DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is responsive to communication filed on 1/16/2025.
Claims 1-9, 11-19, 21-23 are subject to examination.
This amendment and applicant’s arguments have been fully considered and entered by the Examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-2, 4-6, 8-9, 11-12, 14-16, 18, 21-22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shukla et al. U.S. Patent Publication # 2018/0115577 (hereinafter Shukla) in view of Weaver et al. U.S. Patent # 10,555,582 (hereinafter Weaver) further in view of Striem-Amit et al. U.S. Patent # 10,503,897 (hereinafter Amit)
With respect to claim 1, Shukla teaches a data processing arrangement comprising: at least one processor configured to execute instructions to cause the data processing arrangement to:
-generate a file catalog including information describing characteristics of data files stored within a data memory arrangement (i.e. server configured to maintain in an associated memory space at least one threat feature database as a reference database in which data related to features of behavioral traits of various file system are stored. Gather/collect information pertaining to threat identification and create and maintain global database that comprises of information pertaining threats, corresponding value of each feature and reference database of patterns and updates the database periodically ) (Paragraph 28);
-periodically update the file catalog to provide a temporal record of the information (i.e. at each periodical intervals, the global database is updated with information from the local agents in real-time which helps in learning new features of ransomware and to combat newer versions of the ransomware) (Paragraph 28);
-determine a behavioral profile indicative of temporal trends of temporal patterns in the information (i.e. reference data of patterns) (Paragraph 28, 31, 37)wherein the behavioral profile provides indication in an event that the information for a given data file of the data files has temporally changed (i.e. upon detecting a file system change, the threat management system performs behavioral analysis of the files to detect possible anomalous behavior) in a first manner that deviates more than a threshold amount (Paragraph 20-21) from a model of expected temporal trends or expected temporal patterns of the given data file (i.e. anomalous behavior wherein the criteria to identify the threat can be the behavioral traits of the process being monitored matches at least 3 features of any trait defined in the threat feature database))(Paragraph 31, 37); and
Shukla does not provide warning and dynamically adjust the threshold amount according to a first structure of the data memory arrangement or a second structure of the file catalog.
Weaver teaches providing a warning indication (i.e. alert) in an event that the information for a given data file of the data files has temporally changed in a first manner that deviates more than a threshold amount (i.e. exceeds a specified threshold) from a model or expected temporal trends or expected temporal patterns of the given data file (i.e. generate an alert if the score for one of set of files exceeds a specified threshold wherein the rate of change of multiple files of first set). It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to implement Weaver’s teaching in Shukla’s teaching to come up with providing warning indication for data file has temporally changed that devices more than a threshold amount. The motivation for doing so would to notify the user and admin that malicious activity has taken place and it could be a ransomware attack therefore remedial action can be taken.
Shukla and Weaver does not explicitly teach dynamically adjust the threshold amount according to a first structure of the data memory arrangement or a second structure of the file catalog.
Amit teaches dynamically adjust the threshold amount (i.e. operating system commands on the subset of the set of files being greater than a specified threshold) (column 5 lines 58-67)(column 6 lines 1-7) according to a first structure of the data memory arrange or a second structure of file catalog (i.e. user data such as current user file data occupies relatively little storage space. Accordingly, the data file identification manager is configured to search for such user file data and copy it several times to various locations throughout the non-volatile memory eventually becoming the previous user file data, N being the number locations. In some implementations, the data in the previous user file is not updated but rather the version number remains the same for specified period of time)(column 6 lines 34-55). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Amit’s teaching in Shukla and Weaver’s teaching to come up with dynamically adjusting the threshold amount according to first structure of the data memory arrangement or a second structure of the file catalog. The motivation for doing so would be to making it difficult to control access to files as a user may simply move to protect any of the previous user file data in response to an alert from alert manager.
