Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
Claims for application no. 18/598,004 filed on 02/13/2026 have been acknowledged. Claims 1-25 are currently pending and have been considered below. Claims 1 and 20 have been amended. Claims 1 and 20 are independent claims. No new claims have been added.
Priority
Acknowledgement is made of applicant’s claim for priority. The application claims the priority of US Provisional Application 63/450,789, filed on 03/08/2023.
Response to Arguments
Applicant’s arguments with respect to claims 1-25 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Thus, the 35 USC 103 rejection is maintained.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 13-15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Weaver et al. (US Patent No. 10,055,582 B1, hereinafter, Weaver) in view of Powell (US Patent Application No. US 2017/0034189 A1) and further in view of Naik et al. (US Patent Application No. US 20220131879 A1, hereinafter, Naik).
Regarding Claim 1, Weaver discloses: A system for universal decryption of ransomware variants, the system comprising: at least one processor operatively connected to a memory, the at least one processor configured to:
analyze ransomed files (Weaver, col 6, line 16-26, “For example, the file analyzer 130 in some embodiments inspects files as they are stored on the storage device 106 and/or by direct access inspection on the storage device 106.”);
determine at least a first ransomware variant producing a subset of the ransomed files by performing (Weaver, col 8, line 48-62, “such external processes or external determinants can be used to determine if files are being modified in accordance with respective specific known ransomware variants.”):
select a first decryption suite (Weaver, col 8, line 48-62, “The ransomware detector 125 can then be configured to perform particular types of remediation based on detection of the presence of a particular ransomware variant. Such remediation can include performing a particular key capture or key recovery algorithm that is known to be suitable for use with the particular ransomware variant.”);
determine at least a second ransomware variant produced at least a second subset of the ransomed files (Weaver, col 8, line 48-62, “such external processes or external determinants can be used to determine if files are being modified in accordance with respective specific known ransomware variants.”);
Weaver does not explicitly disclose the following limitations that Powell teaches:
from a plurality of decryption suites (Powell, ¶[0021], “In some examples, the infected network user's communications with ransomware C2 server 130 may include multiple encryption keys.”)
trigger decryption and validation of the subset of the ransomed files (Powell, ¶0029], “After the encryption key 212 and user identifier have been stored in infection log 204, decryption engine 205 may initiate a decryption operation to decrypt at least one file encrypted by the ransomware application using the extracted encryption key 212.”);
trigger decryption and validation of the second subset of the ransomed files (Powell, ¶0029], “After the encryption key 212 and user identifier have been stored in infection log 204, decryption engine 205 may initiate a decryption operation to decrypt at least one file encrypted by the ransomware application using the extracted encryption key 212.”).
Weaver in view of Powell is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver with Powell to incorporate:
“from a plurality of decryption suites;
trigger decryption and validation of the subset of the ransomed files;
trigger decryption and validation of the second subset of the ransomed files;”
because, methods and apparatus for ransomware remediation are disclosed (Powell, Abstract).
Weaver in view of Powell does not explicitly teach the following limitation that Naik teaches:
a targeted analysis of the ransomed files based on one or more reverse engineered rules associated with an encrypted file format or an attack vector, or
a statistical analysis of the ransomed files, wherein the statistical analysis comprises organizing candidate attack files into classification categories based on an analysis of a threshold portion of the ransomed files or checking an entropy of one or more target regions of the ransomed files; (More specifically, since the limitations are in the alternative form, “a statistical analysis of the ransomed files, wherein the statistical analysis comprises organizing candidate attack files into classification categories based on …. checking an entropy of one or more target regions of the ransomed files” is explicitly taught by Naik, ¶[0295], "the AVM 1070 may detect malicious activity based on a pattern (e.g., patterns 900, 905, and/or 910), characteristics of files (e.g., entropy), or other criteria and identify file-2 1094 and file-3 1092 as affected by a ransomware attack.")
Weaver in view of Powell and further in view of Naik is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver in view of Powell with Naik to perform
“a targeted analysis of the ransomed files based on one or more reverse engineered rules associated with an encrypted file format or an attack vector, or
a statistical analysis of the ransomed files, wherein the statistical analysis comprises organizing candidate attack files into classification categories based on an analysis of a threshold portion of the ransomed files or checking an entropy of one or more target regions of the ransomed files;”
Because, the disclosed file analytics systems (e.g., analytics VM 170 of FIG. 1A) may detect ransomware attacks through patterns, sets, or series of file operation events (Naik, ¶[0290]).
