DETAILED ACTION
The following claims are pending in this office action: 1-20
Claims 1, 10 and 11 are independent claims.
The following claims are amended: 1, 3, 6, 10-11, 14, 17 and 19
The following claims are new: -
The following claims are cancelled: -
Claims 1-20 are rejected. This rejection is FINAL.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Previous Objections and/or Rejections Withdrawn.
The 35 U.S.C. § 112(b) rejections to claims 10 and 19 are withdrawn based on the amendments. In the case of claim 10, the 35 U.S.C. § 112(f) interpretation is also withdrawn based on the amendments.
RESPONSE TO ARGUMENTS
Applicant’s arguments in the amendment filed 02/20/2026 have been fully considered but are moot in view of new grounds of rejection.
Applicant notes: “None of the cited references, either independently or in combination, teach or suggest the limitations recited in amended claim 1. This limitation is disclosed by Collier et al. (US Pub. 2022/0129551) as explained below and rejected accordingly.
Collier teaches selecting a variable monitoring rate associated with risk characteristics such as locations for storing sensitive data as claimed and as explained below.
Independent claims 10 and 11 are amended in a similar way to claim 1. The amended limitations are disclosed by Collier et al. (US Pub. 2022/0129551) as explained below and rejected accordingly.
Dependent claims 2-9 and 12-20 depend on independent claims 1 and 11. The amended elements in the claims are disclosed by Collier et al. (US Pub. 2022/0129551) as explained below, and any additional features to the dependent claims are rejected accordingly.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3-4, 6-12, 14, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Radhakrishnan et al. (US Pub. 2023/0231881) (hereinafter “Radhakrishnan”) in view of Collier et al. (US Pub. 2022/0129551) (hereinafter “Collier”).
As per claim 1, Radhakrishnan teaches a method of operating a ransomware detection system, the method comprising: ([Radhakrishnan, para. 0014] “The present disclosure discloses a method of generating decoy files”; [para. 0076] “The method includes implementing a trap layer on file system that make use of decoy files, decoy processes, and fake user accounts to identify the ransomware infection”)
generating a decoy file based on one or more characteristics of one or more files in a file system; ([Radhakrishnan, para. 0070; Fig. 6] “Fig. 6 ... illustrating a method of generating decoy files”; [para. 0072] “Step 610 includes extracting a plurality of features [one or more characteristics] from most recently used user files in a folder [one or more files in a file system as the folder is in a computer system – see para. 0033] by the deep learning engine”; [para. 0073] “Step 615 includes converting the plurality of features to [based on the characteristics] ... generate decoy files”)
identifying a location in the file system based at which to place the decoy file; ([Radhakrishnan, para. 0043] “methods used for various operations in trap layer is detailed below [referring to the steps described as follows which are also part of the method of generating the decoy files]”; [para. 0045-0046] “the decoy files are planned to be placed in all the possible locations [identifying a location in the file system] where the scanning and action will be initiated ... based on the ... files’ names and positions in each folder [location in the file system]”)
placing the decoy file at the identified location in the file system; and ([Radhakrishnan, para. 0046] “the decoy files are given names and deployed in various locations based on the other files’ names and positions [the identified location] in each folder [in the file system]”)
monitoring the decoy file to detect changes to the decoy file; and ([Radhakrishnan, para. 0076] “The method also includes runtime suspicious behavior monitoring for identifying ransomware attack”; [para. 0061] “a suspected Ransomware infection identified [monitoring] by the changes of content, rename or deletion [changes] of decoy files”; monitoring a file at a variable rate associated with one or more risk characteristics of the identified location to detect changes to the file is more clearly taught Collier below)
in response to detecting a change to the decoy file, initiating a ransomware mitigation process. ([Radhakrishnan, para. 0061] “Whenever there is a suspected Ransomware infection identified by the changes of content, rename or deletion of decoy files by processes, [in response to detecting a change to the decoy file] the notifications and alarms are triggered ... Simultaneously the backup manager initiates the fresh backups of benign files and also do complete freezing of previous versions of backups by declining the access privileges [initiating a ransomware mitigation process]”)
Radhakrishnan does not clearly teach monitoring a file at a rate associated with the identified location to detect changes to the file.