With respect to claim 2, Shukla, Weaver and Amit teaches the data processing arrangement of claim 1, but Shukla further teaches wherein the at least one processor is further configured to execute the instructions to cause the data processing arrangement to determine the model (i.e. behavioral model) from a second manner in which the given data file has behaved previously in the data processing arrangement (i.e. detecting a file system change, the threat management system performs a behavioral analysis of the files to detect any possible anomalous behavior that would amount to a ransomware threat) or other data processing arrangements (Paragraph 37-38)
With respect to claim 4, Shukla, Weaver and Amit teaches the data processing arrangement of claim 1, but Shukla further teaches wherein at least one processor is further configured to execute the instructions to cause the data processing arrangement to use a machine learning arrangement including an adaptive neural network arrangement to: determine the temporal trends or the temporal patterns (i.e. patterns of processes associated with identified anomalous behavior)(Paragraph 33, 37); an detect an occurrence of the temporal trends or the temporal patterns changing in the first manner (i.e. patterns of processes associated with identified anomalous behavior)(Paragraph 33, 37)
With respect to claim 5, Shukla, Weaver and Amit teaches the data processing arrangement of claim 4, but Shukla further teaches wherein the occurrence is indicative of ransomware (i.e. ransomware threat & attack)(Paragraph 18, 28, 37)
With respect to claim 6, Shukla, Weaver and Amit teaches the data processing arrangement of claim 3, but Shukla further teaches wherein the at least one processor is further configured to execute the instructions to cause the data processing arrangement to provide a catalog service (i.e. database) to a user of the data processing arrangement (Paragraph 22-23, 28) and wherein the catalog service provides an overview of the file catalog to the user (i.e. the database comprises information pertaining to threats identified, corresponding features and combination and gives information to the UEs/admin) (Paragraph 22-23, 27-28).
With respect to claim 8, Shukla, Weaver and Amit teaches the data processing arrangement of claim 5, but Shukla further teaches the data processing arrangement of claim 5, wherein the information includes: temporal changes in data resource consumptions associated with the data files; temporal changes in data block segments of compressed or non-compressed data associated with the data files; temporal changes in randomization patterns associated with the data files; temporal changes in dispersal of volumes of the data files and size changes associated therewith (column 5 lines 59-67)(column 6 lines 1-7).
With respect to claim 9, Shukla, Weaver and Amit teaches the data processing arrangement of claim 5, but Amit further teaches wherein the information includes: temporal changes in deduplication ratios of the data files for a given system or a given group of systems; histories of scanning patterns of the data files; temporal changes in a minimum size, an average size or a maximum size of the data files (column 5 lines 59-67)(column 6 lines 1-7)
With respect to claim 11, Shukla teaches a method comprising:
-generating a file catalog including information describing characteristics of data files stored within a data memory arrangement (i.e. server configured to maintain in an associated memory space at least one threat feature database as a reference database in which data related to features of behavioral traits of various file system are stored. Gather/collect information pertaining to threat identification and create and maintain global database that comprises of information pertaining threats, corresponding value of each feature and reference database of patterns and updates the database periodically ) (Paragraph 28);
-periodically updating the file catalog to provide a temporal record of the information (i.e. at each periodical intervals, the global database is updated with information from the local agents in real-time which helps in learning new features of ransomware and to combat newer versions of the ransomware) (Paragraph 28);
-determining a behavioral profile indicative of temporal trends of temporal patterns in the information (i.e. reference data of patterns) (Paragraph 28, 31, 37)wherein the behavioral profile provides indication in an event that the information for a given data file of the data files has temporally changed (i.e. upon detecting a file system change, the threat management system performs behavioral analysis of the files to detect possible anomalous behavior) in a first manner that deviates more than a threshold amount (Paragraph 20-21) from a model of expected temporal trends or expected temporal patterns of the given data file (i.e. anomalous behavior wherein the criteria to identify the threat can be the behavioral traits of the process being monitored matches at least 3 features of any trait defined in the threat feature database))(Paragraph 31, 37); and
Shukla does not provide warning and dynamically adjust the threshold amount according to a first structure of the data memory arrangement or a second structure of the file catalog.
