Remarks
Claims 1-5, 7-19, 21, 22, 24, and 25 are pending.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments filed 2/19/2021 have been fully considered but they are not persuasive.
Applicant quotes many lines of claim 1, alleges “The references relied upon by the Office Action fail to teach or suggest such instructions”, explains Applicant’s understanding of a portion of Redberg, and alleges “The generalized API of Redberg is to ‘facilitate storing of files, issuing of search requests,’ etc.  (Id.)  Redberg does not teach or suggest any form of ‘hooking’ into its generalized API.  Further, to the extent that Redberg also describes its generalized API as being agnostic as to vendor is immaterial to the patentability of claim 1, as claim 1 does not include an agnostic API but rather claim 1 includes instructions to cause a cloud storage server to” and copies in the intercept limitation with highlighting on every word.  However, Redberg clearly discloses this subject matter since the gateway itself, a portion thereof (e.g., mediation module), and/or the generalized API are, themselves, the hooks, hooking into the vendor-specific APIs and/or generalized API and intercepts the API based accesses via this generalized API and/or vendor-specific API to cloud storage.  Applicant’s 
Applicant then chains all remaining arguments onto this erroneous argument by alleging “As Redberg fails to describe this element of claim 1, Redberg by default, also fails to teach or suggest the other elements of claim 1…”.  Since no argument is present here, no response is possible or necessary.  It has been shown above that Redberg discloses the intercept as well as hook limitations.  
Applicant then alleges “Although Ye shows a picture of a cloud storage 170 in FIG. 1, there is no discussion or depiction of instructions to cause a cloud storage server to ‘hook into an application programming interface (API) of the cloud storage server using a hook, the API in- line with a cloud file access flow.’  In fact, Claim 10 and 13 of Ye describe a method that includes ‘determining that said suspicious process is not malicious by comparing a ‘file’ extension of said computer ‘file with said suspicious process.”  Applicant continues by arguing only claims 10 and 13 of Ye.  However, these claims have not been cited as disclosing this subject matter, nor has Applicant shown anything in Ye that requires this in all instances or explained how this is of any detriment to the instant claims in some embodiment of Ye.  Therefore, Applicant’s allegations are moot since they are irrelevant to the instant rejection.  
Ye discloses hooking into an API of the cloud storage server using a hook, the API in-line with a cloud file access flow, the API used to store data representative of user files as entries in a database of a cloud storage of the cloud storage service in Ye’s disclosure of hooking system events at a server connected to the Internet or cloud 
Applicant then alleges “the cloud service in Ye is a ‘remote’ cloud service that is referred to in the patent application only three times (outside of claim 13).  (See Id., Col. 5; ll: 28 and 44).  Thus, the remote cloud service of Ye is remote from the system monitor driver 110 and the abnormal file change correlation engine which are the portions of Ye that perform the malware detection/blocking.  Thus, Ye cannot and indeed does not teach or even suggest instructions to cause a cloud storage server to” and copies in the intercept limitation of claim 1.  To the contrary, there is a cloud service on the device (e.g., figure 1, element 170), which makes any server which stores data a cloud storage server, for example.  It is also noted that this cloud storage server stores data in databases (e.g., databases 140 and 150), thus making it structured to store data as data entries in a cloud storage database and not as files in a file system), where the cloud storage server receives requests from remote clients, for example.  
Ye states that”, copies in a portion of Ye, and alleges “This statement has nothing to do with instructions to cause a cloud storage server to” and copies in the intercept limitation.  Applicant then alleges “In fact, the file-based operating system hooks of Ye are installed in the system monitor driver of Ye, which is described as being installed in the kernel of an operating system of a computer device (see Ye, Col. 3; ll.: 24-25) and not into an API of the remote cloud service.  Thus, Ye cannot and does not teach” the hook limitation.  The hook is in the device in which the ransomware analysis occurs, just like in the claim.  The claim does not require a remote device to include a hook.  Indeed, Applicant has admitted that Ye discloses that determining whether a process or file is suspicious may be accomplished by using hooks in the middle of page 19 of the response dated 2/19/2021.  The Examiner thanks Applicant for such admission.  This clearly shows hooking and that performing of any of Ye’s analysis activities (including the intercepting discussed above) may be aided by this hook to determine the information used in analysis, just as claimed.  Therefore, Ye clearly discloses intercepting, using the hook, API-based accesses of the cloud storage, the intercept performed independent of how file-based access input/output operations are performed by the cloud storage server, and the API-based accesses to include cloud storage operations to cause the API to store the data representative of the user files in Ye’s disclosure of system continuously monitor system events and/or hooks intercept storage operations, for example.  
