Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claim(s) 1, 3-14 and 16-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Cosenetino (US Patent Pub. 2025/0190558).
As per claims 1, 14 and 20: Cosentino discloses a non-transitory computer-readable medium storing instructions that, when executed by one or more processors, cause the one or more processors to (see abstract):
monitor system calls initiated by processes executing on a computer system (see abstract Paragraph 9-11; The kernel monitor can include a respective kernel program monitoring each system call in the set of system calls. The set of system calls can be filtered by the kernel monitor to identify a subset of system calls associated with encrypting a filesystem of the host system);
generate kernel telemetry data for a plurality of system calls, the kernel telemetry data associating, for each system call of the plurality of system calls, a process invoking the system call, an operation type of the system call, and a target of the system call (see abstract Paragraph 9-11; The set of system calls can be filtered by the kernel monitor to identify a subset of system calls associated with encrypting a filesystem of the host system. The computing system can determine that the subset of system calls is indicative of ransomware activity associated with the host system based on the subset of system calls exceeding a predefined threshold. Subsequently, the computing system can perform a mitigation operation to mitigate the ransomware activity);
analyze the kernel telemetry data; based on analyzing the kernel telemetry data, determine that a particular process executed under control of a ransomware agent (Paragraph 11; once the kernel monitor detects the ransomware activity, the kernel monitor can implement a mitigation operation to mitigate the ransomware activity. For instance, the kernel monitor can isolate the host system to prevent ransomware affecting the host system from migrating or spreading to other components of the computing system associated with the host system. In some implementations, the mitigation operation may involve identifying a ransomware file in the filesystem that is associated with the ransomware activity); and
in response to determining that the particular process executed under control of the
ransomware agent, initiate one or more response measures (Paragraph 11; Once the ransomware file is identified, the computing system can isolate the ransomware file to prevent the ransomware file from affecting the host system or the other components of the computing system).
As per claims 3 and 16: The non-transitory computer-readable medium of claim 1:
wherein determining that the particular process executed under control of the ransomware agent comprises detecting a hallmark in particular kernel telemetry data corresponding to the particular process, the hallmark comprising a first pattern of kernel-level behavior consistent with ransomware execution (Paragraph 22; The abnormal behavior can correspond to ransomware activity 116 related to encryption or decryption of the filesystem 114. Although the abnormal behavior is generally described herein as being related to encryption or decryption of the filesystem 114 caused by ransomware, other types of malware (e.g., wiper malware) may cause or contribute to the abnormal behavior).
As per claims 4 and 17: The non-transitory computer-readable medium of claim 3:
wherein the hallmark comprises a pattern of kernel-level behavior associated with a particular ransomware variant (Paragraph 22; The abnormal behavior can correspond to ransomware activity 116 related to encryption or decryption of the filesystem 114. Although the abnormal behavior is generally described herein as being related to encryption or decryption of the filesystem 114 caused by ransomware, other types of malware (e.g., wiper malware) may cause or contribute to the abnormal behavior).
As per claims 5 and 18: The non-transitory computer-readable medium of claim 3:
wherein the hallmark comprises deviation from typical kernel-level behavior of the particular process (Paragraph 24; the subset of system calls 122 can be flagged as being indicative of abnormal behavior (e.g., the ransomware activity 116). For example, the predefined threshold 126 can involve identifying ten encryption-related system calls within a time window 124 of two hours. Accordingly, the subset of system calls 122 including more than ten encryption-related system calls can indicate that the subset of system calls 122 corresponds to the ransomware activity 116.).
As per claims 6 and 19: The non-transitory computer-readable medium of claim 3:
wherein the hallmark comprises a pattern of file access relating to file encryption (Paragraph 24; the subset of system calls 122 can be flagged as being indicative of abnormal behavior (e.g., the ransomware activity 116). For example, the predefined threshold 126 can involve identifying ten encryption-related system calls within a time window 124 of two hours. Accordingly, the subset of system calls 122 including more than ten encryption-related system calls can indicate that the subset of system calls 122 corresponds to the ransomware activity 116.).
As per claim 7: The non-transitory computer-readable medium of claim 3:
wherein the hallmark comprises a pattern of file access relating to exfiltration of data (Paragraph 28; generate a dataset that can be used to update the ransomware pattern 208 or to generate a different ransomware pattern that can be stored in the pattern database 210).
