Prosecution Insights
Last updated: April 19, 2026
Application No. 18/593,034

System and Method for Ransomware Scan Using Incremental Data Blocks

Non-Final OA §103 §112
Filed: Mar 01, 2024
Examiner: KENNEDY, LESA M
Art Unit: 2458
Tech Center: 2400 — Computer Networks
Assignee: Druva Inc.
OA Round: 1 (Non-Final)
Grant Probability: 77% (Favorable)
OA Rounds: 1-2
To Grant: 3y 1m
With Interview: 99%

Examiner Intelligence

Grants 77% — above average
Career Allow Rate: 77% (154 granted / 201 resolved; +18.6% vs TC avg)
Strong +25% interview lift
Interview Lift: +25.0% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 1m (11 currently pending)
Career history
Total Applications: 212 (across all art units)

Statute-Specific Performance

§101: 9.3% (-30.7% vs TC avg)
§103: 49.1% (+9.1% vs TC avg)
§102: 11.5% (-28.5% vs TC avg)
§112: 19.6% (-20.4% vs TC avg)
Based on career data from 201 resolved cases

Office Action

§103 §112
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims

This office action is a response to an application filed on 03/01/2024, wherein claims 1-20 are presented for examination.

Priority

Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d) to Indian Application No. 202341077782, filed on November 15, 2023. Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f):

(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:

An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.

As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:

(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “a snapshot access module”, “a log access module”, “an incremental block module”, “a snapshot write module” and/or “a ransomware scan module” in claims 1, 2 and 10; “a data restore system” in claims 3-5; “a file restore module” in claim 6; “an offset identification module”, “an offset log access module”, “an offset download module”, “a file write module” and/or “a file check module” in claims 7-9.

Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 5 and 17-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.

Claim 5 recites “the one or more identified safe snapshots”. There is insufficient antecedent basis for this limitation, therefore the claim is rendered indefinite.

Claim 17 recites “[t]he method of claim 10”. Since claim 10 is a system claim and not a method claim, claim 17 is rendered indefinite. For examination purposes, this will be interpreted as “[t]he method of claim 11”.

Claims 18-20 are dependent from claim 17 and therefore contain the same indefinite language. As a result, they are rejected under the same rationale as claim 17.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 10-13 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Hansen (US 2021/0312066) in view of Kulaga et al. (US 2020/0319979), hereinafter Kulaga.

Regarding claim 1, Hansen discloses a system for performing ransomware scan (Hansen, Fig. 1, [0024]: backup system 10 for ransomware attack (RWA) detection), the system comprising:

a snapshot access module configured to access a base snapshot corresponding to a dataset (Hansen, [0061]: an incremental backup is a backup snapshot; [0016]: an incremental backup is a backup of all changes since the last full backup (base snapshot); [0024]: backup system’s backup instructions (snapshot access module) perform incremental backup of folders (data set). [Performing the incremental backup necessarily requires accessing the full backup (base snapshot) to apply the changes]);

a log access module configured to access a log of modified metadata and/or data blocks from a data back-up server corresponding to a subsequent snapshot versus the base snapshot (Hansen, [0028]: backup system (log access module) receives incremental backup metadata (log of modified metadata/data blocks) identifying files which are new, modified or deleted (subsequent snapshot) since the last full backup (base snapshot) from an agent incremental backup engine (data back-up server));

an incremental block module configured to download one or more incremental metadata and/or data blocks from the data back-up server based on the log of modified metadata and/or data blocks (Hansen, [0028]: backup system (incremental block module) also receives file content comprising copies of the files identified as new and/or modified (incremental metadata/data blocks) in the incremental backup metadata (log of modified metadata/data blocks) from the agent incremental backup engine (data back-up server));

a snapshot write module configured to write the one or more incremental metadata and/or data blocks on the base snapshot to generate an incremental snapshot (Hansen, [0029]: backup system’s executor thread pool (snapshot write module) adds new files, modifies or replaces files (i.e., on the base snapshot) as indicated in the incremental backup metadata; [0051]: “The file content received at operation 80 is recorded on the volume storage 20 in accord with the incremental or differential backup metadata in backup operation 82”); and

a ransomware scan module configured to scan to check for ransomware (Hansen, [0031]: API processor (ransomware scan module) analyzes incremental backup metadata to detect whether a ransomware attack is ongoing).

Hansen does not explicitly disclose scan the incremental snapshot.
However, Kulaga discloses a ransomware scan module configured to scan the incremental snapshot to check for ransomware (Kulaga, [0029]: a backup slice is an incremental update (incremental snapshot) to a particular backup; [0035]: BR agent (ransomware scan module) mounts a backup slice (incremental snapshot) to perform anti-virus scanning (ransomware scanning)).