Weaver teaches providing a warning indication (i.e. alert) in an event that the information for a given data file of the data files has temporally changed in a first manner that deviates more than a threshold amount (i.e. exceeds a specified threshold) from a model or expected temporal trends or expected temporal patterns of the given data file (i.e. generate an alert if the score for one of set of files exceeds a specified threshold wherein the rate of change of multiple files of first set). It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to implement Weaver’s teaching in Shukla’s teaching to come up with providing warning indication for data file has temporally changed that devices more than a threshold amount. The motivation for doing so would to notify the user and admin that malicious activity has taken place and it could be a ransomware attack therefore remedial action can be taken.
Shukla and Weaver does not explicitly teach dynamically adjust the threshold amount according to a first structure of the data memory arrangement or a second structure of the file catalog.
Amit teaches dynamically adjust the threshold amount (i.e. operating system commands on the subset of the set of files being greater than a specified threshold) (column 5 lines 58-67)(column 6 lines 1-7) according to a first structure of the data memory arrange or a second structure of file catalog (i.e. user data such as current user file data occupies relatively little storage space. Accordingly, the data file identification manager is configured to search for such user file data and copy it several times to various locations throughout the non-volatile memory eventually becoming the previous user file data, N being the number locations. In some implementations, the data in the previous user file is not updated but rather the version number remains the same for specified period of time)(column 6 lines 34-55). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Amit’s teaching in Shukla and Weaver’s teaching to come up with dynamically adjusting the threshold amount according to first structure of the data memory arrangement or a second structure of the file catalog. The motivation for doing so would be to making it difficult to control access to files as a user may simply move to protect any of the previous user file data in response to an alert from alert manager.
With respect to claims 12, 14-16 respectively, teaches same limitation as claims 2, 4-6, respectively, therefore rejected under same basis.
With respect to claim 18, Shukla, Weaver and Amit teaches the method of claim 15, but Amit further teaches wherein the information includes temporal changes in incremental file-system scans concerning sizes of the data files and times at which the data files are accessed; temporal changes in sizes of the data files (column 5 lines 58-67)(column 6 lines 1-7) OR temporal changes in input/output temperatures across the data files as calculated from reads of the data files performed within a given time duration.
With respect to claim 21, Shukla teaches a computer program product comprising instructions that are stored on a non-transitory computer-readable medium and that when executed by a processor, cause a data processing arrangement to:
-generate a file catalog including information describing characteristics of data files stored within a data memory arrangement (i.e. server configured to maintain in an associated memory space at least one threat feature database as a reference database in which data related to features of behavioral traits of various file system are stored. Gather/collect information pertaining to threat identification and create and maintain global database that comprises of information pertaining threats, corresponding value of each feature and reference database of patterns and updates the database periodically ) (Paragraph 28);
-periodically update the file catalog to provide a temporal record of the information (i.e. at each periodical intervals, the global database is updated with information from the local agents in real-time which helps in learning new features of ransomware and to combat newer versions of the ransomware) (Paragraph 28);
-determine a behavioral profile indicative of temporal trends of temporal patterns in the information (i.e. reference data of patterns) (Paragraph 28, 31, 37)wherein the behavioral profile provides indication in an event that the information for a given data file of the data files has temporally changed (i.e. upon detecting a file system change, the threat management system performs behavioral analysis of the files to detect possible anomalous behavior) in a first manner that deviates more than a threshold amount (Paragraph 20-21) from a model of expected temporal trends or expected temporal patterns of the given data file (i.e. anomalous behavior wherein the criteria to identify the threat can be the behavioral traits of the process being monitored matches at least 3 features of any trait defined in the threat feature database))(Paragraph 31, 37); and
Shukla does not provide warning and dynamically adjust the threshold amount according to a first structure of the data memory arrangement or a second structure of the file catalog.
