DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
The amendments filed on November 18, 2025 have been entered.
Claims 1, 6-10, and 12-13 have been amended.
Applicant’s amendment and response to the claims are sufficient to overcome the 35 USC § 112(a) rejection, the 35 USC § 112(b) rejection, and the claim objection set forth in the previous office action. The examiner has withdrawn those rejections and the objection.
Response to Arguments
Applicant's arguments filed on November 18, 2025, have been fully considered, but they are moot in view of the new grounds of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-7 and 9-16 are rejected under 35 U.S.C. 103 as being unpatentable over Guri et al. (Pub. No. US 2019/0332766), hereinafter Guri; Venkatachalam et al. (Pub. No. US 2023/0078476), hereinafter Venkatachalam; and in further view of Rajasekharan et al. (Pub. No. US 2019/0042744), hereinafter Rajasekharan.
Claim 1. Guri discloses a computer-implemented method for terminating ransomware based on detection of anomalous data (See Parag. [0002]; detecting and/or neutralizing malware or other security threats on computer systems, such as ransomware. See also Parag. [0045]), comprising:
generating, by one or more hardware processors, first data associated with the anomalous data based on analysis of registry data in one or more computing devices (See Parag. [0071-0072]; at step 304, one or more file access operations are determined to be performed with respect to at least one of the one or more decoy files. For example, with reference to FIG. 4, operation monitor 406 monitors decoy file(s) 416 to determine file access operation(s) 403 are being performed with respect thereto. Operation monitor 406 may use hooking techniques to hook procedure calls issued to decoy file(s) 216. At step 306, the one or more file access operations are analyzed to determine whether the one or more file access operations originate from a malicious process. Operation monitor 406 may send a request 405 to operation analyzer 408 that includes information specifying file access operation(s) 403 that were detected by operation monitor 406. Operation analyzer 408 may analyze the file access operation(s) to determine whether file access operation(s) 403 originate from a malicious process (e.g., process 420));
retrieving, by the one or more hardware processors, Process IDs (PIDs) from at least one of a: Process ID (PID) Filter and Process ID (PID) Fetch associated with the first data and the second data to initiate a ransomware termination process (See Parag. [0060]; Operation analyzer 208 may analyze the file access operation(s) to identify a pattern associated with the file access operation(s). Operation analyzer 208 may apply the rule(s) to the identified pattern to determine whether the file access operation(s) originate from a non-malicious process or a malicious process …); and
terminating, by the one or more hardware processors, the retrieved Process IDs (PIDs) from at least one of the: Process ID (PID) Filter and Process ID (PID) Fetch to terminate the ransomware based on detection of the anomalous data from the one or more computing devices (See Parag. [0076]; at step 308, in response to determining that the one or more file access operations originate from the malicious process, an action is performed to neutralize the malicious process. In accordance with an embodiment, comprises one or more of terminating the malicious process, suspending the malicious process ...).
Guri doesn’t explicitly disclose detecting, by the one or more hardware processors, ransomware modifications to at least one of: a Volume Shadow Copy Service (VSS) registry key, a Restart Manager registry key, Windows Script File (WSF) registry keys, a FileExts registry key, a Run registry key, a RunOnce registry key, MuiCache registry key and a WindowsSearch registry key; generating, by the one or more hardware processors, second data associated with the anomalous data based on analysis of one or more trap files associated with one or more directory files in the one or more computing devices, wherein the analysis comprising: applying, by the one or more hardware processors, data-mining models to extract frequent and low-frequency file-access patterns from historical file-modification data, and detecting, by the one or more hardware processors, directory paths having at least one of: a low access frequency and high order of file modification as potential trap-file locations.
However, Venkatachalam discloses detecting, by the one or more hardware processors, ransomware modifications to at least one of: a Volume Shadow Copy Service (VSS) registry key, a Restart Manager registry key, Windows Script File (WSF) registry keys, a FileExts registry key, a Run registry key, a RunOnce registry key, MuiCache registry key and a WindowsSearch registry key (See Parag. [0077]; Detection engine 130 receives event sequences from event reader 125 (step 405). Per decision 410, events consistent with ransomware behavior are passed to decision 415 where they are analyzed for signals of a path-traversal attack. See Parag. [0081]; A malware VSS operation requester 520 can issue file deletion requests to VSS 520 using e.g. command-line instructions via an administrative process vssadmin.exe 525, code or script via a utility process wmic.exe 530, or directly via the COM API 535),
wherein the analysis comprising: applying, by the one or more hardware processors, data-mining models to extract frequent and low-frequency file-access patterns from historical file-modification data (See Parag. [0015-0019]; Behavioral detection unit 200 identifies behavioral patterns in event sequences for each process under consideration. These behavioral patterns include: [0016] ORIGINAL_FILE_OVERWRITE, ORIGINAL_FILE_DELETED_AND_NEW_ENCRYPTED_FILE_CREATED, The ORIGINAL_FILE_OVERWRITE_AND_RENAMED, ORIGINAL_FILE_RENAMED_AND_OVERWRITE … See Parag. [0024]; Behavioral detection unit 200 passes files whose event sequences have been determined to be a ransomware threat to file-traversal-information detection unit 205, which determines the information corresponding to the file traversal pattern using Application Program Interface (API) based traversal and/or New Technology File System (NTFS) based traversal. Detection unit 205 supports an algorithm that detects path-traversal attacks, which exploit security flaws associated with user-supplied file names), and
detecting, by the one or more hardware processors, directory paths having at least one of: a low access frequency and high order of file modification as potential trap-file locations (See Parag. [0029]; Whenever a file is modified by a process, true-root-path detection unit 210 looks up the path of the folder containing the file and compares this path with those of other files modified by the same process. See Parag. [0068]; True-root-folder detection unit 210 compare the true-root-path count with a root-path threshold. If the number is greater than the root-path threshold, then files associated with the process under considerations are suspected of to be or to be infected by malware).
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the teaching, taught by Guri, to include detecting ransomware modifications to a Volume Shadow Copy Service (VSS) registry key; applying data-mining models to extract frequent and low-frequency file-access patterns from historical file-modification data; and detecting directory paths having a low access frequency and high order of file modification as potential trap-file locations, as taught by Venkatachalam. This would be convenient for protecting computer systems from malware (Venkatachalam, Parag. [0001]).
Rajasekharan discloses generating, by the one or more hardware processors, second data associated with the anomalous data based on analysis of one or more trap files associated with one or more directory files in the one or more computing devices (See Parag. [0023]; The anomalous backup activity detection module 402, in an example embodiment, is configured to analyze the file backup metadata 142 generated from the client devices 120 to detect anomalous backup activity on each of the client devices 120. For example, the anomalous backup activity detection module 402 may view a sudden increase or decrease in the number of files (or the total size of files) to be backed up, or the number of files (or the total size of files) that were recently backed up, as an indication that a corresponding sudden change (e.g., addition, deletion, and/or modification) of files has occurred on the client device 120, thereby possibly indicating ransomware activity, such as the unauthorized encrypting of files on the client device 120).
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the teaching, taught by Guri in view of Venkatachalam, to include generating first data associated with the anomalous data based on analysis of registry data in one or more computing devices, as taught by Rajasekharan. This would be convenient for detecting the onset of a ransomware attack (Rajasekharan, Parag. [0001]).
Claim 2. Guri in view of Venkatachalam and Rajasekharan discloses the computer-implemented method of claim 1,
Rajasekharan further discloses wherein the first data generated upon detecting at least one of: key additions, value additions, and value updates in the registry data indicating a ransomware activity within a registry of the one or more computing devices (See Parag. [0023]; The anomalous backup activity detection module 402, in an example embodiment, is configured to analyze the file backup metadata 142 generated from the client devices 120 to detect anomalous backup activity on each of the client devices 120. For example, the anomalous backup activity detection module 402 may view a sudden increase or decrease in the number of files (or the total size of files) to be backed up, or the number of files (or the total size of files) that were recently backed up, as an indication that a corresponding sudden change (e.g., addition, deletion, and/or modification) of files has occurred on the client device 120, thereby possibly indicating ransomware activity, such as the unauthorized encrypting of files on the client device 120).
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the teaching, taught by Guri in view of Venkatachalam, to include wherein the first data generated upon detecting at least one of: key additions, value additions, and value updates in the registry data indicating a ransomware activity within a registry of the one or more computing devices, as taught by Rajasekharan. This would be convenient for detecting the onset of a ransomware attack (Rajasekharan, Parag. [0001]).
Claim 3. Guri in view of Venkatachalam and Rajasekharan discloses the computer-implemented method of claim 1,
Guri further discloses wherein the one or more trap files are produced based on at least one of: engaging a pre-existing one or more directory files and selecting additional trap files in the one or more directory files (See Parag. [0050]; decoy documents manager 202 is configured to create one or more decoy files 216 in one or more of director(ies) 210, which may comprise one or more other file(s) 212).
Claim 4. Guri in view of Venkatachalam and Rajasekharan discloses the computer-implemented method of claim 3,
Guri further discloses wherein the pre-existing one or more directory files comprises at least one of: system directories, user directories, and temporary directories to optimise the generation of the second data (See Parag. [0046]; Malicious process detector 114 may create one or more decoy files 116 in one or more of director(ies) 110. Examples of such directories include, but are not limited to, a default documents storage directory of operating system 106, directories that contain user, documents, spreadsheets, pictures, images, or any other directory maintained by file system 108).
Claim 5. Guri in view of Venkatachalam and Rajasekharan discloses the computer-implemented method of claim 1,
Guri further discloses wherein the second data is generated based on analysing the one or more trap files by detecting at least one of a: file write, file delete, and file rename operations indicative of the ransomware activity within the one or more computing devices, the second data is generated based on detecting at least one of the: file write, file delete, and file rename operations of at least two trap files of the one or more trap files for averting false positive alerts (See Parag. [0071-0072]; operation monitor 406 monitors decoy file(s) 416 to determine file access operation(s) 403 are being performed with respect thereto. In accordance with an embodiment, operation monitor 406 may use hooking techniques to hook procedure calls issued to decoy file(s) 216… the one or more file access operations are analyzed to determine whether the one or more file access operations originate from a malicious process. See Parag. [0074]; the pattern associated with the one or more file access operation(s) comprises a read operation to the decoy file or to a portion thereof and a write operation to the same decoy file or the same portion thereof).
Claim 6. Guri in view of Venkatachalam and Rajasekharan discloses the computer-implemented method of claim 1,
Guri further discloses the data mining models comprises at least one of: association rule mining, sequential pattern mining, and frequency rule mining to identify potential one or more trap file locations (See Parag. [0060]; Updateable knowledge base 224 may further maintain a set of rules (e.g., predetermined rules) that indicate which types of file access operations to decoy file(s) 216 (or patterns thereof) are illegal (i.e., issued from a malicious process) or legal (i.e., issued from a non-malicious process). Operation analyzer 208 may analyze the file access operation(s) to identify a pattern associated with the file access operation(s). Operation analyzer 208 may apply the rule(s) to the identified pattern to determine whether the file access operation(s) originate from a non-malicious process or a malicious process … See also Parag. [0079-0080]).
Claim 7. Guri in view of Venkatachalam and Rajasekharan discloses the computer-implemented method of claim 1,
Rajasekharan further discloses wherein the one or more hardware processors is configured with a time synchronization module, the time synchronization module configured to synchronise timestamps data associated with the first data and the second data to confirm the ransomware activity in the one or more computing devices, the timestamps data comprises a predetermined timeframe for receiving the second data upon receiving the first data, the predetermined timeframe being less than 10 seconds (See Parag. [0026-0027]; The anomalous backup activity detection module 402 may internally generate signals indicating potentially anomalous backup activity on a particular client device 120 and employ a sliding time-based window that triggers an anomalous backup activity event when a threshold number of signals have been generated. For instance, FIG. 5 is a set of graphs 511, 512, 513 illustrating an example method of detecting a file backup anomaly on a client device 120 based on separate anomaly signals 502. In graph 511, a plurality of anomaly signals 502 are generated. Each anomaly signal 502 may indicate the detection (e.g., based on a machine learning model) that a particular backup event has been detected as being potentially anomalous, such as a sudden increase in the number or overall size of files updated since the most recent backup operation on the corresponding client device 120. 
More generally, in example embodiments, changes in file backup activity that may be detected as anomalous include, but are not limited to, an increase in a total number of new files backed up, an increase in a total size of new files backed up, an increase in a total number of previously existing files backed up, an increase in a total size of previously existing files backed up, a decrease in the total number of files backed up, and a decrease in the total size of files backed up … The anomaly signals 502 may then be processed by way of a sliding time-based window 504 within which the number of anomaly signals 502 are counted to generate a combined anomaly signal 506, as shown in graph 512. If the combined anomaly signal 506 exceeds a threshold value 508 (e.g., 3.5), the anomalous backup activity detection module 402 may trigger an anomalous backup activity event 510, as depicted in graph 513).
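The sliding time-based window cited above from Rajasekharan (anomaly signals counted within a window, an event raised when the combined signal exceeds a threshold such as 3.5) is shown below as an added worked example; this is not code from Rajasekharan or from the application under examination. The signal source (a jump in the number of files queued for backup relative to a median baseline), the 300-second window, the sample backup history and all names are assumptions; the threshold 3.5 is the "e.g." value quoted in the passage.

```python
"""Sliding time-based window over anomaly signals.

Added illustration of the mechanism the cited passage describes; not
code from Rajasekharan or from the application under examination.
The signal source, the window length, the sample history and all
names are assumptions; the threshold 3.5 is the quoted e.g. value.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class AnomalySignal:
    time: float   # seconds since an arbitrary epoch (constructed)
    reason: str   # what looked anomalous, e.g. "new_file_count_increase"


# Constructed backup metadata: (time, number of files queued for backup).
# Six normal ten-minute backups, then a burst one minute apart.
SAMPLE_HISTORY: List[Tuple[float, int]] = [
    (0, 20), (600, 22), (1200, 19), (1800, 25), (2400, 21), (3000, 18),
    (3600, 800), (3660, 950), (3720, 1200), (3780, 1300),
]


def backup_count_signals(history: Sequence[Tuple[float, int]],
                         factor: float = 3.0,
                         baseline_len: int = 5) -> List[AnomalySignal]:
    """Emit one signal per observation whose file count exceeds `factor`
    times the median of the last `baseline_len` normal observations.
    Flagged observations are kept out of the baseline so that a burst
    cannot raise it (an assumption, not something the passage states)."""
    baseline: List[int] = []
    signals: List[AnomalySignal] = []
    for t, count in history:
        if (len(baseline) >= baseline_len
                and count > factor * median(baseline[-baseline_len:])):
            signals.append(AnomalySignal(t, "new_file_count_increase"))
        else:
            baseline.append(count)
    return signals


def combined_signal(signals: Sequence[AnomalySignal],
                    window: float) -> List[Tuple[float, int]]:
    """For each signal at time t, count the signals in (t - window, t].
    The result is the combined anomaly signal sampled at signal times."""
    times = sorted(s.time for s in signals)
    out: List[Tuple[float, int]] = []
    start = 0  # index of the oldest signal still inside the window
    for i, t in enumerate(times):
        while times[start] <= t - window:
            start += 1
        out.append((t, i - start + 1))
    return out


def first_event(signals: Sequence[AnomalySignal], window: float,
                threshold: float = 3.5) -> Optional[float]:
    """Time at which the combined signal first exceeds `threshold`,
    i.e. when an anomalous backup activity event would be raised;
    None if the threshold is never crossed."""
    for t, count in combined_signal(signals, window):
        if count > threshold:
            return t
    return None


if __name__ == "__main__":
    sigs = backup_count_signals(SAMPLE_HISTORY)
    print("signal times:", [s.time for s in sigs])
    print("event, 300 s window:", first_event(sigs, 300))
    print("event, 100 s window:", first_event(sigs, 100))
```

With the constructed history the four burst observations each produce a signal; a 300-second window holds all four at the fourth signal, so the combined signal (4) exceeds 3.5 and the event fires at t = 3780, whereas a 100-second window never holds more than two signals and no event fires. The window length therefore trades detection latency against the number of isolated signals tolerated.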
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the teaching, taught by Guri, to include wherein the decision generating subsystem is configured with a time synchronization module, the time synchronization module configured to synchronise timestamps data associated with the first data and the second data to confirm the ransomware activity in the one or more computing devices, the timestamps data comprises a predetermined timeframe for receiving the second data upon receiving the first data, the predetermined timeframe ranges between 3 seconds and 10 seconds, as taught by Rajasekharan. This would be convenient for detecting the onset of a ransomware attack (Rajasekharan, Parag. [0001]).
Claim 9. Guri in view of Venkatachalam and Rajasekharan discloses the computer-implemented method of claim 1,
Guri further discloses wherein the one or more hardware processors comprises a prioritization module, the prioritization module configured to prioritize the termination of the Process IDs (PIDs) from at least one of the: Process ID (PID) Filter and Process ID (PID) Fetch based on acuteness parameters of the ransomware activity (See Parag. [0076]; at step 308, in response to determining that the one or more file access operations originate from the malicious process, an action is performed to neutralize the malicious process. In accordance with an embodiment, comprises one or more of terminating the malicious process, suspending the malicious process ... See Parag. [0059]; operation analyzer 208 may access updateable knowledge base 224. Updateable knowledge base 224 may comprise a data store (e.g., a database) that stores one or more decoy file identifiers that each represent a particular decoy file of decoy file(s) 216. The identifier may be the file name of the decoy file, the directory path of the decoy file, a tag representative of the decoy file and/or the like).
Claim 10. Guri discloses a computer-implemented system for terminating ransomware based on detection of anomalous data (See Parag. [0002]; detecting and/or neutralizing malware or other security threats on computer systems, such as ransomware. See also Parag. [0045]), comprising:
one or more hardware processors operatively connected to one or more computing devices; a computer readable storage unit operatively connected to the one or more hardware processors, wherein the computer readable storage unit comprises a set of program instructions in form of a plurality of subsystems, configured to be executed by the one or more hardware processors (See Parag. [0026]; one or more processors and a memory coupled to the one or more processors, the memory storing instructions, which, when executed by one or more processors, cause the one or more processors to perform operations), wherein the plurality of subsystems comprises:
a file trap monitoring subsystem configured to generate second data associated with the anomalous data based on analysing one or more trap files associated with one or more directory files in the one or more computing devices (See Parag. [0071-0072]; at step 304, one or more file access operations are determined to be performed with respect to at least one of the one or more decoy files. For example, with reference to FIG. 4, operation monitor 406 monitors decoy file(s) 416 to determine file access operation(s) 403 are being performed with respect thereto. Operation monitor 406 may use hooking techniques to hook procedure calls issued to decoy file(s) 216. At step 306, the one or more file access operations are analyzed to determine whether the one or more file access operations originate from a malicious process. Operation monitor 406 may send a request 405 to operation analyzer 408 that includes information specifying file access operation(s) 403 that were detected by operation monitor 406. Operation analyzer 408 may analyze the file access operation(s) to determine whether file access operation(s) 403 originate from a malicious process (e.g., process 420)),
a decision generating subsystem configured to initiate a ransomware termination process upon retrieving Process IDs (PIDs) from at least one of a: Process ID (PID) Filter and Process ID (PID) Fetch associated with the first data and the second data (See Parag. [0060]; Operation analyzer 208 may analyze the file access operation(s) to identify a pattern associated with the file access operation(s). Operation analyzer 208 may apply the rule(s) to the identified pattern to determine whether the file access operation(s) originate from a non-malicious process or a malicious process …); and
a termination subsystem configured to terminate the retrieved Process IDs (PIDs) from at least one of the: Process ID (PID) Filter and Process ID (PID) Fetch for terminating the ransomware based on detection of the anomalous data from the one or more computing devices (See Parag. [0076]; at step 308, in response to determining that the one or more file access operations originate from the malicious process, an action is performed to neutralize the malicious process. In accordance with an embodiment, comprises one or more of terminating the malicious process, suspending the malicious process ...).
Guri doesn’t explicitly disclose a registry activity monitoring subsystem configured to generate first data associated with the anomalous data based on analysing registry data in the one or more computing devices, wherein the registry activity monitoring subsystem is configured to detect ransomware modifications to at least one of: a Volume Shadow Copy Service (VSS) registry key, a Restart Manager registry key, Windows Script File (WSF) registry keys, a FileExts registry key, a Run registry key, a RunOnce registry key, MuiCache registry key and a WindowsSearch registry key; wherein the file trap monitoring subsystem is configured to: apply data-mining models to extract frequent and low-frequency file-access patterns from historical file-modification data, and detect directory paths having at least one of: a low access frequency and high order of file modification as potential trap-file locations.
However, Venkatachalam discloses wherein the registry activity monitoring subsystem is configured to detect ransomware modifications to at least one of: a Volume Shadow Copy Service (VSS) registry key, a Restart Manager registry key, Windows Script File (WSF) registry keys, a FileExts registry key, a Run registry key, a RunOnce registry key, MuiCache registry key and a WindowsSearch registry key (See Parag. [0077]; Detection engine 130 receives event sequences from event reader 125 (step 405). Per decision 410, events consistent with ransomware behavior are passed to decision 415 where they are analyzed for signals of a path-traversal attack. See Parag. [0081]; A malware VSS operation requester 520 can issue file deletion requests to VSS 520 using e.g. command-line instructions via an administrative process vssadmin.exe 525, code or script via a utility process wmic.exe 530, or directly via the COM API 535);
wherein the file trap monitoring subsystem is configured to: apply data-mining models to extract frequent and low-frequency file-access patterns from historical file-modification data (See Parag. [0015-0019]; Behavioral detection unit 200 identifies behavioral patterns in event sequences for each process under consideration. These behavioral patterns include: [0016] ORIGINAL_FILE_OVERWRITE, ORIGINAL_FILE_DELETED_AND_NEW_ENCRYPTED_FILE_CREATED, The ORIGINAL_FILE_OVERWRITE_AND_RENAMED, ORIGINAL_FILE_RENAMED_AND_OVERWRITE … See Parag. [0024]; Behavioral detection unit 200 passes files whose event sequences have been determined to be a ransomware threat to file-traversal-information detection unit 205, which determines the information corresponding to the file traversal pattern using Application Program Interface (API) based traversal and/or New Technology File System (NTFS) based traversal. Detection unit 205 supports an algorithm that detects path-traversal attacks, which exploit security flaws associated with user-supplied file names), and
detect directory paths having at least one of: a low access frequency and high order of file modification as potential trap-file locations (See Parag. [0029]; Whenever a file is modified by a process, true-root-path detection unit 210 looks up the path of the folder containing the file and compares this path with those of other files modified by the same process. See Parag. [0068]; True-root-folder detection unit 210 compare the true-root-path count with a root-path threshold. If the number is greater than the root-path threshold, then files associated with the process under considerations are suspected of to be or to be infected by malware).
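The true-root-path count cited above from Venkatachalam (for the claim 1 and claim 10 rejections: the folder of each file a process modifies is compared with the folders of the other files the same process modified, and a count above a root-path threshold makes the process suspect) is shown below as an added worked example; it is not code from Venkatachalam or from the application under examination. The notion of "true root" used here (a modified folder that is not inside another folder the same process already modified), the threshold value, the sample events and all names are assumptions.

```python
"""True-root-path counting for process-level ransomware suspicion.

Added illustration of the mechanism the cited Venkatachalam passages
describe; not code from Venkatachalam or from the application under
examination. The definition of a true root, the threshold and the
sample events are assumptions.
"""
from pathlib import PureWindowsPath
from typing import Dict, List, Sequence, Set, Tuple


class TrueRootPathDetector:
    """Tracks, per process, the folders containing files it modified and
    counts the distinct directory trees ("true root paths") touched."""

    def __init__(self, root_path_threshold: int) -> None:
        self.threshold = root_path_threshold
        self._folders: Dict[int, Set[PureWindowsPath]] = {}

    def observe(self, pid: int, file_path: str) -> bool:
        """Record a file modification by `pid`; return True when the
        process now exceeds the root-path threshold and is suspect."""
        folder = PureWindowsPath(file_path).parent
        self._folders.setdefault(pid, set()).add(folder)
        return len(self.true_roots(pid)) > self.threshold

    def true_roots(self, pid: int) -> List[PureWindowsPath]:
        """Minimal set of modified folders: a folder is dropped when one
        of its ancestors was also modified by the same process, so a
        program writing throughout one tree counts as a single root."""
        roots: List[PureWindowsPath] = []
        for folder in sorted(self._folders.get(pid, set()),
                             key=lambda p: len(p.parts)):
            if not any(r == folder or r in folder.parents for r in roots):
                roots.append(folder)
        return roots


# Constructed file-modification events: (pid, path).
# pid 1001 behaves like a word processor saving one document;
# pid 4242 writes across several unrelated directory trees.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (1001, r"C:\Users\alice\Documents\report.docx"),
    (1001, r"C:\Users\alice\Documents\~$report.docx"),
    (4242, r"C:\Users\alice\Documents\report.docx"),
    (4242, r"C:\Users\alice\Documents\reports\q1.xlsx"),   # same tree
    (4242, r"C:\Users\alice\Pictures\holiday.jpg"),
    (4242, r"D:\share\finance\ledger.xlsx"),
    (4242, r"C:\Users\bob\Desktop\notes.txt"),
]


def suspicious_pids(events: Sequence[Tuple[int, str]],
                    root_path_threshold: int = 3) -> List[int]:
    """Replay events through a detector; return the PIDs that crossed
    the threshold, in the order they were first flagged."""
    det = TrueRootPathDetector(root_path_threshold)
    flagged: List[int] = []
    for pid, path in events:
        if det.observe(pid, path) and pid not in flagged:
            flagged.append(pid)
    return flagged


def root_counts(events: Sequence[Tuple[int, str]]) -> Dict[int, int]:
    """Number of true root paths per PID after replaying all events."""
    det = TrueRootPathDetector(root_path_threshold=0)
    for pid, path in events:
        det.observe(pid, path)
    return {pid: len(det.true_roots(pid)) for pid in det._folders}


if __name__ == "__main__":
    print("true roots per pid:", root_counts(SAMPLE_EVENTS))
    print("suspect pids (threshold 3):", suspicious_pids(SAMPLE_EVENTS))
```

With the constructed events pid 4242 ends up with four true roots (Documents, Pictures, the finance share and bob's Desktop; the nested reports folder collapses into Documents), which exceeds a threshold of 3 at its fifth modification, while pid 1001 never leaves a single tree. Raising the threshold to 4 suppresses the alert, which is the false-positive trade-off a deployment has to tune.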
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the teaching, taught by Guri, to include detecting ransomware modifications to a Volume Shadow Copy Service (VSS) registry key; applying data-mining models to extract frequent and low-frequency file-access patterns from historical file-modification data; and detecting directory paths having a low access frequency and high order of file modification as potential trap-file locations, as taught by Venkatachalam. This would be convenient for protecting computer systems from malware (Venkatachalam, Parag. [0001]).
Rajasekharan discloses a registry activity monitoring subsystem configured to generate first data associated with the anomalous data based on analysing registry data in the one or more computing devices (See Parag. [0023]; The anomalous backup activity detection module 402, in an example embodiment, is configured to analyze the file backup metadata 142 generated from the client devices 120 to detect anomalous backup activity on each of the client devices 120. For example, the anomalous backup activity detection module 402 may view a sudden increase or decrease in the number of files (or the total size of files) to be backed up, or the number of files (or the total size of files) that were recently backed up, as an indication that a corresponding sudden change (e.g., addition, deletion, and/or modification) of files has occurred on the client device 120, thereby possibly indicating ransomware activity, such as the unauthorized encrypting of files on the client device 120).
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the teaching, taught by Guri in view of Venkatachalam, to include generating first data associated with the anomalous data based on analysis of registry data in one or more computing devices, as taught by Rajasekharan. This would be convenient for detecting the onset of a ransomware attack (Rajasekharan, Parag. [0001]).
Claim 11. Guri in view of Venkatachalam and Rajasekharan discloses the computer-implemented system of claim 10,
Guri further discloses:
comprises a notification subsystem and a real-time monitoring subsystem, the notification subsystem is configured to generate one or more alerts based on termination of the Process IDs (PIDs) from at least one of the: Process ID (PID) Filter and Process ID (PID) Fetch (See Parag. [0019]; the performing step comprises at least one of terminating the malicious process, suspending the malicious process, performing a backup of the one or more other files stored in the file directory, checking an integrity of the one or more other files, activating an anti-virus program, recording in an event log an event that indicates that the malicious process performed the one or more file access operations to the one or more decoy files, or prompting a user of the computing device to indicate an operation to perform); and
the real-time monitoring subsystem configured to update the computer-implemented system with updated ransomware behaviour patterns and one or more trap file selection strategies based on ongoing analysis of the registry data and the one or more directory files (See Parag. [0060]; Updateable knowledge base 224 may further maintain a set of rules (e.g., predetermined rules) that indicate which types of file access operations to decoy file(s) 216 (or patterns thereof) are illegal (i.e., issued from a malicious process) or legal (i.e., issued from a non-malicious process). Operation analyzer 208 may analyze the file access operation(s) to identify a pattern associated with the file access operation(s). Operation analyzer 208 may apply the rule(s) to the identified pattern to determine whether the file access operation(s) originate from a non-malicious process or a malicious process. For example, a rule may specify that a particular file access operation followed by another particular file access operation is considered to be an illegal file access pattern. Thus, if the identified pattern conforms to this rule, operation analyzer 208 may determine the file access operation(s) detected by operation monitor 206 originated from a malicious process (e.g., process 220) and may provide an indication to operation monitor 206 that indicates that the file access operation(s) originate from a malicious process. If the identified pattern does not conform to this rule (or any other rule that indicates an illegal file access pattern), operation analyzer 208 may determine that the file access operation(s) detected by operation monitor 206 originated from a non-malicious process and may provide an indication to operation monitor 206 that indicates that the file access operation(s) do not originate from a malicious process. The rule(s) maintained in updateable knowledge base 224 may be periodically updated with new patterns (e.g., via a software update)).
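The rule-based decoy-file analysis cited from Guri (for claim 5: a read followed by a write to the same decoy file is treated as an illegal pattern; for claim 11: an updateable knowledge base whose rules say that one file access operation followed by another particular operation is illegal, and that is periodically refreshed with new patterns) is shown below as an added worked example; it is not code from Guri or from the application under examination. The event format, the decoy paths, the rule representation (an ordered tuple of operations that must occur consecutively on one decoy file by one process), the sample events and all names are assumptions.

```python
"""Rule-based analysis of file access operations on decoy files.

Added illustration of the mechanism the cited Guri passages describe;
not code from Guri or from the application under examination. The
event format, decoy paths, rule representation and sample events are
assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Set, Tuple

Pattern = Tuple[str, ...]   # consecutive operations on one decoy file


@dataclass(frozen=True)
class FileAccess:
    pid: int
    op: str    # "read", "write", "rename" or "delete"
    path: str


@dataclass
class KnowledgeBase:
    """Decoy identifiers plus the rules naming illegal access patterns;
    `update` stands in for the periodic rule refresh."""
    decoy_files: Set[str] = field(default_factory=set)
    illegal_patterns: List[Pattern] = field(default_factory=list)

    def is_decoy(self, path: str) -> bool:
        return path.lower() in self.decoy_files

    def update(self, new_patterns: Sequence[Pattern]) -> None:
        for p in new_patterns:
            if p not in self.illegal_patterns:
                self.illegal_patterns.append(p)


def contains_pattern(ops: Sequence[str], pattern: Pattern) -> bool:
    """True if `pattern` occurs as a contiguous run inside `ops`."""
    n = len(pattern)
    return any(tuple(ops[i:i + n]) == pattern for i in range(len(ops) - n + 1))


def analyze(events: Sequence[FileAccess],
            kb: KnowledgeBase) -> Dict[int, List[str]]:
    """Return {pid: [decoy paths]} for processes whose operation sequence
    on a decoy file matches an illegal pattern. Operations on non-decoy
    files are ignored. This is only the identification step; the caller
    chooses the neutralizing action (terminate, suspend, alert, log)."""
    history: Dict[Tuple[int, str], List[str]] = defaultdict(list)
    for ev in events:
        if kb.is_decoy(ev.path):
            history[(ev.pid, ev.path.lower())].append(ev.op)
    flagged: Dict[int, List[str]] = defaultdict(list)
    for (pid, path), ops in history.items():
        if any(contains_pattern(ops, p) for p in kb.illegal_patterns):
            flagged[pid].append(path)
    return dict(flagged)


DECOY_A = r"c:\users\alice\documents\_invoice_2019.docx"   # constructed
DECOY_B = r"c:\users\alice\pictures\_img_0001.jpg"          # constructed


def base_knowledge_base() -> KnowledgeBase:
    """Initial rule set: read followed by write to the same decoy."""
    return KnowledgeBase({DECOY_A, DECOY_B}, [("read", "write")])


# Constructed events: pid 555 is a backup agent that only reads decoys;
# pid 777 reads then overwrites both decoys; pid 999 reads then deletes.
SAMPLE_EVENTS: List[FileAccess] = [
    FileAccess(555, "read", DECOY_A),
    FileAccess(555, "read", DECOY_B),
    FileAccess(777, "read", DECOY_A),
    FileAccess(777, "write", DECOY_A),
    FileAccess(777, "write", r"C:\Users\alice\Documents\real.docx"),
    FileAccess(777, "read", DECOY_B),
    FileAccess(777, "write", DECOY_B),
    FileAccess(999, "read", DECOY_A),
    FileAccess(999, "delete", DECOY_A),
]


def flagged_pids(events: Sequence[FileAccess], kb: KnowledgeBase) -> List[int]:
    return sorted(analyze(events, kb))


def flagged_after_update(events: Sequence[FileAccess]) -> List[int]:
    """Same events, after the knowledge base learns a read-then-delete rule."""
    kb = base_knowledge_base()
    kb.update([("read", "delete")])
    return flagged_pids(events, kb)


if __name__ == "__main__":
    print("before update:", flagged_pids(SAMPLE_EVENTS, base_knowledge_base()))
    print("after update: ", flagged_after_update(SAMPLE_EVENTS))
```

With the initial rule only pid 777 is identified (the backup agent's read-only access does not match, and the write to a real document is never considered); adding a read-then-delete pattern through the knowledge-base update also identifies pid 999 on the same events. Keeping the rule set as data rather than code is what lets the patterns be refreshed without redeploying the monitor.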
Claim 12. Guri discloses a non-transitory computer readable storage unit having instructions stored therein that when executed by one or more hardware processors (See Parag. [0026]; one or more processors and a memory coupled to the one or more processors, the memory storing instructions, which, when executed by one or more processors, cause the one or more processors to perform operations), cause the one or more hardware processors to execute operations of:
generating second data associated with the anomalous data based on analysis of one or more trap files associated with one or more directory files in the one or more computing devices (See Parag. [0071-0072]; at step 304, one or more file access operations are determined to be performed with respect to at least one of the one or more decoy files. For example, with reference to FIG. 4, operation monitor 406 monitors decoy file(s) 416 to determine file access operation(s) 403 are being performed with respect thereto. Operation monitor 406 may use hooking techniques to hook procedure calls issued to decoy file(s) 216. At step 306, the one or more file access operations are analyzed to determine whether the one or more file access operations originate from a malicious process. Operation monitor 406 may send a request 405 to operation analyzer 408 that includes information specifying file access operation(s) 403 that were detected by operation monitor 406. Operation analyzer 408 may analyze the file access operation(s) to determine whether file access operation(s) 403 originate from a malicious process (e.g., process 420)),
retrieving Process IDs (PIDs) from at least one of a: Process ID (PID) Filter and Process ID (PID) Fetch associated with the first data and the second data to initiate a ransomware termination process (See Parag. [0060]; Operation analyzer 208 may analyze the file access operation(s) to identify a pattern associated with the file access operation(s). Operation analyzer 208 may apply the rule(s) to the identified pattern to determine whether the file access operation(s) originate from a non-malicious process or a malicious process … See Parag. [0059]; operation analyzer 208 may access updateable knowledge base 224. Updateable knowledge base 224 may comprise a data store (e.g., a database) that stores one or more decoy file identifiers that each represent a particular decoy file of decoy file(s) 216. The identifier may be the file name of the decoy file, the directory path of the decoy file, a tag representative of the decoy file and/or the like); and
terminating the retrieved Process IDs (PIDs) from at least one of the: Process ID (PID) Filter and Process ID (PID) Fetch to terminate the ransomware based on detection of the anomalous data from the one or more computing devices (See Parag. [0076]; at step 308, in response to determining that the one or more file access operations originate from the malicious process, an action is performed to neutralize the malicious process. In accordance with an embodiment, comprises one or more of terminating the malicious process, suspending the malicious process ...).
Guri doesn’t explicitly disclose generating first data associated with the anomalous data based on analysis of registry data in one or more computing devices; detecting ransomware modifications to at least one of a Volume Shadow Copy Service (VSS) registry key, a Restart Manager registry key, Windows Script File (WSF) registry keys, a FileExts registry key, a Run registry key, a RunOnce registry key, MuiCache registry key and a WindowsSearch registry key; wherein the analysis comprises: applying, by the one or more hardware processors, data-mining models to extract frequent and low-frequency file-access patterns from historical file-modification data, and detecting, by the one or more hardware processors, directory paths having at least one of: a low access frequency and high order of file modification as potential trap-file locations.
However, Venkatachalam discloses detecting ransomware modifications to at least one of a Volume Shadow Copy Service (VSS) registry key, a Restart Manager registry key, Windows Script File (WSF) registry keys, a FileExts registry key, a Run registry key, a RunOnce registry key, MuiCache registry key and a WindowsSearch registry key (See Parag. [0077]; Detection engine 130 receives event sequences from event reader 125 (step 405). Per decision 410, events consistent with ransomware behavior are passed to decision 415 where they are analyzed for signals of a path-traversal attack. See Parag. [0081]; A malware VSS operation requester 520 can issue file deletion requests to VSS 520 using e.g. command-line instructions via an administrative process vssadmin.exe 525, code or script via a utility process wmic.exe 530, or directly via the COM API 535);
wherein the analysis comprises: applying, by the one or more hardware processors, data-mining models to extract frequent and low-frequency file-access patterns from historical file-modification data (See Parag. [0015-0019]; Behavioral detection unit 200 identifies behavioral patterns in event sequences for each process under consideration. These behavioral patterns include: [0016] ORIGINAL_FILE_OVERWRITE, ORIGINAL_FILE_DELETED_AND_NEW_ENCRYPTED_FILE_CREATED, ORIGINAL_FILE_OVERWRITE_AND_RENAMED, ORIGINAL_FILE_RENAMED_AND_OVERWRITE … See Parag. [0024]; Behavioral detection unit 200 passes files whose event sequences have been determined to be a ransomware threat to file-traversal-information detection unit 205, which determines the information corresponding to the file traversal pattern using Application Program Interface (API) based traversal and/or New Technology File System (NTFS) based traversal. Detection unit 205 supports an algorithm that detects path-traversal attacks, which exploit security flaws associated with user-supplied file names), and
detecting, by the one or more hardware processors, directory paths having at least one of: a low access frequency and high order of file modification as potential trap-file locations (See Parag. [0029]; Whenever a file is modified by a process, true-root-path detection unit 210 looks up the path of the folder containing the file and compares this path with those of other files modified by the same process. See Parag. [0068]; True-root-folder detection unit 210 compares the true-root-path count with a root-path threshold. If the number is greater than the root-path threshold, then files associated with the process under consideration are suspected to be, or to be infected by, malware).
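As an added illustration of how the three signals discussed in the mapping above fit together at run time, the following Python sketch is offered. It is not code from Guri, Venkatachalam, Rajasekharan or the application under examination. It applies, to a constructed event log, (1) a decoy-file access rule in the manner of Guri's operation analyzer, (2) a watch-list of registry key paths and a shadow-copy deletion command in the manner of Venkatachalam's VSS discussion, and (3) a count of distinct folders modified by one process compared against a threshold, a simplification of Venkatachalam's true-root-path count. The event format, the `.trap` folder convention, the registry key substrings, the threshold of 3 and the termination policy are all assumptions made for the example.

```python
"""Rule-based ransomware PID selection over a constructed event log.

Added example, not code from Guri, Venkatachalam, Rajasekharan or the
application. Everything below (event format, folder names, registry
substrings, threshold, policy) is assumed for illustration.
"""
from __future__ import annotations

import ntpath  # parse Windows paths regardless of the host OS
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed event log. Format: "<pid>|<kind>|<target>"
# kind is one of: file_write, file_rename, file_delete, reg_set, proc_exec
SAMPLE_EVENTS = """\
4120|file_write|C:\\Users\\alice\\Documents\\report.docx
4120|file_rename|C:\\Users\\alice\\Documents\\report.docx.locked
4120|file_write|C:\\Users\\alice\\Pictures\\img001.jpg
4120|file_write|C:\\Users\\alice\\Desktop\\.trap\\decoy.xlsx
4120|reg_set|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\updater
4120|proc_exec|vssadmin.exe delete shadows /all /quiet
4120|file_write|C:\\Users\\alice\\Music\\song.mp3
1337|file_write|C:\\Users\\alice\\Documents\\notes.txt
1337|file_write|C:\\Users\\alice\\Documents\\todo.txt
2222|reg_set|HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\setup
"""

DECOY_MARKER = "\\.trap\\"  # assumed: trap (decoy) files live in a ".trap" folder
WATCHED_KEYS = (  # assumed substrings of registry paths worth watching
    "\\CurrentVersion\\Run\\",
    "\\CurrentVersion\\RunOnce\\",
    "\\Services\\VSS\\",
    "\\RestartManager\\",
    "\\Explorer\\FileExts\\",
    "\\ShellNoRoam\\MUICache\\",
    "\\Windows Search\\",
)
SHADOW_DELETE_MARKERS = ("vssadmin", "delete shadows")
ROOT_PATH_THRESHOLD = 3  # assumed: more than 3 distinct folders modified is suspicious


@dataclass
class Verdict:
    pid: int
    reasons: list[str] = field(default_factory=list)


def parse(log: str):
    """Yield (pid, kind, target) tuples from the pipe-separated log."""
    for line in log.splitlines():
        if line.strip():
            pid, kind, target = line.split("|", 2)
            yield int(pid), kind, target


def analyze(log: str, threshold: int = ROOT_PATH_THRESHOLD) -> dict[int, Verdict]:
    """Collect per-PID reasons from the decoy, registry and folder-count rules."""
    folders: dict[int, set[str]] = defaultdict(set)
    reasons: dict[int, list[str]] = defaultdict(list)
    for pid, kind, target in parse(log):
        low = target.lower()
        if kind in ("file_write", "file_rename", "file_delete"):
            if DECOY_MARKER.lower() in low:
                reasons[pid].append(f"decoy access: {target}")
            # folder containing the modified file (simplified true-root-path)
            folders[pid].add(ntpath.dirname(low))
        elif kind == "reg_set":
            if any(k.lower() in low for k in WATCHED_KEYS):
                reasons[pid].append(f"watched key modified: {target}")
        elif kind == "proc_exec":
            if all(m in low for m in SHADOW_DELETE_MARKERS):
                reasons[pid].append(f"shadow copy deletion: {target}")
    for pid, seen in folders.items():
        if len(seen) > threshold:
            reasons[pid].append(f"{len(seen)} folders modified (> {threshold})")
    return {pid: Verdict(pid, rs) for pid, rs in reasons.items()}


def pids_to_terminate(log: str) -> set[int]:
    """Policy (assumed): terminate on any decoy hit, or on two independent signals.
    A single registry write alone only alerts; it is not enough to kill the PID."""
    out = set()
    for pid, verdict in analyze(log).items():
        decoy_hit = any(r.startswith("decoy access") for r in verdict.reasons)
        if decoy_hit or len(verdict.reasons) >= 2:
            out.add(pid)
    return out


if __name__ == "__main__":
    for pid, verdict in analyze(SAMPLE_EVENTS).items():
        print(pid, verdict.reasons)
    print("terminate:", sorted(pids_to_terminate(SAMPLE_EVENTS)))
```

On the sample log, PID 4120 trips all four rules and is selected for termination; PID 2222 writes only a RunOnce value, which under the assumed policy produces an alert but no termination; PID 1337 modifies two files in one folder and is not flagged at all. The point of separating `analyze` from `pids_to_terminate` is that the signals (which mirror the claimed "first data" from registry analysis and "second data" from trap-file analysis) can be tuned independently of the kill decision.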
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the teaching, taught by Guri, to include detecting ransomware modifications to a Volume Shadow Copy Service (VSS) registry key; applying data-mining models to extract frequent and low-frequency file-access patterns from historical file-modification data; and detecting directory paths having a low access frequency and high order of file modification as potential trap-file locations, as taught by Venkatachalam. This would be convenient for protecting computer systems from malware (Venkatachalam, Parag. [0001]).
Rajasekharan discloses generating first data associated with the anomalous data based on analysis of registry data in one or more computing devices (See Parag. [0023]; The anomalous backup activity detection module 402, in an example embodiment, is configured to analyze the file backup metadata 142 generated from the client devices 120 to detect anomalous backup activity on each of the client devices 120. For example, the anomalous backup activity detection module 402 may view a sudden increase or decrease in the number of files (or the total size of files) to be backed up, or the number of files (or the total size of files) that were recently backed up, as an indication that a corresponding sudden change (e.g., addition, deletion, and/or modification) of files has occurred on the client device 120, thereby possibly indicating ransomware activity, such as the unauthorized encrypting of files on the client device 120).
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the teaching, taught by Guri in view of Venkatachalam, to include generating first data associated with the anomalous data based on analysis of registry data in one or more computing devices, as taught by Rajasekharan. This would be convenient for detecting the onset of a ransomware attack (Rajasekharan, Parag. [0001]).
Claim 13. The applicant is directed to the rejections to claim 2 set forth above, as it is rejected based on the same rationale.
Claim 14. The applicant is directed to the rejections to claim 3 set forth above, as it is rejected based on the same rationale.
Claim 15. The applicant is directed to the rejections to claim 4 set forth above, as it is rejected based on the same rationale.
Claim 16. The applicant is directed to the rejections to claim 5 set forth above, as it is rejected based on the same rationale.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Guri et al. (Pub. No. US 2019/0332766), hereinafter Guri; in view of Venkatachalam et al. (Pub. No. US 2023/0078476), hereinafter Venkatachalam; in view of Rajasekharan et al. (Pub. No. US 2019/0042744), hereinafter Rajasekharan; and further in view of Park et al. (Pub. No. US 2019/0377871), hereinafter Park.
Claim 8. Guri in view of Venkatachalam and Rajasekharan discloses the computer-implemented method of claim 1,
Guri in view of Venkatachalam and Rajasekharan doesn’t explicitly disclose wherein the one or more hardware processors is configured with a restart module, the restart module is configured to restart the terminated Process IDs (PIDs) from at least one of the: Process ID (PID) Filter and Process ID (PID) Fetch if the one or more hardware processors detects the second data generation is beyond the predetermined timeframe.
However, Park discloses wherein the decision generating subsystem is configured with a restart module, the restart module is configured to restart the terminated Process IDs (PIDs) from at least one of the: Process ID (PID) Filter and Process ID (PID) Fetch if the decision-generating subsystem detects the second data generation is beyond the predetermined timeframe (See Parag. [0068]; the processor 210 may determine to control some clients among the plurality of clients based on the determination of whether the system abnormality occurs. In more detail, the processor 210 may determine to control at least one group of a client group in which the abnormality occurs and a client group in which the abnormality does not occur among the plurality of clients, based on the type of occurring system abnormality. For example, if the occurring system abnormality is the ransomware, the processor 210 may determine to control the client group in which the abnormality occurs. In this case, the processor 210 may block the network connection of the client group already infected with the ransomware. The processor 210 may primarily shut down the driving of the ransomware by terminating and restarting the instance of the client group when the file change by the ransomware continues in the client group infected with the ransomware).
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the teaching, taught by Guri in view of Venkatachalam and Rajasekharan, to include wherein the decision generating subsystem is configured with a restart module, the restart module is configured to restart the terminated Process IDs (PIDs) from at least one of the: Process ID (PID) Filter and Process ID (PID) Fetch if the decision-generating subsystem detects the second data generation is beyond the predetermined timeframe, as taught by Park. This would be convenient for detecting abnormal actions of a plurality of clients and controlling a causative service (Park, Parag. [0002]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to terminating ransomware based on detection of anomalous data.
Ezrielev et al. (Pub. No. US 2024/0330447) - “Ransomware Detection Via Monitoring Open File or Process;”
Teaches a bait file owned by a bait process that is created and locked in a computing system. Attempts to access the bait file or kill the bait process are detected. The process attempting to access the bait file or kill the bait process is viewed as malicious and protective operations are performed in the computing system. When an attempt to access the bait file is performed, the process attempting to access the bait file and all processes related to the process attempting to access the bait file are identified. The related processes are identified using a table that tracks related processes. The protection operations are performed with respect to the process attempting to access the bait file and all related processes. (See Abstract).
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office Action. Accordingly, THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHIZLANE MAAZOUZ whose telephone number is (571)272-8118. The examiner can normally be reached by telework Monday through Friday, 7:30 AM to 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip J Chea can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GHIZLANE MAAZOUZ/Examiner, Art Unit 2499
/PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499