Prosecution Insights
Last updated: May 29, 2026
Application No. 18/762,078

METHOD FOR REAL-TIME DETECTION AND BLOCKING OF RANSOMWARE BASED ON BEHAVIOR INFORMATION ANALYSIS

Status: Non-Final OA §103
Filed: Jul 02, 2024
Priority: Nov 16, 2023 — RE 10-2023-0159208
Examiner: HOQUE, TAFHIMUL
Art Unit: 2408
Tech Center: 2400 — Computer Networks
Assignee: Wins Co. Ltd.
OA Round: 1 (Non-Final)
Grant Probability: Favorable
OA Rounds: 1-2

Examiner Intelligence

Career Allowance Rate: 0% (0 granted / 0 resolved; -58.0% vs TC avg)
Interview Lift: +0.0% (resolved cases with interview)
Typical timeline / Avg Prosecution: 3 currently pending
Career history: 4 Total Applications across all art units

Statute-Specific Performance

§103: 100.0% (+60.0% vs TC avg)
Based on career data from 0 resolved cases

Office Action

§103
DETAILED ACTION

This communication is in response to the application filed on July 2nd, 2024 in which claims 1-17 are presented for examination.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Specification

The disclosure is objected to because of the following informality: Paragraph 0055 states “…the first file may be set in association with reach other.” Correct the word “reach” to “each”. Appropriate correction is required.

Drawings

The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they do not include the following reference sign(s) mentioned in the description: “710”, “720”, and “730”. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: “110”. Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Objections

Claim 15 is objected to because of the following informality: The claim states “…times per hour that the a combination of the first…”. Clarify by only using one term to correct ambiguity. Appropriate correction is required.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 16, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over US 20190108340 A1 to Bedhapudi et al (hereinafter Bedhapudi) in view of US 20240248989 A1 to Armangau et al (hereinafter Armangau).

As per claim 1, Bedhapudi discloses a method for real-time detection and monitoring of ransomware based on behavior analysis (Bedhapudi, claim 1, “A computer-implemented method for detecting file activity anomalies”) comprising: generating monitoring information including information on a first file in response to an open of a first file (Bedhapudi, abstract, and par 0004, “Thus, ransomware attacks may be detected by analyzing the I/O activity in a given file system. In some embodiments, a software module running on a client machine monitors the I/O activity in a file system.”, generation of monitoring information on a file is implied); setting any one of a first flag corresponding to file generation and a second flag corresponding to file deletion in the monitoring information in response to a first behavior associated with the first file (Bedhapudi, par 0004, and abstract, “The software module records the number of times the files in the file system are modified, created, deleted, and renamed.”, each of the identified “modified”, “created”, “deleted” and “renamed” corresponds to a different behavior, the information used to determine number of files the behavior happens corresponds to a flag); setting a flag different from the flag set in the monitoring information in response to the first behavior among the first and second flags in the monitoring information in response to a second behavior …. (Bedhapudi, par 0004, abstract, “The software module records the number of times the files in the file system are modified, created, deleted, and renamed.”, each of the identified “modified”, “created”, “deleted” and “renamed” corresponds to a different behavior, the information used to determine number of files the behavior happens corresponds to a flag); and detecting a process associated with the ransomware by performing analysis based on the first and second flags set in the monitoring information (Bedhapudi, abstract, “The recorded number is compared against a threshold. If the number exceeds the threshold, the software module provides an alert to the user of the client machine that the client machine may be under a ransomware attack.”).

Bedhapudi does not explicitly disclose the second behavior is a subsequent behavior of the first behavior; however, in an analogous art, Armangau disclosed the concept of context based ransomware detection where file access operation sequences are identified (Armangau, par 0049, “ransomware detection process 10 may monitor 302 for a predefined number of sequence of file modification operations (e.g., an encryption operation followed by a deletion operation followed by a renaming operation) on a threshold number of files. In this manner, ransomware detection process 10 may monitor 302 the plurality of operations for particular types and sequences of file modification operations on the file level of a storage system”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the system of Bedhapudi to incorporate the context based ransomware detection as disclosed by Armangau, in order to identify ransomware attack based on attack patterns (Armangau, par 0051).

As per claim 16, Bedhapudi-Armangau teaches a computer-readable non-transitory recording medium to execute the method of claim 1 (Bedhapudi, par 0407, “These computer program instructions may also be stored in a non-transitory computer-readable memory that can direct a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the acts specified in the flow chart and/or block diagram block or blocks.”).

Claim 17 recites substantially the same limitations as claim 1, therefore, it is rejected under the same rationale. Bedhapudi-Armangau further teaches an electronic device for detecting ransomware comprising a memory to store an instruction, and a processor connected to the memory to do the ransomware monitoring (Bedhapudi, par 0407, “Each block of the flow chart illustrations and/or block diagrams, and combinations of blocks in the flow chart illustrations and/or block diagrams, may be implemented by computer program instructions. Such instructions may be provided to a processor of a general purpose computer, special purpose computer, specially-equipped computer (e.g., comprising a high-performance database server, a graphics subsystem, etc.) or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor(s) of the computer or other programmable data processing apparatus, create means for implementing the acts specified in the flow chart and/or block diagram block or blocks.” Examiner Note: It is implied that the processor that Bedhapudi discloses is connected to memory).

Claims 2 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Bedhapudi in view of Armangau as applied to claim 1 above, and further in view of US 9317686 B1 to Ye et al (hereinafter Ye).

As per claim 2, Bedhapudi-Armangau teaches the method of claim 1, wherein: the generating of the monitoring information including the information on the first file includes storing the monitoring information including the information on the first file in a list associated with an open of a document file including the first file, the setting of the flag different from the flag set in response to the first behavior among the first or second flag in the monitoring information includes: detecting the second behavior as the subsequent behavior of the first behavior, associated with the first file; confirming the monitoring information corresponding to the first file in the list (Bedhapudi, abstract, “Thus, ransomware attacks may be detected by analyzing the I/O activity in a given file system. In some embodiments, a software module running on a client machine monitors the I/O activity in a file system.”, “The software module records the number of times the files in the file system are modified, created, deleted, and renamed.”, also par 0004, “The software module records the number of times the files in the file system are modified, created, deleted, and/or renamed. The recorded number is compared against a threshold.”, and Armangau, par 0049, context based ransomware detection, the reasons of obviousness have been noted in the rejection of claim 1 above and applicable herein); and setting the flag different from the flag set in the monitoring information in response to the first behavior among the first and second flags in the monitoring information in response to the second behavior (Bedhapudi, abstract, and par 0004, “The software module records the number of times the files in the file system are modified, created, deleted, and renamed.” Examiner Note: Recording the number of occurrences of file system operations corresponds to the flag-based monitoring described in the claim).

Bedhapudi does not explicitly disclose the following limitation taught by an analogous art from Ye. Ye teaches the detecting of the process associated with the ransomware includes detecting at least some of the at least one first process, which opens the first file and performs the first and second behaviors, as a process associated with the ransomware by confirming that the first flag and the second flag are set in the monitoring information (Ye, Col 3, lines 35-47, “The abnormal file change correlation engine 120 is a software module with the responsibility to detect any malicious or file encryption activity by correlating events received from system monitor driver 110. The correlation engine 120 also determines whether to back up a file before the file is changed (e.g., written to or deleted). For example, when a suspicious process launches, engine 120 may notify backup engine 130 to back up files that the process will change. If engine 120 confirms that the process is ransomware (e.g., by correlating events from that process), it may notify driver 110 to block this process and call clean engine 180 to remove the process. If the engine 120 confirms that the process is harmless, it may notify backup engine 132 to cease backing up files”). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the system of Bedhapudi-Armangau to incorporate ransomware process-detection as disclosed by Ye, in order to detect ransomware and backup files before they are encrypted (Ye, col 2, lines 13-17).

As per claim 8, Bedhapudi-Armangau-Ye teaches the ransomware detection method of claim 2. Ye further teaches the first process includes a 1-1th process associated with the open of the first file, a 1-2th process associated with the first behavior, and a 1-3th process associated with the second behavior, at least some of which are different from each other (Ye, col 3, lines 24-27, “System 10 includes a system monitor driver 110 which resides in the kernel. This software module hooks relevant system events such as: file events (e.g., open file, write file, delete file, create file, rename file)”, the reasons of obviousness have been noted in the rejection of claim 2 above and applicable herein).

Claims 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Bedhapudi in view of Armangau and Ye as applied to claim 2 above, and further in view of US 20180007069 A1 to Hunt et al (hereinafter Hunt) and US 20170324755 A1 to Dekel et al (hereinafter Dekel).

As per claim 3, Bedhapudi-Armangau-Ye teaches the ransomware detection method of claim 2. However, Bedhapudi-Armangau-Ye does not teach the detection of ransomware processes by analyzing the call structure based on behaviors stored in a process call tree. In an analogous art in the endeavor, Hunt teaches the detecting of the at least some of the at least one process as the process associated with the ransomware includes: analyzing a call structure of the first process that opens the first file and performs the first and second behaviors based on a process call tree (Hunt, par 0025, “The ransomware detection module 160 filters cloud storage API 150 calls to track modification to existing data structures (which represent user stored files) within the cloud storage system. This monitors for behavior indicating ransomware like activity at an API level. The approach is statistical, looking at sequences of events, rather than basing decisions on individual events. For example, a sequence of API calls that have a 1:1 delete and create ratio or similarly sized data objects may indicate the replacement of existing user data structures with new data, such as when ransomware might replace photos with encrypted versions of the photos. More than one sequence of this type may be used by different ransomware: (a) Read A, write B of same size, delete A; (b) Read A, write A with full overwrite; or (c) Read A, B, C, D, . . . , write A1, B1, C1, D1, . . . , delete A, B, C, D, . . . . Other read, write, delete sequences may be used that indicate a ransomware delete and create sequence.”). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the system of Bedhapudi-Armangau-Ye to incorporate process call structure analysis as disclosed by Hunt, in order to preserve data integrity and have a means for file recovery (Hunt, par 0015).

Bedhapudi-Armangau-Ye-Hunt does not teach detecting a second process that calls at least some of the first process based on the call structure. In an analogous art in the field, Dekel teaches detecting a second process that calls at least some of the first process based on the call structure (Dekel, par 0074, “Examples of activity sensed by the activity module 132 may include, but is not limited to, file accesses, network accesses, application accesses, registry accesses, file creations, file modifications, process calls and process creations.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Bedhapudi-Armangau-Ye to incorporate the monitoring of file activity and process calls as disclosed by Dekel, in order to mitigate the effects of ransomware infection and prevent infections (Dekel, par 0064).

Bedhapudi-Armangau-Ye-Hunt-Dekel further teaches: further detecting at least some of the second process as the process associated with the ransomware (Ye, Col 3, lines 35-47, “The abnormal file change correlation engine 120 is a software module with the responsibility to detect any malicious or file encryption activity by correlating events received from system monitor driver 110. The correlation engine 120 also determines whether to back up a file before the file is changed (e.g., written to or deleted). For example, when a suspicious process launches, engine 120 may notify backup engine 130 to back up files that the process will change. If engine 120 confirms that the process is ransomware (e.g., by correlating events from that process), it may notify driver 110 to block this process and call clean engine 180 to remove the process. If the engine 120 confirms that the process is harmless, it may notify backup engine 132 to cease backing up files”). The reasons of obviousness have been stated in the rejection of claim 2 above and applicable herein.

As per claim 4, Bedhapudi-Armangau-Ye-Hunt-Dekel teaches the ransomware detection method of claim 3 wherein the further detecting of the at least some of the second process as the process associated with the ransomware includes classifying at least some of the first and second processes into a system process and a suspicious process, and detecting at least some of the suspicious processes as the process associated with the ransomware (Ye, Col 3, lines 35-47, “The abnormal file change correlation engine 120 is a software module with the responsibility to detect any malicious or file encryption activity by correlating events received from system monitor driver 110. The correlation engine 120 also determines whether to back up a file before the file is changed (e.g., written to or deleted). For example, when a suspicious process launches, engine 120 may notify backup engine 130 to back up files that the process will change. If engine 120 confirms that the process is ransomware (e.g., by correlating events from that process), it may notify driver 110 to block this process and call clean engine 180 to remove the process. If the engine 120 confirms that the process is harmless, it may notify backup engine 132 to cease backing up files”). The reasons of obviousness have been stated in the rejection of claim 2 above and applicable herein.

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Bedhapudi-Armangau-Ye-Hunt-Dekel as applied to claim 4 above, and further in view of US 20210152595 A1 to Hansen et al (hereinafter Hansen).

As per claim 5, Bedhapudi in view of Armangau, Ye, Hunt, and Dekel teaches the ransomware detection method of claim 4. However, Bedhapudi-Armangau-Ye-Hunt-Dekel does not teach the system process includes at least a portion of a scheduler and a shell. In an analogous art in the endeavor, Hansen teaches the system process includes at least a portion of a scheduler and a shell (Hansen, par 0017, “The exemplary method for detecting a ransomware-encryption including:….. c) a RD module scheduler processing the metadata watch-item file-event queue according to a preset time-based schedule, the scheduler processing any watch-item file-event data included in the metadata watch-item file-event queue to determine a RW-alert state of the RD module, the scheduler operatively associated with an entropy-analysis-based ransomware detection process to detect potential ransomware-encryption of one or more of the watch-items”). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the system of Bedhapudi to further incorporate the scheduler as disclosed by Hansen, in order to detect potential ransomware encryption of selected items (Hansen, par 0017).

Claims 6 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Bedhapudi in view of Armangau and Ye as applied to claim 2 above, and further in view of US 10503904 B1 to Singh et al (hereinafter Singh).

As per claim 6, Bedhapudi-Armangau-Ye teaches the ransomware detection method of claim 2. Bedhapudi-Armangau-Ye fails to teach the open of the first file of the first process and the first and second behaviors are detected by analyzing the call to the corresponding command at a kernel stage, and the monitoring information further includes information on the first file confirmed by analyzing the call. In an analogous art in the endeavor, Singh teaches the open of the first file of the first process and the first and second behaviors are detected by analyzing the call to the corresponding command at a kernel stage, and the monitoring information further includes information on the first file confirmed by analyzing the call (Singh, Abstract, “A computerized method for detecting and mitigating a ransomware attack is described. The method features (i) a kernel mode agent that intercepts an initiation of a process, intercepts one or more system calls made by the process when the process is determined to be suspicious”). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the system of Bedhapudi-Armangau-Ye to incorporate the kernel stage call analysis as disclosed by Singh, in order to intercept suspicious operations and mitigate ransomware attacks at the kernel level to increase file protection (Singh, Abstract).

As per claim 7, Bedhapudi-Armangau-Ye-Singh teaches the ransomware detection method of claim 6. Singh further teaches blocking, at the kernel stage, the command called from the kernel level by at least some of the first processes (Singh, Abstract, “A computerized method for detecting and mitigating a ransomware attack is described. The method features (i) a kernel mode agent that intercepts an initiation of a process, intercepts one or more system calls made by the process when the process is determined to be suspicious”). The reasons of obviousness have been stated in the rejection of claim 6 above and are applicable herein.

Claims 9 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Bedhapudi in view of Armangau as applied to claim 1 above, and further in view of US 20240330461 A1 to Ezrielev et al (hereinafter Ezrielev).

As per claim 9, Bedhapudi-Armangau teaches the ransomware detection method of claim 1. Bedhapudi-Armangau fails to recite the method of file encryption based on the first and second behaviors; however, in an analogous art, Ezrielev recites the first behavior corresponds to the file generation of a second file associated with the first file, the second behavior corresponds to the file deletion of the first file, and the first flag is set in monitoring information in response to the first behavior (Ezrielev, par 0030, “Thus, the ransomware only needs to access the files, encrypt the files with an attacker-controlled key, and replace the original files with the attacker controlled encrypted files.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the system of Bedhapudi-Armangau to incorporate the behavior monitoring process as disclosed by Ezrielev in order to detect malware in real time and mitigate damage to the system (Ezrielev, par 0029).

As per claim 11, Bedhapudi-Armangau teaches the ransomware detection method of claim 1. Bedhapudi-Armangau fails to recite the method of file encryption based on the first and second behaviors; however, in an analogous art, Ezrielev recites the first behavior corresponds to the file deletion of the first file, the second behavior corresponds to the file generation of the second file associated with the first file, the second flag is set in the monitoring information in response to the first behavior, and the monitoring information and backup information corresponding to the first file are stored in association with each other (Ezrielev, par 0030, “Thus, the ransomware only needs to access the files, encrypt the files with an attacker-controlled key, and replace the original files with the attacker controlled encrypted files.”). The reasons of obviousness have been stated in the rejection of claim 9 above and are applicable herein.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Bedhapudi in view of Armangau and Ezrielev as applied to claim 9 above, and further in view of US 20170351860 A1 to El-Moussa et al (hereinafter El-Moussa).

As per claim 10, Bedhapudi-Armangau-Ezrielev teaches the ransomware detection method of claim 9. However, Bedhapudi-Armangau-Ezrielev fails to teach the following limitation disclosed by a related prior art El-Moussa: performing the file deletion of the first file according to the second behavior and the deletion of the second file generated according to the first behavior (El-Moussa, par 0032, “Accordingly, exemplary instructions include, inter alia: uninstalling, disabling, deleting, isolating or securing a particular file, application, data item, process or the like at the client 208 to prevent continued execution or infection or proliferation of infection by potential malware;…”). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the system of Bedhapudi-Armangau-Ezrielev to incorporate the appropriate file deletion operation as disclosed by El-Moussa, in order to limit the damage caused by malware (El-Moussa, par 0032).

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Bedhapudi in view of Armangau and Ezrielev as applied to claim 11 above, and further in view of US 9317686 B1 to Ye et al (hereinafter Ye).

As per claim 12, Bedhapudi-Armangau-Ezrielev teaches the ransomware detection method of claim 11. However, it fails to teach restoring the first file deleted according to the first behavior based on the backup information and deleting the second file generated according to the second behavior. In an analogous art in the same endeavor, Ye teaches restoring the first file deleted according to the first behavior based on the backup information and deleting the second file generated according to the second behavior (Ye, col 2, lines 31-34, “When it is determined that the process is ransomware, the process is blocked and further file backups are halted. The original file is recovered and the encrypted file is discarded.”). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the system of Bedhapudi-Armangau-Ezrielev to incorporate the restoration of a deleted file and the deletion of the generated file as disclosed by Ye, in order to recover any data that was lost to the malware (Ye, col 3, lines 63-67).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Bedhapudi in view of Armangau as applied to claim 1 above, and further in view of US 20190236274 A1 to Brenner.

As per claim 13, Bedhapudi-Armangau teaches the ransomware detection method of claim 1; however, it fails to teach similarity comparisons based on a threshold value of the files. In an analogous art in the same field, Brenner teaches the second file generated by any one of the first and second behaviors corresponding to the file storage is confirmed as at least one of a file generated in a directory corresponding to the first file or a file generated with a similarity to the first file greater than or equal to a threshold value (Brenner, par 0025, “If a computer system has been backed up previously, the change rate in file size between current version of files in a backup and one or more prior versions can be compared to see if the change in size is in an expected range. Additionally, overall backup size can be compared to expected values. File attributes can be compared to their expected values. The system may also check to see if new files are present in a current backup and/or others unexpectedly not present in the current backup.”, Brenner, par 0038, “For example, a backup and data analysis system can calculate the expected size of each backup file in the backup data based on prior backup data size, and compare the expected and current size. The system can compare expected file permissions against prior values received from the same machine. The system can compare individual metadata such as file sizes and other file characteristics against expected values.”). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the method of Bedhapudi-Armangau to incorporate the comparison of file similarity thresholds as taught by Brenner in order to take appropriate action upon ransomware detection such as alerting, isolating the system, or rolling the machine back to a valid backup (Brenner, par 0041).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Bedhapudi in view of Armangau as applied to claim 1 above, and further in view of US 20180113638 A1 to Petersen et al (hereinafter Petersen).

As per claim 14, Bedhapudi-Armangau teaches the ransomware detection method of claim 1. Bedhapudi-Armangau fails to teach the analysis of the process based on time differences between the first and second behaviors. In an analogous art in ransomware detection, Petersen teaches the detecting of the process associated with the ransomware includes performing the analysis of the process further based on information on a time difference between the first and second behaviors detected (Petersen, par 0070, “In another embodiment, a relative difference between multiple data access events may be used to determine the score assigned to a write request. This relative difference may be between a creation time and a last modification time for existing data that is attempting to be accessed by an application or possibly malicious code. Data files with the same creation and last write dates may have a higher calculated score than those which exhibit greater separation between creation and modification times.”). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the system of Bedhapudi-Armangau to incorporate time analysis based on the difference between behaviors as disclosed by Petersen, in order to protect the integrity of file data by correcting any unauthorized changes or changing the file permission settings to prevent further changes (Petersen, par 0068).

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Bedhapudi in view of Armangau as applied to claim 1 above, and further in view of US 20170351860 A1 to El-Moussa et al (hereinafter El-Moussa).

As per claim 15, Bedhapudi-Armangau teaches the ransomware detection method of claim 1. Bedhapudi-Armangau fails to teach behavior frequency analysis over a period of time; however, in an analogous art, El-Moussa teaches the detecting of the process associated with the ransomware includes performing the analysis of the process further based on information on the number of times per hour that the combination of the first and second behaviors associated with each file included in a specific range of directories including the first file is detected (El-Moussa, par 0031, “In use, the agent 210 is adapted to receive the behavior profile and monitor the client computer system 208 to identify operational behavior of the client 208 conforming to the behaviors specified in the behavior profile. In some embodiments this will involve checking rules specified in the behavior profile, such as counters of behaviors, frequencies of behaviors, volumes of data and the like.”). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the system of Bedhapudi-Armangau to incorporate behavior frequency analysis over a window of time as disclosed by El-Moussa, in order to take the appropriate reaction such as deleting, uninstalling, or isolating the infected files or applications upon the discovery of ransomware behaviors (El-Moussa, par 0032).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Amit (US 11349855 B1) discloses a system and method to detect and terminate ransomware attacks.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAFHIMUL HOQUE whose telephone number is (571)272-2571. The examiner can normally be reached M-F 8:00-5:00. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached at (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/T.H./
Examiner, Art Unit 2408

/LINGLAN EDWARDS/
Supervisory Patent Examiner, Art Unit 2408
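The claims as characterized in the rejections above describe one mechanism: monitoring information is generated per file on open, a generation flag or a deletion flag is set by the first behavior, the other flag by the subsequent behavior, and a process is detected when both flags are set, refined by name/directory association (claim 13), the time gap between the behaviors (claim 14) and the per-hour count within a directory (claim 15). The following Python model is an added illustration of that logic, not code from the application or from any cited reference; the event format, the pids, the paths, the similarity measure (difflib ratio on basenames) and every threshold are constructed assumptions.

```python
# Added example modelling the flag-based monitoring from the claim 1 rejection; not
# code from the application or any cited reference. Paths, pids and thresholds are constructed.
from __future__ import annotations

import difflib
import posixpath
from collections import defaultdict
from dataclasses import dataclass, field

FLAG_GENERATION = 0x1  # first flag: an associated second file was generated
FLAG_DELETION = 0x2    # second flag: the monitored first file was deleted


@dataclass
class Event:
    ts: float  # seconds on a constructed clock
    pid: int
    op: str    # "open", "create" or "delete"
    path: str


@dataclass
class MonitoringInfo:
    """Per-file record generated on open; later behaviours set its flags."""
    path: str
    opened_by: int
    flags: int = 0
    behaviour_ts: list[float] = field(default_factory=list)
    pids: set[int] = field(default_factory=set)


class FlagDetector:
    def __init__(self, similarity=0.6, max_gap_s=60.0, per_hour=3):
        self.similarity = similarity  # basename similarity threshold (claim 13 style)
        self.max_gap_s = max_gap_s    # max seconds between the two behaviours (claim 14 style)
        self.per_hour = per_hour      # flagged pairs per hour per directory (claim 15 style)
        self.monitored: dict[str, MonitoringInfo] = {}
        self.pair_times: dict[str, list[float]] = defaultdict(list)
        self.candidates: set[str] = set()  # first files with both flags set
        self.suspicious: set[int] = set()  # pids detected as ransomware-associated

    def _associated_first_file(self, created: str) -> MonitoringInfo | None:
        """Tie a generated file to an open first file in the same directory with a similar name."""
        directory, name = posixpath.split(created)
        best, best_ratio = None, 0.0
        for info in self.monitored.values():
            if posixpath.dirname(info.path) != directory or info.flags & FLAG_GENERATION:
                continue
            ratio = difflib.SequenceMatcher(None, posixpath.basename(info.path), name).ratio()
            if ratio >= self.similarity and ratio > best_ratio:
                best, best_ratio = info, ratio
        return best

    def handle(self, ev: Event) -> None:
        if ev.op == "open":
            self.monitored.setdefault(ev.path, MonitoringInfo(ev.path, ev.pid))
        elif ev.op == "create":
            info = self._associated_first_file(ev.path)
            if info is not None:
                self._set_flag(info, FLAG_GENERATION, ev)
        elif ev.op == "delete" and ev.path in self.monitored:
            self._set_flag(self.monitored[ev.path], FLAG_DELETION, ev)

    def _set_flag(self, info: MonitoringInfo, flag: int, ev: Event) -> None:
        if info.flags & flag:
            return  # same behaviour repeated: flag already set
        info.flags |= flag
        info.pids.add(ev.pid)
        info.behaviour_ts.append(ev.ts)
        if info.flags == FLAG_GENERATION | FLAG_DELETION:  # works in either order
            self.candidates.add(info.path)
            self._analyse(info)

    def _analyse(self, info: MonitoringInfo) -> None:
        first_ts, second_ts = info.behaviour_ts
        if second_ts - first_ts > self.max_gap_s:
            return  # behaviours far apart are not scored as an attack pair
        directory = posixpath.dirname(info.path)
        recent = [t for t in self.pair_times[directory] if second_ts - t <= 3600.0]
        recent.append(second_ts)
        self.pair_times[directory] = recent
        if len(recent) >= self.per_hour:
            self.suspicious |= info.pids | {info.opened_by}


def run_sample() -> FlagDetector:
    """Constructed stream: editor pid 100 makes one backup-style rename; pid 200 replaces three files."""
    docs = "/home/user/docs"
    events = [Event(0.0, 100, "open", f"{docs}/notes.txt"),
              Event(1.0, 100, "create", f"{docs}/notes.txt.bak"),
              Event(2.0, 100, "delete", f"{docs}/notes.txt")]
    t = 10.0
    for name, order in (("report.docx", "cd"), ("budget.xlsx", "cd"), ("plan.pptx", "dc")):
        ops = [("create", f"{docs}/{name}.locked"), ("delete", f"{docs}/{name}")]
        if order == "dc":  # claim 11 style ordering: delete first, then generate
            ops.reverse()
        events.append(Event(t, 200, "open", f"{docs}/{name}"))
        events += [Event(t + 0.1 * (i + 1), 200, op, p) for i, (op, p) in enumerate(ops)]
        t += 1.0
    det = FlagDetector()
    for ev in events:
        det.handle(ev)
    return det
```

In the sample the editor's single rename sets both flags on notes.txt and counts toward the directory's per-hour total, but only pid 200, whose paired behaviors push that total to the threshold, is detected; a pair whose two behaviors are more than max_gap_s apart is recorded as a candidate and never scored.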

Prosecution Timeline

Jul 02, 2024
Application Filed
Dec 23, 2025
Non-Final Rejection mailed — §103 (current)


Prosecution Projections

1-2
Expected OA Rounds
Grant Probability
Low
PTA Risk
Based on 0 resolved cases by this examiner. Grant probability derived from career allowance rate.