Applicant then alleges that Ye does not disclose the analysis limitation and alleges “Ye is entirely based on detecting ransomware based on file data and even 
Applicant then alleges that “the storage 170 of Ye is not described in any way as having an API nor hooking into an API of the storage…”.  Redberg already discloses such an API.  Therefore, the combination includes such when discussing Ye.  
Applicant then quotes Ye and argues the analyze limitation again, then alleges that a portion of the explanation of how Ye discloses the previous analyze limitation is not “the equivalent of (or even remotely close to)” the analyze limitation.  Applicant fails to quote the entire portion of how Ye discloses the argued subject matter, however.  Therefore, Applicant fails to argue the actual rejection and Applicant’s argument is moot.  
Applicant goes on to allege “To the contrary, an algorithm described in Ye further supports the fact that any analysis in Ye’s malware detection system is indeed file based.”  Applicant continues by quoting Ye and describing Applicant’s understanding of a portion of Ye.  Applicant then alleges “Nothing in Ye’s algorithm involves” and copies in the analyze limitation.  This appears to have nothing to do with the claims at hand.  While claim 1, for example, states that “the analysis performed at a logical API level and not at a file system level”, there is no prohibition of analyzing files within claim 1, for example.  Therefore, Applicant’s allegations are moot.  
Applicant also alleges “the system of Ye captures storage operations using a monitor that resides in the kernel mode of a computer having a file based operating system (see Ye, FIG. 1, and Col. 3; ll. 24-25).).”  These portions of Ye do not 
Applicant then alleges “As such, Ye is solely related to detecting and blocking ransomware on a file-based operating system.  Ye need only (and indeed does only) use a detector that can operate with an input/output access type that is part of a file-based system.  Thus, Ye contains no description of” the intercept limitation.”  Indeed, Applicant provides no proof of any of this.  Nor does Applicant explain how a file based OS has anything to do with the claims at hand.  Even if a file based OS is a thing, which Applicant has not proven, this would be different from a file system level, which is a certain level that is not necessarily an entire network based system that includes a particular OS on a device.  
Regarding Maylor, Applicant only alleges “Maylor is directed to using cloud storage to perform backup functions (See Maylor, Abstract), but does not provide any of the foregoing aspects of claim 1 that are missing from Ye and Redberg.”  These aspects are not missing from Ye and Redberg, as explained above.  Furthermore, Maylor discloses the following:
Maylor also discloses analyze the API-based accesses of the cloud storage to detect anomalous activity, the analysis to at least track API-based accesses that result in one or more modifications of the one or more entries of the database of the cloud storage, and the analysis performed at a logical API level of a software stack (Exemplary Citations: for example, Paragraphs 18, 21, 47, 74, 76, 86, 90, 91, 95, 98 and 
Determine based on the analysis that the anomalous activity corresponds to ransomware (Exemplary Citations: for example, Paragraphs 18, 21, 47, 74, 76, 86, 90, 91, 95, 98 and associated figure; detecting malware, for example); and
Block the anomalous activity on the cloud storage server in response to the determination that the anomalous activity corresponds to ransomware (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 21, 74, 98 and associated figures; blocking access to a resource if ransomware detected, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant's invention, which is before any effective filing date of the claimed invention, to incorporate the malware detection techniques of Maylor into the cloud storage system of Redberg as modified by Ye in order to limit potential threats to a sandbox, ensure that the latest security patches and definitions are obtained and used, limit the effects of potential threats, disable functions on potential threats, and/or increase security in the system.  
Applicant provides no argument against any of this.  Thus, such stands as fact.  
Applicant goes on to admit, with respect to claim 9, “The alleged Redberg/Ye/Maylor combination teaches or suggests such a method.”  The Examiner thanks Applicant for such admission.  
Redberg/Ye/Maylor combination teaches or suggests such a cloud storage server.”  The Examiner thanks Applicant for such admission.  

