Prosecution Insights
Last updated: May 29, 2026
Application No. 18/650,702

ACTIONABLE ARTIFICIAL INTELLIGENCE BOT FOR DATA SECURITY CORRELATIONS

Non-Final OA §103
Filed: Apr 30, 2024
Examiner: ZHENG, BIN QING
Art Unit: 2499
Tech Center: 2400 — Computer Networks
Assignee: Cohesity Inc.
OA Round: 1 (Non-Final)

Grant Probability: 64% (Moderate)
OA Rounds: 1-2
Est. Remaining: 9m
With Interview: 99%

Examiner Intelligence

Career Allowance Rate: 64% (grants 64% of resolved cases; 25 granted / 39 resolved; +6.1% vs TC avg)
Interview Lift: +61.5% (strong), measured on resolved cases with an interview versus without
Typical timeline: 2y 10m average prosecution; 11 currently pending
Career history: 52 total applications across all art units

Statute-Specific Performance

§101: 2.1% (-37.9% vs TC avg)
§103: 86.5% (+46.5% vs TC avg)
§102: 4.2% (-35.8% vs TC avg)
§112: 7.3% (-32.7% vs TC avg)
Tech Center average is an estimate. Based on career data from 39 resolved cases.

Office Action

§103
DETAILED ACTION

This action is made in response to the communication filed on April 30, 2024. This action is made non-final. Claims 1-20 are pending. Claims 1, 9 and 17 are independent claims.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on October 10, 2025 is/are in compliance with the provisions of 37 CFR 1.97 and has/have been considered by the examiner.

Claim Objections

5. Claim 17 is objected to because of the following informalities: In claim 17, in line 1, “Non-transitory computer readable storage media…” should read “A non-transitory computer readable storage media…”. Appropriate correction is required.

Claim Rejections - 35 USC § 103

6. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

7. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

8. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

9. Claims 1, 2, 8, 9, 10 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Gechman et al. (US 2023/0259614 A1), hereafter Gechman, in view of Crabtree et al. (US 2022/0377093 A1), hereafter Crabtree. Noted that indicates what the cited art does not teach.

Regarding claim 1, Gechman teaches a method comprising: {Gechman [Para. 0059] “An example method 200 of malicious activity detection in data stored in memory associated with one or more computer programs executed by a host device.”}

determining, by a data platform implemented by a computing system, a plurality of tags for a snapshot executed by the data platform; {Gechman [Para. 003, Fig. 1B:146] “Data extraction logic 146 can obtain a snapshot of the data or a series of snapshots of the data stored in host physical memory 148 via host interface 120. Each snapshot represents the data at a point in time. Data extraction logic 146 has feature extraction logic to extract one or more features and send the extracted features to ML detection system 134 instead of extracted data 147. For example, data extraction logic 146 can extract a candidate URL out of extracted data 147 and send the candidate URL to ML detection system 134.”} Gechman’s system includes a data extraction logic 146 that extracts features from a snapshot. Para. 66 details data recorded by the data extraction logic 146 for the snapshot.

detecting, by the data platform, an indication of a security breach relating to the snapshot; {Gechman [Para. 0035, Fig. 1B:144 in combination with 136-142] “Data extraction logic 146 extracts and sends a series of snapshots to ML detection system 134, and ML detection system 134 includes feature extraction logic 144 to extract a set of features from different process plugins such as memory plugins. Feature extraction logic 144 extracts a set of features from different memory plugins from each snapshot of the series of snapshots. Extract features are fed into ransomware detection system 136…. The random-forest classification model can be a time-series-based model trained to classify a process as ransomware or non-ransomware using cascading of different numbers of snapshots in the series of snapshots.” [Para. 0036] “The set of features includes words in a candidate URL and numeric features of a URL structure of the candidate URL. Feature extraction logic 144 can extract the words and numeric features of the candidate URL and tokenize the words into tokens. Malicious URL detection system 138 includes a binary classification model trained to classify the candidate URL as malicious or benign using the set of features.”} ML detection system 134 includes a feature extraction logic 144 that extracts features from memory plugins in each snapshot. Paragraphs 36-38, 65, 67-73, 89-91 detail features extracted by the feature extraction logic 144 that may indicate a security breach.

