Office Action Predictor
Last updated: April 15, 2026
Application No. 18/295,366

RANSOMWARE DISCOVERY BY DETECTION OF TRANSMIT/OVERWRITE PROCESSES

Final Rejection §103
Filed
Apr 04, 2023
Examiner
JEUDY, JOSNEL
Art Unit
2438
Tech Center
2400 — Computer Networks
Assignee
Dell Products L.P.
OA Round
4 (Final)
84%
Grant Probability
Favorable
5-6
OA Rounds
2y 9m
To Grant
67%
With Interview

Examiner Intelligence

Grants 84% — above average
84%
Career Allow Rate
659 granted / 788 resolved
+25.6% vs TC avg
Minimal -17% lift
Without
With
+-16.9%
Interview Lift
resolved cases with interview
Typical timeline
2y 9m
Avg Prosecution
21 currently pending
Career history
809
Total Applications
across all art units

Statute-Specific Performance

§101
19.1%
-20.9% vs TC avg
§103
49.0%
+9.0% vs TC avg
§102
6.8%
-33.2% vs TC avg
§112
8.9%
-31.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 788 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 1.This is a Final Office Action in response to applicant’s amendment filed on November 21, 2025. At this time, claims 1-2 and 11-12 have been amended. No claim has been added or cancelled. Therefore, claims 1-20 are pending and addressed below. Response to Amendments As to Claims 1-20, Applicants’ amendment of independent Claims 1 and 11 with newly added feature “ detecting write operations requested by a process with respect to data, wherein the write operations write changes to the data in a userspace; determining whether the write operations include a request to transmit the data, by the process, to a recipient that is unknown or unauthorized and external to the userspace; “[Claims 1-20] has necessitated a new ground(s) of rejection in this Office action. Therefore, Applicants’ arguments filed on 11/21/2025 have been fully considered but are moot in view of the new ground(s) of rejection because the arguments do not apply to any of the updated reference(s) being used in the current rejection. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-20 are rejected under 35 U.S.C 103 as being unpatentable over MacLeod, US pat. No 20180351969 in view of Stickle, US pat. No 11170104 in further view of Speirs, US pat. No US 20080052468 A1 in further view of Thyamagondlu, US 20200151120 A1. 1. MacLeod discloses a method, (See MacLeod, abstract; a method for real-time detection of and protection from steganography in a kernel mode comprises detecting transmission of a file via a firewall, an operating system, or an e-mail system.) comprising: detecting write operations requested by a process with respect to data,[[ wherein the write operations write changes to the data in a userspace;]] (See MacLeod, [0037]; In one embodiment, the I/O manager 120 detects file operation requests (e.g., read, write, file open, etc.) that are received by the managed node 100. The filter manager 125 may determine, from a file handle corresponding to the file operation request, whether the file operation request corresponds to an operation of interest.) when it is determined that the write operations include the request to transmit the data to the unknown or unauthorized recipient, disabling the write operations to the data; (See MacLeod, [0071]; the network 110 receives responses from the managed node 100 and forwards the responses to the client devices. See also [0050]; the security manager 115 may transmit a signal or message to the managed node 100 to execute a malware remediation action. The malware remediation action may include terminating a rite operation associated with a detected file operation request. The malware remediation action may include terminating the detected file operation request by deleting the detected file operation request from memory. The malware remediation action may include isolating a disk file image associated with the identified process.) and alerting a security protocol that the process is a suspected ransomware process. (See MacLeod, [0063]; [0087] , In the entropy determination above, H is the total entropy and P.sub.i is the value of the byte read from the appended payload. Encrypted and obfuscated files usually have a much higher entropy than plain text or structured data files. The entropy H may be compared to an entropy threshold. An entropy above the threshold indicates that the appended payload is likely to be encrypted or compressed, and so it could be affected by ransomware. The malware analytics module 140 may perform entropy calculations on sections (buffers) or the entire appended payload to detect hidden or encrypted copies of malware (“packed”) hidden in the appended payload.) MacLeod does not appear to explicitly disclose for subsequent requested write operations, logging differentials associated with those subsequent requested write operations; However, Stickle discloses for subsequent requested write operations, logging differentials associated with those subsequent requested write operations; (See Stickle, col 2, lines 5-29; the data patterns of file operations (e.g., both read and write operations) may be monitored during a predetermined time period for files in a file system to collect a set of training data. The data patterns related to the set of training data may be recorded during the monitoring. A machine learning model may be constructed according to the recorded training data to establish a machine learning model that may detect when unexpected changes are occurring with respect to files and file attributes in a file system or backup file system. For example, a regression model may be used in the machine learning model to identify unexpected changes for a group of files.) MacLeod and stickle are analogous art because they are from the same filed of endeavor which is ransomware attack. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of MacLeod with the teaching of Stickle to include the recording of changes to the file because it would have been used to identify whether or not the filesystem has been under attack. The combination of MacLeod and stickle does not appear to explicitly disclose determining whether the write operations include a request to transmit the data, by the process, to a recipient that is unknown or unauthorized and external to the userspace. However, Speirs discloses determining whether the write operations include a request to transmit the data, by the process, to a recipient that is unknown or unauthorized and external to the userspace; (See Speirs, [0046-0049]; [0046] Following start 22 a destination address is received at 24 when a process (e.g. running instance of a program) desires a write operation 26, for instance, store input data, output data, variable data, etc. In any event, the desired write operation has a corresponding address (or address range) in memory which is requested, and the beginning of this address is referred to herein as the "destination" address. Method 20 depicts a scenario in which the destination address is considered at 28 to be illegitimate so that the process may then be alerted at 210 of a potential buffer overflow condition. More particularly, a monitoring component 32 is provided to monitor the executing process 24 such that, when a write operation is desired by the process at 34, monitoring component 32 receives at 26 the destination address corresponding to the requested write operation. A buffer overflow detection component 38 ascertains at 310 whether the destination address corresponds to a legitimate writable memory segment. If not, then the alert is preferably issued to the process at 210. If, on the other hand, a legitimate writable memory segment is involved, then the process can optionally be provided with its identification at 312. For purposes of determining a potential buffer overflow condition, the terms "legitimate" and "illegitimate" are used do described the memory segment(s) corresponding to the desired write operation. The term "illegitimate writable memory" is intended to refer to a segment of memory that should not be written to by a user process, while the term "legitimate writable memory" is intended to refer to a segment of memory into which a user process has a valid reason for writing data. ) MacLeod, stickle and Speirs are analogous art because they are from the same filed of endeavor which is data communication. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of MacLeod and Stickle with the teaching of Speirs to include the write operation because it would have been used to identify whether or not the system has been under attack. The combination of MacLeod, stickle and Speirs does not appear to explicitly disclose wherein the write operations write changes to the data in a userspace; However, Thyamagondlu discloses wherein the write operations write changes to the data in a userspace; (See Thyamagondlu, [0092] In one or more embodiments, runtime 128 provides input/output control (IOCTL) system calls for input/output operations relating to IC 104 that can be invoked to create, destroy, start, stop, and modify read and/or write requests. In particular embodiments, these system calls are not available to user space applications executing in host system 102. Runtime 128 further may provide Portable Operating System Interface (POSIX) read/write functions and asynchronous I/O (AIO) read/write functions that are available to user space applications executed within host system 102.) MacLeod, stickle, Speirs and Thyamagondlu are analogous art because they are from the same filed of endeavor which is data communication. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of MacLeod, Stickle and Speirs with the teaching of Thyamagondlu to include the userspace because it would have allowed monitoring of user generated data. 2. The combination of MacLeod and stickle and Speirs and Thyamagondlu discloses the method as recited in claim 1, wherein the process runs in the userspace. (See MacLeod, [0025], fig 3; user mode) 3. The combination of MacLeod, stickle, Speirs and Thyamagondlu discloses the method as recited in claim 1, wherein the determining, the disabling, and the logging, are performed in a kernel space. (See MacLeod, fig 3; [0028]; remediation action, such as terminating, kernel mode) 4. The combination of MacLeod, stickle, Speirs and Thyamagondlu discloses the method as recited in claim 1, wherein the suspected ransomware process is determined to be a ransomware process of a type in which data targeted by the ransomware process is first transmitted to an attacker, and then encrypted, by the ransomware process. (See MacLeod, [0025], [0043], [0063]; In one embodiment, a file operation request initiated by a process running in user mode is detected. Malware detection analytics are performed on a file buffer associated with the detected file operation request to detect behavior indicating presence of malware. Responsive to detecting the behavior indicating presence of the malware, the process responsible for initiating the detected file operation request is identified. A search for the identified process is performed on one or more of a blacklist of programs and a whitelist of programs to determine whether the identified process is a trusted process. Responsive to determining that the identified process is not a trusted process, a malware remediation action is executed against the identified process. Information describing the malware is transmitted to a client device.) 