It would have been obvious to one of ordinary skill in the art, having the teachings of Hansen and Kulaga before him or her before the effective filing date of the claimed invention, to modify an incremental backup system that detects ransomware by scanning incremental metadata as taught by Hansen, to include the scanning of mounted backup slices (incremental snapshots) as taught by Kulaga. The motivation for doing so would have been to improve the reliability and accuracy of ransomware detection, and to facilitate identification of a clean restore point.

Regarding claim 2, Hansen discloses wherein, the log access module, the incremental block module, the snapshot write module are configured to iteratively perform their respective operations for each subsequent snapshot (Hansen, [0014]: incremental backups are performed at periodic or aperiodic time intervals).

Hansen does not explicitly disclose and the ransomware scan module; until a safe snapshot is identified.

However, Kulaga discloses the ransomware scan module are configured to iteratively perform their respective operations for each subsequent snapshot until a safe snapshot is identified (Kulaga, [0035], [0051]: the mounted backup is used to search for infected or safe versions of data; [0033]: dangerous files are compared to files in the history of snapshots (subsequent snapshots); [0037]: “determines the exact timing of the attack using the history of snapshots 204. Once the timing is identified, a clean backup prior to that time is discovered” [i.e., evaluating a history of snapshots (subsequent snapshots) until a safe/clean one is identified]).
It would have been obvious to one of ordinary skill in the art, having the teachings of Hansen and Kulaga before him or her before the effective filing date of the claimed invention, to modify an incremental backup system that detects ransomware by scanning incremental metadata as taught by Hansen, to include the scanning of mounted backup slices (incremental snapshots) as taught by Kulaga. The motivation for doing so would have been to improve the reliability and accuracy of ransomware detection, and to facilitate identification of a clean restore point.

Regarding claim 3, Hansen discloses further comprising a data restore system configured to restore the dataset to a restore destination (Hansen, [0019]: “restoring to the last full backup plus all successive incremental backups prior to the point in time”).

Hansen does not explicitly disclose based on the identified safe snapshot.

However, Kulaga discloses further comprising a data restore system configured to restore the dataset to a restore destination based on the identified safe snapshot (Kulaga, [0037]: “determines the exact timing of the attack using the history of snapshots 204. Once the timing is identified, a clean backup prior to that time is discovered”).

It would have been obvious to one of ordinary skill in the art, having the teachings of Hansen and Kulaga before him or her before the effective filing date of the claimed invention, to modify an incremental ransomware detection system as taught by Hansen, to include restoring from an identified clean backup as taught by Kulaga. The motivation for doing so would have been to provide a reliable recovery mechanism following detection of ransomware.

Regarding claim 10, Hansen discloses wherein the snapshot access module is configured to access the base snapshot by: accessing a first snapshot in a plurality of snapshots stored in the data back-up server (Hansen, [0061]: an incremental backup is a snapshot; [0028]: backup system receives the relevant information for an incremental backup from the agent incremental or differential backup engine (data back-up server); [0019]: “restoring to the last full backup plus all successive incremental backups prior to the point in time” [Restoring to the last full backup = accessing the first snapshot from a plurality]), or taking a snapshot at the start of workflow for performing the ransomware scan.

Regarding claims 11-13 and 16, the limitations have been addressed in the rejections of claims 1-3 and 10, respectively.

Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Hansen in view of Kulaga, further in view of Michael et al. (US 2008/0263658), hereinafter Michael.

Regarding claim 4, Hansen and Kulaga do not explicitly disclose wherein the data restore system is further configured to create a virtual machine based on the identified safe snapshot.

However, Michael discloses wherein the data restore system is further configured to create a virtual machine based on the identified safe snapshot (Michael, [0063]: “iteratively scan time-stamped virtual machine checkpoint images 506A-C, 508A-C, stepping back in time until a virtual machine image 506A-C, 508A-C without malware is found. Once the virtual machine image 506A-C, 508A-C is found without a malware infestation, the virtual machine image 506A-C, 508A-C may be used to restore an infested virtual machine”).
It would have been obvious to one of ordinary skill in the art, having the teachings of Hansen, Kulaga and Michael before him or her before the effective filing date of the claimed invention, to modify ransomware detection and clean backup identification system as taught by Hansen and Kulaga, to include the virtual machine restoration technique as taught by Michael. The motivation for doing so would have been to enable rapid recovery of virtualized systems following identification of a safe snapshot.

Regarding claim 14, the limitations have been addressed in the rejection of claim 4.

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Hansen in view of Kulaga, further in view of Ranade (US 2011/0010515).

Regarding claim 5, Hansen as modified by Kulaga discloses the one or more identified safe snapshots (Kulaga, [0037]: “determines the exact timing of the attack using the history of snapshots 204. Once the timing is identified, a clean backup prior to that time is discovered”).