Weaver teaches providing a warning indication (i.e. alert) in an event that the information for a given data file of the data files has temporally changed in a first manner that deviates more than a threshold amount (i.e. exceeds a specified threshold) from a model or expected temporal trends or expected temporal patterns of the given data file (i.e. generate an alert if the score for one of set of files exceeds a specified threshold wherein the rate of change of multiple files of first set). It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to implement Weaver’s teaching in Shukla’s teaching to come up with providing warning indication for data file has temporally changed that devices more than a threshold amount. The motivation for doing so would to notify the user and admin that malicious activity has taken place and it could be a ransomware attack therefore remedial action can be taken.
Shukla and Weaver does not explicitly teach dynamically adjust the threshold amount according to a first structure of the data memory arrangement or a second structure of the file catalog.
Amit teaches dynamically adjust the threshold amount (i.e. operating system commands on the subset of the set of files being greater than a specified threshold) (column 5 lines 58-67)(column 6 lines 1-7) according to a first structure of the data memory arrange or a second structure of file catalog (i.e. user data such as current user file data occupies relatively little storage space. Accordingly, the data file identification manager is configured to search for such user file data and copy it several times to various locations throughout the non-volatile memory eventually becoming the previous user file data, N being the number locations. In some implementations, the data in the previous user file is not updated but rather the version number remains the same for specified period of time)(column 6 lines 34-55). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Amit’s teaching in Shukla and Weaver’s teaching to come up with dynamically adjusting the threshold amount according to first structure of the data memory arrangement or a second structure of the file catalog. The motivation for doing so would be to making it difficult to control access to files as a user may simply move to protect any of the previous user file data in response to an alert from alert manager.
With respect to claim 22 respectively, teaches same limitation as claim 2 respectively, therefore rejected under same basis.
Claim(s) 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shukla et al. U.S. Patent Publication # 2018/0115577 (hereinafter Shukla) in view of Weaver et al. U.S. Patent # 10,555,582 (hereinafter Weaver) further in view of Amit further in view of Strogov et al. U.S. Patent Publication # 2019/0347418 (hereinafter Strogov)
With respect to claim 19, Shukla, Weaver and Amit teaches the method of claim 15, but fails to further teaches temporal changes of randomization of the data files according to Benford’s Law for deviation or fraud; temporal changes in input-output dispersion rates in metadata related to block backup and backup done segment-by-segment from a disc storage of the data memory arrangement to detect ranges of segments, wherein the temporal changes in the input-output dispersion rates are indicative of potential ransomware segmentation of the data files; OR temporal input-output entropy changes in compressed data or encrypted data indicative of ransomware compression of the data files.
Strogov teaches temporal changes of randomization of the data files according to Benford’s Law for deviation or fraud; temporal changes in input-output dispersion rates in metadata related to block backup and backup done segment-by-segment from a disc storage of the data memory arrangement to detect ranges of segments, wherein the temporal changes in the input-output dispersion rates are indicative of potential ransomware segmentation of the data files; OR temporal input-output entropy changes in compressed data or encrypted data indicative of ransomware compression of the data files (Paragraph 39). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Strogov’s teaching in Shukla, Weaver and Amit’s teaching to come up with temporal input-output entropy changes in compressed data or encrypted data indicative of ransomware compression of the data files. The motivation for doing so would be to classify the session, client and/or user as potentially containing or execution malicious encryption software so appropriate action can be taken.
Claim(s) 3, 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shukla et al. U.S. Patent Publication # 2018/0115577 (hereinafter Shukla) in view of Weaver et al. U.S. Patent # 10,555,582 (hereinafter Weaver) further in view of Amit further in view of Animireddygari et al. U.S. Patent Publication # 2019/0188380 (hereinafter Ani)
With respect to claim 3, Shukla, Weaver and Amit teaches the data processing arrangement of claim 2, but Shukla further teaches wherein the given data file but does not teach is an operating system file including executable program code, configuration data or both the executable program code and the configuration data.
Ani teaches given data file is an operating system file including executable program code, configuration data or both the executable program code and the configuration data (Paragraph 25). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Ani’s teaching in Shukla, Weaver and Amit’s teaching to come up with having given data file is an operating system file including executable program code, configuration data or both the executable program code and the configuration data. The motivation for doing so would to remediate operating system data from corruption by malware.