However, Collier teaches monitoring a file at a variable rate ([Collier, para. 0138] “A file integrity monitor may be tasked with monitoring data ... frequency of monitoring ... select a suitable level of monitoring .... monitoring may be dynamically adjusted according to changes in the compute context over time ... monitoring rules ... to facilitate monitoring”) associated with one or more risk characteristics of the identified location ([para. 0153] “the context of the compute instance ... facilitate dynamic adaptation of the rules”; [para. 0155] “Useful context for dynamically selecting monitoring rules include ... indications of ... potential tampering with [one or more risk characteristics] ... a directory of protected files [of the identified location]”) to detect changes to the file. ([Para. 0138] “monitoring data in a computing environment to track changes to this data and evaluate file interactions for risks of malicious or otherwise harmful activity”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Radhakrishnan with the teachings of Collier to include monitoring a file at a variable rate associated with one or more risk characteristics of the identified location to detect changes to the file. One of ordinary skill in the art would have been motivated to make this modification because this provides data integrity monitoring needed by an organization that is dynamic and able to adapt to changes (Collier, para. 0136)
As per claim 3, Radhakrishnan in view of Collier teaches claim 1.
Radhakrishnan also teaches the identified location in the file system comprises a folder in the file system ([Radhakrishnan, para. 0046] “The decoy files are given names and deployed in various locations based on the ... positions in each folder [identified location in the file system]”) identifying the identified location comprises identifying the identified location based on one or more characteristics of the file system. ([Para. 0045] “the decoy files are planned to be placed [identifying the location] in all the possible locations where the scanning and action will be initiated [based on one or more characteristics/features of the file system]”; [para. 0072] “Step 610 includes extracting a plurality of features [one or more characteristics] from most recently used user files in a folder by the deep learning engine ... includes at least ... position of files in each folder [identifying the location]”; [para. 0079] “The deep learning engine initiates scanning of files in the file system”)
Radhakrishnan does not clearly teach the one or more risk characteristics of the identified location comprise a data sensitivity characteristic associated with data stored at the identified location.
However, Collier teaches one or more risk characteristics of the identified location comprise a data sensitivity characteristic associated with data stored at the identified location. ([Collier, para. 0155] “Useful context for dynamically selecting monitoring rules include ... indications of ... potential tampering with [one or more risk characteristics] ... a directory [of the identified location] of protected [data sensitivity characteristic] files”; [para. 0159] “Context used by the compute instance to dynamically adapt monitoring rules ... include a sensitivity of information detected in the data ... Information may be deemed sensitive based on ... a source of the information [data sensitivity characteristic associated with the data stored at the identified location]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Radhakrishnan with the teachings of Collier to include one or more risk characteristics of the identified location comprise a data sensitivity characteristic associated with data stored at the identified location. One of ordinary skill in the art would have been motivated to make this modification because modern computing environments experience ongoing changes to protected data and such a system allow an organization to adapt to such changes. (Collier, para. 0135-0136)
As per claim 4, Radhakrishnan in view of Collier teaches claim 3.
Radhakrishnan also teaches wherein the one or more characteristics of the file system comprises an identity of a most-recently-used folder or an identity of a folder corresponding to a list of most recently used files. ([Radhakrishnan, para. 0072] “Step 610 includes extracting a plurality of features [the one or more characteristics of the file system comprises] from most recently used user files in a folder [making the following “of a most-recently-used folder”] ... file names [identity of a most-recently-used-folder] ... date of modification [identity of a folder corresponding to a list of most recently used files]”)
As per claim 6, Radhakrishnan in view of Collier teaches claim 1.
Radhakrishnan also teaches generating multiple additional decoy files; ([Radhakrishnan, para. 0073] “Step 615 includes converting the plurality of features to ... generate decoy files [multiple additional decoy files]”; [para. 0065] “the Decoy file creation/updating manager module will be responsible for creation [generating] ... the decoy files [multiple decoy files] periodically [additional decoy files]”)
placing the additional decoy files in a same location as the decoy file; ([Radhakrishnan, para. 0046] “the decoy files [the additional decoy files] are given names and deployed in [placed in] ... each folder [same location as the decoy file]”)
monitoring the additional decoy files to detect changes to any of the additional decoy files; and ([Radhakrishnan, para. 0076] “The method also includes runtime suspicious behavior monitoring for identifying ransomware attack”; [para. 0061] “a suspected Ransomware infection [monitoring the additional decoy files] by the changes of content, rename or deletion [changes] of decoy files [to any of the additional decoy files]”; [para. 0062] “a monitoring system ... to detect [monitoring] ... file operations on decoy files deployed in the trap layer [the additional decoy files]”)
in response to detecting a change to any of additional decoy files, initiating a ransomware mitigation process. ([Radhakrishnan, para. 0061] “Whenever there is a suspected Ransomware infection identified by the changes of content, rename or deletion of decoy files by processes, [in response to detecting a change to any of the additional decoy files] the notifications and alarms are triggered ... Simultaneously the backup manager initiates the fresh backups of benign files and also do complete freezing of previous versions of backups by declining the access privileges [initiating a ransomware mitigation process]”)
Radhakrishnan does not clearly teach monitoring the additional files at the variable rate to detect changes to any of the additional files.
