Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Election/Restriction
2. No restrictions are warranted at the initial time of filing for patent.

Priority
3. Applicant claims domestic priority under 35 U.S.C. 119(e) to a provisional application filed on 11/22/2019.

Information Disclosure Statement
4. The information disclosure statements (IDS) submitted on 09/30/2020, 1/22/2021, 06/22/2021, 8/802021, 10/22/2021 and 12/22/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Oath/Declaration
5. Applicant's Oath was filed on 09/30/2020. 

Drawings
6. Applicant's drawings filed on 09/30/2020 have been inspected and are in compliance with MPEP 608.01.

Specification
7. Applicant's specification filed on 09/30/2020 has been inspected and is in compliance with MPEP 608.02. 

Claim Objections
8. No objections are warranted at the initial time of filing for patent.

Remarks
9. The Examiner requests that Applicant review the relevant prior art listed under the Conclusion of this Office action.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


10. 	Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 

Step one: Are the claims at issue directed to a statutory category?
Yes. The claims recite a series of steps, i.e., identifying, by a data protection system, one or more input operations and one or more output operations performed between a source and a storage system; identifying, by the data protection system, an

Step 2A — Prong 1: Is a Judicial Exception recited?
Yes. The claim recites the limitation of identifying, by a data protection system, one or more input operations and one or more output operations performed between a source and a storage system; identifying, by the data protection system, an anomaly in a relationship between the one or more input operations and the one or more output operations. This limitation, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, the claim encompasses a user detecting and identifying, in the mind, that attributes regarding a request to open a secure folder may be suspicious. Thus, the claim recites a mental process.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim further recites the limitation of determining, by the data protection system based on the identifying of the anomaly, that the storage system is possibly being targeted by a security threat. As drafted, the limitations are a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For

Step 2A — Prong 2: Are the claims integrated into a practical application?
No. The claim recites three elements: identifying an operation; identifying an anomaly between the relationship and the operations; and determining that the storage is possibly being targeted by a threat. The detecting, identifying and determining steps are recited at a high level of generality (i.e., as a general means of identifying an operation, identifying an anomaly between the relationship and the operations, and determining that the storage is possibly being targeted by a threat for use in the series of steps), and amount to mere data gathering, which is a form of insignificant extra-solution activity. The processor that performs the identifying and determining steps is also recited at a high level of generality, and merely automates the detecting, identifying, determining and throttling steps. Each of the additional limitations is no more than mere instructions to apply the exception using a generic computer component (processor). The combination of these additional elements is no more than mere instructions to apply the exception using a generic computer component (processor). Accordingly, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to the abstract idea.

Step 2B: Do the claims provide an inventive concept?
No. As discussed with respect to Step 2A Prong Two, the additional elements in the claim amount to no more than mere instructions to apply the exception using a generic computer component. The same analysis applies here in 2B, i.e., mere instructions to apply an exception on a generic computer cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B.
Under the 2019 PEG, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. Here, the identifying and determining steps were considered to be extra-solution activity in Step 2A, and thus they are re-evaluated in Step 2B to determine if they are more than what is well-understood, routine, conventional activity in the field. The background of the example does not provide any indication that the processor is anything other than a generic, off-the-shelf computer component, and the Symantec, TLI, and OIP Techs. court decisions cited in MPEP 2106.05(d)(II) indicate that mere collection or receipt of data over a network is a well-understood, routine, and conventional function when it is claimed in a merely generic manner (as it is here). Accordingly, a conclusion that the collecting step is well-understood, routine, conventional activity is supported under Berkheimer Option 2.
For these reasons, there is no inventive concept in the claim, and thus it is ineligible.

11. Claims 12-19 are rejected under 35 U.S.C. 101 because claims 12-19 recite “a system” but as the system does not have a specific definition in the specification

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

12. 	Claims 1-8 and 10-20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by U.S. Publication No. 20180054454 hereinafter Astigarraga.

As per claim 1, Astigarraga discloses:
A method (para 0003 “A computer-implemented method according to one embodiment includes identifying a cloud computing environment, establishing a baseline associated with input and output requests within the cloud computing environment, monitoring activity associated with the cloud computing environment, comparing the activity to the baseline, and performing one or more actions, based on the comparing.”) comprising:
identifying, by a data protection system, one or more input operations and one or more output operations performed between a source and a storage system (para 0003 “A computer-implemented method according to one embodiment includes identifying a cloud computing environment, establishing a baseline associated with input and output requests within the cloud computing environment, monitoring activity associated with the cloud computing environment, comparing the activity to the baseline, and performing one or more actions, based on the comparing.”):
 identifying, by the data protection system, an anomaly in a relationship between the one or more input operations and the one or more output operations (para 0065 “In one embodiment, performing the one or more actions may include flagging the activity if the activity deviates from the baseline by more than a predetermined amount. For example, the activity may be flagged as an anomaly if the activity deviates from the baseline by more than a predetermined amount. For instance, the activity may include a downloading of an abnormally large volume of data from one or more storage devices of the cloud computing 
and determining, by the data protection system based on the identifying of the anomaly, that the storage system is possibly being targeted by a security threat (Para 0066 “Further, in one embodiment, performing the one or more actions may include examining the activity if the activity is flagged as an anomaly. For example, examining the activity may include comparing the activity to one or more predetermined security threat criteria. For instance, the security threat criteria may include user-submitted criteria indicative of a security threat, criteria indicative of a threat that was developed based on previous monitoring of the cloud computing environment (e.g., before the current activity is monitored), etc.”).

As per claim 2, Astigarraga discloses:
The method of claim 1, wherein the identifying of the anomaly in the relationship between the one or more input operations and the one or more output operations comprises: identifying a timing between the one or more input operations and the one or more output operations; and determining, based on the timing, that the one or more input operations and the one or more output operations are correlated (para 0057 and 0058).