Regarding Claim 13, Weaver in view of Powell and further in view of Naik teaches: The system of claim 1, wherein the at least one processor is configured to display a common interface for a plurality of ransomware variants (Naik, ¶[0265], “the UI 272 may provide a display of a ransomware dashboard (e.g., the user interface 600).” ¶[0266], “The information for the dashboard may be obtained by analytics VM 270 querying metadata and/or events data maintained in analytics datastore 292 (e.g., datastore 320 of FIG. 3A).”).
Regarding Claim 14, Weaver in view of Powell and further in view of Naik teaches: The system of claim 13, wherein the at least one processor is configured to update the common interface to access and present (Naik, ¶[0265], “the UI 272 may provide a display of a ransomware dashboard (e.g., the user interface 600).” ¶[0266], “The information for the dashboard may be obtained by analytics VM 270 querying metadata and/or events data maintained in analytics datastore 292 (e.g., datastore 320 of FIG. 3A).”)
functionality for at least one new ransomware variant (Weaver, col 6, line 53-64, “the security appliance 105 comprising the ransomware detector 125 is configured to take one or more remedial actions responsive to generation of the alert by the alert generator 136. … Such a cryptographic key may comprise an encryption key in a symmetric key ransomware attack in which the same key used to encrypt files can also be used to decrypt files. Alternatively, a captured encryption key may be processed using cryptanalysis to obtain a corresponding decryption key in an asymmetric key ransomware attack.”).
Regarding Claim 15, Weaver in view of Powell and further in view of Naik teaches: The system of claim 14, wherein the at least one processor is configured to update the common interface to present (Naik, ¶[0265], “the UI 272 may provide a display of a ransomware dashboard (e.g., the user interface 600).” ¶[0266], “The information for the dashboard may be obtained by analytics VM 270 querying metadata and/or events data maintained in analytics datastore 292 (e.g., datastore 320 of FIG. 3A).”)
updated functionality for at least one existing ransomware variant (Weaver, col 6, line 53-64, “the security appliance 105 comprising the ransomware detector 125 is configured to take one or more remedial actions responsive to generation of the alert by the alert generator 136. … Such a cryptographic key may comprise an encryption key in a symmetric key ransomware attack in which the same key used to encrypt files can also be used to decrypt files. Alternatively, a captured encryption key may be processed using cryptanalysis to obtain a corresponding decryption key in an asymmetric key ransomware attack.”).
Regarding Claim 20, Weaver discloses: A computer implemented method for universal decryption of ransomware variants, the method comprising:
analyzing, by at least one processor, ransomed files (Weaver, col 6, line 16-26, “For example, the file analyzer 130 in some embodiments inspects files as they are stored on the storage device 106 and/or by direct access inspection on the storage device 106.”);
determining, by the at least one processor, at least a first ransomware variant producing a subset of the ransomed files by performing (Weaver, col 8, line 48-62, “such external processes or external determinants can be used to determine if files are being modified in accordance with respective specific known ransomware variants.”):
selecting, by the at least one processor, a first decryption suite (Weaver, col 8, line 48-62, “The ransomware detector 125 can then be configured to perform particular types of remediation based on detection of the presence of a particular ransomware variant. Such remediation can include performing a particular key capture or key recovery algorithm that is known to be suitable for use with the particular ransomware variant.”);
determining, by the at least one processor, at least a second ransomware variant produced at least a second subset of the ransomed files (Weaver, col 8, line 48-62, “such external processes or external determinants can be used to determine if files are being modified in accordance with respective specific known ransomware variants.”); and
Weaver does not explicitly disclose the following limitations that Powell teaches:
from a plurality of decryption suites (Powell, ¶[0021], “In some examples, the infected network user's communications with ransomware C2 server 130 may include multiple encryption keys.”)
triggering, by the at least one processor, decryption and validation of the subset of the ransomed files (Powell, ¶0029], “After the encryption key 212 and user identifier have been stored in infection log 204, decryption engine 205 may initiate a decryption operation to decrypt at least one file encrypted by the ransomware application using the extracted encryption key 212.”);
triggering, by the at least one processor, decryption and validation of the second subset of the ransomed files (Powell, ¶0029], “After the encryption key 212 and user identifier have been stored in infection log 204, decryption engine 205 may initiate a decryption operation to decrypt at least one file encrypted by the ransomware application using the extracted encryption key 212.”).