However, Collier teaches monitoring the additional files at the variable rate ([Collier, para. 0138] “A file integrity monitor may be tasked with monitoring data ... frequency of monitoring ... select a suitable level of monitoring .... monitoring may be dynamically adjusted according to changes in the compute context over time ... monitoring rules ... to facilitate monitoring”; [para. 0153] “as new files are created, even in unmonitored directories, the data integrity monitor may establish/adapt a rule to determine if the content of the newly created file should be monitored [monitoring the additional files] and update the monitoring rules 1204 accordingly [at the variable rate]”) to detect changes to any of the additional files. ([Para. 0138] “monitoring data in a computing environment to track changes to this data and evaluate file interactions for risks of malicious or otherwise harmful activity”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Radhakrishnan and Collier for the same reasons as disclosed above.
As per claim 7, Radhakrishnan in view of Collier teaches claim 1.
Radhakrishnan also teaches wherein generating the decoy file comprises: generating the decoy file based on changes made to an existing file ([Radhakrishnan, para. 0065] “The Decoy file creation/updating manager module will be responsible for creation ... the decoy files ... triggered by changes in user files and folders”) since a most-recent snapshot taken of the existing file. ([Para. 0068] “trigger initiator to trigger backups ... to update backup files [snapshot taken of the existing file]”; [para. 0069] “When the file system update [since a most-recent snapshot taken of the existing file] the decoy file creation ... triggers [generating the decoy file]”)
As per claim 8, Radhakrishnan in view of Collier teaches claim 7.
Radhakrishnan also teaches capturing the changes made to the existing file ([Radhakrishnan, para. 0075] “Whenever there is a change in the file ... the decoy file will be updated to deceive the malicious process”) in a subsequent snapshot of the existing file; and ([para. 0068] “trigger initiator to trigger backups and periodic updater to update backup files periodically [a subsequent snapshot of the existing file at the next period in time]”; [para. 0069] “When the file system update [since a subsequent update] the decoy file ... updating manager triggers ... by giving the updated files as input [capturing the changes made in a subsequent snapshot of the existing file]”)
refreshing the decoy file based on subsequent changes made to the existing file since the subsequent snapshot. ([Radhakrishnan, para. 0069] “When the file system update [since a subsequent update] the decoy file ... updating manager triggers ... by giving the updated files as input”; [para. 0075] “Whenever there is a change in the file [based on subsequent changes made to the existing file since the subsequent screenshot] ... the decoy file will be updated [refreshing the decoy file]”)
As per claim 9, Radhakrishnan in view of Collier teaches claim 1.
Radhakrishnan also teaches wherein initiating the ransomware mitigation process comprises identifying a ransomware attack vector and foreclosing the ransomware attack vector as an entry point to access to the file system. ([Radhakrishnan, para. 0081] “a malicious process P1 is invoked, [a ransomware attack vector] then ... the monitoring process detects suspicious activity ... the monitoring results in detection of malicious process, [identifying a ransomware attack vector] then malicious Process P1 ... terminated” [foreclosing the ransomware attack vector]; [para. 0082] “Upon termination ... the system declines access to backup privileges [foreclosing as an entry point] thereby protecting the file system [foreclosing access the file system] from further infection of the ransomware”)
As per claim 10, Radhakrishnan teaches a ransomware detection system, the system comprising: ([Radhakrishnan, para. 0015] “The present disclosure discloses a system for generating decoy files in a file server for protection against ransomware attacks”)
a decoy engine comprising executable instruction that, when executed by one or more processors of one or more computing devices direct the one or more computing devices ([Radhakrishnan, para. 0033] “The system 105 includes a processor 110 ... The memory 115 is communicatively coupled to the processor 110 ... The memory 115 stores a deep learning engine 120 [executable instructions]”; [para. 0070; para. 0076] “a method of generating decoy files using a deep learning engine [program instructions executed by the processor] ... The method includes implementing a trap layer on file system that make use of decoy files, decoy processes, and fake user accounts to identify the ransomware infection”) to generate a decoy file based on one or more characteristics of one or more files in a file system; ([para. 0069] “the decoy file creation ... manager [decoy engine] triggers deep learning engine for generation of the first level decoy files”; [para. 0070; Fig. 6] “Fig. 6 ... illustrating a method of generating decoy files”; [para. 0072] “Step 610 includes extracting a plurality of features [one or more characteristics] from most recently used user files in a folder [one or more files in a file system as the folder is in a computer system – see para. 0033] by the deep learning engine”; [para. 0073] “Step 615 includes converting the plurality of features to [based on the characteristics] ... generate decoy files”)
