United States Patent and Trademark Office    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov
BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/019,761
Filing Date: 27 Jun 2018
Appellant(s): Araujo et al.



__________________
          David H. Judson
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed September 3, 2021.


(1) Grounds of Rejection to be Reviewed on Appeal

(1A)	Every ground of rejection set forth in the Office action dated March 2, 2021, from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”

	(1B)	The following grounds of rejection are applicable to the appealed claims:
	Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Goyal et al., US 10,558,818 B2, and Zadok et al., US 2005/0273858 A1.

	As for claim 1, Goyal teaches:
a method of forensic analysis in a file system (Abstract), comprising file system overlays deployed on top of a base file system (Abstract, col. 1 lines 44-53) comprising:
associating a particular file system overlay with a subject (col. 2 lines 17-45: each subject, e.g. application, is assigned a security context label, where an access control policy implemented by the overlay file system determines which objects, e.g. files, the subject application is authorized to access);
as the subject performs file-based activity in the particular file system overlay, capturing information indicative of the file-based activity (col. 2 lines 49-53: an application’s attempt to access a file is monitored);

upon a determination that the subject associated with the file-based activity is malicious, taking a predetermined action to protect the file system (col. 2 lines 49-53: an application’s security context label is determined by the kernel security module and evaluated to see if it comports with an access control policy set for a particular file the application is seeking to access. If the application’s security context label is such that the application is not permitted access by the security policy, reading on a determination as to whether the application, i.e. subject, is malicious, the application is blocked from access by the kernel security module, col. 4 lines 12-19, col. 6 lines 28-46).
Zadok teaches the feature not taught by Goyal, wherein the base file system is writeable ([0037], [0080]: requests such as file creation or writing to a file can be passed on to an underlying file system in a stacked file system, reading on an overlay file system, after vetting).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Goyal. It would have been desirable to do so since incorporating a writeable base file system into the system of Goyal would provide for increased portability of the base file system since changes made to the files would be stored in the base file system and not just the overlay layer, e.g. a base layer could be moved to a different mounting 
As for claim 2, the combination of Goyal and Zadok teaches the method as described in claim 1. Goyal teaches the additional step wherein the file-based activity is one of: creation of a file, deletion of a file, and modification of a file (col. 6 lines 37-43: kernel security module will determine if an application has read/write access, reading on modification of a file).
Zadok offers an additional and somewhat more explicit teaching of the feature wherein the file-based activity is one of creation of a file, deletion of a file, and modification of a file ([0075]: anti-virus stackable file system will detect changes made to a file indicative of a virus signature).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Goyal. It would have been desirable to do so since incorporation of the ability to analyze a file to detect changes made to it would enhance the forensic analysis conducted by Goyal’s system and thereby increase the accuracy of detection of malicious file-based activity, thus increasing the utility of Goyal’s invention.

As for claim 3, the combination of Goyal and Zadok teaches the method as described in claim 1. 
Zadok teaches the additional feature not taught by Goyal wherein
has been modified as a result of the file-based activity ([0075]: anti-virus stackable file system will detect changes made to a file indicative of a virus signature). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Goyal. It would have been desirable to do so since incorporation of the ability to analyze a file to detect if changes have been made to it would enhance the forensic analysis conducted by Goyal’s system and thereby increase the accuracy of detection of malicious file-based activity, thus increasing the utility of Goyal’s invention.
As for claim 4, the combination of Goyal and Zadok teaches the method as described in claim 3. Zadok teaches the additional features not taught by Goyal further including extracting file features from the given file upon a determination that the given file has been modified as a result of the file-based activity ([0075]: AVS quarantines the virus after detection).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Goyal. It would have been desirable to do so since incorporation of the ability to extract file features after detecting modifications made to it would enhance the forensic analysis conducted by Goyal’s system since these features could, for example, be studied by an administrator or be sent to a security analysis provider such as an anti-virus software vendor, and thereby increase the accuracy of detection of malicious file-based activity, thus increasing the utility of Goyal’s invention.

As for claim 5, the combination of Goyal and Zadok teaches the method as described in claim 4. Zadok teaches the additional features not taught by Goyal further including using the file features extracted to identify one or more indicators of compromise ([0082]-[0083]: virus scanner may use pattern matching to identify a viral signature).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Goyal. It would have been desirable to do so since incorporation of the ability to extract file features after detecting modifications made to the file in order to detect indicators of compromise would enhance the forensic analysis conducted by Goyal’s system since these features could, for example, then be studied by an administrator or be sent to a security analysis provider such as an anti-virus software vendor, and thereby increase the accuracy of detection of malicious file-based activity, thus increasing the utility of Goyal’s invention.

As for claim 6, the combination of Goyal and Zadok teaches the method as described in claim 5. Zadok teaches the additional features not taught by Goyal further including determining whether the subject associated with the file-based activity is malicious based on the one or more indicators of compromise ([0082]-[0083]: virus scanner may use pattern matching to identify a viral signature associated with a process attempting to write to a file).


As for claim 7, the combination of Goyal and Zadok teaches the method as described in claim 6. Zadok teaches the additional features not taught by Goyal wherein the predetermined action to protect the file system is one of: issuing an alert, blocking additional file-based activity associated with the subject ([0075]: as soon as a process, i.e. an application, attempts to write a virus, the antiviral file system (AVFS) returns an error to the process before the changes are made to the file), quarantining the suspect ([0075]: suspect file is quarantined), reassigning trust dynamically to hide certain files, injecting one or more new deceptions, and gathering and sharing threat intelligence. 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Goyal. It would have been desirable to do so since incorporation of predetermined actions such as quarantine of a file or blocking file-based activity by an 

As for claims 8-14 and 15-21, these claims are drawn to the apparatus and computer program product respectively that correspond to the method of claims 1-7. Claims 8-14 and 15-21 teach substantially the same limitations as claims 1-7 and are therefore rejected on the same basis as claims 1-7.

(2) Response to Argument
The Appellant’s arguments are addressed in the order in which they are presented in his Brief.
Appellant’s Argument:
On pages 5-6 of his Brief the Appellant argues that the combination of references (Goyal and Zadok) cited in the 35 USC Sec. 103 rejection of the claims fails to teach the limitations of claims 1, 2, 8, 9, 15 and 16. The Appellant stresses the view that the references fail to teach the claimed steps of: “…as the subject performs file-based activity in the particular file system overlay, capturing information indicative of the file-based activity; analyzing the captured information to determine whether the subject associated with the file-based activity is malicious…”
The Appellant argues on page 6 of his brief that the Goyal reference in particular fails to teach the steps of “…capturing information indicative of file based activity...”. The Appellant argues that the “security context label” taught by Goyal is not equivalent to the claimed “captured information”. The Appellant argues that this is because Goyal’s 
Examiner’s Rebuttal:
The Examiner disagrees with the Appellant’s interpretation of Goyal and maintains that the reference does indeed teach the claimed features at the sections cited in the rejection, i.e., col. 2 lines 49-53 and col. 6 lines 13-46. 
In these sections Goyal teaches the steps where a kernel security module or mandatory access controls (MAC) evaluates a request by a user or application for access to a resource such as a file.  At col. 6 lines 35-36 for example, Goyal teaches the steps where the MAC will evaluate an access request for a file by reading a “security context label” from the file, and compare this to a “security context label” associated with the application or user requesting access, and then determine if the application is permitted access to the file according to a security policy.  
The Examiner maintains that these steps of Goyal read on the claimed steps of capturing information indicative of file-based activity as a user performs a file-based activity. Here, the user or application is performing the “file-based” activity of requesting access to a file. The MAC “captures” the security context label by reading the file or file metadata. The security context label is indicative of a file-based activity because it controls whether a request to open the file will be granted.
Appellant’s Argument:

Examiner’s Rebuttal: 
The Examiner disagrees with the Appellant’s interpretation of Goyal and maintains that the reference does indeed teach the claimed features at the sections cited in the rejection, i.e., col. 2 lines 49-53 and col. 6 lines 13-46. For example, at col. 6 lines 13-15 Goyal teaches the steps where the MAC enforces a predetermined “security policy” for both a file and an application or user requesting access to the file by comparing the “security context label” for the file and for the requesting application or user with the predetermined security policy in order to determine if the user or application is allowed access. If the security policy does not allow access, then the MAC prohibits it. The Examiner maintains that these steps read on the claim limitation of a forensic analysis of the captured information, i.e., the security context label, to determine whether the subject associated with the file-based activity is malicious. The Appellant’s instant specification at, for example, paragraph [0005] defines “subject” as a process or a user. Goyal’s steps for determining whether an unauthorized application or user is seeking access to a file reads on determining if the application or user is “malicious” since the broadest reasonable interpretation of the term “malicious” in this claim context would include behavior such as seeking unauthorized access to a file. 
Appellant’s Argument:
The Appellant argues on pages 8-9 of his Brief that the Zadok reference fails to teach the limitation of claims 3, 10, and 17 wherein, in the analyzing operation, a determination is made as to whether an individual file has been modified. The Appellant stresses the view that the cited sections of Zadok: paragraphs [0073] and [0075], merely teach the steps where an antivirus scanner compares a present cryptographic hash of a file to determine if it matches a hash value from a set of previous hashes for the file, wherein a pattern match represents that the file has previously been found to be a virus.
Examiner’s Rebuttal:
The Examiner disagrees with the Appellant’s interpretation of Zadok, particularly regarding paragraph [0075]. Here, Zadok teaches the steps wherein, when a file is being written to, a virus scanner makes a backup copy of the original file and monitors the data being written to the original file for known viral signatures. If such a signature is found, the scanner allows the write operation to proceed, but quarantines the modified file and then reverts to the original backup version. The scanner then notifies an administrator of the event.  The Examiner maintains that these steps of Zadok read on the claim limitations wherein a forensic examination is undertaken of captured information from a file as a subject performs a file-based activity, in this case a write 
Appellant’s Argument:
The Appellant argues on page 9 of his brief that Zadok fails to teach the limitation of claims 4, 11, and 18 wherein individual file features are extracted from a given file being analyzed. The Appellant argues that Zadok merely teaches the steps where a virus signature is recognized and if so the file is placed in quarantine and that these steps do not read on the claim limitation. The Appellant further argues that as a result, Zadok also fails to teach the limitations of claims 5, 12, and 19 drawn to “using extracted file features”.
Examiner’s Rebuttal:
The Examiner disagrees with the Appellant’s interpretation of Zadok, particularly regarding the paragraphs [0082] and [0083]. Here, Zadok teaches the steps wherein a virus scanner will match known viral signatures from a virus definition database in the form of characteristic strings or simple sequences of characters, to portions of a file as it is being written. This reads on extraction of individual file features and using the extracted file features. As per Zadok at [0075], the anti-viral scanner quarantines the virus after detection.
Appellant’s Argument:
The Appellant argues on page 10 of his Brief that the Goyal and Zadok references both fail to teach the limitation of claims 6, 7, 13, 14, 20, and 21 wherein a determination is made as to whether a subject associated with a file-based activity is “malicious”. The Appellant repeats his earlier argument that Goyal’s steps for evaluation 
Examiner’s Rebuttal: 
The Examiner disagrees with the Appellant’s interpretation of Goyal and maintains that the reference does indeed teach the claimed feature of determining if a subject is malicious.
The Appellant’s instant specification at, for example, paragraph [0005] defines “subject” as a process or a user. 
At col. 2 lines 49-53 and col. 6 lines 13-46 Goyal teaches steps for determining whether an unauthorized application or user, i.e., a subject, is seeking access to a file. Here, Goyal teaches the steps where a kernel security module or mandatory access controls (MAC) evaluates a request by a user or application for access to a resource such as a file by reading a “security context label” from the file, and comparing this to a “security context label” associated with the application or user requesting access, and then determining if the user or application is permitted access to the file according to a security policy.  These steps read on determining if the application or user, i.e. the subject, is “malicious” since the broadest reasonable interpretation of the term “malicious” in this claim context would include behavior such as seeking unauthorized access to the file.
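As an added illustration (not code from Goyal, Zadok, or the appealed application), the following Python sketch models the two mechanisms the rebuttals above rely on: the security-context-label check attributed to Goyal at col. 2 and col. 6, and the backup, scan, quarantine and revert sequence attributed to Zadok at [0075] and [0082]-[0083]. The labels, paths, signature strings and the OverlayFS, scan and demo names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed signature strings in the form Zadok describes ([0082]-[0083]).
SIGNATURES = {b"SAMPLE-SIG-ALPHA": "sample-alpha", b"SAMPLE-SIG-BETA": "sample-beta"}

def scan(data: bytes):
    """Return the name of the first known signature found in data, else None."""
    for sig, name in SIGNATURES.items():
        if sig in data:
            return name
    return None

@dataclass
class OverlayFS:
    # Goyal-style labels: every subject (process or user) and every file carries
    # a security context label; policy holds the (subject, file) label pairs
    # permitted to write.  All labels and paths here are constructed.
    subject_labels: dict
    file_labels: dict
    policy: set
    base: dict = field(default_factory=dict)        # writeable base file system
    quarantine: dict = field(default_factory=dict)  # quarantined modified files
    log: list = field(default_factory=list)         # captured file-based activity

    def write(self, subject: str, path: str, data: bytes) -> str:
        self.log.append((subject, "write", path))   # capture the activity
        s_label = self.subject_labels.get(subject, "unlabelled")
        f_label = self.file_labels.get(path, "unlabelled")
        if (s_label, f_label) not in self.policy:   # step 1 (Goyal): MAC check
            self.log.append((subject, "denied", path))
            return "denied"
        backup = self.base.get(path)                # step 2 (Zadok [0075]):
        self.base[path] = data                      # keep a backup, let the
        hit = scan(data)                            # write land, then scan it
        if hit is None:
            return "ok"
        self.quarantine[path] = data                # quarantine modified file
        if backup is None:                          # revert to original content
            del self.base[path]
        else:
            self.base[path] = backup
        self.log.append((subject, "quarantined", path, hit))  # admin notice
        return "quarantined"

def demo():
    """Constructed writes: clean and permitted, label-denied, and a signature hit."""
    fs = OverlayFS(
        subject_labels={"editor": "user_t", "updater": "system_t"},
        file_labels={"/etc/hosts": "system_file", "/home/a/notes": "user_file"},
        policy={("user_t", "user_file"), ("system_t", "system_file")},
    )
    r1 = fs.write("editor", "/home/a/notes", b"benign text")
    r2 = fs.write("editor", "/etc/hosts", b"127.0.0.1 example")
    r3 = fs.write("updater", "/etc/hosts", b"x SAMPLE-SIG-ALPHA y")
    return r1, r2, r3, dict(fs.base), dict(fs.quarantine), list(fs.log)
```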




Respectfully submitted,
/PAUL E CALLAHAN/Primary Examiner, Art Unit 2437

Conferees:
/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437
/BENJAMIN E LANIER/Primary Examiner, Art Unit 2437




Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.