Prosecution Insights
Last updated: April 19, 2026
Application No. 18/394,089

Data Tampering Defense System

Non-Final OA: §102, §103, §112
Filed: Dec 22, 2023
Examiner: GILLESPIE, KAMRYN JORDAN
Art Unit: 2408
Tech Center: 2400 — Computer Networks
Assignee: Caladesi Technology Inc.
OA Round: 1 (Non-Final)
Grant Probability: 73% (Favorable)
OA Rounds: 1-2
To Grant: 2y 8m
With Interview: 99%

Examiner Intelligence

Grants 73% — above average
Career Allow Rate: 73% (16 granted / 22 resolved, +14.7% vs TC avg)
Strong +50% interview lift
Interview Lift: +50.0% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 8m
17 currently pending
Career history
Total Applications: 39 (across all art units)

Statute-Specific Performance

§101: 7.4% (-32.6% vs TC avg)
§103: 44.9% (+4.9% vs TC avg)
§102: 26.4% (-13.6% vs TC avg)
§112: 14.4% (-25.6% vs TC avg)
Tech Center average is an estimate. Based on career data from 22 resolved cases.

Office Action

§102 §103 §112
Detailed Action

This communication is in response to applicant's claims filed on 12/22/2023. Claims 1-64 are pending.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections

Claims 1-33, 34-63, 64 are objected to because of the following informalities: The claims reciting limitations, for example, “for storing”, “for evaluating”, “for generally continuously”, “for comparing”, “for indicating” and the like fail to recite a combination of elements as required by that statutory provision and thus cannot rely on the specification to provide the structure, material or acts to support the claimed function. As such, the claim recites a function that has no limits and covers every conceivable means for achieving the stated function, while the specification discloses at most only those means known to the inventor. Accordingly, the disclosure is not commensurate with the scope of the claim.

The dependent claims included in the statement of objection but not specifically addressed in the body of the objection have inherited the deficiencies of their parent claim and have not resolved the deficiencies. Therefore, they are objected to based on the same rationale as applied to their parent claims above.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 31 and 62 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, because the specification, while being enabling for “in which when said plurality of target data (11) is arranged in a first structure (34A)”, does not reasonably provide enablement for “said plurality of EnFrets (40P) are not arranged congruent to said first structure (34A).”. The specification does not enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the invention commensurate in scope with these claims. The specification neither suggests nor explicitly discloses the concept of EnFret congruence. Similarly, claim 62 is rejected under the same reasoning/rationale applied to claim 31, as claim 62 recites substantially similar limitations as claim 31, but for recitation in the form of a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Claim 39 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, because the specification, while being enabling for “A method as recited in Claim 37, in which said false positive reduction evaluator (28) performs computational operations”, does not reasonably provide enablement for “A method as recited in Claim 37, in which said false positive reduction evaluator (28) performs computational operations that are more computationally expensive than said order measurement sensor (14).”. The specification does not enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the invention commensurate in scope with these claims. The specification neither suggests nor explicitly discloses the concept of operations that are more or less computationally expensive than another.

The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies. Therefore, they are rejected based on the same rationale as applied to their parent claims above.

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-33, 34-63, and 64 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. The term “generally continuously” in claims 1, 34, 64 is a relative term which renders the claim indefinite. The term “generally continuously” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.
The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies. Therefore, they are rejected based on the same rationale as applied to their parent claims above.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) (1-3, 7-12, 14-19, 23-25, 27-30, 32-33), (34-36, 40-45, 47-52, 56, 58-61, 63), and (64) is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by HANSEN (US 20200387609 A1), hereafter HANSEN.

Regarding claim 1, HANSEN (US 20200387609 A1) teaches:

An apparatus ([0249] “The exemplary embodiment also relates to an apparatus for performing the operations discussed herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer.”) for detecting tampering ([0001] “The present innovations generally address methods and systems for detecting infection of computer files with malicious software, and more specifically, for detecting infection of computer files with ransomware.”) comprising:

an electronic device (10); an electronic storage device (10D); a repository of data (12); said repository of data (12) being contained within said electronic storage device (10D) ([0038] “The ‘other files’ monitored are generally associated in some manner with the file determined to be encrypted and include, but are not limited to: 1) files received by a server from an associated agent module or client device for synchronization, sharing and/or storage,”, [0135] “The example computer system 800 includes a processing device 802, a main memory 804 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or rambus DRAM (RDRAM), etc.), a static memory 806 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 818, which communicate with each other via a bus 830.”);