a provisioning engine comprising executable instructions that, when executed by the one or more processors, direct the one or more computing devices to identify a location in the file system based at which to place the decoy file and to place the decoy file at the identified location in the file system; and ([Radhakrishnan, para. 0069] “Whenever new decoy files are generated the decoy file creation/updation/updating manager [provisioning engine] is triggered to place the decoy files”; [para. 0043] “methods used for various operations in trap layer is detailed below”; [para. 0045-0046] “the decoy files are planned to be placed in all the possible locations [identifying a location in the file system] where the scanning and action will be initiated ... based on the ... files’ names and positions in each folder [location in the file system]”)
a monitoring engine comprising executable instructions that, when executed by the one or more processors, direct the one or more computing devices to monitor the decoy file to detect changes to the decoy file and, ([Radhakrishnan, para. 0076] “The method also includes runtime suspicious behavior monitoring [a monitoring engine] for identifying ransomware attack”; [para. 0061] “a suspected Ransomware infection identified [monitor] by the changes of content, rename or deletion [changes] of decoy files”; monitor a file at a variable rate associated with one or more risk characteristics of the identified location to detect changes to the file is more clearly taught Collier below) in response to detecting a change to the decoy file, to initiate a ransomware mitigation process. ([para. 0061] “Whenever there is a suspected Ransomware infection identified by the changes of content, rename or deletion of decoy files by processes, [in response to detecting a change to the decoy file] the notifications and alarms are triggered ... Simultaneously the backup manager initiates the fresh backups of benign files and also do complete freezing of previous versions of backups by declining the access privileges [initiating a ransomware mitigation process]”)
Radhakrishnan does not clearly teach monitor a file at a variable rate associated with one or more risk characteristics of the identified location to detect changes to the file.
However, Collier teaches monitor a file at a variable rate ([Collier, para. 0138] “A file integrity monitor may be tasked with monitoring data ... frequency of monitoring ... select a suitable level of monitoring .... monitoring may be dynamically adjusted according to changes in the compute context over time ... monitoring rules ... to facilitate monitoring”) associated with one or more risk characteristics of the identified location ([para. 0153] “the context of the compute instance ... facilitate dynamic adaptation of the rules”; [para. 0155] “Useful context for dynamically selecting monitoring rules include ... indications of ... potential tampering with [one or more risk characteristics] ... a directory of protected files [of the identified location]”) to detect changes to the file. ([Para. 0138] “monitoring data in a computing environment to track changes to this data and evaluate file interactions for risks of malicious or otherwise harmful activity”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Radhakrishnan with the teachings of Collier to include monitor a file at a variable rate associated with one or more risk characteristics of the identified location to detect changes to the file. One of ordinary skill in the art would have been motivated to make this modification because this provides data integrity monitoring needed by an organization that is dynamic and able to adapt to changes (Collier, para. 0136)
As per claim 11, Radhakrishnan teaches a computing apparatus comprising: ([Radhakrishnan, para. 0033] “The environment 100 depicts ransomware attack on a computer system 105 [a computing apparatus] over a network 125 ... The system 105 can be a standalone file server, cloud server, a computer, a laptop, or any computing system which stores files in a folder format”)
one or more computer readable storage media; ([Radhakrishnan, para. 0033] “The system 105 includes ... a memory 115”)
one or more processors operatively coupled with the one or more computer readable storage media; and ([Radhakrishnan, para. 0033] “The system 105 includes a processor 110 ... The memory 115 is communicatively coupled to the processor 110”)
a ransomware detection system comprising program instructions stored on the one or more computer readable storage media, wherein the program instructions, when executed by the one or more processors, direct the computing apparatus to at least: ([Radhakrishnan, para. 0033] “The memory 115 stores a deep learning engine 120”; [para. 0070; para. 0076] “a method of generating decoy files using a deep learning engine [program instructions executed by the processors] ... The method includes implementing a trap layer on file system that make use of decoy files, decoy processes, and fake user accounts to identify the ransomware infection”)
