DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 29 claims a “system”. It further lists the elements of the system as: “a program store storing code, a processor couple to the program store, code, etc.”. It should be further noted that a “processor”, as claimed, can under the broadest reasonable interpretation be interpreted to be a “software processor”.

Because all of the elements of the system of claim 29 can be reasonably interpreted as software elements and do not constitute “concrete things”, “parts” or “certain devices and combination of devices”, the entire claim can be interpreted to be “software per se” and is therefore non-statutory under 35 U.S.C. 101.

How to overcome this rejection under 35 U.S.C. 101:

Applicant may choose to recite a hardware component as an element of the system that is connected with the other elements that make up the system. One non-limiting example to address the deficiency under 35 USC 101 would be “memory storing code” and “a processor coupled to the memory, when executing the code performs the steps of: monitoring at least one file”. 


Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-7, 10, 11, 13, 15, 17, 18, 21-23 and 27-29 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by U.S. PGPub. No. 2018/0075239 A1 (hereinafter "Boutnaru").

Regarding claim 1:

Boutnaru discloses: 

A computer implemented method for protecting data stored in at least one file from being overwritten by malicious code (Abstract: “…detecting that ransomware is operating on a computer … by correlating between the original data and content … the negative effects of the ransomware may be mitigated or avoided”), the computer implemented method comprising:

monitoring at least one file stored in a storage device location to detect a request to perform an overwrite operation at least a portion of data of the at least one file (Boutnaru discloses the monitoring … to detect a request to perform an overwrite operation in Fig. 3A as well as corresponding ¶29: “When the operating system handles the read operation from ransomware 130, an original data portion 310 becomes stored in user cache 230.”);

redirecting the overwrite operation to a memory location designated as safe for being overwritten (in ¶30 Boutnaru further discloses how the overwrite operation is redirected inside the user cache and not actually written to the file, see ¶31-32: “Modified data portion 320 may be an encrypted version of original data portion 310, for example. As per the read operation of FIG. 3A, the present write operation is handled by an operating system in various embodiments. When ransomware 130 writes modified data portion 320, it may be stored in user cache 230 temporarily before it is actually written to permanent storage (e.g. persistent storage that retains data after a power cycle). Thus, modified data portion 320 is stored in user cache 230 (or another cache) before the contents of file 120 become permanently changed, in various embodiments.”);

analyzing the overwrite operation at the memory location to identify an association with malicious code (in ¶32 Boutnaru discloses how the overwrite operation is analyzed to determine malice: “Because file 120 may not become irrevocably changed the instant that ransomware 130 issues a write instruction, this allows an opportunity to analyze modified data portion 320 relative to original data portion 310 to determine if ransomware 130 is performing a damaging operation.”); and

outputting an indication of an attempt to overwrite the at least one file by malicious code (in ¶46-47 Boutnaru discloses that an alert is output if malicious activity is detected: “In operation 440, system 110 prevents original content from being deleted if altered content is believed to have been encrypted, in one embodiment. Prevention from deletion may take various forms, as discussed below. In one embodiment, operation 440 includes causing an alert to be transmitted to a user of system 110 (or a user of another system). This alert may inform the user that a program appears to be attempting to encrypt data and delete the underlying data, and then present the user with a dialog asking the user whether they wish to allow the operation to proceed, or to halt the operation.”).

Regarding claim 2:

Boutnaru discloses: 

The computer implemented method of claim 1, further comprising creating a mirror of the at least one file at the memory location, and redirecting the overwrite operation to the mirror of the at least one file (Fig. 3B depicts how a mirror is created (i.e., “original portion: 310”); it should be noted that ¶28 discloses that the entire file may also be read and consequently duplicated: “Ransomware 130 may read all or a portion of file 120”).

Regarding claim 3:

Boutnaru discloses: 

The computer implemented method of claim 2, wherein analyzing the overwrite operation comprises verifying the file structure of the mirror of the at least one file according to a predefined file structure (in ¶39, Boutnaru discloses: “This contextual data may include but is not limited to: a process that accessed the content and caused it to be stored in cache; a location in permanent storage of the content; a filename and/or file path with which the content is associated; an offset or location within a file with which the content is associated (e.g., a particular segment, or bytes 4096-8191, etc.), a time the data was first stored in cache, a time the data was last accessed in cache, whether data was first saved in cache due to reading, or due to writing, or other information. By comparing contextual data for two pieces of content in cache (e.g., original data previously read from disk and modified data to be written to disk), system 110 can determine that the two pieces of content correspond to one another.”).

Regarding claim 4:

Boutnaru discloses: 

In ¶43 Boutnaru discloses using entropy calculation to determine a difference between the content and the altered content: “In one embodiment, this comparing includes using a calculated entropy level of the original content, and then comparing that to a calculated entropy level for the altered content. A goal of encryption is frequently to make data look as random as possible (high entropy level). Thus, if system 110 sees a file read from disk that has a relatively low entropy level, then a modified file is written back to disk with a relatively high entropy level, it can be assumed (in various embodiment) that the modified file represents an encrypted version of the original file. Simply opening a text document and changing a few words (editing a report or manuscript, for example) is unlikely to have a significant change on the entropy level of that file, in one or more embodiments. Entropy level can therefore be used as a proxy for encryption in various instances.”

Regarding claim 5:

Boutnaru discloses: 

The computer implemented method of claim 2, wherein analyzing the overwrite operation comprises identifying an encryption of the mirror of the at least one file by parsing the mirror to identify at least one field, determining at least one illegal value in the at least one field by comparing at least one value of each identified at least one field of the mirror to a corresponding at least one value of at least one field of the file at the storage device location, and evaluating the compared difference according to a requirement representing predefined allowed values (in ¶43 Boutnaru discloses using entropy calculation to determine a difference between the content and the altered content: “In one embodiment, this comparing includes using a calculated entropy level of the original content, and then comparing that to a calculated entropy level for the altered content. A goal of encryption is frequently to make data look as random as possible (high entropy level). Thus, if system 110 sees a file read from disk that has a relatively low entropy level, then a modified file is written back to disk with a relatively high entropy level, it can be assumed (in various embodiment) that the modified file represents an encrypted version of the original file. Simply opening a text document and changing a few words (editing a report or manuscript, for example) is unlikely to have a significant change on the entropy level of that file, in one or more embodiments. Entropy level can therefore be used as a proxy for encryption in various instances.”).

Regarding claim 6:

Boutnaru discloses: 

Boutnaru discloses in ¶39-44 how the system identifies non-text encrypted data using entropy calculations, compared against text documents (“MS-WORD docs”, see ¶44).

Regarding claim 7:

Boutnaru discloses: 

The computer implemented method of claim 2, wherein the mirror of the at least one file stores only the portions of at least one file that are designated to be overwritten by the overwrite operation, wherein the mirror of the at least one file does not include portions of the at least one file that are unaffected by the overwrite operation (Fig. 3B depicts how a mirror is created (i.e., “original portion: 310”); it should be noted that ¶28 discloses that only portions of the file may be read and consequently duplicated: “Ransomware 130 may read all or a portion of file 120”).

Regarding claim 10:

Boutnaru discloses: 

The computer implemented method of claim 1, wherein analyzing the overwrite operation comprises checking whether the portion of data of the at least one file is read prior to the request to perform the overwrite operation of the portion of the at least one file (in ¶30, Boutnaru discloses where a portion of the file is read prior to the request to perform the overwrite operation: “after the read operation of FIG. 3A, ransomware 130 has a copy of original data portion 310, but another copy of original data portion 310 has also been retained in user cache 230”).  

Regarding claim 11:

Boutnaru discloses: 

The computer implemented method of claim 1, wherein the association with malicious code is identified when the overwrite operation is detected as being performed on a plurality of files including at least a predefined number of files or when a deletion operation of the portion of the at least one file is attempted after the overwrite operation of the portion of the at least one file (Boutnaru discloses how malicious code is identified when the overwrite operation is performed on multiple files, see ¶44-48).

Regarding claim 13:

Boutnaru discloses: 

The computer implemented method of claim 1, wherein the overwrite operation comprises at least one of: encrypting at least the portion of the at least one file, renaming the at least one file, changing content of at least the portion of the at least one file to irrelevant values, and deleting at least the portion of the at least one file (Boutnaru discloses how the overwrite operation comprises encrypting at least the portion of the at least one file in numerous sections throughout the document, however notably in ¶43: “represents an encrypted version of the original file”).  


Regarding claim 15:

Boutnaru discloses:

The computer implemented method of claim 1, further comprising determining whether the at least one file is designated for protection; wherein determining comprises analyzing a format of the at least one file according to a predefined file format designated for protection; wherein the predefined file format is a member selected from the group consisting of: a word processing document file format (Boutnaru in ¶44 specifically discloses that the original file may be a “MS-WORD docs” which is an example of a processing document file format), a spreadsheet file format, a PDF file format, and a presentation file format.  

Regarding claim 17:

Boutnaru discloses:


The computer implemented method of claim 1, further comprising analyzing the overwrite operation to identify an overwrite to a header of the at least one file; and triggering the redirecting the overwrite operation when the overwrite to the header is identified (see Boutnaru in ¶27-33).   

Regarding claim 18:

Boutnaru discloses:

The computer implemented method of claim 1, further comprising analyzing the overwrite operation at the memory location to identify an association with safe code; and overwriting the at least one file at the storage device location with the overwritten data at the memory location (in ¶50, Boutnaru discloses that if it is identified with safe code form a whitelisted application, then the write process proceeds as normal).  

Regarding claim 21:

Boutnaru discloses:

The computer implemented method of claim 1, further comprising deleting the overwritten data at the memory location when the analysis identifies the overwrite operation as associated with malicious code (in ¶46, Boutnaru discloses how the system prevents original content from being deleted if altered content is believed to have been encrypted; since the altered content does not overwrite the original content, it must inherently be deleted from the cache, as memory is not infinite and the system would otherwise exhaust it if the staged data were not cleaned up/deleted).

Regarding claim 22:

Boutnaru discloses:

The computer implemented method of claim 1, wherein analyzing the overwrite operation is performed according to at least one of: when the overwrite operation is complete, and when a predefined size of data is overwritten (in ¶31-35 Boutnaru discloses how the analysis of the overwrite operation follows once the suspected ransomware writes out the file).  


Regarding claim 23:

Boutnaru discloses: 

The computer implemented method of claim 1, wherein analyzing the overwrite operation comprises detecting encryption by calculating entropy of the data overwritten at the memory location according to an entropy requirement representing encrypted data (in ¶39, Boutnaru discloses: “This contextual data may include but is not limited to: a process that accessed the content and caused it to be stored in cache; a location in permanent storage of the content; a filename and/or file path with which the content is associated; an offset or location within a file with which the content is associated (e.g., a particular segment, or bytes 4096-8191, etc.), a time the data was first stored in cache, a time the data was last accessed in cache, whether data was first saved in cache due to reading, or due to writing, or other information. By comparing contextual data for two pieces of content in cache (e.g., original data previously read from disk and modified data to be written to disk), system 110 can determine that the two pieces of content correspond to one another.”).
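For illustration of the analysis discussed in the rejections of claims 3-5, 7, 17, 21 and 23 (a staged, in-memory mirror of the targeted portions; an entropy comparison between the original bytes and the proposed overwrite in the manner of Boutnaru ¶43; and a check that an overwrite touching the header preserves the expected file signature), the following is an added worked example. It is not taken from the application, from Boutnaru, or from any other cited reference; the file signatures, the entropy thresholds, the toy keystream cipher standing in for ransomware encryption, and the sample document are all assumptions constructed for the example.

```python
"""Added example: stage an overwrite in memory, analyze it by per-portion
entropy comparison and header-signature verification, then commit or discard.
All signatures, thresholds and sample data below are assumptions."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field

# Assumed file signatures for two of the formats named in claim 15:
# PDF, and the ZIP container behind .docx/.xlsx/.pptx.
MAGIC = {"pdf": b"%PDF-", "ooxml": b"PK\x03\x04"}

# Assumed thresholds (bits per byte): flag a portion whose entropy rises by
# at least ENTROPY_DELTA and ends at or above HIGH_ENTROPY.
ENTROPY_DELTA = 2.0
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class StagedFile:
    """In-memory mirror holding only the portions an overwrite targets;
    the file at the storage location is untouched until analysis passes."""
    original: bytes
    fmt: str
    portions: dict = field(default_factory=dict)  # offset -> proposed bytes

    def stage_write(self, offset: int, data: bytes) -> None:
        """Redirect a write request into the mirror instead of the file."""
        self.portions[offset] = data

    def projected(self) -> bytes:
        """The file as it would look if every staged portion were applied."""
        buf = bytearray(self.original)
        for off, data in sorted(self.portions.items()):
            end = off + len(data)
            if end > len(buf):
                buf.extend(b"\x00" * (end - len(buf)))
            buf[off:end] = data
        return bytes(buf)

    def header_overwritten(self) -> bool:
        """True if any staged portion covers the signature bytes."""
        return any(off < len(MAGIC[self.fmt]) for off in self.portions)


def analyze(staged: StagedFile) -> list:
    """Return the reasons the staged overwrite looks malicious (empty list
    means benign). Compares, per staged portion, the entropy of the original
    bytes at that offset with the proposed bytes, and, when the header is
    touched, verifies the expected signature survives."""
    reasons = []
    if staged.header_overwritten() and not staged.projected().startswith(MAGIC[staged.fmt]):
        reasons.append("header overwritten with a non-matching signature")
    for off, data in sorted(staged.portions.items()):
        before = shannon_entropy(staged.original[off:off + len(data)])
        after = shannon_entropy(data)
        if after - before >= ENTROPY_DELTA and after >= HIGH_ENTROPY:
            reasons.append(f"portion @{off}: entropy {before:.2f} -> {after:.2f} bits/byte")
    return reasons


def commit_or_discard(staged: StagedFile, storage: bytearray) -> bool:
    """Write the projected file to storage only if analysis finds nothing;
    otherwise discard the staged data so the original stays intact."""
    if analyze(staged):
        staged.portions.clear()
        return False
    storage[:] = staged.projected()
    return True


# ---- constructed sample data, not from any cited reference ----

def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Deterministic SHA-256 keystream XOR standing in for ransomware
    encryption. NOT a secure cipher; it only yields high-entropy output."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


SAMPLE_PDF = b"%PDF-1.4\n" + b"The quick brown fox jumps over the lazy dog. " * 120


def demo() -> dict:
    """Run a benign edit and a ransomware-style overwrite through the mirror."""
    results = {}
    disk = bytearray(SAMPLE_PDF)                      # benign: edit one sentence
    benign = StagedFile(bytes(disk), "pdf")
    benign.stage_write(100, b"A quick brown fox leaps over the lazy dog. ")
    results["benign_committed"] = commit_or_discard(benign, disk)

    disk2 = bytearray(SAMPLE_PDF)                     # malicious: encrypt everything
    ciphertext = toy_encrypt(SAMPLE_PDF, b"assumed-key")
    evil = StagedFile(bytes(disk2), "pdf")
    evil.stage_write(0, ciphertext)
    results["evil_reasons"] = analyze(evil)
    results["evil_committed"] = commit_or_discard(evil, disk2)
    results["evil_disk_intact"] = bytes(disk2) == SAMPLE_PDF
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The per-portion comparison is what lets the mirror hold only the bytes an overwrite targets (claim 7) while still applying the low-to-high entropy heuristic of ¶43; the header check covers the case of claim 17, where the first bytes of the file are rewritten. Entropy alone misfires on legitimately compressed or already-encrypted content, which is why a practitioner would combine it with the structure check and the process whitelist discussed under claims 18 and 27 rather than rely on a single signal.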
  


Regarding claim 27:

Boutnaru discloses: 

In ¶50, Boutnaru discloses a “whitelist of known binaries … and if a program is on this list, the user may not be alerted about a perceived encryption/deletion operation”.

Regarding claim 28:

Boutnaru discloses: 

The computer implemented method of claim 1, further comprising performing the analyzing in response to opening of the at least one file with write permission and/or file overwrite, wherein the analyzing the open/overwrite operation is performed by an analysis of at least one of stack trace and flow-data to determine whether access to the at least one file is permitted or whether access to the at least one file is denied (Boutnaru discloses in ¶44 how the analysis is performed using a stack trace and flow-data to determine whether the access is permitted or denied).


Regarding claim 29:

Claim 29 contains similar subject matter, albeit directed to a “system” instead of a “method”, but otherwise discloses the same features and limitations as those disclosed in claim 1. For this reason claim 29 is rejected under the same grounds of rejection as those given in the rejection of claim 1. Furthermore, applicant is kindly requested to review the citations given in claim 1.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and content of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 2018/0075239 A1 (hereinafter "Boutnaru") as applied to claim 2 above, and further in view of U.S. PGPub. No. 2016/0224788 A1 (hereinafter "Coronado").

Regarding claim 8:

Boutnaru does not disclose the following limitation as disclosed by Coronado:

The computer implemented method of claim 2, wherein the creating the mirror file is performed iteratively for successive portions of the at least one file, wherein each successive portion is copied to the location of the mirror file triggered by a write operation to the respective portion, wherein the analyzing is performed iteratively for each successive portion (Coronado discloses this in at least ¶32-33: “One or more servers as represented by the servers 110a, 110b, for example, may provide a host function to store data to and retrieve data from the storage system 180. In some storage systems, an anti-virus (AV) program runs external to the servers performing the storage function. Thus, the anti-virus software can be run on one or more dedicated servers such as the servers 110c and 110d, for example which are external to the storage system 180, or servers 110e, 110f, for example, which are internal to the storage system 180, to validate that the data contained within a storage unit of the storage system 180 is virus free. To speed the scanning of files and to provide for continued use of files, particularly large files while they are being scanned, it is known to subdivide a file into subfiles and to distribute the scanning of the subfiles to different servers so that the various subfiles of a particular file may be scanned by different servers operating in parallel or at different times. In addition, subfiles of a file may be accessed while other subfiles of the file are being scanned. Previously, a storage system typically provided real time scan "on write" operations. For example, in connection with a write operation, the write data provided by a host server 110a, 110b was previously committed directly to the targeted file, and an AV Scan was initiated on the updated targeted file in which typically the entire file was scanned after the write operation. 
If the last write command introduced malicious software, and the AV Scan detected it, a repair of the infected file was attempted. If the repair of the infected file failed, the infected file was typically quarantined, blocking access to the quarantined file. In some prior systems, an entire file which may be a terabyte in size or larger, may be quarantined notwithstanding that only a relatively small portion of the file is actually infected”).

Thus, one of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to modify Boutnaru’s system of preventing a ransomware attack with the mitigation system using successive portions as disclosed in Coronado, and thereby gaining, predictably, the commonly understood benefits of such adaptation, that is, .


Claim 25 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 2018/0075239 A1 (hereinafter "Boutnaru") as applied to claim 1 above, and further in view of U.S. PGPub. No. 2016/0378988 A1 (hereinafter "Bhashkar").
Regarding claim 25:


Boutnaru discloses:

The computer implemented method of claim 1, further comprising presenting a user interface on a display in response to detecting the overwrite operation to allow a user to confirm the overwrite operation as associated with safe code (see Boutnaru ¶47: “This alert may inform the user that a program appears to be attempting to encrypt data and delete the underlying data, and then present the user with a dialog asking the user whether they wish to allow the operation to proceed, or to halt the operation.”).  

Boutnaru does not disclose the following limitation as disclosed by Bhashkar:
adding an application associated with the overwrite operation to a whitelist of safe applications exhibiting cryptoware-like behavior when the user confirms the overwrite operation as safe (Bhashkar discloses this in ¶73: “In one embodiment, in response to clicking/selecting the "Unblock" button, file system driver 350 adds the process P2 to the whitelist of table 410 (as another row in the table), thereby ensuring that the files opened by process P2 is thereafter not monitored by file system driver 350.”).  

Thus, one of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to modify Boutnaru’s system of preventing a ransomware attack to permit a user to add a program to a whitelist as disclosed in Bhashkar, and thereby gaining, predictably, the commonly understood benefits of such adaptation, that is, to give the user the flexibility to add programs to the whitelist and thus avoid false positive alerts when an authorized program performs an encryption.

How to overcome the rejection under 35 USC 102 and 103:

Applicant may wish to contact the examiner to discuss possible claim amendments to overcome the rejections. Some examples would be to incorporate some of the subject matter of pg. 17 of the specification with regards to the stack traces that are not detailed in claim 28 and that could be incorporated into claim 1 to overcome the prior art. 

Related Art

The prior art listed in the EPO search report, GB 2517483, is found to be highly relevant. Notably, the ‘483 publication also includes the detection of ransomware by comparing the entropy of the data to be written and the original file data. 

Furthermore, US 20170364681 A1 also discloses a system of detecting ransomware by comparing the data to be written with the data of the original file.


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Alexander Lagor whose telephone number is (571)270-5143.  The examiner can normally be reached on Monday thru Friday, 9:00 AM to 5:00 PM.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashokkumar B. Patel can be reached on (571) 272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ALEXANDER LAGOR/
Primary Examiner
Art Unit 2491