a plurality of target data (11); said plurality of target data (11) being stored in said repository of data (12) ([0015] “In one embodiment of this disclosure, described is a processor implemented method for detecting a ransomware infection in a plurality of files received by a device operatively associated with a file synchronization and sharing network,”);

a library (20); said library (20) for storing a plurality of pre-determined levels of order (22), a plurality of ranges of order (23) ([0049] “Files that have been encrypted by a strong encryption algorithm will exhibit a high ‘randomness’ of its content. Shannon entropy is a well-known method in information theory for measuring the level of randomness, or disorder of a sequence of values. According to the disclosed encryption detection method, files are analyzed at the byte-level, so the result of computing entropy on the content of a file yields a number between 0 and 8, where 8 indicates the highest level of randomness.”, [0062] “At step 202 the method calculates a low frequency entropy value associated with the file section,”, [0073] “At step 302, the method calculates a high frequency average entropy value associated with a plurality of consecutive subsection entropy values calculated for a plurality of respective consecutive subsections of bytes included in the file section.”), and a plurality of predetermined EnFret configurations (42P) ([0099] “The watcher contains a number of counters, that are maintained and incremented for each incoming file event that match a pattern specific to the counter. Each counter is evaluated against a ‘threshold value’, and if triggered, the counter contributes to an evaluation result with the weight of this counter.” The pattern specific to a counter is mapped to predetermined EnFret configuration, wherein the pattern is a predefined configuration for the counter to produce an incrementation result based on the evaluated data, or EnFret.);

an order measurement sensor (14); said order measurement sensor (14) for evaluating the order of a repository of data (12) ([0049] “Shannon entropy is a well-known method in information theory for measuring the level of randomness, or disorder of a sequence of values. According to the disclosed encryption detection method, files are analyzed at the byte-level, so the result of computing entropy on the content of a file yields a number between 0 and 8, where 8 indicates the highest level of randomness.”, [0062] “At step 202 the method calculates a low frequency entropy value associated with the file section, the low frequency entropy value calculated based on a total number, or substantially a total number, of byte value occurrences included in the file section for each of the possible byte values”, [0204] “one or both of the low frequency analysis and high frequency analysis includes one or more of: Shannon entropy values; Chi-Squared test; mean byte values; and a Monte Carlo method to approximate pi to indicate randomness of the byte values.”);

said order measurement sensor (14) generally continuously sensing a plurality of measurements of order (16) in said repository of data (12) ([0046] “2) A method for analyzing a file update pattern associated with a plurality of files, in as close to real-time as possible.”, [0036] “a ransomware infection can be detected by measuring the entropy (i.e., randomness or information density) of a file, or a collection of files. As used herein, “entropy” refers to any measure or indication of randomness or information density, and references to the “entropy” of one or more files refers to any measure or indication of the randomness or information density of all or part of the one or more files' contents.”);

a plurality of configured EnFrets (44P) ([0015] “determining a value-count of byte values included in a file section associated with a received file, the value-count including a count of byte value occurrences of the byte values included in the file section;” The counted occurrences of byte values within a file section associated of the received file are mapped to a plurality of configured EnFrets where each countable occurrence is mapped to an EnFret.);

said order measurement sensor (14) using said plurality of predetermined EnFret configurations (42P) to produce said plurality of configured EnFrets (44P); each of said plurality of configured EnFrets (44P) contained within said plurality of target data (11) ([0099] “The watcher is initiated or utilized when a device or agent sends an encrypted file to the server. From this point onwards, file events coming from this particular device or agent are monitored for a period of time. The watcher contains a number of counters, that are maintained and incremented for each incoming file event that match a pattern specific to the counter. Each counter is evaluated against a ‘threshold value’, and if triggered, the counter contributes to an evaluation result with the weight of this counter.”, [0102] “At step 404, the method monitors file events associated with unencrypted and encrypted received files and increments counters associated with the occurrences of monitored file events including predetermined file event patterns specific to each counter.”);

said plurality of measurements of order (16) are measured over said plurality of configured EnFrets (44P) ([0015] “calculating one or both of a low frequency entropy value associated with the file section and a low frequency average value of substantially all byte values associated with the file section, the low frequency entropy value associated with the count of byte value occurrences of the byte values included in the file section”),

