STORAGE SYSTEM AND STORAGE SYSTEM MONITORING METHOD

§103 §112

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Priority Acknowledgment is made of applicant's claim for foreign priority based on an application filed in JP on 02/28/2023. It is noted, however, that applicant has not filed a certified copy of the JP2023-029083 application as required by 37 CFR 1.55. Information Disclosure Statement The information disclosure statements (IDS) submitted on 8/10/2023 and 9/24/2024 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner. Response to Arguments Applicant's arguments, see pages 11 and 12, filed 7/25/2025, with respect to objections to the drawings, have been fully considered. Regarding the argument: “With respect to item 3(a) in the Office Action, Fig. 1 shows reference numeral 16 indicating data protection storage and Fig. 2(a) shows an example of a system in which the primary storage 15 and data protection storage 16 directly used by host 14 are implemented on the same storage and therefore reference number 16 is not shown in Fig. 2(a).” This argument is persuasive. This objection is withdrawn. Regarding the argument: “With respect to item 4(a), Figs. 2(a) — (c) contain text such as “1st storage,” “data protection storage,” which are located adjacent to the reference numbers they represent (e.g., 15, 16, respectively).” Examiner respectfully disagrees. The text, “1st Storage” is displayed as follows in the three figures: Fig. 2a) PNG media_image1.png 211 212 media_image1.png Greyscale Fig. 2b) PNG media_image2.png 214 203 media_image2.png Greyscale Fig. 2c) PNG media_image3.png 209 169 media_image3.png Greyscale To clarify the objection from the previous office action, the examiner does not proclaim that the text is not in any proximity to the “correct” reference numbers; rather, the text is at least as or more proximate to “incorrect” reference numbers. Therefore, it is ambiguous what elements of the drawings are labelled. This objection is maintained. Regarding the argument: “With respect to Fig. 11, Applicant has amended the text of S119 of Fig. 11 to “Acquire a local copy SVol 18 of PVol 17 in the first storage and backup in Data Protection Storage."” This argument is persuasive. This objection is withdrawn. Applicant's arguments, see page 12, filed 7/25/2025, with respect to interpretation of claims 1, 2, 4, and 7 under 35 USC 112(f), have been fully considered and are persuasive. These claims are no longer being interpreted under 35 USC 112(f). Applicant’s arguments, see page 13, filed 7/25/2025, with respect to the rejection of claims 1-9 under 35 USC 112(a) have been fully considered and are persuasive. These rejections have been withdrawn. Applicant’s arguments, see page 13, filed 7/25/2025, with respect to the rejection of claims 1-10 under 35 USC 112(b) have been fully considered and are persuasive. These rejections have been withdrawn. Applicant’s arguments, see pages 13-17, filed 7/25/2025, with respect to the rejection of claims 1 and 10 under 35 USC 103 have been fully considered. The amendments result in a large change in scope and interpretation of the claims; through this consideration alone, the previous prior art rejections are withdrawn. However, the examiner makes the following note regarding applicant arguments: Regarding the argument: “The combination of Crofton and Brewer does not render claim 1 obvious. For example, the presently claimed invention detects failures due to ransomware attacks, etc. on business servers (hosts) without increasing the load on the storage system. Crofton and Brewer, whether considered individually or in combination, do not disclose the elements of claim 1.” Examiner notes that the element of detecting “failures due to ransomware attacks, etc. … without increasing the load on the storage system” is not explicitly reflected in the claims. Examiner further notes that any prior art which meets the broadest reasonable interpretation of the claims may be appropriately mapped to those claims. Drawings The drawings are objected to because: Regarding Figs 2(a), 2(b), and 2(c): Each contain multiple types of “storage” (i.e. “1st storage,” “data protection storage,” etc.). The placement of the text makes it unclear which part of the drawings is being labeled. Given the context of the specification, it seems the text is partnered with reference numbers 15, 16, and 25; however, they are placed as if they are labelling reference numbers 17, 20, and 28. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance. Claim Objections Claims 1-10 are objected to because of the following informalities: Regarding claims 1 and 10: Claim 1 further recites, “… when the write end time exceeds a backup end time …”. Claim 10 recites similar language. The antecedent basis of “write end time” is not clear. This objection can be overcome by establishing the antecedence of the term (i.e. “… exceeds [[a]] the backup end time …). Appropriate correction is required. Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. Claims 1-8 and 10 are rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Regarding claims 1, 2, 8, and 10: The claims make several references to the term, “differential back up data.” There is insufficient support in the specification for these amended limitations, and thus constitutes new matter. The term “differential back up data” does not appear in the specification, and it is not clear whether any term used in the specification is meant to be used equivalently. While the specification refers to traditional backup data (a copy of data being stored as a backup), the claim language is not consistent with this interpretation. Regarding claims 3-8: They are dependent on one or more rejected claims, and thus inherit those rejections. This rejection could be overcome by overcoming the rejection(s) to any claims upon which these claims depend, or by amending the claims such that they are no longer dependent on any rejected claim. The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. Claims 1-8 and 10 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention. Regarding claims 1 and 10: Claim 1 recites, “… obtain differential back up data, which is a backup of data that has changed from the volume of the first storage to the volume of the data protection storage …”. Claim 10 recites similar language. There are multiple possible interpretations of the claim which make it difficult or impossible for one skilled in the art to determine the proper intent of the invention. A “differential backup,” as it is known in the art, is a method of saving changes to an original data source since the most recent full backup of the data. The portion of the specification most similar to the claims is found in paragraph [0032] “… only the portion of the business storage volume that has changed at the maximum available network write capacity will be written to the data protection storage volume.” However, this excerpt does not align with the known meaning, as it is not clear what “changed at the maximum available network write capacity” means in this context. If the applicant intends to use an alternative definition of “differential backup,” it should be supported by the specification and its meaning made clear in the claims. The current draft of the claims are open multiple mutually exclusive interpretations, including but not necessarily limited to: Backup data located in the data protection storage which is found to be different from the original backed-up data located in the first storage. Data which is believed to have changed while in transit between the first storage and data protection storage. Whether the “differential backup data” is a backup of some other data which has changed and is not backup data. Claim 1 further recites, “the monitoring server is programmed to: obtain differential back up data …”. Claim 1 goes on to recite, “… monitor a write time of the differential back up data to the volume of the data protection storage when the differential back up data is obtained …”. Claim 10 recites similar language. The metes and bounds of the claim are unclear. The claim language first indicates it is the “monitoring server” which obtains the “differential backup data”; however, it then indicates that the server monitors the write time of the differential backup to the “data protection storage.” If the intent is to claim that it is the data protection storage which obtains and writes the differential backup, and reports the write time to the monitoring server, the claims should be amended to make this clear. Regarding claim 5: The claim recites, “… obtain a backup from a clone volume the first local volume to the second physical volume.” The grammar of this limitation makes it difficult to determine what action is being described. It is not clear whether the “backup” is of a “clone volume,” or if the backup is a clone volume. It is also not clear whether it is a backup being transferred from a first to a second volume, or whether the claim is merely stating that the second volume is a clone of the first volume, or some other action. Regarding claim 6: The claim recites, “obtain a backup from a clone volume of the local volume to the second physical volume.” The meaning of this limitation is ambiguous. It is not clear whether the “monitoring server” is obtaining the backup from a “clone volume” and then transferring it to a “second volume,” or whether the server is merely monitoring a direct transfer between the volumes, or some other action. Regarding claim 8: The claim recites, “… detect the abnormality at a time later than the backup end time in the threshold table upon detecting a delay in the start of writing …”. This limitation is mutually exclusive with depended-on claim 2. Claim 2 recites, “… detect an abnormality based on whether a completion of writing … exceeds the backup end time …”. If the intention is to also detect another anomaly in the event of detecting a delay in the start time, the anomaly should be identified as such (i.e. “a new anomaly” instead of “the anomaly”). Regarding claims 2-4 and 7: They are dependent on one or more rejected claims, and thus inherit those rejections. This rejection could be overcome by overcoming the rejection(s) to any claims upon which these claims depend, or by amending the claims such that they are no longer dependent on any rejected claim. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over CROFTON et al (Doc ID US 20170177867 A1), and further in view of ANAND et al (Doc ID US 20100293141 A1) and KAMBE et al (Doc ID US 20190243740 A1). Regarding claim 1: CROFTON teaches: A storage system comprising: a first storage including a storage volume storing data used by a host computer ([0032] "A device 100 may include a memory storage device 106 …"); a data protection storage including a data protection storage volume that stores a backup of the data ([0031] "… a backup manager 142 executed by a server 140 for transferring data between device 100 and server 140 or a storage device 160."); and a monitoring server, including a memory and a processor, configured to monitor the data protection storage, wherein the processor of the monitoring server is programmed to ([0026] "… FIG. 1A, ... devices 100 communicating … to a backup server 140, which may manage one or more storage devices 160."): CROFTON does NOT teach: obtain differential back up data, which is a backup of data that has changed from the volume of the first storage to the volume of the data protection storage, monitor a write time of the differential back up data to the volume of the data protection storage when the differential back up data is obtained, and determine the write amount of the differential backup data to be abnormal when the write end time exceeds a backup end time, which is a predetermined backup time threshold corresponding to the write amount of the differential backup data. ANAND teaches: obtain differential back up data, which is a backup of data that has changed from the volume of the first storage to the volume of the data protection storage ([0029] "… At the backup system … 10, the backup information 40 is received and stored, including the incremental or differential backup metadata and the file content."), Utilizing a remote backup storage system and monitoring data operations between the original and backup locations are known techniques in the art, as demonstrated by CROFTON. Further, obtaining differential backup data is a known technique in the art, as demonstrated by ANAND. It would have been obvious to a person having ordinary skill in the art (PHOSITA) before the effective filing date of the claimed invention to modify the backup storage system of CROFTON with the differential backup of ANAND with the motivation to provide for incremental backup methods as well as full backups. It is obvious when monitoring for attacks to also monitor smaller changes that occur between full backups of the data. The combination of CROFTON and ANAND does NOT teach: monitor a write time of the differential back up data to the volume of the data protection storage when the differential back up data is obtained, and determine the write amount of the differential backup data to be abnormal when the write end time exceeds a backup end time, which is a predetermined backup time threshold corresponding to the write amount of the differential backup data. KAMBE teaches: monitor a write time of the differential back up data to the volume of the data protection storage when the differential back up data is obtained ([0301] "… the abnormality determiner 224 confirms the status of the job of the disk abnormality type, such as a backup job (Step S85) to confirm whether or not the backup job is in a normal status (Step S86)."), and determine the write amount of the differential backup data to be abnormal when the write end time exceeds a backup end time, which is a predetermined backup time threshold corresponding to the write amount of the differential backup data ([0303] "... calculates ... a scheduled writing completion time point based on ... (Step S88). This calculation may use ... the writing size (entire size) of data ..." and [0305] "... if the scheduled writing completion time point is later than the allowed scheduled end time point ..., the process moves to step S84." Examiner notes that step S84 is the step of "Detect Abnormality."). Detecting abnormalities in monitored end times of data writing is a known technique in the art, as demonstrated by KAMBE. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the backup storage system of CROFTON and ANAND with the write time monitoring and alerting of KAMBE with the motivation to detect abnormalities in the backup of data. It is obvious to monitor write times, as deviations from typical or scheduled times can indicate the presence of malware. Regarding claim 10: This claim is rejected with the same justification, mutatis mutandis, as its counterpart claim 1 above. Claims 2, and 4-8 are rejected under 35 U.S.C. 103 as being unpatentable over CROFTON et al (Doc ID US 20170177867 A1), ANAND et al (Doc ID US 20100293141 A1), and KAMBE et al (Doc ID US 20190243740 A1) as applied to claim 1 above, and further in view of BRANDWINE (Doc ID US 12197578 B1). Regarding claim 2: The combination of CROFTON, ANAND, and KAMBE teaches: The storage system described in claim 1, wherein the monitoring server stores (CROFTON [0038] "… server 140 may include ... storage devices. Data storage may be internal, such as memory 144 …" and [0039] "... Backup manager 142 ... for backing up, synchronizing, and/or restoring data files."): a backup plan table storing a start time to start back up of the volume of the first storage (KAMBE Fig. 3 and [0056] "… an example of the reference time point is a scheduled start time point ... at which the job is to start and/or end."), and a threshold table storing a backup start time, the backup end time, and an amount of data to be written (KAMBE Fig. 3 and [0303] "... calculates ... a scheduled writing completion time point based on ... (Step S88). This calculation may use ... the writing size (entire size) of data ..."), wherein the processor of the monitoring server is programmed to: refer to the backup plan table and start backup of the volume of the first storage at the start time (KAMBE [0056] "… An example of the reference time period is a scheduled execution time (time period) for which the job is to be executed …"), detect an abnormality based on whether a completion of writing the differential back up data to the volume of the data protection storage exceeds the backup end time in the threshold table (KAMBE [0303] "... calculates ... a scheduled writing completion time point based on ... (Step S88). This calculation may use ... the writing size (entire size) of data ..." and [0305] "... if the scheduled writing completion time point is later than the allowed scheduled end time point ..., the process moves to step S84." Examiner notes that step S84 is the step of "Detect Abnormality."), and Tracking data operation start and end times and using them to detect abnormalities is a known technique in the art, as demonstrated by KAMBE. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the anomaly-detecting backup storage system of CROFTON, ANAND, and KAMBE with the data transfer schedule metric of KAMBE with the motivation to detect attacks at the point where data is backed up to storage. It is obvious to assess time taken data transferred, as an attack may cause a significantly longer transfer than what is typical for a backup operation. The combination of CROFTON, ANAND, and KAMBE does NOT teach: output volume information of the volume of the first storage in which the abnormality occurred and host information corresponding to the volume of the first storage. BRANDWINE teaches this limitation: Col 25 lines 17-21 "… generating an alert notifying a user associated with the computer system of the potential ransomware attack, wherein the alert includes identification of the storage volume." Outputting a detailed alert upon the detection of an abnormality is a known technique in the art, as demonstrated by BRANDWINE. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the anomaly-detecting backup storage system of CROFTON, ANAND, and KAMBE with the abnormality alert of BRANDWINE with the motivation to notify a user or administrator of the presence of the abnormality. It is obvious to include common details such at the location of the abnormality in the notification. Regarding claim 4: The combination of CROFTON, ANAND, KAMBE, and BRANDWINE teaches: The storage system described in claim 2, wherein the monitoring server includes a backup control table storing a deletion possibility flag indicating whether the backup can be deleted (CROFTON [0068] "… At step 356, the prior version of the file may be unlocked or a flag removed to allow overwriting of the prior version …"), and upon detecting an abnormality, the deletion possibility flag of the most recent generation of backup control tables is changed to non-deletable (CROFTON [0067] "… At step 322, the backup manager may tag or identify the file or fragment as potentially malicious. At step 324, the backup manager may lock the prior version of the file or fragment from being overwritten ..."). Regarding claim 5: The combination of CROFTON, ANAND, KAMBE, and BRANDWINE teaches: The storage system described in claim 2, wherein the first storage includes a first physical volume accessed by the monitoring server and a first local volume associated with the first physical volume storing data used by the host computer (CROFTON [0033] "Memory 106 may also store common data files 112 …" and [0035] "Memory 106 may also store personal data files 114 …"), wherein the volume of the data protection storage is a second physical volume storing backups of the first physical volume (CROFTON [0040] "... server 140 may include internal memory .... Memory 144 and/or storage 160 may store backup data 146 …"), wherein the processor of the monitoring server is programmed to obtain a backup from a clone volume the first local volume to the second physical volume (CROFTON [0039] "... Backup manager 142 ... for backing up, synchronizing, and/or restoring data files."). Regarding claim 6: The combination of CROFTON, ANAND, KAMBE, and BRANDWINE teaches: The storage system described in claim 2, wherein the first storage includes a first physical volume for storing data used by the host computer (CROFTON [0033] "Memory 106 may also store common data files 112 …" and [0035] "Memory 106 may also store personal data files 114 …"), wherein the data protection storage has a local volume associated with the first physical volume and a second physical volume for storing backups (CROFTON [0040] "... server 140 may include internal memory .... Memory 144 and/or storage 160 may store backup data 146 …"), wherein the server of the monitoring server is programmed to obtain a backup from a clone volume of the local volume to the second physical volume (CROFTON [0039] "... Backup manager 142 ... for backing up, synchronizing, and/or restoring data files."). Regarding claim 7: The combination of CROFTON, ANAND, KAMBE, and BRANDWINE teaches: The storage system described claim 2, wherein the first storage includes physical volume for storing data used by the host computer (CROFTON [0033] "Memory 106 may also store common data files 112 …"), wherein the storage system further comprises a second physical volume corresponding to the first physical volume and a local volume corresponding to the second physical volume (CROFTON [0035] "Memory 106 may also store personal data files 114 …"), wherein the data protection storage includes a second physical volume for storing backups of the data (CROFTON [0040] "... server 140 may include internal memory .... Memory 144 and/or storage 160 may store backup data 146 …"), and wherein the processor of the monitoring server is programmed to obtain a backup from a clone volume of the local volume to the second physical volume (CROFTON [0039] "... Backup manager 142 ... for backing up, synchronizing, and/or restoring data files."). Regarding claim 8: The combination of CROFTON, ANAND, KAMBE, and BRANDWINE teaches: The storage system described in claim 2, wherein the first storage and the data protection storage are located in a cloud computing system (CROFTON [0038] "Server 140, sometimes referred to as a backup server, backup service, cloud backup service …"), wherein the processor of the monitoring server is programmed to detect the abnormality at a time later than the backup end time in the threshold table upon detecting a delay in the start of writing the differential backup data to the volume in the data protection storage (KAMBE [0157] "… FIG. 8, ... the job is determined to be normal until the allowed scheduled end time point (e.g., 10:05) passes, not scheduled end time point (e.g., 10:00) passes."). Tracking data operation start and end times and using them to detect abnormalities is a known technique in the art, as demonstrated by KAMBE. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the ransomware-detecting backup storage system of CROFTON, ANAND, KAMBE, and BRANDWINE with the data transfer schedule metric of KAMBE with the motivation to detect ransomware attacks at the point where data is backed up to storage. It is obvious to assess time taken data transferred, as a ransomware attack will cause a significantly higher longer of transfer than what is typical for a backup operation. Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over CROFTON et al (Doc ID US 20170177867 A1), ANAND et al (Doc ID US 20100293141 A1), KAMBE et al (Doc ID US 20190243740 A1), and BRANDWINE (Doc ID US 12197578 B1) as applied to claim 2 above, and further in view of HARTLAND et al (Doc ID US 8244678 B1). Regarding claim 3: The combination of CROFTON, ANAND, KAMBE, and BRANDWINE teaches: A storage system described in claim 2, The combination of CROFTON, ANAND, KAMBE, and BRANDWINE does NOT teach: further comprising: a monitoring terminal coupled to the monitoring server, wherein the processor of the monitoring server is programmed to: accept changes to the backup end time from the monitoring terminal, and update the backup end time in the threshold table. HARTLAND teaches this limitation: Col 9 lines 64-65 "The client permits the user to set start and end times for backups …" Allowing changes to operation start and end times by a user is a known technique in the art, as demonstrated by HARTLAND. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the ransomware-detecting backup storage system of CROFTON, ANAND, KAMBE, and BRANDWINE with the user input of HARTLAND with the motivation to allow a user to adjust backup schedules as needed. It is obvious to allow a user to make changes to the schedule, as a user may wish to create a higher threshold for abnormalities, or be privy to additional information impacting the original scheduled time(s). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.ac Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRANDON BINCZAK whose telephone number is (703)756-4528. The examiner can normally be reached M-F 0800-1700. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /BB/Examiner, Art Unit 2437 /ALEXANDER LAGOR/Supervisory Patent Examiner, Art Unit 2437