generate a decoy file based on one or more characteristics of one or more files in a file system; ([Radhakrishnan, para. 0070; Fig. 6] “Fig. 6 ... illustrating a method of generating decoy files”; [para. 0072] “Step 610 includes extracting a plurality of features [one or more characteristics] from most recently used user files in a folder [one or more files in a file system as the folder is in a computer system – see para. 0033] by the deep learning engine”; [para. 0073] “Step 615 includes converting the plurality of features to [based on the characteristics] ... generate decoy files”)
identify a location in the file system based at which to place the decoy file; ([Radhakrishnan, para. 0043] “methods used for various operations in trap layer is detailed below [referring to the steps described as follows which are also part of the method of generating the decoy files]”; [para. 0045-0046] “the decoy files are planned to be placed in all the possible locations [identifying a location in the file system] where the scanning and action will be initiated ... based on the ... files’ names and positions in each folder [location in the file system]”)
place the decoy file at the identified location in the file system; and ([Radhakrishnan, para. 0046] “the decoy files are given names and deployed in various locations based on the other files’ names and positions [the identified location] in each folder [in the file system]”)
monitor the decoy file to detect changes to the decoy file. ([Radhakrishnan, para. 0076] “The method also includes runtime suspicious behavior monitoring for identifying ransomware attack”; [para. 0061] “a suspected Ransomware infection identified [monitor] by the changes of content, rename or deletion [changes] of decoy files”; monitor the file at a variable rate associated with one or more risk characteristics of the identified location to detect changes to the file is more clearly taught by Collier below)
Radhakrishnan does not clearly teach monitor the file at a variable rate associated with one or more risk characteristics of the identified location to detect changes to the file.
However, Collier teaches monitor the file at a variable rate ([Collier, para. 0138] “A file integrity monitor may be tasked with monitoring data ... frequency of monitoring ... select a suitable level of monitoring .... monitoring may be dynamically adjusted according to changes in the compute context over time ... monitoring rules ... to facilitate monitoring”) associated with one or more risk characteristics of the identified location ([para. 0153] “the context of the compute instance ... facilitate dynamic adaptation of the rules”; [para. 0155] “Useful context for dynamically selecting monitoring rules include ... indications of ... potential tampering with [one or more risk characteristics] ... a directory of protected files [of the identified location]”) to detect changes to the file. ([Para. 0138] “monitoring deata in a computing environment to track changes to this data and evaluate file interactions for risks of malicious or otherwise harmful activity”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Radhakrishnan with the teachings of Collier to include monitor the file at a variable rate associated with one or more risk characteristics of the identified location to detect changes to the file. One of ordinary skill in the art would have been motivated to make this modification because this provides data integrity monitoring needed by an organization that is dynamic and able to adapt to changes (Collier, para. 0136)
As per claim 12, Radhakrishnan in view of Collier teaches claim 11.
Radhakrishnan also teaches wherein the program instructions further direct the computing apparatus to, in response to detecting a change to the decoy file, initiate a ransomware mitigation process. ([Radhakrishnan, para. 0061] “Whenever there is a suspected Ransomware infection identified by the changes of content, rename or deletion of decoy files by processes, [in response to detecting a change to the decoy file] the notifications and alarms are triggered ... Simultaneously the backup manager initiates the fresh backups of benign files and also do complete freezing of previous versions of backups by declining the access privileges [initiating a ransomware mitigation process]”)
As per claim 14, Radhakrishnan in view of Collier teaches claim 11.
Radhakrishnan also teaches the identified location in the file system comprises a folder in the file system; and ([Radhakrishnan, para. 0046] “The decoy files are given names and deployed [identified] in various locations based on the ... positions in each folder”)
wherein the program instructions directing the computing apparatus to identify the identified location comprises instructions to identify the identified location based on characteristics of the file system. ([Radhakrishnan, para. 0045] “the decoy files are planned to be placed [identifying the identified location] in all the possible locations where the scanning and action will be initiated [based on one or more characteristics/features of the file system]”; [para. 0072] “Step 610 includes extracting a plurality of features [one or more characteristics] from most recently used user files in a folder by the deep learning engine ... includes at least ... position of files in each folder [identifying the identified location]”; [para. 0079] “The deep learning engine initiates scanning of files in the file system”)
Radhakrishnan does not clearly teach one or more risk characteristics of the identified location comprise a data sensitivity characteristic associated with data stored at the identified location.