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 9-19, 21, 22, 24, and 25 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
The final limitation of claim 9 states “blocking the anomalous activity based on whether the analysis indicates the anomalous activity corresponds to ransomware”.  This is indefinite since this blocking does not need to be performed (e.g., when the analysis indicates that the anomalous activity does not correspond to ransomware).  All claims dependent from claim 9 are rejected at least for the same reasons.  
Claim 16 recites the limitation "the data received at the cloud storage server from the remote endpoint device".  There is insufficient antecedent basis for this limitation in the claim.  


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 7-19, 21, 22, 24, and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Redberg (U.S. Patent Application Publication 2015/0154418) in view of Ye (U.S. Patent 9,317,686) and Maylor (U.S. Patent Application Publication 2017/0078321).
Regarding Claim 1,
Redberg discloses a computer readable storage device comprising instructions that, when executed, cause a cloud storage server of a cloud storage service to at least:

Intercept, using the hook, API-based accesses of the cloud storage, the intercept performed independent of how file-based access input/output operations are performed by the cloud storage server, and the API-based accesses to include cloud storage operations to cause the API to store the data representative of the user files (Exemplary Citations: for example, Abstract, Paragraphs 9, 25, 27, 29, 38, 45-48, 50-55, 61, 62, 65, 71-76, 79, 87, and associated figures; gateway/generalized API intercepting communications that are vendor API agnostic, for example);
Analyze the API-based accesses of the cloud storage to detect anomalous activity, the analysis to at least track API-based accesses that result in one or more modifications of the one or more entries of the database of the cloud storage, and the analysis performed at a logical API 
Block the anomalous activity on the cloud storage server (Exemplary Citations: for example, Abstract, Paragraphs 9, 25, 27, 29, 38, 45-48, 50-55, 61, 62, 65, 71-76, 79, 87, and associated figures; not allowing access to data for which one is not authorized, for example);
But does not explicitly disclose determine based on the analysis that the anomalous activity corresponds to ransomware and in response to the determination that the anomalous activity corresponds to ransomware.  
Ye, however, discloses a computer readable storage device comprising instructions that, when executed, cause a cloud storage server of a cloud storage service to at least:
Hook into an API of the cloud storage server using a hook, the API in-line with a cloud file access flow, the API used to store data representative of user files as entries in a database of a cloud storage of the cloud storage service (Exemplary Citations: for example, Abstract, Column 3, lines 14-34; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-34; Column 8, lines 32-48 and associated figures; hooking system events at a server connected to the Internet or cloud server, for example.  
Intercept, using the hook, API-based accesses of the cloud storage, the intercept performed independent of how file-based access input/output operations are performed by the cloud storage server, and the API-based accesses to include cloud storage operations to cause the API to store the data representative of the user files (Exemplary Citations: for example, Abstract, Column 3, lines 14-34; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-34; Column 8, lines 32-48; Column 9, lines 47-51; and 
Analyze the API-based accesses of the cloud storage to detect anomalous activity, the analysis to at least track API-based accesses that result in one or more modifications of the one or more entries of the database of the cloud storage, and the analysis performed at a logical API level of a software stack (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures; determining if process is suspicious, using rules to determine maliciousness, determining if a process is a normal process, reviewing file activity of a suspect process, using reputation of a suspicious process, white lists, or any other form of analysis, determining modifications to database (e.g., 140 or 150) entries, having the ability to work at an API level, etc., as examples);
Determine based on the analysis that the anomalous activity corresponds to ransomware (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures; ransomware detected, for example); and
Block the anomalous activity on the cloud storage server in response to the determination that the anomalous activity corresponds to ransomware (Exemplary Citations: for example, Abstract, Column 3, lines 
Maylor also discloses analyze the API-based accesses of the cloud storage to detect anomalous activity, the analysis to at least track API-based accesses that result in one or more modifications of the one or more entries of the database of the cloud storage, and the analysis performed at a logical API level of a software stack (Exemplary Citations: for example, Paragraphs 18, 21, 47, 74, 76, 86, 90, 91, 95, 98 and 
Determine based on the analysis that the anomalous activity corresponds to ransomware (Exemplary Citations: for example, Paragraphs 18, 21, 47, 74, 76, 86, 90, 91, 95, 98 and associated figure; detecting malware, for example); and
Block the anomalous activity on the cloud storage server in response to the determination that the anomalous activity corresponds to ransomware (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 21, 74, 98 and associated figures; blocking access to a resource if ransomware detected, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant's invention, which is before any effective filing date of the claimed invention, to incorporate the malware detection techniques of Maylor into the cloud storage system of Redberg as modified by Ye in order to limit potential threats to a sandbox, ensure that the latest security patches and definitions are obtained and used, limit the effects of potential threats, disable functions on potential threats, and/or increase security in the system.  
Regarding Claim 2,
Redberg as modified by Ye and Maylor discloses the storage device of claim 1, in addition, Redberg discloses that the instructions cause the cloud storage server to block anomalous activity by blocking the one or more modifications of the entries (Exemplary Citations: for 
Ye discloses that the instructions cause the cloud storage server to block anomalous activity by blocking the one or more modifications of the entries (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures; device requesting file operations is endpoint and user is whatever user is making requests for file operations, for example); and
Maylor discloses that the instructions cause the cloud storage server to block anomalous activity by blocking the one or more modifications of the entries (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 21, 74, 98 and associated figures; blocking access to a resource, for example).  
Regarding Claim 3,
Redberg as modified by Ye and Maylor discloses the storage device of claim 1, in addition, Maylor discloses that the instructions cause the cloud storage server to block the anomalous activity by: notifying the remote endpoint device of the detection of anomalous activity (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 21, 74, 86, 98 and associated figures; warning/alert to user, for example); and
Blocking the one or more modifications of the entries based on instructions from the remote endpoint device in response to the notifying 
Regarding Claim 4,
Redberg as modified by Ye and Maylor discloses the storage device of claim 1, in addition, Ye discloses that the analysis includes identification of a plurality of sequences of the one or more modifications of the entries that are indicative of anomalous activity (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures; event patterns and rules, file change events, determining ransomware based on a certain number of rules being met, and the like, as examples).  
Regarding Claim 5,
Redberg as modified by Ye and Maylor discloses the storage device of claim 4, in addition, Ye discloses that the instructions cause the cloud storage server to identify the plurality of sequences of the one or more modifications of the entries by: comparing a number of sequences included in the plurality of sequences with a threshold value (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures; determining ransomware based on a certain number of rules being met, for example); and