processing, by the data platform and using one or more machine learning models, a plurality of attributes of the security breach and the plurality of tags to identify a potential compromise of the snapshot; {Gechman [Para. 0038] “ML detection system 134 can output an indication 149 of classification by ML detection system 134. Indication 149 can be an indication of ransomware, an indication of malicious URL, an indication of DGA domain, an indication that one or more computer programs executed by host device 104 are subject to malicious activity, an indication of classification by other malware detection systems 142, or the like.”} Also see para. 35-37. ML detection system outputs an indication, signifying a ransomware, a malicious URL, a DGA domain, or that one or more programs on a host device are involved in malicious activity.

processing, by the data platform and using the one or more machine learning models, at least the plurality of attributes to generate an actionable prompt including a natural language description of at least one security response; {Gechman [Para. 38, Fig. 1B: 151] “ML detection system 134 can output an indication 149 of classification by ML detection system 134. Indication 149 can be an indication of ransomware, an indication of malicious URL, an indication of DGA domain,… ML detection system 134 can send indication 149 to hardware-accelerated security service 122, and hardware-accelerated security service 122 can send an alert 151 to SIEM or XDR system 106. Alert 151 can include information about ransomware, malicious URLs, DGA domains, or the like.”} ML detection system 134 generates and sends an indication 149 to security service 122. The security service 122 then sends an alert 151 to a SIEM or XDR system. Alert 151 includes information about ransomware and malicious URLs.

and outputting, by the data platform, the actionable prompt. {Gechman [Para. 38, Fig. 1B: 151] “Hardware-accelerated security service 122 can send an alert 151 to SIEM or XDR system 106. Alert 151 can include information about ransomware, malicious URLs, DGA domains, or the like.” [Para. 0082] “Ransomware detection system 136, using random-forest classification model 300, classifies one or more processes as ransomware or non-ransomware and outputs an indication of ransomware 305 to SIEM or XDR system 106 for further actions by SIEM or XDR system 106. SIEM or XDR system 106 can monitor and show results of classifications of ransomware, such as on a dashboard displayed to a user or operator of SIEM or XDR system 106.”} Security service 122 sends an alert 151 to a SIEM or XDR system. Alert 151 includes information about ransomware and malicious URLs.

However, Gechman does not teach processing, by the data platform and using the one or more machine learning models, at least the plurality of attributes to generate an actionable prompt including a natural language description of at least one security response; and outputting, by the data platform, the actionable prompt.

However, Crabtree teaches processing, by the data platform and using the one or more machine learning models, at least the plurality of attributes to generate an actionable prompt including a natural language description of at least one security response; and outputting, by the data platform, the actionable prompt. {Crabtree [Para. 0062] “The system supports the use of various statistical and machine learning (ML) type methods for suspicious pattern recognition and alerting.” [Para. 0080] “When suspicious activity at a level signifying an attack is determined, the system issues action-focused alert information to all predesignated parties specifically tailored to their roles in attack mitigation or remediation and formatted to provide predictive attack modeling based upon historic, current, and contextual attack progression analysis such that human decision makers can rapidly formulate the most effective courses of action at their levels of responsibility in command of the most actionable information with as little distractive data as possible. The system then issues defensive measures in the most actionable form to end the attack with the least possible damage and exposure.”} Also see para. 83. Upon detecting a cyberattack, Crabtree’s cyber decision platform alerts relevant users and provides actionable, best-practice recommendations to mitigate damage. Once the user selects the appropriate remediation, the platform executes these measures to minimize impact.

Crabtree is analogous art because each of Gechman and Crabtree pertains to deploying machine learning models for ransomware detection. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gechman to include Crabtree’s teaching of the elements of claim 1, listed above. Doing so would “effectively reduce the probability of a cyberattack and to significantly and most cost effectively mitigate data exposure and loss in the event of attack” (Crabtree, para. 0081).

Claim 2: Regarding claim 2, Gechman and Crabtree teach the elements of claim 1 as stated. However, Gechman does not teach receiving, by the data platform and from a user, a response to the actionable prompt; and performing, by the data platform, the at least one security response based on the response.