However, Collier teaches one or more risk characteristics of the identified location comprise a data sensitivity characteristic associated with data stored at the identified location. ([Collier, para. 0155] “Useful context for dynamically selecting monitoring rules include ... indications of ... potential tampering with [one or more risk characteristics] ... a directory [of the identified location] of protected [data sensitivity characteristic] files”; [para. 0159] “Context used by the compute instance to dynamically adapt monitoring rules ... include a sensitivity of information detected in the data ... Information may be deemed sensitive based on ... a source of the information [data sensitivity characteristic associated with the data stored at the identified location]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Radhakrishnan and Collier for the same reasons as disclosed above.
As claim 17, Radhakrishnan in view of Collier teaches claim 11.
Radhakrishnan also teaches further comprising program instructions directing the computing apparatus to: generate multiple additional decoy files; ([Radhakrishnan, para. 0073] “Step 615 includes converting the plurality of features to ... generate decoy files [multiple additional decoy files]”; [para. 0065] “the Decoy file creation/updating manager module will be responsible for creation [generating] ... the decoy files [multiple decoy files] periodically [additional decoy files]”)
place the additional decoy files in a same location as the decoy file; ([Radhakrishnan, para. 0046] “the decoy files [the additional decoy files] are given names and deployed in [placed in] ... each folder [same location as the decoy file]”)
monitor the additional decoy files to detect changes to any of the additional decoy files; and ([Radhakrishnan, para. 0076] “The method also includes runtime suspicious behavior monitoring for identifying ransomware attack”; [para. 0061] “a suspected Ransomware infection [monitoring the additional decoy files] by the changes of content, rename or deletion [changes] of decoy files [to any of the additional decoy files]”; [para. 0062] “a monitoring system ... to detect [monitoring] ... file operations on decoy files deployed in the trap layer [the additional decoy files]”)
in response to detecting a change to any of additional decoy files, initiating a ransomware mitigation process. ([Radhakrishnan, para. 0061] “Whenever there is a suspected Ransomware infection identified by the changes of content, rename or deletion of decoy files by processes, [in response to detecting a change to any of the additional decoy files] the notifications and alarms are triggered ... Simultaneously the backup manager initiates the fresh backups of benign files and also do complete freezing of previous versions of backups by declining the access privileges [initiating a ransomware mitigation process]”)
Radhakrishnan does not clearly teach monitor the additional files at the variable rate to detect changes to any of the additional files.
However, Collier teaches monitor the additional files at the variable rate ([Collier, para. 0138] “A file integrity monitor may be tasked with monitoring data ... frequency of monitoring ... select a suitable level of monitoring .... monitoring may be dynamically adjusted according to changes in the compute context over time ... monitoring rules ... to facilitate monitoring”; [para. 0153] “as new files are created, even in unmonitored directories, the data integrity monitor may establish/adapt a rule to determine if the content of the newly created file should be monitored [monitor the additional files] and update the monitoring rules 1204 accordingly [at the variable rate]”) to detect changes to any of the additional files. ([Para. 0138] “monitoring data in a computing environment to track changes to this data and evaluate file interactions for risks of malicious or otherwise harmful activity”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Radhakrishnan and Collier for the same reasons as disclosed above.
As per claim 18, Radhakrishnan in view of Collier teaches claim 11.
Radhakrishnan also teaches wherein the program instructions directing the computing apparatus to generate the decoy file comprises instructions to: generate the decoy file based on changes made to an existing file ([Radhakrishnan, para. 0065] “The Decoy file creation/updating manager module will be responsible for creation ... the decoy files ... triggered by changes in user files and folders”) since a most-recent snapshot taken of the existing file. ([Para. 0068] “trigger initiator to trigger backups ... to update backup files [snapshot taken of the existing file]”; [para. 0069] “When the file system update [since a most-recent snapshot taken of the existing file] the decoy file creation ... triggers [generating the decoy file]”)
As per claim 19, Radhakrishnan in view of Collier teaches claim 17.
Radhakrishnan also teaches further comprising program instructions directing the computing apparatus to: capture the changes made to one or more files ([Radhakrishnan, para. 0075] “Whenever there is a change in the file ... the decoy file will be updated to deceive the malicious process”) in a subsequent snapshot of the one or more files; and ([para. 0068] “trigger initiator to trigger backups and periodic updater to update backup files periodically [a subsequent snapshot of the existing file at the next period in time]”; [para. 0069] “When the file system update [since a subsequent update] the decoy file ... updating manager triggers ... by giving the updated files as input [capturing the changes made in a subsequent snapshot of the existing file]”)
refresh the decoy file based on subsequent changes made to the one or more files since the subsequent snapshot. ([Radhakrishnan, para. 0069] “When the file system update [since a subsequent update] the decoy file ... updating manager triggers ... by giving the updated files as input”; [para. 0075] “Whenever there is a change in the file [based on subsequent changes made to the existing file since the subsequent screenshot] ... the decoy file will be updated [refreshing the decoy file]”)
As per claim 20, Radhakrishnan in view of Collier teaches claim 11.
