DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-18 are pending in this application.
Information Disclosure Statement
The information disclosure statements (IDS) were submitted on 03/19/2024 and 05/17/2024. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (an abstract idea) and does not recite additional elements that integrate the exception into a practical application or amount to significantly more than the exception itself.
Step 2A - Prong One (Judicial Exception)
The claims recite a method and system that fundamentally involve: extracting semantic features from files, comparing the extracted features using a distance function, determining whether a threshold is exceeded, and issuing a warning based on the comparison. These steps constitute analyzing information, performing mathematical comparisons, and making a determination based on the analysis, which fall within the categories of mental processes and mathematical concepts, both of which are judicial exceptions. Accordingly, the claims are directed to an abstract idea.
Step 2A-Prong Two (Integration into a Practical Application)
The additional elements recited in the claims including: a semantic extracting module, multiple semantic extractors, distance functions, thresholds, file importing modules, comparing modules, warning modules, and a computing device, do not integrate the abstract idea into a practical application. Specifically: the claims merely invoke generic computing components to perform routine data processing operations; the claims do not recite an improvement to the functioning of a computer, file system, storage architecture, or network; the claims do not specify any particular algorithm, data structure, or unconventional processing technique that improves computer performance; limiting the abstract idea to the field of ransomware detection constitutes a field-of-use limitation, which is insufficient to confer eligibility. Therefore, the claims do not integrate the abstract idea into a practical application.
Step 2B - Inventive Concept
The additional elements, considered individually and as an ordered combination, do not amount to significantly more than the abstract idea. The additional elements (e.g., modules/extractors, distance functions, computing device) are well-understood, routine, and conventional in the field of data analysis and malware detection, as evidenced by: generic use of DNNs/parsers for feature extraction (routine in ML-based detection by the filing date); distance computations/thresholds as standard mathematical operations; and file copying/locking as conventional backup mechanisms.
The dependent claims 2-9 and 11-18 included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies. Therefore, they are rejected based on the same rationale as applied to their parent claims above.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 10-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim limitations "a file importing module configured to receive a first file having a first ID and a second file having a second ID"; "a semantic extracting module... comprising multiple semantic extractors, and configured to extract a first semantic feature of the first file and a second semantic feature of the second file"; "a comparing module... configured to determine whether the first ID matches with the second ID, confirming that the first file and the second file are different versions of same file and compute a distance between the first semantic feature and the second semantic feature if the first ID matches with the second ID"; and "a warning module... configured to issue a warning when the comparing module determines that the distance exceeds a threshold" invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. These limitations use a nonce word ("module") followed by functional language ("configured to...") without reciting sufficient structure to perform the functions in their entirety. Therefore, they are construed under § 112(f) as means-plus-function limitations (MPEP § 2181(I)).
However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function.
The specification fails to disclose sufficient corresponding structure (e.g., specific algorithms, flowcharts, or step-by-step procedures) for these functions:
For the "file importing module configured to receive...", the specification describes it generically as receiving files (e.g., [0013]: "The file importing module is configured to receive the first file and the second file."), without an algorithm or specific implementation beyond routine data input.
For the "semantic extracting module... configured to extract...", the specification describes multiple extractors (e.g., DNNs, parsers) at a high level (e.g., [0015]: "The multiple semantic extractors may comprise different deep neural networks (DNNs)..."; [0017]: "The multiple semantic extractors may comprise different file parsers..."), but lacks specific algorithms (e.g., no DNN architectures, training details, or parsing logic/code).
For the "comparing module configured to determine... and compute a distance...", the specification mentions generic matching (e.g., [0014]: "determine whether the first ID matches with the second ID... compute a distance... based on a distance function"), without a specific algorithm for ID matching (e.g., Hamming distance calculation) or distance computation (e.g., no formula like cosine or Euclidean).
For the "warning module configured to issue a warning...", the specification describes it generically (e.g., [0013]: "issue a warning when... the distance exceeds a threshold"), without structure beyond a routine alert.
Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Dependent claims 11–18 inherit these issues and add similar functional limitations (e.g., claim 13: "semantic extracting module is configured to extract features... through the DNNs"; claim 15: "semantic extracting module is configured to execute following actions... outputting a first signal..."), which also invoke § 112(f) without disclosed algorithms (e.g., no specific parsing steps or signal generation logic).
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-6, 9-15 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Scaife et al., “CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data”, IEEE 2016 (hereinafter, “Scaife”) in view of Schmugar et al. (Pub. No.: US 2018/0018458 A1) (hereinafter, “Schmugar”).
As to claim 1, Scaife discloses a detection method for ransomware, comprising:
a) receiving a first file having a first ID (“CryptoDrop monitors read and write accesses to the user’s protected directories (e.g., ‘My Documents’).” -e.g., see, page 306; Section IV; herein, Scaife teaches receiving/monitoring original files with identifiers like paths/directories);
b) importing the first file into a semantic extracting module comprising multiple semantic extractors, and outputting a first semantic feature of the first file by the semantic extracting module (“The type of data stored in a file can be approximated using ‘magic numbers’” -e.g., see, page 305, Section III. A; see also: “We selected sdhash [40] for this metric. This function outputs a similarity score from 0 to 100 that describes the confidence of similarity between two files.” -e.g., see, page 305, Section III.B; see also: “The Shannon entropy of an array of bytes can be computed as the sum …”; herein, Scaife teaches a module using multiple extractors/indicators for semantic features such as type, similarity, and entropy);
c) receiving a second file having a second ID (“Given the similarity hash of the previous version of a file, a comparison with the hash of the encrypted version of that file should yield no match …” -e.g., see, page 305, Section III.B; herein, Scaife teaches receiving modified/new versions of a file);
d) importing the second file into the semantic extracting module and outputting a second semantic feature of the second file by the semantic extracting module (analogous to step b for the new version; see Page 3, Section III.B; herein, Scaife uses sdhash [40] to calculate the similarity score between the original file and the new version written by the process);
e) determining whether the first ID matches with the second ID (“Class A ransomware overwrites the contents of the original file by opening the file, reading its contents, writing the encrypted contents in-place, then closing the file.” -e.g., see, page 304, Section III; herein, Scaife teaches tracking/matching versions of the same file via path/directory);
f) confirming that the first file and the second file are different versions of same file … if the first ID matches with the second ID (Scaife teaches confirming same-file versions and computing similarity (inverse of distance) -e.g., see Page 305, Section III; herein, sdhash [40] is selected to calculate the similarity score between the original file and the new version written by the process); and
g) issuing a warning when the distance exceeds a threshold (“CryptoDrop, an early-warning detection system that alerts a user during suspicious file activity.” -e.g., see, page 303, Abstract; see also: “Once this score reaches a malicious threshold, our system pauses disk accesses for the flagged process and requests permission from the user to allow the process to continue.” -e.g., see, page 306, Section IV.A.; herein, Scaife teaches alerting on low similarity/high changes).
Although Scaife teaches entropy as an indicator between two files (e.g., see, page 305, Section III.C.), Scaife doesn’t explicitly disclose computing a distance between the first semantic feature and the second semantic feature.
However, in an analogous art, Schmugar discloses computing a distance between the first semantic feature and the second semantic feature (“… determine an entropy value between the file and the attempted modification of the file, and create a security event if the entropy value satisfies a threshold.” -e.g., see, [0015]; herein, a distance is computed as an entropy value, a change measure between features of file versions, with thresholds; see also: “Yet another behavioral heuristic can include monitoring (e.g., using entropy engine 120) changes in the entropy of the documents or other files such as per type of the document/file, average entropy over last number of operation or over a period of time. The entropy measurements may be done over a random number of blocks at random locations in the file.” -e.g., see, [0025]; see also: [0031]-[0034]; herein, Schmugar discloses extracting semantic characteristics from files, including content-based attributes and contextual features, using multiple analysis engines; see also: [0036]-[0039]; herein, Schmugar discloses that the system employs multiple feature extractors operating in parallel to generate semantic representations of files). Schmugar further discloses monitoring for ransomware-indicative changes (“Some of the behavioral heuristics can include monitoring (e.g., using entropy engine 120) the rate of modify/delete/rename operations with documents or other critical files commonly targeted by ransomware. The rate can be an exceeding configurable threshold over a time period, per process ID, or per executable binary.” -e.g., see, [0025]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Scaife’s similarity-based detection to incorporate Schmugar’s entropy-based feature extraction and threshold distance computation between file versions, as both references address detecting ransomware by analysis of file changes (e.g., encryption causing low similarity/high entropy). The motivation would be to enhance detection accuracy by combining multiple indicators, allowing for more robust identification of subtle ransomware modifications without relying solely on hashing, thereby reducing false positives and improving early warnings.
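As an added illustration of the claim 1 steps b) through g) and the claim 9 copy/lock/recover sequence as summarised above (example code written for this discussion, not code from the application, Scaife, or Schmugar), the following combines Scaife's three indicators, magic-number file type, parser success signal and Shannon entropy, into one feature vector and applies a threshold between two versions of the same file ID. The magic-number table, the type-change penalty and the threshold value are constructed assumptions.

```python
import math

# Constructed stand-in for the file(1) "magic" database Scaife relies on.
MAGIC = {b"%PDF-": "pdf", b"\x89PNG": "png", b"PK\x03\x04": "zip/office"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_type(data: bytes):
    """Return the matched type name, or None when no 'parser' recognises the bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def semantic_feature(data: bytes) -> dict:
    """Steps b)/d): one feature vector from several extractors (type, parse signal, entropy)."""
    kind = file_type(data)
    # "parsed" is the claim 6 first/second signal: True when at least one parser succeeds.
    return {"type": kind, "parsed": kind is not None, "entropy": shannon_entropy(data)}


def distance(f1: dict, f2: dict) -> float:
    """Distance function: entropy delta plus a constructed penalty for a type change."""
    d = abs(f1["entropy"] - f2["entropy"])
    if f1["type"] != f2["type"]:
        d += 2.0  # assumed weight; a ciphertext overwrite loses its magic number
    return d


def check_version(first_id, first: bytes, second_id, second: bytes, threshold=1.5) -> dict:
    """Steps e)-g): same ID -> compute distance -> warn when it exceeds the threshold."""
    if first_id != second_id:
        return {"same_file": False, "distance": None, "warn": False}
    d = distance(semantic_feature(first), semantic_feature(second))
    return {"same_file": True, "distance": d, "warn": d > threshold}


class ShadowCopies:
    """Claim 9 steps l)-p): keep a locked copy of the last accepted version per file ID."""

    def __init__(self, threshold=1.5):
        self.locked = {}
        self.threshold = threshold

    def on_open(self, file_id, content: bytes):
        # l)/m): first open generates a copy and locks it.
        self.locked.setdefault(file_id, bytes(content))

    def on_write(self, file_id, new_content: bytes):
        # n): a subsequent version arrives; compare it with the locked copy.
        result = check_version(file_id, self.locked[file_id], file_id, new_content, self.threshold)
        if result["warn"]:
            return "recover", self.locked[file_id]      # o): restore from the locked copy
        self.locked[file_id] = bytes(new_content)        # p): drop old copy, lock the new one
        return "accept", new_content


# Constructed sample versions of one document.
ORIGINAL = b"%PDF-1.4\n" + b"Hello hello hello " * 50
BENIGN_EDIT = ORIGINAL + b"one more line\n"
ENCRYPTED = bytes(range(256)) * 4  # uniform bytes standing in for ciphertext

if __name__ == "__main__":
    store = ShadowCopies()
    store.on_open("doc.pdf", ORIGINAL)
    print(store.on_write("doc.pdf", BENIGN_EDIT)[0])   # accept
    print(store.on_write("doc.pdf", ENCRYPTED)[0])     # recover
```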
As to claim 10, it is rejected using the similar rationale as for the rejection of claim 1.
As to claim 2, Scaife in view of Schmugar discloses the detection method in claim 1, Scaife further discloses wherein the first ID and the second ID are filenames or metadata of the first file and the second file, the step e) comprises one or a combination of the followings: determining that the first ID matches with the second ID when the filename of the first file is identical to the filename of the second file (e.g., see, Scaife: Section III; herein, “It then reads the contents, writes the encrypted contents, then moves the file back to the user’s directory. The file name when moving back to the documents directory may be different than the original file name”),
Scaife doesn’t explicitly disclose but Schmugar discloses a hamming distance between the filename of the first file and the filename of the second file is close, the metadata of the first file is close to the metadata of the second file, and, the first file and the second file are placed in same directory and the first file and the second file have a similar filename (e.g., see, Schmugar: “… the rate of modify/delete/rename operations with documents or other critical files commonly targeted by ransomware.” -e.g., see, [0025]; herein, Schmugar teaches distance analysis between files; see also, Schmugar: [0026]-[0029]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Scaife’s similarity-based detection to incorporate Schmugar’s entropy-based feature extraction and threshold distance computation between file versions, as both references address detecting ransomware by analysis of file changes (e.g., encryption causing low similarity/high entropy). The motivation would be to enhance detection accuracy by combining multiple indicators, allowing for more robust identification of subtle ransomware modifications without relying solely on hashing, thereby reducing false positives and improving early warnings.
As to claim 11, it is rejected using the similar rationale as for the rejection of claim 2.
As to claim 3, Scaife in view of Schmugar discloses the detection method in claim 1, Scaife further discloses wherein the step f) comprises computing the distance between the first semantic feature and the second semantic feature based on a distance function (“This function outputs a similarity score from 0 to 100 that describes the confidence of similarity between two files” -e.g., see, page 305, Section III. B; herein, Scaife teaches a distance/similarity function).
As to claim 12, it is rejected using the similar rationale as for the rejection of claim 3.
As to claim 4, Scaife in view of Schmugar discloses the detection method in claim 1, Schmugar further discloses wherein the multiple semantic extractors comprise different deep neural networks (DNNs), and the step b) and the step d) comprise extracting features from the first file and the second file through the DNNs to respectively output multiple features in form of vector to be the first semantic feature and the second semantic feature (“Yet another behavioral heuristic can include monitoring (e.g., using entropy engine 120) changes in the entropy of the documents or other files such as per type of the document/file, average entropy over last number of operation or over a period of time.” -e.g. see, Schmugar: [0025]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Scaife’s similarity-based detection to incorporate Schmugar’s entropy-based feature extraction and threshold distance computation between file versions, as both references address detecting ransomware by analysis of file changes (e.g., encryption causing low similarity/high entropy). The motivation would be to enhance detection accuracy by combining multiple indicators, allowing for more robust identification of subtle ransomware modifications without relying solely on hashing, thereby reducing false positives and improving early warnings.
As to claim 13, it is rejected using the similar rationale as for the rejection of claim 4.
As to claim 5, Scaife in view of Schmugar discloses the detection method in claim 1, Schmugar further discloses wherein the multiple semantic extractors comprise different language analytical tools, and the step b) and the step d) comprise transforming the content of the first file and the content of the second file into textual summaries through the language analytical tools to be the first semantic feature and the second semantic feature (“… monitoring (e.g., using entropy engine 120) changes in the entropy of the documents or other files such as per type of the document/file” -e.g., see, Schmugar: [0025]; herein, Schmugar teaches behavioral heuristics that could involve language analysis for file content changes).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Scaife’s similarity-based detection to incorporate Schmugar’s entropy-based feature extraction and threshold distance computation between file versions, as both references address detecting ransomware by analysis of file changes (e.g., encryption causing low similarity/high entropy). The motivation would be to enhance detection accuracy by combining multiple indicators, allowing for more robust identification of subtle ransomware modifications without relying solely on hashing, thereby reducing false positives and improving early warnings.
As to claim 14, it is rejected using the similar rationale as for the rejection of claim 5.
As to claim 6, Scaife in view of Schmugar discloses the detection method in claim 1, Scaife further discloses wherein the multiple semantic extractors comprise different file parsers, and the step b) comprises: b1) importing the first file into the file parsers; b2) outputting a first signal to be the first semantic feature when at least one of the file parsers successfully parses the first file; b3) outputting a second signal to be the first semantic feature when none of the file parsers successfully parses the first file, wherein the second signal is different from the first signal; wherein the step d) comprises: d1) importing the second file into the file parsers; d2) outputting the first signal to be the second semantic feature when at least one of the file parsers successfully parses the second file; and d3) outputting the second signal to be the second semantic feature when none of the file parsers successfully parses the second file (“The file utility is a popular program for determining file type. The default “magic” database library contains hundreds of file type signatures, ranging from specific programs (“Microsoft Word 2007+”) to general content (“Unicode text, UTF-7”). With this tool, we can track the file type both before and after a file is written. If this type changes, we can infer that some transformation has occurred.” -e.g., see, Scaife: page 305; Section III. A.; herein, Scaife implies success (matched type) vs. failure (unmatched/unparsable post-encryption) signals).
As to claim 15, it is rejected using the similar rationale as for the rejection of claim 6.
As to claim 9, Scaife in view of Schmugar discloses the detection method in claim 1, Scaife further discloses comprising: l) receiving a file by a computing device when the file is opened and generating a first copy of the file; m) locking the first copy; n) receiving a subsequent version of the file by the computing device when the file is opened again, and generating a second copy for the subsequent version of the file; o) issuing an instruction by the computing device to perform recovering from the first copy if the second copy is warned in the step g); and p) deleting the first copy and locking the second copy by the computing device if the second copy is not warned in the step g) (“Given the similarity hash of the previous version of a file, a comparison with the hash of the encrypted version of that file should yield no match, since the ciphertext should be indistinguishable from random data” -e.g., see, Scaife: page 305, Section III. B; herein, Scaife teaches copying/monitoring originals for recovery).
As to claim 18, it is rejected using the similar rationale as for the rejection of claim 9.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
SUMAN DEBNATH
Patent Examiner
Art Unit 2495
/S.D/Examiner, Art Unit 2495
/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495