Isolated Snapshot Storage For Fast Ransomware Protection

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Detailed Action 2. Claims 1-20 are pending in Instant Application. Information Disclosure Statement The information disclosure statement (IDS) submitted on 08/19/2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 4. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 12,197,578 issued to Brandwine in view US 9,594,636 issued to Mortensen et al. (Mortensen). As per claim 1, Brandwine teaches a method of operating a data vault system, comprising: receiving, via a first port, snapshot configuration data from a configuration manager (Brandwine: Fig. 7, Fig. 8 - receiving, by an input/output (I/0) proxy device coupled to an interconnect of a computer system, a plurality of (I/0) messages generated by a compute instance running on the computer system, a pattern of input/output (I/0) messages indicative of a potential ransomware attack, wherein the potential ransomware attack affects a storage volume attached to a compute instance running on the computer system); determining, based on the snapshot configuration data, to obtain a snapshot of a data volume of one or more data volumes in a data storage service (Brandwine: Fig. 7, Fig. 8 - identifying a snapshot of the storage volume and causing a copy of the snapshot of the storage volume to be retained in storage); Brandwine however does not teach in response to determining to obtain the snapshot of the data volume, enabling a second port through which to communicate a pull request for the snapshot; transmitting, via the second port, the pull request to the data storage service to obtain the snapshot of the data volume; disabling the second port in response to receiving the snapshot from the data storage service; and storing the snapshot in a secure data volume. Mortensen however explicitly teach in response to determining to obtain the snapshot of the data volume, enabling a second port through which to communicate a pull request for the snapshot; transmitting, via the second port, the pull request to the data storage service to obtain the snapshot of the data volume; disabling the second port in response to receiving the snapshot from the data storage service; and storing the snapshot in a secure data volume (Mortensen: Col. 15, ll. (24-37) - the storage server 206 may start a port forwarding or TCP/IP connection tunneling (e.g. secure shell session) e.g., 220 with the storage server 207. Thereafter, backup files (snapshot) may be synchronized from the storage server 206 to the storage server 207 while minimizing data transfers. An example of a mechanism to start a port forwarding connection and synchronization process has been already substantially shown in this specification e.g., 221. Concurrently, the storage server 206 may start a polling process e.g., 218 which will continuously check the storage server 207 for a message indicating that the synchronization process has been completed. Once the completion message has been emitted by the storage server 207 the storage server 206 may bring the tunneling session to an end). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Brandwine in view of Mortensen to teach in response to determining to obtain the snapshot of the data volume, enabling a second port through which to communicate a pull request for the snapshot; transmitting, via the second port, the pull request to the data storage service to obtain the snapshot of the data volume; disabling the second port in response to receiving the snapshot from the data storage service; and storing the snapshot in a secure data volume. One would be motivated to do so as the storage server 206 may start a port forwarding or TCP/IP connection tunneling (e.g. secure shell session) e.g., 220 with the storage server 207. Thereafter, backup files (snapshot) may be synchronized from the storage server 206 to the storage server 207 while minimizing data transfers. An example of a mechanism to start a port forwarding connection and synchronization process has been already substantially shown in this specification e.g., 221. Concurrently, the storage server 206 may start a polling process e.g., 218 which will continuously check the storage server 207 for a message indicating that the synchronization process has been completed. Once the completion message has been emitted by the storage server 207 the storage server 206 may bring the tunneling session to an end (Mortensen: Col. 15, ll. (24-37)). As per claim 2, the modified teaching of Brandwine teaches the method of claim 1, the method further comprising: hosting the data vault system on an isolated network, wherein the isolated network is remote to the data storage service (Brandwine: Col. 9, ll. 67 to Col. 10, ll. 2 - the remote, network-accessible data storage devices similarly can provide block storage via logical volumes). As per claim 3, the modified teaching of Brandwine teaches the method of claim 2, wherein the second port is an endpoint in a communication pathway dedicated to transmitting the pull request to the data storage service and to receiving the snapshot from the data storage service (Mortensen: Col. 15, ll. (24-29) - the storage server 206 may start a port forwarding or TCP/IP connection tunneling (e.g. secure shell session) e.g., 220 with the storage server 207. Thereafter, backup files (snapshot) may be synchronized from the storage server 206 to the storage server 207 while minimizing data transfers). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Brandwine in view of Mortensen to teach wherein the second port is an endpoint in a communication pathway dedicated to transmitting the pull request to the data storage service and to receiving the snapshot from the data storage service. One would be motivated to do so as the storage server 206 may start a port forwarding or TCP/IP connection tunneling (e.g. secure shell session) e.g., 220 with the storage server 207. Thereafter, backup files (snapshot) may be synchronized from the storage server 206 to the storage server 207 while minimizing data transfers (Mortensen: Col. 15, ll. (24-37)). As per claim 4, the modified teaching of Brandwine teaches the method of claim 3, the method further comprising: enabling the configuration manager before receiving the snapshot configuration data; and disabling the configuration manager after receiving the snapshot configuration data (Brandwine: Col. 14, ll. (42-53) - the I/O proxy device is coupled to a control plane of the provider network 100 and thus the ability to monitor I/O messages for potential ransomware attacks can be selectively enabled or disabled or the analysis process can be configured. For example, a user associated with a computer system can provide input indicating whether the user desires for the I/O analyzer 122 to monitor I/O messages for patterns indicative or ransomware (and for potentially other types of malware or other operational issues), whether continuous or periodic monitoring is desired, one or more particular types of I/O patterns for which to monitor, and the like). As per claim 5, the modified teaching of Brandwine teaches the method of claim 4, wherein: the snapshot configuration data comprises a port schedule comprising schedule information governing the second port; and determining to obtain the snapshot of the data volume based on the snapshot configuration data comprises determining to obtain the snapshot of the data volume based on the port schedule (Mortensen: Col. 4, ll. (56-67) - the backup aggregator may thereafter generate a snapshot of the received image backup file(s) according to a local backup schedule. The snapshot operation may be server specific, such as for example a local backup snapshot policy that generates hourly backups for a mission-critical mail server while only generating daily snapshots of image backup files from a user's laptop. The BDR may also be configured such that the transfer of image-based backup files from client devices (such as servers, workstations, laptops, etc. described above) may differ from the local snapshot policy itself). