyzing audit log data is not an improvement when the increased speed comes solely from the capabilities of a general-purpose computer) and Credit Acceptance Corp. v. Westlake Services, 859 F.3d 1044, 1055 (Fed. Cir. 2017)(using a generic computer to automate a process of applying to finance a purchase is not an improvement to the computer’s functionality). Accordingly, the claim as a whole does not integrate the recited judicial exception into a practical application and the claim is directed to the judicial exception.
With respect to step 2B, this part of the eligibility analysis evaluates whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. MPEP 2106.05. As explained with respect to Step 2A Prong Two, the candidate process that may comprise a ransomware process is at best the equivalent of merely adding the words “apply it” to the judicial exception. Mere instructions to apply an exception cannot provide an inventive concept. Any other additional elements identified above are extra-solution activity, which for purposes of Step 2A Prong Two was considered insignificant. Under the 2019 PEG, however, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. 2019 PEG Section III(B), 84 Fed. Reg. at 56. At Step 2B, the evaluation of the insignificant extra-solution activity consideration takes into account whether or not the extra-solution activity is well-known. See MPEP 2106.05(g). Here, any insignificant extra solution activity is within the examples provided in USPTO guidance, such as MPEP 2106.05(g), for example. Thus, any subject matter that may be considered extra-solution activity therefore remain insignificant extra-solution activity even upon reconsideration, and do not amount to significantly more. Even when considered in combination, these additional elements represent mere instructions to apply an exception and insignificant extra-solution activity, which cannot provide an inventive concept.
Regarding claim 2, with respect to step 1, this part of the eligibility analysis evaluates whether the claim falls within any statutory category. MPEP 2106.03. The claim recites when it is determined that the candidate process does not comprise a ransomware process, the candidate process is added to a whitelist in addition to claim 1’s method comprising: identifying a candidate process for monitoring; while the candidate process is running, taking a set of snapshots of the candidate process, wherein each of the snapshots corresponds to a respective time period during which the candidate process was running; and analyzing the snapshots to determine whether the candidate process comprises a ransomware process. Therefore, this claim appears to be a method, which is a statutory category of invention. Please see MPEP 2106.3.I:
A process defines "actions", i.e., an invention that is claimed as an act or step, or a series of acts or steps. As explained by the Supreme Court, a "process" is "a mode of treatment of certain materials to produce a given result. It is an act, or a series of acts, performed upon the subject-matter to be transformed and reduced to a different state or thing." Gottschalk v. Benson, 409 U.S. 63, 70, 175 USPQ 673, 676 (1972) (italics added) (quoting Cochrane v. Deener, 94 U.S. 780, 788, 24 L. Ed. 139, 141 (1876)). See also Nuijten, 500 F.3d at 1355, 84 USPQ2d at 1501 ("The Supreme Court and this court have consistently interpreted the statutory term ‘process’ to require action"); NTP, Inc. v. Research in Motion, Ltd., 418 F.3d 1282, 1316, 75 USPQ2d 1763, 1791 (Fed. Cir. 2005) ("[A] process is a series of acts.") (quoting Minton v. Natl. Ass’n. of Securities Dealers, 336 F.3d 1373, 1378, 67 USPQ2d 1614, 1681 (Fed. Cir. 2003)). As defined in 35 U.S.C. 100(b), the term "process" is synonymous with "method."
With respect to step 2A, prong one, this part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04(II) and the October 2019 Update, a claim ‘recites’ a judicial exception when the judicial exception is ‘set forth’ or ‘described’ in the claim. There are no nature-based product limitations in the claim, and thus the markedly different characteristics analysis is not performed. However, the claim still must be reviewed to determine if it recites any other type of judicial exception.
Claim 2 recites “when it is determined that the candidate process does not comprise a ransomware process, the candidate process is added to a whitelist.”. This step can be performed by a human, for example, making a mental note that the application is safe, or writing down a list of non-ransomware applications on a piece of paper using a pencil. Such mental (or pen-and-paper) step falls within the ‘mental processes’ grouping of abstract ideas set forth in the 2019 PEG. 2019 PEG Section I, 84 Fed. Reg. at 52. Thus, this limitation recites concepts that fall into the ‘mental process’ grouping of abstract ideas.
As explained in the MPEP and the October 2019 Update, situations like this where a series of steps recite judicial exceptions, examiners should combine all recited judicial exceptions and treat the claim as containing a single abstract idea for purposes of further eligibility. See MPEP 2106.04 and 2106.05(ii). Thus, for purposes of further discussion, this rejection may consider all limitations as a single abstract idea.
With respect to step 2A, prong two, this part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by (a) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (b) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. 2019 PEG Section III(A)(2), 84 Fed. Reg. at 54-55. Besides the abstract idea, this claim recites a candidate process that does not comprise a ransomware process.
However, this candidate process that does not comprise a ransomware process is recited so generically (no details are provided other than that it is a candidate process that does not comprise a ransomware process) that it represents no more than mere instructions to apply the judicial exception on a computer system in order to detect such process(es). This limitation can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. It should be noted that because the courts have made clear that mere physicality or tangibility of an additional element or elements is not a relevant consideration in the eligibility analysis, the nature of these components being physical or tangible does not affect this analysis. See MPEP 2106.05(I) for more information on this point, including explanations from judicial decisions including Alice Corp. Pty. Ltd. V. CLS Bank Int’l, 573 U.S. 208, 224-26 (2014).
An evaluation of whether any part of the claim is ‘insignificant extra-solution activity’ is then performed. Note that because the step 2A Prong Two analysis excludes consideration of whether a limitation is well-understood, routine, conventional activity (2019 PEG Section III(A)(2), 84 Fed. Reg. at 55), this evaluation does not take into account whether or not the limitation is well-known. See October 2019 Update at Section III.D. When so evaluated, the limitation represents at most insignificant application that is necessary for use of the recited judicial exception. This limitation at most represents extra-solution activity because it is a mere nominal or tangential addition to the claim at most. See MPEP 2106.05(g), discussing limitations that the Federal Circuit has considered to be insignificant extra-solution activity, for instance the step of printing a menu that was generated through an abstract process in Apple, Inc. v. Ameranth, Inc., 842 F.3d 1229, 1241-42 (Fed. Cir. 2016) and the mere generic presentation of collected and analyzed data in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354 (Fed. Cir. 2016).
Even when viewed in combination, any additional elements in this claim do no more than automate the mental processes that the human can perform, using computer components as a tool. There is no change to any computers or other technology in the claim as automating the abstract ideas, and thus this claim cannot improve computer functionality or other technology. See, e.g., Trading Technologies Int’l v. IBG, Inc., 921 F.3d 1084, 1093 (Fed. Cir. 2019) (using a computer to provide a trader with more information to facilitate market trades improved the business process of market trading, but not the computer) and the cases discussed in MPEP 2106.05(a)(I), particularly FairWarning IP, LLC v. Iatric Sys., 839 F.3d 1089, 1095 (Fed. Cir. 2016) (accelerating a process of analyzing audit log data is not an improvement when the increased speed comes solely from the capabilities of a general-purpose computer) and Credit Acceptance Corp. v. Westlake Services, 859 F.3d 1044, 1055 (Fed. Cir. 2017)(using a generic computer to automate a process of applying to finance a purchase is not an improvement to the computer’s functionality). Accordingly, the claim as a whole does not integrate the recited judicial exception into a practical application and the claim is directed to the judicial exception.
With respect to step 2B, this part of the eligibility analysis evaluates whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. MPEP 2106.05. As explained with respect to Step 2A Prong Two, the candidate process that does not comprise a ransomware process is at best the equivalent of merely adding the words “apply it” to the judicial exception. Mere instructions to apply an exception cannot provide an inventive concept. Any other additional elements identified above are extra-solution activity, which for purposes of Step 2A Prong Two was considered insignificant. Under the 2019 PEG, however, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. 2019 PEG Section III(B), 84 Fed. Reg. at 56. At Step 2B, the evaluation of the insignificant extra-solution activity consideration takes into account whether or not the extra-solution activity is well-known. See MPEP 2106.05(g). Here, any insignificant extra solution activity is within the examples provided in USPTO guidance, such as MPEP 2106.05(g), for example. Thus, any subject matter that may be considered extra-solution activity therefore remain insignificant extra-solution activity even upon reconsideration, and do not amount to significantly more. Even when considered in combination, these additional elements represent mere instructions to apply an exception and insignificant extra-solution activity, which cannot provide an inventive concept.
Regarding claim 3, with respect to step 1, this part of the eligibility analysis evaluates whether the claim falls within any statutory category. MPEP 2106.03. The claim recites when a counter indicates that the candidate process comprises a number of write operations that exceeds a threshold, the candidate process is identified as a ransomware process in addition to claim 1’s method comprising: identifying a candidate process for monitoring; while the candidate process is running, taking a set of snapshots of the candidate process, wherein each of the snapshots corresponds to a respective time period during which the candidate process was running; and analyzing the snapshots to determine whether the candidate process comprises a ransomware process. Therefore, this claim appears to be a method, which is a statutory category of invention. Please see MPEP 2106.3.I:
A process defines "actions", i.e., an invention that is claimed as an act or step, or a series of acts or steps. As explained by the Supreme Court, a "process" is "a mode of treatment of certain materials to produce a given result. It is an act, or a series of acts, performed upon the subject-matter to be transformed and reduced to a different state or thing." Gottschalk v. Benson, 409 U.S. 63, 70, 175 USPQ 673, 676 (1972) (italics added) (quoting Cochrane v. Deener, 94 U.S. 780, 788, 24 L. Ed. 139, 141 (1876)). See also Nuijten, 500 F.3d at 1355, 84 USPQ2d at 1501 ("The Supreme Court and this court have consistently interpreted the statutory term ‘process’ to require action"); NTP, Inc. v. Research in Motion, Ltd., 418 F.3d 1282, 1316, 75 USPQ2d 1763, 1791 (Fed. Cir. 2005) ("[A] process is a series of acts.") (quoting Minton v. Natl. Ass’n. of Securities Dealers, 336 F.3d 1373, 1378, 67 USPQ2d 1614, 1681 (Fed. Cir. 2003)). As defined in 35 U.S.C. 100(b), the term "process" is synonymous with "method."
With respect to step 2A, prong one, this part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04(II) and the October 2019 Update, a claim ‘recites’ a judicial exception when the judicial exception is ‘set forth’ or ‘described’ in the claim. There are no nature-based product limitations in the claim, and thus the markedly different characteristics analysis is not performed. However, the claim still must be reviewed to determine if it recites any other type of judicial exception.