However, Crabtree teaches receiving, by the data platform and from a user, a response to the actionable prompt; and performing, by the data platform, the at least one security response based on the response. {Crabtree [Para. 0080] “The system issues action-focused alert information to all predesignated parties specifically tailored to their roles in attack mitigation or remediation and formatted to provide predictive attack modeling based upon historic, current, and contextual attack progression analysis such that human decision makers can rapidly formulate the most effective courses of action at their levels of responsibility in command of the most actionable information with as little distractive data as possible. The system then issues defensive measures in the most actionable form to end the attack with the least possible damage and exposure.”} Upon detecting a cyberattack, Crabtree’s system alerts relevant users and provides actionable, best-practice recommendations to mitigate damage. Once the user selects the appropriate remediation, the platform executes these measures to minimize impact.

Crabtree is analogous art because each of Gechman and Crabtree pertains to deploying machine learning models for detecting ransomware. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gechman to include Crabtree’s teaching of the limitations of claim 2, listed above. Doing so “enables proactive and high-speed reactive defense capabilities against a variety of cyberattack threats” (Crabtree, para. 0120).

Claim 8: Regarding claim 8, Gechman and Crabtree teach the elements of claim 1 as stated. Gechman further teaches wherein processing the plurality of attributes of the security breach and the plurality of tags to identify the potential compromise of the snapshot comprises determining, by the data platform and using the machine learning model, an intent to compromise the snapshot based on the plurality of attributes and the plurality of tags. {Gechman [Para. 0062] “The processing logic obtains a series of snapshots of the data stored in the memory, each snapshot representing the data at a point in time. The processing logic extracts a set of features from different memory plugins from each snapshot of the series of snapshots. The processing logic determines whether the malicious activity is caused by ransomware using a random-forest classification model of the ML detection system. The random-forest classification model can be a time-series-based model trained to classify the process as ransomware or non-ransomware using cascading of different numbers of snapshots in the series of snapshots…”} The system uses a machine learning model to identify ransomware and its malicious intent. By analyzing feature sets from snapshots, the model distinguishes ransomware from benign behavior, determining an intent to compromise data.

Claims 9, 10 and 16: Regarding claims 9, 10 and 16, the claims are directed to a computer system that implements the method recited by claims 1, 2 and 8. Therefore, the rejection applied to claims 1, 2 and 8 also applies to claims 9, 10 and 16. Claims 1, 2 and 8 are rejected under the same rationale as claims 9, 10 and 16. Claim 9 further recites a computing system comprising: a memory storing instructions; and processing circuitry that executes the instructions to: implement the method recited by claim 1. {Gechman [Para. 0131] “A process such as those processes described herein is performed under control of one or more computer systems configured with executable instructions and is implemented as code (e.g., executable instructions…) executing collectively on one or more processors, by hardware or combinations thereof. Code is stored on a computer-readable storage medium, for example, in form of a computer program comprising a plurality of instructions executable by one or more processors.”}

Claims 17 and 18: Regarding claims 17 and 18, the claims are directed to a non-transitory computer-readable storage media comprising instructions that, when executed, cause processing circuitry of a computer system to: implement the method recited by claims 1 and 2. Therefore, the rejection applied to claims 1 and 2 also applies to claims 17 and 18. Claims 17 and 18 are rejected under the same rationale as claims 1 and 2. Claim 17 further recites a non-transitory computer-readable storage media comprising instructions that, when executed, cause processing circuitry of a computing system to: implement the method recited by claim 1. {Gechman [Para. 0131] “Code (e.g., executable code) is stored on a set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, when executed by one or more processors of a computer system, cause a computer system to perform operations described herein.”}

10. Claims 3, 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Gechman and Crabtree as applied to claims 1, 2, 9, 10 and 17, and further in view of Herman et al. (US 2020/0042703 A1), hereafter Herman.

Regarding claim 3, Crabtree teaches the elements of claim 2 as outlined above. However, Gechman and Crabtree do not teach wherein the at least one security response includes blocking a backup of the snapshot.