Regarding Claim 7,
Redberg as modified by Ye and Maylor discloses the storage device of claim 4, in addition, Ye discloses that the instructions further cause the cloud storage server to identify the sequences of the modifications by determining whether the one or more modifications delete existing data entries of the database and create new data entries in the database with near-matching names (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures; using the pattern of rules to detect changed files and/or encrypted files, as examples).  
Regarding Claim 8,
Redberg as modified by Ye and Maylor discloses the storage device of claim 1, in addition, Ye discloses that the instructions, when executed, further cause the cloud storage server to use context information from an agent on the remote endpoint device to track the one or more modifications to the one or more entries (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, 
Maylor discloses that the instructions, when executed, further cause the cloud storage server to use context information from an agent on the remote endpoint device to track the modifications to the entries (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 21, 74, 98 and associated figures; information received, such as that described above, for example).  
Regarding Claim 9,
Redberg discloses a method for ransomware protection in a cloud storage system, the method comprising:
Hooking, by executing an instruction with at least one processor, into an API of a cloud storage server using a hook, the API in-line with a cloud file access flow (Exemplary Citations: for example, Abstract, Paragraphs 9, 25, 27, 29, 38, 45-48, 50-55, 61, 62, 65, 71-76, 79, 87, and associated figures);
Storing, by executing an instruction with the at least one processor, cloud storage operations that include data to be stored as entries in a database of a cloud storage of the cloud storage server, the data representative of user files, the data received from a remote endpoint device in response to file input/output activities performed at the remote 
Intercepting, by executing an instruction with at least one processor, the API-based accesses of the cloud storage of the cloud storage server, the intercepting performed independent of how file-based access input/output operations are performed by the cloud storage server (Exemplary Citations: for example, Abstract, Paragraphs 9, 25, 27, 29, 38, 45-48, 50-55, 61, 62, 65, 71-76, 79, 87, and associated figures);
Analyzing the API-based accesses of the cloud storage to detect anomalous activity, the analysis to at least track API-based accesses that result in one or more modifications of one or more entries of the database of the cloud storage, and the analysis performed at a logical API level of a software stack (Exemplary Citations: for example, Abstract, Paragraphs 9, 25, 27, 29, 38, 45-48, 50-55, 61, 62, 65, 71-76, 79, 87, and associated figures); and
Blocking the anomalous activity (Exemplary Citations: for example, Abstract, Paragraphs 9, 25, 27, 29, 38, 45-48, 50-55, 61, 62, 65, 71-76, 79, 87, and associated figures);
But does not explicitly disclose based on whether the analysis indicates the anomalous activity corresponds to ransomware.  

