Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
2. This action is in response to the Amendment filed March 25, 2026.
3. Claims 1-2 and 4-20 have been amended and new claim 21 has been added.
4. Claims 1-2 and 4-21 have been examined are pending with this action.
Response to Arguments
5. Applicant's arguments filed March 19, 2026 with respect to the rejection of claims 1, 5-13, and 15-20, previously rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Chen et al. (US 11,120,131 B2) and the rejection of claims under 35 U.S.C. 103, have been fully considered but are moot because the arguments do not apply to any of the references being used in the current rejection. After further searching and consideration, Vasseur et al. (US 2017/0279836 A1) has been cited to teach the gist of the inventive concept and Namjoshi et al. (US 2013/0275943 A1) has been cited to teach the missing limitation of part of step (B) in independent claim 1. Please see rejections set forth below. For theses reasons and the rejections set forth below, claims 1-2 and 4-21 remain rejected and pending.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
6. Claims 1-2 and 4-21 are rejected under 35 U.S.C. 103 as being unpatentable over Vasseur et al. (US 2017/0279836 A1) in view of Namjoshi et al. (US 2013/0275943 A1).
INDEPENDENT:
As per claim 1, Vasseur teaches a computer-implemented method for detecting an anomalous attribute for a plurality of resources transmitted to a data backup system, the computer-implemented method comprising:
(A) generating, by a ransomware detection system, a first machine learning model associated with a first type of resource associated with the plurality of resources transmitted to the data backup system (see Vasseur, [0049]: “For purposes of anomaly detection in a network, a learning machine may construct a model of normal network behavior, to detect data points that deviate from this model… Example machine learning techniques that may be used to construct and analyze such a model may include, but are not limited to, nearest neighbor (NN) techniques (e.g., k-NN models, replicator NN models, etc.), statistical techniques (e.g., Bayesian networks, etc.), clustering techniques (e.g., k-means, etc.), neural networks (e.g., reservoir networks, artificial neural networks, etc.), support vector machines (SVMs), or the like”; [0067]: “TIP 404 may also generate or otherwise leverage a machine learning-based model that computes a relevance index. Such a model may be used across the network to select/prioritize anomalies according to the relevancies.”; [0078]: “Notably, the anomaly detection engine (e.g., DLC 408) may use a set of machine learning models, to detect anomalies at the edge of a local network. For example, DLC 408 may employ an unsupervised machine learning-based anomaly detector that identifies statistical deviations in the characteristics of the network traffic.”; and [0084]: “TIB 506 may further include one or more storage management processes 620 configured to store any of the received data in persistent storage 622 (e.g., a persistent memory of SCA 502).”), wherein the generating comprises:
configuring, by the ransomware detection system, the first machine learning model to be trained on a prior observation of the first machine learning model towards the first type of resource, wherein the prior observation scopes the first machine learning model to identify the anomalous attribute for the first type of resource (see Vasseur, [0057]: “The techniques herein not only leverage threat intelligence feeds to garner context for detected anomalies, but also introduce a feedback mechanism to trigger specific actions on learning agents (e.g., DLAs), effectively interconnecting both platforms. Said differently, the techniques herein provide for the joining of machine learning-based anomaly detection mechanisms trained at the network edge with threat intelligence feed data collected centrally (e.g., at an SCA or other supervisory device). A centralized agent aggregates several sources of threat intelligence feeds and selectively sends downstream signals to the DLAs. In turn, the receiving DLA(s) may use these signals to adjust their behaviors (e.g., to favor anomalies that match characteristics/patterns reported by threat intelligence services).”; [0061]: “In various embodiments, the anomaly detection mechanisms in network 100 may use Internet Behavioral Analytics (IBA). In general, IBA refers to the use of advanced analytics coupled with networking technologies, to detect anomalies in the network… Observing behavioral changes (e.g., a deviation from modeled behavior) thanks to aggregated flows records, deep packet inspection, etc., may allow detection of an anomaly such as an horizontal movement (e.g. propagation of a malware, etc.), or an attempt to perform information exfiltration.”; and [0102]: “The impact of a particular threat intelligence feed/source can be dynamically increased based on the historical contribution to the modification of the machine learning processes.”);