However, Herman teaches wherein the at least one security response includes blocking a backup of the snapshot. {Herman [Para. 0021] “In FIG. 1, if the exemplary anomaly-based ransomware detector 200 detects ransomware in one or more encrypted files 128, the anomaly-based ransomware detector 200 provides one or more anomaly alert(s) 170 to the backup agent 120 executing on the customer equipment 110. Likewise, if the exemplary anomaly-based ransomware detector 200 does not detect ransomware in one or more encrypted files 128, the anomaly-based ransomware detector 200 provides an approve backup storage flag 175 to the one or more backup repositories 180, so that the corresponding encrypted files 128 can be stored in the backup repository 180.” [Para. 0023] “The exemplary anomaly-based ransomware detector 200 monitors important sectors of the encrypted files 128 sent to the exemplary backup service provider equipment 140, such as file extensions, snapshot files characteristics... The anomaly-based ransomware detector 200 optionally employs machine learning techniques to detect more general anomaly behavior.” [Para. 0040] “Generally, snapshot files sent to the exemplary backup service provider 140 represent a point in time and therefore are not supposed to be sent more than once.”} Also see para. 41. Herman discloses a ransomware detector that evaluates whether encrypted files (including snapshots) are compromised. If no ransomware is detected, the system sends an approval flag to the backup repository, allowing the files to be stored. Conversely, if ransomware is detected, the approval flag is withheld, preventing the compromised snapshot from being backed up.

Herman is analogous art because each of Gechman, Crabtree and Herman pertains to implementing a machine learning model for threat detection. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gechman and Crabtree to include Herman’s teaching of a security response that includes blocking a backup of a snapshot. Doing so “can add another layer of safety and accuracy” (Herman, para. 0023) to machine learning models designed to detect ransomware within encrypted files, such as snapshots.

Claim 11: Regarding claim 11, the claim is directed to a computer system that implements the method recited by claim 3. Therefore, the rejection applied to claim 3 also applies to claim 11. Claim 3 is rejected under the same rationale as claim 11.

Claim 19: Regarding claim 19, the claim is directed to a computer system that implements the method recited by claim 3. Therefore, the rejection applied to claim 3 also applies to claim 19. Claim 3 is rejected under the same rationale as claim 19.

11. Claims 4 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Gechman and Crabtree as applied to claims 1, 2, 9 and 10, and further in view of Kuperman et al. (US 2022/0198322 A1), hereafter Kuperman.

Regarding claim 4, Crabtree teaches the element of claim 2 as outlined above. However, Gechman and Crabtree do not teach training, by the data platform, the one or more machine learning models with a data set including at least a security knowledgebase and the response to the actionable prompt.

However, Kuperman teaches further comprising training, by the data platform, the one or more machine learning models with a data set including at least a security knowledgebase and the response to the actionable prompt. {Kuperman [Para. 0038] “To train new models 230, problems 225 are obtained and arranged into a subset of problems 225a for training and a subset of images 225b for validation/testing… The subset of problems 225a are acquired from a data storage structure such as a database, an SIEM or SOAR solution, or the like associated with the one or more detectors. The subset of problems 225a are annotated with labels 250. Annotation can be performed manually by one or more humans (annotators such as a security team member) confirming the response that should be performed in response to each problem within the subset of problems 225a and providing labels 250 to the problems.” [Para. 0045] “(ii) a testing mode in which the response recommender 255 infers a response for a given problem 225 within an active learning environment in which the response recommender 255, prior to selection of a responder, queries a user (e.g., a security team member) and/or the monitor/analyzer 265 to accept or reject the inferred response (and optionally provide a correct or groundtruth response in the instance of the rejection of the inferred response). The acceptance or rejection of the inferred response (and optionally the provided correct or groundtruth response) are used to generate and provide the labels 250 for retraining or continuous training of the models 235; 240; 245.”} Also see para. 46 and 47 for more details about the training process for training the local and global models. Kuperman discloses an incident response system that detects security incidents and generates remediation actions. Problems 225 are security incidents (see para. 23). Security incidents from a SIEM or SOAR solution exemplify a dataset from a security knowledgebase. The system also trains the models using user feedback on the security responses generated by the response recommender.