Weaver in view of Powell is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver with Powell to incorporate:
“from a plurality of decryption suites;
triggering, by the at least one processor, decryption and validation of the subset of the ransomed files;
triggering, by the at least one processor, decryption and validation of the second subset of the ransomed files;”
because, methods and apparatus for ransomware remediation are disclosed (Powell, Abstract).
Weaver in view of Powell does not explicitly teach the following limitation that Naik teaches:
a targeted analysis of the ransomed files based on one or more reverse engineered rules associated with an encrypted file format or an attack vector, or
a statistical analysis of the ransomed files, wherein the statistical analysis comprises organizing candidate attack files into classification categories based on an analysis of a threshold portion of the ransomed files or checking an entropy of one or more target regions of the ransomed files; (More specifically, since the limitations are in the alternative form, “a statistical analysis of the ransomed files, wherein the statistical analysis comprises organizing candidate attack files into classification categories based on …. checking an entropy of one or more target regions of the ransomed files” is explicitly taught by Naik, ¶[0295], "the AVM 1070 may detect malicious activity based on a pattern (e.g., patterns 900, 905, and/or 910), characteristics of files (e.g., entropy), or other criteria and identify file-2 1094 and file-3 1092 as affected by a ransomware attack.")
Weaver in view of Powell and further in view of Naik is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver in view of Powell with Naik to perform
“a targeted analysis of the ransomed files based on one or more reverse engineered rules associated with an encrypted file format or an attack vector, or
a statistical analysis of the ransomed files, wherein the statistical analysis comprises organizing candidate attack files into classification categories based on an analysis of a threshold portion of the ransomed files or checking an entropy of one or more target regions of the ransomed files;”
Because, the disclosed file analytics systems (e.g., analytics VM 170 of FIG. 1A) may detect ransomware attacks through patterns, sets, or series of file operation events (Naik, ¶[0290]).
Claims 2-5 and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Weaver et al. (US Patent No. 10,055,582 B1, hereinafter, Weaver) in view of Powell (US Patent Application No. US 2017/0034189 A1) and further in view of Naik et al. (US Patent Application No. US 20220131879 A1, hereinafter, Naik) and Boliek et al. (US Patent Application No. US 2012/0159518 A1, hereinafter, Boliek).
Regarding Claim 2, Weaver in view of Powell and further in view of Naik teaches: The system of claim 1, wherein the at least one processor is configured to
Weaver in view of Powell and further in view of Naik does not explicitly teach the following limitation that Boliek teaches:
manage decryption on a plurality of operating platforms ("OSs") (Boliek, ¶[0169], “each decryption program is a different version of the same decryption software and is compatible with a respective different type of electronic system, and/or is compatible with a respective different operating system employable by an electronic system such as host 50. Moreover, the decryption software, of which each decryption program is a different version, corresponds to the scheme used to encrypt the file (or data set), and is thus required in order to decrypt the file (or data set).”),
including at least Microsoft OS, Apple OS, Linux OS, ESXi, or virtualized OS implementations (Boliek, ¶[0168], “For instance, one multimedia player may be compatible with a host electronic system that runs a Java.RTM. operating system, while another multimedia player may be compatible with a host electronic system that runs a Windows.RTM. operating system, and so on.”).
Weaver in view of Powell and further in view of Naik and Boliek is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver in view of Powell and further in view of Naik with Boliek to incorporate:
“manage decryption on a plurality of operating platforms ("OSs"), including at least Microsoft OS, Apple OS, Linux OS, ESXi, or virtualized OS implementations,”
because, a method for collecting and exchanging data are disclosed (Boliek, Abstract), and in the disclosed method, each decryption program is a different version of the same decryption software and is compatible with a respective different operating system employable by an electronic system (Boliek, ¶[0169]).