(C) analyzing, by the ransomware detection system and using the first machine learning model, the first resource to determine whether the first resource includes the anomalous attribute based on the prior observation, the analyzing occurring prior to the transmission of the second resource to the data backup system (see Vasseur, [0057]: “For example, some machine learning approaches may analyze changes in the overall statistical behavior of the network traffic (e.g., the traffic distribution among flow flattens when a DDoS attack based on a number of microflows happens). Other approaches may attempt to statistically characterizing the normal behaviors of network flows or TCP connections, in order to detect significant deviations. Classification approaches try to extract features of network flows and traffic that are characteristic of normal traffic or malicious traffic, constructing from these features a classifier that is able to differentiate between the two classes (normal and malicious).”; [0059]: “Anomalous traffic flows may be incoming, outgoing, or internal to a local network serviced by a DLA, in various cases.”; and [0064]: “NSC 416 may be configured to perform data analysis and data enhancement (e.g., the addition of valuable information to the raw data through correlation of different information sources). Moreover, NSC 416 may compute various networking based metrics relevant for the Distributed Learning Component (DLC) 408, such as a large number of statistics”);
(D) based on the analyzing, determining, by the ransomware detection system and prior to the transmission of the second resource that the first resource includes the anomalous attribute (see Vasseur, [0003]: “In general, anomaly detection techniques seek to identify network behaviors that deviate from the pattern of normal network behavior… an anomaly detection mechanism in the network may flag this condition as anomalous”; [0043]: “SLN process 248 may detect malware based on the corresponding impact on traffic, host models, graph-based analysis, etc., when the malware attempts to connect to a C2 channel, attempts to move laterally, or exfiltrate information using various techniques.”; [0071]: “As noted above, a DLA may leverage unsupervised machine learning, to detect anomalous network behavior. This is in contrast to other techniques, such as signature-based approaches, that instead attempt to match an observed network behavior to a known pattern of interest (e.g., a known attack pattern, etc.). While machine learning-based anomaly detectors are quite capable of identifying anomalous network behavior, the relevancy of a given anomaly may differ significantly.”; and [0078]: “Notably, the anomaly detection engine (e.g., DLC 408) may use a set of machine learning models, to detect anomalies at the edge of a local network. For example, DLC 408 may employ an unsupervised machine learning-based anomaly detector that identifies statistical deviations in the characteristics of the network traffic.”); and
(E) transmitting, by the ransomware detection system, an alert of the determination that the first resource includes the anomalous attribute (see Vasseur, [0016]: “The node reports the detected network anomaly to a supervisory device.”; [0053]: “provide information regarding a detected anomaly to a user interface (e.g., by providing a webpage to a display, etc.), and/or analyze data regarding a detected anomaly using more CPU intensive machine learning processes.”; [0079]: “architecture 500 may also include an SCA 502 that provides supervisory control over DLA 400 and receives notifications of any anomalies detected by DLA 400”; and [0093]: “If the assessed traffic is statistically anomalous, DLA 400a may flag the anomalous condition and report the anomaly to SCA 502 via an AnomalyNotification( ) message 702.”).