With respect to claim 13 respectively, teaches same limitation as claim 3 respectively, therefore rejected under same basis.
Claim(s) 7, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shukla et al. U.S. Patent Publication # 2018/0115577 (hereinafter Shukla) in view of Weaver et al. U.S. Patent # 10,555,582 (hereinafter Weaver) further in view of Amit further in view of Fadli et al. U.S. Patent Publication # 2019/0279236 (hereinafter Fadli)
With respect to claim 7, Shukla, Weaver and Amit teaches the data processing arrangement of claim 6, but does not further teaches wherein the at least one processor is further configured to execute the instructions to cause the data processing arrangement to use one or more artificial intelligence algorithm to analyze unstructured data from the data files to generate overview.
Fadli teaches wherein the at least one processor is further configured to execute the instructions to cause the data processing arrangement to use one or more artificial intelligence algorithm to analyze unstructured data from the data files to generate overview (Paragraph 9). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Fadli’s teaching in Shukla, Weaver and Amit’s teaching to come up with to use one or more artificial intelligence algorithm to analyze unstructured data from the data files to generate overview. The motivation for doing so would be so the machine-learning algorithms can provide statistical evidence that something might be wrong or right based on how many past occurrences of similar patterns exist (Paragraph 9).
With respect to claim 17 respectively, teaches same limitation as claim 7 respectively, therefore rejected under same basis.
Claim(s) 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shukla et al. U.S. Patent Publication # 2018/0115577 (hereinafter Shukla) in view of Weaver et al. U.S. Patent # 10,555,582 (hereinafter Weaver) further in view of Amit further in view of Hittel et al. U.S. Patent # 10,469,525 (hereinafter Hittel)
With respect to claim 23, Shukla, Weaver and Amit teaches the data processing arrangement of claim 1, does not explicitly teach wherein the at least one processor is further configured to execute the instructions to cause the data processing arrangement to further dynamically adjust the threshold amount according to a duration during which the file catalog is being populated with data characterizing the data files.
Hittel teaches dynamically adjust the threshold amount (i.e. setting upper and lower threshold for the time-based window or moving average of velocity of change could be 10 days) according to a first structure of the data memory arrangement, a second structure of the file catalog OR a duration during which the file catalog is being populated with data characterizing the data files (i.e. setting upper and lower threshold for the time-based window or moving average of velocity of change could be 10 days, so that a determination can be made that the malicious activity is in process when the thresholds are exceeded)(column 24 lines 14-38). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Hittel’s teaching in Shukla and Weaver’s teaching to come up with dynamically adjusting the threshold amount according to a duration during which the file catalog is being populated with data characterizing the data files. The motivation for doing so would be so the upper and lower thresholds can be calculated and implemented in a similar way as Bollinger bands or any other variation thereof for identifying malicious activity (column 24 lines 33-38)
Response to Arguments
Applicant’s arguments with respect to claim(s) 1-9, 11-19, 21-23 have been considered but are moot in view of new grounds of rejection.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
A). Chelarescu et al. U.S. Patent Publication # 2019/0303573 which in Paragraph 40 teaches about file churn analysis module calculating a file churn as the number of files that have been modified during a predefined period of time during the last 24 hours, as a raw number or as a percentage of the account size.
B). Chen et al. U.S. Patent Publication # 2022/0067159 which teaches about generating UI for presenting determination that filesystem is infected responsive to ransomware detection model detecting abnormal behavior.
C). Vasudeva et al. U.S. Patent Publication # 2021/0334374 which teaches about protecting against malware attacks.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DHAIRYA A PATEL whose telephone number is (571)272-5809. The examiner can normally be reached M-F 7:30am-4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached at 571-272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
DHAIRYA A. PATEL
Primary Examiner
Art Unit 2453
/DHAIRYA A PATEL/ Primary Examiner, Art Unit 2453