a comparator (18); said comparator (18) being connected to said order measurement sensor (14) ([0107] “the watcher inputs include file-event times, threshold values, counter weights and a time-event trigger. The watcher output includes an evaluation result value which is compared to an alert threshold to generate a ransomware alert.”);

said comparator (18) being connected to said library (20); said comparator (18) for generally continuously measuring the difference between said plurality of pre-determined levels of order (22) to said plurality of measurements of order (16) in said repository data (12) ([0015] “and b2) comparing one or both of the calculated low frequency entropy value to a low frequency entropy threshold value and the calculated low frequency average value of substantially all byte values to a low frequency average value range threshold to determine if the received file is low frequency encrypted…and c2) comparing one or both of the calculated high frequency entropy value to a high frequency entropy threshold value and the calculated high frequency high-low probability ratio to a high frequency high-low probability threshold to determine if the received file is high frequency encrypted;”), for comparing said difference to said plurality of ranges of order (23) ([0067] “the overall entropy for the file calculated, preferably, should be in the range of 7.98-8.0 as an indicator of low frequency encryption; however, a range of 7.92-8.0 can also be used;”, [0075] “It is to be understood that the highest probability of a byte value may include any high probability measure, such as but not limited to, one of a plurality of probability indicator values associated with a range of possible probabilities, e.g. very high, high, average, low, very low.”), and for indicating when at least one of said ranges of order (23) is exceeded;

an indicator (24); said indicator (24) being connected to said comparator (18); and said indicator (24) for indicating the detection of tampering ([0099] “Each counter is evaluated against a ‘threshold value’, and if triggered, the counter contributes to an evaluation result with the weight of this counter. Counters can go ‘on’ or ‘off’ as events happen, and as time passes. The evaluation result can be normalized to a value between 0 and 100, and if the evaluation result value is higher than the predefined alert-threshold, a ransomware alert is triggered.”, [0107] “As shown and described above, the watcher inputs include file-event times, threshold values, counter weights and a time-event trigger. The watcher output includes an evaluation result value which is compared to an alert threshold to generate a ransomware alert.”).

Regarding claim 34, claim 34 recites substantially similar limitations to claim 1, but for recitation in the form of a method. Therefore, claim 34 is rejected for similar reasoning as claim 1 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 64, claim 64 recites substantially similar limitations to claim 1, but for recitation in the form of a product-by-process. Therefore, claim 64 is rejected for similar reasoning as claim 1 since HANSEN also teaches a product-by-process ([0033] “The present disclosure generally provides a design and implementation of a ransomware detection method and system that is an integrated part of a file-sync and share product.”).
Regarding claim 2, HANSEN teaches: An apparatus as recited in Claim 1, further comprising: an access manager (26); said access manager (26) being connected to said indicator (24); said access manager (26) for preventing further activity after a changed measurement of order (16) of said repository of data (12) is indicated ([0036] “since ransomware generally encrypts the files that it infects, and since encryption will increase the randomness of an infected file's contents, a ransomware infection can be detected by measuring the entropy (i.e., randomness or information density) of a file, or a collection of files.”, [0236] “the one or more agent modules and the one or more servers further configured to: disable the device operatively associated with the file synchronization and sharing network if a ransomware alert is triggered.”).

Regarding claim 35, claim 35 recites substantially similar limitations to claim 2, but for recitation in the form of a method. Therefore, claim 35 is rejected for similar reasoning as claim 2 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 3, HANSEN teaches: An apparatus as recited in Claim 1, in which: said tampering is the unauthorized encryption of said plurality of target data (11) ([0036] “Second, since ransomware generally encrypts the files that it infects, and since encryption will increase the randomness of an infected file's contents, a ransomware infection can be detected by measuring the entropy”).

Regarding claim 36, claim 36 recites substantially similar limitations to claim 3, but for recitation in the form of a method. Therefore, claim 36 is rejected for similar reasoning as claim 3 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 7, HANSEN teaches: An apparatus as recited in Claim 1, in which the configuration of two of said plurality of configured EnFrets (44P) are unique to a specific variant of ransomware ([0201] “…if the watcher determines one or more of the plurality of files are ransomware infected, generating a ransomware alert signature associated with the plurality of files; and triggering a ransomware alert if the ransomware alert signature is not associated with a nonthreat ransomware alert signature.”).