Regarding Claim 3, Weaver in view of Powell and further in view of Naik and Boliek teaches: The system of claim 2, wherein the at least one processor is configured to execute at least one of a plurality of cryptographic primitives independent of a current operating system being executed (Boliek, ¶[0169], “each decryption program is a different version of the same decryption software and is compatible with a respective different type of electronic system, and/or is compatible with a respective different operating system employable by an electronic system such as host 50. Moreover, the decryption software, of which each decryption program is a different version, corresponds to the scheme used to encrypt the file (or data set), and is thus required in order to decrypt the file (or data set).”).
Regarding Claim 4, Weaver in view of Powell and further in view of Naik and Boliek teaches: The system of claim 3, wherein the at least one processor is configured to decrypt files encrypted by another operating system (Boliek, ¶[0169], “each decryption program is a different version of the same decryption software and is compatible with a respective different type of electronic system, and/or is compatible with a respective different operating system employable by an electronic system such as host 50. Moreover, the decryption software, of which each decryption program is a different version, corresponds to the scheme used to encrypt the file (or data set), and is thus required in order to decrypt the file (or data set).”) and
ransomware (Weaver, col 8, line 48-62, “such external processes or external determinants can be used to determine if files are being modified in accordance with respective specific known ransomware variants.”)
on a different operating platform based on execution of the at least one cryptographic primitive (Boliek, ¶[0169], “each decryption program is a different version of the same decryption software and is compatible with a respective different type of electronic system, and/or is compatible with a respective different operating system employable by an electronic system such as host 50. Moreover, the decryption software, of which each decryption program is a different version, corresponds to the scheme used to encrypt the file (or data set), and is thus required in order to decrypt the file (or data set).”).
Regarding Claim 5, Weaver in view of Powell and further in view of Naik and Boliek teaches: The system of claim 4, wherein the at least one processor is configured to access the at least one cryptographic primitive based on identifying an operating system associated with at least one of the ransomware, ransomed files, and a match to the at least one cryptographic primitive (Boliek, ¶[0169], “each decryption program is a different version of the same decryption software and is compatible with a respective different type of electronic system, and/or is compatible with a respective different operating system employable by an electronic system such as host 50. Moreover, the decryption software, of which each decryption program is a different version, corresponds to the scheme used to encrypt the file (or data set), and is thus required in order to decrypt the file (or data set).”).
Regarding Claim 21, Weaver in view of Powell and further in view of Naik and Boliek teaches: The method of claim 20, wherein the method comprises managing decryption on a plurality of operating platforms ("OSs") (Boliek, ¶[0169], “each decryption program is a different version of the same decryption software and is compatible with a respective different type of electronic system, and/or is compatible with a respective different operating system employable by an electronic system such as host 50. Moreover, the decryption software, of which each decryption program is a different version, corresponds to the scheme used to encrypt the file (or data set), and is thus required in order to decrypt the file (or data set).”),
including at least Microsoft OS, Apple OS, Linux OS, ESXi, or virtualized OS implementations (Boliek, ¶[0168], “For instance, one multimedia player may be compatible with a host electronic system that runs a Java.RTM. operating system, while another multimedia player may be compatible with a host electronic system that runs a Windows.RTM. operating system, and so on.”).
Regarding Claim 22, Weaver in view of Powell and further in view of Naik and Boliek teaches: The method of claim 21, wherein the method comprises executing at least one of a plurality of cryptographic primitives independent of a current operating system being executed (Boliek, ¶[0169], “each decryption program is a different version of the same decryption software and is compatible with a respective different type of electronic system, and/or is compatible with a respective different operating system employable by an electronic system such as host 50. Moreover, the decryption software, of which each decryption program is a different version, corresponds to the scheme used to encrypt the file (or data set), and is thus required in order to decrypt the file (or data set).”), and
optionally wherein the method comprises decrypting files encrypted by another operating system (Boliek, ¶[0169], “each decryption program is a different version of the same decryption software and is compatible with a respective different type of electronic system, and/or is compatible with a respective different operating system employable by an electronic system such as host 50. Moreover, the decryption software, of which each decryption program is a different version, corresponds to the scheme used to encrypt the file (or data set), and is thus required in order to decrypt the file (or data set).”) and
ransomware (Weaver, col 8, line 48-62, “such external processes or external determinants can be used to determine if files are being modified in accordance with respective specific known ransomware variants.”)
on a different operating platform based on execution of the at least one cryptographic primitive (Boliek, ¶[0169], “each decryption program is a different version of the same decryption software and is compatible with a respective different type of electronic system, and/or is compatible with a respective different operating system employable by an electronic system such as host 50. Moreover, the decryption software, of which each decryption program is a different version, corresponds to the scheme used to encrypt the file (or data set), and is thus required in order to decrypt the file (or data set).”).