Claim 3 recites “when a counter indicates that the candidate process comprises a number of write operations that exceeds a threshold, the candidate process is identified as a ransomware process.”. This step can be performed by a human, for example, counting a number of writes (e.g., each time the application saves a file, or each file loaded and modified, each time a ransom letter is written and received), comparing to a threshold in the mind, and identifying that a ransom process is occurring. Such mental (or pen-and-paper) step falls within the ‘mental processes’ grouping of abstract ideas set forth in the 2019 PEG. 2019 PEG Section I, 84 Fed. Reg. at 52. Thus, this limitation recites concepts that fall into the ‘mental process’ grouping of abstract ideas.
As explained in the MPEP and the October 2019 Update, situations like this where a series of steps recite judicial exceptions, examiners should combine all recited judicial exceptions and treat the claim as containing a single abstract idea for purposes of further eligibility. See MPEP 2106.04 and 2106.05(ii). Thus, for purposes of further discussion, this rejection may consider all limitations as a single abstract idea.
With respect to step 2A, prong two, this part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by (a) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (b) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. 2019 PEG Section III(A)(2), 84 Fed. Reg. at 54-55. Besides the abstract idea, this claim recites a candidate process that comprises a ransomware process.
However, this candidate process that comprises a ransomware process is recited so generically (no details are provided other than that it is a candidate process that comprises a ransomware process) that it represents no more than mere instructions to apply the judicial exception on a computer system in order to detect such process(es). This limitation can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. It should be noted that because the courts have made clear that mere physicality or tangibility of an additional element or elements is not a relevant consideration in the eligibility analysis, the nature of these components being physical or tangible does not affect this analysis. See MPEP 2106.05(I) for more information on this point, including explanations from judicial decisions including Alice Corp. Pty. Ltd. V. CLS Bank Int’l, 573 U.S. 208, 224-26 (2014).
An evaluation of whether any part of the claim is ‘insignificant extra-solution activity’ is then performed. Note that because the step 2A Prong Two analysis excludes consideration of whether a limitation is well-understood, routine, conventional activity (2019 PEG Section III(A)(2), 84 Fed. Reg. at 55), this evaluation does not take into account whether or not the limitation is well-known. See October 2019 Update at Section III.D. When so evaluated, the limitation represents at most insignificant application that is necessary for use of the recited judicial exception. This limitation at most represents extra-solution activity because it is a mere nominal or tangential addition to the claim at most. See MPEP 2106.05(g), discussing limitations that the Federal Circuit has considered to be insignificant extra-solution activity, for instance the step of printing a menu that was generated through an abstract process in Apple, Inc. v. Ameranth, Inc., 842 F.3d 1229, 1241-42 (Fed. Cir. 2016) and the mere generic presentation of collected and analyzed data in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354 (Fed. Cir. 2016).
Even when viewed in combination, any additional elements in this claim do no more than automate the mental processes that the human can perform, using computer components as a tool. There is no change to any computers or other technology in the claim as automating the abstract ideas, and thus this claim cannot improve computer functionality or other technology. See, e.g., Trading Technologies Int’l v. IBG, Inc., 921 F.3d 1084, 1093 (Fed. Cir. 2019) (using a computer to provide a trader with more information to facilitate market trades improved the business process of market trading, but not the computer) and the cases discussed in MPEP 2106.05(a)(I), particularly FairWarning IP, LLC v. Iatric Sys., 839 F.3d 1089, 1095 (Fed. Cir. 2016) (accelerating a process of analyzing audit log data is not an improvement when the increased speed comes solely from the capabilities of a general-purpose computer) and Credit Acceptance Corp. v. Westlake Services, 859 F.3d 1044, 1055 (Fed. Cir. 2017)(using a generic computer to automate a process of applying to finance a purchase is not an improvement to the computer’s functionality). Accordingly, the claim as a whole does not integrate the recited judicial exception into a practical application and the claim is directed to the judicial exception.
With respect to step 2B, this part of the eligibility analysis evaluates whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. MPEP 2106.05. As explained with respect to Step 2A Prong Two, the candidate process that comprises a ransomware process is at best the equivalent of merely adding the words “apply it” to the judicial exception. Mere instructions to apply an exception cannot provide an inventive concept. Any other additional elements identified above are extra-solution activity, which for purposes of Step 2A Prong Two was considered insignificant. Under the 2019 PEG, however, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. 2019 PEG Section III(B), 84 Fed. Reg. at 56. At Step 2B, the evaluation of the insignificant extra-solution activity consideration takes into account whether or not the extra-solution activity is well-known. See MPEP 2106.05(g). Here, any insignificant extra solution activity is within the examples provided in USPTO guidance, such as MPEP 2106.05(g), for example. Thus, any subject matter that may be considered extra-solution activity therefore remain insignificant extra-solution activity even upon reconsideration, and do not amount to significantly more. Even when considered in combination, these additional elements represent mere instructions to apply an exception and insignificant extra-solution activity, which cannot provide an inventive concept.
Regarding claim 4, with respect to step 1, this part of the eligibility analysis evaluates whether the claim falls within any statutory category. MPEP 2106.03. The claim recites the snapshots are analyzed in a vault that is isolated by an air gap from a production site where the process runs in addition to claim 1’s method comprising: identifying a candidate process for monitoring; while the candidate process is running, taking a set of snapshots of the candidate process, wherein each of the snapshots corresponds to a respective time period during which the candidate process was running; and analyzing the snapshots to determine whether the candidate process comprises a ransomware process. Therefore, this claim appears to be a method, which is a statutory category of invention. Please see MPEP 2106.3.I:
A process defines "actions", i.e., an invention that is claimed as an act or step, or a series of acts or steps. As explained by the Supreme Court, a "process" is "a mode of treatment of certain materials to produce a given result. It is an act, or a series of acts, performed upon the subject-matter to be transformed and reduced to a different state or thing." Gottschalk v. Benson, 409 U.S. 63, 70, 175 USPQ 673, 676 (1972) (italics added) (quoting Cochrane v. Deener, 94 U.S. 780, 788, 24 L. Ed. 139, 141 (1876)). See also Nuijten, 500 F.3d at 1355, 84 USPQ2d at 1501 ("The Supreme Court and this court have consistently interpreted the statutory term ‘process’ to require action"); NTP, Inc. v. Research in Motion, Ltd., 418 F.3d 1282, 1316, 75 USPQ2d 1763, 1791 (Fed. Cir. 2005) ("[A] process is a series of acts.") (quoting Minton v. Natl. Ass’n. of Securities Dealers, 336 F.3d 1373, 1378, 67 USPQ2d 1614, 1681 (Fed. Cir. 2003)). As defined in 35 U.S.C. 100(b), the term "process" is synonymous with "method."
With respect to step 2A, prong one, this part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04(II) and the October 2019 Update, a claim ‘recites’ a judicial exception when the judicial exception is ‘set forth’ or ‘described’ in the claim. There are no nature-based product limitations in the claim, and thus the markedly different characteristics analysis is not performed. However, the claim still must be reviewed to determine if it recites any other type of judicial exception.
Claim 4 recites “the snapshots are analyzed in a vault that is isolated by an air gap from a production site where the process runs.”. This step can be performed by a human, for example, detecting ransom and/or ransomware in a room separate from ransomers, ransomees, computers, etc. Such mental (or pen-and-paper) step falls within the ‘mental processes’ grouping of abstract ideas set forth in the 2019 PEG. 2019 PEG Section I, 84 Fed. Reg. at 52. Thus, this limitation recites concepts that fall into the ‘mental process’ grouping of abstract ideas.
As explained in the MPEP and the October 2019 Update, situations like this where a series of steps recite judicial exceptions, examiners should combine all recited judicial exceptions and treat the claim as containing a single abstract idea for purposes of further eligibility. See MPEP 2106.04 and 2106.05(ii). Thus, for purposes of further discussion, this rejection may consider all limitations as a single abstract idea.
With respect to step 2A, prong two, this part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by (a) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (b) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. 2019 PEG Section III(A)(2), 84 Fed. Reg. at 54-55. Besides the abstract idea, this claim recites a vault isolated by an air gap from a production site.
However, this vault isolated by an air gap from a production site is recited so generically (no details are provided other than that it is a candidate process that comprises a ransomware process) that it represents no more than mere instructions to apply the judicial exception on a computer system in order to detect such process(es). This limitation can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. It should be noted that because the courts have made clear that mere physicality or tangibility of an additional element or elements is not a relevant consideration in the eligibility analysis, the nature of these components being physical or tangible does not affect this analysis. See MPEP 2106.05(I) for more information on this point, including explanations from judicial decisions including Alice Corp. Pty. Ltd. V. CLS Bank Int’l, 573 U.S. 208, 224-26 (2014).
An evaluation of whether any part of the claim is ‘insignificant extra-solution activity’ is then performed. Note that because the step 2A Prong Two analysis excludes consideration of whether a limitation is well-understood, routine, conventional activity (2019 PEG Section III(A)(2), 84 Fed. Reg. at 55), this evaluation does not take into account whether or not the limitation is well-known. See October 2019 Update at Section III.D. When so evaluated, the limitation represents at most insignificant application that is necessary for use of the recited judicial exception. This limitation at most represents extra-solution activity because it is a mere nominal or tangential addition to the claim at most. See MPEP 2106.05(g), discussing limitations that the Federal Circuit has considered to be insignificant extra-solution activity, for instance the step of printing a menu that was generated through an abstract process in Apple, Inc. v. Ameranth, Inc., 842 F.3d 1229, 1241-42 (Fed. Cir. 2016) and the mere generic presentation of collected and analyzed data in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354 (Fed. Cir. 2016).
Even when viewed in combination, any additional elements in this claim do no more than automate the mental processes that the human can perform, using computer components as a tool. There is no change to any computers or other technology in the claim as automating the abstract ideas, and thus this claim cannot improve computer functionality or other technology. See, e.g., Trading Technologies Int’l v. IBG, Inc., 921 F.3d 1084, 1093 (Fed. Cir. 2019) (using a computer to provide a trader with more information to facilitate market trades improved the business process of market trading, but not the computer) and the cases discussed in MPEP 2106.05(a)(I), particularly FairWarning IP, LLC v. Iatric Sys., 839 F.3d 1089, 1095 (Fed. Cir. 2016) (accelerating a process of analyzing audit log data is not an improvement when the increased speed comes solely from the capabilities of a general-purpose computer) and Credit Acceptance Corp. v. Westlake Services, 859 F.3d 1044, 1055 (Fed. Cir. 2017)(using a generic computer to automate a process of applying to finance a purchase is not an improvement to the computer’s functionality). Accordingly, the claim as a whole does not integrate the recited judicial exception into a practical application and the claim is directed to the judicial exception.
