Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Remarks
2.	Claims 1-15 currently stand rejected. 
3.	Claims 1, 3, 5, 7, 9, 11, 13, and 14 are amended.
4.	No new claims are added, and no claims are canceled. 
5.	No new matter has been entered by any of the amendments.

Continued Examination Under 37 CFR 1.114
6.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/15/2021 has been entered.
 
Response to Arguments
7.	Applicant’s arguments filed on 2/15/2021, with respect to the 35 U.S.C. 103 rejection of claims 1-7 and 9-15 as allegedly being unpatentable over U.S. Application Publication No. 2017/0024561 filed by Hajmasan (“Hajmasan”) in view of U.S. Application Publication No. 2011/0219450 filed by McDougal (“McDougal”), and the rejection of claim 8 as allegedly being unpatentable over Hajmasan in view of McDougal and further in view of U.S. Patent No. 8,204,907 to Smith (“Smith”), have been fully considered. However, upon further consideration, a new ground of rejection is made in view of the amended claims.
Applicant alleges dependent claim 8 further introduces the concept of “decreasing a counter recording the number of sequences of file accesses ... after a predetermined period of time....” Accordingly, dependent claim 8 introduces a timing element that results in ransomware being detected based on the predefined patterns of file accesses within a certain amount of time. None of McDougal, Hajmasan, nor Smith, whether considered alone or in combination, teaches or suggests “decreasing a counter” used to record the “number of sequences of file accesses that match a predefined pattern” of personal user file accesses. Examiner respectfully disagrees.
Smith discloses a method for managing file access history information. An application opening a file may be identified. Access rights used to open the file may be determined. A time parameter associated with the opening of the file may be recorded. An access frequency parameter for the file over a predetermined period of time may be calculated. File access history information associated with the file may be stored (Col. 1 Lines 45-52).
Further, a timer may determine an access frequency associated with a file (or group of files) over a pre-determined period of time. For example, the timer may determine how often a file (such as file B 212 of Fig. 2) has been accessed over a period of time. In addition, the timer 226 may determine how often a group of files (such as file A 210, file B 212, and file C 214 of Fig. 2) have been accessed over a predetermined period of time (Col. 4 Lines 19-25).
A file access report may further include file access frequency information 338 and duration of file access information. In one embodiment, the file access frequency information may indicate how often a file has been accessed over a pre-determined period of time. In addition, the file access frequency information 338 may also indicate how often a particular application or program has accessed a file over a period of time. Duration of file access information may be a parameter that indicates the length of time a file is accessed, or opened (Col. 4 Line 62- Col. 5 Line 4).
A scanner may be a real time scanning engine that scans files that are accessed during a boot up operation. The scanner may analyze the file access report for a particular file to determine whether the file has been accessed during the boot up operation. If the file has been accessed during previous boot up operations, the scanning engine may pre-scan the file when the client is in an idle time. If the file is pre-scanned, the scanning engine may skip the scanning of the file during the next boot up operation. Reducing the number of files scanned during the boot up operation may improve the speed and efficiency of the client (Col. 5 Lines 13-25).
A heuristic system may use information in file access reports in order to determine which files have been accessed for a significant period of time without being implicated in malicious activity. For example, the heuristic system may analyze file access reports through the reporting interface in order to determine which files do not need to be analyzed in the future because they have been accessed, or opened, for a pre-determined period of time. Reducing the number of files analyzed by the heuristic system may improve the speed and efficiency of the client. In one embodiment, the heuristic system may query the database directly for the file access reports (Col. 5 Lines 41-52).
Smith discloses reducing the number of files analyzed during boot-up based on a file access report that determines how one or more files are accessed based on a pre-determined amount of time (i.e., next boot up operation). Therefore, Smith discloses 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

8.	Claims 1-7 and 9-15 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 20170024561 hereinafter Hajmasan in view of U.S. Publication No. 2011/0219450 hereinafter Mcdougal, and further in view of U.S. Patent No. 9317686 hereinafter Ye.

As per claim 1, Hajmasan discloses:
A system (para 0006 “According to one aspect, a host system comprises at least one hardware processor and a memory unit, the at least one hardware processor configured to execute an entity manager and a heuristic engine. The entity manager is configured to organize a collection of monitored executable entities into a plurality of entity groups.”), comprising:
a monitor module to monitor files stored on the system for sequences of file accesses that match a predefined pattern of file accesses (para 0037 “In some embodiments, behavior manager 42 receives a set of event notifications 40 Fig. 6, para 0053 “In some embodiments, step 170 determines whether the detected lifecycle event comprises an injection of code, and when no, manager 44 may advance to a step 174. As a general rule, security application 36 may interpret each code injection-event as suspect, possibly indicating malicious activities In some embodiments, a step 171 checks whether the injection can be trusted to be legitimate, for instance by attempting to match details of the respective injection event to a list of exceptions.” Fig. 7, Para 0058 “FIG. 7 illustrates an exemplary behavior signature associated with a ransomware attack. Ransomware is a particular type of malware, which encrypts a set of files on a user's computer, and then asks the user to pay in order to recover the respective files. Entity creation is illustrated as a zigzagged arrow. Each solid vertical line shows the life history of each entity. For instance, entity El dies after spawning entity E2. Entity E3 became part of the illustrated group in response to receiving injected code from E2. Some actions of the respective entities are not part of signature 68. For instance, entity E3's spawning of entity E4 is not included in signature 68.”);
(para 0051 “In a sequence of steps 150-152, entity manager 44 intercepts an entity life-cycle event, and when such an event has occurred, the sequence of steps 154-155 identifies a type of the event and the affected entities. In some embodiments, lifecycle events comprise process creation, code injection, and process termination, among others. ” para 0058 “FIG. 7 illustrates an exemplary behavior signature associated with a ransomware attack. Ransomware is a particular type of malware, which encrypts a set of files on a user's computer, and then asks the user to pay in order to recover the respective files.”),
where the investigation module is activated when a number of sequences of file accesses that match the predefined pattern exceeds a first threshold (para 0055 “In some embodiments, heuristic engine 46 (FIG. 3) performs a set of tests or procedures, herein generically called heuristics, to determine whether the occurrence of a set of events within client system 10 is indicative of a security threat, e.g., is malware-indicative. When the respective heuristic(s) conclude(s) that the set of events is malware-indicative, engine 46 may transmit a scoring alert 50 to scoring engine 48, which may further determine whether client system 10 comprises malware.” Para 0057 “A particular example of heuristic checks for the occurrence of a particular sequence of events (a behavioral signature) on client system 10. Not all events of the sequence need to be caused by the same entity. However, the occurrence of such a sequence of events may be malware-indicative. In one such example, illustrated in FIG. 7, malicious activities are The particular sequence of actions A1-A6 amounts to a behavioral signature 68 identifying a particular malware attack.”):
and a reaction module to, when the number of sequences of file accesses that match the predefined pattern exceeds a second threshold (para 0075 “A step 336 then increments the aggregate score of the respective group. When the aggregate score of either entity or group (or both) exceed a predetermined threshold, a step 340 sends malice indicator 58 to cleanup module 56 Fig. 12-c, para 0076 “Using the example of behavior signature 68 in FIG. 7, a heuristic detecting the occurrence of the sequence of events A1-A6 may generate scoring alert 50 in response to detecting that entity E.sub.4 has performed action A.sub.6, and thus completing the malware-indicative sequence of actions indicated by behavioral signature 68. In response to receiving such an alert, step 348 may increment the entity evaluation score of entity E4, the score corresponding to the respective heuristic. If the increment associated to the respective heuristic is chosen to be large enough, the increase of the respective entity evaluation score may be large enough so that the aggregate score computed for entity E.sub.4 exceeds the malware detection threshold.”),
pause a set of processes operating on the system executed by a hardware processor of the system, identify processes associated with a suspected ransomware attack based on the logging performed by the investigation module (para 0006 “According to one aspect, a host para 0078 “In some embodiments, a step 406 checks whether the respective suspect entity is a member of a single group. When no, module 56 advances to step 410. When yes, in step 408, cleanup module 56 cleans the entire group of the suspect entity. In some embodiments, cleaning an entity group comprises cleaning every member entity of the respective group. Cleanup may involve any method known in the art of computer security. In some embodiments, cleaning an entity comprises suspending or terminating execution of the respective entity.”),
and resume legitimate processes (Para 0078 and 0079 “In one example of cleaning, when malicious activities have been tracked down to a code injection event, cleanup module 56 terminates the recipient entity and rolls back all changes to memory and/or the file system that occurred after the respective injection event.”)
wherein the monitor module, the investigation module, and the reaction module are executed by the hardware processor of the system (para 0009 “According to another aspect, a host system comprises at least one hardware processor and a memory unit, the at least one hardware processor configured to execute an entity manager and a heuristic engine.”)

Hajmasan does not disclose:

a paused set of processes includes paused legitimate processes and illegitimate processes,
identify paused processes associated with a suspected attack and resume execution of legitimate processes

Mcdougal discloses:
a paused set of processes includes paused legitimate processes and illegitimate processes and identify paused processes associated with a suspected attack (para 0084 “At step 608, in some embodiments, the processing of the message by an e-mail delivery system may be paused. This may be done because the malware detection system operating in an active mode. By pausing the processing of the message, the message may be prevented from being delivered. A copy of the message as well as the attachment may be created and sent to the malware detection system. In various embodiments, the message and the attachment themselves may be sent to the malware detection system without creating a copy. These actions may be performed or facilitated by an agent that communicates both with the malware detection system and the messaging system. In contexts other than e-mail, other underlying processes or services may be paused. For example, if the context is uploading files to a network location, the uploading process may be paused while the system analyzes the files as further described below.”)
and resume execution of legitimate processes (para 0097 “At step 642, the message may resume being processed. In some embodiments where multiple files are being processed as a group (i.e., if there are multiple files in an attachment), this step may include waiting for the results of the analysis of other files. In some embodiments, this may occur if it is determined that the attachment does not contain malware. This step may be reached if the attachment has been determined as malware but after the attachment has been removed from the message as in step 640. Hence the processing and delivering of the message may be paused at step 608 and resumed at step 642. In some embodiments, this step may be performed in different contexts. For example, if the system was analyzing files that were to be uploaded to a network location, this step may include allowing some or all of the files to be uploaded. If the system was invoked as a service, this step may include the entity that invoked the system as a service performing actions in response to receiving the results of the malware analysis. For example, if a desktop security agent invoked the system as a service, the agent may have received the results at step 640 and may alert the user of the desktop system of those results at step 642.")
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of organizing a collection of monitored executable entities into a plurality of entity groups of Hajmasan to include a paused set of processes includes 
The motivation would have been to pause and unpause processes based on analyzing a potential malicious attack.
	
Hajmasan in view of Mcdougal does not disclose:
identify personal user files in a set of files on the system, wherein the set of files includes personal user files and system files, and monitor the personal user files stored on the system for sequences of file accesses that match a predefined pattern of file accesses
	
Ye discloses:
identify personal user files in a set of files on the system, wherein the set of files includes personal user files and system files (Col. 3 Lines 24-34 “System 10 includes a system monitor driver 110 which resides in the kernel. This software module hooks relevant system events such as: file events (e.g., open file, write file, delete file, create file, rename file); registry events (e.g., create registry key, add registry value, delete registry key, delete registry value); process and thread events (e.g., create new process, create new thread, terminate process, terminate thread); and network events (e.g., the IP address of a remote server, the port used to connect, the URL to access, etc.). Any of the user mode modules will be able to receive events from this driver.”)
(Col. 5 Lines 1-21 “FIG. 2 is a flow diagram describing a specific embodiment of how ransomware is detected and blocked. The system monitor driver 110 continuously monitors system events 204 using system hooks. Although driver 110 is able to monitor all system events, in one embodiment it may focus exclusively upon file events in order to detect when a file is about to be changed.” “Step 212 determines whether an event has occurred indicating that a user process is attempting to change one of the files on the hard disk (for example, hooking of a system function indicates that a process is attempting to overwrite a file, write a new version of a file, encrypt a file, delete a file, etc.). If no file change event is currently detected, it is likely that ransomware is not currently executing upon the computer and control returns to step 204 for more monitoring of events. On the other hand, if a file change event is detected, then control moves to step 216 to determine whether or not the file in question should be backed up.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of organizing a collection of monitored executable entities into a plurality of entity groups of Hajmasan in view of Mcdougal to include identify personal user files in a set of files on the system, wherein the set of files includes personal user files and system files, and monitor the personal user files stored on the system for sequences of file accesses that match a predefined pattern of file accesses, as taught by Ye.


As per claim 2, Hajmasan in view of Mcdougal and Ye discloses:
The system of claim 1, comprising an alert module to notify a user of the system regarding the suspected ransomware attack, and to take an action in response to an instruction from the user (Hajmasan para 0058 and 0078).

As per claim 3, Hajmasan in view of Mcdougal and Ye discloses:
The system of claim 1, where the reaction module is triggered when one of the investigation module and the monitor module detects one of, a modification of a shadow copy of a personal user file, a modification of a canary personal user file, modifications of related personal user files, and a known malicious attribute in a recently modified personal user file (Hajmasan para 0030 and 0040) and (Ye Col. 5 Lines 1-21).

As per claim 4, Hajmasan in view of Mcdougal and Ye discloses:
The system of claim 1, where the monitor module tracks multiple predefined patterns of file accesses (para 0037, 0051, and 0062).

As per claim 5, the implementation of the system of claim 1 will execute the method of claim 5. The claim is analyzed with respect to claim 1.

As per claim 6, Hajmasan in view of Mcdougal and Ye discloses:
The method of claim 5, comprising: notifying an entity regarding the ransomware attack; and taking a repairing action based on a response from the entity (Hajmasan para 0078 and 0079).

As per claim 7, Hajmasan in view of Mcdougal and Ye discloses:
The method of claim 6, where the repairing action is one of, resuming a member of the set of suspicious processes that is taking actions indicative of a ransomware attack, terminating a member of the set of suspicious processes that is taking actions indicative of a ransomware attack, and restoring a personal user file from a backup (Hajmasan para 0078 and 0079) and (Ye Fig. 2).

As per claim 9, Hajmasan in view of Mcdougal and Ye discloses:
The method of claim 5, where the actions that are indicative of a ransomware attack include at least one of, deleting shadow copies of personal user files, changing personal user files to a known malicious file type, and modifying a canary personal user file (Hajmasan para 0030 and 0040) and (Ye Col. 5 Lines 1-21).

As per claim 10, Hajmasan in view of Mcdougal discloses:
The method of claim 5, where a process is considered a suspicious process based on at least one of, a recent file access sequence performed by 

As per claim 11, Hajmasan discloses:
A system (para 0006 “According to one aspect, a host system comprises at least one hardware processor and a memory unit, the at least one hardware processor configured to execute an entity manager and a heuristic engine. The entity manager is configured to organize a collection of monitored executable entities into a plurality of entity groups.”), comprising:
a lightweight detection module to monitor the system for a likelihood the system is experiencing a ransomware attack (para 0058 “FIG. 7 illustrates an exemplary behavior signature associated with a ransomware attack. Ransomware is a particular type of malware, which encrypts a set of files on a user's computer, and then asks the user to pay in order to recover the respective files.”),
where the lightweight detection module uses a first level of system resources (para 0033 “In some embodiments, a security application 36 executes concurrently with applications 32a-c and is configured to determine whether any software executing on client system 10 (including applications 32a-c and OS 30) poses a computer security threat. For instance, application 36 may detect malware and/or spyware.” Para 0037 “In some embodiments, behavior manager 42 receives a set of event notifications 40 from a set of event interceptors 28a-c installed within various software objects executing on client system 10 Figs. 6 and 9, para 0062 “FIG. 9 illustrates an exemplary sequence of steps performed by heuristic engine 46, according to some embodiments of the present invention. A sequence of steps 200-202 listens for event notifications from interceptors 28a-c.”)
a heavyweight logging module to store information regarding suspicious processes while the lightweight detection module indicates that the likelihood the system is experiencing the ransomware attack is above a first threshold (para 0037 “In some embodiments, behavior manager 42 receives a set of event notifications 40 from a set of event interceptors 28a-c installed within various software objects executing on client system 10. Event notifications 40 may thus inform behavior manager 42 about the occurrence of various events during execution of software. Exemplary notified events may include, among others, the creation of a process or thread, code injection, a system call, an attempt to create a new disk file, an attempt to write to an existing disk file, an attempt to edit a system register key, and an attempt to write to a particular memory section.” Fig. 6, para 0053 “In some embodiments, step 170 determines whether the detected lifecycle event comprises an injection of code, and when no, manager 44 may advance to a step 174. As a general rule, security application 36 may interpret each code injection-event as suspect, possibly indicating malicious activities In some embodiments, a step 171 checks whether the injection can be trusted to be legitimate, for instance by attempting to match details of the respective injection event to a list of exceptions.” Fig. 7, Para 0058 “FIG. 7 illustrates an exemplary behavior signature associated with a ransomware attack. Ransomware is a particular type of malware, which encrypts a set of files on a user's computer, and then asks the user to pay in order to recover the respective files. Entity creation is illustrated as a zigzagged arrow. Each solid vertical line shows the life history of each entity. For instance, entity El dies after spawning entity E2. Entity E3 became part of the illustrated group in response to receiving injected code from E2. Some actions of the respective entities are not part of signature 68. For instance, entity E3's spawning of entity E4 is not included in signature 68.”);
where storing information regarding suspicious processes uses a second level of system resources that is greater than the first level of system resource (para 0060-0061 “In some embodiments, heuristic engine 46 interfaces with a heuristics database 26, which may reside on storage devices 20 of client system 10, or on computer-readable media communicatively coupled to client system 10. Database 26 may comprise a collection of available heuristics and an indicator of an association between heuristics and the types of events that trigger the use of the respective heuristics. Such associations allow heuristic engine 46 to selectively retrieve a heuristic in response to being notified of the occurrence of an event of a particular type. An exemplary embodiment of database 26 is a software library, e.g., a DLL.”)
and a reaction module to, when the lightweight detection module indicates that the likelihood the system is experiencing the ransomware attack is above a second threshold (para 0075 “A step 336 then increments the aggregate score of a step 340 sends malice indicator 58 to cleanup module 56 Fig. 12-c, para 0076 “Using the example of behavior signature 68 in FIG. 7, a heuristic detecting the occurrence of the sequence of events A1-A6 may generate scoring alert 50 in response to detecting that entity E.sub.4 has performed action A.sub.6, and thus completing the malware-indicative sequence of actions indicated by behavioral signature 68. In response to receiving such an alert, step 348 may increment the entity evaluation score of entity E4, the score corresponding to the respective heuristic. If the increment associated to the respective heuristic is chosen to be large enough, the increase of the respective entity evaluation score may be large enough so that the aggregate score computed for entity E.sub.4 exceeds the malware detection threshold.”),
suspend suspicious processes, identify a suspicious process potentially associated with the ransomware attack using the information regarding the suspicious processes (para 0078 “In some embodiments, a step 406 checks whether the respective suspect entity is a member of a single group. When no, module 56 advances to step 410. When yes, in step 408, cleanup module 56 cleans the entire group of the suspect entity. In some embodiments, cleaning an entity group comprises cleaning every member entity of the respective group. Cleanup may involve any method known in the art of computer security. In some embodiments, cleaning an entity comprises suspending or terminating execution of the respective entity.”),
(Para 0078 and 0079 “In one example of cleaning, when malicious activities have been tracked down to a code injection event, cleanup module 56 terminates the recipient entity and rolls back all changes to memory and/or the file system that occurred after the respective injection event.”)
wherein the lightweight detection module, the heavyweight logging module, and the reaction module are executed by a hardware processor of the system (para 0009 “According to another aspect, a host system comprises at least one hardware processor and a memory unit, the at least one hardware processor configured to execute an entity manager and a heuristic engine.”)

Hajmasan does not disclose:
suspend suspicious processes, including legitimate processes and illegitimate processes
resume suspended processes unassociated with an attack
monitor personal user files on the system

Mcdougal discloses:
suspend suspicious processes, including legitimate processes and illegitimate processes (para 0084 “At step 608, in some embodiments, the processing of the message by an e-mail delivery system may be paused. This may be done because the malware detection system operating in an active mode. By pausing the processing of the message, the message may be prevented from being delivered. A copy of the message as well as hese actions may be performed or facilitated by an agent that communicates both with the malware detection system and the messaging system. In contexts other than e-mail, other underlying processes or services may be paused. For example, if the context is uploading files to a network location, the uploading process may be paused while the system analyzes the files as further described below.”)
resume suspended processes unassociated with an attack (para 0097 “At step 642, the message may resume being processed. In some embodiments where multiple files are being processed as a group (i.e., if there are multiple files in an attachment), this step may include waiting for the results of the analysis of other files. In some embodiments, this may occur if it is determined that the attachment does not contain malware. This step may be reached if the attachment has been determined as malware but after the attachment has been removed from the message as in step 640. Hence the processing and delivering of the message may be paused at step 608 and resumed at step 642. In some embodiments, this step may be performed in different contexts. For example, if the system was analyzing files that were to be uploaded to a network location, this step may include allowing some or all of the files to be uploaded. If the system was invoked as a service, this step may include the entity that invoked the system as a service performing actions in response to receiving the results of the malware analysis. For example, if a 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of organizing a collection of monitored executable entities into a plurality of entity groups of Hajmasan to include a paused set of processes that includes paused legitimate processes and illegitimate processes, to identify paused processes associated with a suspected attack, and to resume execution of legitimate processes, as taught by Mcdougal.
The motivation would have been to pause and unpause processes based on analyzing a potential malicious attack.

Hajmasan in view of Mcdougal does not disclose:
monitor personal user files on the system

Ye discloses:
monitor personal user files on the system (Col. 5 Lines 1-21 “FIG. 2 is a flow diagram describing a specific embodiment of how ransomware is detected and blocked. The system monitor driver 110 continuously monitors system events 204 using system hooks. Although driver 110 is able to monitor all system events, in one embodiment it may focus exclusively upon file events in order to detect when a file is about to be changed.”  Step 212 determines whether an event has occurred indicating that a user process is attempting to change one of the files on the hard disk (for example, hooking of a system function indicates that a process is attempting to overwrite a file, write a new version of a file, encrypt a file, delete a file, etc.). If no file change event is currently detected, it is likely that ransomware is not currently executing upon the computer and control returns to step 204 for more monitoring of events. On the other hand, if a file change event is detected, then control moves to step 216 to determine whether or not the file in question should be backed up.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of organizing a collection of monitored executable entities into a plurality of entity groups of Hajmasan in view of Mcdougal to include monitor personal user files on the system, as taught by Ye.
The motivation would have been to specifically monitor user files and processes in order to detect ransomware attacks on user files.

As per claim 12, Hajmasan in view of Mcdougal and Ye discloses:
The system of claim 11, comprising an alert module to notify an entity invested in the security of the system regarding the suspicious process potentially associated with the ransomware attack and to take an action in response to an instruction from the entity (Hajmasan para 0058 and 0078).

As per claim 13, Hajmasan in view of Mcdougal and Ye discloses:
The system of claim 11, where the likelihood the system is experiencing the ransomware attack is measured based on a number of personal user files whose recent access sequences match a predefined pattern (Hajmasan para 0030, 0037 and 0040).

As per claim 14, Hajmasan in view of Mcdougal and Ye discloses:
The system of claim 11, where the likelihood the system is experiencing the ransomware attack is measured based on at least one of deletion of a shadow copy of a personal user file, modification of a canary personal user file, and changing of a file to a known malicious personal user file type (Hajmasan para 0030, 0037 and 0040).

As per claim 15, Hajmasan in view of Mcdougal and Ye discloses:
The system of claim 11, where identifying the suspicious process potentially associated with the ransomware attack uses a third level of system resources that is greater than the second level of system resources (Hajmasan Figs. 7 and 8, para 0058, 0059, 0078 and 0079).

9. 	Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Hajmasan in view of Mcdougal, and further in view of Ye, and further in view of U.S. Patent No. 8,204,907 hereinafter Smith.

As per claim 8, Hajmasan in view of Mcdougal and Ye discloses:
The method of claim 5, number of sequences of file accesses that match the predefined pattern (Hajmasan para 0030, 0040 and 0058)

Hajmasan in view of Mcdougal and Ye does not disclose:
decreasing a counter recording a number of sequences of file accesses that match the predefined pattern after a predetermined period of time after an occurrence of the sequence of file accesses that matches the predefined pattern

Smith discloses:
pattern (Col. 5 Lines 41-52 “The heuristic system 444 may use information in file access reports 428 in order to determine which files have been accessed for a significant period of time without being implicated in malicious activity. For example, the heuristic system 444 may analyze file access reports 428 through the reporting interface 408 in order to determine which files do not need to be analyzed in the future because they have been accessed, or opened, for a predetermined period of time. Reducing the number of files analyzed by the heuristic system 444 may improve the speed and efficiency of the client 102. In one embodiment, the heuristic system 444 may query the database 406 directly for the file access reports 428.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of organizing a collection of monitored executable entities into a plurality of entity groups of Hajmasan in view of Mcdougal and Ye to include decreasing a counter recording a number of sequences of file accesses that match the predefined pattern after a predetermined period of time after an occurrence of the sequence of file accesses that matches the predefined pattern, as taught by Smith.
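As an added illustration that is not part of this Office action or of any cited reference, the following Python sketch shows one way the limitations of claims 8, 13 and 14 could be realized together: per-file access sequences are matched against a predefined pattern, each match raises a per-process counter, the counter is decreased once a predetermined period has elapsed after the matching occurrence, and the claim 14 indicators (shadow copy deletion, canary file modification, change to a known malicious file type) are tracked alongside. The pattern, period, threshold and indicator names are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed assumptions: the "predefined pattern" of accesses to one user
# file, the "predetermined period" (seconds) and the flagging threshold.
PATTERN = ("open", "read", "write", "rename")
DECAY_PERIOD = 30.0
THRESHOLD = 3
CLAIM14_INDICATORS = {"shadow_copy_deleted", "canary_modified", "malicious_file_type"}


class RansomwareHeuristic:
    def __init__(self, pattern=PATTERN, decay_period=DECAY_PERIOD):
        self.pattern = pattern
        self.decay_period = decay_period
        # (pid, path) -> most recent operations on that file
        self.history = defaultdict(lambda: deque(maxlen=len(pattern)))
        # pid -> timestamps of sequences that matched the pattern
        self.matches = defaultdict(deque)
        # pid -> claim 14 style indicators observed for that process
        self.indicators = defaultdict(set)

    def _decay(self, pid, now):
        # "decreasing a counter ... after a predetermined period of time":
        # a match stops counting once it is older than the period.
        q = self.matches[pid]
        while q and now - q[0] > self.decay_period:
            q.popleft()

    def record(self, pid, path, op, now):
        """Record one file access event; return the current counter."""
        seq = self.history[(pid, path)]
        seq.append(op)
        if tuple(seq) == self.pattern:
            self.matches[pid].append(now)
            seq.clear()
        return self.counter(pid, now)

    def counter(self, pid, now):
        self._decay(pid, now)
        return len(self.matches[pid])

    def note_indicator(self, pid, indicator):
        self.indicators[pid].add(indicator)

    def is_suspicious(self, pid, now, threshold=THRESHOLD):
        # Claim 13: likelihood from the number of matching file sequences;
        # claim 14: any of the listed indicators is sufficient on its own.
        return (self.counter(pid, now) >= threshold
                or bool(self.indicators[pid] & CLAIM14_INDICATORS))
```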

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192.  The examiner can normally be reached on Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/GARY S GRACIA/Primary Examiner, Art Unit 2491