Regarding Claim 23, Weaver in view of Powell and further in view of Naik and Boliek teaches: The method of claim 22, wherein the method comprises accessing the at least one cryptographic primitive based on identifying an operating system associated with at least one of the ransomware, ransomed files, and a match to the at least one cryptographic primitive (Boliek, ¶[0169], “each decryption program is a different version of the same decryption software and is compatible with a respective different type of electronic system, and/or is compatible with a respective different operating system employable by an electronic system such as host 50. Moreover, the decryption software, of which each decryption program is a different version, corresponds to the scheme used to encrypt the file (or data set), and is thus required in order to decrypt the file (or data set).”).
Claims 6-7 and 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Weaver et al. (US Patent No. 10,055,582 B1, hereinafter, Weaver) in view of Powell (US Patent Application No. US 2017/0034189 A1) and further in view of Naik et al. (US Patent Application No. US 20220131879 A1, hereinafter, Naik) and Ragland et al. (US Patent Application No. US 2019/0079806 A1, hereinafter, Ragland).
Regarding Claim 6, Weaver in view of Powell and further in view of Naik teaches: The system of claim 1, wherein the at least one processor is configured to … decryption (Powell, ¶0029], “After the encryption key 212 and user identifier have been stored in infection log 204, decryption engine 205 may initiate a decryption operation to decrypt at least one file encrypted by the ransomware application using the extracted encryption key 212.”)
Weaver in view of Powell and Naik does not explicitly teach the following limitations that Ragland teaches:
enable user optimization during runtime to limit threaded (Ragland, ¶[0125], “either within the BIOS code itself or obtained via a user interface within the BIOS code, OEM/user selective multi-thread configuration information 1755 may be present within BIOS 1750 and similarly communicated to PCU 1730 to enable its use in configuring cores 1720 for an appropriate thread mode of operation”).
Weaver in view of Powell and further in view of Naik and Ragland is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver in view of Powell and further in view of Naik with Ragland to:
“enable user optimization during runtime to limit threaded operations for network file access;”
because, user selective multi-thread configuration information may be communicated to enable its use in configuring cores for an appropriate thread mode of operation (Ragland, ¶[0125]).
Regarding Claim 7, Weaver in view of Powell and further in view of Naik and Ragland teaches: The system of claim 6, wherein the at least one processor is configured to display a user interface open for enabling and disabling thread limitation functionality (Ragland, ¶[0125], “either within the BIOS code itself or obtained via a user interface within the BIOS code, OEM/user selective multi-thread configuration information 1755 may be present within BIOS 1750 and similarly communicated to PCU 1730 to enable its use in configuring cores 1720 for an appropriate thread mode of operation”).
Regarding Claim 24, Weaver in view of Powell and further in view of Naik and Ragland teaches: The method of claim 20, wherein the method comprises enabling user optimization during runtime to limit threaded (Ragland, ¶[0125], “either within the BIOS code itself or obtained via a user interface within the BIOS code, OEM/user selective multi-thread configuration information 1755 may be present within BIOS 1750 and similarly communicated to PCU 1730 to enable its use in configuring cores 1720 for an appropriate thread mode of operation”).
decryption (Powell, ¶0029], “After the encryption key 212 and user identifier have been stored in infection log 204, decryption engine 205 may initiate a decryption operation to decrypt at least one file encrypted by the ransomware application using the extracted encryption key 212.”)
Regarding Claim 25, Weaver in view of Powell and further in view of Naik and Ragland teaches: The method of claim 24, wherein the method comprises displaying a user interface open for enabling and disabling thread limitation functionality (Ragland, ¶[0125], “either within the BIOS code itself or obtained via a user interface within the BIOS code, OEM/user selective multi-thread configuration information 1755 may be present within BIOS 1750 and similarly communicated to PCU 1730 to enable its use in configuring cores 1720 for an appropriate thread mode of operation”).