Hooking, by executing an instruction with at least one processor, into an API of a cloud storage server using a hook, the API in-line with a cloud file access flow (Exemplary Citations: for example, Abstract, Column 3, lines 14-34; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-34; Column 8, lines 32-48; Column 9, lines 47-51; and associated figures);
Storing, by executing an instruction with the at least one processor, cloud storage operations that include data to be stored as entries in a database of a cloud storage of the cloud storage server, the data representative of user files, and the cloud storage operations included in API-based accesses intercepted by the hook (Exemplary Citations: for example, Abstract, Column 3, lines 14-34; Column 4, line 49 to Column 5, line 43; Column 6, lines 1-34; Column 9, lines 47-51; and associated figures);
Intercepting, by executing an instruction with at least one processor, the API-based accesses of the cloud storage of the cloud storage server, the intercepting performed independent of how file-based access input/output operations are performed by the cloud storage server (Exemplary Citations: for example, Abstract, Column 3, lines 14-34; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-34; Column 8, lines 32-48; Column 9, lines 47-51; and associated figures);

Blocking the anomalous activity based on whether the analysis indicates the anomalous activity corresponds to ransomware (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the ransomware protection techniques of Ye into the cloud storage system of Redberg in order to detect ransomware, protect files by backing up prior to ransomware taking effect, block and remove malicious processes, and/or increase security in the system.  
Maylor also discloses analyzing the API-based accesses of the cloud storage to detect anomalous activity, the analysis to at least track API-based accesses that result in one or more modifications of one or more entries of the database of the cloud storage, and the analysis performed at a logical API level of a software stack (Exemplary Citations: 
Blocking the anomalous activity based on whether the analysis indicates the anomalous activity corresponds to ransomware (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 21, 74, 98 and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant's invention, which is before any effective filing date of the claimed invention, to incorporate the malware detection techniques of Maylor into the cloud storage system of Redberg as modified by Ye in order to limit potential threats to a sandbox, ensure that the latest security patches and definitions are obtained and used, limit the effects of potential threats, disable functions on potential threats, and/or increase security in the system.  
Regarding Claim 10,
Redberg as modified by Ye and Maylor discloses the method of claim 9, in addition, Ye discloses that the blocking of the anomalous activity includes pausing the API-based accesses that result in the one or more modifications of the one or more entries (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures);
Rejecting the one or more modifications of the entries (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 
Maylor discloses that the blocking of the anomalous activity includes pausing the API-based accesses that result in the one or more modifications of the one or more entries (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 21, 74, 86, 98 and associated figures);
Notifying the remote endpoint device of the anomalous activity (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 21, 74, 86, 98 and associated figures); and
Rejecting the one or more modifications of the entries responsive to instructions received from the remote endpoint device in response to notifying of the remote endpoint device (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 21, 74, 86, 98 and associated figures).  
Regarding Claim 11,
Redberg as modified by Ye and Maylor discloses the method of claim 9, in addition, Ye discloses that the blocking of the anomalous activity includes: blocking the modifications of the entries and the method further including unblocking the modifications of the entries responsive to reauthentication of the remote endpoint device (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures); and

