DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 6 October 2020 has been considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,795,994. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application broaden the scope of the claims of the ‘994 Patent. Consequently, the claims of the ‘994 Patent anticipate the claims of the instant application.
As to claims 1 and 9, the ‘994 Patent discloses a computer-implemented anti-ransomware method/apparatus (Claim 1: A ransomware mitigation engine), comprising (Claim 19: A method of detecting and remediating a ransomware attack, comprising): 
selecting a file for inspection (Claim 19: operating a neural network to compute a byte correlation factor for a file under inspection); 
assigning the file to a type class according to a file type identifier (Claim 19:  classifying the file under inspection as belonging to a file type according to the byte correlation); 
receiving an expected byte correlation for the type class (Claim 19: performing a statistical analysis of the file under inspection to determine a difference between an expected value and a computed value); 
computing, according to a byte distribution of the file, a byte correlation for the file (Claim 19: performing a statistical analysis of the file under inspection to determine a difference between an expected value and a computed value); 
comparing, via statistical analysis, the byte correlation to the expected byte correlation (Claim 19: performing a statistical analysis of the file under inspection to determine a difference between an expected value and a computed value); and 
determining that the file has been compromised, comprising determining that the file has a byte correlation that deviates from the expected byte correlation by more than a threshold, taking a ransomware remediation action for the file (Claim 19: determining 
As to claim 2, the ‘994 Patent discloses the method of claim 1, wherein the neural network is a featureless neural network (Claim 4: The ransomware mitigation engine of claim 2, wherein determining that the file has been compromised comprises identifying a statistically-significant mismatch in two or more statistical analyses from the group.).  
As to claim 3, the ‘994 Patent discloses the method of claim 1, wherein the statistical analysis is selected from the group consisting of entropy, Monte Carlo pi, Monte Carlo pi error, serial correlation coefficient, arithmetic mean, and chi square distribution (Claim 20: The method of claim 19, wherein the statistical analysis is selected from the group consisting of entropy, Monte Carlo pi, Monte Carlo pi error, serial correlation coefficient, arithmetic mean, and chi square distribution).
As to claim 4, the ‘994 Patent discloses the method of claim 3, wherein determining that the file under inspection has been compromised comprises identifying a statistically-significant mismatch in two or more statistical analyses from the group (Claim 3: The ransomware mitigation engine of claim 2, wherein determining that the file has been compromised comprises identifying a statistically-significant mismatch in two or more statistical analyses from the group).
As to claim 5, the ‘994 Patent discloses the method of claim 1, wherein the ransomware remediation action comprising creating a backup of the file and restoring 
As to claim 6, the ‘994 Patent discloses the method of claim 5, wherein the backup is a transitory backup (Claim 6: The ransomware mitigation engine of claim 5, wherein the backup is a transitory backup). 
As to claim 7, the ‘994 Patent discloses the method of claim 1, further comprising identifying a malicious process according to file artefacts (Claim 7: The ransomware mitigation engine of claim 1, further comprising a file artefact extractor configured to identify a malicious process according to file artefacts).
As to claim 8, the ‘994 Patent discloses the method of claim 1, further comprising identifying and remediating a process that instigated selecting a file for investigation (Claim 10: The ransomware mitigation engine of claim 9, wherein the policy engine is further configured to identify and remediate a process that instigated the file access operation).
As to claim 10, the ‘994 Patent discloses the apparatus of claim 9, wherein the means comprise one or more tangible, non-transitory computer-readable storage mediums having stored thereon executable instructions to instruct a processor to provide a heuristic layer (Claim 11: The ransomware mitigation engine of claim 1, wherein the circuitry and logic comprise a processor and one or more tangible, non-transitory computer-readable storage mediums having stored thereon executable instructions to instruct the processor to provide the heuristic layer.). 
As to claim 11, the ‘994 Patent discloses the apparatus of claim 9, wherein the means comprise a convolutional neural network (CNN) (Claim 1: A ransomware mitigation engine, comprising: a processor; a convolutional neural network configured to provide file type identification (FTI) services).
As to claim 12, the ‘994 Patent discloses the apparatus of claim 11, wherein the CNN comprises a field-programmable gate array (FPGA) (Claim 13: The ransomware mitigation engine of claim 1, wherein the CNN comprises a field-programmable gate array (FPGA).).
As to claim 13, the ‘994 Patent discloses the apparatus of claim 11, wherein the CNN comprises a bank of GPUs (Claim 14:  The ransomware mitigation engine of claim 1, wherein the CNN comprises a bank of GPUs.).
As to claim 14, the ‘994 Patent discloses the apparatus of claim 11, wherein the CNN comprises an ASIC (Claim 15: The ransomware mitigation engine of claim 1, wherein the CNN comprises an ASIC).
As to claim 15, the ‘994 Patent discloses a ransomware mitigation engine, comprising (Claim 16: One or more tangible, non-transitory computer-readable storage mediums having stored thereon executable instructions to program or configure a logic device to provide a ransomware mitigation engine, the ransomware mitigation engine to): 
a hardware platform comprising a processor and a memory; and instructions encoded within the memory to instruct the processor (Above plus Claim 1: comprising: a processor) to: 