As per claim 8: The non-transitory computer-readable medium of claim 3:
wherein the hallmark comprises modification of system configuration data (Paragraph 22; The abnormal behavior can correspond to ransomware activity 116 related to encryption or decryption of the filesystem 114. Although the abnormal behavior is generally described herein as being related to encryption or decryption of the filesystem 114 caused by ransomware, other types of malware (e.g., wiper malware) may cause or contribute to the abnormal behavior).
As per claim 9: The non-transitory computer-readable medium of claim 3:
wherein the hallmark comprises a pattern associated with modifying one or more processes related to security (Paragraph 22; The abnormal behavior can correspond to ransomware activity 116 related to encryption or decryption of the filesystem 114. Although the abnormal behavior is generally described herein as being related to encryption or decryption of the filesystem 114 caused by ransomware, other types of malware (e.g., wiper malware) may cause or contribute to the abnormal behavior).
As per claim 10: The non-transitory computer-readable medium of claim 3:
wherein the hallmark comprises a pattern associated with modifying access control configurations (Paragraph 22; The abnormal behavior can correspond to ransomware activity 116 related to encryption or decryption of the filesystem 114. Although the abnormal behavior is generally described herein as being related to encryption or decryption of the filesystem 114 caused by ransomware, other types of malware (e.g., wiper malware) may cause or contribute to the abnormal behavior).
As per claim 11: The non-transitory computer-readable medium of claim 1:
wherein the one or more response measures comprise preventing execution of a corresponding system call associated with the particular process (Paragraph 21; the kernel monitor 104 may attach a particular kernel program of the kernel programs 115 at an entry of an ‘open ( )’ system call associated with a particular file of the filesystem 114. As a result, the kernel monitor 104 can be alerted by the particular kernel program when an operation of the host system 102 attempts to open the particular file).
As per claim 12: The non-transitory computer-readable medium of claim 1:
wherein the one or more response measures comprises terminating the particular process (Paragraph 39; After removing the ransomware file 112 from the filesystem 114, the computing system 300 can adjust the access permissions of the filesystem 114 to restore the write access 302 with respect to the filesystem 114. The computing system 300 then can reconnect the filesystem 114 to the network 106).
As per claim 13: The non-transitory computer-readable medium of claim 1:
wherein the one or more response measures comprise initiating a remediation process to address ransomware on the computer system (Paragraph 52; the processing device 502 can perform operations to detect and mitigate the ransomware activity 116 associated with the host system 500. For example, the processing device 502 can use the kernel monitor 104 of the host system 500 to track one or more system calls associated with the host system 500).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 2 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Cosenetino (US Patent Pub. 2025/0190558) in view of N (US Patent Pub. 2023/0344844).
As per claims 2 and 15: The non-transitory computer-readable medium of claim 1:
wherein monitoring the system calls is performed in kernel space of the computer system (see abstract Paragraph 9-11; The set of system calls can be filtered by the kernel monitor to identify a subset of system calls associated with encrypting a filesystem of the host system. The computing system can determine that the subset of system calls is indicative of ransomware activity associated with the host system based on the subset of system calls exceeding a predefined threshold. Subsequently, the computing system can perform a mitigation operation to mitigate the ransomware activity);
Cosentino does not specifically disclose wherein the instructions, when executed by one or more processors, cause the one or more processors to: provide the kernel telemetry data to a user space application component executing in user space of the computer system; and wherein analyzing the kernel telemetry data is performed by the user space application component (See N, Paragraph 31; Privileged operation requests may be received, by the user space (208) (e.g., malware, ransomware, etc.), by a remote connection (e.g., received over a network), and/or from the operating system (e.g., rootkit malware, compromised kernel software, etc.). The privileged operations monitor (204) may perform one or more of the steps discussed in FIG. 4.).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Cosentino and N in it’s entirety, to modify the technique of Consentino for mitigating ransomware activity by adopting N's teaching for holding an anomalous privileged operation. The motivation would have been to improve ransomware defense.
Relevant Prior Art References
The following prior art is cited as being of interest to the claimed invention but has not been applied in any of the current rejections.
Smith et al.- US Patent Publication 20250232034- the prior art teaches techniques for prevent or otherwise circumvent ransomware from infiltrating and exploiting.
Heo et al.- US Patent Pub. 2025/0165592 - the prior art teaches techniques for real-time detection and blocking of ransomware.
Heo et al.- US Patent Pub. 2024/0411914 - the prior art teaches techniques for real-time detection and blocking of ransomware.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANTHONY D BROWN whose telephone number is (571)270-1472. The examiner can normally be reached 730-330pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached at 5712705440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ANTHONY D BROWN/Primary Examiner, Art Unit 2408