Regarding Claim 12,
Redberg as modified by Ye and Maylor discloses the method of claim 9, in addition, Ye discloses that the tracking of the one or more modifications of the one or more entries of the database of the cloud storage includes identifying a plurality of sequences of the one or more modifications that are indicative of anomalous activity (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures).  
Regarding Claim 13,
Redberg as modified by Ye and Maylor discloses the method of claim 12, in addition, Ye discloses that the analyzing further includes comparing the plurality of sequences of the one or more modifications with a threshold value, and determining whether anomalous activity is detected based on whether the plurality of sequences of the one or more modifications of the entries of the cloud storage satisfy the threshold 
Regarding Claim 14,
Redberg as modified by Ye and Maylor discloses the method of claim 12, in addition, Ye discloses that the plurality of sequences of the one or more modifications includes modifications to replace existing data in one or more of the entries with new data (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures).  
Regarding Claim 15,
Redberg as modified by Ye and Maylor discloses the method of claim 12, in addition, Ye discloses that at least some of the plurality of sequences of the one or more modifications include modifications to delete existing data in the one or more entries and store new data in the one or more entries with near matching names (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures).  
Regarding Claim 16,
Redberg as modified by Ye and Maylor discloses the method of claim 9, in addition, Ye discloses analyzing context information related to 
Maylor discloses analyzing context information related to data received at the cloud storage server from the remote endpoint device (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 21, 74, 98 and associated figures).  
Regarding Claim 17,
Redberg as modified by Ye and Maylor discloses the method of claim 16, in addition, Maylor discloses that the remote endpoint device is a first remote endpoint device, and the context information indicates API based accesses from the first remote endpoint device include content originating from a second remote endpoint device, the second remote endpoint device remote to the first remote endpoint device (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 16, 21, 23, 34, 74, 76, 80, 86, 90, 98 and associated figures; file that is stored on the cloud file system was received as an attachment in an email or forwarding of such, as examples).  
Regarding Claim 18,
Redberg discloses a cloud storage server to block ransomware activity, the cloud storage server comprising:

A storage device in communication with the processor, the storage device including instructions that, when executed, cause the processor to at least (Exemplary Citations: for example, Figure 11 and associated written description, as well as Abstract, Paragraphs 9, 25, 27, 29, 38, 45-48, 50-55, 61, 62, 65, 71-76, 79, 87, and associated figures):
Hook into an API of the cloud storage server using a hook, the API in-line with a cloud file access flow, the API to store data representative of user files as entries in a database of the cloud storage of the cloud storage server in response to cloud storage operations received in API based accesses of the cloud storage, the data received, via a network, from a remote endpoint device in response to file I/O activities performed at the remote endpoint device (Exemplary Citations: for example, Abstract, Paragraphs 9, 25, 27, 29, 38, 45-48, 50-55, 61, 62, 65, 71-76, 79, 87, and associated figures);
Intercept, with the hook, the API based accesses of the cloud storage, the intercept performed by the hook independent of how file based access I/O operations are performed by the cloud storage server (Exemplary Citations: for example, Abstract, Paragraphs 9, 25, 27, 29, 38, 45-48, 50-55, 61, 62, 65, 71-76, 79, 87, and associated figures);
Analyze API based accesses of the cloud storage to detect anomalous activity, the analysis to at least track the API based accesses 
Determine, based on the analysis, that anomalous activity is detected (Exemplary Citations: for example, Abstract, Paragraphs 9, 25, 27, 29, 38, 45-48, 50-55, 61, 62, 65, 71-76, 79, 87, and associated figures); and
Block the anomalous activity (Exemplary Citations: for example, Abstract, Paragraphs 9, 25, 27, 29, 38, 45-48, 50-55, 61, 62, 65, 71-76, 79, 87, and associated figures);
But does not explicitly disclose as corresponding to ransomware, based on the determination.  
Ye, however, discloses a cloud storage server to block ransomware activity, the cloud storage server comprising:
A processor (Exemplary Citations: for example, Abstract, Column 3, lines 14-34; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-34; Column 7, lines 10-62; Column 8, lines 32-48; Column 9, lines 47-51; and associated figures);
A storage device in communication with the processor, the storage device including instructions that, when executed, cause the processor to at least (Exemplary Citations: for example, Abstract, Column 3, lines 14-34; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-34; Column 
Hook into an API of the cloud storage server using a hook, the API in-line with a cloud file access flow, the API to store data representative of user files as entries in a database of the cloud storage of the cloud storage server in response to cloud storage operations received in API based accesses of the cloud storage (Exemplary Citations: for example, Abstract, Column 3, lines 14-34; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-34; Column 8, lines 32-48 and associated figures);
Intercept, with the hook, the API based accesses of the cloud storage, the intercept performed by the hook independent of how file based access I/O operations are performed by the cloud storage server (Exemplary Citations: for example, Abstract, Column 3, lines 14-34; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-34; Column 8, lines 32-48; Column 9, lines 47-51; and associated figures);
Analyze the API based accesses of the cloud storage to detect anomalous activity, the analysis to at least track the API based accesses that result in one or more modifications of one or more of the entries in the database, the analysis performed at a logical API level of a software stack (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures);