With respect to step 2B, this part of the eligibility analysis evaluates whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. MPEP 2106.05. As explained with respect to Step 2A Prong Two, a vault isolated by an air gap from a production site is at best the equivalent of merely adding the words “apply it” to the judicial exception. Mere instructions to apply an exception cannot provide an inventive concept. Any other additional elements identified above are extra-solution activity, which for purposes of Step 2A Prong Two was considered insignificant. Under the 2019 PEG, however, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. 2019 PEG Section III(B), 84 Fed. Reg. at 56. At Step 2B, the evaluation of the insignificant extra-solution activity consideration takes into account whether or not the extra-solution activity is well-known. See MPEP 2106.05(g). Here, any insignificant extra solution activity is within the examples provided in USPTO guidance, such as MPEP 2106.05(g), for example. Thus, any subject matter that may be considered extra-solution activity therefore remain insignificant extra-solution activity even upon reconsideration, and do not amount to significantly more. Even when considered in combination, these additional elements represent mere instructions to apply an exception and insignificant extra-solution activity, which cannot provide an inventive concept.
Regarding claim 5, with respect to step 1, this part of the eligibility analysis evaluates whether the claim falls within any statutory category. MPEP 2106.03. The claim recites the snapshots are analyzed in real time as they are taken in addition to claim 1’s method comprising: identifying a candidate process for monitoring; while the candidate process is running, taking a set of snapshots of the candidate process, wherein each of the snapshots corresponds to a respective time period during which the candidate process was running; and analyzing the snapshots to determine whether the candidate process comprises a ransomware process. Therefore, this claim appears to be a method, which is a statutory category of invention. Please see MPEP 2106.3.I:
A process defines "actions", i.e., an invention that is claimed as an act or step, or a series of acts or steps. As explained by the Supreme Court, a "process" is "a mode of treatment of certain materials to produce a given result. It is an act, or a series of acts, performed upon the subject-matter to be transformed and reduced to a different state or thing." Gottschalk v. Benson, 409 U.S. 63, 70, 175 USPQ 673, 676 (1972) (italics added) (quoting Cochrane v. Deener, 94 U.S. 780, 788, 24 L. Ed. 139, 141 (1876)). See also Nuijten, 500 F.3d at 1355, 84 USPQ2d at 1501 ("The Supreme Court and this court have consistently interpreted the statutory term ‘process’ to require action"); NTP, Inc. v. Research in Motion, Ltd., 418 F.3d 1282, 1316, 75 USPQ2d 1763, 1791 (Fed. Cir. 2005) ("[A] process is a series of acts.") (quoting Minton v. Natl. Ass’n. of Securities Dealers, 336 F.3d 1373, 1378, 67 USPQ2d 1614, 1681 (Fed. Cir. 2003)). As defined in 35 U.S.C. 100(b), the term "process" is synonymous with "method."
With respect to step 2A, prong one, this part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04(II) and the October 2019 Update, a claim ‘recites’ a judicial exception when the judicial exception is ‘set forth’ or ‘described’ in the claim. There are no nature-based product limitations in the claim, and thus the markedly different characteristics analysis is not performed. However, the claim still must be reviewed to determine if it recites any other type of judicial exception.
Claim 5 recites “the snapshots are analyzed in real time as they are taken.”. This step can be performed by a human, for example, doing the above in real time. Such mental (or pen-and-paper) step falls within the ‘mental processes’ grouping of abstract ideas set forth in the 2019 PEG. 2019 PEG Section I, 84 Fed. Reg. at 52. Thus, this limitation recites concepts that fall into the ‘mental process’ grouping of abstract ideas.
As explained in the MPEP and the October 2019 Update, situations like this where a series of steps recite judicial exceptions, examiners should combine all recited judicial exceptions and treat the claim as containing a single abstract idea for purposes of further eligibility. See MPEP 2106.04 and 2106.05(ii). Thus, for purposes of further discussion, this rejection may consider all limitations as a single abstract idea.
With respect to step 2A, prong two, this part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by (a) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (b) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. 2019 PEG Section III(A)(2), 84 Fed. Reg. at 54-55. Besides the abstract idea, this claim does not appear to recite any additional elements. Thus, the claim will be analyzed with respect to claim 1.
However, this candidate process that may comprise a ransomware process is recited so generically (no details are provided other than that it is a candidate process that may comprise a ransomware process) that it represents no more than mere instructions to apply the judicial exception on a computer system in order to detect such process(es). This limitation can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. It should be noted that because the courts have made clear that mere physicality or tangibility of an additional element or elements is not a relevant consideration in the eligibility analysis, the nature of these components being physical or tangible does not affect this analysis. See MPEP 2106.05(I) for more information on this point, including explanations from judicial decisions including Alice Corp. Pty. Ltd. V. CLS Bank Int’l, 573 U.S. 208, 224-26 (2014).
An evaluation of whether any part of the claim is ‘insignificant extra-solution activity’ is then performed. Note that because the step 2A Prong Two analysis excludes consideration of whether a limitation is well-understood, routine, conventional activity (2019 PEG Section III(A)(2), 84 Fed. Reg. at 55), this evaluation does not take into account whether or not the limitation is well-known. See October 2019 Update at Section III.D. When so evaluated, the limitation represents at most mere data gathering that is necessary for use of the recited judicial exception. This limitation at most represents extra-solution activity because it is a mere nominal or tangential addition to the claim at most. See MPEP 2106.05(g), discussing limitations that the Federal Circuit has considered to be insignificant extra-solution activity, for instance the step of printing a menu that was generated through an abstract process in Apple, Inc. v. Ameranth, Inc., 842 F.3d 1229, 1241-42 (Fed. Cir. 2016) and the mere generic presentation of collected and analyzed data in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354 (Fed. Cir. 2016).
Even when viewed in combination, any additional elements in this claim do no more than automate the mental processes that the human can perform, using computer components as a tool. There is no change to any computers or other technology in the claim as automating the abstract ideas, and thus this claim cannot improve computer functionality or other technology. See, e.g., Trading Technologies Int’l v. IBG, Inc., 921 F.3d 1084, 1093 (Fed. Cir. 2019) (using a computer to provide a trader with more information to facilitate market trades improved the business process of market trading, but not the computer) and the cases discussed in MPEP 2106.05(a)(I), particularly FairWarning IP, LLC v. Iatric Sys., 839 F.3d 1089, 1095 (Fed. Cir. 2016) (accelerating a process of analyzing audit log data is not an improvement when the increased speed comes solely from the capabilities of a general-purpose computer) and Credit Acceptance Corp. v. Westlake Services, 859 F.3d 1044, 1055 (Fed. Cir. 2017)(using a generic computer to automate a process of applying to finance a purchase is not an improvement to the computer’s functionality). Accordingly, the claim as a whole does not integrate the recited judicial exception into a practical application and the claim is directed to the judicial exception.
With respect to step 2B, this part of the eligibility analysis evaluates whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. MPEP 2106.05. As explained with respect to Step 2A Prong Two, the candidate process that may comprise a ransomware process is at best the equivalent of merely adding the words “apply it” to the judicial exception. Mere instructions to apply an exception cannot provide an inventive concept. Any other additional elements identified above are extra-solution activity, which for purposes of Step 2A Prong Two was considered insignificant. Under the 2019 PEG, however, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. 2019 PEG Section III(B), 84 Fed. Reg. at 56. At Step 2B, the evaluation of the insignificant extra-solution activity consideration takes into account whether or not the extra-solution activity is well-known. See MPEP 2106.05(g). Here, any insignificant extra solution activity is within the examples provided in USPTO guidance, such as MPEP 2106.05(g), for example. Thus, any subject matter that may be considered extra-solution activity therefore remain insignificant extra-solution activity even upon reconsideration, and do not amount to significantly more. Even when considered in combination, these additional elements represent mere instructions to apply an exception and insignificant extra-solution activity, which cannot provide an inventive concept.
Regarding claim 6, with respect to step 1, this part of the eligibility analysis evaluates whether the claim falls within any statutory category. MPEP 2106.03. The claim recites the candidate process comprises a file overwriting process in addition to claim 1’s method comprising: identifying a candidate process for monitoring; while the candidate process is running, taking a set of snapshots of the candidate process, wherein each of the snapshots corresponds to a respective time period during which the candidate process was running; and analyzing the snapshots to determine whether the candidate process comprises a ransomware process. Therefore, this claim appears to be a method, which is a statutory category of invention. Please see MPEP 2106.3.I:
A process defines "actions", i.e., an invention that is claimed as an act or step, or a series of acts or steps. As explained by the Supreme Court, a "process" is "a mode of treatment of certain materials to produce a given result. It is an act, or a series of acts, performed upon the subject-matter to be transformed and reduced to a different state or thing." Gottschalk v. Benson, 409 U.S. 63, 70, 175 USPQ 673, 676 (1972) (italics added) (quoting Cochrane v. Deener, 94 U.S. 780, 788, 24 L. Ed. 139, 141 (1876)). See also Nuijten, 500 F.3d at 1355, 84 USPQ2d at 1501 ("The Supreme Court and this court have consistently interpreted the statutory term ‘process’ to require action"); NTP, Inc. v. Research in Motion, Ltd., 418 F.3d 1282, 1316, 75 USPQ2d 1763, 1791 (Fed. Cir. 2005) ("[A] process is a series of acts.") (quoting Minton v. Natl. Ass’n. of Securities Dealers, 336 F.3d 1373, 1378, 67 USPQ2d 1614, 1681 (Fed. Cir. 2003)). As defined in 35 U.S.C. 100(b), the term "process" is synonymous with "method."
With respect to step 2A, prong one, this part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04(II) and the October 2019 Update, a claim ‘recites’ a judicial exception when the judicial exception is ‘set forth’ or ‘described’ in the claim. There are no nature-based product limitations in the claim, and thus the markedly different characteristics analysis is not performed. However, the claim still must be reviewed to determine if it recites any other type of judicial exception.
Claim 6 recites “the candidate process comprises a file overwriting process.”. This is not part of the method. Even if it were, this could be met by a human remembering something over another memory, writing something over something else on a piece of paper using a pencil, or the like. Such mental (or pen-and-paper) step falls within the ‘mental processes’ grouping of abstract ideas set forth in the 2019 PEG. 2019 PEG Section I, 84 Fed. Reg. at 52. Thus, this limitation recites concepts that fall into the ‘mental process’ grouping of abstract ideas.
As explained in the MPEP and the October 2019 Update, situations like this where a series of steps recite judicial exceptions, examiners should combine all recited judicial exceptions and treat the claim as containing a single abstract idea for purposes of further eligibility. See MPEP 2106.04 and 2106.05(ii). Thus, for purposes of further discussion, this rejection may consider all limitations as a single abstract idea.