Although Vasseur teaches (B) determining, by the ransomware detection system, that a first resource in the plurality of resources is associated with the first type of resource by comparing, the determining occurring prior to a transmission of a second resource in the plurality of resources to the data backup system (see Vasseur, [0059]: “Anomalous traffic flows may be incoming, outgoing, or internal to a local network serviced by a DLA, in various cases.”; [0093]: “As noted above, message 702 may include any or all information regarding the analyzed features that gave rise to the detected anomaly.”; [0096]: “where resource_type is the type of resource concerned by the signal (e.g., an autonomous system, an IP address, a URL), resource_uid is the unique identifier of this resource (whose format depends on resource)”; [0104]: “In various embodiments, the threat intelligence feed data may indicate one or more of: a resource type, a unique resource identifier, a threat type, or a threat level, based on the match.”; and [0106]: “For example, the feedback may indicate a resource type, a unique resource identifier, a threat type, or a threat level, based on the anomaly data. In various embodiments, the feedback may be configured to cause the receiving node(s) to adjust their anomaly detection mechanisms (e.g., by bypassing a reporting filter, adjusting an anomaly or relevancy score, adjusting the anomaly detector itself, etc.).”), Vasseur does not explicitly teach comparing internal metrics associated with the first type of resource with internal metrics of the first resource, wherein the internal metrics comprise one or more of byte distribution data, compression data, encryption statistics, file churn metadata, modification time metadata, or extension metadata.
Namjoshi teaches comparing internal metrics associated with the first type of resource with internal metrics of the first resource, wherein the internal metrics comprise one or more of byte distribution data, compression data, encryption statistics, file churn metadata, modification time metadata, or extension metadata (see Namjoshi, [0048]: “The differences may be identified by difference tool 150 based on comparing the respective images of the older and newer versions. For example, the changed file type resources may be identified by comparing the files/directories in the images. The changed symbolic type resources may be identified by searching for link files (having ".lnk" extension) and then comparing the properties (e.g., the target property indicating the file to which the link points to) of the link files. The changed function type resources may be identified by searching for library files (having ".lib" extensions), inspecting the library files to determine the publicly accessible symbols/functions specified in the library files, and then comparing the determined symbols/functions. Each of the Figures is described in detail below.”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Vasseur in view of Namjoshi by implementing comparing internal metrics associated with the first type of resource with internal metrics of the first resource, wherein the internal metrics comprise one or more of byte distribution data, compression data, encryption statistics, file churn metadata, modification time metadata, or extension metadata. One would be motivated to do so because such an implementation enables determining the type of resource and Vasseur further teaches in paragraphs [0087], “It should be noted that these rules do not need explicit endpoints specified but instead may be based on metadata that capture characteristics of the threat against which modifications need to be done in the machine learning mechanisms.” and [0104], “In various embodiments, the threat intelligence feed data may indicate one or more of: a resource type, a unique resource identifier, a threat type, or a threat level, based on the match.”, emphasis added.
As per claim 13, Vasseur and Namjoshi teach a non-transitory computer-readable medium having computer program instructions that, when executed by at least one computer processor, cause the at least one computer processor to execute operations for detecting an anomalous attribute for a plurality of resources transmitted to a data backup system (see Vasseur, [0114]: “For instance, it is expressly contemplated that the components and/or elements described herein can be implemented as software being stored on a tangible (non-transitory) computer-readable medium (e.g., disks/CDs/RAM/EEPROM/etc.) having program instructions executing on a computer, hardware, firmware, or a combination thereof.”) the operations comprising:
(A) generating a first machine learning model associated with a first type of resource associated with the plurality of resources transmitted to the data backup system (see Claim 1 rejection above), wherein the generating comprises:
configuring the first machine learning model to be trained on a prior observation of the first machine learning model towards the first type of resource, wherein the prior observation scopes the first machine learning model to identify the anomalous attribute for the first type of resource (see Claim 1 rejection above);
(B) determining that a first resource in the plurality of resources is associated with the first type of resource by comparing internal metrics associated with the first type of resource with internal metrics of the first resource, wherein the internal metrics comprise one or more of byte distribution data, compression data, encryption statistics, file churn metadata, modification time metadata, or extension metadata, the determining occurring prior to a transmission of a second resource in the plurality of resources to the data backup system (see Claim 1 rejection above);
(C) analyzing using the first machine learning model, the first resource to determine whether the first resource includes the anomalous attribute based on the prior observation, the analyzing occurring prior to the transmission of the second resource to the data backup system (see Claim 1 rejection above);
(D) based on the analyzing, determining prior to the transmission of the second resource that the first resource includes the anomalous attribute (see Claim 1 rejection above); and
(E) transmitting an alert of the determination that the first resource includes the anomalous attribute (see Claim 1 rejection above).
