DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/14/2021 has been entered.
Claims 1 – 20 are currently pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/14/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Rostami-Hesarsorkh et al (U.S. 10,230,749 B1) [hereafter Rostami], in view of Guri et al (U.S. 20/0332766 A1) [hereafter Guri].
♦As per claims 1, 9, 17,
Rostami discloses a method, system for the real-time detection of a ransomware infection in file systems, the method comprising:
“accessing audit events in a file system during a time interval, the audit events including unique and duplicative file operations within the time interval” See abstract, Fig. 16 – 19, col. 47 line 36 – col. 48 line 4 of Rostami wherein a log file is generated (including duplicated entries) at a predefined time period (col. 29 lines 5 – 8 of Rostami).
“in a pre-analysis phase, de-duplicating the audit events to remove selected duplicative file operations and generate time series data comprising unique file operations devoid of duplicative file operations” See Fig. 17, Fig. 21, col. 30 lines 1 – 5, col. 48 lines 1 – 4, col. 51 lines 5 – 30, col. 58 lines 19 – 24 of Rostami, wherein the inputs can be log files and distinct lines/de-duplication is performed before the malware analysis is performed [“de-duplicated to identify distinct lines”, “includes only distinct lines as similarly described above”].
“in an analysis phase, analyzing the time series data to determine whether a subset of the unique file operations includes delete instructions to delete files corresponding to the subset of unique file operations” See col. 18 lines 27 – 47, col. 34 lines 18 – 26 of Rostami wherein “and monitoring the behavior for a period of time, such as 30 seconds to five minutes or some other time interval or until an event is detected”, and  “A user can also expand or narrow the time range of the data displayed to view threat activity for a broad or limited time frame”; also see col. 12 lines 15 – 60 of Rostami wherein file operation includes delete instruction.
“in the analysis phase, analyzing the time series data to determine whether a subset of the unique file operations include file-read instructions” See col. 18 lines 27 – 47 of Rostami wherein “and monitoring the behavior for a period of time, such as 30 seconds to five minutes or some other time interval or until an event is detected”; also see col. 12 lines 15 – 60 of Rostami wherein file operation includes different activities (viewing a web page, HTTP request).
“determining that the delete instructions in the subset of unique file operations are abnormal in the time interval based on determining a pattern or number of the delete instructions in the time interval and comparing the pattern or number of the delete instructions to a normal pattern or number of delete instructions” See abstract, Fig. 18 step 1808, col. 6 lines 10 – 18 of Rostami wherein “the malware analysis platform can perform an ingestion and transformation process to process a set of log files including (e.g., selected/important) malware analysis results activity (e.g., such as static malware analysis results, …) to facilitate an enhanced view of malware analysis results”.
“responsive to determining that the delete instructions in the subset of unique file operations are abnormal, and the file-read instructions are abnormal, determining that the file system is infected with ransomware and generating an alert” See Fig. 16 – 19 and associated texts of Rostami wherein suspicious activity is detected and action is performed accordingly.
Rostami inherently teaches the method and system for identifying “ransomware” by identifying/detecting malware from a log file. However, Rostami does not clearly disclose “determining whether the file-read instructions are abnormal by applying a set of machine learning models to the audit events to determine if a pattern and number of the file-read instructions are abnormal”.
Guri, in the same field of endeavor, discloses a method, system for detecting ransomware including the teaching of:
Generate a log file: See paragraph 0019, 0027, 0035 of Guri wherein an event log is generated.
“in the analysis phase, analyzing the time series data to determine whether a subset of the unique file operations include file-read instructions” See paragraph 0025, 0033 of Guri (the pattern associated with the one or more file access operations comprises a read operation to the decoy file or to a portion thereof and a write operation to the same decoy file or the same portion thereof).
“determining whether the file-read instructions are abnormal by applying a set of machine learning models to the audit events to determine if a pattern and number of the file-read instructions are abnormal” See paragraph 0022, 0063 – 0064 of Guri wherein “In machine-learning based technique to determine whether file access operation(s) originate from a non-malicious process or a malicious process”.
It would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Guri into the invention of Rostami since both inventions were available and the combination would provide more security in data protection for the databases.
♦As per claims 2, 10, 18,
“wherein the audit events include information comprising, for each audit event, a user id, a file name, a type of access, and a timestamp” See col. 7 lines 58 – 65, col. 18 lines 44 – 47 of Rostami [“e.g., from the behavior table) can include one or more of the following: ID, type, description, risk, category, details, and score”].
♦As per claims 3, 11, 19,
“determining whether the subset of the file operations includes instructions to encrypt copies of the deleted files corresponding to the subset of file operations, and to delete the unencrypted original files” See paragraph 0025, 0033 of Guri.
♦As per claims 4, 12, 20,
“wherein the selection of duplicative file operations for removal in the de-duplication of the audit events is based at least in part on an identification of successive file operations that do not lead to a change in a file state” See col. 48 lines 1 – 45 of Rostami.
♦As per claims 5, 13,
“generating a finite state machine including one or more file states, the file states including a file open state, a file read state, a file write state, a file read/write state, and a file close state; and storing the file states in the finite state machine in a key value object store” See col. 7 lines 58 – 65, col. 18 lines 44 – 47 of Rostami; and See paragraph 0025, 0033 of Guri.
♦As per claims 6, 14, 
“wherein determining whether the delete instructions in the subset of the file operations files are abnormal comprises applying a set of machine learning models to the audit events, the set of machine learning models trained to determine the pattern or number of the file operations and to compare the pattern or number of the file operations to the normal pattern or number based on features representing a normal or expected behavior of the file system” See Fig. 16 – 19 and associated texts of Rostami wherein suspicious activity is detected and action is performed accordingly.
♦As per claims 7, 15,
“wherein de-duplicating the audit events includes maintaining a file system state based on the finite state machine” See col. 7 lines 58 – 65, col. 18 lines 44 – 47 of Rostami.
♦As per claims 8, 16,
“wherein determining that the delete instructions in the subset of the file operations are abnormal comprises applying Seasonal-Trend…” See col. 15 lines 4 – 27 of Rostami [“the results of automated analysis of malware samples generated by the malware analysis platform can be ingested to determine data of interest (e.g., relationships of malware samples, trends in malware samples”].
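As an added worked illustration of the claimed pipeline (this is example code written for this page, not code from the applicant, Rostami or Guri): the pre-analysis de-duplication of claims 4/7 driven by the file state machine of claims 5/13, the per-interval time series, and the comparison of delete and read counts against a normal baseline from claim 1. The state transitions, the mean-plus-k-standard-deviations threshold, the audit events and the baselines are all constructed assumptions of this example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

def next_state(state, op):
    """File-state machine with the states named in claims 5/13 (transitions are assumed here)."""
    if op == "open":
        return "open"
    if op in ("close", "delete"):
        return "closed"
    if op == "read":
        return "read/write" if state in ("write", "read/write") else "read"
    if op == "write":
        return "read/write" if state in ("read", "read/write") else "write"
    raise ValueError(f"unknown op {op}")

def deduplicate(events):
    """Pre-analysis phase (claims 4/7): drop successive ops that leave a file's state unchanged."""
    state, unique = defaultdict(lambda: "closed"), []
    for ts, uid, fname, op in events:
        new = next_state(state[fname], op)
        if new != state[fname] or op == "delete":  # a delete is never treated as a duplicate
            unique.append((ts, uid, fname, op))
        state[fname] = new
    return unique

def time_series(unique, width):
    """Count unique ops per time interval of `width` units -> {interval: Counter}."""
    series = defaultdict(Counter)
    for ts, _, _, op in unique:
        series[ts // width][op] += 1
    return dict(series)

def is_abnormal(count, baseline, k=3.0):
    """Compare an interval's count with a normal baseline: mean plus k standard deviations."""
    return count > mean(baseline) + k * pstdev(baseline)

def detect(events, width, delete_baseline, read_baseline):
    """Analysis phase: alert on intervals where both delete and read counts are abnormal."""
    series = time_series(deduplicate(events), width)
    return [i for i, c in sorted(series.items())
            if is_abnormal(c["delete"], delete_baseline) and is_abnormal(c["read"], read_baseline)]

# Constructed audit events (timestamp, user id, file name, op), the fields named in claims 2/10/18.
EVENTS = [(0, "u1", "a.doc", "open"), (1, "u1", "a.doc", "read"), (2, "u1", "a.doc", "read"),
          (3, "u1", "a.doc", "write"), (4, "u1", "a.doc", "close")]
for i in range(12):  # constructed burst: every file read once, then deleted, inside interval 1
    t, f = 10 + i % 5, f"f{i}.doc"
    EVENTS += [(t, "u2", f, "open"), (t, "u2", f, "read"), (t + 1, "u2", f, "read"), (t + 1, "u2", f, "delete")]
# Constructed per-interval baselines of normal delete and read counts.
DELETE_BASELINE, READ_BASELINE = [0, 1, 0, 2, 1, 0, 1, 0], [3, 4, 2, 5, 3, 4, 3, 2]
```

Calling detect(EVENTS, 10, DELETE_BASELINE, READ_BASELINE) flags only interval 1, where the repeated reads were collapsed by the state machine and the delete count far exceeds the baseline; the normal activity in interval 0 is not flagged.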

Response to Arguments
Applicant’s arguments with respect to the rejection(s) of claim(s) 1 – 20 under 35 USC 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Guri et al.
The following is another related art:
Prokudin et al (U.S. 2020/0004961 A1) discloses a method and system of identifying malicious files using a learning model trained on a malicious file (See abstract, paragraph 0031).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CAM LINH T NGUYEN whose telephone number is (571)272-4024.  The examiner can normally be reached on M-F: 7:00 - 3:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Apu Mofiz can be reached on 571-272-4080.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications 
/CAM LINH T NGUYEN/Primary Examiner, Art Unit 2161