With respect to step 2A, prong two, this part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by (a) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (b) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. 2019 PEG Section III(A)(2), 84 Fed. Reg. at 54-55. Besides the abstract idea, this claim recites a file overwriting process, which is not part of the method.
However, this file overwriting process, which is not part of the method is recited so generically (no details are provided other than that it is a file overwriting process, which is not part of the method) that it represents no more than mere instructions to apply the judicial exception on a computer system in order to detect such process(es). This limitation can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. It should be noted that because the courts have made clear that mere physicality or tangibility of an additional element or elements is not a relevant consideration in the eligibility analysis, the nature of these components being physical or tangible does not affect this analysis. See MPEP 2106.05(I) for more information on this point, including explanations from judicial decisions including Alice Corp. Pty. Ltd. V. CLS Bank Int’l, 573 U.S. 208, 224-26 (2014).
An evaluation of whether any part of the claim is ‘insignificant extra-solution activity’ is then performed. Note that because the step 2A Prong Two analysis excludes consideration of whether a limitation is well-understood, routine, conventional activity (2019 PEG Section III(A)(2), 84 Fed. Reg. at 55), this evaluation does not take into account whether or not the limitation is well-known. See October 2019 Update at Section III.D. When so evaluated, the limitation represents at most mere data gathering that is necessary for use of the recited judicial exception. This limitation at most represents extra-solution activity because it is a mere nominal or tangential addition to the claim at most. See MPEP 2106.05(g), discussing limitations that the Federal Circuit has considered to be insignificant extra-solution activity, for instance the step of printing a menu that was generated through an abstract process in Apple, Inc. v. Ameranth, Inc., 842 F.3d 1229, 1241-42 (Fed. Cir. 2016) and the mere generic presentation of collected and analyzed data in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354 (Fed. Cir. 2016).
Even when viewed in combination, any additional elements in this claim do no more than automate the mental processes that the human can perform, using computer components as a tool. There is no change to any computers or other technology in the claim as automating the abstract ideas, and thus this claim cannot improve computer functionality or other technology. See, e.g., Trading Technologies Int’l v. IBG, Inc., 921 F.3d 1084, 1093 (Fed. Cir. 2019) (using a computer to provide a trader with more information to facilitate market trades improved the business process of market trading, but not the computer) and the cases discussed in MPEP 2106.05(a)(I), particularly FairWarning IP, LLC v. Iatric Sys., 839 F.3d 1089, 1095 (Fed. Cir. 2016) (accelerating a process of analyzing audit log data is not an improvement when the increased speed comes solely from the capabilities of a general-purpose computer) and Credit Acceptance Corp. v. Westlake Services, 859 F.3d 1044, 1055 (Fed. Cir. 2017)(using a generic computer to automate a process of applying to finance a purchase is not an improvement to the computer’s functionality). Accordingly, the claim as a whole does not integrate the recited judicial exception into a practical application and the claim is directed to the judicial exception.
With respect to step 2B, this part of the eligibility analysis evaluates whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. MPEP 2106.05. As explained with respect to Step 2A Prong Two, file overwriting process, which is not part of the method is at best the equivalent of merely adding the words “apply it” to the judicial exception. Mere instructions to apply an exception cannot provide an inventive concept. Any other additional elements identified above are extra-solution activity, which for purposes of Step 2A Prong Two was considered insignificant. Under the 2019 PEG, however, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. 2019 PEG Section III(B), 84 Fed. Reg. at 56. At Step 2B, the evaluation of the insignificant extra-solution activity consideration takes into account whether or not the extra-solution activity is well-known. See MPEP 2106.05(g). Here, any insignificant extra solution activity is within the examples provided in USPTO guidance, such as MPEP 2106.05(g), for example. Thus, any subject matter that may be considered extra-solution activity therefore remain insignificant extra-solution activity even upon reconsideration, and do not amount to significantly more. Even when considered in combination, these additional elements represent mere instructions to apply an exception and insignificant extra-solution activity, which cannot provide an inventive concept.
Regarding claim 7, with respect to step 1, this part of the eligibility analysis evaluates whether the claim falls within any statutory category. MPEP 2106.03. The claim recites analysis of the snapshots reveals the candidate process to comprise a ransomware process in addition to claim 1’s method comprising: identifying a candidate process for monitoring; while the candidate process is running, taking a set of snapshots of the candidate process, wherein each of the snapshots corresponds to a respective time period during which the candidate process was running; and analyzing the snapshots to determine whether the candidate process comprises a ransomware process. Therefore, this claim appears to be a method, which is a statutory category of invention. Please see MPEP 2106.3.I:
A process defines "actions", i.e., an invention that is claimed as an act or step, or a series of acts or steps. As explained by the Supreme Court, a "process" is "a mode of treatment of certain materials to produce a given result. It is an act, or a series of acts, performed upon the subject-matter to be transformed and reduced to a different state or thing." Gottschalk v. Benson, 409 U.S. 63, 70, 175 USPQ 673, 676 (1972) (italics added) (quoting Cochrane v. Deener, 94 U.S. 780, 788, 24 L. Ed. 139, 141 (1876)). See also Nuijten, 500 F.3d at 1355, 84 USPQ2d at 1501 ("The Supreme Court and this court have consistently interpreted the statutory term ‘process’ to require action"); NTP, Inc. v. Research in Motion, Ltd., 418 F.3d 1282, 1316, 75 USPQ2d 1763, 1791 (Fed. Cir. 2005) ("[A] process is a series of acts.") (quoting Minton v. Natl. Ass’n. of Securities Dealers, 336 F.3d 1373, 1378, 67 USPQ2d 1614, 1681 (Fed. Cir. 2003)). As defined in 35 U.S.C. 100(b), the term "process" is synonymous with "method."
With respect to step 2A, prong one, this part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04(II) and the October 2019 Update, a claim ‘recites’ a judicial exception when the judicial exception is ‘set forth’ or ‘described’ in the claim. There are no nature-based product limitations in the claim, and thus the markedly different characteristics analysis is not performed. However, the claim still must be reviewed to determine if it recites any other type of judicial exception.
Claim 7 recites “analysis of the snapshots reveals the candidate process to comprise a ransomware process.”. This could be met by a human noticing that a ransom process is occurring. Such mental (or pen-and-paper) step falls within the ‘mental processes’ grouping of abstract ideas set forth in the 2019 PEG. 2019 PEG Section I, 84 Fed. Reg. at 52. Thus, this limitation recites concepts that fall into the ‘mental process’ grouping of abstract ideas.
As explained in the MPEP and the October 2019 Update, situations like this where a series of steps recite judicial exceptions, examiners should combine all recited judicial exceptions and treat the claim as containing a single abstract idea for purposes of further eligibility. See MPEP 2106.04 and 2106.05(ii). Thus, for purposes of further discussion, this rejection may consider all limitations as a single abstract idea.
With respect to step 2A, prong two, this part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by (a) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (b) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. 2019 PEG Section III(A)(2), 84 Fed. Reg. at 54-55. Besides the abstract idea, this claim recites that the candidate process comprises a ransomware process.
However, this candidate process comprising a ransomware process is recited so generically (no details are provided other than candidate process comprising a ransomware process) that it represents no more than mere instructions to apply the judicial exception on a computer system in order to detect such process(es). This limitation can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. It should be noted that because the courts have made clear that mere physicality or tangibility of an additional element or elements is not a relevant consideration in the eligibility analysis, the nature of these components being physical or tangible does not affect this analysis. See MPEP 2106.05(I) for more information on this point, including explanations from judicial decisions including Alice Corp. Pty. Ltd. V. CLS Bank Int’l, 573 U.S. 208, 224-26 (2014).
An evaluation of whether any part of the claim is ‘insignificant extra-solution activity’ is then performed. Note that because the step 2A Prong Two analysis excludes consideration of whether a limitation is well-understood, routine, conventional activity (2019 PEG Section III(A)(2), 84 Fed. Reg. at 55), this evaluation does not take into account whether or not the limitation is well-known. See October 2019 Update at Section III.D. When so evaluated, the limitation represents at most insignificant application that is necessary for use of the recited judicial exception. This limitation at most represents extra-solution activity because it is a mere nominal or tangential addition to the claim at most. See MPEP 2106.05(g), discussing limitations that the Federal Circuit has considered to be insignificant extra-solution activity, for instance the step of printing a menu that was generated through an abstract process in Apple, Inc. v. Ameranth, Inc., 842 F.3d 1229, 1241-42 (Fed. Cir. 2016) and the mere generic presentation of collected and analyzed data in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354 (Fed. Cir. 2016).
Even when viewed in combination, any additional elements in this claim do no more than automate the mental processes that the human can perform, using computer components as a tool. There is no change to any computers or other technology in the claim as automating the abstract ideas, and thus this claim cannot improve computer functionality or other technology. See, e.g., Trading Technologies Int’l v. IBG, Inc., 921 F.3d 1084, 1093 (Fed. Cir. 2019) (using a computer to provide a trader with more information to facilitate market trades improved the business process of market trading, but not the computer) and the cases discussed in MPEP 2106.05(a)(I), particularly FairWarning IP, LLC v. Iatric Sys., 839 F.3d 1089, 1095 (Fed. Cir. 2016) (accelerating a process of analyzing audit log data is not an improvement when the increased speed comes solely from the capabilities of a general-purpose computer) and Credit Acceptance Corp. v. Westlake Services, 859 F.3d 1044, 1055 (Fed. Cir. 2017)(using a generic computer to automate a process of applying to finance a purchase is not an improvement to the computer’s functionality). Accordingly, the claim as a whole does not integrate the recited judicial exception into a practical application and the claim is directed to the judicial exception.
With respect to step 2B, this part of the eligibility analysis evaluates whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. MPEP 2106.05. As explained with respect to Step 2A Prong Two, candidate process comprising a ransomware process is at best the equivalent of merely adding the words “apply it” to the judicial exception. Mere instructions to apply an exception cannot provide an inventive concept. Any other additional elements identified above are extra-solution activity, which for purposes of Step 2A Prong Two was considered insignificant. Under the 2019 PEG, however, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. 2019 PEG Section III(B), 84 Fed. Reg. at 56. At Step 2B, the evaluation of the insignificant extra-solution activity consideration takes into account whether or not the extra-solution activity is well-known. See MPEP 2106.05(g). Here, any insignificant extra solution activity is within the examples provided in USPTO guidance, such as MPEP 2106.05(g), for example. Thus, any subject matter that may be considered extra-solution activity therefore remain insignificant extra-solution activity even upon reconsideration, and do not amount to significantly more. Even when considered in combination, these additional elements represent mere instructions to apply an exception and insignificant extra-solution activity, which cannot provide an inventive concept.