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Weaver et al. (US Patent No. 10,055,582 B1, hereinafter, Weaver) in view of Powell (US Patent Application No. US 2017/0034189 A1) and further in view of Naik et al. (US Patent Application No. US 20220131879 A1, hereinafter, Naik) and Webster (US Patent Application No. US 2016/0259567 A1).
Regarding Claim 8, Weaver in view of Powell and further in view of Naik teaches: The system of claim 1, wherein the at least one processor is configured to:
generate output logs reflecting information (Powell, ¶[0021], “security device 110 may store the encryption key in an infection log, with an identifier of the infected network user. In some examples, security device 110 may automatically send a notification of infection to the network user in response to storing the encryption key.”)
Weaver in view of Powell and further in view of Naik does not explicitly teach the following that Webster teaches:
detect interfering operating system behavior that impacts decryption; and … on failed decryption attempt; (Webster, ¶[0022], “these tunneling techniques may be more prone to error and may not work depending on the operating system and/or drivers used in a client device. Thus, some types of operations (e.g., RAID operations, power management operations, encryption/decryption operations, other non-data related operations, etc.) may not be performed by a data storage device without the use of additional drivers and/or tunneling techniques.”)
Weaver in view of Powell and further in view of Naik and Webster is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver in view of Powell and further in view of Naik with Webster to:
“detect interfering operating system behavior that impacts decryption; on failed decryption attempt;”
because, techniques may be more prone to error and may not work depending on the operating system and/or drivers used in a client device (Webster, ¶[0022]).
Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Weaver et al. (US Patent No. 10,055,582 B1, hereinafter, Weaver) in view of Powell (US Patent Application No. US 2017/0034189 A1) and further in view of Naik et al. (US Patent Application No. US 20220131879 A1, hereinafter, Naik), Webster (US Patent Application No. US 2016/0259567 A1), and Hashem et al. (US Patent Application No. US 2002/0108034 A1, hereinafter, Hashem).
Regarding Claim 9, Weaver in view of Powell and further in view of Naik and Webster teaches: The system of claim 8, wherein the at least one processor is configured to
Weaver in view of Powell and further in view of Naik and Webster does not explicitly teach the following that Hashem teaches:
trigger the at least one workaround option for at least one decryption error in response to selection (Hashem, ¶[0040], “the system may record information regarding the data in an error log if the data fails the decryption process. The system may further transmit notification of decryption failure of the data to a designated recipient of the data at the destination if the data fails decryption.”).
Weaver in view of Powell and further in view of Naik, Webster, and Hashem is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver in view of Powell and further in view of Naik and Webster with Hashem to
“trigger the at least one workaround option for at least one decryption error in response to selection;”
because, the system may record information regarding the data in an error log if the data fails the decryption process (Hashem, ¶[0040]).
Regarding Claim 19, Weaver in view of Powell and further in view of Naik, Webster, and Hashem teaches: The system of claim 1, wherein the at least one processor is configured to:
generate logging and performance outcome metrics (Powell, ¶[0026], “the infection log 204 may store additional information about the ransomware infection, such as a timestamp identifying when the infection was detected, a ransomware type identifying the ransomware application detected, an operating system type identifying the operating system of the network user, or other information relating to the detected ransomware infection.”); and
trigger supporting functions and features to troubleshoot decryption failures (Hashem, ¶[0041], “a notice may be transmitted to the designated recipient of the file at the destination that the file has failed either decryption and/or verification.”).
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Weaver et al. (US Patent No. 10,055,582 B1, hereinafter, Weaver) in view of Powell (US Patent Application No. US 2017/0034189 A1) and further in view of Naik et al. (US Patent Application No. US 20220131879 A1, hereinafter, Naik) and Wikipedia 1 (NPL, “Mount (computing),” archived on 03/06/2023).
Regarding Claim 10, Weaver in view of Powell and further in view of Naik teaches: The system of claim 1, wherein the at least one processor is configured to: generate a local copy
execute decryption on the local copy (Powell, ¶0029], “After the encryption key 212 and user identifier have been stored in infection log 204, decryption engine 205 may initiate a decryption operation to decrypt at least one file encrypted by the ransomware application using the extracted encryption key 212.”)