Radhakrishnan also teaches further comprising program instructions directing the computing apparatus to: identify a ransomware attack vector; and ([Radhakrishnan, para. 0081] “the monitoring results in detection of malicious process, [identifying a ransomware attack vector])
foreclose the ransomware attack vector as an entry point to access to the file system. ([Radhakrishnan, para. 0081] “a malicious process P1 is invoked, [a ransomware attack vector] then ... the monitoring process detects suspicious activity ... the monitoring results in detection of malicious process, [identifying a ransomware attack vector] then malicious Process P1 ... terminated” [foreclosing the ransomware attack vector]; [para. 0082] “Upon termination ... the system declines access to backup privileges [foreclosing as an entry point] thereby protecting the file system [foreclosing access the file system] from further infection of the ransomware”)
Claims 2, 13 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Radhakrishnan in view of Collier as applied to claims 1 and 11 above, and further in view of McGrew et al. (US Pub. 2024/0333765) (hereinafter “McGrew”)
As per claim 2, Radhakrishnan in view of Collier teaches claim 1.
Radhakrishnan also teaches wherein the generating the decoy file comprises: extracting one or more characteristics for the one or more files; and ([Radhakrishnan, para. 0072] “Step 610 includes extracting a plurality of features [one or more characteristics] from most recently used user files in a folder [for the one or more files] by the deep learning engine”)
receiving the decoy file from the GAI. ([Radhakrishnan, para. 0044] “the deep learning models [GAI] are used to ... generate the decoy files”; [para. 0046] “The decoy files are given names and deployed [receiving the decoy file from the GAI]”)
Radhakrishnan in view of Collier does not clearly teach generating a prompt indicative of the one or more characteristics of the one or more files and tasking a generative artificial intelligence (GAI) to receive the prompt and create the decoy file based on the one or more characteristics.
However, McGrew teaches generating a prompt indicative of the one or more characteristics of the one or more files and tasking a generative artificial intelligence (GAI) to receive the prompt and create the decoy file based on the one or more characteristics. ([McGrew, para. 0108] “GPT-3 prompts can be tailored [generating a prompt] to match the behavior of potential adversaries by incorporating keywords [indicative of the one or more characteristics] related to their previous actions ... These keywords include ... the names of files they accessed [the one or more files] ... A system [tasking a GAI as the prompt is a GPT-3 prompt] can be created to customize these prompts [to receive the prompt] using specific keywords, [based on the one or more characteristics] which facilitates the creation of ... fabricated files [create the decoy system]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Radhakrishnan in view of Collier with the teachings of McGrew to include generating a prompt indicative of the one or more characteristics of the one or more files and tasking a generative artificial intelligence (GAI) to receive the prompt and create the decoy file based on the one or more characteristics. One of ordinary skill in the art would have been motivated to make this modification because generating prompts allow fabricated documents to be meticulously crafted and providing the benefit of allowing the decoy files to be strategically designed to entice and engage potential adversaries. (McGrew, para. 0042)
As per claim 13, Radhakrishnan in view of Collier teaches claim 11.
Radhakrishnan also teaches extract one or more characteristics for the one or more files; and ([Radhakrishnan, para. 0072] “Step 610 includes extracting a plurality of features [one or more characteristics] from most recently used user files in a folder [for the one or more files] by the deep learning engine”)
receive the decoy file from the GAI. ([Radhakrishnan, para. 0044] “the deep learning models [GAI] are used to ... generate the decoy files”; [para. 0046] “The decoy files are given names and deployed [receiving the decoy file from the GAI]”)
Radhakrishnan in view of Collier does not clearly teach generate a prompt indicative of the one or more characteristics of the one or more files and tasking a generative artificial intelligence (GAI) to receive the prompt and create the decoy file based on the one or more characteristics.