Regarding claim 8, with respect to step 1, this part of the eligibility analysis evaluates whether the claim falls within any statutory category. MPEP 2106.03. The claim recites the ransomware process comprises a fileless ransomware process in addition to claim 1’s method comprising: identifying a candidate process for monitoring; while the candidate process is running, taking a set of snapshots of the candidate process, wherein each of the snapshots corresponds to a respective time period during which the candidate process was running; and analyzing the snapshots to determine whether the candidate process comprises a ransomware process. Therefore, this claim appears to be a method, which is a statutory category of invention. Please see MPEP 2106.3.I:
A process defines "actions", i.e., an invention that is claimed as an act or step, or a series of acts or steps. As explained by the Supreme Court, a "process" is "a mode of treatment of certain materials to produce a given result. It is an act, or a series of acts, performed upon the subject-matter to be transformed and reduced to a different state or thing." Gottschalk v. Benson, 409 U.S. 63, 70, 175 USPQ 673, 676 (1972) (italics added) (quoting Cochrane v. Deener, 94 U.S. 780, 788, 24 L. Ed. 139, 141 (1876)). See also Nuijten, 500 F.3d at 1355, 84 USPQ2d at 1501 ("The Supreme Court and this court have consistently interpreted the statutory term ‘process’ to require action"); NTP, Inc. v. Research in Motion, Ltd., 418 F.3d 1282, 1316, 75 USPQ2d 1763, 1791 (Fed. Cir. 2005) ("[A] process is a series of acts.") (quoting Minton v. Natl. Ass’n. of Securities Dealers, 336 F.3d 1373, 1378, 67 USPQ2d 1614, 1681 (Fed. Cir. 2003)). As defined in 35 U.S.C. 100(b), the term "process" is synonymous with "method."
With respect to step 2A, prong one, this part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04(II) and the October 2019 Update, a claim ‘recites’ a judicial exception when the judicial exception is ‘set forth’ or ‘described’ in the claim. There are no nature-based product limitations in the claim, and thus the markedly different characteristics analysis is not performed. However, the claim still must be reviewed to determine if it recites any other type of judicial exception.
Claim 8 recites “the ransomware process comprises a fileless ransomware process.”. This could be met by a human noticing that a ransom process is occurring. Such mental (or pen-and-paper) step falls within the ‘mental processes’ grouping of abstract ideas set forth in the 2019 PEG. 2019 PEG Section I, 84 Fed. Reg. at 52. Thus, this limitation recites concepts that fall into the ‘mental process’ grouping of abstract ideas.
As explained in the MPEP and the October 2019 Update, situations like this where a series of steps recite judicial exceptions, examiners should combine all recited judicial exceptions and treat the claim as containing a single abstract idea for purposes of further eligibility. See MPEP 2106.04 and 2106.05(ii). Thus, for purposes of further discussion, this rejection may consider all limitations as a single abstract idea.
With respect to step 2A, prong two, this part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by (a) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (b) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. 2019 PEG Section III(A)(2), 84 Fed. Reg. at 54-55. Besides the abstract idea, this claim recites that the ransomware process comprises a fileless ransomware process.
However, this the ransomware process comprises a fileless ransomware process is recited so generically (no details are provided other than the ransomware process comprises a fileless ransomware process) that it represents no more than mere instructions to apply the judicial exception on a computer system in order to detect such process(es). This limitation can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. It should be noted that because the courts have made clear that mere physicality or tangibility of an additional element or elements is not a relevant consideration in the eligibility analysis, the nature of these components being physical or tangible does not affect this analysis. See MPEP 2106.05(I) for more information on this point, including explanations from judicial decisions including Alice Corp. Pty. Ltd. V. CLS Bank Int’l, 573 U.S. 208, 224-26 (2014).
An evaluation of whether any part of the claim is ‘insignificant extra-solution activity’ is then performed. Note that because the step 2A Prong Two analysis excludes consideration of whether a limitation is well-understood, routine, conventional activity (2019 PEG Section III(A)(2), 84 Fed. Reg. at 55), this evaluation does not take into account whether or not the limitation is well-known. See October 2019 Update at Section III.D. When so evaluated, the limitation represents at most insignificant application that is necessary for use of the recited judicial exception. This limitation at most represents extra-solution activity because it is a mere nominal or tangential addition to the claim at most. See MPEP 2106.05(g), discussing limitations that the Federal Circuit has considered to be insignificant extra-solution activity, for instance the step of printing a menu that was generated through an abstract process in Apple, Inc. v. Ameranth, Inc., 842 F.3d 1229, 1241-42 (Fed. Cir. 2016) and the mere generic presentation of collected and analyzed data in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354 (Fed. Cir. 2016).
Even when viewed in combination, any additional elements in this claim do no more than automate the mental processes that the human can perform, using computer components as a tool. There is no change to any computers or other technology in the claim as automating the abstract ideas, and thus this claim cannot improve computer functionality or other technology. See, e.g., Trading Technologies Int’l v. IBG, Inc., 921 F.3d 1084, 1093 (Fed. Cir. 2019) (using a computer to provide a trader with more information to facilitate market trades improved the business process of market trading, but not the computer) and the cases discussed in MPEP 2106.05(a)(I), particularly FairWarning IP, LLC v. Iatric Sys., 839 F.3d 1089, 1095 (Fed. Cir. 2016) (accelerating a process of analyzing audit log data is not an improvement when the increased speed comes solely from the capabilities of a general-purpose computer) and Credit Acceptance Corp. v. Westlake Services, 859 F.3d 1044, 1055 (Fed. Cir. 2017)(using a generic computer to automate a process of applying to finance a purchase is not an improvement to the computer’s functionality). Accordingly, the claim as a whole does not integrate the recited judicial exception into a practical application and the claim is directed to the judicial exception.
With respect to step 2B, this part of the eligibility analysis evaluates whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. MPEP 2106.05. As explained with respect to Step 2A Prong Two, the ransomware process comprises a fileless ransomware process is at best the equivalent of merely adding the words “apply it” to the judicial exception. Mere instructions to apply an exception cannot provide an inventive concept. Any other additional elements identified above are extra-solution activity, which for purposes of Step 2A Prong Two was considered insignificant. Under the 2019 PEG, however, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. 2019 PEG Section III(B), 84 Fed. Reg. at 56. At Step 2B, the evaluation of the insignificant extra-solution activity consideration takes into account whether or not the extra-solution activity is well-known. See MPEP 2106.05(g). Here, any insignificant extra solution activity is within the examples provided in USPTO guidance, such as MPEP 2106.05(g), for example. Thus, any subject matter that may be considered extra-solution activity therefore remain insignificant extra-solution activity even upon reconsideration, and do not amount to significantly more. Even when considered in combination, these additional elements represent mere instructions to apply an exception and insignificant extra-solution activity, which cannot provide an inventive concept.
Regarding claim 9, with respect to step 1, this part of the eligibility analysis evaluates whether the claim falls within any statutory category. MPEP 2106.03. The claim recites the snapshots are taken while the candidate process is overwriting a file in addition to claim 1’s method comprising: identifying a candidate process for monitoring; while the candidate process is running, taking a set of snapshots of the candidate process, wherein each of the snapshots corresponds to a respective time period during which the candidate process was running; and analyzing the snapshots to determine whether the candidate process comprises a ransomware process. Therefore, this claim appears to be a method, which is a statutory category of invention. Please see MPEP 2106.3.I:
A process defines "actions", i.e., an invention that is claimed as an act or step, or a series of acts or steps. As explained by the Supreme Court, a "process" is "a mode of treatment of certain materials to produce a given result. It is an act, or a series of acts, performed upon the subject-matter to be transformed and reduced to a different state or thing." Gottschalk v. Benson, 409 U.S. 63, 70, 175 USPQ 673, 676 (1972) (italics added) (quoting Cochrane v. Deener, 94 U.S. 780, 788, 24 L. Ed. 139, 141 (1876)). See also Nuijten, 500 F.3d at 1355, 84 USPQ2d at 1501 ("The Supreme Court and this court have consistently interpreted the statutory term ‘process’ to require action"); NTP, Inc. v. Research in Motion, Ltd., 418 F.3d 1282, 1316, 75 USPQ2d 1763, 1791 (Fed. Cir. 2005) ("[A] process is a series of acts.") (quoting Minton v. Natl. Ass’n. of Securities Dealers, 336 F.3d 1373, 1378, 67 USPQ2d 1614, 1681 (Fed. Cir. 2003)). As defined in 35 U.S.C. 100(b), the term "process" is synonymous with "method."
With respect to step 2A, prong one, this part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04(II) and the October 2019 Update, a claim ‘recites’ a judicial exception when the judicial exception is ‘set forth’ or ‘described’ in the claim. There are no nature-based product limitations in the claim, and thus the markedly different characteristics analysis is not performed. However, the claim still must be reviewed to determine if it recites any other type of judicial exception.
Claim 9 recites “the snapshots are taken while the candidate process is overwriting a file.”. This could be met by a human noticing that a ransom process is occurring. Such mental (or pen-and-paper) step falls within the ‘mental processes’ grouping of abstract ideas set forth in the 2019 PEG. 2019 PEG Section I, 84 Fed. Reg. at 52. Thus, this limitation recites concepts that fall into the ‘mental process’ grouping of abstract ideas.
As explained in the MPEP and the October 2019 Update, situations like this where a series of steps recite judicial exceptions, examiners should combine all recited judicial exceptions and treat the claim as containing a single abstract idea for purposes of further eligibility. See MPEP 2106.04 and 2106.05(ii). Thus, for purposes of further discussion, this rejection may consider all limitations as a single abstract idea.
With respect to step 2A, prong two, this part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by (a) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (b) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. 2019 PEG Section III(A)(2), 84 Fed. Reg. at 54-55. Besides the abstract idea, this claim recites a candidate process overwriting a file.
However, this candidate process overwriting a file is recited so generically (no details are provided other than candidate process overwriting a file) that it represents no more than mere instructions to apply the judicial exception on a computer system in order to detect such process(es). This limitation can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. It should be noted that because the courts have made clear that mere physicality or tangibility of an additional element or elements is not a relevant consideration in the eligibility analysis, the nature of these components being physical or tangible does not affect this analysis. See MPEP 2106.05(I) for more information on this point, including explanations from judicial decisions including Alice Corp. Pty. Ltd. V. CLS Bank Int’l, 573 U.S. 208, 224-26 (2014).