Regarding claim 8, HANSEN teaches: An apparatus as recited in Claim 1, in which the configuration of two of said plurality of configured EnFrets (44P) are of unequal length ([0201] “…if the watcher determines one or more of the plurality of files are ransomware infected, generating a ransomware alert signature associated with the plurality of files; and triggering a ransomware alert if the ransomware alert signature is not associated with a nonthreat ransomware alert signature.” [0079] “the entropy calculated for consecutive sections of bytes, described herein, includes a consecutive section of 256 bytes, however, it is to be understand that other byte section sizes can be used and are within the scope of this disclosure, for example but not limited to, 512 bytes, 1024 bytes, etc.” [0082] “Parameter-ranges for encrypted files can depend on the size of a file, with smaller files requiring a wider range for some of the parameters. According to an exemplary embodiment, files are classified as small, medium or large size files: small files <8 k, medium files <32 k, and large files >32 k.”).
Regarding claim 9, HANSEN teaches: An apparatus as recited in Claim 1, in which the configuration of two of said plurality of configured EnFrets (44P) overlap within said plurality of target data (11) ([0196] “The processor implemented method for detecting a ransomware infection in a plurality of files according to paragraph [A8], further comprising: triggering a ransomware alert if any one or more of the following conditions are true: … more than 50% of the file extensions of the received encrypted files are the same”).

Regarding claim 10, HANSEN teaches: An apparatus as recited in Claim 1, in which the configuration of two of said plurality of configured EnFrets (44P) are discontiguous with respect to said plurality of target data (11) ([0196] “The processor implemented method for detecting a ransomware infection in a plurality of files according to paragraph [A8], further comprising: triggering a ransomware alert if any one or more of the following conditions are true: …the time stamps of the received files are not equivalent”).

Regarding claim 11, HANSEN teaches: An apparatus as recited in Claim 1, in which when said plurality of target data (11) arranged in a first structure (34A) is processed into a second plurality of target data (11B) arranged in said first structure (34A), and said second plurality of target data (11B) replacing said plurality of target data (11) in said repository of data (12), said order measure sensing said repository of data (12) does not cause said indicator (24) to indicate the detection of unauthorized encryption ([0038] “The ‘other file commands’ monitored include, but are not limited to, one or more of, copy, replace, delete and move file commands.”, [0039-0041] “The essential characteristics of a ransomware attack (RWA) can be described as including, but not limited to, the following…Targeted files are replaced by encrypted files,” [0110] “If encrypted files are simply being copied or moved around within the synced area, the creation times of the files will be preserved and be ‘not recent’. An alert should not happen.”, [0114] “If a ransomware alert is triggered by the watcher counter, it is not always certain the alert was caused by an actual ransomware attack. For example, the alert could be caused by an intentional action by a user. If the user encrypted a portion of his files with some file encryption software (not disk encryption, or similar), it would exhibit the same pattern as an RWA, the only difference being that the user has the key. The specific encryption software being used by the user can be excluded, if known, as described above.”, [0118] “According to an exemplary embodiment of this disclosure, the alert signature is used to avoid repeated alerts for the same kind or type of encryption event that generates false positives. In other words, if an admin/user has decided that an alert should be ignored, the system does not generate alerts of the same kind or type, as defined by the alert-signature.”).

Regarding claim 44, claim 44 recites substantially similar limitations to claim 11, but for recitation in the form of a method. Therefore, claim 44 is rejected for similar reasoning as claim 11 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 12, HANSEN teaches: An apparatus as recited in Claim 1, in which when said plurality of target data (11) arranged in a first structure (34A) is processed into a second plurality of target data (11B) arranged in a second structure (34B), and said second plurality of target data (11B) replacing said plurality of target data (11) in said repository of data (12), said order measure sensing said repository of data (12) caused said indicator (24) to indicate the detection of unauthorized encryption ([0038] “The ‘other file commands’ monitored include, but are not limited to, one or more of, copy, replace, delete and move file commands.”, [0039-0041] “The essential characteristics of a ransomware attack (RWA) can be described as including, but not limited to, the following…Targeted files are replaced by encrypted files,”, [0037] “A file update pattern is analyzed on a server by means of a “watcher,” that monitors file commands arriving from a computing device via its agent module, according to an exemplary embodiment, which communicates with the server. If an update pattern receives a ‘score’ higher than a certain threshold, an alert is triggered.”).