Kuperman is analogous art because each of Gechman, Crabtree and Kuperman pertains to generating incident responses. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gechman and Crabtree to include Kuperman’s teaching of training machine learning models with a data set including at least a security knowledgebase and the response to an actionable prompt. Doing so enables automated incident remediation, eliminating the delays and disconnects associated with traditional security responses, such as those disclosed in para. 0033 of Kuperman.

Claim 12: Regarding claim 12, the claim is directed to a computer system that implements the method recited by claim 3. Therefore, the rejection applied to claim 3 also applies to claim 12. Claim 3 is rejected under the same rationale as claim 12.

12. Claims 5, 13, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Gechman and Crabtree as applied to claims 1, 9 and 17 and further in view of Brandwine (US 12,197,578 B1), hereafter Brandwine.

Regarding claim 5, Gechman and Crabtree teach the elements of claim 1 as stated. Gechman further teaches determining, by the data platform, a confidence indicator for the potential compromise; {Gechman [Para. 0079] “Ransomware detection system 136 can output an indication of ransomware 305 responsive to the process being classified as ransomware 307. The indication of ransomware 305 can specify a level of confidence that the process corresponds to the ransomware class.” [Para. 0076] “The level of confidence can be a prediction percentage of being ransomware.”} The ransomware detection system produces an output specifying a confidence metric (e.g., confidence percentage) that the identified process is ransomware.

However, Gechman and Crabtree do not teach responsive to determining the confidence indicator is below a threshold confidence level, selecting, by the data platform and based on the potential compromise, a security microservice from a plurality of security microservices; and including, by the data platform, security information from the security microservice in the plurality of attributes.

However, Brandwine teaches determining, by the data platform, a confidence indicator for the potential compromise; {Brandwine [Col. 24, line 5-21] “Sending, to a security posture management service of a cloud provider, data indicating detection of the potential ransomware attack; determining, based on the data indicating detection of the potential ransomware attack, a first likelihood that an actual ransomware attack is occurring, wherein the first likelihood is below a threshold likelihood used to determine when to generate an alert;”} The system determines an initial likelihood of a ransomware attack based on data indicating a potential threat.

responsive to determining the confidence indicator is below a threshold confidence level, selecting, by the data platform and based on the potential compromise, a security microservice from a plurality of security microservices; and including, by the data platform, security information from the security microservice in the plurality of attributes. {Brandwine [Col. 24, line 5-21] “Determining, based on the data indicating detection of the potential ransomware attack, a first likelihood that an actual ransomware attack is occurring, wherein the first likelihood is below a threshold likelihood used to determine when to generate an alert; determining, based on the data indicating detection of the potential ransomware attack and security findings related to the computer system, a second likelihood that an actual ransomware attack is occurring, wherein the second likelihood is above the threshold likelihood used to determine when to generate an alert, and wherein the security findings include data derived from at least one of: network flow logs, DNS logs, or account activity logs; and generating the alert.” [Col. line 15, col. 12-33] “A security posture analyzer 148 analyzes the I/O activity data 146 optionally in combination with other security findings 138 related to the computer system 114. A security posture management service 136 can be configured to collect security findings 138 from a number of sources including, e.g., threat detection service data 140, firewall management service data 142, systems management service data 144, and the like. These data sources can include network flow logs, DNS logs, account activity log, and other information reflecting activity caused by or involving a computer system 114. The security posture analyzer 148 can then determine a likelihood of whether the I/O activity actually reflects a ransomware attack or other type of intentional malicious activity, e.g., based on other security findings 138 indicating that a malicious process was detected.”} The system calculates an initial ransomware likelihood based on preliminary threat indicators. If the initial ransomware likelihood falls below the alert threshold, the system calculates a second, higher likelihood by incorporating specific security findings. These findings, which include data on malicious processes and suspicious system actions, are derived from additional sources to enrich the breach attributes.

Brandwine is analogous art because each of Gechman, Crabtree and Brandwine pertains to implementing threat detection. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gechman and Crabtree to include Brandwine’s teaching of the limitations of claim 5, listed above. Doing so “improves the security and data availability of computer systems provided to users of a cloud provider” (Brandwine, col. 3, line 6-10).

However, Brandwine does not teach selecting, by the data platform and based on the potential compromise, a security microservice from a plurality of security microservices; and including, by the data platform, security information from the security microservice in the plurality of attributes.