Weaver in view of Powell and further in view of Naik does not explicitly teach the following limitation that Wikipedia 1 teaches:
of cloud mount point responsive to detection of the cloud mount point (Wikipedia 1, “Mount (computing),” “Mounting is a process by which a computer's operating system makes files and directories on a storage device (such as hard drive, CD-ROM, or network share) available for users to access via the computer's file system. … The location in the VFS to which the newly mounted medium was registered is called a "mount point"; when the mounting process is completed, the user can access files and directories on the medium from there.”); and
Weaver in view of Powell and further in view of Naik and Wikipedia 1 is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver in view of Powell and further in view of Naik with Wikipedia 1 to access
“a cloud mount point responsive to detection of the cloud mount point;”
because, when the mounting process is completed, the user can access files and directories on the medium from there (Wikipedia 1).
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Weaver et al. (US Patent No. 10,055,582 B1, hereinafter, Weaver) in view of Powell (US Patent Application No. US 2017/0034189 A1) and further in view of Naik et al. (US Patent Application No. US 20220131879 A1, hereinafter, Naik) and Wikipedia 2 (NPL, “Breadth-first search,” archived on 03/06/2023).
Regarding Claim 11, Weaver in view of Powell and further in view of Naik teaches: The system of claim 1, wherein the at least one processor is configured to order decryption operations (Powell, ¶0029], “After the encryption key 212 and user identifier have been stored in infection log 204, decryption engine 205 may initiate a decryption operation to decrypt at least one file encrypted by the ransomware application using the extracted encryption key 212.”).
Weaver in view of Powell and further in view of Naik does not explicitly teach the following limitation that Wikipedia 2 teaches:
based on a breadth-first-search; a same level of a tree structure that are enumerated before continuing down the tree structure (Wikipedia 2, “Breadth-first search (BFS) is an algorithm for searching a tree data structure for a node that satisfies a given property. It starts at the tree root and explores all nodes at the present depth prior to moving on to the nodes at the next depth level.”)
Weaver in view of Powell and further in view of Naik and Wikipedia 2 is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver in view of Powell and further in view of Naik with Wikipedia 2 to incorporate:
“based on a breadth-first-search;
a same level of a tree structure that are enumerated before continuing down the tree structure;”
because, breadth-first search (BFS) is an algorithm for searching a tree data structure and it starts at the tree root and explores all nodes at the present depth prior to moving on to the nodes at the next depth level (Wikipedia 2).
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Weaver et al. (US Patent No. 10,055,582 B1, hereinafter, Weaver) in view of Powell (US Patent Application No. US 2017/0034189 A1) and further in view of Naik et al. (US Patent Application No. US 20220131879 A1, hereinafter, Naik) and Vipat et al. (US Patent Application No. US 2025/0063054 A1, hereinafter, Vipat).
Regarding Claim 12, Weaver in view of Powell and further in view of Naik teaches: The system of claim 1, wherein the at least one processor is configured (Powell, ¶[0025], “The ransomware remediator 200 can include a network traffic analyzer 201, a ransomware signature repository 202”).
Weaver in view of Powell and further in view of Naik does not explicitly teach the following limitation that Vipat teaches:
to access a remote location (Vipat, ¶[0033], “threat detection service 226 may update rules database 228 based on updates from malware signature databases, or common vulnerability and exposures (CVE) databases hosted on cloud 204 or accessible via the Internet.”)
Weaver in view of Powell and further in view of Naik and Vipat is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver in view of Powell and further in view of Naik with Vipat
“to access a remote location”
because, threat detection service may update databased based on updates from databases hosted on cloud (Vipat, ¶[0033]).
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Weaver et al. (US Patent No. 10,055,582 B1, hereinafter, Weaver) in view of Powell (US Patent Application No. US 2017/0034189 A1) and further in view of Naik et al. (US Patent Application No. US 20220131879 A1, hereinafter, Naik) and Hirschberg et al. (US Patent Application No. US 2018/0114020 A1, hereinafter, Hirschberg).