Regarding claim 45, claim 45 recites substantially similar limitations to claim 12, but for recitation in the form of a method. Therefore, claim 45 is rejected for similar reasoning as claim 12 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).
Regarding claim 14, HANSEN teaches: An apparatus as recited in Claim 1, in which said library (20) is in a memory (80) ([0135] The example computer system 800 includes a processing device 802, a main memory 804 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or rambus DRAM (RDRAM), etc.), a static memory 806 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 818, which communicate with each other via a bus 830.).

Regarding claim 47, claim 47 recites substantially similar limitations to claim 14, but for recitation in the form of a method. Therefore, claim 47 is rejected for similar reasoning as claim 14 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 15, HANSEN teaches: An apparatus as recited in Claim 1, in which said library (20) is in storage (88) ([0034] “While the ransomware detection exemplary embodiments described herein are of particular importance to a file-sync-share product/service, it is to be understood that the disclosed ransomware detection methods and systems are also applicable to other products/services/systems that include the processing and/or storage of computer related files, e.g. back-up systems, file transfer/storage applications, other computer file utility applications, etc.”, [0038] “The ‘other files’ monitored are generally associated in some manner with the file determined to be encrypted and include, but are not limited to: 1) files received by a server from an associated agent module or client device for synchronization, sharing and/or storage,”).

Regarding claim 48, claim 48 recites substantially similar limitations to claim 15, but for recitation in the form of a method. Therefore, claim 48 is rejected for similar reasoning as claim 15 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 16, HANSEN teaches: An apparatus as recited in Claim 1, in which said repository of data (12) is on a communications medium ([0170] “Also, an information server may contain, communicate, generate, obtain, and/or provide program component, system, user, and/or data communications, requests, and/or responses.”).

Regarding claim 17, HANSEN teaches: An apparatus as recited in Claim 1, in which said repository of data (12) includes compressed data (According to this disclosure and the exemplary embodiments described herein, methods and systems of calculating the entropy and/or randomness are provided which account for the low frequency characteristics and high frequency characteristics of the byte value distributions associated with a file, thereby providing a more intelligent and accurate ransomware detection method which considers small local areas with some kind of internal structure in order to eliminate false-positive detections of a RWA based on a non-threating highly compressed file, e.g. zip archives.).

Regarding claim 50, claim 50 recites substantially similar limitations to claim 17, but for recitation in the form of a method. Therefore, claim 50 is rejected for similar reasoning as claim 17 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 18, HANSEN teaches: An apparatus as recited in Claim 1, in which said repository of data (12) includes encrypted data ([0022] “FIG. 4 is a flow chart of a watcher method for monitoring file events associated with one or more files which are encrypted to detect a ransomware infection in one or more of the files according to an exemplary embodiment of this disclosure.”).

Regarding claim 51, claim 51 recites substantially similar limitations to claim 18, but for recitation in the form of a method. Therefore, claim 51 is rejected for similar reasoning as claim 18 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 19, HANSEN teaches: An apparatus as recited in Claim 1, in which said comparator (18) uses an ApEn algorithm ([0036] “Entropy can be measured or indicated using various types of metrics or tests, including, but not limited to, Shannon Entropy, Monte Carlo pi approximations, Chi-Squared tests, or by computing one or more mean byte values.”).

Regarding claim 52, claim 52 recites substantially similar limitations to claim 19, but for recitation in the form of a method. Therefore, claim 52 is rejected for similar reasoning as claim 19 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 23, HANSEN teaches: An apparatus as recited in Claim 1, in which said order measurement sensor (14), said comparator (18), and said library (20) prevent the unauthorized encryption of said target data (11) ([0115] “For purposes of an FSS network, the main objective of a ransomware detection generated ransomware alert is to 1) disable the agent to prevent more infected files from being uploaded and spread…”).
Regarding claim 24, HANSEN teaches: An apparatus as recited in Claim 1, in which said order measurement sensor (14), said comparator (18), and said library (20) detect the unauthorized encryption of said target data (11) ([0001] “The present innovations generally address methods and systems for detecting infection of computer files with malicious software, and more specifically, for detecting infection of computer files with ransomware.”, [0036] “Second, since ransomware generally encrypts the files that it infects, and since encryption will increase the randomness of an infected file's contents, a ransomware infection can be detected by measuring the entropy”).