However, McGrew teaches generate a prompt indicative of the one or more characteristics of the one or more files and tasking a generative artificial intelligence (GAI) to receive the prompt and create the decoy file based on the one or more characteristics. ([McGrew, para. 0108] “GPT-3 prompts can be tailored [generating a prompt] to match the behavior of potential adversaries by incorporating keywords [indicative of the one or more characteristics] related to their previous actions ... These keywords include ... the names of files they accessed [the one or more files] ... A system [tasking a GAI as the prompt is a GPT-3 prompt] can be created to customize these prompts [to receive the prompt] using specific keywords, [based on the one or more characteristics] which facilitates the creation of ... fabricated files [create the decoy system]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Radhakrishnan, Collier and McGrew for the same reasons as disclosed above.
As claim 15, Radhakrishnan in view of Collier and further in view of McGrew teaches claim 13.
Radhakrishnan also teaches wherein the characteristic of the file system comprises one of an identity of a most-recently-used folder or a folder corresponding to a list of most recently used files. ([Radhakrishnan, para. 0072] “Step 610 includes extracting a plurality of features [the one or more characteristics of the file system comprises] from most recently used user files in a folder [making the following “of a most-recently-used folder”] ... file names [identity of a most-recently-used-folder] ... date of modification [identity of a folder corresponding to a list of most recently used files]”)
Claims 5 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Radhakrishnan in view of Collier as applied to claims 1 and 11 above, and further in view of Guri et al. (US Pub. 2019/0332766) (hereinafter “Guri”)
As claim 5, Radhakrishnan in view of Collier teaches claim 1.
Radhakrishnan does not clearly teach refreshing the decoy file to preserve a position of the decoy file in a list of most-recently-used files.
However, Guri teaches refreshing the decoy file to preserve a position of the decoy file in a list of most-recently-used files. ([Guri, para. 0047] “a file list [list] may be returned to the process that includes each of the files included therein ... The file list may be sortable by ... the modification date [a list of most-recently-used files”; [para. 0053] “decoy documents manager 202 may determine that the first file ... when directory 210 is sorted chronologically by ... modification date, is “Jan. 29, 2014.” To ensure that decoy file(s) 216 appear before this file, decoy documents manager 202 may designate the ... modification date of decoy file(s) 216 to have a ... modification date before this date [refreshing the decoy file] ... Decoy documents manager 202 may create decoy file(s) 216 that reside ... at the beginning ... of the file list [in a list of most-recently-used-files] to ensure that decoy file(s) 216 are accessed [preserve a position of the decoy file]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Radhakrishnan in view of Collier with the teachings of Guri to include generate a prompt indicative of the one or more characteristics of the one or more files and tasking a generative artificial intelligence (GAI) to receive the prompt and create the decoy file based on the one or more characteristics. One of ordinary skill in the art would have been motivated to make this modification because by having the malicious process intentionally target the decoy file(s) first, the risk of having important user files compromised before detection of the malware process is greatly reduced (Guri, para. 0038)
As claim 16, Radhakrishnan in view of Collier teaches claim 11.
Radhakrishnan does not clearly teach further comprising program instructions directing the computing apparatus to refresh the decoy file to preserve a position of the decoy file in a list of most-recently-used files.
However, Guri teaches further comprising program instructions directing the computing apparatus to refresh the decoy file to preserve a position of the decoy file in a list of most-recently-used files. ([Guri, para. 0047] “a file list [list] may be returned to the process that includes each of the files included therein ... The file list may be sortable by ... the modification date [a list of most-recently-used files”; [para. 0053] “decoy documents manager 202 may determine that the first file ... when directory 210 is sorted chronologically by ... modification date, is “Jan. 29, 2014.” To ensure that decoy file(s) 216 appear before this file, decoy documents manager 202 may designate the ... modification date of decoy file(s) 216 to have a ... modification date before this date [refreshing the decoy file] ... Decoy documents manager 202 may create decoy file(s) 216 that reside ... at the beginning ... of the file list [in a list of most-recently-used-files] to ensure that decoy file(s) 216 are accessed [preserve a position of the decoy file]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Radhakrishnan and Collier and Guri for the same reasons as disclosed above.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Lounsberry et al. (US Pub. 2022/0261487) discloses including secrets risk metadata which includes exposure metadata that indicates whether a secret resides in a honeypot where the honeypot asset is more heavily monitored than all other access activities.
Chen Kaidi (US Pub. 2021/0360028) discloses protecting directory enumeration using honeypot pages within a network directory where scaling deployment of honeypot pages is based on scan frequency.
Rivera et al. (US Patent No. 9,418,222) discloses that a decoy resource may be monitored at a high frequency in accordance with an updated monitoring policy depending on an associated suspicious reputation.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634. The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/ZHE LIU/Examiner, Art Unit 2493