However, Ahuja teaches selecting, by the data platform and based on the potential compromise, a security microservice from a plurality of microservices. {Ahuja [Para. 0029] “Network security system is placed in-line to inspect traffic, and potentially intercept a threat before it arrives at, or leaves, the datacenter. Hardware processor 102 then executes various data security microservices on the data. Typically traffic first passes into and through a segment microservice, then a TCP/IP inspection microservice, then an SSL microservice, then a DPI microservice, then a NOX microservice, and then a DLP microservice… Datapath microservices as used herein refer to various microservices that inspect and analyze network traffic, such as TCP, TLS, DPI, NOX, or DLP… DPI microservice, for example, refers to Deep Packet Inspection microservice and handles layer 7 inspection… DLP microservice, for example, refers to Data Loss Prevention microservice, which detects and prevents data loss. Threats detected by the aforementioned microservices will be reported to a chassis controller microservice, which takes remedial action.”} Ahuja deploys security microservices to detect threats. The Data Loss Prevention (DLP) security microservice exemplifies a data-centric threat scan microservice.

Ahuja is analogous art because each of Gechman, Crabtree, Brandwine and Ahuja pertains to implementing threat detection. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gechman, Crabtree and Brandwine to include Ahuja’s teaching of deploying security microservices to detect threats. Doing so “enhances the security of, a datacenter” (Ahuja, para. 0026) and “allowing scaling across the entirety of the datacenter network routable” (Ahuja, para. 0077).

Claim 13: Regarding claim 13, the claim is directed to a computer system that implements the method recited by claim 5. Therefore, the rejection applied to claim 5 also applies to claim 13. Claim 5 is rejected under the same rationale as claim 13.

Claim 14: Regarding claim 14, Gechman, Brandwine and Ahuja teach the elements of claim 13 as outlined above. However, Gechman, Crabtree and Brandwine do not teach wherein the plurality of security microservices are one or more of: a ransomware detection microservice, a threat scan microservice, a data classification microservice, or a data security posture management (DSPM) microservice.

However, Ahuja teaches wherein the plurality of security microservices are one or more of: a threat scan microservice. {Ahuja [Para. 0029] “Hardware processor 102 then executes various data security microservices on the data. Datapath microservices as used herein refer to various microservices that inspect and analyze network traffic, such as TCP, TLS, DPI, NOX, or DLP… DPI microservice, refers to Deep Packet Inspection microservice and handles layer 7 inspection… DLP microservices, refers to Data Loss Prevention microservice, which detects and prevents data loss. Threats detected by the aforementioned microservices will be reported to a chassis controller microservice.”} Ahuja deploys security microservices to detect threats. The DLP security microservice exemplifies a data-centric threat scan microservice.

Ahuja is analogous art because each of Gechman, Crabtree, Brandwine and Ahuja pertains to implementing threat detection. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gechman, Crabtree and Brandwine to include Ahuja’s teaching of deploying a threat scan microservice. Doing so “enhances the security of, a datacenter” (Ahuja, para. 0026) and “allowing scaling across the entirety of the datacenter network routable” (Ahuja, para. 0077).

Claim 20: Regarding claim 20, the claim is directed to a non-transitory computer-readable storage media comprising instructions that, when executed, cause processing circuitry of a computer system to: implement the method recited by claim 5. Therefore, the rejection applied to claim 5 also applies to claim 20. Claim 5 is rejected under the same rationale as claim 20.

13. Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Gechman and Crabtree as applied to claims 1 and 9, and further in view of Gee et al. (US 2023/0144069 A1), hereafter Gee.

Regarding claim 7, Gechman and Crabtree teach the elements of claim 1 as stated. Gechman and Crabtree do not teach wherein the plurality of tags are one or more of: an indication of compromise of the snapshot, an indication of sensitive data in the snapshot, or a data security posture management (DSPM) evaluation.