An evaluation of whether any part of the claim is ‘insignificant extra-solution activity’ is then performed. Note that because the step 2A Prong Two analysis excludes consideration of whether a limitation is well-understood, routine, conventional activity (2019 PEG Section III(A)(2), 84 Fed. Reg. at 55), this evaluation does not take into account whether or not the limitation is well-known. See October 2019 Update at Section III.D. When so evaluated, the limitation represents at most mere data gathering that is necessary for use of the recited judicial exception. This limitation at most represents extra-solution activity because it is a mere nominal or tangential addition to the claim at most. See MPEP 2106.05(g), discussing limitations that the Federal Circuit has considered to be insignificant extra-solution activity, for instance the step of printing a menu that was generated through an abstract process in Apple, Inc. v. Ameranth, Inc., 842 F.3d 1229, 1241-42 (Fed. Cir. 2016) and the mere generic presentation of collected and analyzed data in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354 (Fed. Cir. 2016).
Even when viewed in combination, any additional elements in this claim do no more than automate the mental processes that the human can perform, using computer components as a tool. There is no change to any computers or other technology in the claim as automating the abstract ideas, and thus this claim cannot improve computer functionality or other technology. See, e.g., Trading Technologies Int’l v. IBG, Inc., 921 F.3d 1084, 1093 (Fed. Cir. 2019) (using a computer to provide a trader with more information to facilitate market trades improved the business process of market trading, but not the computer) and the cases discussed in MPEP 2106.05(a)(I), particularly FairWarning IP, LLC v. Iatric Sys., 839 F.3d 1089, 1095 (Fed. Cir. 2016) (accelerating a process of analyzing audit log data is not an improvement when the increased speed comes solely from the capabilities of a general-purpose computer) and Credit Acceptance Corp. v. Westlake Services, 859 F.3d 1044, 1055 (Fed. Cir. 2017)(using a generic computer to automate a process of applying to finance a purchase is not an improvement to the computer’s functionality). Accordingly, the claim as a whole does not integrate the recited judicial exception into a practical application and the claim is directed to the judicial exception.
With respect to step 2B, this part of the eligibility analysis evaluates whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. MPEP 2106.05. As explained with respect to Step 2A Prong Two, candidate process overwriting a file is at best the equivalent of merely adding the words “apply it” to the judicial exception. Mere instructions to apply an exception cannot provide an inventive concept. Any other additional elements identified above are extra-solution activity, which for purposes of Step 2A Prong Two was considered insignificant. Under the 2019 PEG, however, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. 2019 PEG Section III(B), 84 Fed. Reg. at 56. At Step 2B, the evaluation of the insignificant extra-solution activity consideration takes into account whether or not the extra-solution activity is well-known. See MPEP 2106.05(g). Here, any insignificant extra solution activity is within the examples provided in USPTO guidance, such as MPEP 2106.05(g), for example. Thus, any subject matter that may be considered extra-solution activity therefore remain insignificant extra-solution activity even upon reconsideration, and do not amount to significantly more. Even when considered in combination, these additional elements represent mere instructions to apply an exception and insignificant extra-solution activity, which cannot provide an inventive concept.
Regarding claim 10, with respect to step 1, this part of the eligibility analysis evaluates whether the claim falls within any statutory category. MPEP 2106.03. The claim recites a known program or known process is whitelisted before the snapshots are taken of the candidate process in addition to claim 1’s method comprising: identifying a candidate process for monitoring; while the candidate process is running, taking a set of snapshots of the candidate process, wherein each of the snapshots corresponds to a respective time period during which the candidate process was running; and analyzing the snapshots to determine whether the candidate process comprises a ransomware process. Therefore, this claim appears to be a method, which is a statutory category of invention. Please see MPEP 2106.3.I:
A process defines "actions", i.e., an invention that is claimed as an act or step, or a series of acts or steps. As explained by the Supreme Court, a "process" is "a mode of treatment of certain materials to produce a given result. It is an act, or a series of acts, performed upon the subject-matter to be transformed and reduced to a different state or thing." Gottschalk v. Benson, 409 U.S. 63, 70, 175 USPQ 673, 676 (1972) (italics added) (quoting Cochrane v. Deener, 94 U.S. 780, 788, 24 L. Ed. 139, 141 (1876)). See also Nuijten, 500 F.3d at 1355, 84 USPQ2d at 1501 ("The Supreme Court and this court have consistently interpreted the statutory term ‘process’ to require action"); NTP, Inc. v. Research in Motion, Ltd., 418 F.3d 1282, 1316, 75 USPQ2d 1763, 1791 (Fed. Cir. 2005) ("[A] process is a series of acts.") (quoting Minton v. Natl. Ass’n. of Securities Dealers, 336 F.3d 1373, 1378, 67 USPQ2d 1614, 1681 (Fed. Cir. 2003)). As defined in 35 U.S.C. 100(b), the term "process" is synonymous with "method."
With respect to step 2A, prong one, this part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04(II) and the October 2019 Update, a claim ‘recites’ a judicial exception when the judicial exception is ‘set forth’ or ‘described’ in the claim. There are no nature-based product limitations in the claim, and thus the markedly different characteristics analysis is not performed. However, the claim still must be reviewed to determine if it recites any other type of judicial exception.
Claim 10 recites “a known program or known process is whitelisted before the snapshots are taken of the candidate process.”. This could be met by a human noticing that a ransom process is occurring. Such mental (or pen-and-paper) step falls within the ‘mental processes’ grouping of abstract ideas set forth in the 2019 PEG. 2019 PEG Section I, 84 Fed. Reg. at 52. Thus, this limitation recites concepts that fall into the ‘mental process’ grouping of abstract ideas.
As explained in the MPEP and the October 2019 Update, situations like this where a series of steps recite judicial exceptions, examiners should combine all recited judicial exceptions and treat the claim as containing a single abstract idea for purposes of further eligibility. See MPEP 2106.04 and 2106.05(ii). Thus, for purposes of further discussion, this rejection may consider all limitations as a single abstract idea.
With respect to step 2A, prong two, this part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by (a) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (b) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. 2019 PEG Section III(A)(2), 84 Fed. Reg. at 54-55. Besides the abstract idea, this claim recites a known process or program.
However, this a known process or program is recited so generically (no details are provided other than a known process or program) that it represents no more than mere instructions to apply the judicial exception on a computer system in order to detect such process(es). This limitation can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. It should be noted that because the courts have made clear that mere physicality or tangibility of an additional element or elements is not a relevant consideration in the eligibility analysis, the nature of these components being physical or tangible does not affect this analysis. See MPEP 2106.05(I) for more information on this point, including explanations from judicial decisions including Alice Corp. Pty. Ltd. V. CLS Bank Int’l, 573 U.S. 208, 224-26 (2014).
An evaluation of whether any part of the claim is ‘insignificant extra-solution activity’ is then performed. Note that because the step 2A Prong Two analysis excludes consideration of whether a limitation is well-understood, routine, conventional activity (2019 PEG Section III(A)(2), 84 Fed. Reg. at 55), this evaluation does not take into account whether or not the limitation is well-known. See October 2019 Update at Section III.D. When so evaluated, the limitation represents at most insignificant application that is necessary for use of the recited judicial exception. This limitation at most represents extra-solution activity because it is a mere nominal or tangential addition to the claim at most. See MPEP 2106.05(g), discussing limitations that the Federal Circuit has considered to be insignificant extra-solution activity, for instance the step of printing a menu that was generated through an abstract process in Apple, Inc. v. Ameranth, Inc., 842 F.3d 1229, 1241-42 (Fed. Cir. 2016) and the mere generic presentation of collected and analyzed data in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354 (Fed. Cir. 2016).
Even when viewed in combination, any additional elements in this claim do no more than automate the mental processes that the human can perform, using computer components as a tool. There is no change to any computers or other technology in the claim as automating the abstract ideas, and thus this claim cannot improve computer functionality or other technology. See, e.g., Trading Technologies Int’l v. IBG, Inc., 921 F.3d 1084, 1093 (Fed. Cir. 2019) (using a computer to provide a trader with more information to facilitate market trades improved the business process of market trading, but not the computer) and the cases discussed in MPEP 2106.05(a)(I), particularly FairWarning IP, LLC v. Iatric Sys., 839 F.3d 1089, 1095 (Fed. Cir. 2016) (accelerating a process of analyzing audit log data is not an improvement when the increased speed comes solely from the capabilities of a general-purpose computer) and Credit Acceptance Corp. v. Westlake Services, 859 F.3d 1044, 1055 (Fed. Cir. 2017)(using a generic computer to automate a process of applying to finance a purchase is not an improvement to the computer’s functionality). Accordingly, the claim as a whole does not integrate the recited judicial exception into a practical application and the claim is directed to the judicial exception.
With respect to step 2B, this part of the eligibility analysis evaluates whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. MPEP 2106.05. As explained with respect to Step 2A Prong Two, a known process or program is at best the equivalent of merely adding the words “apply it” to the judicial exception. Mere instructions to apply an exception cannot provide an inventive concept. Any other additional elements identified above are extra-solution activity, which for purposes of Step 2A Prong Two was considered insignificant. Under the 2019 PEG, however, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. 2019 PEG Section III(B), 84 Fed. Reg. at 56. At Step 2B, the evaluation of the insignificant extra-solution activity consideration takes into account whether or not the extra-solution activity is well-known. See MPEP 2106.05(g). Here, any insignificant extra solution activity is within the examples provided in USPTO guidance, such as MPEP 2106.05(g), for example. Thus, any subject matter that may be considered extra-solution activity therefore remain insignificant extra-solution activity even upon reconsideration, and do not amount to significantly more. Even when considered in combination, these additional elements represent mere instructions to apply an exception and insignificant extra-solution activity, which cannot provide an inventive concept.
Regarding claim 11, with respect to step 1, this part of the eligibility analysis evaluates whether the claim falls within any statutory category. MPEP 2106.03. For purposes of compact prosecution, it is noted that the below rejections would be provided if the above 101 rejection for claim 11 were to be overcome. In such a situation, the claim would recite a manufacture or machine, depending on the amendment. The claim recites identifying a candidate process for monitoring; while the candidate process is running, taking a set of snapshots of the candidate process, wherein each of the snapshots corresponds to a respective time period during which the candidate process was running; and analyzing the sampled snapshots to determine whether the candidate process comprises a ransomware process. Therefore, this claim appears to be a manufacture or machine (if amended appropriately), which is a statutory category of invention. Please see MPEP 2106.3.I:
A process defines "actions", i.e., an invention that is claimed as an act or step, or a series of acts or steps. As explained by the Supreme Court, a "process" is "a mode of treatment of certain materials to produce a given result. It is an act, or a series of acts, performed upon the subject-matter to be transformed and reduced to a different state or thing." Gottschalk v. Benson, 409 U.S. 63, 70, 175 USPQ 673, 676 (1972) (italics added) (quoting Cochrane v. Deener, 94 U.S. 780, 788, 24 L. Ed. 139, 141 (1876)). See also Nuijten, 500 F.3d at 1355, 84 USPQ2d at 1501 ("The Supreme Court and this court have consistently interpreted the statutory term ‘process’ to require action"); NTP, Inc. v. Research in Motion, Ltd., 418 F.3d 1282, 1316, 75 USPQ2d 1763, 1791 (Fed. Cir. 2005) ("[A] process is a series of acts.") (quoting Minton v. Natl. Ass’n. of Securities Dealers, 336 F.3d 1373, 1378, 67 USPQ2d 1614, 1681 (Fed. Cir. 2003)). As defined in 35 U.S.C. 100(b), the term "process" is synonymous with "method."