As per claim 3, Astigarraga discloses:


As per claim 4, Astigarraga discloses:
The method of claim 3, wherein the determining that the one or more input operations and the one or more output operations are performed in accordance with the identifiable pattern comprises determining that the one or more input operations and the one or more output operations progress through sequentially numbered logical storage units of a storage structure within the storage system (para 0058, 0060 0062, 0065, and 0067).

As per claim 5, Astigarraga discloses:
The method of claim 4, wherein the sequentially numbered logical storage units comprise sectors of the storage structure (para 0073, 0074, and 0078). 

As per claim 6, Astigarraga discloses:
The method of claim 3, wherein the determining that the one or more input operations and the one or more output operations are performed in accordance with the identifiable pattern comprises determining that the one or more input operations and the one or more output operations are continuous from a 

As per claim 7, Astigarraga discloses:
The method of claim 1, wherein the identifying of the anomaly in the relationship between the one or more input operations and the one or more output operations comprises: determining that the one or more output operations include read operations that cause data stored by the storage system for more than a predetermined amount of time to be transmitted from the storage system to the source; identifying a total amount of the data transmitted from the storage system to the source; determining that the one or more input operations include write operations that write new data to the source; and determining that a total amount of the new data is within a threshold amount of the total amount of the data transmitted from the storage system to the source (para 0056-0065).

As per claim 8, Astigarraga discloses:
The method of claim 7, wherein the identifying of the anomaly in the relationship between the one or more input operations and the one or more output operations further comprises determining that the write operations each occur within a threshold amount of time after an occurrence of a different one of the read operations (para 0056, 0059 and 0062-0065).


As per claim 10, Astigarraga discloses:
The method of claim 7, wherein the identifying of the anomaly in the relationship between the one or more input operations and the one or more output operations further comprises determining that each data instance included in the data transmitted from the storage system to the source is only transmitted one time to the source (para 0061, 0067, 0068, 0073, 0074, and 0078). 

As per claim 11, Astigarraga discloses:
The method of claim 1, further comprising performing, by the data protection system in response to the determining that the storage system is possibly being targeted by the security threat, a remedial action with respect to the storage system (para 0066).

As per claim 12, the implementation of the method of claim 1 will execute the system of claim 12. The claim is analyzed with respect to claim 1. 

As per claim 13, the claim is analyzed with respect to claim 2. 

As per claim 14, the claim is analyzed with respect to claim 3. 

As per claim 15, the claim is analyzed with respect to claim 4. 

As per claim 16, the claim is analyzed with respect to claim 6. 

As per claim 17, the claim is analyzed with respect to claim 7.

As per claim 18, the claim is analyzed with respect to claim 8.

As per claim 19, the claim is analyzed with respect to claim 10.

As per claim 10, the implementation of the method of claim 1 will execute the non-transitory computer-readable medium (paragraph 0084) of claim 20. The claim is analyzed with respect to claim 1. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.


13.	Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Astigarraga in view of U.S. Publication No. 20130036465 hereinafter Chuan.

As per claim 9, Astigarraga discloses:
The method of claim 7, wherein the identifying of the anomaly in the relationship between the one or more input operations and the one or more output operations (para 0056-0065)

Astigarraga does not disclose:
determining that a data transmitted from a storage system to a source has not been read from the storage system for more than a threshold amount of time prior to the read operations being performed  

Chuan discloses:
determining that a data transmitted from a storage system to a source has not been read from the storage system for more than a threshold amount of time prior to the read operations being performed (para 0027 “The tracking data store may comprise storage locations for storing tracking data for a predetermined number of outstanding read requests issued by the second read request path. Typically, maintenance of an entry in the tracking store requires a certain area and processing overhead, and so to conserve area and power consumption, the tracking data store would store entries for a limited number of outstanding read requests. The present technique recognizes that it is likely that only a few read requests at a time would be latency-critical and so it will often be sufficient for the second read request path to handle only a predetermined number of outstanding read requests at a time. On the rare occasions when the tracking data store becomes fully occupied with tracking data for the predetermined number of outstanding read requests which have not yet completed, then the second read request path may prevent further read requests entering the second read request path until one of the predetermined number of outstanding read requests has completed. This maintains security of the read data because read requests are prevented from being issued using the second read request path if it would not be possible to store the tracking data indicating whether a security violation occurred for that request.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of establishing a baseline associated with input and output requests within the cloud computing environment of Astigarraga to include determining that a data transmitted from a storage system to a source has not been read from the storage system for more than a threshold amount of time prior to the read operations being performed, as taught by Chuan.
The motivation would have been to maintain security of the read data, since read requests are prevented from being issued using a second read request path, thereby indicating whether a security violation occurred for that request (Chuan paragraph 0027).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
U.S. Publication No. 20180351969 discloses in paragraph 0020 “Ransomware is a fast growing category of malware. Ransomware is a type of
data. Some types of ransomware may lock a user device or system to prevent the user from access to their device or system. Other types of ransomware may encrypt the user's personal data, such as word processing documents, photographs, music, video, and email, using encryption software. In such cases, the user may be required to pay a ransom to regain access. Steganography is one such method to infect devices and networks with ransomware.” Paragraph 0058 “The malware analytics module 140 may retrieve a magic number from the header. The magic number may be a numerical or text value used to identify the file format or protocol. For example, the magic number may be bytes within the file used to identify the format of the file. Typically, the magic number is a short sequence of bytes (e.g., 4 bytes long) placed at the beginning of the file. For example, for a portable executable (PE) file, the hex signature may be "4D 5A" and the magic number may be "MZ." The malware analytics module 140 may verify the magic number to obtain the pointer to the section header of the file.”

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel, can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2491