Block the anomalous activity, as corresponding to ransomware, based on the determination (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the ransomware protection techniques of Ye into the cloud storage system of Redberg in order to detect ransomware, protect files by backing up prior to ransomware taking effect, block and remove malicious processes, and/or increase security in the system.  
Maylor also discloses analyze the API based accesses of the cloud storage to detect anomalous activity, the analysis to at least track the API based accesses that result in one or more modifications of the entries in the database, the analysis performed at a logical API level of a software stack (Exemplary Citations: for example, Paragraphs 18, 21, 47, 74, 76, 86, 90, 91, 95, 98 and associated figures);
Determine, based on the analysis, that anomalous activity is detected (Exemplary Citations: for example, Paragraphs 10-14, 18, 21, 47, 74, 76, 86, 90, 91, 95, 98 and associated figures); and

Regarding Claim 19,
Redberg as modified by Ye and Maylor discloses the server of claim 18, in addition, Redberg discloses that the instructions cause the processor to block the anomalous activity by blocking the one or more modifications of the r more entries of the database of the cloud storage (Exemplary Citations: for example, Abstract, Paragraphs 9, 25, 27, 29, 38, 45-48, 50-55, 61, 62, 65, 71-76, 79, 87, and associated figures);
Ye discloses that the instructions cause the processor to block the anomalous activity by blocking the one or more modifications of the r more entries of the database of the cloud storage (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, 
Maylor discloses that the instructions cause the processor to block the anomalous activity by blocking the one or more modifications of the r more entries of the database of the cloud storage (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 21, 74, 98 and associated figures).   
Regarding Claim 21,
Redberg as modified by Ye and Maylor discloses the server of claim 18, in addition, Ye discloses that the instructions cause the processor to identify a plurality of sequences of the one or more modifications of the one or more entries in the database that are indicative of anomalous activity (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures).  
Regarding Claim 22,
Redberg as modified by Ye and Maylor discloses the server of claim 21, in addition, Ye discloses that the processor is to identify the plurality of sequences of the one or more modifications as indicative of anomalous activity by comparing the plurality of sequences of the one or more modifications of the one or more entries of the database with a threshold value (Exemplary Citations: for example, Abstract, Column 3, 
Identifying the plurality of sequences of the one or more modifications of the one or more entries as indicative of anomalous activity when the threshold is satisfied (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures).  
Regarding Claim 24,
Redberg as modified by Ye and Maylor discloses the server of claim 21, in addition, Ye discloses that at least some of the plurality of sequences of the one or more modifications of the one or more entries delete existing data stored in entries of the database and store new data in the same entries with near-matching names (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures).  
Regarding Claim 25,
Redberg as modified by Ye and Maylor discloses the server of claim 18, in addition, Ye discloses that the instructions cause the processor to receive context information from an agent on the emote endpoint device (Exemplary Citations: for example, Abstract, Column 3, lines 35-67; Column 4, line 49 to Column 5, line 61; Column 6, lines 1-53; Column 7, lines 10-62; and associated figures); and

Maylor discloses that the instructions cause the processor to receive context information from an agent on the emote endpoint device (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 21, 74, 98 and associated figures); and
Use the context information to analyze the one or more modifications to the one or more entries of the database (Exemplary Citations: for example, Abstract, Paragraphs 10-14, 21, 74, 98 and associated figures).  

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215.  The examiner can normally be reached on Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 




/Jeffrey D. Popham/Primary Examiner, Art Unit 2432