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Brandwine in view of Mortensen to teach the snapshot configuration data comprises a port schedule comprising schedule information governing the second port; and determining to obtain the snapshot of the data volume based on the snapshot configuration data comprises determining to obtain the snapshot of the data volume based on the port schedule. One would be motivated to do so as the backup aggregator may thereafter generate a snapshot of the received image backup file(s) according to a local backup schedule. The snapshot operation may be server specific, such as for example a local backup snapshot policy that generates hourly backups for a mission-critical mail server while only generating daily snapshots of image backup files from a user's laptop. The BDR may also be configured such that the transfer of image-based backup files from client devices (such as servers, workstations, laptops, etc. described above) may differ from the local snapshot policy itself (Mortensen: Col. 4, ll. (56-67)). As per claim 6, the modified teaching of Brandwine teaches the method of claim 5, wherein the schedule information governing the second port comprises information corresponding to each of the one or more data volumes (Mortensen: Col. 17, ll. (17-25) - an assisting node processing request may be triggered periodically (e.g., every 10 min) and/or in response to determined events e.g., a reconfiguration of the BDR system. In one embodiment, an assistance node processing request may specify commands that are required to be performed by the storage server including but not limited to calculating how much disk space is available in the storage server, updating software e.g., file system software, logical volume manager software and the like). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Brandwine in view of Mortensen to teach wherein the schedule information governing the second port comprises information corresponding to each of the one or more data volumes. One would be motivated to do so as an assisting node processing request may be triggered periodically (e.g., every 10 min) and/or in response to determined events e.g., a reconfiguration of the BDR system. In one embodiment, an assistance node processing request may specify commands that are required to be performed by the storage server including but not limited to calculating how much disk space is available in the storage server, updating software e.g., file system software, logical volume manager software and the like (Mortensen: Col. 17, ll. (17-25)). As per claim 7, the modified teaching of Brandwine teaches the method of claim 6, wherein: the snapshot configuration data further comprises snapshot retention periods corresponding to each of the one or more data volumes in the data storage service, wherein the snapshot retention period comprises a period for which a snapshot is retained in the data vault system; and the method further comprises: determining to delete the snapshot from the secure data volume based on the snapshot retention period; and deleting the snapshot (Mortensen: Col. 4, ll. (4-11) - files that are created and then deleted between the first and last hourly snapshot being merged may be skipped completely in determining the merged snapshot because the underlying file system may be aware of the file status over time while a configuration applying incremental changes would only be aware of the one-hour differences to the substantially ready-to-run disk image). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Brandwine in view of Mortensen to teach wherein the snapshot configuration data further comprises snapshot retention periods corresponding to each of the one or more data volumes in the data storage service, wherein the snapshot retention period comprises a period for which a snapshot is retained in the data vault system; and the method further comprises: determining to delete the snapshot from the secure data volume based on the snapshot retention period; and deleting the snapshot. One would be motivated to do so as files that are created and then deleted between the first and last hourly snapshot being merged may be skipped completely in determining the merged snapshot because the underlying file system may be aware of the file status over time while a configuration applying incremental changes would only be aware of the one-hour differences to the substantially ready-to-run disk image (Mortensen: Col. 4, ll. (4-11)). As per claim 8, the claim resembles claim 1 and is rejected under the same rationale while Brandwine also teaches one or more computer readable storage media; one or more processors operatively coupled with the one or more computer readable storage media (Brandwine: Col. 21, ll. (53-57) - a computer-readable storage medium, for example, in the form of a computer program comprising instructions executable by one or more processors). As per claim 9, the claim resembles claim 2 and is rejected under the same rationale. As per claim 10, the claim resembles claim 3 and is rejected under the same rationale. As per claim 11, the claim resembles claim 4 and is rejected under the same rationale. As per claim 12, the claim resembles claim 5 and is rejected under the same rationale. As per claim 13, the claim resembles claim 6 and is rejected under the same rationale. As per claim 14, the claim resembles claim 7 and is rejected under the same rationale. As per claim 15, the claim resembles claim 1 and is rejected under the same rationale while Brandwine also teaches One or more computer readable storage media having program instructions stored thereon that, when executed by one or more processors in a computing device, direct the computing device (Brandwine: Col. 21, ll. (53-57) - a computer-readable storage medium, for example, in the form of a computer program comprising instructions executable by one or more processors). As per claim 16, the claim resembles claim 2 and is rejected under the same rationale. As per claim 17, the claim resembles claim 3 and is rejected under the same rationale. As per claim 18, the claim resembles claim 4 and is rejected under the same rationale. As per claim 19, the claim resembles claim 5 and is rejected under the same rationale. As per claim 20, the claim resembles claim 6 and is rejected under the same rationale. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to SM AZIZUR RAHMAN whose telephone number is (571)270-7360. The examiner can normally be reached on M-F Telework; If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar can be reached on 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SM A RAHMAN/Primary Examiner, Art Unit 2434