Regarding claim 25, HANSEN teaches: An apparatus as recited in Claim 1, in which said pre-determined levels of order (22) include the location within a filesystem of said plurality of target data (11) ([0038] “After a file is determined to be encrypted, the watcher monitors the behavior or characteristics of other files and other file commands, encrypted and unencrypted, to determine if a ransomware attack or infection is potentially occurring. The ‘other files’ monitored are generally associated in some manner with the file determined to be encrypted and include, but are not limited to… files received or associated with a particular or common time frame or location,”).

Regarding claim 56, claim 56 recites substantially similar limitations to claim 25, but for recitation in the form of a method. Therefore, claim 56 is rejected for similar reasoning as claim 25 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 27, HANSEN teaches: An apparatus as recited in Claim 1, in which said plurality of pre-determined levels of order (22) each include the file extension of said plurality of target data (11) ([0037] “High and low entropies for portions of files are calculated and compared to thresholds, and also examined as ratios. The entropy analysis disclosed can be configured to be file size dependent to provide more precise entropy values. A weighted hint in the update analysis is provided by a relatively small database maintained with a subset of known, common filetypes and associated extensions, and an indication of the use of particular file types for a file, as well as whether the file types are known or unknown.”, [0215] “triggering a ransomware alert if any one or more of the following conditions are true: … more than 50% of the file extensions of the received encrypted files are the same; more than 50% of the encrypted received files include an unknown file extension; the total number of deleted files is greater than 75% of the total number of encrypted files; more than 50% of the deleted files are not encrypted; more than 50% of the deleted files have known file extensions; and more than 50% of the deleted files are in the same file folders as new encrypted files received.”).

Regarding claim 58, claim 58 recites substantially similar limitations to claim 27, but for recitation in the form of a method. Therefore, claim 58 is rejected for similar reasoning as claim 27 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 28, HANSEN teaches: An apparatus as recited in Claim 1, in which said plurality of pre-determined levels of order (22) each include the length of said plurality of target data (11) ([0037] “The entropy analysis disclosed can be configured to be file size dependent to provide more precise entropy values.”, [0225] “The ransomware detection module operatively associated with a computer device for detecting a ransomware infection in a plurality of files according to paragraph [A21], wherein one or more of the low frequency threshold value, the low frequency average value range threshold, the high frequency entropy threshold value and the high frequency high-low probability threshold value are dependent on a size of the file section.”).

Regarding claim 59, claim 59 recites substantially similar limitations to claim 28, but for recitation in the form of a method. Therefore, claim 59 is rejected for similar reasoning as claim 28 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 29, HANSEN teaches: An apparatus as recited in Claim 2, in which said access manager (26) blocks said plurality of target data (11) from said repository of data (12) ([0197] “[A10] The processor implemented method for detecting a ransomware infection in a plurality of files according to paragraph [A9], further comprising: disabling the device operatively associated with the file synchronization and sharing network if a ransomware alert is triggered.” One of ordinary skill in the art would appreciate how HANSEN’s disabling of the sharing network provides for block[ing] said plurality of target data from repository of data.).

Regarding claim 60, claim 60 recites substantially similar limitations to claim 29, but for recitation in the form of a method. Therefore, claim 60 is rejected for similar reasoning as claim 29 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 30, HANSEN teaches: An apparatus as recited in Claim 2, in which said access manager (26) quarantines said plurality of target data (11) from said repository of data (12) ([0197] “[A10] The processor implemented method for detecting a ransomware infection in a plurality of files according to paragraph [A9], further comprising: disabling the device operatively associated with the file synchronization and sharing network if a ransomware alert is triggered.” One of ordinary skill in the art would appreciate how HANSEN’s disabling of the sharing network provides for quarantine[ing] said plurality of target data from said repository of data).

Regarding claim 61, claim 61 recites substantially similar limitations to claim 30, but for recitation in the form of a method. Therefore, claim 61 is rejected for similar reasoning as claim 30 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 32, HANSEN teaches: An apparatus as recited in Claim 1, in which said plurality of pre-determined levels of order (22) includes a range of order (23) ([0049] “Files that have been encrypted by a strong encryption algorithm will exhibit a high ‘randomness’ of its content. Shannon entropy is a well-known method in information theory for measuring the level of randomness, or disorder of a sequence of values. According to the disclosed encryption detection method, files are analyzed at the byte-level, so the result of computing entropy on the content of a file yields a number between 0 and 8, where 8 indicates the highest level of randomness.”, [0062] “At step 202 the method calculates a low frequency entropy value associated with the file section,”, [0073] “At step 302, the method calculates a high frequency average entropy value associated with a plurality of consecutive subsection entropy values calculated for a plurality of respective consecutive subsections of bytes included in the file section.”).

