Detailed Action
Claims 1-20 are pending.
Claims 1-20 are rejected.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1, 8, and 10-13 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by GURI et al (Pub. No.: US 2019/0332766 A1).
As per claim 1, GURI discloses a non-transitory machine-readable storage medium comprising instructions that upon execution cause a system to: - monitor input/output (I/O) operations to identify data matching a honeypot pattern (GURI, Fig 4, paragraph 0071, wherein “For example, with reference to FIG. 4, operation monitor 406 monitors decoy file(s) 416 to determine file access operation(s) 403 are being performed with respect thereto”; paragraph 0073, wherein “In accordance with one or more embodiments, a pattern associated with the one or more file access operations that are being performed with respect to the one or more decoy files are identified and one or more rules are applied to the pattern to determine whether the one or more file access operations originate from the malicious process. For example, with reference to FIG. 4, operation analyzer 408 may identify a pattern associated with file access operation(s) 403”); - determine storage location information associated with the data identified as matching the honeypot pattern (GURI, Fig 4, paragraph 0064, wherein “Malicious process detector 114 may create one or more decoy files 116 in one or more of director(ies) 110. Examples of such directories include, but are not limited to, a default documents storage directory of operating system 106, directories that contain user, documents, spreadsheets, pictures, images, or any other directory maintained by file system 108. It is noted in addition to or in lieu of file(s) 112 and decoy file(s) 116 being stored in director(ies) 110, file(s) 112 and decoy file(s) 116 may be stored in any suitable storage location and may be stored accordance with any suitable organization”; Thus, identifying a pattern associated with the one or more file access operations that are being performed with respect to the one or more decoy files inherently identifies the storage location where these decoy files are stored on); - detect an access of the data at a storage location indicated by the storage location information (GURI, Fig 4, paragraph 0073, wherein “In accordance with one or more embodiments, a pattern associated with the one or more file access operations that are being performed with respect to the one or more decoy files are identified and one or more rules are applied to the pattern to determine whether the one or more file access operations originate from the malicious process. For example, with reference to FIG. 4, operation analyzer 408 may identify a pattern associated with file access operation(s) 403”); and - indicate a potential attack based on detecting the access of the data at the storage location indicated by the storage location information (GURI, paragraph 0076, wherein “At step 308, in response to determining that the one or more file access operations originate from the malicious process, an action is performed to neutralize the malicious process. For example, with reference to FIG. 4, in response to receiving indicator 407, operation monitor 406 performs an action to neutralize the malicious process”);
As per claim 8, claim 1 is incorporated and GURI discloses wherein the honeypot pattern comprises a random pattern or a specified data pattern (GURI, paragraph 0060, wherein “Updateable knowledge base 224 may further maintain a set of rules (e.g., predetermined rules) that indicate which types of file access operations to decoy file(s) 216 (or patterns thereof) are illegal (i.e., issued from a malicious process) or legal (i.e., issued from a non-malicious process). Operation analyzer 208 may analyze the file access operation(s) to identify a pattern associated with the file access operation(s). Operation analyzer 208 may apply the rule(s) to the identified pattern to determine whether the file access operation(s) originate from a non-malicious process or a malicious process. For example, a rule may specify that a particular file access operation followed by another particular file access operation is considered to be an illegal file access pattern. Thus, if the identified pattern conforms to this rule, operation analyzer 208 may determine the file access operation(s) detected by operation monitor 206 originated from a malicious process (e.g., process 220) and may provide an indication to operation monitor 206 that indicates that the file access operation(s) originate from a malicious process. If the identified pattern does not conform to this rule (or any other rule that indicates an illegal file access pattern), operation analyzer 208 may determine that the file access operation(s) detected by operation monitor 206 originated from a non-malicious process and may provide an indication to operation monitor 206 that indicates that the file access operation(s) do not originate from a malicious process. The rule(s) maintained in updateable knowledge base 224 may be periodically updated with new patterns (e.g., via a software update)”).
As per claim 10, claim 1 is incorporated and GURI discloses wherein the indicating of the potential attack comprises providing a notification of the potential attack and write data written to the storage location indicated by the storage location information (GURI, paragraph 0060, wherein “In accordance with an embodiment, comprises one or more of terminating the malicious process, suspending the malicious process, performing backup of the one or more other files stores in the file directory, checking an integrity of the one or more other files, activating an anti-virus program, recording in an event log an event that indicates that the malicious process performed the one or more file access operations to the one or more decoy files, or prompting a user of the computing device to indicate an operation to perform”).
As per claim 11, claim 1 is incorporated and GURI discloses wherein the instructions upon execution cause the system to: detect a change of the storage location of the data matching the honeypot pattern; based on detecting the change of the storage location, determine whether an access of the data matching the honeypot pattern at the changed storage location has occurred; and indicate a potential attack based on detecting the access of the data at the changed storage location (GURI, paragraph 0060-0061, wherein “An example of a rule that specifies an illegal pattern may be a read operation that reads a portion of data from a file, a write operation that rewrites that portion with an encrypted version of that data, and repeating these operations until all the portions of data from the file are encrypted. Another example be a read operation that reads the whole file for data included therein, a create operation that creates a new file (having the same file name) that contains an encrypted version of that data, and a delete operation that deletes the original file”).
As per claim 12, claim 1 is incorporated and GURI discloses wherein the detected access comprises a read access or a write access (GURI, paragraph 0060-0061, wherein “An example of a rule that specifies an illegal pattern may be a read operation that reads a portion of data from a file, a write operation that rewrites that portion with an encrypted version of that data, and repeating these operations until all the portions of data from the file are encrypted. Another example be a read operation that reads the whole file for data included therein, a create operation that creates a new file (having the same file name) that contains an encrypted version of that data, and a delete operation that deletes the original file”).
As per claim 13, claim 1 is incorporated and GURI discloses wherein the monitoring of the I/O operations and the determining of the storage location information are performed during an initialization stage of a data protection process (GURI, Fig 3, paragraph 0064, wherein “Malicious process detector 114 may create one or more decoy files 116 in one or more of director(ies) 110. Examples of such directories include, but are not limited to, a default documents storage directory of operating system 106, directories that contain user, documents, spreadsheets, pictures, images, or any other directory maintained by file system 108. It is noted in addition to or in lieu of file(s) 112 and decoy file(s) 116 being stored in director(ies) 110, file(s) 112 and decoy file(s) 116 may be stored in any suitable storage location and may be stored accordance with any suitable organization”), and wherein the detecting of the access and the indicating of the potential attack are performed during a tracking stage of the data protection process after the initialization stage (GURI, Fig 3, paragraph 0071, wherein “For example, with reference to FIG. 4, operation monitor 406 monitors decoy file(s) 416 to determine file access operation(s) 403 are being performed with respect thereto”; paragraph 0073, wherein “In accordance with one or more embodiments, a pattern associated with the one or more file access operations that are being performed with respect to the one or more decoy files are identified and one or more rules are applied to the pattern to determine whether the one or more file access operations originate from the malicious process. For example, with reference to FIG. 4, operation analyzer 408 may identify a pattern associated with file access operation(s) 403”).
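An added illustration (not code from the application under examination, nor from the cited GURI or BEDHAPUDI publications) of the decoy-file monitor that the claim 1, 11, 12 and 13 mappings above describe: decoy storage locations are recorded at an initialization stage, a change of a decoy's location is followed, and the two illegal access patterns quoted from GURI paragraphs 0060-0061 are applied as rules to each process's operation history during tracking. The event format, the sample paths and the `encrypted` flag (standing in for an entropy check on the written payload) are assumptions.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class AccessOp:  # one I/O operation seen by the operation monitor (constructed event format)
    pid: int
    op: str                         # "read" | "write" | "create" | "delete" | "rename"
    path: str
    offset: int = -1                # offset of a partial read/write; -1 = whole file
    new_path: Optional[str] = None  # destination of a "rename"
    encrypted: bool = False         # payload looked encrypted (assumed entropy heuristic)

def rule_inplace_encrypt(hist: List[AccessOp]) -> Optional[str]:
    # read a portion -> write an encrypted portion at the same offset, repeated (>= 2 portions)
    pairs = sum(1 for p, c in zip(hist, hist[1:])
                if p.op == "read" and c.op == "write" and c.encrypted
                and p.path == c.path and p.offset == c.offset >= 0)
    return "inplace-encrypt" if pairs >= 2 else None

def rule_copy_encrypt_delete(hist: List[AccessOp]) -> Optional[str]:
    # read the whole file -> create a same-named encrypted file -> delete the original
    if len(hist) >= 3:
        r, c, d = hist[-3:]
        if (r.op == "read" and r.offset == -1 and c.op == "create" and c.encrypted
                and os.path.basename(c.path) == os.path.basename(r.path)
                and d.op == "delete" and d.path == r.path):
            return "copy-encrypt-delete"
    return None

class DecoyMonitor:
    def __init__(self, decoy_paths: List[str]) -> None:
        self.decoys = set(decoy_paths)   # initialization stage: decoy storage locations
        self.history: Dict[int, List[AccessOp]] = {}

    def observe(self, op: AccessOp) -> Optional[str]:
        """Tracking stage: record op; return a rule name if it completes an illegal pattern."""
        if op.op == "rename" and op.path in self.decoys and op.new_path:
            self.decoys.remove(op.path)      # storage location changed: follow the decoy
            self.decoys.add(op.new_path)
            return None
        hist = self.history.setdefault(op.pid, [])
        hist.append(op)
        names = {os.path.basename(d) for d in self.decoys}  # creates reusing a decoy name count too
        if op.path not in self.decoys and os.path.basename(op.path) not in names:
            return None
        return rule_inplace_encrypt(hist) or rule_copy_encrypt_delete(hist)

def scan(trace: List[AccessOp], decoys: List[str]) -> List[tuple]:
    # one (pid, rule, path) indicator per potential attack
    mon, hits = DecoyMonitor(decoys), []
    for op in trace:
        rule = mon.observe(op)
        if rule:
            hits.append((op.pid, rule, op.path))
    return hits

DECOYS = ["/docs/invoice_decoy.docx", "/pics/photo_decoy.jpg"]
TRACE = [  # constructed sample trace
    AccessOp(100, "read", "/docs/invoice_decoy.docx"),            # benign one-off read
    AccessOp(1, "rename", "/docs/invoice_decoy.docx", new_path="/arch/invoice_decoy.docx"),
    AccessOp(666, "read", "/arch/invoice_decoy.docx", offset=0),   # encrypt in place, 4 KiB chunks
    AccessOp(666, "write", "/arch/invoice_decoy.docx", offset=0, encrypted=True),
    AccessOp(666, "read", "/arch/invoice_decoy.docx", offset=4096),
    AccessOp(666, "write", "/arch/invoice_decoy.docx", offset=4096, encrypted=True),
    AccessOp(777, "read", "/pics/photo_decoy.jpg"),                # copy-encrypt-delete
    AccessOp(777, "create", "/tmp/photo_decoy.jpg", encrypted=True),
    AccessOp(777, "delete", "/pics/photo_decoy.jpg"),
]
```

`scan(TRACE, DECOYS)` yields one indicator for pid 666 (at the moved location) and one for pid 777; the benign read by pid 100 matches no rule.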
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 2-7, 9 and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over GURI et al (Pub. No.: US 2019/0332766 A1) in view of BEDHAPUDI et al (Pub. No.: US 2019/0108340 A1).
As per claim 2, claim 1 is incorporated and GURI does not explicitly disclose wherein the monitoring of the I/O operations is by a data replication manager that replicates data writes to a replication data repository. However, BEDHAPUDI discloses wherein the monitoring of the I/O operations is by a data replication manager that replicates data writes to a replication data repository (BEDHAPUDI, paragraph 0291, wherein “In addition to the previously described systems, the client computing device 302 may include a filter driver 314 that can interact with data (e.g., production data) associated with the applications 310. For instance, the filter driver 314 may comprise a file system filter driver, an operating system driver, a filtering program, a data trapping program, an application, a module of one or more of the applications 310, an application programming interface (“API”), or other like software module or process that, among other things, monitors and/or intercepts particular application requests targeted at a file system, another file system filter driver, a network attached storage (“NAS”), a storage area network (“SAN”), mass storage and/or other memory or raw data. In some embodiments, the filter driver 314 may reside in the I/O stack of an application 310 and may intercept, analyze, and/or copy certain data traveling to or from the application 310 from or to a file system”; paragraph 0171, wherein “Replication is another type of secondary copy operation. Some types of secondary copies 116 periodically capture images of primary data 112 at particular points in time (e.g., backups, archives, and snapshots). However, it can also be useful for recovery purposes to protect primary data 112 in a more continuous fashion, by replicating primary data 112 substantially as changes occur. In some cases a replication copy can be a mirror copy, for instance, where changes made to primary data 112 are mirrored or substantially immediately copied to another location (e.g., to secondary storage device(s) 108). By copying each write operation to the replication copy, two storage systems are kept synchronized or substantially synchronized so that they are virtually identical at approximately the same time”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate BEDHAPUDI into GURI to achieve the claimed limitations because this would have provided a backup storage that can be used when the primary storage is not accessible, which allows the system to directly access, copy, restore, back up, or otherwise manipulate the replication copies as if they were the “live” primary data 112 (see BEDHAPUDI 0172).
As per claim 3, claim 2 is incorporated and BEDHAPUDI discloses wherein the instructions upon execution cause the system to: receive, by the data replication manager from an agent, the honeypot pattern (BEDHAPUDI, paragraph 0327, wherein “In some embodiments, the anomaly detection engine 320 may create honeypot files 328 (or canary files). For example, since the honeypot files 328 serve no purpose other than to bait ransomware, any access to the honeypot files 328 can automatically trigger ransomware or file activity anomaly detection. The honeypot files 328 may have specific file extensions known to be targeted by ransomware (e.g., .doc, .xls, pdf, etc.). The filter driver 314 and/or the anomaly detection engine 320 may monitor I/O access to the honeypot files 328, and any modification (e.g., writes or deletes) to the honeypot files 328 may automatically trigger ransomware or file activity anomaly detection”).
As per claim 4, claim 3 is incorporated and GURI in view of BEDHAPUDI discloses wherein the instructions upon execution cause a system to: create, by the agent, a honeypot file containing the data having the honeypot pattern (GURI, Fig 3, paragraph 0068, wherein “At step 302, one or more decoy files in a file directory that stores one or more other files is created. For example, as shown in FIG. 4, decoy documents manager 402 creates decoy file(s) 416 in directory 410, which stores file(s) 412. In accordance with an embodiment, decoy documents manager 402 may issue a procedure call 401 to the operating system (e.g., operating system 106) that causes decoy file(s) 416 to be created. The procedure call may specify one or more attributes for the decoy file(s) 416 that are created (e.g., the file name, a path to directory 410 in which decoy file(s) 416 are to be created, file access privileges, etc.)”).
As per claim 5, claim 4 is incorporated and BEDHAPUDI discloses wherein the instructions upon execution cause the system to: identify, by the data replication manager, one or more data volumes to be protected by the data replication manager by replicating data writes of the one or more data volumes to the replication data repository, wherein the honeypot file created by the agent is in a data volume of the one or more data volumes (BEDHAPUDI, paragraph 0171, wherein “Replication is another type of secondary copy operation. Some types of secondary copies 116 periodically capture images of primary data 112 at particular points in time (e.g., backups, archives, and snapshots). However, it can also be useful for recovery purposes to protect primary data 112 in a more continuous fashion, by replicating primary data 112 substantially as changes occur. In some cases a replication copy can be a mirror copy, for instance, where changes made to primary data 112 are mirrored or substantially immediately copied to another location (e.g., to secondary storage device(s) 108). By copying each write operation to the replication copy, two storage systems are kept synchronized or substantially synchronized so that they are virtually identical at approximately the same time”).
As per claim 6, claim 5 is incorporated and BEDHAPUDI discloses wherein the data writes replicated by the data replication manager comprises data writes performed by a virtual computing entity that is protected by the data replication manager (BEDHAPUDI, Fig 2A, paragraph 0070, wherein “In some embodiments, computing devices can include one or more virtual machine(s) running on a physical host computing device (or “host machine”) operated by the organization. As one example, the organization may use one virtual machine as a database server and another virtual machine as a mail server, both virtual machines operating on the same host machine. A Virtual machine (“VM”) is a software implementation of a computer that does not physically exist and is instead instantiated in an operating system of a physical computer (or host machine) to enable applications to execute within the VM's environment, i.e., a VM emulates a physical computer”; paragraph 0087, wherein “For virtual machines, the operating system and other applications 110 of client computing device(s) 102 may execute within or under the management of virtualization software (e.g., a VMM), and the primary storage device(s) 104 may comprise a virtual disk created on a physical storage device. System 100 may create secondary copies 116 of the files or other data objects in a virtual disk file and/or secondary copies 116 of the entire virtual disk file itself (e.g., of an entire .vmdk file)”).
As per claim 7, claim 6 is incorporated and GURI discloses wherein the agent is executed in the virtual computing entity (BEDHAPUDI, Fig 2A, paragraph 0070, wherein “In some embodiments, computing devices can include one or more virtual machine(s) running on a physical host computing device (or “host machine”) operated by the organization. As one example, the organization may use one virtual machine as a database server and another virtual machine as a mail server, both virtual machines operating on the same host machine. A Virtual machine (“VM”) is a software implementation of a computer that does not physically exist and is instead instantiated in an operating system of a physical computer (or host machine) to enable applications to execute within the VM's environment, i.e., a VM emulates a physical computer”; paragraph 0087, wherein “For virtual machines, the operating system and other applications 110 of client computing device(s) 102 may execute within or under the management of virtualization software (e.g., a VMM), and the primary storage device(s) 104 may comprise a virtual disk created on a physical storage device. System 100 may create secondary copies 116 of the files or other data objects in a virtual disk file and/or secondary copies 116 of the entire virtual disk file itself (e.g., of an entire .vmdk file)”).
As per claim 9, claim 1 is incorporated and GURI discloses wherein the indicating of the potential attack comprises providing a notification of the potential attack (GURI, paragraph 0060, wherein “In accordance with an embodiment, comprises one or more of terminating the malicious process, suspending the malicious process, performing backup of the one or more other files stores in the file directory, checking an integrity of the one or more other files, activating an anti-virus program, recording in an event log an event that indicates that the malicious process performed the one or more file access operations to the one or more decoy files, or prompting a user of the computing device to indicate an operation to perform”). GURI does not explicitly disclose information identifying a latest recovery point for data. However, BEDHAPUDI discloses information identifying a latest recovery point for data (BEDHAPUDI, paragraph 0101-0104, 0184-085, wherein “According to certain embodiments, storage manager 140 provides one or more of the following functions: … initiating restore and recovery operations”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate BEDHAPUDI into GURI to achieve the claimed limitations because this would have provided a backup storage that can be used when the primary storage is not accessible, which allows the system to directly access, copy, restore, back up, or otherwise manipulate the replication copies as if they were the “live” primary data 112 (see BEDHAPUDI 0172).
Claims 14-20 are rejected under the same rationale as claims 2-7 and 9.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAMZA N ALGIBHAH whose telephone number is (571)270-7212. The examiner can normally be reached 7:30 am - 3:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wing Chan can be reached on (571) 272-7493. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HAMZA N ALGIBHAH/Primary Examiner, Art Unit 2441