DETAILED ACTION

Information Disclosure Statement
The IDS filed 4/9/2020 has been considered and entered.

Drawings
The drawings filed 9/26/2019 are accepted.
Specification
The specification filed 9/26/2019 is accepted.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
As per claims 1, 9, 19, and 20,
a second instance of the limitation 'detecting' is used without distinguishing the limitation as a second occurrence or referencing the second instance to the first instance.

As per claims 1, 4, 5, 9, 19, and 20,
the term "possible" is interpreted as a term of degree.

As per claim 3,
a second instance of the limitation 'determining' is used without distinguishing the limitation as a second occurrence or referencing the second instance to the first instance.

As per claim 5,
the limitation may be interpreted as a modification of the file by a user that exceeds the permission level of the user (among other readings), which indicates an unclear meaning.

As per claim 6,
the meaning of performing a step in accordance with a kernel level is unclear.

Claims 2-18 are further rejected because they depend from rejected base claims.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims under pre-AIA  35 U.S.C. 103(a), the examiner presumes that the subject matter of the various claims was commonly owned at the time any inventions covered therein were made absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was not commonly owned at the time a later invention was made in order for the examiner to consider the applicability of pre-AIA  35 U.S.C. 103(c) and potential pre-AIA  35 U.S.C. 102(e), (f) or (g) prior art under pre-AIA  35 U.S.C. 103(a).


Claims 1-2, 6-8, and 10-20 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Roguine et al (US 2017/0364681, hereinafter Roguine) in view of Dong et al (US 2015/0205979, hereinafter Dong).

As to claim 1,   
Roguine discloses
by a processing system Fig 9 including [0051] a monitoring system
including at least one processor Fig 9 21 in view of [0063] a processor

detecting, by a processing system including at least one processor, [0051] triggers
an accessing of a file, [0051] open for write action

wherein the accessing comprises a read operation; 
[0051] open one or more files for read/write operation

generating, by the processing system, 
a copy of the file in response to detecting the accessing of the file; 
	[0051] create a copy of the file

storing, by the processing system, the copy of the file 
	[0051] snapshots saved using backup methods
in a designated storage location; 
	[0047] backup location

detecting, by the processing system, a completion of the accessing of the file; 
	[0051]  the "close" action will trigger further analysis

[[applying, by the processing system, a checksum operation to the file to generate a checksum 
in response to detecting the completion of the accessing of the file; ]]

[[determining, by the processing system, that the checksum does not match an expected checksum for the file; ]]

and generating, by the processing system, an alert 
[0039] warning in the form of a prompt, popup, or alert
of a possible manipulation of the file 
[0039] an encrypted or modified file has been detected 
in view of [0038] ransomware will attempt to encrypt files
[[in response to determining that the checksum does not match the expected checksum.]]


	Roguine does not disclose
applying, by the processing system, a checksum operation to the file to generate a checksum 
in response to detecting the completion of the accessing of the file;

determining, by the processing system, that the checksum does not match an expected checksum for the file;

and generating, by the processing system, an alert of a possible manipulation of the file 
 in response to determining that the checksum does not match the expected checksum

Dong teaches
applying, by the processing system, a checksum operation [0036] the checksum method
to the file to generate a checksum [0037] a checksum is calculated
in response to detecting the completion of the accessing of the file; 
[0037] during or before using the file every time
determining, by the processing system, that the checksum does not match an expected checksum for the file;
[0037] checking whether a checksum calculated from current content is consistent with the originally-stored checksum
in view of [0027] the file signature is incorrect, for example the MD5 value
Note: those of ordinary skill in the art understand that an MD5 calculation is an embodiment of a checksum 

and generating, by the processing system, an alert of a possible manipulation of the file 
 in response to determining that the checksum does not match the expected checksum
	[0055] – [0056]  after finding out the file abnormality, prompting the user terminal

 
Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Roguine and Dong as elements known in the prior art combined to yield predictable results. For example, both Roguine and Dong are directed towards protecting files from attacks such as ransomware attacks, wherein file integrity must be checked contemporaneously with file access.

Whereas Roguine discloses checking file signatures (see [0052]), Roguine does not specifically disclose a checksum calculation. Dong teaches a checksum method to protect file integrity in [0036]-[0041], curing Roguine's deficiency and thereby arriving at the claimed invention.


As to claim 2,   
Roguine discloses
wherein the alert [0039] warning in the form of a prompt, popup, or alert
indicates a possible encryption of the file 
[0039] warn the user that an encrypted file has been detected
by a ransomware process
	[0038] ransomware typically attempts to encrypt files

As to claim 6,   
Roguine discloses wherein 
at least the detecting [0051]  the "close" action will trigger further analysis
and the generating [0051] create a copy of the file
are performed by the processing system 
[0056] computer system including [0051] a monitoring system
in accordance with a kernel level component  Fig 5 Snapshot Driver
that interfaces between running processes Fig 5 Application\Operating System
and a file system containing the file. Fig 5 System Storage

As to claim 7,   
Roguine discloses wherein 
the alert [0039] warning in the form of a prompt, popup, or alert
presents a plurality of response options to address the possible manipulation of the file, 
[0039] receive instructions or input from the user authorizing the software to allow or 
deny the copy operation

the method further comprising: 
obtaining a selection [0039] the software application may then receive
of one of the plurality of response options; [0039] allow or deny the copy operation

and implementing the one of the plurality of response options.
[0039] receive instructions or input from the user authorizing the software to 
allow or deny the copy operation
				in view of  Fig 2 steps 207, 204 and 209

As to claim 8,   
Roguine discloses wherein 
	restoring of the copy of the file from the designated storage location Fig 2 step 210
	storing the file [[that is renamed]] in a different storage location  Fig 3 307

Roguine does not teach  
storing the file that is renamed in a different storage location  

Dong teaches 
storing the file that is renamed in a different storage location  see  [0143] its name is changed

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Roguine and Dong as elements known in the prior art combined to yield predictable results.  For example, both Roguine and Dong are directed towards protecting files from attacks such as ransomware attacks wherein file integrity must be checked contemporaneously with file access.  Whereas Roguine discloses allowing a file to be copied to a redirected location, Roguine adds that a file name may be changed when the file is uploaded.

As to claim 10,   
Roguine does not teach  
applying, by the processing system, the checksum operation to the copy of the file to generate the expected checksum.
	
Dong teaches 
applying, by the processing system, the checksum operation to the copy of the file to generate the expected checksum.[0037] originally stored checksum

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Roguine and Dong as elements known in the prior art combined to yield predictable results. For example, both Roguine and Dong are directed towards protecting files from attacks such as ransomware attacks, wherein file integrity must be checked contemporaneously with file access. Whereas Roguine discloses checking file signatures (see [0052]), Roguine does not specifically disclose a checksum calculation. Dong teaches a checksum method to protect file integrity in [0036]-[0041], curing Roguine's deficiency and thereby arriving at the claimed invention.

As to claim 11,   
Roguine discloses wherein
 the accessing of the file [0051] open for write action
is from a protected computing system  Fig 9 20

As to claim 12,   
Roguine discloses wherein 
the protected computing system Fig 9 20
 comprises: 
  a plurality of computing devices Fig 9 48, 55, etc.
As to claim 13,   
Roguine discloses wherein 
the protected computing system Fig 9 20
 comprises: 
 a virtual machine Fig 9  35 and 26
		 hosted by a computing device Fig 9 22
 
As to claim 14,   
Roguine discloses wherein 
the protected computing system Fig 9 20
 comprises: 
a plurality of host storage devices Fig 9 32, 22, 33, 34, etc

As to claim 15,   
Roguine discloses wherein 
wherein the processing system Fig 9
comprises 
at least a portion of the protected computing system.  Fig 9 20

As to claim 16,   
Roguine discloses wherein 
wherein the designated storage location [0047] backup location
is selected 
[0047] snapshot driver is configured to determine to allow writing to a predefined 
backup location
by an administrator [0055] administrator
of the protected computing system Fig 9 20
As to claim 17,   
Roguine discloses wherein 
wherein the designated storage location [0047] backup location
comprises
an external data storage device Fig 9 56
 As to claim 18,   
Roguine discloses wherein 
wherein the designated storage location [0047] backup location
comprises
a distributed data storage system Fig 32, 33, and 34
provided via
a plurality of host data storage devices Fig 27, 28, and 30


Claims 19 and 20 are rejected on the basis previously presented in the rejection of claim 1. 
Claims 3-5 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Roguine in view of Dong in further view of Adams (US 10121003, hereinafter Adams).
As to claim 3, Roguine in view of Dong teaches all the subject matter pointed out in the above 103 rejection of parent claim 1.

As to claim 3,   
Roguine discloses
applying a bit-level or a byte-level comparison [0011] bytes in the header
of the file and the copy of the file [0011] comparing the copy to the file 

	Dong teaches
determining that the checksum does not match the expected checksum.
the originally-stored checksum
in view of [0027] the file signature is incorrect, for example the MD5 value
Note: those of ordinary skill in the art understand that an MD5 calculation is an embodiment of a checksum 

Neither Roguine nor Dong teach
applying a bit-level or a byte-level comparison of the file and the copy of the file to generate a correlation metric between the file and the copy of the file, 

wherein the applying is performed in response to the determining that the checksum does not match the expected checksum.
Adams teaches
applying a bit-level or a byte-level C3 48 per byte 
comparison 
Fig 2 235
C4 44-50 entropy value greater than a threshold 
In C4 1-3 Adams teaches an average entropy value of the existing files is determined during Fig 2 step 210.  Therefore Fig 2 step 235 is a comparison between the entropy of the modified file as calculated in Fig 2 step 225 and the average entropy value which includes the entropy of the modified file before it was modified.
of the file C6 28 the modified version of the file
and the copy of the file C6 27 the file
to generate a correlation metric 
Fig 2 225 DETERMINE ENTROPY 
also  Fig 3B NEW ENTROPY  
between the file C6 28 the modified version of the file
and the copy of the file, C6 27 the file

wherein the applying is performed Fig 2 235
in response to Fig 2 215 event occurred
[[determining that the checksum does not match the expected checksum.]]

therefore
Roguine as modified by Dong as further modified by Adams teaches
wherein the applying is performed in response to determining that the checksum does not match the expected checksum
because
Adams teaches that in response to certain events (Fig 2 215 event occurred) an entropy analysis may be made. Dong provides an event that may indicate malicious encryption, namely a checksum comparison. Adams may therefore perform the entropy analysis when the checksum indicates that a possible nefarious file change has occurred.
Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Roguine and Dong with those of Adams as elements known in the prior art combined to yield predictable results. For example, Roguine, Dong and Adams are directed towards protecting files from attacks such as ransomware attacks, wherein file integrity must be checked contemporaneously with file access.

Roguine discloses determining if a file is encrypted or modified (Fig 3 303) and indicates corrective actions that are applied when either is detected. Likewise, Dong teaches detecting changes by comparing a known checksum of a file to a currently calculated checksum to determine the possibility of a virus attack. Adams, however, admits that some changes to a file are legitimate and provides a mechanism, including an entropy comparison against an entropy baseline threshold, to differentiate between a ransomware attack, which includes encrypting the file under attack, and normal file modification.

Incorporation of Adams into Roguine and Dong may yield an improved system by reducing false positive attack detection to thereby arrive at the claimed invention.

As to claim 4,   
Roguine discloses
determining that the possible manipulation of the file comprises a possible encryption of the file 
by a ransomware process, 
[0039] an encrypted or modified file has been detected 
in view of [0038] ransomware will attempt to encrypt files

[[when the correlation metric is less than a threshold level of correlation, ]]

wherein the alert indicates the possible encryption of the file by the ransomware process.
[0039] warning in the form of a prompt, popup, or alert  that an encrypted or 
modified file has been detected 
in view of [0038] ransomware will attempt to encrypt files

Neither Roguine nor Dong teach
determining that the possible manipulation of the file comprises a possible encryption of the file 
by a ransomware process when the correlation metric is less than a threshold level of correlation
Adams teaches
determining that the possible manipulation of the file comprises a possible encryption of the file 
by a ransomware process  Fig 6 step 630
when the correlation metric is [[less]] greater than a threshold level of correlation Fig 6 step 625
		
One of ordinary skill in the art would understand that Adams' comparison in Fig 6 step 625, which implements a CHANGE > THRESHOLD ? operation, may be alternatively implemented as -CHANGE < THRESHOLD ? to arrive at the claimed invention.
In other words, Adams Fig 6 step 625 renders obvious the claim limitation of: when the correlation metric is less than a threshold level of correlation.
Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Roguine and Dong with those of Adams as elements known in the prior art combined to yield predictable results. For example, Roguine, Dong and Adams are directed towards protecting files from attacks such as ransomware attacks, wherein file integrity must be checked contemporaneously with file access.

Roguine discloses determining if a file is encrypted or modified (Fig 3 303) and indicates corrective actions that are applied when either is detected. Likewise, Dong teaches detecting changes by comparing a known checksum of a file to a currently calculated checksum to determine the possibility of a virus attack. Adams, however, admits that some changes to a file are legitimate and provides a mechanism, including an entropy comparison against an entropy baseline threshold, to differentiate between a ransomware attack, which includes encrypting the file under attack, and normal file modification.

Incorporation of Adams into Roguine and Dong may yield an improved system by reducing false positive attack detection to thereby arrive at the claimed invention.

As to claim 5,   
Roguine discloses
determining that the possible manipulation of the file comprises a modification of the file, 
Fig 2 step 202 Is the file modified ?

[[ by a user  that exceeds the permission level of the application]]
[[when the correlation metric is greater than a threshold level of correlation, ]]


Neither Roguine nor Dong teach
determining that the possible manipulation of the file comprises a modification of the file 
by a user  that exceeds the permission level of the application when the correlation metric is greater than a threshold level of correlation

Adams teaches
determining that the possible manipulation of the file comprises a modification of the file 
	C4 16 -17 modification of an existing file
by a user  that exceeds the permission level of the application
C4 16 -118 modification of an existing file from an authorized user
 
when the correlation metric is [[greater]] less  than a threshold level of correlation Fig 6 step 625
		
One of ordinary skill in the art would understand that Adams' comparison in Fig 6 step 625, which implements a CHANGE < THRESHOLD ? operation, may be alternatively implemented as -CHANGE > THRESHOLD ? to arrive at the claimed invention.

In other words, Adams Fig 6 step 625 renders obvious the claim limitation of: when the correlation metric is greater than a threshold level of correlation.

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Roguine and Dong with those of Adams as elements known in the prior art combined to yield predictable results. For example, Roguine, Dong and Adams are directed towards protecting files from attacks such as ransomware attacks, wherein file integrity must be checked contemporaneously with file access.

Roguine discloses determining if a file is encrypted or modified (Fig 3 303) and indicates corrective actions that are applied when either is detected. Likewise, Dong teaches detecting changes by comparing a known checksum of a file to a currently calculated checksum to determine the possibility of a virus attack. Adams, however, admits that some changes to a file are legitimate and provides a mechanism, including an entropy comparison against an entropy baseline threshold, to differentiate between a ransomware attack, which includes encrypting the file under attack, and normal file modification.

Incorporation of Adams into Roguine and Dong may yield an improved system by reducing false positive attack detection to thereby arrive at the claimed invention.
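The flow mapped against claims 1, 3, 4 and 5 above, and the claim 9 omission for a trusted accessor, written out as an added illustration. This is not code from the application under examination or from Roguine, Dong or Adams; it assumes an in-memory simulation in place of a kernel-level driver, SHA-256 standing in for the MD5 example that Dong mentions, a byte-position agreement fraction as the "correlation metric", an illustrative threshold of 0.5, and constructed file contents. The expected checksum is taken from the copy stored when the access was detected; the checksum of the current content is compared on close; only on a mismatch is the byte-level comparison run, and the result is classified as possible encryption (low correlation) or possible user modification (high correlation), with entropy of both versions recorded for the alert.

```python
"""Added illustration of the claimed file-integrity flow (not code from the
application or from Roguine, Dong or Adams). Assumptions: SHA-256 as the
checksum operation, a byte-agreement fraction as the correlation metric,
an illustrative 0.5 threshold, and constructed sample content."""
import hashlib
import math
from collections import Counter
from typing import Any, Dict


def checksum(data: bytes) -> str:
    """The 'checksum operation'. Assumption: SHA-256 instead of the MD5 example in Dong."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, well below that for ordinary text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def byte_correlation(stored_copy: bytes, current: bytes) -> float:
    """Byte-level comparison of the file and its copy: the fraction of positions
    (over the longer length) whose bytes agree. 1.0 is identical, 0.0 means no
    position agrees."""
    n = max(len(stored_copy), len(current))
    if n == 0:
        return 1.0
    return sum(1 for a, b in zip(stored_copy, current) if a == b) / n


# Assumption: the threshold is illustrative and not taken from any reference.
CORRELATION_THRESHOLD = 0.5


def verify_on_close(stored_copy: bytes, current: bytes, trusted: bool = False) -> Dict[str, Any]:
    """Run when the close of the file is detected.

    stored_copy is the copy taken when the access was detected; its checksum is the
    expected checksum. trusted=True models the claim 9 case in which the verification
    process is omitted for a trusted application, process or user."""
    if trusted:
        return {"alert": False, "verdict": "verification-omitted-trusted"}
    expected = checksum(stored_copy)
    actual = checksum(current)
    if actual == expected:
        return {"alert": False, "verdict": "unchanged", "checksum": actual}
    # Checksum mismatch: only now run the byte-level comparison (claim 3).
    corr = byte_correlation(stored_copy, current)
    result: Dict[str, Any] = {
        "alert": True,
        "correlation": corr,
        "entropy_before": shannon_entropy(stored_copy),
        "entropy_after": shannon_entropy(current),
    }
    if corr < CORRELATION_THRESHOLD:          # claim 4: low correlation
        result["verdict"] = "possible-encryption-by-ransomware"
    else:                                     # claim 5: high correlation
        result["verdict"] = "possible-modification-by-user"
    return result


# Constructed sample content (not taken from any reference).
ORIGINAL = b"quarterly report: revenue up 4%\n" * 8
USER_EDIT = ORIGINAL.replace(b"4%", b"5%")   # eight bytes change out of 256


def simulated_encrypt(data: bytes) -> bytes:
    """Constructed stand-in for a file being encrypted: XOR with a key stream that is
    never zero, so every output byte differs from the corresponding input byte."""
    return bytes(b ^ ((i * 73) % 255 + 1) for i, b in enumerate(data))


ENCRYPTED = simulated_encrypt(ORIGINAL)

if __name__ == "__main__":
    for label, current in (("unchanged", ORIGINAL), ("user edit", USER_EDIT), ("encrypted", ENCRYPTED)):
        print(label, verify_on_close(ORIGINAL, current))
    print("trusted accessor", verify_on_close(ORIGINAL, ENCRYPTED, trusted=True))
```

The ordering matters for cost: the hash comparison is cheap and runs on every close, while the byte-level comparison and entropy calculation run only after a mismatch, which is the dependency the claim 3 limitation "in response to the determining" expresses. The trusted bypass reduces load but is also the gap the claim 9 rejection points at via UNVEIL: a process that is trusted, or one running with administrator privilege, is exactly what the verification no longer sees.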




Claim 9 is rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Roguine in view of Dong in further view of Adams in further view of the NPL cited in the IDS filed 4/9/2020, "UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware" (hereinafter UNVEIL).
As to claim 9, Roguine in view of Dong in further view of Adams teaches all the subject matter pointed out in the above 103 rejection of parent claim 1.

As to claim 9,   
Roguine discloses wherein 
the generating the copy of the file [0051] create a copy of the file
in response to detecting the accessing of the file, [0051] open for write action

the storing the copy of the file in designated storage location, 
[0051] snapshots saved using backup methods

the detecting the completion of the accessing of the file, 
[0051]  the "close" action will trigger further analysis

Roguine does not disclose
applying the checksum operation to generate a checksum 

Dong teaches
applying a checksum operation [0036] the checksum method
to generate a checksum [0037] a checksum is calculated


	Neither Roguine nor Dong teach
a verification process to detect a possible manipulation of the file,


Adams teaches
a verification process to detect a possible manipulation of the file,  Fig 6 process 600

detecting an additional accessing of the file by a trusted application, a trusted process, or a trusted user, C4 12- 24 a predetermined event

	Neither Roguine, Dong, nor Adams teach 
detecting an additional accessing of the file by a trusted application, a trusted process, or a trusted user, wherein the processing system omits performance of the verification process for the additional accessing of the file by the trusted application, the trusted process, or the trusted user. 

UNVEIL teaches 
detecting an additional accessing of the file  pg 13 C1 Kernel-level attacks
by a trusted application, a trusted process, or a trusted user, 
pg 13 C1 ransomware running with administrator privilege

wherein the processing system omits performance of the verification process for the additional accessing of the file by the trusted application, the trusted process, or the trusted user. 
	pg 13 C1 ransomware may thwart some of the hooks Unveil uses to monitor the 
  file system



Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Roguine, Dong and Adams with those of UNVEIL as elements known in the prior art combined to yield predictable results. For example, Roguine, Dong and Adams are directed towards protecting files from attacks such as ransomware attacks, wherein file integrity must be checked contemporaneously with file access.
Roguine discloses determining if a file is encrypted or modified (Fig 3 303) and indicates corrective actions that are applied when either is detected. Likewise, Dong teaches detecting changes by comparing a known checksum of a file to a currently calculated checksum to determine the possibility of a virus attack. Adams, however, admits that some changes to a file are legitimate and provides a mechanism, including an entropy comparison against an entropy baseline threshold, to differentiate between a ransomware attack, which includes encrypting the file under attack, and normal file modification.

UNVEIL is a product directed at the detection and mitigation of ransomware (pg 13 section 8). It is a product similar in nature to the combined teachings of Roguine, Dong, and Adams, wherein the techniques of UNVEIL may be advantageously incorporated into the combined teachings of Roguine, Dong, and Adams with the motivation of outperforming all existing AV scanners and modern industrial sandboxing in detecting both superficial and sophisticated ransomware attacks, as taught by UNVEIL (pg 13 section 8).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD A MCCOY whose telephone number is (313)446-6520.  The examiner can normally be reached on M - F 10 - 6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571 272 2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/RICHARD A MCCOY/Examiner, Art Unit 2431