identify a file write to a newly-created file (Claim 16: identify an access operation of a file as a write to the file or newly creating the file); 
compute, within the CNN, a byte correlation factor for the file (Claim 1: computing a byte correlation factor for the file); 
operate a file type identification (FTI) layer of the CNN to identify a file type of the file (Claim 16: operate a convolutional neural network (CNN) file type identification (FTI) layer to determine with a screening confidence that the file type is correct for the file); 
screen the file to determine whether the file is correct for the file type (Claim 16: operate a convolutional neural network (CNN) file type identification (FTI) layer to determine with a screening confidence that the file type is correct for the file);
upon determining that the file is not correct for the file type, use a statistical analysis the file to compute a delta between an expected value and an observed value (Claim 16: perform a statistical analysis of the file to determine a difference between an expected value and a computed value); 
based at least in part on the delta, designate the file as having been compromised by a ransomware attack (Claim 16: determine from the difference that the file has been compromised and that the file has been compromised by ransomware); and 

As to claim 16, the ‘994 Patent discloses the ransomware mitigation engine of claim 15, wherein the statistical analysis is selected from the group consisting of entropy, Monte Carlo pi, Monte Carlo pi error, serial correlation coefficient, arithmetic mean, and chi square distribution (Claim 20: The method of claim 19, wherein the statistical analysis is selected from the group consisting of entropy, Monte Carlo pi, Monte Carlo pi error, serial correlation coefficient, arithmetic mean, and chi square distribution). 
As to claim 17, the ‘994 Patent discloses the ransomware mitigation engine of claim 16, wherein determining that the file has been compromised comprises identifying a statistically-significant mismatch in two or more statistical analyses from the group (Claim 3: The ransomware mitigation engine of claim 2, wherein determining that the file has been compromised comprises identifying a statistically-significant mismatch in two or more statistical analyses from the group).
As to claim 18, the ‘994 Patent discloses the ransomware mitigation engine of claim 15, wherein the CNN is a featureless CNN (Claim 4: The ransomware mitigation engine of claim 1, wherein the CNN is a featureless CNN).  
As to claim 19, the ‘994 Patent discloses one or more tangible, non-transitory computer-readable storage mediums having stored thereon executable instructions to program or configure a logic device to provide a ransomware mitigation engine, the ransomware mitigation engine to (Claim 16: One or more tangible, non-transitory 
select a file for analysis (Claim 16: identify an access operation of a file as a write to the file or newly creating the file); 
identify a write-to-disk operation for the file, wherein the write-to-disk operation is a file write or a new file creation (Claim 16: identify an access operation of a file as a write to the file or newly creating the file);
access a neural network (Claim 16: operate a convolutional neural network (CNN) file type identification (FTI) layer to determine with a screening confidence that the file type is correct for the file, and that the screening confidence is below a screening confidence threshold); 
within the neural network, determine within a screening confidence that the file belongs to a file type and includes a byte pattern that is correct for the file type (Claim 16: operate a convolutional neural network (CNN) file type identification (FTI) layer to determine with a screening confidence that the file type is correct for the file, and that the screening confidence is below a screening confidence threshold); 
determine that the screening confidence is below a threshold (Claim 16: operate a convolutional neural network (CNN) file type identification (FTI) layer to determine with a screening confidence that the file type is correct for the file, and that the screening confidence is below a screening confidence threshold); 

from the difference, determine that the file is a candidate file for having been compromised by a ransomware attack and requires further analysis and/or remedial action (Claim 16: determine from the difference that the file has been compromised and that the file has been compromised by ransomware).
As to claim 20, the ‘994 Patent discloses the one or more tangible, non-transitory computer-readable mediums of claim 19, wherein determining that the file has been compromised comprises identifying a statistically-significant mismatch in two or more statistical analyses from the group (Claim 3: The ransomware mitigation engine of claim 2, wherein determining that the file has been compromised comprises identifying a statistically-significant mismatch in two or more statistical analyses from the group).

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim 9 is rejected under 35 U.S.C. 112(a) or pre-AIA 35 U.S.C. 112, first paragraph, because the claim purports to invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, but fails to recite a combination of elements as required by that statutory provision and thus cannot rely on the specification to provide the structure, material or acts to support the claimed function. As such, the claim recites a function that has no limits and covers every conceivable means for achieving the stated function, while the specification discloses at most only those means known to the inventor. Accordingly, the disclosure is not commensurate with the scope of the claim.

The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 9 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends. Claim 9 nominally depends from claim 1, but only requires the apparatus and not the performance of the method as required by claim 1. Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
U.S. Patent Application Publication No. 2009/0013405 by Schipka discloses heuristic detection of malware
U.S. Patent Application Publication No. 2012/0150/0793 by Carroll discloses selective file loading
U.S. Patent Application Publication No. 2014/0298470 by Yablokov et al. discloses adaptive updating of antivirus databases
U.S. Patent No. 10,140,553 to Vasisht et al. discloses machine learning
U.S. Patent Application Publication No. 2018/0349796 by Gibbs et al. discloses machine learning for classification
U.S. Patent Application Publication No. 2019/0236273 by Saxe et al. discloses machine learning to detect malicious code
U.S. Patent Application Publication No. 2020/0042645 by Douthut et al. discloses file classification

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL S MCNALLY whose telephone number is (571)270-1599. The examiner can normally be reached Monday-Friday, 8:30 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MICHAEL S. MCNALLY
Primary Examiner
Art Unit 2432