The other three categories (machines, manufactures and compositions of matter) define the types of physical or tangible "things" or "products" that Congress deemed appropriate to patent. Digitech Image Techs. v. Electronics for Imaging, 758 F.3d 1344, 1348, 111 USPQ2d 1717, 1719 (Fed. Cir. 2014) ("For all categories except process claims, the eligible subject matter must exist in some physical or tangible form."). Thus, when determining whether a claimed invention falls within one of these three categories, examiners should verify that the invention is to at least one of the following categories and is claimed in a physical or tangible form.
• A machine is a "concrete thing, consisting of parts, or of certain devices and combination of devices." Digitech, 758 F.3d at 1348-49, 111 USPQ2d at 1719 (quoting Burr v. Duryee, 68 U.S. 531, 570, 17 L. Ed. 650, 657 (1863)). This category "includes every mechanical device or combination of mechanical powers and devices to perform some function and produce a certain effect or result." Nuijten, 500 F.3d at 1355, 84 USPQ2d at 1501 (quoting Corning v. Burden, 56 U.S. 252, 267, 14 L. Ed. 683, 690 (1854)).
• A manufacture is "a tangible article that is given a new form, quality, property, or combination through man-made or artificial means." Digitech, 758 F.3d at 1349, 111 USPQ2d at 1719-20 (citing Diamond v. Chakrabarty, 447 U.S. 303, 308, 206 USPQ 193, 197 (1980)). As the courts have explained, manufactures are articles that result from the process of manufacturing, i.e., they were produced "from raw or prepared materials by giving to these materials new forms, qualities, properties, or combinations, whether by hand-labor or by machinery." Samsung Electronics Co. v. Apple Inc., 137 S. Ct. 429, 120 USPQ2d 1749, 1752-3 (2016) (quoting Diamond v. Chakrabarty, 447 U. S. 303, 308, 206 USPQ 193, 196-97 (1980)); Nuijten, 500 F.3d at 1356-57, 84 USPQ2d at 1502. Manufactures also include "the parts of a machine considered separately from the machine itself." Samsung Electronics, 137 S. Ct. at 435, 120 USPQ2d at 1753 (quoting 1 W. Robinson, The Law of Patents for Useful Inventions §183, p. 270 (1890)).
• A composition of matter is a "combination of two or more substances and includes all composite articles." Digitech, 758 F.3d at 1348-49, 111 USPQ2d at 1719 (citation omitted). This category includes all compositions of two or more substances and all composite articles, "'whether they be the results of chemical union or of mechanical mixture, or whether they be gases, fluids, powders or solids.'" Chakrabarty, 447 U.S. at 308, 206 USPQ at 197 (quoting Shell Dev. Co. v. Watson, 149 F. Supp. 279, 280 (D.D.C. 1957); id. at 310 holding genetically modified microorganism to be a manufacture or composition of matter).
With respect to step 2A, prong one, this part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04(II) and the October 2019 Update, a claim ‘recites’ a judicial exception when the judicial exception is ‘set forth’ or ‘described’ in the claim. There are no nature-based product limitations in the claim, and thus the markedly different characteristics analysis is not performed. However, the claim still must be reviewed to determine if it recites any other type of judicial exception.
Claim 11 recites “identifying a candidate process for monitoring; while the candidate process is running, taking a set of snapshots of the candidate process, wherein each of the snapshots corresponds to a respective time period during which the candidate process was running; and analyzing the sampled snapshots to determine whether the candidate process comprises a ransomware process.”. These steps can be performed by a human, for example, looking at an application, remembering what the application looks like and/or does at a couple locations, and deciding that something went wrong (e.g., watching a word processor that has completely viewable data at first later have complete gibberish since the data was overwritten with encrypted data). These steps may also be performed in a human determining that a ransom process is taking place, for example, by identifying a potential ransomer and/or ransomee, watching as the ransomee is taken by the ransomer, and then determining that a ransom process has taken place upon receiving instructions for ransom. This can all be performed in the human mind just by noticing things that happen, remembering things, and then comparing them later inside the mind. Such mental (or pen-and-paper) steps fall within the ‘mental processes’ grouping of abstract ideas set forth in the 2019 PEG. 2019 PEG Section I, 84 Fed. Reg. at 52. Thus, this limitation recites concepts that fall into the ‘mental process’ grouping of abstract ideas.
As explained in the MPEP and the October 2019 Update, situations like this where a series of steps recite judicial exceptions, examiners should combine all recited judicial exceptions and treat the claim as containing a single abstract idea for purposes of further eligibility. See MPEP 2106.04 and 2106.05(ii). Thus, for purposes of further discussion, this rejection may consider all limitations as a single abstract idea.
With respect to step 2A, prong two, this part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by (a) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (b) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. 2019 PEG Section III(A)(2), 84 Fed. Reg. at 54-55. Besides the abstract idea, this claim recites a non-transitory storage medium, instructions, one or more hardware processors, a candidate process which may comprise a ransomware process.
However, this candidate process that may comprise a ransomware process is recited so generically (no details are provided other than that it is a candidate process that may comprise a ransomware process) that it represents no more than mere instructions to apply the judicial exception on a computer system in order to detect such process(es). Moreover, the non-transitory storage medium, instructions, and one or more hardware processors are recited so generically (no details are provided other than they each exist) that it represents no more than mere instructions to apply the judicial exception on a computer system. This limitation can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. It should be noted that because the courts have made clear that mere physicality or tangibility of an additional element or elements is not a relevant consideration in the eligibility analysis, the nature of these components being physical or tangible does not affect this analysis. See MPEP 2106.05(I) for more information on this point, including explanations from judicial decisions including Alice Corp. Pty. Ltd. V. CLS Bank Int’l, 573 U.S. 208, 224-26 (2014).
An evaluation of whether any part of the claim is ‘insignificant extra-solution activity’ is then performed. Note that because the step 2A Prong Two analysis excludes consideration of whether a limitation is well-understood, routine, conventional activity (2019 PEG Section III(A)(2), 84 Fed. Reg. at 55), this evaluation does not take into account whether or not the limitation is well-known. See October 2019 Update at Section III.D. When so evaluated, the limitation represents at most mere data gathering and/or insignificant application that is necessary for use of the recited judicial exception. This limitation at most represents extra-solution activity because it is a mere nominal or tangential addition to the claim at most. See MPEP 2106.05(g), discussing limitations that the Federal Circuit has considered to be insignificant extra-solution activity, for instance the step of printing a menu that was generated through an abstract process in Apple, Inc. v. Ameranth, Inc., 842 F.3d 1229, 1241-42 (Fed. Cir. 2016) and the mere generic presentation of collected and analyzed data in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354 (Fed. Cir. 2016).
Even when viewed in combination, any additional elements in this claim do no more than automate the mental processes that the human can perform, using computer components as a tool. There is no change to any computers or other technology in the claim as automating the abstract ideas, and thus this claim cannot improve computer functionality or other technology. See, e.g., Trading Technologies Int’l v. IBG, Inc., 921 F.3d 1084, 1093 (Fed. Cir. 2019) (using a computer to provide a trader with more information to facilitate market trades improved the business process of market trading, but not the computer) and the cases discussed in MPEP 2106.05(a)(I), particularly FairWarning IP, LLC v. Iatric Sys., 839 F.3d 1089, 1095 (Fed. Cir. 2016) (accelerating a process of analyzing audit log data is not an improvement when the increased speed comes solely from the capabilities of a general-purpose computer) and Credit Acceptance Corp. v. Westlake Services, 859 F.3d 1044, 1055 (Fed. Cir. 2017)(using a generic computer to automate a process of applying to finance a purchase is not an improvement to the computer’s functionality). Accordingly, the claim as a whole does not integrate the recited judicial exception into a practical application and the claim is directed to the judicial exception.
With respect to step 2B, this part of the eligibility analysis evaluates whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. MPEP 2106.05. As explained with respect to Step 2A Prong Two, the candidate process that may comprise a ransomware process is at best the equivalent of merely adding the words “apply it” to the judicial exception. Mere instructions to apply an exception cannot provide an inventive concept. Any other additional elements identified above are extra-solution activity, which for purposes of Step 2A Prong Two was considered insignificant. Under the 2019 PEG, however, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. 2019 PEG Section III(B), 84 Fed. Reg. at 56. At Step 2B, the evaluation of the insignificant extra-solution activity consideration takes into account whether or not the extra-solution activity is well-known. See MPEP 2106.05(g). Here, any insignificant extra solution activity is within the examples provided in USPTO guidance, such as MPEP 2106.05(g), for example. Thus, any subject matter that may be considered extra-solution activity therefore remain insignificant extra-solution activity even upon reconsideration, and do not amount to significantly more. Even when considered in combination, these additional elements represent mere instructions to apply an exception and insignificant extra-solution activity, which cannot provide an inventive concept.
Regarding Claims 12-20, please see the analyses of claim 11 as well as 2-10.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5, 7, 10-13, 15, 17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Patton (U.S. Patent 10,229,269) in view of Halcrow (U.S. Patent Application Publication 2021/0049031).
