Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments with respect to claims 1-4, and 7-10 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
In page 1 of the remarks, Applicant states that claims 1-13 were rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement, and states that the phrase previously used, that being “flagging the file associated with the file write” does not appear to be a description of flagging. As a result, Applicant states that claims 1, 5, 7, 11, and 13 have been amended, rendering this rejection moot. Examiner withdraws the rejections made in the previous Office Action regarding 112(a) rejections for claims 1-13.
In pages 1-2 of the remarks, Applicant states that claims 1-4, and 7-10 were previously rejected under 35 U.S.C. 102(a)(2) as being anticipated by Palisse et al. (US 20200342104 A1), hereinafter Palisse. In particular, Applicant states that Palisse does not disclose “information associated with the file write operation is provided to a memory extraction component to identify and extract at least one section of a memory that relates to the file write operation”, as amended in claim 1, with support for the amendments being found in paragraphs [0058] and [0060]. Examiner disagrees: while Palisse does not disclose or otherwise suggest the features of the amendments made in claim 1, the reference of Pohl et al. (US 10839072), hereinafter Pohl, teaches those features. In particular, Pohl states, in [Col. 6, lines 52-56] and Fig. 1, step 106, that if the entropy value is greater than or equal to a threshold, a copy-on-write process is performed to a copy-on-write storage area. As stated in [Col. 3, lines 60-62], a copy-on-write process creates a copy of the original file that can be modified, instead of overwriting it, corresponding to extracting at least one section of memory relating to the file write operation. The copy-on-write storage area, in conjunction with the copy-on-write process in the invention of Pohl, corresponds to a memory extraction component. Dependent claims 2-4 depend on claim 1 and remain rejected based on the rejections made to claim 1. Computing device claims 7-11 and computer program product claim 13 recite limitations similar to claims 1-4 and, as a result, share the rejections of their respective claims. New claims 14, 16, and 18 are rejected by Palisse, in particular at [0034], where a critical value corresponds to the determined entropy value, and at [0095], where the file identifier (idF) designates the file concerned by a write request 24, corresponding to a filename of the file being written in Fig. 2. Process identifier (PID) idP can also be provided, as stated in [0098], which can also name the process. As a result, claims 14, 16, and 18 are rejected. Claims 1-4, 7-10, and 14-16 are now rejected under 35 U.S.C. 103 as being unpatentable over Palisse in view of Pohl, as the grounds of rejection have been changed.
In page 3 of the remarks, Applicant states that claims 5, 11, and 14 were rejected under 35 U.S.C. 103 as being unpatentable over Palisse in view of LeCrone, with Applicant only stating that the rejection is traversed. Claims 6 and 12 are cancelled, with claims 5 and 11 amended to include elements from the now cancelled claims 6 and 12. Examiner states that claims 5 and 11 are rejected under 103 over Palisse in view of Pohl, further in view of Stolfo (US 10673884 B2), and LeCrone et al. (US 20210103490 A1), hereinafter LeCrone. In particular, the limitations are taught by the reference of Stolfo, such as “determining an ASCII frequency count to the predetermined number of bytes” ([Col. 10, line 49-Col. 11, line 11] Fig. 2, step S216 has a statistical distribution that is generated for each of the partitions created from the length distribution, where the frequency distribution of ASCII characters is contained in a payload, which is described as a file in section [Col. 7, lines 35-40].) and “wherein if the determined ASCII frequency count exceeds the predetermined parameter threshold” ([Col. 16, lines 59-62] Character frequency distribution is taken into account when determining whether the computation/distance is larger than a threshold. [Col. 17, lines 21-24] Fig. 10, S432, when the server determines the distance exceeds the threshold, the payload is identified as anomalous.). As a result, claims 5 and 11 remain rejected under a new ground of rejection of Palisse in view of Pohl, further in view of Stolfo, and LeCrone. Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Palisse in view of Pohl, further in view of LeCrone. As a result, the claims of the Application remain rejected.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 7-10, and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Palisse et al. (US 20200342104 A1), hereinafter Palisse, in view of Pohl et al. (US 10839072), hereinafter Pohl.
Regarding claim 1, Palisse discloses ‘a method of detecting a file encrypted by ransomware in a computing device, comprising’ ([0026]-[0041] Process of encryption detection method is described in this section of Palisse, with [0026] stating an 'encryption detection method' and listing the process in order.):
‘identifying a file write operation for a file on the computing device’ ([0028] File write requests are retrieved, and the requests comprise a character string to be written as an argument.);
‘determining if a predetermined number of bytes of the file is stored in a memory buffer on the computing device’ ([0028]-[0029] A file write request is emitted from a user thread 20 in Fig. 1 or Fig. 2, by an instruction 22, to a file identified by IdF, as stated in paragraph [0095]. The user thread corresponds to a memory buffer on the computing device of the applicant, as the user thread 20 holds the instructions, sends a write request to a memory manager 16, and then receives a request return 26 indicating whether or not the request has been executed, as explained in paragraph [0072]; file identifier IdF 36 designates the file 8 to be written to by write request 24. [0130] Fig. 3, which is the behavioral analysis module 302 of Fig. 2, comprises an extraction operation 318, described in paragraph [0128], that ensures the write request takes effect in the header Ent00 of the file identified as IdF; the header Ent00 is in an identified file IdF that is in a user thread 20, which corresponds to a memory buffer of the applicant.);
‘determining an entropy value of the predetermined number of bytes in the memory buffer’ ([0029] A first deviation quantity is calculated according to a part of a character string which relates to a header of the file identified as IdF, along with a statistical model for header writing. [0034] A critical quantity is derived from the first deviation quantity, and the critical quantity corresponds to the entropy value of the predetermined number of bytes in a memory buffer of the applicant, as paragraphs [0047]-[0048] state that a second deviation quantity is derived from the first deviation quantity and a quantification quantity of the randomness, with the second deviation quantity used as the critical quantity. Therefore, the critical value corresponds to the entropy value of the applicant.);
‘comparing the determined entropy value of the predetermined number of bytes to a first predetermined threshold’ ([0035] A user thread 20 is neutralized if a critical quantity exceeds a first threshold, where the first threshold corresponds to the first predetermined threshold of the applicant. [0203] Fig. 5 shows a diagram of decision module 304, wherein in step 340 the behavioral value S is compared with a first threshold, and if it exceeds the first threshold, the thread is neutralized.);
Palisse does not appear to disclose, but Pohl teaches ‘and wherein if the determined entropy value exceeds the first predetermined threshold, information associated with the file write operation is provided to a memory extraction component to identify and extract at least one section of a memory that relates to the file write operation’ ([Col. 6, lines 52-56] Fig. 1, step 106, if the entropy value is greater than or equal to a threshold, perform a copy-on-write process to a copy-on-write storage area. As stated in [Col. 3, lines 60-62], a copy-on-write process creates a copy of the original file that can be modified, instead of overwriting it, corresponding to extracting at least one section of memory relating to the file write operation. The copy-on-write storage area corresponds to a memory extraction component, in conjunction with the copy-on-write process.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Palisse and Pohl before them, to include Pohl’s “information associated with the file write operation is provided to a memory extraction component to identify and extract at least one section of a memory that relates to the file write operation” in Palisse’s method performing “detecting a file encrypted by ransomware in a computing device”. One would have been motivated to make such a combination to increase efficiency by having the file continue to be in existence, even if the ransomware attack has occurred that would modify the files, as taught by Pohl [Col. 4, lines 26-35].
Regarding claim 2, Palisse in view of Pohl teach the method of claim 1 as recited above. Palisse also discloses the limitation of ‘monitoring an operation of the computing device to identify the file write operation.’ ([0073] The kernel of a system executes a system probe 30, or HIDS probe. The HIDS probe duplicates the system calls of the user threads 20 without being detectable by a user thread 20, and will not execute the requests, including the write requests identified by Palisse.).
Regarding claim 3, Palisse in view of Pohl teach the method of claim 1 as recited above. Palisse also discloses the limitation of ‘in which determining the entropy value is based on a Shannon entropy or a modified Shannon entropy’ ([0170] Fig. 4, behavioral analysis module 302 can comprise a second branch, and in block 332, the calculation of randomness is determined to be behavioral value S in a request-value pair 314, denoted as (RE, S), as shown in Fig. 5 as well. It also includes a calculation of chi-square (χ²) based on randomness. [0187] Chi-square (χ²) is preferred to Shannon's entropy, but Shannon's entropy can nevertheless be used in some cases.).
Regarding claim 4, Palisse in view of Pohl teach the method of claim 1 as recited above. Palisse also discloses the limitation of ‘in which if the determined entropy value does not exceed the first predetermined threshold, the method further comprises: comparing the determined entropy value to a second predetermined threshold, wherein the second predetermined threshold is lower than the first predetermined threshold’ ([0203] Fig. 5, decision module 304 has a test operation 348 that contains a comparison with a second threshold 350, where behavioral value S fails to exceed the first threshold 342 in operation 340, as stated in paragraph [0208]. The critical value is compared to a second threshold, as stated in paragraph [0014], and the second threshold is less than the first threshold, as stated in paragraph [0011]. [0214] First and second thresholds can be utilized for the chi-square (χ²) indicator, which corresponds to comparing the entropy value of the applicant with a second predetermined threshold.).
Regarding claim 7, which recites limitations similar to those of claim 1 addressed above with respect to Palisse in view of Pohl, Palisse also discloses ‘a computing device comprising:’ ([0063]-[0064] Computer 1 of the invention).
‘a processor’ ([0063]-[0064] Computer 1 of the invention comprises a machine 2, comprising a central processing unit (CPU) 4 and a mass memory 6 for storing files, and the CPU cooperates with an operating system 10, comprising a core or kernel, and programs. Claim 1 states that the encryption detection device comprises a computer with a CPU that cooperates with the kernel and, through execution by the CPU, carries out the functions of the invention.);
‘and a memory buffer’ ([0028] A user thread 20, wherein the user thread corresponds to a memory buffer on the computing device of the applicant, as the user thread 20 sends a write request to a memory manager 16 as the user thread holds the instructions, and then receives a request return 26 as to whether or not the request has been executed as explained in paragraph [0072].);
Regarding claim 8, Palisse in view of Pohl teach the computing device of claim 7 as recited above. Palisse also discloses the limitations also present in dependent claim 2 recited above.
Regarding claim 9, Palisse in view of Pohl teach the computing device of claim 7 as recited above. Palisse also discloses the limitations also present in dependent claim 3 recited above.
Regarding claim 10, Palisse in view of Pohl teach the computing device of claim 7 as recited above. Palisse also discloses the limitations also present in dependent claim 4 recited above.
Regarding claim 14, Palisse in view of Pohl teach the method of claim 1 as recited above. Palisse also discloses “which the information provided may include one or more of the process name, the process identifier (PID), the filename of file being written, and the determined entropy value” ([0034] A critical value corresponds to the determined entropy value. [0095] File identifier (idF) designates the file concerned by a write request 24, corresponding to a filename of file being written in Fig. 2. Process identifier (PID) idP can also be provided, stated in [0098], which can also name the process.).
Regarding claim 16, Palisse in view of Pohl teach the computing device of claim 7 as recited above. Palisse also discloses the limitations also present in dependent claim 14 recited above.
Claims 5 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Palisse in view of Pohl, further in view of Stolfo (US 10673884 B2), and LeCrone et al. (US 20210103490 A1), hereinafter LeCrone.
Regarding claim 5, Palisse in view of Pohl teaches the method of claims 1 and 4 as recited above. Palisse in view of Pohl does not appear to disclose, but Stolfo teaches “determining an ASCII frequency count to the predetermined number of bytes” ([Col. 10, line 49-Col. 11, line 11] Fig. 2, step S216 has a statistical distribution that is generated for each of the partitions created from the length distribution, where the frequency distribution of ASCII characters is contained in a payload, which is described as a file in section [Col. 7, lines 35-40].)
“comparing the determined ASCII frequency count to a predetermined ASCII frequency count threshold” ([Col. 16, lines 59-62] Character frequency distribution is taken into account when determining computation being larger than a threshold.)
“wherein if the determined ASCII frequency count exceeds the predetermined parameter threshold” ([Col. 16, lines 59-62] Character frequency distribution is taken into account when determining computation/distance being larger than a threshold. [Col. 17, lines 21-24] Fig. 10, S432, when server determines the distance exceeds threshold, payload is identified as anomalous.);
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Palisse and Stolfo before them, to include Stolfo’s “determining an ASCII frequency count to the predetermined number of bytes” and “comparing the determined ASCII frequency count to a predetermined ASCII frequency count threshold” in Palisse’s method performing “detecting a file encrypted by ransomware in a computing device”. One would have been motivated to make such a combination to increase efficiency, as a frequency count chart can show which characters show up most frequently, with the most frequent character appearing on the left side of the chart in rank order, as stated in [Col. 11, lines 30-43].
Palisse in view of Stolfo does not appear to disclose, but Pohl teaches ‘and wherein if the determined value exceeds the first predetermined threshold, information associated with the file write operation is provided to a memory extraction component to identify and extract at least one section of a memory that relates to the file write operation’ ([Col. 6, lines 52-56] Fig. 1, step 106, if the entropy value is greater than or equal to a threshold, perform a copy-on-write process to a copy-on-write storage area. As stated in [Col. 3, lines 60-62], a copy-on-write process creates a copy of the original file that can be modified, instead of overwriting it, corresponding to extracting at least one section of memory relating to the file write operation. The copy-on-write storage area corresponds to a memory extraction component, in conjunction with the copy-on-write process.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Palisse and Pohl before them, to include Pohl’s “information associated with the file write operation is provided to a memory extraction component to identify and extract at least one section of a memory that relates to the file write operation” in Palisse’s method performing “detecting a file encrypted by ransomware in a computing device”. One would have been motivated to make such a combination to increase efficiency by having the file continue to be in existence, even if the ransomware attack has occurred that would modify the files, as taught by Pohl [Col. 4, lines 26-35].
Palisse in view of Pohl and Stolfo does not appear to disclose, but LeCrone teaches the method of ‘do not exceed the predetermined parameter threshold’ ([0121] Fig. 27, if entropy of a file is less than a threshold, go to step 1006, but then the invention determines if an encrypt flag is set, and if it is set, when data is not meant to be encrypted as determined by step 1004, an encryption anomaly is indicated in step 1008.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Palisse, Pohl, Stolfo and LeCrone before them, to include LeCrone’s ‘do not exceed the predetermined parameter threshold’ in Palisse’s limitation of ‘and wherein if the determined one or more parameters exceed the predetermined parameter threshold, flagging the file associated with the file write operation indicated that the file is encrypted by ransomware’ in claim 5 and method performing ‘detecting a file encrypted by ransomware in a computing device’. One would have been motivated to make such a combination to enhance security by verifying a file that the indication of step 1004 in Fig. 27 is correct, as otherwise, a file that has an encrypt flag set and has a low entropy can infiltrate the system and proceed to execute the ransomware in the system of a user, as stated in LeCrone [0122].
Regarding claim 11, Palisse in view of Pohl teach the computing device of claim 7 as recited above. Palisse in view of Pohl further in view of LeCrone also teach the limitations also present in dependent claim 5 recited above.
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Palisse in view of Pohl, further in view of Stolfo.
Regarding claim 15, Palisse in view of Pohl teach the method of claims 1 and 4 as recited above. Palisse also discloses “wherein if a length does not exceed the predetermined parameter threshold” ([0203] Fig. 5, decision module 304 has a test operation 348 that contains a comparison with a second threshold 350, where behavioral value S fails to exceed the first threshold 342 in operation 340.);
Palisse does not disclose, but Stolfo teaches “in which if the determined entropy value exceeds the second predetermined threshold, the method further comprises: determining a maximum ASCII string length related to the predetermined number of bytes” ([Col. 12, lines 1-2] Fig. 6A, payload signature string 150 includes plurality of ASCII characters. [Col. 18, lines 52-57] String edit distance tests for equivalence of strings and signature string.);
“and comparing the determined maximum ASCII string length to a predetermined maximum ASCII string length threshold” ([Col. 17, lines 15-19] Fig. 10, S428, a comparison is made if string edit distance is greater than the threshold, being the signature string. In this case, a payload signature string is compared to a payload received.);
“wherein if the determined maximum ASCII string length exceeds the predetermined parameter threshold” ([Col. 17, lines 21-24] Fig. 10, S432, when server determines the distance exceeds threshold, payload is identified as anomalous.);
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Palisse and Stolfo before them, to include Stolfo’s “determining a maximum ASCII string length related to the predetermined number of bytes” and “comparing the determined maximum ASCII string length to a predetermined maximum ASCII string length threshold” in Palisse’s method performing “detecting a file encrypted by ransomware in a computing device”. One would have been motivated to make such a combination to enhance security as the longest common string will be found in payloads or files that are considered anomalous, as it can indicate a malicious action in the payload, as stated in [Col. 17, lines 39-52].
Palisse in view of Stolfo does not appear to teach, but Pohl teaches ‘information associated with the file write operation is provided to a memory extraction component to identify and extract at least one section of a memory that relates to the file write operation’ ([Col. 6, lines 52-56] Fig. 1, step 106, if entropy value is greater than or equal to a threshold, perform copy-on-write process to copy-on-write storage area. As stated in [Col. 3, lines 60-62], a copy-on-write process creates a copy of the original file that can be modified, instead of overwriting it, corresponding to extracting at least one section of memory relating to file write operation.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Palisse and Pohl before them, to include Pohl’s “information associated with the file write operation is provided to a memory extraction component to identify and extract at least one section of a memory that relates to the file write operation” in Palisse’s method performing “detecting a file encrypted by ransomware in a computing device”. One would have been motivated to make such a combination to increase efficiency by having the file continue to be in existence, even if the ransomware attack has occurred that would modify the files, as taught by Pohl [Col. 4, lines 26-35].
Regarding claim 17, Palisse in view of Pohl teach the method of claims 7 and 10 as recited above. Palisse in view of Pohl further in view of Stolfo also teach the limitations also present in dependent claim 15 recited above.
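The two-threshold detection pipeline recited in claims 1 and 4 above, together with the secondary ASCII parameters of claims 5 and 15 and the information of claim 14, as an added illustrative example in Python that is not code from the application or from Palisse, Pohl, Stolfo or LeCrone. The threshold values, the reading of "ASCII frequency count" as a count of non-printable bytes, the rule combining the two secondary parameters, and the copy-on-write-style snapshot standing in for the memory extraction component are this example's own assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass, field

# Printable ASCII plus tab, LF and CR (assumed definition of "ASCII" bytes).
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for an empty or constant buffer,
    8.0 when every byte value occurs equally often."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())

def non_printable_count(buf: bytes) -> int:
    """Assumed reading of the claims' 'ASCII frequency count': the number of
    bytes outside printable ASCII. Ciphertext pushes this value up."""
    return sum(1 for b in buf if b not in PRINTABLE)

def max_ascii_run(buf: bytes) -> int:
    """Longest run of consecutive printable ASCII bytes, standing in for the
    claims' 'maximum ASCII string length'. Plaintext produces long runs."""
    best = cur = 0
    for b in buf:
        cur = cur + 1 if b in PRINTABLE else 0
        best = max(best, cur)
    return best

@dataclass
class WriteInspector:
    window: int = 256              # predetermined number of bytes examined
    first_threshold: float = 7.5   # bits per byte; assumed value
    second_threshold: float = 6.0  # lower than first_threshold (claim 4)
    nonprint_threshold: int = 64   # assumed ASCII frequency count threshold
    run_threshold: int = 16        # assumed max ASCII string length threshold
    extracted: list = field(default_factory=list)  # stand-in extraction store

    def extract_memory(self, info: dict, head: bytes) -> None:
        """Stand-in for the memory extraction component: keep a copy of the
        pending bytes (copy-on-write style, after Pohl) with the process name,
        PID, filename and entropy listed in claim 14."""
        self.extracted.append({**info, "snapshot": bytes(head)})

    def inspect(self, process_name: str, pid: int, filename: str, buf: bytes) -> dict:
        info = {"process_name": process_name, "pid": pid, "filename": filename}
        if len(buf) < self.window:  # claim 1: are the predetermined bytes present?
            return {**info, "verdict": "insufficient_bytes"}
        head = buf[: self.window]
        info["entropy"] = round(shannon_entropy(head), 3)
        if info["entropy"] > self.first_threshold:
            self.extract_memory(info, head)  # hand-off on the first threshold
            return {**info, "stage": 1, "verdict": "encrypted"}
        if info["entropy"] <= self.second_threshold:
            return {**info, "stage": 2, "verdict": "benign"}
        # Between the two thresholds: fall back to the secondary ASCII parameters.
        info["non_printable"] = non_printable_count(head)
        info["max_ascii_run"] = max_ascii_run(head)
        # Example's own rule: many non-ASCII bytes and no long printable run. The
        # claim text quoted above does not say what follows the string-length
        # comparison, so a long run is read here as evidence of plaintext.
        encrypted = (info["non_printable"] > self.nonprint_threshold
                     and info["max_ascii_run"] <= self.run_threshold)
        if encrypted:
            self.extract_memory(info, head)
        return {**info, "stage": 2, "verdict": "encrypted" if encrypted else "benign"}

def run_demo() -> dict:
    """Constructed write buffers (not captured data) run through one inspector."""
    text = b"Quarterly report: revenue rose 4% while costs fell.\n" * 8
    cipher_like = bytes(range(256)) * 4           # all 256 values equally often: 8.0 bits
    high_binary = bytes(range(0x80, 0x100)) * 2   # 128 non-ASCII values, twice each: 7.0 bits
    mixed = (bytes(range(0x20, 0x7F)) + bytes(range(0x80, 0xA1))) * 2  # 95 printable + 33 other: 7.0 bits
    insp = WriteInspector()
    results = {
        "text": insp.inspect("editor", 4242, "report.txt", text),
        "cipher_like": insp.inspect("unknown.exe", 1337, "report.txt.locked", cipher_like),
        "high_binary": insp.inspect("unknown.exe", 1337, "photo.jpg", high_binary),
        "mixed": insp.inspect("archiver", 900, "bundle.tar", mixed),
        "short": insp.inspect("editor", 4242, "notes.txt", b"hi"),
    }
    results["extracted_count"] = len(insp.extracted)
    return results
```

The "mixed" buffer shows why a single parameter is not enough: its non-printable count crosses the assumed threshold, but the 95-byte printable run keeps it from being flagged.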
Claims 13 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Palisse in view of Pohl, further in view of LeCrone.
Regarding claim 13, which recites limitations similar to those of claim 1 addressed above with respect to Palisse in view of Pohl, Palisse in view of Pohl does not appear to disclose, but LeCrone teaches, the method of ‘computer program product comprising computer readable executable code for implementing the method comprising:’ ([0129] Software implementations of the invention include executable code stored in a non-transitory computer-readable medium, which is executed by one or more processors, which corresponds to a computer program product of the applicant to perform the processes of the invention.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Palisse, Pohl, and LeCrone before them, to include LeCrone’s ‘computer program product comprising computer readable executable code’ in Palisse’s function of performing ‘identifying a file write operation for a file on the computing device’. One would have been motivated to make such a combination to increase efficiency by having a physical media such as a disk, SD card, hard drive, or otherwise a tangible or non-transitory computer-readable medium to store the invention and have the instructions be executed by a processor of the invention, as taught by LeCrone [0129].
Regarding claim 18, Palisse in view of Pohl and LeCrone teach the computer program product of claim 13 as recited above. Palisse also discloses the limitations also present in dependent claim 14 recited above.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Thomas et al. (US 20130031632 A1, “System And Method For Detecting Malicious Content”)
Patton et al. (US 10032025 B1, “Behavior-based Ransomware Detection”)
Challita et al. (US 20180248896 A1, “SYSTEM AND METHOD TO PREVENT, DETECT, THWART, AND RECOVER AUTOMATICALLY FROM RANSOMWARE CYBER ATTACKS, USING BEHAVIORAL ANALYSIS AND MACHINE LEARNING”)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TOMMY MARTINEZ whose telephone number is (703)756-5651. The examiner can normally be reached Monday thru Friday 8AM-5PM ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached at (571) 272-7624 on Monday thru Friday, 7AM-7PM ET. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/T.M./ Examiner, Art Unit 2496
/SHAHRIAR ZARRINEH/ Primary Examiner, Art Unit 2496