Regarding claim 33, HANSEN teaches: An apparatus as recited in Claim 30, in which said range is determined by computing the standard deviation of said plurality of pre-determined levels of order (22) ([0036] “Entropy can be measured or indicated using various types of metrics or tests, including, but not limited to, Shannon Entropy, Monte Carlo pi approximations, Chi-Squared tests, or by computing one or more mean byte values.” One of ordinary skill in the art would appreciate that Chi-square distribution is based on the square of a standard normal distribution, providing for computing the standard deviation of said plurality of pre-determined levels of order).

Regarding claim 63, claim 63 recites substantially similar limitations to claim 33, but for recitation in the form of a method. Therefore, claim 63 is rejected for similar reasoning as claim 33 since HANSEN also teaches a method ([AB] “This disclosure and the exemplary embodiments described herein, provide methods and systems for detecting a ransomware infection in one or more files.”).

Regarding claim 40, HANSEN teaches: A method as recited in Claim 34, including the additional steps of: said library (20) producing a plurality of predetermined EnFret configurations (42P); producing a plurality of configured EnFrets (44P) by configuring a plurality of EnFrets (40P) using said plurality of predetermined EnFret configurations (42P) ([0099] “The watcher is initiated or utilized when a device or agent sends an encrypted file to the server. From this point onwards, file events coming from this particular device or agent are monitored for a period of time. The watcher contains a number of counters, that are maintained and incremented for each incoming file event that match a pattern specific to the counter. Each counter is evaluated against a ‘threshold value’, and if triggered, the counter contributes to an evaluation result with the weight of this counter.” The pattern specific to a counter is mapped to predetermined EnFret configuration, wherein the pattern is a predefined configuration for the counter to produce an incrementation result based on the counted evaluated data, or configured EnFret. [0102] “At step 404, the method monitors file events associated with unencrypted and encrypted received files and increments counters associated with the occurrences of monitored file events including predetermined file event patterns specific to each counter.”); each of said plurality of configured EnFrets (44P) being contained within said plurality of plurality of target data (11) ([0102] “At step 404, the method monitors file events associated with unencrypted and encrypted received files and increments counters associated with the occurrences of monitored file events including predetermined file event patterns specific to each counter.”, [0049] “According to the disclosed encryption detection method, files are analyzed at the byte-level, so the result of computing entropy on the content of a file yields a number between 0 and 8, where 8 indicates the highest level of randomness.”); and each of said plurality of configured EnFrets (44P) producing said plurality of measurements of order (16P) ([0062] “At step 202 the method calculates a low frequency entropy value associated with the file section, the low frequency entropy value calculated based on a total number, or substantially a total number, of byte value occurrences included in the file section for each of the possible byte values,”).

Regarding claim 41, HANSEN teaches: A method as recited in Claim 40, in which a plurality of said plurality of configured EnFrets (44P) are of unequal length ([0201] “…if the watcher determines one or more of the plurality of files are ransomware infected, generating a ransomware alert signature associated with the plurality of files; and triggering a ransomware alert if the ransomware alert signature is not associated with a nonthreat ransomware alert signature.” [0079] “the entropy calculated for consecutive sections of bytes, described herein, includes a consecutive section of 256 bytes, however, it is to be understand that other byte section sizes can be used and are within the scope of this disclosure, for example but not limited to, 512 bytes, 1024 bytes, etc.” [0082] “Parameter-ranges for encrypted files can depend on the size of a file, with smaller files requiring a wider range for some of the parameters. According to an exemplary embodiment, files are classified as small, medium or large size files: small files <8 k, medium files <32 k, and large files >32 k.”).

Regarding claim 42, HANSEN teaches: A method as recited in Claim 40, in which a plurality of said plurality of configured EnFrets (44P) overlap within said plurality of target data (11) ([0196] “The processor implemented method for detecting a ransomware infection in a plurality of files according to paragraph [A8], further comprising: triggering a ransomware alert if any one or more of the following conditions are true: … more than 50% of the file extensions of the received encrypted files are the same”).