5. The combination of MacLeod, stickle, Speirs and Thyamagondlu discloses the method as recited in claim 1, wherein when the suspected ransomware process is determined to not be a ransomware process, the differentials are automatically applied to the data in response to a request for the data by a caller. (See MacLeod, [0098]; restore the file) 6. The combination of MacLeod, stickle, Speirs and Thyamagondlu discloses the method as recited in claim 1, wherein detecting the write operations comprises monitoring respective inodes of one or more files. (See Stickle, Col 10, lines 45-60; fig 3) MacLeod, stickle and Speirs and Thyamagondlu are analogous art because they are from the same filed of endeavor which is ransomware attack. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of MacLeod and Speirs and Thyamagondlu with the teaching of Stickle to include the recording of changes to the file because it would have been used to identify whether or not the filesystem has been under attack. 7. The combination of MacLeod, stickle, Speirs and Thyamagondlu discloses the method as recited in claim 1, wherein the differentials are logged in a journal outside of the data to which the subsequent requested write operations are directed. (See Stickle, fig 1) MacLeod, stickle and Speirs and Thyamagondlu are analogous art because they are from the same filed of endeavor which is ransomware attack. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of MacLeod, Speirs and Thyamagondlu with the teaching of Stickle to include the recording of changes to the file because it would have been used to identify whether or not the filesystem has been under attack. 8. The combination of MacLeod, stickle, Speirs and Thyamagondlu discloses the method as recited in claim 1, wherein prior to determining whether the write operations include the request to transmit the data, by the process, to the unknown or unauthorized recipient the data is modified according to prior write operations. (See Stickle, Col 2, lines 17-25) MacLeod, stickle, Speirs and Thyamagondlu are analogous art because they are from the same filed of endeavor which is ransomware attack. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of MacLeod and Speirs and Thyamagondlu with the teaching of Stickle to include the modification because it would have been used to format the data accordingly. 9. The combination of MacLeod, stickle and Speirs, Thyamagondlu discloses the method as recited in claim 1, wherein disabling the write operations to the data prevents encryption of the data by the suspected ransomware process. (See MacLeod, [0050-0051]) 10. The combination of MacLeod, stickle, Speirs and Thyamagondlu discloses the method as recited in claim 1, wherein the data comprises files and/or blocks. (See stickle, col 2, lines 5-15) MacLeod and stickle and Speirs are analogous art because they are from the same filed of endeavor which is ransomware attack. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of MacLeod, Speirs and Thyamagondlu with the teaching of Stickle to include the file/blocks because it would have been used to format the data accordingly. 11. As to claim 11, the claim is rejected under the same rationale as claim 1. See the rejection of claim 1 above. 12. As to claim 12, the claim is rejected under the same rationale as claim 2. See the rejection of claim 2 above. 13. As to claim 13, the claim is rejected under the same rationale as claim 3. See the rejection of claim 3 above. 14. As to claim 14, the claim is rejected under the same rationale as claim 4. See the rejection of claim 4 above. 15. As to claim 15, the claim is rejected under the same rationale as claim 5. See the rejection of claim 5 above. 16. As to claim 16, the claim is rejected under the same rationale as claim 6. See the rejection of claim 6 above. 17. As to claim 17, the claim is rejected under the same rationale as claim 7. See the rejection of claim 7 above. 18. As to claim 18, the claim is rejected under the same rationale as claim 8. See the rejection of claim 8 above. 19. As to claim 19, the claim is rejected under the same rationale as claim 9. See the rejection of claim 9 above. 20. As to claim 20, the claim is rejected under the same rationale as claim 10. See the rejection of claim 10 above. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. DUBEYKO, US 20170316047 A1, title “ GENERALIZED VERIFICATION SCHEME FOR SAFE METADATA MODIFICATION .“ [0040] FIG. 5 is a flowchart depicting an exemplary verification process 500 responsive to a write request for changing content (metadata or user data) in a file system volume according to an embodiment of the present disclosure. Such a modification request typically is generated by a file system driver, a special user space utility capable of modifying any physical sector in the file system volume, or a specialized user-space utility capable of working with volume of some file system by extracting data or modifying file system states. During verification, the write request is analyzed to extract pertinent information, which is checked against the stored verified area legend related to the metadata. In this example, the extracted information includes a Logical Block Address (LBA), presence of a known magic signature, a number of blocks, and a node size. Armangu, US pat. No 11755733, title “ Identifying ransomware host attacker “. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSNEL JEUDY whose telephone number is (571)270-7476. The examiner can normally be reached M-F 10:00-8:00. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arani T Taghi can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. Date: 12/23/2025 /JOSNEL JEUDY/Primary Examiner, Art Unit 2438
Read full office action