Regarding Claim 16, Weaver in view of Powell and further in view of Naik teaches: The system of claim 1, wherein the at least one processor is configured to
Weaver in view of Powell and further in view of Naik does not explicitly teach the following limitation that Hirschberg teaches:
execute automated unit tests to verify decryption correctness (Hirschberg, ¶0024], “The decryption engine 16 is operative to attempt to decrypt one or more of the encrypted files 26 with the selected candidate encryption key (block 48). The CPU 12 is operative to determine if the decryption is successful (block 50).”).
Weaver in view of Powell and further in view of Naik and Hirschberg is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver in view of Powell and further in view of Naik with Hirschberg to
“execute automated unit tests to verify decryption correctness;”
Because, the disclosure discloses a system including a decryption engine to attempt to decrypt at least one encrypted file of the plurality of encrypted files (Hirschberg, Abstract).
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Weaver et al. (US Patent No. 10,055,582 B1, hereinafter, Weaver) in view of Powell (US Patent Application No. US 2017/0034189 A1) and further in view of Naik et al. (US Patent Application No. US 20220131879 A1, hereinafter, Naik) and Muller et al. (US Patent Application No. US 2008/0320319 A1, hereinafter, Muller).
Regarding Claim 17, Weaver in view of Powell and further in view of Naik teaches: The system of claim 1, wherein the at least one processor is configured to
of at least one ransomed file before decrypting (Powell, ¶0029], “After the encryption key 212 and user identifier have been stored in infection log 204, decryption engine 205 may initiate a decryption operation to decrypt at least one file encrypted by the ransomware application using the extracted encryption key 212.”)
Weaver in view of Powell and further in view of Naik does not explicitly teach the following limitation that Muller teaches:
execute an overwrite mode, wherein the overwrite mode includes execution to generate backups of encrypted areas of at least one (Muller, ¶[0051], “it is possible that the system may create subsequent copies of a data set, such as additional secondary copies (for example, one backup copy and one archive copy, two archive copies, and so on). The system may selectively encrypt some or all of the created additional secondary copies, and may select to create the copies before encryption.”).
Weaver in view of Powell and further in view of Naik and Muller is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver in view of Powell and further in view of Naik with Muller to
“execute an overwrite mode, wherein the overwrite mode includes execution to generate backups of encrypted areas of at least one file;”
Because, the system may create subsequent copies of a data set, such as additional secondary copies (Muller, ¶[0051]).
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Weaver et al. (US Patent No. 10,055,582 B1, hereinafter, Weaver) in view of Powell (US Patent Application No. US 2017/0034189 A1) and further in view of Naik et al. (US Patent Application No. US 20220131879 A1, hereinafter, Naik), Muller et al. (US Patent Application No. US 2008/0320319 A1, hereinafter, Muller), and Child et al. (US Patent Application No. US 2021/0216631 A1, hereinafter, Child).
Regarding Claim 18, Weaver in view of Powell and further in view of Naik and Muller teaches: The system of claim 17, wherein the at least one processor is configured to;
of the at least one ransomed file (Powell, ¶0029], “After the encryption key 212 and user identifier have been stored in infection log 204, decryption engine 205 may initiate a decryption operation to decrypt at least one file encrypted by the ransomware application using the extracted encryption key 212.”)
for backup generation (Muller, ¶[0051], “it is possible that the system may create subsequent copies of a data set, such as additional secondary copies (for example, one backup copy and one archive copy, two archive copies, and so on). The system may selectively encrypt some or all of the created additional secondary copies, and may select to create the copies before encryption.”).
Weaver in view of Powell and further in view of Naik and Muller does not explicitly teach the following limitation that Child teaches:
verify the encrypted areas of the at least one (Child, ¶[0479], “system 400 may perform a format validation for the first file and the second file (e.g., based on checksums, compression blocks, and/or encrypted regions”)
Weaver in view of Powell and further in view of Naik, Muller, and Child is analogous art because the references are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “data and file analysis.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Weaver in view of Powell and further in view of Naik and Muller with Child to
“verify the encrypted areas of the at least one file;”
Because, the system may perform a validation for the files based on encrypted regions (Child, ¶[0479]).
CONCLUSION
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDGAR W XIE whose telephone number is (703)756-4777. The examiner can normally be reached Monday - Friday, 8:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JEFFREY PWU can be reached at (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/EDGAR W XIE/ Examiner, Art Unit 2433
/WASIKA NIPA/ Primary Examiner, Art Unit 2433