DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments filed with the Declaration under 37 CFR 1.130(a)
The declaration under 37 CFR 1.130(a) filed on December 3, 2025 is sufficient to overcome the rejection of claims 1-20 under 35 U.S.C. 102(a)(1) based on Elkhail et al, “Seamlessly Safeguarding Data Against Ransomware Attacks”.
The Applicant has established that “inventor Anys Bacha declares that the additional authors of the Disclosure did not contribute to the claimed subject matter of the above-identified application and that the claimed subject matter was conceived by inventor Anys Bacha and the other named inventors. As a professional courtesy and to promote a cooperative and collaborative work environment, the additional authors were identified as co-authors of the Disclosure but did not contribute to and were not inventors of the subject matter of the above-identified application. Further, the subject matter of the Disclosure being relied on to reject claims 1-20 came from the inventors. The Disclosure was made less than one year before the filing date of the provisional application from which this application claims priority. Thus, the Disclosure falls within the 35 USC § 102(b)(1)(A) exception. Applicant respectfully submits that the Disclosure is hence disqualified as prior art.”
Upon further consideration, a new ground of rejection is made in view of Buchanan et al, GB 2604903 A.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-5, 7-17, 19, and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Buchanan et al, GB 2604903 A.
As per claim 1, Buchanan et al teaches a method of preventing unauthorized manipulation of a computer file, comprising the steps of:
determining an entropy value in response to a write request issued by a running process (a file write operation (i.e., write request issued by a running process) to the storage medium is identified and monitored, page 8, lines 27-29, wherein a determination is made of the write operation (i.e., write request issued by the running process) and its associated entropy value, page 9, lines 17-24); and
in response to a determination that the entropy value exceeds a predetermined threshold (a determination is made that the entropy value exceeds a threshold value, page 9, lines 17-25 and page 9, line 30 through page 10, line 4), preventing data stored at a storage device from being manipulated by the running process (once it is determined that a ransomware attack (i.e., being manipulated by a running process) is occurring, further steps are taken to restore the user’s original data (i.e., preventing data stored at a storage device from being manipulated), page 6, lines 3-10 and page 9, line 30 through page 10, line 4).
As per claim 2, it is disclosed wherein the entropy value is determined while data subject to the write request is cached in memory used by the processor for executing the running process (the entropy value is determined from a predetermined number of bytes of a file in a buffer (i.e., cache) while the data is subject to the write request, page 9, lines 17-24).
As per claim 3, it is taught wherein the entropy value indicates entropy of the data that is represented as a measure of write coverage, and wherein the write coverage refers to an amount of data being written relative to subject data (the entropy value is determined from a predetermined number of bytes (i.e., representative as a measure of write coverage) of a file in a buffer (i.e., cache) while the data is subject (i.e., amount of data being written) to the write request, page 9, lines 17-24).
As per claim 4, it is disclosed wherein the subject data refers to a data block of a data file, and wherein the data block of the data file includes the data that is prevented from being manipulated (a file write operation (i.e., write request issued by a running process) to the storage medium is identified (i.e., subject data referring to a data block of a data file) and monitored, page 8, lines 27-29, once it is determined that a ransomware attack (i.e., being manipulated by a running process) is occurring, further steps are taken to restore the user’s original data (i.e., preventing written data stored at a storage device from being manipulated), page 6, lines 3-10 and page 9, line 30 through page 10, line 4).
As per claim 5, it is taught that the method further comprises:
monitoring for a write request (a file write to the storage medium is identified and monitored, page 8, lines 27-29); and
when a write request entropy value for the write request exceeds a predetermined write request entropy threshold, updating a cumulative entropy value (a second threshold is added indicative of entropy values (i.e., cumulative entropy values) to determine if thresholds are exceeded, page 10, lines 11-21).
As per claim 7, it is taught wherein the entropy value is an average entropy value that is determined based on a cumulative entropy value taken over a predefined execution period (a window of opportunity to discover and identify writes made by ransomware is retained over an associated write duration (i.e., predefined execution period) that includes cumulative entropy count values, page 2, lines 25-26 and page 12, line 29 through page 13, line 7).
As per claim 8, it is disclosed wherein the cumulative entropy value is updated when a write request entropy value exceeds a predetermined write request entropy threshold (a second threshold is added indicative of entropy values (i.e., updated cumulative entropy values) to determine if thresholds are exceeded for write requests, page 10, lines 11-21), and wherein the write request entropy value is an entropy value for a present data block being processed by the running process (a process name, process identifier, a filename being written, and determined entropy value is recorded (i.e., all entries recorded as a data block), page 12, lines 11-14).
As per claim 9, it is taught wherein the present data block is a portion of a data file that is being processed by the running process (a process name, process identifier, a filename being written, and determined entropy value is recorded (i.e., all entries recorded as a data block for the running process), page 12, lines 11-14).
As per claim 10, it is disclosed wherein preventing data stored at a storage device from being manipulated by the running process includes preventing the data from being written by the running process to the storage device (once it is determined that a ransomware attack (i.e., being manipulated by a running process) is occurring, further steps are taken to restore the user’s original data (i.e., preventing written data stored at a storage device from being manipulated), page 6, lines 3-10 and page 9, line 30 through page 10, line 4).
As per claim 11, it is taught wherein the method is performed by at least one processor through executing computer instructions stored on the storage device or another storage device comprised of non-transitory, computer-readable memory (processor executing computer executable instructions stored in memory on the device, page 2, line 27 through page 3, line 5 and page 13, lines 14-17).
As per claim 12, Buchanan et al discloses a method of preventing unauthorized manipulation of a computer file, comprising the steps of:
determining an entropy value in response to write requests issued by a running process (a file write operation (i.e., write request issued by a running process) to the storage medium is identified and monitored, page 8, lines 27-29, wherein a determination is made of the write operation (i.e., write request issued by the running process) and its associated entropy value, page 9, lines 17-24); and
in response to a determination that the entropy value exceeds a predetermined threshold (a determination is made that the entropy value exceeds a threshold value, page 9, lines 17-25 and page 9, line 30 through page 10, line 4) and a determination that a socket request or a delete request was issued by the running process (a file write operation (i.e., write request/socket request issued by a running process) to the storage medium is identified and monitored, page 8, lines 27-29), preventing data stored at a storage device from being manipulated by the running process (once it is determined that a ransomware attack (i.e., being manipulated by a running process) is occurring, further steps are taken to restore the user’s original data (i.e., preventing data stored at a storage device from being manipulated), page 6, lines 3-10 and page 9, line 30 through page 10, line 4).
As per claim 13, it is taught that the method further comprises a step of preventing data stored at a storage device from being manipulated by the running process when the running process is identified as ransomware (a file write operation (i.e., write request/socket request issued by a running process) to the storage medium is identified and monitored, page 8, lines 27-29; once it is determined that a ransomware attack (i.e., being manipulated by a running process) is occurring (i.e., identified), further steps are taken to restore the user’s original data (i.e., preventing data stored at a storage device from being manipulated), page 6, lines 3-10 and page 9, line 30 through page 10, line 4).
As per claim 14, it is disclosed wherein preventing data stored at a storage device from being manipulated by the running process includes preventing the data from being written by the running process to the storage device (once it is determined that a ransomware attack (i.e., being manipulated by a running process) is occurring, further steps are taken to restore the user’s original data (i.e., preventing written data stored at a storage device from being manipulated), page 6, lines 3-10 and page 9, line 30 through page 10, line 4).
As per claim 15, it is taught wherein the entropy value is determined while data subject to the write request is cached in memory used by the processor for executing the running process (the entropy value is determined from a predetermined number of bytes of a file in a buffer (i.e., cache) while the data is subject to the write request, page 9, lines 17-24).
As per claim 16, it is disclosed wherein the entropy value indicates entropy of the data that is represented as a measure of write coverage, and wherein the write coverage refers to an amount of data being written relative to subject data (the entropy value is determined from a predetermined number of bytes (i.e., representative as a measure of write coverage) of a file in a buffer (i.e., cache) while the data is subject (i.e., amount of data being written) to the write request, page 9, lines 17-24).
As per claim 17, it is taught wherein the subject data refers to a data block of a data file, and wherein the data block of the data file includes the data that is prevented from being manipulated (a file write operation (i.e., write request issued by a running process) to the storage medium is identified (i.e., subject data referring to a data block of a data file) and monitored, page 8, lines 27-29, once it is determined that a ransomware attack (i.e., being manipulated by a running process) is occurring, further steps are taken to restore the user’s original data (i.e., preventing written data stored at a storage device from being manipulated), page 6, lines 3-10 and page 9, line 30 through page 10, line 4).
As per claim 19, it is taught wherein the entropy value is an average entropy value that is determined based on a cumulative entropy value taken over a predefined execution period (a window of opportunity to discover and identify writes made by ransomware is retained over an associated write duration (i.e., predefined execution period) that includes cumulative entropy count values, page 2, lines 25-26 and page 12, line 29 through page 13, line 7).
As per claim 20, Buchanan et al discloses a method of identifying ransomware in order to prevent unauthorized manipulation of a computer file, comprising the steps of:
determining an entropy value based on write requests issued by a running process (a file write operation (i.e., write request issued by a running process) to the storage medium is identified and monitored, page 8, lines 27-29, wherein a determination is made of the write operation (i.e., write request issued by the running process) and its associated entropy value, page 9, lines 17-24); and
in response to a determination that the entropy value exceeds a predetermined threshold (a determination is made that the entropy value exceeds a threshold value, page 9, lines 17-25 and page 9, line 30 through page 10, line 4) and a determination that a socket request was issued by the running process (a file write operation (i.e., write request/socket request issued by a running process) to the storage medium is identified and monitored, page 8, lines 27-29), identifying the running process (a file write operation (i.e., write request issued by a running process) to the storage medium is identified and monitored, page 8, lines 27-29) as ransomware (once it is determined that a ransomware attack (i.e., being manipulated by a running process) is occurring, further steps are taken to restore the user’s original data (i.e., preventing data stored at a storage device from being manipulated), page 6, lines 3-10 and page 9, line 30 through page 10, line 4).
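To make the claimed mechanism concrete, the following is an added Python example written for this page; it is not code from Buchanan et al, from the application, or from any other cited reference. It computes the Shannon entropy of each write buffer before the data reaches storage, updates a per-process cumulative entropy value only when a single write exceeds a per-write threshold, averages that cumulative value over a predefined execution period measured in write requests, and can additionally require that the process issued a socket or delete request before it is treated as ransomware. The threshold values, the four-write window, the process identifiers and the sample workload are all assumptions constructed for illustration.

```python
import math
import random
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

# Hypothetical tuning values (assumed, not taken from any reference): the claims
# only recite a "predetermined threshold" and a "predefined execution period".
WRITE_ENTROPY_THRESHOLD = 7.0  # bits/byte a single write must exceed to count
AVG_ENTROPY_THRESHOLD = 5.0    # bits/byte, cumulative value averaged over the period
EXECUTION_WINDOW = 4           # execution period measured in write requests


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte buffer in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class ProcessState:
    # Per-write contributions over the execution period. A write that does not
    # exceed WRITE_ENTROPY_THRESHOLD contributes 0.0, so the cumulative value is
    # only updated by high-entropy writes.
    window: deque = field(default_factory=lambda: deque(maxlen=EXECUTION_WINDOW))
    saw_socket: bool = False
    saw_delete: bool = False
    blocked: bool = False

    @property
    def cumulative_entropy(self) -> float:
        return sum(self.window)

    @property
    def average_entropy(self) -> float:
        # Spread over the whole period, not only over the writes seen so far.
        return self.cumulative_entropy / EXECUTION_WINDOW


class WriteMonitor:
    """Decides, while the write data is still in the buffer, whether a process
    may commit it to storage."""

    def __init__(self, require_socket_or_delete: bool = False):
        # False: decide on entropy alone; True: also require that the process
        # issued a socket or delete request before it is identified as ransomware.
        self.require_socket_or_delete = require_socket_or_delete
        self.procs = defaultdict(ProcessState)

    def on_socket(self, pid: int) -> None:
        self.procs[pid].saw_socket = True

    def on_delete(self, pid: int, path: str) -> None:
        self.procs[pid].saw_delete = True

    def is_ransomware(self, pid: int) -> bool:
        st = self.procs[pid]
        high = st.average_entropy > AVG_ENTROPY_THRESHOLD
        if self.require_socket_or_delete:
            return high and (st.saw_socket or st.saw_delete)
        return high

    def on_write(self, pid: int, path: str, data: bytes) -> str:
        """Return 'allow' or 'block' for one write request."""
        st = self.procs[pid]
        if st.blocked:
            return "block"  # once flagged, no further writes reach storage
        e = shannon_entropy(data)
        st.window.append(e if e > WRITE_ENTROPY_THRESHOLD else 0.0)
        if self.is_ransomware(pid):
            st.blocked = True
            return "block"
        return "allow"


# Constructed sample workload (not captured from any real system).
TEXT_BLOCK = b"quarterly report: revenue up 4 percent, costs flat, headcount 212\n" * 60


def _pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    rng = random.Random(seed)  # deterministic stand-in for encrypted output
    return bytes(rng.getrandbits(8) for _ in range(size))


CIPHERTEXT_BLOCKS = [_pseudo_ciphertext(seed) for seed in range(3)]


def run_scenario(require_socket_or_delete: bool) -> dict:
    mon = WriteMonitor(require_socket_or_delete)
    results = {}
    # pid 100: an editor saving plain text four times
    results["editor"] = [mon.on_write(100, "report.txt", TEXT_BLOCK) for _ in range(4)]
    # pid 200: an archiver writing compressed (high-entropy) output, no network, no deletes
    results["archiver"] = [mon.on_write(200, "backup.zip", b) for b in CIPHERTEXT_BLOCKS]
    # pid 300: a process that contacts a remote host, then overwrites files with ciphertext
    mon.on_socket(300)
    results["encryptor"] = [mon.on_write(300, f"doc{i}.pdf", b)
                            for i, b in enumerate(CIPHERTEXT_BLOCKS)]
    results["encryptor_flagged"] = mon.is_ransomware(300)
    return results
```

Under the entropy-only rule the archiver is blocked after its third high-entropy write, exactly like the encrypting process, because compressed output and ciphertext are indistinguishable by entropy alone; the variant that also requires a socket or delete request lets the archiver through while still blocking the process that opened a network connection first. Choosing the two thresholds and the window length is the real tuning problem: a window that is too short reacts to a single compressed write, one that is too long lets several files be overwritten before the average crosses the threshold.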
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 6 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Buchanan et al, GB 2604903 A in view of Gole, U.S. Patent 8,423,710.
As per claims 6 and 18, Buchanan et al fails to disclose that a write radix tree for the running process is created and that the write radix tree indicates data files modified by the running process.
Gole discloses that a write radix tree for the running process is created and that the write radix tree indicates data files modified by the running process (a write control buffer stores metadata that includes information about the data (i.e., data files modified by the running process responsive to write requests), and the metadata keeps track of write request updates, column 3, lines 22-28, wherein a radix-tree data structure arranges multiple write requests into a sequential write to track changes (i.e., data files modified by the running process responsive to write requests), column 3, lines 39-46).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to log changes made with respect to write requests. Gole teaches the importance of tracking changes using a radix tree: by writing data in a log-structured manner, wear leveling and the associated garbage collection can be handled faster, keeping flash memory available for writing data, column 3, lines 46-52. Although Buchanan et al fails to disclose the use of a radix tree to log sequential writes, Gole offers a way to arrange and log sequential writes by storing metadata related to the writes in a radix tree, allowing for operational efficiency in tracking the changes made by the writes.
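As an added illustration of the per-process write radix tree recited in claims 6 and 18, the following Python example is written for this page and is not code from Gole, Buchanan et al or the application. It records the paths a process has written to in a compressed prefix (radix) tree, so that whether a particular file was modified, and which files under a directory were modified, can be answered by descending shared path prefixes rather than scanning a list. Gole's tree additionally arranges writes for log-structured flash storage; only the claimed use, indicating the files modified by a process, is shown here. The per-process map, the sample path strings and the method names are assumptions.

```python
from collections import defaultdict


class RadixNode:
    __slots__ = ("children", "terminal")

    def __init__(self):
        self.children = {}     # edge label (string) -> RadixNode
        self.terminal = False  # True if a recorded path ends at this node


def _common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


class WriteRadixTree:
    """Compressed prefix tree of the file paths one process has written to."""

    def __init__(self):
        self.root = RadixNode()
        self.size = 0  # number of distinct paths recorded

    def insert(self, path: str) -> bool:
        """Record a written path; return True if it was not already present."""
        node, rest = self.root, path
        while rest:
            for label, child in list(node.children.items()):
                common = _common_prefix_len(label, rest)
                if common == 0:
                    continue
                if common < len(label):
                    # The new path diverges inside this edge: split the edge.
                    mid = RadixNode()
                    mid.children[label[common:]] = child
                    del node.children[label]
                    node.children[label[:common]] = mid
                    child = mid
                node, rest = child, rest[common:]
                break
            else:
                # No edge shares a first character with the remainder: new leaf.
                leaf = RadixNode()
                leaf.terminal = True
                node.children[rest] = leaf
                self.size += 1
                return True
        if node.terminal:
            return False
        node.terminal = True
        self.size += 1
        return True

    def contains(self, path: str) -> bool:
        node, rest = self.root, path
        while rest:
            for label, child in node.children.items():
                if rest.startswith(label):
                    node, rest = child, rest[len(label):]
                    break
            else:
                return False
        return node.terminal

    def paths_under(self, prefix: str) -> list:
        """All recorded paths starting with prefix, found by descending shared edges."""
        node, rest, acc = self.root, prefix, ""
        while rest:
            for label, child in node.children.items():
                common = _common_prefix_len(label, rest)
                if common == len(rest):   # prefix ends on or inside this edge
                    node, rest, acc = child, "", acc + label
                    break
                if common == len(label):  # edge fully matched, keep descending
                    node, rest, acc = child, rest[common:], acc + label
                    break
            else:
                return []
        return sorted(self._collect(node, acc))

    def _collect(self, node: RadixNode, acc: str) -> list:
        out = [acc] if node.terminal else []
        for label, child in node.children.items():
            out.extend(self._collect(child, acc + label))
        return out


class ProcessWriteTracker:
    """One write radix tree per running process, keyed by process id."""

    def __init__(self):
        self.trees = defaultdict(WriteRadixTree)

    def record_write(self, pid: int, path: str) -> bool:
        return self.trees[pid].insert(path)

    def modified_files(self, pid: int, under: str = "") -> list:
        return self.trees[pid].paths_under(under)
```

Because every path is stored once and sibling files share their directory prefix as a single edge, the tree stays compact even when a process touches thousands of files in one directory, and a responder can list exactly which files under a given directory the flagged process modified when deciding what to restore.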
Conclusion
The relevant art made of record and not relied upon is considered pertinent to applicant's disclosure.
Machine translation of Kim, KR 10-2558503 is relied upon for disclosing determining that a cryptographic operation is detected in a path to be verified when the number of data blocks associated with randomness exceeds a threshold value among a plurality of data blocks. In an embodiment, when it is determined that a cryptographic operation is detected in the file system, the cryptographic operation verifier may control the file system to disable a delete operation for at least one of the files or directories included in the file system. For example, the cryptographic operation verification unit may control the file system so that a delete operation for at least one of the files or directories included in the path to be verified is inactivated. Accordingly, unintentional deletion of files due to an external attack can be prevented.
Zhang, CN 121037099 A is relied upon for disclosing an efficiency monitoring interface that collects the attack blocking rate, the misjudgment rate and the resource consumption deviation index, and triggers a three-part response: the entropy value correction engine shrinks the entropy value threshold for the successful defense entity and loosens the history baseline for the high-frequency false-judgement entity; the parameter optimizing engine finely adjusts the genetic algorithm weight coefficients based on the reinforcement learning framework; and the feature library evolution engine extracts the core behavior feature of the new attack event and, when its correlation with the active feature library is lower than the critical threshold value, creates a new dimension expansion matrix, initializes the full solid entropy value, and synchronously executes the history data backtracking update, see machine translation.
Huang, CN 120675812 A is relied upon for disclosing performing recombination on the communication protocol stream to generate a standardized traffic sequence; inputting the standardized flow sequence, the resource occupation time sequence signal and the access behavior log into the space-time fusion analysis network for processing, and outputting the multi-scale behavior characteristic, the abnormal fluctuation spectrum and the threat association characteristic of the network flow; performing feature alignment and dimension reduction to obtain a target feature set; constructing a cross-modal threat correlation matrix according to the target feature set; generating a network security entropy value; judging whether the value exceeds a preset threshold; and triggering an attack hierarchical response when it does. The invention uses a data-driven threat judgement and response mechanism, which can timely and accurately respond to various known and unknown network attacks, see machine translation.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Catherine Thiaw can be reached at 571-270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2407