Prosecution Timeline

Apr 04, 2023
Application Filed
Jan 07, 2025
Non-Final Rejection — §103
Apr 14, 2025
Response Filed
Jun 04, 2025
Final Rejection — §103
Jul 31, 2025
Request for Continued Examination
Aug 05, 2025
Response after Non-Final Action
Aug 19, 2025
Non-Final Rejection — §103
Nov 21, 2025
Response Filed
Dec 23, 2025
Final Rejection — §103
Mar 27, 2026
Request for Continued Examination
Apr 12, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12591709
SYSTEMS AND METHODS FOR FUNCTIONALLY SEPARATING GEOSPATIAL INFORMATION FOR LAWFUL AND TRUSTWORTHY ANALYTICS, ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING
2y 5m to grant Granted Mar 31, 2026
Patent 12585744
Method for Performing Biometric Feature Authentication When Multiple Application Interfaces are Simultaneously Displayed
2y 5m to grant Granted Mar 24, 2026
Patent 12579264
CYBER THREAT INFORMATION PROCESSING APPARATUS, CYBER THREAT INFORMATION PROCESSING METHOD, AND STORAGE MEDIUM STORING CYBER THREAT INFORMATION PROCESSING PROGRAM
2y 5m to grant Granted Mar 17, 2026
Patent 12566727
UNIVERSAL DATA SCAFFOLD BASED DATA MANAGEMENT PLATFORM
2y 5m to grant Granted Mar 03, 2026
Patent 12561476
TOKENIZATION SYSTEMS AND METHODS FOR REDACTION
2y 5m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

5-6
Expected OA Rounds
84%
Grant Probability
67%
With Interview (-16.9%)
2y 9m
Median Time to Grant
High
PTA Risk
Based on 788 resolved cases by this examiner. Grant probability derived from career allow rate.

Sign in for Full Analysis

Enter your email to receive a magic link. No password needed.

Free tier: 3 strategy analyses per month