As per claim 21, Vasseur and Namjoshi teach a system for detecting an anomalous attribute for a plurality of resources transmitted to a data backup system, the system comprising:
one or more memories (see Vasseur, [0114]: “For instance, it is expressly contemplated that the components and/or elements described herein can be implemented as software being stored on a tangible (non-transitory) computer-readable medium (e.g., disks/CDs/RAM/EEPROM/etc.) having program instructions executing on a computer, hardware, firmware, or a combination thereof.”); and
at least one processor each coupled to at least one of the memories and configured to perform operations (see Vasseur, [0114]) comprising:
(A) generating a first machine learning model associated with a first type of resource associated the plurality of resources transmitted to the data backup system (see Claim 1 rejection above), wherein the generating comprises:
configuring the first machine learning model to be trained on a prior observation of the first machine learning model towards the first type of resource, wherein the prior observation scopes the first machine learning model to identify the anomalous attribute for the first type of resource (see Claim 1 rejection above);
(B) determining that a first resource in the plurality of resources is associated with the first type of resource by comparing internal metrics associated with the first type of resource with internal metrics of the first resource, wherein the internal metrics comprise one or more of byte distribution data, compression data, encryption statistics, file churn metadata, modification time metadata, or extension metadata, the determining occurring prior to a transmission of a second resource in the plurality of resources to the data backup system (see Claim 1 rejection above);
(C) analyzing, using the first machine learning model, the first resource to determine whether the first resource includes the anomalous attribute based on the prior observation, the analysis occurring prior to the transmission of the second resource to the data backup system (see Claim 1 rejection above);
(D) based on the analyzing, determining, prior to the transmission of the second resource, that the first resource includes the anomalous attribute (see Claim 1 rejection above); and
(E) transmitting an alert of the determination that the first resource includes the anomalous attribute (see Claim 1 rejection above).
DEPENDENT:
As per claim 2, which depends on claim 1, Vasseur further teaches wherein the generating the first machine learning model associated with the first type of resource is based on a type of user associated with the plurality of resources (see Vasseur, [0052]: “Generally speaking, a graph-based model attempts to represent the relationships between different entities as a graph of nodes interconnected by edges. For example, ego-centric graphs have been used to represent the relationship between a particular social networking profile and the other profiles connected to it (e.g., the connected “friends” of a user, etc.). The patterns of these connections can then be analyzed for purposes of anomaly detection.”; and [0066]: “When present, RL engine 412 may enable a feedback loop between the system and the end user, to automatically adapt the system decisions to the expectations of the user and raise anomalies that are of interest to the user (e.g., as received via a user interface of the SCA).”).
As per claims 4 and 14, which respectively depend on claims 1 and 13, Vasseur further teaches wherein the generating the first machine learning model associated with the first type of resource is based on an attribute of a computing device transmitting the plurality of resources to the data backup system (see Vasseur, Abstract: “In one embodiment, a device in a network receives anomaly data regarding an anomaly detected by a machine learning-based anomaly detection mechanism of a first node in the network.”; [0059]: “For example, assume that device/node 10 sends a particular traffic flow 302 to server 154 (e.g., an application server, etc.). In such a case, router CE-2 may monitor the packets of traffic flow 302 and, based on its local anomaly detection mechanism, determine that traffic flow 302 is anomalous. Anomalous traffic flows may be incoming, outgoing, or internal to a local network serviced by a DLA, in various cases”; and [0098]: “For example, TIP 404 may use the received feedback to adjust the relevance score for any anomalies that involve the identified devices, networks, etc”).
