Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are currently pending. Claims 1, 2, 7-9 and 14-20 are amended.
In light of Applicant’s argument, the objections to the specification have been withdrawn.
In light of Applicant’s amendments and argument, the objections to the claims have been withdrawn.
In light of Applicant’s amendments, the rejections of claims 15-20 under 35 USC 101 have been withdrawn.
Response to Arguments
Applicant's arguments filed on 01-13-2026 have been fully considered.
With respect to claim 6, Applicant argues “Shachar does not disclose any feature of the files being communication to cloud service to enable that determination (e.g., rather than those feature being internally determined by the cloud service itself)”.
Examiner respectfully disagrees. The claim does not require the cloud service to be a separate, different or second cloud service. Communicating features of the files (second features) to a cloud service could be broadly interpreted as internal signaling or communication of features within a cloud. Even if the features are internally determined by the cloud service itself, as Applicant argues, the features must still be communicated to a component in the cloud service to perform the determination.
With respect to claim 7, Applicant argues that “phrase ‘chunks of a predefined size’ merely indicates that the edited file could be divided into chunks of either the first size or the second size. It does not teach or suggest that the same file would subsequently be divided into chunks of a different size”.
In response, examiner submits, first, that chunking a file into different sizes is old and well known and does not include an inventive concept.
Additionally, although Patton does not explicitly disclose that the second size is half the first size, Patton is capable of chunking files into different sizes, since such a feature does not include an inventive concept. Once a system is capable of dividing a file into chunks, selecting a particular chunk size or proportion (i.e., the second size being half the first size) would present a routine design choice within the knowledge of one of ordinary skill in the art.
Applicant’s arguments with respect to the amended limitations of the claims are moot in view of a new ground of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Shachar et al. (US 20240134976 A1), hereinafter Shachar, in view of Dubnicki et al. (US Publication No. 2008/0133561), hereinafter Dubnicki.
Regarding claims 1, 8 and 15, Shachar teaches a method (FIG. 5) comprising: chunking a file into a first set of chunks of a first size (FIGs. 3A, 3B and para. 0039, a volume that contains files 302 and 304 in the first row, file 306 in the second row; para. 0040, file 306 is shown with a storage blocks of plurality portions); identifying first features in association with the first set of chunks (FIG. 5 and para. 0046, upon determining that a triggering event has occurred, storage device may analyze one or more files stored on storage to determine whether a portion of one or more files has changed with respect to a file parameter and whether the change satisfies a defined function), the first features comprising a measure of randomness associated with the first set of chunks (FIG. 5 and para. 0046, storage device may determine an entropy of a portion of a file relative to a portion of the file before occurrence of the triggering event; para. 0048, entropy may be viewed as a measure of randomness of data of a given file and may be used to determine whether a file contains encryption); inputting the first features to a machine learning model (para. 0047, an entropy determining model running on the storage device may facilitate detection of partially encrypted files) that outputs a determination of whether the file has been attacked (paras. 0047 and 0048, analysis of a portion of a file having a high entropy score may be compared to analysis of the corresponding portion of the same file before encryption is suspected to have occurred to determine that the analyzed portions of different versions of the same file have different data density values, for example different entropy scores. If analysis of a portion of a file indicates that the portion has a higher data density after a potential encryption may have occurred, an indication that the file has been subjected to a ransomware attack may be generated. FIG. 5 and paras. 0052 and 0053, a second portion of the file may be analyzed with respect to a parameter, and a determination may be made whether analysis of the second file portion indicates an entropy that is different from an entropy of the analyzed first file portion); and determining whether to perform a remediation act (FIG. 5 and para. 0053, if a determination is made that an entropy of the second file portions satisfies a criterion, perform a mitigation or a remediation action).
Shachar does not explicitly teach chunking the file into a second set of chunks of a second size smaller than the first size when the determination is inconclusive about whether the file has been attacked. However, in an analogous art, Dubnicki discloses applying a block or chunk splitting or breaking-apart procedure to split existing chunks into smaller chunks based on a particular rule (paragraphs [0061], [0078]). Although Shachar does not explicitly disclose when the determination is inconclusive of an attack, Shachar discloses the concept of a second segmentation into a smaller chunk if the first segmentation does not satisfy some rules or criteria, which conceptually reads on the limitation of the claim.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Shachar with Dubnicki. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to efficiently process application.
Claims 2-7, 9-14 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Shachar and Dubnicki, further in view of Patton et al. (US 10229269 B1), hereinafter Patton.
Regarding claims 2, 9 and 16, Shachar as modified teaches all of the limitations of claims 1, 8 and 15, respectively, as shown above. Shachar further teaches features comprising a measure of randomness associated with the set of chunks (FIG. 5 and para. 0046, storage device may determine an entropy of a portion of a file relative to a portion of the file before occurrence of the triggering event; para. 0048, entropy may be viewed as a measure of randomness of data of a given file and may be used to determine whether a file contains encryption).
Shachar as modified does not explicitly disclose, but in an analogous art, Patton teaches extracting the second set of chunks from the file (FIG. 4 and col7 ln58-col8 ln49, the encryption analysis module 206 divides 402 at least a portion of the edited file into chunks of predefined size); and identifying second features in association with the second set of chunks (col8 ln10-15, encryption analysis module calculates one or more entropy parameters representing an entropy measure associated with the file. Here, the encryption analysis module may calculate one or more entropy values for each chunk of a chunk pair meeting the modification threshold), the second features comprising a measure of randomness associated with the second set of chunks (col2 ln29-42, detect whether the edited file is encrypted with high accuracy, even when ransomware applies an advanced encryption technique that results in low levels of randomness).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine Shachar and Dubnicki with Patton because it provides a better process to detect ransomware where it is difficult to detect encryption by ransomware using traditional methods (Patton, col2 ln18-24).
Regarding claims 3, 10 and 17, Patton further teaches inputting the second features to the machine learning model (col8 ln30-34, the encryption analysis module applies a machine-learned model to the entropy parameters to detect encryption indicative of ransomware).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine the teachings of Shachar, Dubnicki and Patton because it provides a better process to detect ransomware where it is difficult to detect encryption by ransomware using traditional methods (Patton, col2 ln18-24).
Regarding claims 4, 11 and 18, Patton further teaches wherein the first features further comprise a file extension or header information for the file (col8 ln38-44, inputs to the decision tree may include the entropy parameters, a compression percentage, a value indicating whether the new file size is a multiple of a predefined size, and whether the new file has a ransomware file header on a blacklist of known ransomware file headers).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine the teachings of Shachar, Dubnicki and Patton because it provides a better process to detect ransomware where it is difficult to detect encryption by ransomware using traditional methods (Patton, col2 ln18-24).
Regarding claims 5, 12 and 19, Patton further teaches wherein the second features further comprise a file extension or header information for the file (col8 ln38-44, inputs to the decision tree may include the entropy parameters, a compression percentage, a value indicating whether the new file size is a multiple of a predefined size, and whether the new file has a ransomware file header on a blacklist of known ransomware file headers).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine the teachings of Shachar, Dubnicki and Patton because it provides a better process to detect ransomware where it is difficult to detect encryption by ransomware using traditional methods (Patton, col2 ln18-24).
Regarding claims 6, 13 and 20, Shachar further teaches communicating the second features to a cloud service, wherein the cloud service applies a second machine learning model that outputs a second determination of whether the file has been attacked (para. 0037, storage device and/or cloud service, may determine, responsive to a triggering event, that out of files of folder that may have been unencrypted during a baseline period, nine files comprise a portion that has been encrypted, each exhibiting a portion that is denser, or has more entropy, than the corresponding portion of the files as they existed before the triggering event).
Regarding claims 7 and 14, Patton further teaches wherein the second sized portion is half the first sized portion (FIG. 4 and col7 ln58-col8 ln49, the encryption analysis module divides at least a portion of the edited file into chunks of predefined size). Patton discloses the claimed invention except for the second sized portion is half the first sized portion. It would have been an obvious matter of design choice to reduce the second sized portion into any reasonable size smaller than the first sized portion, since applicant has not disclosed that half the size solves any stated problem or is for any particular purpose and it appears that the invention would perform equally well with any reasonable smaller size.
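The technique discussed in the rejections of claims 1 and 7 (per-chunk entropy as the measure of randomness, then re-chunking at half the size when the determination is inconclusive) can be illustrated as follows. This is an added example, not code from the application, this Office action or the cited references; the thresholds, the minimum chunk size and the threshold rule standing in for the machine learning model are assumptions.

```python
import hashlib
import math
from collections import Counter

# Assumed values for illustration; none come from the Office action or the cited references.
HIGH, LOW = 7.5, 5.0  # bits per byte: at or above HIGH looks encrypted, at or below LOW looks plain
MIN_CHUNK = 512       # stop halving here; entropy of very small chunks is too noisy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, size: int) -> list:
    """Entropy of each consecutive chunk of `size` bytes."""
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]


def classify(entropies) -> str:
    """Threshold rule standing in for the machine learning model (an assumption)."""
    peak = max(entropies, default=0.0)
    if peak >= HIGH:
        return "attacked"
    if peak <= LOW:
        return "clean"
    return "inconclusive"


def analyze(data: bytes, first_size: int = 4096):
    """Classify at first_size; while inconclusive, re-chunk at half the size."""
    size, trace = first_size, []
    while True:
        verdict = classify(chunk_entropies(data, size))
        trace.append((size, verdict))
        if verdict != "inconclusive" or size // 2 < MIN_CHUNK:
            return verdict, trace
        size //= 2


def build_samples():
    """Constructed inputs: 8 KiB of plain text, and a copy with 1 KiB overwritten
    by SHA-256 output, a deterministic stand-in for ciphertext."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 200)[:8192]
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))
    return text, text[:5120] + noise + text[6144:]
```

On the partially overwritten sample, the 4096-byte and 2048-byte passes dilute the high-entropy region with surrounding plain text and stay inconclusive; only the 1024-byte pass isolates it.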
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor, can be reached on (571) 270-5143. can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/ Primary Examiner, Art Unit 2437