Regarding claim 43, HANSEN teaches: A method as recited in Claim 40, in which a plurality of said plurality of configured EnFrets (44P) are discontiguous with respect to said plurality of target data (11) ([0196] “The processor implemented method for detecting a ransomware infection in a plurality of files according to paragraph [A8], further comprising: triggering a ransomware alert if any one or more of the following conditions are true: …the time stamps of the received files are not equivalent”).

Regarding claim 49, HANSEN teaches: A method as recited in Claim 40, in which the configuration of at least two of said plurality of configured EnFrets (44P) are unique to a specific variant of ransomware ([0201] “…if the watcher determines one or more of the plurality of files are ransomware infected, generating a ransomware alert signature associated with the plurality of files; and triggering a ransomware alert if the ransomware alert signature is not associated with a nonthreat ransomware alert signature.”).

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) (4-6, 13, 20, 26) and (37, 46, 53, 57) are rejected under 35 U.S.C. 103 as being unpatentable over HANSEN (US 20200387609 A1), hereafter HANSEN in view of SAXE (US 20240134975 A1), hereafter SAXE.

Regarding claim 4, HANSEN teaches the limitations previously demonstrated, however does not appear to explicitly teach the following, demonstrated by SAXE: An apparatus as recited in Claim 1, further including: a false positive reduction evaluator (28); said false positive reduction evaluator (28) being connected to said indicator (24) (SAXE [0080] “For example, the threat analyzer 114 can analyze results generated from a particular threat model (e.g., can determine an error rate, and/or a similar effectiveness metric), based on user and/or system feedback on the results generated by that threat model.”); said false positive reduction evaluator (28) for reducing false positive errors produced by said order measurement sensor (14), said comparator (18), said library (20), and said indicator (24) (SAXE [0072] “The threat analyzer 114 can also use a rate of false positives and/or false negatives obtained from previous applications of a threat model to file samples from the particular network to determine a calibration function to apply to the threat model score (e.g., where the selected calibration function can adjust the threat model score based on its predicted degree of inaccuracy, and/or the like). This factor can be updated and/or modified as the threat model is further trained and/or refined to reduce false positives and/or negatives.”).

Since both HANSEN and SAXE are from the same field of endeavor as both are directed to automated classification and detection of malicious software, which is within the same field of endeavor as the claimed invention, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify and combine the teachings of HANSEN and SAXE by incorporating the teachings of SAXE into HANSEN for automating classification and detection of malicious software as claimed. The motivation to combine is to improve detection and classification of malicious software, such as ransomware (HANSEN [AB]; SAXE [AB]).

Regarding claim 5, HANSEN-SAXE teaches: An apparatus as recited in Claim 1, further including: a false positive reduction evaluator (28); said false positive reduction evaluator (28) being connected to said indicator (24) (SAXE [0062] “The deep neural network can also include multiple hidden layers fully connected to the input and/or output nodes, which can include activation values and/or weights which can be altered as

Prosecution Timeline

Dec 22, 2023
Application Filed
Sep 16, 2025
Non-Final Rejection — §102, §103, §112
Feb 19, 2026
Response Filed
Feb 19, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596795
DETECTING A CURRENT ATTACK BASED ON SIGNATURE GENERATION TECHNIQUE IN A COMPUTERIZED ENVIRONMENT
2y 5m to grant Granted Apr 07, 2026
Patent 12596796
Self-synchronous Side-Channel Attack Countermeasure
2y 5m to grant Granted Apr 07, 2026
Patent 12554859
GENERATING 3-DIMENSIONAL MODELS AND CONNECTIONS TO PROVIDE VULNERABILITY CONTEXT
2y 5m to grant Granted Feb 17, 2026
Patent 12518004
MITIGATING POINTER AUTHENTICATION CODE (PAC) ATTACKS IN PROCESSOR-BASED DEVICES
2y 5m to grant Granted Jan 06, 2026
Patent 12511376
METHOD, SYSTEM, AND TECHNIQUES FOR PREVENTING ANALOG DATA LOSS
2y 5m to grant Granted Dec 30, 2025
Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 73%
With Interview: 99% (+50.0%)
Median Time to Grant: 2y 8m
PTA Risk: Low

Based on 22 resolved cases by this examiner. Grant probability derived from career allow rate.