However, Gee teaches wherein the plurality of tags are one or more of: an indication of compromise of the snapshot. {Gee [Para. 0069] “Malware engine 502 detects indicators of compromise that is present on a snapshot of an object (e.g., virtual machine, file system) that shows the snapshot may have been compromised by malware.” [Para. 0070] “The detector 508 then scans the mounted snapshot using YARA rules 510 and/or hashes 512 for malware.” [Para. 0071] “After a snapshot is determined to be infected based on the presence of an indicator of compromise (e.g., matching hash and/or satisfied YARA rule), the GUI 524 can display an interface showing infected versus non-infected snapshots as in example interface 700.”} Gee’s system detects indicators of compromise (IOCs) within a snapshot, and quarantines the compromised snapshot (see para. 84 and 85).

Gee is analogous art because each of Gechman, Crabtree and Gee pertains to detecting ransomware. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gechman and Crabtree to include Gee’s teaching of a tag for a snapshot that is an indication of compromise of the snapshot. Doing so “enable an enterprise to quickly recover all protected objects to a safe copy,… cutting out the malware from IT infrastructure, and restoring the maximum amount of data possible” (Gee, para. 69).

Claim 15: Regarding claim 15, the claim is directed to a computer system that implements the method recited by claim 7. Therefore, the rejection applied to claim 7 also applies to claim 15. Claim 7 is rejected under the same rationale as claim 15.

14. Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Gechman and Crabtree as applied to claims 1 and 4, and further in view of McCarthy et al. (US 2024/0305664 A1), hereafter McCarthy.

Regarding claim 6, Kuperman teaches the elements of claim 4 as outlined above. However, Gechman, Crabtree and Kuperman do not teach wherein the plurality of security microservices are one or more of: a ransomware detection microservice, a threat scan microservice, a data classification microservice, or a data security posture management (DSPM) microservice.

However, McCarthy teaches wherein the plurality of security microservices are one or more of: a ransomware detection microservice. {McCarthy [Para. 0049] “Inputs can be received from the cybersecurity threat protection applications. The inputs can be received by a microservice. Discussed previously, the SOAR application microservice can handle threat detection, response generation, case tracking.” [Para. 0022] “The threat protection applications include endpoint protection, anti-phishing and antivirus tools, firewalls,… ransomware detection… A plurality of inputs is received from the cybersecurity threat protection applications, wherein the plurality of inputs is initiated by one or more cybersecurity events…. A computer platform is used to analyze the plurality of inputs from the cybersecurity threat protection applications … The inputs are forwarded to a security automation and response (SOAR) system running on a network-connected computer platform.”} McCarthy teaches a SOAR application microservice that detects ransomware as part of its threat detection capabilities.

McCarthy is analogous art because each of Gechman, Crabtree, Kuperman and McCarthy pertains to generating incident responses. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gechman, Crabtree and Kuperman to include McCarthy’s teaching of a ransomware detection microservice.
Doing so would “improve the performance of mitigation processes over time” (McCarthy, para. 22) Conclusion 15. Any inquiry concerning this communication or earlier communications from the examiner should be directed to BIN QING ZHENG whose telephone number is (703)756-1535. The examiner can normally be reached on M-F 9:30 am -5:30 pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip J. Chea can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /BIN QING ZHENG/ Examiner, Art Unit 2499 /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499

Prosecution Timeline

Apr 30, 2024: Application Filed
May 11, 2026: Non-Final Rejection mailed, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12634149: AUTHENTICATION METHOD AND APPARATUS FOR SATELLITE NAVIGATION MESSAGE AND CORRECTION MESSAGES (3y 1m to grant; granted May 19, 2026)
Patent 12615278: TECHNIQUES FOR FORENSIC TRACING OF SUSPICIOUS ACTIVITY FROM CLOUD COMPUTING LOGS (3y 4m to grant; granted Apr 28, 2026)
Patent 12602488: Identifying Security-Relevant Commits Through Architectural Context (2y 4m to grant; granted Apr 14, 2026)
Patent 12579249: SYSTEMS AND METHODS FOR AUTHENTICATION (3y 3m to grant; granted Mar 17, 2026)
Patent 12566863: VISUALIZATION OF SECURITY VULNERABILITIES (2y 10m to grant; granted Mar 03, 2026)
Based on the 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 64%
With Interview: 99% (+61.5%)
Median Time to Grant: 2y 10m (~9m remaining)
PTA Risk: Low
Based on 39 resolved cases by this examiner. Grant probability derived from career allowance rate.