As per claims 5 and 15, which respectively depend on claims 1 and 13, Vasseur further teaches wherein (A) further comprises generating, by the ransomware detection system, a second machine learning model associated with a second type of resource associated with the plurality of resources (see Vasseur, [0053]: “A DLA may be operable to monitor network conditions (e.g., router states, traffic flows, etc.), perform anomaly detection on the monitored data using one or more machine learning models, report detected anomalies to the SCA, and/or perform local mitigation actions.”).
As per claims 6 and 16, which respectively depend on claims 1 and 15, Vasseur and Namjoshi further teach wherein (B) further comprises determining, by the ransomware detection system, that the first resource is associated with the second type (see Claim 1 rejection above).
As per claims 7 and 17, which respectively depend on claims 6 and 16, further teaches wherein (C) further comprises analyzing, by the ransomware detection system and using the second generated machine learning model, the first resource (see Claim 1 and Claim 5 rejections above).
As per claim 8, which depends on claim 1, Vasseur further teaches wherein D) further comprises determining, by the ransomware detection system, that the anomalous attribute of the first resource includes ransomware (see Vasseur, [0096]: “threat_type is the type of threats (e.g., a specific malware, attack or threat)”).
As per claim 9, which depends on claim 1, Vasseur and Namjoshi further teach wherein (B) further comprises determining, by the ransomware detection system, that the second resource in the plurality of resources is associated with the first type, the determining occurring prior to a transmission of a third resource in the plurality of resources to the data backup system (see Claim 1 rejection above).
As per claim 10, which depends on claim 9, Vasseur further teaches wherein (C) further comprises analyzing, by the ransomware detection system, prior to the transmission of the third resource in the plurality of resources and using the first machine learning model, the second resource (see Claim 1 rejection above).
As per claims 11 and 19, which respectively depend on claims 10 and 18, Vasseur further teaches wherein (C) further comprises determining, by the ransomware detection system and prior to the transmission of the third resource in the plurality of resources to the data backup system, that the first resource and the second resource are associated with a type of anomalous behavior (see Claim 1 and Claim 8 rejections above).
As per claims 12 and 20, which respectively depend on claims 1 and 13, Vasseur further teaches wherein (D) further comprises:
generating, by the ransomware detection system, an entropy score associated with the first resource (see Vasseur, [0067]: “In some cases, DLA 400 may include a threat intelligence processor (TIP) 404 that processes anomaly characteristics so as to further assess the relevancy of the anomaly (e.g. the applications involved in the anomaly, location, scores / degree of anomaly for a given model, nature of the flows, or the like).”; and [0098]: “For example, TIP 404 may use the received feedback to adjust the relevance score for any anomalies that involve the identified devices, networks, etc. in the feedback.”); and
determining, by the ransomware detection system, that the entropy score associated with the first resource exceeds a threshold level of entropy scores (see Vasseur, [0090]: “In one embodiment, TIB 506 may use one or more time series related to a variable such as a URL reputation scores received by TIB 506 and, if such a score crosses a predefined threshold for a defined rule, send a downstream signal to the DLA(s).”; and [0095]: “For example, if the threat score(s) in the corresponding threat intelligence feed data are below a threshold, SCA 502 may determine that feedback is not needed.”).
As per claim 18, which depends on claim 13, Vasseur further teaches wherein (B) further comprises determining that the second resource in the plurality of resources is associated with the first type, the determining occurring prior to a transmission of a third resource in the plurality of resources to the data backup system and wherein (C) further comprises analyzing, prior to the transmission of the third resource in the plurality of resources to the data backup system and using the first machine learning model, the second resource (see Claims 9 and 10 rejections above).
Conclusion
7. For the reasons above, claims 1-3 and 4-21 have been rejected and remain pending.
8. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
9. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL Y WON whose telephone number is (571)272-3993. The examiner can normally be reached on Wk.1: M-F: 8-5 PST & Wk.2: M-Th: 8-7 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R Taylor can be reached on 571-272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Michael Won/Primary Examiner, Art Unit 2443
Prosecution Insights