Regarding Claim 1,
Patton discloses a method comprising:
Identifying a candidate process for monitoring (Exemplary Citations: for example, Abstract, Column 4, line 11 to Column 5, line 39; Column 6, lines 5-55; Column 7, lines 11-58; and associated figures; process, application, etc. to monitor, for example);
While the candidate process is running, taking a set of zoom in snapshots, wherein each of the zoom in snapshots corresponds to a respective time period during which the candidate process was running (Exemplary Citations: for example, Abstract, Column 4, line 11 to Column 5, line 39; Column 6, lines 5-55; Column 7, lines 11-58; and associated figures; file snapshots taken and associated with timestamps, for example);
Sampling the set of zoom in snapshots at a frequency that is determined based on dissimilarity of the candidate process to known malware (Exemplary Citations: for example, Abstract, Column 4, line 11 to Column 5, line 39; Column 6, lines 5-55; Column 7, lines 11-58; and associated figures; file snapshots taken and associated with timestamps, for example; stopping monitoring if safe process, whitelisting after determining safe process, continuing monitoring if not safe process, etc., as examples);
Analyzing the zoom in snapshots obtained during the sampling to determine whether the candidate process comprises a ransomware process (Exemplary Citations: for example, Abstract, Column 4, line 11 to Column 5, line 39; Column 6, lines 5-55; Column 7, lines 11-58; and associated figures; determining ransomware based on the snapshots in some fashion, such as by detecting changes to files, a certain number of encrypted files within a time window, or many other methods, for example); and
Taking a remedial action to stop the ransomware process in a case where it is determined that the candidate process comprises the ransomware process (Exemplary Citations: for example, Abstract, Column 4, line 11 to Column 5, line 39; Column 6, lines 5-55; Column 7, lines 11-58; and associated figures; remediate, such as terminating, quarantining, removing from whitelist, etc., as examples);
But does not appear to explicitly disclose that the snapshots are of the candidate process.
Halcrow, however, discloses that the snapshots are of the candidate process (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 29, 33-44, and associated figures; snapshots as well as all data captured during heightened level of auditing, such data effectively being delta snapshots noting every change in state, taken while the process is running, for example. It is noted that the entire memory state can be captured in Halcrow, which includes the entirety of the memory space taken by any given process being monitored);
Identifying a candidate process for monitoring (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 29, 33-44, and associated figures; processes, programs, applications, etc., and/or virtual machine including such, being monitored, for example);
While the candidate process is running, taking a set of zoom in snapshots of the candidate process, wherein each of the zoom in snapshots corresponds to a respective time period during which the candidate process was running (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 29, 33-44, and associated figures; snapshots as well as all data captured during heightened level of auditing, such data effectively being delta snapshots noting every change in state, taken while the process is running (e.g., during a time period from attack start to attack end or certain time period thereafter, or the like, as examples), for example);
Sampling the set of zoom in snapshots at a frequency that is determined based on dissimilarity of the candidate process to known malware (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 29, 33-44, and associated figures; any use of snapshots as well as all data captured during heightened level of auditing, such data effectively being delta snapshots noting every change in state, taken while the process is running (e.g., during a time period from attack start to attack end or certain time period thereafter, or the like, as examples), with lower frequency snapshots occurring while an attack is not in progress, for example);
Analyzing the zoom in snapshots obtained during the sampling to determine whether the candidate process comprises a malicious process (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 29, 33-44, and associated figures; analyzing the above to detect attack, for example); and
Taking a remedial action to stop the malicious process in a case where it is determined that the candidate process comprises the malicious process (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 29, 33-44, and associated; process termination, VM termination, restoring any damage done by an attack, effectively stopping the process, since no changes that the process made are effective, etc., as examples). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the attack detection techniques of Halcrow into the ransomware detecting system of Patton in order to allow the system to better detect attacks and malware, to provide the system with additional information from which to base attack/malware detections on, to make it harder for attacks to hide their tracks, and/or to increase security in the system.
Regarding Claim 11,
Claim 11 is a medium claim that corresponds to method claim 1 and is rejected for the same reasons.
Regarding Claim 2,
Patton as modified by Halcrow discloses the method of claim 1, in addition, Patton discloses when it is determined that the candidate process does not comprise a ransomware process, the candidate process is added to a whitelist (Exemplary Citations: for example, Abstract, Column 6, line 56 to Column 7, line 10, and associated figures; adding non-ransomware process to whitelist, for example).
Regarding Claim 12,
Claim 12 is a medium claim that corresponds to method claim 2 and is rejected for the same reasons.
Regarding Claim 3,
Patton as modified by Halcrow discloses the method of claim 1, in addition, Patton as modified by Halcrow discloses when a counter indicates that the candidate process comprises a number of write operations that exceeds a threshold, the candidate process is identified as a ransomware process (Patton: Exemplary Citations: for example, Abstract, Column 4, line 11 to Column 5, line 39; Column 6, lines 5-55; Column 7, lines 11-58; and associated figures; comparing number of encryptions (which are file edits/writes) to a threshold; Halcrow: Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 29, 33-44, and associated figures; tracking and checking all writes, for example).
Regarding Claim 13,
Claim 13 is a medium claim that corresponds to method claim 3 and is rejected for the same reasons.
Regarding Claim 5,
Patton as modified by Halcrow discloses the method of claim 1, in addition, Patton discloses that the zoom in snapshots are analyzed in real time as they are taken (Exemplary Citations: for example, Abstract, Column 4, line 11 to Column 5, line 39; Column 6, lines 5-55; Column 7, lines 11-58; and associated figures); and
Halcrow discloses that the zoom in snapshots are analyzed in real time as they are taken (Exemplary Citations: for example, Abstract, Paragraphs 3-9, 22, 23, 29, 33-44, and associated figures).
Regarding Claim 15,
Claim 15 is a medium claim that corresponds to method claim 5 and is rejected for the same reasons.
Regarding Claim 7,
Patton as modified by Halcrow discloses the method of claim 1, in addition, Patton discloses that analysis of the zoom in snapshots reveals the candidate process to comprise a ransomware process (Exemplary Citations: for example, Abstract, Column 4, line 11 to Column 5, line 39; Column 6, lines 5-55; Column 7, lines 11-58; and associated figures).
Regarding Claim 17,
Claim 17 is a medium claim that corresponds to method claim 7 and is rejected for the same reasons.
Regarding Claim 10,
Patton as modified by Halcrow discloses the method of claim 1, in addition, Patton discloses that a known program or known process is whitelisted before the zoom in snapshots are taken of the candidate process (Exemplary Citations: for example, Abstract, Column 4, line 11 to Column 5, line 39; Column 6, line 5 to Column 7, line 58; and associated figures; whitelist used to determine whether or not to monitor process, for example).
Regarding Claim 20,
Claim 20 is a medium claim that corresponds to method claim 10 and is rejected for the same reasons.
Claims 4 and 14 is rejected under 35 U.S.C. 103 as being unpatentable over Patton in view of Halcrow and Derbeko (U.S. Patent 10,320,828).
Regarding Claim 4,
Patton as modified by Halcrow discloses the method of claim 1, in addition, Patton discloses that the zoom in snapshots are analyzed in a system (Exemplary Citations: for example, Abstract, Column 4, line 11 to Column 5, line 39; Column 6, lines 5-55; Column 7, lines 11-58; and associated figures);
But does not explicitly disclose that the system comprises a vault that is isolated by an air gap from a production site where the process runs.
Derbeko, however, discloses that the system comprises a vault that is isolated by an air gap from a production site where the process runs (Exemplary Citations: for example, Column 2, lines 41-52; Column 3, lines 4-19; Column 4, lines 43-53; Column 6, line 43 to Column 7, line 12; Column 7, line 64 to Column 8, line 24; and associated figures; air gap from production system to testbed, where testbed detects malware and the like in the production system, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the cyber testbed techniques of Derbeko into the ransomware detecting system of Patton as modified by Halcrow in order to allow for malware and vulnerabilities to be detected and tested for in a virtual environment, to allow an administrator to balance a high level of security with business usability, to detect additional attacks/attack vectors, and/or to increase security in the system.
Regarding Claim 14,
Claim 14 is a medium claim that corresponds to method claim 4 and is rejected for the same reasons.
Claims 6, 9, 16, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Patton in view of Halcrow and Striem-Amit (U.S. Patent 10,503,897).
Regarding Claim 6,
Patton as modified by Halcrow discloses the method of claim 1, in addition, Patton discloses that the candidate process comprises a file writing process (Exemplary Citations: for example, Abstract, Column 4, line 11 to Column 5, line 39; Column 6, lines 5-55; Column 7, lines 11-58; and associated figures; editing a file, saving edited file, etc., as examples);
But does not explicitly disclose that the writing comprises overwriting.
Striem-Amit, however, discloses that the candidate process comprises a file overwriting process (Exemplary Citations: for example, Abstract, Column 1, lines 17-32; Column 2, line 26 to Column 3, line 6; Column 3, line 54 to Column 4, line 7; and associated figures; ransomware overwrites files, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the ransomware detection and remediation techniques of Striem-Amit into the ransomware detecting system of Patton as modified by Halcrow in order to allow the system to detect additional ransomware patterns, to provide huge redundancy of files in a system’s storage, making it more likely ransomware will attack unnecessary files, to increase resilience of the system, and/or to increase security in the system.
Regarding Claim 16,
Claim 16 is a medium claim that corresponds to method claim 6 and is rejected for the same reasons.
Regarding Claim 9,
Patton as modified by Halcrow discloses the method of claim 1, in addition, Patton discloses that the zoom in snapshots are taken while the candidate process is overwriting a file (Exemplary Citations: for example, Abstract, Column 4, line 11 to Column 5, line 39; Column 6, lines 5-55; Column 7, lines 11-58; and associated figures);
But does not explicitly disclose that the writing comprises overwriting.
Striem-Amit, however, discloses that the writing comprises overwriting (Exemplary Citations: for example, Abstract, Column 1, lines 17-32; Column 2, line 26 to Column 3, line 6; Column 3, line 54 to Column 4, line 7; and associated figures). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the ransomware detection and remediation techniques of Striem-Amit into the ransomware detecting system of Patton as modified by Halcrow in order to allow the system to detect additional ransomware patterns, to provide huge redundancy of files in a system’s storage, making it more likely ransomware will attack unnecessary files, to increase resilience of the system, and/or to increase security in the system.
Regarding Claim 19,
Claim 19 is a medium claim that corresponds to method claim 9 and is rejected for the same reasons.
Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Patton in view of Halcrow and Johansen (Johansen, Alison Grace, “What is fileless malware and how does it work?”, 8/8/2018, 9 pages, obtained from https://us.norton.com/blog/malware/what-is-fileless-malware).
Regarding Claim 8,
Patton as modified by Halcrow does not appear to explicitly disclose that the ransomware process comprises a fileless ransomware process.
Johansen, however, discloses that the ransomware process comprises a fileless ransomware process (Exemplary Citations: for example, Pages 1-5; fileless malware/ransomware, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the fileless malware and protection techniques of Johansen into the ransomware detecting system of Patton as modified by Halcrow in order to allow the system to protect against additional forms of malware, to assist users in best practices for security, and/or to increase security in the system.
Regarding Claim 18,
Claim 18 is a medium claim that corresponds to method claim 8 and is rejected for the same reasons.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey D. Popham/Primary Examiner, Art Unit 2432