Hansen and Kulaga do not explicitly disclose wherein the data restore system is further configured to generate a plurality of cloned disks based on the one or more identified safe snapshots and create a plurality of virtual machines based on the plurality of cloned disks.

However, Ranade discloses wherein the data restore system is further configured to generate a plurality of cloned disks based on the one or more identified snapshots and create a plurality of virtual machines based on the plurality of cloned disks (Ranade, [0097]: the virtual disk associated with the first virtual machine is copied (i.e., snapshot) to generate virtual disks (cloned disks) associated with (i.e., for creating) second and third virtual machines (plurality of virtual machines)).
It would have been obvious to one of ordinary skill in the art, having the teachings of Hansen, Kulaga and Ranade before him or her before the effective filing date of the claimed invention, to modify ransomware detection and safe snapshot identification system as taught by Hansen and Kulaga, to include the virtual disk cloning and multi-virtual machine instantiation technique as taught by Ranade in order to enable parallel and scalable restoration of virtualized systems based on an identified safe snapshot. The motivation for doing so would have been to improve recovery speed, flexibility and system availability following ransomware detection.

Regarding claim 15, the limitations have been addressed in the rejection of claim 5.

Claims 6 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Hansen in view of Kulaga, further in view of Dontov et al. (US 2019/0138727), hereinafter Dontov.

Regarding claim 6, Hansen and Kulaga do not explicitly disclose wherein the data restore system further comprises a file restore module configured to restore a safe version of a corrupted file if the ransomware scan module identifies the corrupted file in a scanned snapshot.

However, Dontov discloses wherein the data restore system further comprises a file restore module configured to restore a safe version of a corrupted file if the ransomware scan module identifies the corrupted file in a scanned snapshot (Dontov, [0013]: “the server may determine that the plurality of events exceeds a predetermined event frequency threshold; determine that one of the modified files is an infected file based on the modified file information associated therewith; and/or replace the infected file in the cloud storage system with the corresponding stored backup file”).
It would have been obvious to one of ordinary skill in the art, having the teachings of Hansen, Kulaga and Dontov before him or her before the effective filing date of the claimed invention, to modify ransomware detection and snapshot based recovery system as taught by Hansen and Kulaga, to include identifying infected files and replacing them with stored backup copies as taught by Dontov. The motivation for doing so would have been to enhance recovery granularity and efficiency without altering the underlying backup infrastructure.

Regarding claim 17, the limitations have been addressed in the rejection of claim 6.

Allowable Subject Matter

Claims 7-9 and 18-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The following is an examiner’s statement of reasons for the indication of allowable subject matter: The prior arts of record do not anticipate, teach or suggest, along with other limitations, a system that reconstructs a corrupted file by identifying and retrieving logged modified data offsets, writing those offsets back to the file to generate a modified version, and verifying that the generated modified file corresponds to a safe version.

Related Art

The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure:

Wang et al. (US 2024/0354411) discloses a system for rapid analysis of changed data blocks between two versions of a volume, and the detection of anomalous conditions indicating ransomware based on block changes (see abstract).

Gibbons, Jr. et al. (US 2018/0107824) discloses a snapshot server architecture that keeps history of image-based snapshots, requests and analyzes snapshot data (latest and previous) for ransomware detection, and extends/retains older snapshots when ransomware infection is detected (see [0040]-[0044]).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LESA M KENNEDY whose telephone number is (571)431-0704. The examiner can normally be reached Monday-Wednesday 9:30 am - 5:30 pm ET.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on (571) 270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

The examiner also requests, in response to this Office Action, support be shown for language added to any original claims on amendment and any new claims. That is, indicate support for newly added claim language by specifically pointing to page(s) and line no(s) in the specification and/or drawing figure(s). This will assist the examiner in prosecuting the application.

/LESA M KENNEDY/
Primary Examiner, Art Unit 2458

Prosecution Timeline

Mar 01, 2024: Application Filed
Feb 27, 2026: Non-Final Rejection — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12592869
CLOUD RESIDUAL RISK ASSESSMENT TOOL
2y 5m to grant Granted Mar 31, 2026
Patent 12572958
INSERTING CONVERTED TEXT-BASED NOTIFICATIONS INTO A MEDIA STREAM
2y 5m to grant Granted Mar 10, 2026
Patent 12556457
RECOMMENDATION GROUPING FOR PREDICTIVE NETWORKING
2y 5m to grant Granted Feb 17, 2026
Patent 12549614
VIDEO SHARING METHOD, APPARATUS, DEVICE AND MEDIUM
2y 5m to grant Granted Feb 10, 2026
Patent 12526328
Control of Meeting Room Devices for Video Communications
2y 5m to grant Granted Jan 13, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 77%
With Interview (+25.0%): 99%
Median Time to Grant: 3y 1m
PTA Risk: Low
Based on 201 resolved cases by this examiner. Grant probability derived from career allow rate.
