DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
The IDS filed 10/24/2024, the IDS filed 6/2/2025, and the IDS filed 10/23/2025 have been considered.
The preliminary amendment filed 12/31/2024 has been placed of record in the file.
Claims 1-19 are presented for examination.
Specification
Applicant is reminded of the proper content of an abstract of the disclosure.
A patent abstract is a concise statement of the technical disclosure of the patent and should include that which is new in the art to which the invention pertains. The abstract should not refer to purported merits or speculative applications of the invention and should not compare the invention with the prior art.
If the patent is of a basic nature, the entire technical disclosure may be new in the art, and the abstract should be directed to the entire disclosure. If the patent is in the nature of an improvement in an old apparatus, process, product, or composition, the abstract should include the technical disclosure of the improvement. The abstract should also mention by way of example any preferred modifications or alternatives.
Where applicable, the abstract should include the following: (1) if a machine or apparatus, its organization and operation; (2) if an article, its method of making; (3) if a chemical compound, its identity and use; (4) if a mixture, its ingredients; (5) if a process, the steps.
Extensive mechanical and design details of an apparatus should not be included in the abstract. The abstract should be in narrative form and generally limited to a single paragraph within the range of 50 to 150 words in length.
See MPEP § 608.01(b) for guidelines for the preparation of patent abstracts.
The abstract of the disclosure is objected to because, as currently written, it refers to purported merits or speculative applications of the invention. Correction is required. See MPEP § 608.01(b).
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1, 3, 6-8, 10, 13-16, and 18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Chen et al. (U.S. Patent Application Publication Number 2020/0034537), hereinafter referred to as Chen.
Regarding claim 1, Chen discloses a method for detecting ransomware, the method comprising: obtaining a partial feature of a target file based on preset data in the target file, wherein the partial feature comprises a partial incremental entropy and/or partial histogram statistical data (paragraph 19, determines entropy features); determining, based on the partial feature of the target file, whether the target file is an encrypted file (paragraph 19, analyzes content to determine whether file is encrypted); and determining, based on the determination that the target file is the encrypted file, that the target file is attacked by the ransomware (paragraph 29, determines whether file is infected with ransomware).
Regarding claim 3, Chen discloses obtaining a plurality of operation records of a plurality of operated files, wherein the plurality of operation records correspond to the plurality of operated files, and each of the plurality of operation records is for recording an operation on an operated file corresponding to the operation record; generating a plurality of operation mode sequences within a preset duration based on the plurality of operation records, wherein the plurality of operation mode sequences correspond to the plurality of operation records; obtaining, one by one from the plurality of operation mode sequences, an operation mode sequence that matches a preset operation mode sequence; and determining, when a quantity of operation mode sequences that match the preset operation mode sequence is greater than a preset quantity, an operated file corresponding to the operation mode sequence that matches the preset operation mode sequence as the target file (paragraph 16, examines pattern of file operations within time interval to determine whether behavior is normal or abnormal).
Regarding claim 6, Chen discloses obtaining a plurality of operation records of a plurality of operated files, and obtaining an operated file corresponding to a second operation and a third operation based on the plurality of operation records, wherein the plurality of operation records correspond to the plurality of operated files, each of the plurality of operation records is for recording an operation on an operated file corresponding to the operation record, and the second operation and the third operation are operations corresponding to a same operated file; and determining, when a quantity of types of name extensions of operated files corresponding to the second operation is not less than a preset quantity, a quantity of types of name extensions of operated files corresponding to the third operation is not less than another preset quantity, and the quantity of types of the name extensions of the operated files corresponding to the second operation is greater than the quantity of types of the name extensions of the operated files corresponding to the third operation, the operated file corresponding to the second operation and the third operation as the target file (paragraph 17, examines ratios of particular operations across selected file types to determine whether behavior is normal or abnormal).
Regarding claim 7, Chen discloses sending the target file to a user to determine whether the target file undergoes an encryption operation performed by the user; and sending an alarm prompt based on the determination that the user does not perform the encryption operation on the target file (paragraph 42, user runs analysis and reviews results).
Regarding claim 8, Chen discloses an apparatus for detecting ransomware, the apparatus comprising: at least one processor; and a computer-readable storage medium coupled to the at least one processor and storing programming instructions, the programming instructions, when executed by the at least one processor, instruct the at least one processor to perform operations such that the processor is at least configured to: obtain a partial feature of a target file based on preset data in the target file, wherein the partial feature comprises a partial incremental entropy and/or partial histogram statistical data (paragraph 19, determines entropy features); determine, based on the partial feature of the target file, whether the target file is an encrypted file (paragraph 19, analyzes content to determine whether file is encrypted); and determine, if the target file is the encrypted file, that the target file is attacked by the ransomware (paragraph 29, determines whether file is infected with ransomware).
Regarding claim 10, Chen discloses wherein the at least one processor is further configured to: obtain a plurality of operation records of a plurality of operated files, wherein the plurality of operation records correspond to the plurality of operated files, and each of the plurality of operation records is for recording an operation on an operated file corresponding to the operation record; generate a plurality of operation mode sequences within a preset duration based on the plurality of operation records, wherein the plurality of operation mode sequences correspond to the plurality of operation records; obtain, one by one from the plurality of operation mode sequences, an operation mode sequence that matches a preset operation mode sequence; and determine, when a quantity of operation mode sequences that match the preset operation mode sequence is greater than a preset quantity, an operated file corresponding to the operation mode sequence that matches the preset operation mode sequence as the target file (paragraph 16, examines pattern of file operations within time interval to determine whether behavior is normal or abnormal).
Regarding claim 13, Chen discloses wherein the at least one processor is further configured to: obtain a plurality of operation records of a plurality of operated files, and obtain an operated file corresponding to a second operation and a third operation based on the plurality of operation records, wherein the plurality of operation records correspond to the plurality of operated files, each of the plurality of operation records is for recording an operation on an operated file corresponding to the operation record, and the second operation and the third operation are operations corresponding to a same operated file; and determine, if a quantity of types of name extensions of operated files corresponding to the second operation is not less than a preset quantity, a quantity of types of name extensions of operated files corresponding to the third operation is not less than another preset quantity, and the quantity of types of the name extensions of the operated files corresponding to the second operation is greater than the quantity of types of the name extensions of the operated files corresponding to the third operation, the operated file corresponding to the second operation and the third operation as the target file (paragraph 17, examines ratios of particular operations across selected file types to determine whether behavior is normal or abnormal).
Regarding claim 14, Chen discloses wherein the at least one processor is further configured to: send the target file to a user to determine whether the target file undergoes an encryption operation performed by the user; and send an alarm prompt if the user does not perform the encryption operation on the target file (paragraph 42, user runs analysis and reviews results).
Regarding claim 15, Chen discloses a chip system, wherein the chip system is applied to an electronic device, the chip system comprises one or more interface circuits and one or more processors, the interface circuit and the processor are interconnected by a line; the interface circuit is configured to receive a signal from a memory of the electronic device and send the signal to the processor, wherein the signal comprises computer instructions stored in the memory; and when the processor executes the computer instructions, the electronic device is configured to: obtain a partial feature of a target file based on preset data in the target file, wherein the partial feature comprises a partial incremental entropy and/or partial histogram statistical data (paragraph 19, determines entropy features); determine, based on the partial feature of the target file, whether the target file is an encrypted file (paragraph 19, analyzes content to determine whether file is encrypted); and determine, if the target file is the encrypted file, that the target file is attacked by the ransomware (paragraph 29, determines whether file is infected with ransomware).
Regarding claim 16, Chen discloses wherein the at least one processor is further configured to: obtain a plurality of operation records of a plurality of operated files; perform a screening for abnormal operation behaviors based on the plurality of operation records of the plurality of operated files; and determine an operated file corresponding to the abnormal operation behaviors as the target file (paragraph 16, examines pattern of file operations within time interval to determine whether behavior is normal or abnormal).
Regarding claim 18, Chen discloses obtaining a plurality of operation records of a plurality of operated files; performing a screening for abnormal operation behaviors based on the plurality of operation records of the plurality of operated files; and determining an operated file corresponding to the abnormal operation behaviors as the target file (paragraph 16, examines pattern of file operations within time interval to determine whether behavior is normal or abnormal).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 2, 9, 17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of Adams (U.S. Patent Number 10,121,003) as cited on the applicant’s IDS filed 10/23/2025.
Chen disclosed techniques for detecting ransomware infection. In an analogous art, Adams disclosed techniques for detecting ransomware. Both systems are directed toward the detection of ransomware.
Regarding claim 2, Chen does not explicitly state obtaining a magic number and a file name extension of the target file; determining, based on a preset correspondence between the magic number and the file name extension, whether the magic number corresponds to the file name extension in the target file; and triggering, based on the determination that the magic number corresponds to the file name extension in the target file, the operation of the obtaining of the partial feature of the target file based on the preset data in the target file. However, using a magic number in ransomware detection in such a fashion was well known in the art as evidenced by Adams. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Chen by adding the ability for obtaining a magic number and a file name extension of the target file; determining, based on a preset correspondence between the magic number and the file name extension, whether the magic number corresponds to the file name extension in the target file; and triggering, based on the determination that the magic number corresponds to the file name extension in the target file, the operation of the obtaining of the partial feature of the target file based on the preset data in the target file as provided by Adams (see column 8, lines 39-43, determines entropy values when magic number matches file type suffix). One of ordinary skill in the art would have recognized the benefit that analyzing the magic number of a file would assist in detecting ransomware (see Adams, column 1, lines 36-44).
Regarding claim 9, Chen does not explicitly state wherein the at least one processor is further configured to: obtain a magic number and a file name extension of the target file; determine, based on a preset correspondence between the magic number and the file name extension, whether the magic number corresponds to the file name extension in the target file; and trigger, if the magic number corresponds to the file name extension in the target file, the obtaining of the partial feature of the target file based on the preset data in the target file. However, using a magic number in ransomware detection in such a fashion was well known in the art as evidenced by Adams. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Chen by adding the ability that the at least one processor is further configured to: obtain a magic number and a file name extension of the target file; determine, based on a preset correspondence between the magic number and the file name extension, whether the magic number corresponds to the file name extension in the target file; and trigger, if the magic number corresponds to the file name extension in the target file, the obtaining of the partial feature of the target file based on the preset data in the target file as provided by Adams (see column 8, lines 39-43, determines entropy values when magic number matches file type suffix). One of ordinary skill in the art would have recognized the benefit that analyzing the magic number of a file would assist in detecting ransomware (see Adams, column 1, lines 36-44).
Regarding claim 17, Chen does not explicitly state wherein the at least one processor is further configured to: obtain a magic number and a file name extension of the target file; detect a correspondence between a magic number and a file name extension of the target file; and when the correspondence between the magic number and the file name extension of the target file is detected, determine that the target file is the encrypted file based on the partial feature obtained based on the preset data in the target file to determine that the target file is attacked by the ransomware. However, using a magic number in ransomware detection in such a fashion was well known in the art as evidenced by Adams. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Chen by adding the ability that the at least one processor is further configured to: obtain a magic number and a file name extension of the target file; detect a correspondence between a magic number and a file name extension of the target file; and when the correspondence between the magic number and the file name extension of the target file is detected, determine that the target file is the encrypted file based on the partial feature obtained based on the preset data in the target file to determine that the target file is attacked by the ransomware as provided by Adams (see column 8, lines 39-43, determines entropy values when magic number matches file type suffix). One of ordinary skill in the art would have recognized the benefit that analyzing the magic number of a file would assist in detecting ransomware (see Adams, column 1, lines 36-44).
Regarding claim 19, Chen does not explicitly state obtaining a magic number and a file name extension of the target file; detecting a correspondence between the magic number and the file name extension of the target file; and upon the detection of the correspondence between the magic number and the file name extension of the target file, determining that the target file is the encrypted file based on the partial feature obtained based on the preset data in the target file to determine that the target file is attacked by the ransomware. However, using a magic number in ransomware detection in such a fashion was well known in the art as evidenced by Adams. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Chen by adding the ability for obtaining a magic number and a file name extension of the target file; detecting a correspondence between the magic number and the file name extension of the target file; and upon the detection of the correspondence between the magic number and the file name extension of the target file, determining that the target file is the encrypted file based on the partial feature obtained based on the preset data in the target file to determine that the target file is attacked by the ransomware as provided by Adams (see column 8, lines 39-43, determines entropy values when magic number matches file type suffix). One of ordinary skill in the art would have recognized the benefit that analyzing the magic number of a file would assist in detecting ransomware (see Adams, column 1, lines 36-44).
Claims 4, 5, 11, and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of Massiglia et al. (U.S. Patent Application Publication Number 2021/0382992), hereinafter referred to as Massiglia.
Chen disclosed techniques for detecting ransomware infection. In an analogous art, Massiglia disclosed techniques for analyzing potentially corrupt data written to storage. Both systems are directed toward the detection of ransomware.
Regarding claim 4, Chen discloses obtaining a plurality of operation records of a plurality of operated files, and obtaining, based on the plurality of operation records, a same operated file on which an operation is performed by a same device, wherein the plurality of operation records correspond to the plurality of operated files, and each of the plurality of operation records is for recording an operation on an operated file corresponding to the operation record (paragraph 16, file operations).
Chen does not explicitly state that the performed operation is a write operation and further successively obtaining a write offset and a write length of the same operated file on which the write operation is performed by the same device; accumulating, when a current write offset is greater than a previous write offset for the same operated file on which the write operation is performed by the same device, a current write length and a previous write length for the same operated file to obtain an accumulated write length value of the same operated file; obtaining a write ratio of the same operated file based on a size of the same operated file and the accumulated write length value; and determining, when the write ratio of the same operated file within a preset duration is not less than a preset write ratio, the same operated file on which the write operation is performed by the same device as the target file. However, analyzing write operations for ransomware detection in such a fashion was well known in the art as evidenced by Massiglia. 
Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Chen by adding the ability that the performed operation is a write operation and further successively obtaining a write offset and a write length of the same operated file on which the write operation is performed by the same device; accumulating, when a current write offset is greater than a previous write offset for the same operated file on which the write operation is performed by the same device, a current write length and a previous write length for the same operated file to obtain an accumulated write length value of the same operated file; obtaining a write ratio of the same operated file based on a size of the same operated file and the accumulated write length value; and determining, when the write ratio of the same operated file within a preset duration is not less than a preset write ratio, the same operated file on which the write operation is performed by the same device as the target file as provided by Massiglia (see paragraph 363, examines file compressibility, and paragraph 496, metrics include compressibility of writes). One of ordinary skill in the art would have recognized the benefit that analyzing compressibility metrics would assist in determining whether or not data is encrypted (see Massiglia, paragraph 363).
Regarding claim 5, Chen discloses obtaining a plurality of operation records of a plurality of operated files, and obtaining operated files corresponding to a first operation based on the plurality of operation records, wherein the plurality of operation records correspond to the plurality of operated files, and each of the plurality of operation records is for recording an operation on an operated file corresponding to the operation record (paragraph 16, file operations).
Chen does not explicitly state further obtaining, one by one from the operated files corresponding to the first operation, an operated file that matches a preset abnormal file name extension; and determining, when a quantity of operated files that match the preset abnormal file name extension is greater than a preset quantity, the operated file that matches the preset abnormal file name extension as the target file. However, analyzing file name extensions for ransomware detection in such a fashion was well known in the art as evidenced by Massiglia. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Chen by adding the ability for further obtaining, one by one from the operated files corresponding to the first operation, an operated file that matches a preset abnormal file name extension; and determining, when a quantity of operated files that match the preset abnormal file name extension is greater than a preset quantity, the operated file that matches the preset abnormal file name extension as the target file as provided by Massiglia (see paragraph 394, determines preponderance of files of particular file type with incorrect filename pattern, and paragraph 396, examining filename pattern includes suffixes of particular file types). One of ordinary skill in the art would have recognized the benefit that analyzing filename formats would assist in determining possible security threats (see Massiglia, paragraph 396).
Regarding claim 11, Chen discloses wherein the at least one processor is further configured to: obtain a plurality of operation records of a plurality of operated files, and obtain, based on the plurality of operation records, an operated file on which an operation is performed by a same device, wherein the plurality of operation records correspond to the plurality of operated files, and each of the plurality of operation records is for recording an operation on an operated file corresponding to the operation record (paragraph 16, file operations).
Chen does not explicitly state that the performed operation is a write operation and further successively obtaining a write offset and a write length of the operated file on which the write operation is performed by the same device; accumulating, if a current write offset is greater than a previous write offset for the operated file on which the write operation is performed by the same device, a current write length and a previous write length for the operated file to obtain an accumulated write length value of the operated file; obtaining a write ratio of the operated file based on a size of the operated file and the accumulated write length value; and determining, if the write ratio of the operated file within a preset duration is not less than a preset write ratio, the operated file on which the write operation is performed by the same device as the target file. However, analyzing write operations for ransomware detection in such a fashion was well known in the art as evidenced by Massiglia. 
Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Chen by adding the ability that the performed operation is a write operation and further successively obtaining a write offset and a write length of the operated file on which the write operation is performed by the same device; accumulating, if a current write offset is greater than a previous write offset for the operated file on which the write operation is performed by the same device, a current write length and a previous write length for the operated file to obtain an accumulated write length value of the operated file; obtaining a write ratio of the operated file based on a size of the operated file and the accumulated write length value; and determining, if the write ratio of the operated file within a preset duration is not less than a preset write ratio, the operated file on which the write operation is performed by the same device as the target file as provided by Massiglia (see paragraph 363, examines file compressibility, and paragraph 496, metrics include compressibility of writes). One of ordinary skill in the art would have recognized the benefit that analyzing compressibility metrics would assist in determining whether or not data is encrypted (see Massiglia, paragraph 363).
Regarding claim 12, Chen discloses wherein the at least one processor is further configured to perform the following operations: obtain a plurality of operation records of a plurality of operated files, and obtain operated files corresponding to a first operation based on the plurality of operation records, wherein the plurality of operation records correspond to the plurality of operated files, and each of the plurality of operation records is for recording an operation on an operated file corresponding to the operation record (paragraph 16, file operations).
Chen does not explicitly state further obtaining, one by one from the operated files corresponding to the first operation, an operated file that matches a preset abnormal file name extension; and determining, when a quantity of operated files that match the preset abnormal file name extension is greater than a preset quantity, the operated file that matches the preset abnormal file name extension as the target file. However, analyzing file name extensions for ransomware detection in such a fashion was well known in the art as evidenced by Massiglia. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Chen by adding the ability for further obtaining, one by one from the operated files corresponding to the first operation, an operated file that matches a preset abnormal file name extension; and determining, when a quantity of operated files that match the preset abnormal file name extension is greater than a preset quantity, the operated file that matches the preset abnormal file name extension as the target file as provided by Massiglia (see paragraph 394, determines preponderance of files of particular file type with incorrect filename pattern, and paragraph 396, examining filename pattern includes suffixes of particular file types). One of ordinary skill in the art would have recognized the benefit that analyzing filename formats would assist in determining possible security threats (see Massiglia, paragraph 396).
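The detection steps recited in the claims, as an added Python sketch that is not part of the Office action or of the Chen, Adams or Massiglia references: the magic-number gate of claims 2 and 9 feeding the partial-entropy check of claims 1 and 8, the write-offset accumulation and write ratio of claims 4 and 11, and the abnormal-extension count of claims 5 and 12. The magic-number table, thresholds, record layout and sample data are constructed assumptions.

```python
# Added example (not the Office action's or the cited references' code): the claimed
# detection steps in plain Python. Table, thresholds and samples are constructed assumptions.
import math
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Constructed "preset correspondence" between name extensions and magic numbers.
MAGIC_BY_EXT: Dict[str, bytes] = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF",
    "jpg": b"\xff\xd8\xff",
}
PRESET_LEN = 256             # "preset data": leading bytes used for the partial feature
ENTROPY_THRESHOLD = 7.0      # bits per byte; ciphertext approaches the 8.0 maximum
WRITE_RATIO_THRESHOLD = 0.9  # "preset write ratio" of claim 4
ABNORMAL_EXTS = {"locked", "crypt", "enc"}   # constructed "preset abnormal" suffixes


def magic_matches_extension(data: bytes, ext: str) -> bool:
    """Claim 2 gate: the file's magic number must agree with its name extension."""
    magic = MAGIC_BY_EXT.get(ext.lower())
    return magic is not None and data.startswith(magic)


def partial_entropy(data: bytes, preset_len: int = PRESET_LEN) -> float:
    """Claim 1 partial feature: Shannon entropy (bits/byte) of the first preset_len bytes."""
    window = data[:preset_len]
    if not window:
        return 0.0
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def is_encrypted_file(data: bytes, ext: str) -> Optional[bool]:
    """Claims 1 and 2 together: None when the magic/extension gate does not fire (the
    partial-feature step is only triggered on a match), otherwise the entropy verdict."""
    if not magic_matches_extension(data, ext):
        return None
    return partial_entropy(data) >= ENTROPY_THRESHOLD


class WriteRecord(NamedTuple):
    device: str
    path: str
    offset: int
    length: int


def accumulated_write_length(writes: List[WriteRecord]) -> int:
    """Claim 4 accumulation for one file written by one device, in record order: whenever
    the current offset exceeds the previous one, the current and the previous write
    length both count toward the accumulated value (each write counted at most once)."""
    total = 0
    prev: Optional[WriteRecord] = None
    prev_counted = False
    for w in writes:
        counted = False
        if prev is not None and w.offset > prev.offset:
            if not prev_counted:
                total += prev.length
            total += w.length
            counted = True
        prev, prev_counted = w, counted
    return total


def flag_by_write_ratio(records: List[WriteRecord], sizes: Dict[str, int],
                        threshold: float = WRITE_RATIO_THRESHOLD) -> List[str]:
    """Claim 4 decision: group the window's writes by (device, path) and return the paths
    whose accumulated write length / file size is not less than the preset ratio."""
    groups: Dict[tuple, List[WriteRecord]] = {}
    for r in records:
        groups.setdefault((r.device, r.path), []).append(r)
    flagged = [path for (_, path), ws in groups.items()
               if sizes.get(path) and accumulated_write_length(ws) / sizes[path] >= threshold]
    return sorted(flagged)


def flag_by_abnormal_extension(paths: List[str], preset_quantity: int = 3) -> List[str]:
    """Claim 5: files carrying a preset abnormal extension become targets once their
    count exceeds the preset quantity; below it, a lone rename is ignored."""
    hits = [p for p in paths if p.rsplit(".", 1)[-1].lower() in ABNORMAL_EXTS]
    return hits if len(hits) > preset_quantity else []


# Constructed samples: a PNG header followed by a high-entropy body versus a low-entropy
# body, a sequential full rewrite versus scattered small edits, and a burst of renames.
ENCRYPTED_SAMPLE = MAGIC_BY_EXT["png"] + bytes(range(256))
PLAIN_SAMPLE = MAGIC_BY_EXT["png"] + b"A" * 1024
FILE_SIZES = {"docs/report.docx": 16384, "db/ledger.bin": 16384}
SEQUENTIAL_WRITES = [WriteRecord("host-a", "docs/report.docx", off, 4096)
                     for off in range(0, 16384, 4096)]
RANDOM_WRITES = [WriteRecord("host-a", "db/ledger.bin", off, 512) for off in (8192, 0, 4096)]
RENAMED_PATHS = ["a.docx.locked", "b.xlsx.locked", "c.jpg.crypt", "d.pdf.enc", "notes.txt"]

if __name__ == "__main__":
    print("encrypted:", is_encrypted_file(ENCRYPTED_SAMPLE, "png"),
          "plain:", is_encrypted_file(PLAIN_SAMPLE, "png"))
    print("write-ratio targets:", flag_by_write_ratio(SEQUENTIAL_WRITES + RANDOM_WRITES, FILE_SIZES))
    print("extension targets:", flag_by_abnormal_extension(RENAMED_PATHS))
```

Note that the gate of claim 2 only triggers the entropy check when the header still matches the extension, so a file whose leading bytes were overwritten by encryption returns None here and must be caught by the operation-record checks instead.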
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Linnen et al. (U.S. Patent Application Publication Number 2019/0294507) disclosed techniques for entropy indicator analysis and encryption detection.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Victor Lesniewski/Primary Examiner, Art Unit 2493