Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Election/Restrictions
2.    NO restrictions warranted at initial time of filing for patent.

Priority
3.    Applicant claims domestic priority under 35 U.S.C. 119(e) to the provisional application filed on 11/08/2013.
Information Disclosure Statement
4.    The information disclosure statements (IDS) submitted on 04/07/2020, 12/21/2020 and 09/15/2020 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Oath/Declaration
5.    Applicant’s Oath was filed on 04/06/2020.

Drawings
6.    Applicant’s drawings filed on 04/06/2020 have been inspected and are in compliance with MPEP 608.01.
Specification

Claim Objections
8.    NO objections warranted at initial time of filing for patent.

Remarks
9.	The examiner requests that Applicant review the relevant prior art cited at the conclusion of this office action.


EXAMINER'S AMENDMENT
10.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

11.	Authorization for this examiner’s amendment was given in an interview with Jeffrey Zahn on 12/20/2021.

The application has been amended as follows: 
1.	(Currently Amended) A non-transitory storage medium storing instructions readable and executable by an electronic processor to perform a ransomware attack (RWA) detection method comprising:

	extracting file metadata from the received incremental or differential backup metadata for the files which are new or deleted since the last incremental or last full backup of the computer or network of computers;
	identifying candidate new files and candidate deleted files in which the candidate new files are candidates for being encrypted copies of the candidate deleted files, the candidate new files and the candidate deleted files being identified using the extracted file metadata; [[and]]
	generating a RWA alert [[if]] when the identified candidate new files and the candidate deleted files meet a RWA alert criterion computed using the extracted file metadata; and
	the RWA alert triggering a RWA remediation including at least disabling the computer or network of computers via the electronic network in response to the RWA alert when a RWA alert verification criterion is satisfied, wherein the RWA alert verification criterion is more than a predetermined threshold number or a fraction of sampled candidate new files being encrypted as indicated by an entropy analysis exceeding a verification threshold.


via the electronic network, receiving file content including (i) copies of the files identified in the incremental or differential backup metadata as new since the last incremental or last full backup of the computer or network of computers and (ii) at least changes for the files identified in the incremental or differential backup metadata as modified since the last incremental or last full backup of the computer or network of computers; and
updating a backup of the computer or network of computers stored on a data storage with the received file content.

3.	(Original)  The non-transitory storage medium of claim 2 wherein the identifying of the candidate new files and the candidate deleted files does not use the received file content.

	4.	(Canceled)  

	5.	(Canceled)  

	6.	(Original)  The non-transitory storage medium of claim 1 wherein the identifying of candidate new files and candidate deleted files comprises identifying 

	7.	(Original)  The non-transitory storage medium of claim 1 wherein the identifying of candidate new files and candidate deleted files includes one of: 
identifying candidate new and deleted files based at least in part on similarity of a sum of the file sizes of the new files and a sum of the file sizes of the deleted files; or
identifying candidate pairs of new and deleted files based at least in part on similarity of a file size of the new file of a candidate pair and a file size of the deleted file of the candidate pair.

	8.	(Original)  The non-transitory storage medium of claim 7 wherein the identifying of candidate new files and candidate deleted files comprises identifying candidate pairs of new and deleted files based at least in part on the new file of a candidate pair being larger than the deleted file of the candidate pair.

	9.	(Original)  The non-transitory storage medium of claim 1 wherein the identifying of candidate new and candidate deleted files comprises identifying candidate pairs of new and deleted files based at least in part on a comparison of a file name of the new file of a candidate pair and a file name of the deleted file of the candidate pair. 

	10.	(Original)  The non-transitory storage medium of claim 1 wherein the identifying of candidate new and candidate deleted files comprises identifying candidate pairs of new and deleted files based at least in part on the new and deleted files of a candidate pair being in a same directory or folder of a hierarchical system of folders or directories of the computer or network of computers. 

	11.	(Original)  The non-transitory storage medium of claim 1 wherein the computer or network of computers employs a hierarchical system of folders or directories, and the identifying of candidate new and candidate deleted files is performed on a per-folder or per-directory basis.

	12.	(Original)  The non-transitory storage medium of claim 11 wherein the identifying of candidate new and candidate deleted files comprises identifying candidate pairs of new and deleted files in a folder or directory based on one or more of:
a deletion timestamp of the deleted file of a candidate pair being later in time than a creation timestamp of the new file of the candidate pair;
similarity of a file size of the new file of a candidate pair and a file size of the deleted file of the candidate pair;
a file size of the new file of a candidate pair being larger than a file size of the deleted file of the candidate pair; and/or


	13.	(Currently Amended)  The non-transitory storage medium of claim 11 wherein the RWA alert is generated [[if]] when the identified candidate new and candidate deleted files in at least one folder or directory of the hierarchical system of folders or directories satisfies the RWA alert criterion.

	14.	(Currently Amended)  The non-transitory storage medium of claim 13 wherein the RWA alert is generated [[if]] when the identified candidate new and candidate deleted files in a folder or directory satisfies a folder or directory RWA alert criterion computed using counts of the candidate new files and the candidate deleted files in the folder or directory. 

	15.	(Original)  The non-transitory storage medium of claim 14 wherein:
	the extracting of the file metadata further includes extracting file metadata from the received incremental or differential backup metadata for the files which are modified since the last incremental or last full backup of the computer or network of computers; and
the RWA alert criterion is further based on a count of the modified files in the folder or directory being less than or equal to a maximum modified files count threshold. 



	17.	(Original)  The non-transitory storage medium of claim 15 wherein the folder or directory RWA alert criterion further includes at least:
similarity of a sum of file sizes of the candidate new files in the folder or directory and a sum of file sizes of the candidate deleted files in the folder or directory.

	18.	(Currently Amended)  A ransomware attack (RWA) detection method performed by a backup system including an electronic processor, the RWA detection method comprising:
	receiving incremental or differential backup metadata for a computer or network of computers via an electronic network, the incremental or differential backup metadata identifying files of the computer or network of computers which are new, modified, or deleted since a last incremental or last full backup of the computer or network of computers;
via the electronic network, receiving file content including (i) copies of the files identified in the incremental or differential backup metadata as new since the last incremental or last full backup of the computer or network of computers and (ii) at least changes for the files identified in the incremental or differential backup metadata as modified since the last incremental or last full backup of the computer or network of computers; 

	identifying candidate new files and candidate deleted files in which the candidate new files are candidates for being encrypted copies of the candidate deleted files, the candidate new and candidate deleted files being identified using the extracted file metadata and not using the received file content; and
	performing RWA remediation including at least disabling the computer or network of computers via the electronic network in response to [[one of]]: 
(i) the identified candidate new and candidate deleted files meeting a RWA alert criterion, [[or]] and 
(ii) the identified candidate new and candidate deleted files meeting the RWA alert criterion and a RWA verification subsequently performed on the received file content of at least a sample of the candidate new files, wherein the RWA verification criterion is more than a predetermined threshold number or a fraction of sampled candidate new files being encrypted as indicated by an entropy analysis exceeding a verification threshold.

19.	(Original)  The RWA detection method of claim 18 wherein: 
the computer or network of computers employs a hierarchical system of folders or directories; and 

the RWA alert criterion is applied on a per-folder or per-directory basis. 

20.	(Original)  The RWA detection method of claim 19 wherein the RWA alert criterion applied to a folder or directory is based at least on: 
similarity of a count of the candidate new files in the folder or directory and a count of the candidate deleted files in the folder or directory; and 
similarity of a sum of file sizes of the candidate new files in the folder or directory and a sum of file sizes of the candidate deleted files in the folder or directory.

21.	(Original)  The RWA detection method of claim 19 wherein the identifying of candidate new and candidate deleted files in a folder or directory includes identifying candidate pairs of new and deleted files in which the candidate new file of each pair is a candidate for being an encrypted copy of the candidate deleted file of the pair.

22.	(Original)  The RWA detection method of claim 21 wherein the identifying of candidate pairs of new and deleted files is based on one or more of:
a deletion timestamp of the deleted file of a candidate pair being later in time than a creation timestamp of the new file of the candidate pair;

a file size of the new file of a candidate pair being larger than a file size of the deleted file of the candidate pair; and/or
a comparison of a file name of the new file of the candidate pair and a file name of the deleted file of the candidate pair.

23.	(Currently Amended)  A backup system comprising:
	an electronic processor operatively connected with a cloud data storage; and
	a non-transitory storage medium storing:
backup instructions readable and executable by the electronic processor to perform an incremental or differential backup of a system of folders or directories of a computer or network of computers via an electronic network; and
ransomware attack (RWA) detection instructions readable and executable by the electronic processor to perform RWA detection operations including:
processing incremental or differential backup metadata acquired during the incremental or differential backup to determine whether a RWA alert is issued wherein the processing does not use the file content; [[and]]
in response to the RWA alert being issued, performing a RWA verification comprising encryption detection performed on file content of at least a sample of the candidate new files received during the incremental or differential backup; and
performing RWA remediation including at least disabling the computer or network of computers via the electronic network based and the RWA verification meeting a RWA verification criterion.


24.	(Previously Presented)  The backup system of claim 23 wherein the processing of the incremental or differential backup metadata to determine whether a RWA alert is issued includes:
processing the incremental or differential backup metadata to identify one or more folders or directories that contain candidate new files and candidate deleted files in which the candidate new files are candidates for being encrypted copies of the candidate deleted files, the candidate new and deleted files being identified without using file content; and
issuing the RWA alert based at least in part on at least one folder or directory containing candidate new and candidate deleted files meeting a RWA alert criterion.

25.	(Canceled)  
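The following is an added example, not code from the application or from any product: a Python sketch of the claimed pipeline, pairing new and deleted files per folder from backup metadata alone (claims 7-12), applying the per-folder alert criterion on counts, summed sizes and modified-file count (claims 14, 15, 20), and then verifying the alert by entropy analysis of sampled candidate new files before remediation (claims 1, 18, 23). The metadata records, the 5% similarity tolerance, the thresholds and the sample file contents are all constructed for the example.

```python
import math
import os
from collections import Counter, defaultdict

# Constructed incremental-backup metadata (not from the patent): one record per
# file reported new, modified or deleted; "ts" is a constructed event timestamp.
METADATA = [
    {"path": "/u/docs/report.docx", "status": "deleted", "size": 4000, "ts": 11},
    {"path": "/u/docs/report.docx.crypt", "status": "new", "size": 4032, "ts": 10},
    {"path": "/u/docs/budget.xlsx", "status": "deleted", "size": 9000, "ts": 13},
    {"path": "/u/docs/budget.xlsx.crypt", "status": "new", "size": 9024, "ts": 12},
    {"path": "/u/docs/notes.txt", "status": "modified", "size": 300, "ts": 14},
    {"path": "/u/src/main.c", "status": "modified", "size": 2100, "ts": 15},
    {"path": "/u/src/main.o", "status": "new", "size": 7800, "ts": 16},
    {"path": "/u/src/old.o", "status": "deleted", "size": 200, "ts": 9},
]
# Constructed stand-in for ciphertext: uniform byte frequencies (8.0 bits/byte).
CIPHERTEXT_LIKE = bytes(range(256)) * 16

def similar(a, b, tol=0.05):
    """True when a and b differ by at most tol of the larger value (constructed tolerance)."""
    return abs(a - b) <= tol * max(a, b, 1)

def candidate_pairs(folder_records):
    """Pair new/deleted files of one folder from metadata only: deleted name contained
    in new name, new file at least as large and similar in size, deletion after creation."""
    new = [r for r in folder_records if r["status"] == "new"]
    deleted = [r for r in folder_records if r["status"] == "deleted"]
    pairs = []
    for n in new:
        for d in deleted:
            name_ok = os.path.basename(d["path"]) in os.path.basename(n["path"])
            size_ok = n["size"] >= d["size"] and similar(n["size"], d["size"])
            if name_ok and size_ok and d["ts"] > n["ts"]:
                pairs.append((n, d))
    return pairs

def folders_raising_alert(records, max_modified=2):
    """Per-folder RWA alert criterion: similar counts and summed sizes of candidate
    new vs. candidate deleted files, and at most max_modified merely modified files."""
    by_folder = defaultdict(list)
    for r in records:
        by_folder[os.path.dirname(r["path"])].append(r)
    alerts = {}
    for folder, recs in by_folder.items():
        pairs = candidate_pairs(recs)
        cand_new = {n["path"]: n["size"] for n, _ in pairs}
        cand_del = {d["path"]: d["size"] for _, d in pairs}
        modified = sum(1 for r in recs if r["status"] == "modified")
        if (pairs and similar(len(cand_new), len(cand_del))
                and similar(sum(cand_new.values()), sum(cand_del.values()))
                and modified <= max_modified):
            alerts[folder] = sorted(cand_new)  # candidate new files to sample later
    return alerts

def shannon_entropy(data):
    """Bits per byte of data; close to 8.0 for encrypted or compressed content."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def verification_met(samples, entropy_threshold=7.5, min_fraction=0.5):
    """RWA verification criterion: more than min_fraction of the sampled candidate
    new files have content entropy above entropy_threshold."""
    flagged = sum(1 for c in samples if shannon_entropy(c) > entropy_threshold)
    return bool(samples) and flagged / len(samples) > min_fraction

def remediate(records, fetch_content):
    """Metadata-only alert first, content verification second; True means the
    backup system should disable the computer over the network."""
    alerts = folders_raising_alert(records)
    samples = [fetch_content(p) for paths in alerts.values() for p in paths]
    return bool(alerts) and verification_met(samples)
```

Note that the /u/src folder, where a compiler wrote main.o and removed an unrelated old.o, produces no candidate pair, so the metadata stage raises nothing there and no content is fetched.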


Reasons for Allowance
12.	Claims 1-3 and 6-24 including all of the limitations of the base claim and any intervening claims are allowed.

Closest Prior Art:
U.S. Publication No. 20200034532 discloses on paragraph 0012 “In an example, there is disclosed a computing apparatus, comprising: a processor and a memory; a network interface to communicatively couple to a backup client; a storage to receive backup data from the client, including a plurality of versions and an associated reputation for each version, the associated reputation to indicate a probability that the version is valid; and instructions encoded within the memory to instruct the processor to: receive from the backup client a request to store a new version of the backup data; determine that the client has exceeded a backup threshold; identify a backup version having a lowest reputation for validity; and expunge the backup version having the lowest reputation for validity.” Paragraph 0023-0027 “In a perfect theoretical framework, an unlimited number of backup versions can be retained. If a source is compromised by ransomware, or by any other data loss event (such as, by way of non-limiting example, a hard drive failure, accidental deletion, major changes that need to be “rolled back,” or accidental overwrite), the backup can be rolled back to the last “good” version without the flaw. However, in practice, computing resources are limited, and it may not be 

U.S. Publication No. 20200042703 discloses on paragraph 0016 “In some embodiments, the ransomware encryption is detected by identifying anomalies in the normal behavior of the metadata of the encrypted files. The disclosed ransomware detection techniques detect anomalies in the normal behavior of these files to determine whether the encrypted files, such as encrypted incremental files, that are sent by a customer to a backup service provider, secured by encryption, also contain a ransomware encryption.”

U.S. Publication No. 20190138727 discloses in paragraph 0049 “In certain embodiments, the database may include a risk parameters table 215 that stores any number of parameters that may be employed by the system to score and/or classify files, cloud applications, users, activities and/or events (including ransomware attacks) with respect to risk. Generally, risk parameters may relate to any of the above described user information, application information, file information, and/or event information. Exemplary parameters worth mention may relate to one or more of: application permissions information, application security information, file sensitivity information, file information changes (e.g., changes to a file's name, encryption status, content, format, extension and/or metadata), event activity type (e.g., file renames, file modifications, file deletions); and/or event frequency (e.g., a number of events associated with a particular activity that occur within a given amount of time). The parameters table 215 may also incorporate up-to-date information regarding various ransomware applications (e.g., ransomware definitions) in order to detect ransomware attack events.”

U.S. Publication No. 20170180394 discloses on paragraph 0057 “To distinguish an encrypted modified file from an encrypted original version of the file, without requiring decryption or identifiable metadata, the backup status file 118 may store a prior hash value 204A′-204N′ for any modified file. When a file is first generated or backed up, a hash 204 may be calculated and stored in the status file 118; when the file is subsequently modified, the hash 204 may be stored as a prior hash 204′ and a new hash 204 generated from the modified contents. Both the new hash 204 and prior hash 204′ may be transmitted to a backup service for deduplication comparison, such 

U.S. Patent No. 10650146 discloses in Col. 2 Lines 11-25 “A primary system is comprised of file system data. The file system data includes a plurality of files (e.g., content files, text files, etc.) and metadata associated with the plurality of files. A storage cluster may cause the primary system to perform a backup snapshot of the file system data according to a backup policy and send the backup snapshot to the storage cluster. A backup snapshot may represent the state of the primary system at a particular point in time (e.g., the state of the file system data). The backup snapshot policy may require a full backup snapshot or an incremental backup snapshot to be performed. A full backup snapshot includes the entire state of the primary system at a particular point in time. An incremental backup snapshot includes the state of the primary system that has changed since a last backup snapshot.”

U.S. Publication No. 20200387609 discloses in paragraphs 0015-0125 “In one embodiment of this disclosure, described is a processor implemented method for Paragraph 0031 “However, computers that periodically backup the contents of filesystems generally make space in memory for new backups by deleting older backup versions. For example, computers may delete one or more of the oldest, previously stored backup versions in order to make space for new backup versions. This process of deleting the oldest, previously stored backup versions may be referred to as “aging out” older backup versions. Knowing this, some types of ransomware will not announce its presence in a filesystem (e.g., by demanding the ransom payment) until a certain period of time (e.g., one week) has passed since the initial infection. This waiting period may ensure that all uninfected backup versions of a filesystem will have aged out before the user realizes that his or her files are infected.”

U.S. Publication No. 20190121978 discloses on paragraph 0099 “In some embodiments, the behavior scoring module 130 may receive a notification from the score increasing module 126 of the heuristics module 120 when one or more of the following score-increasing heuristics triggers (e.g., for a computational entity that has already been assigned a potential ransomware category): [0100] Computational entity modifies multiple files. In some embodiments, the higher the number of files modified by the potential ransomware entity, the greater the increase in the threat score. [0101] Computational entity modifies files of multiple file type classes, which distinguishes the 


The following is an Examiner’s Statement of Reasons for Allowance:
Claims 1-3 and 6-24 are allowable because the prior art references, taken individually or in combination, fail to particularly disclose, fairly suggest, or render obvious the claimed subject matter, as argued by the applicant, which the examiner considers persuasive as set forth above.
Although the prior art discloses receiving incremental or differential backup metadata for a computer or network of computers via an electronic network, the incremental or differential backup metadata identifying files of the computer or network of computers which are new, modified, or deleted since a last incremental or last full backup of the computer or network of computers, and extracting file metadata from the received incremental or differential backup metadata for the files which are new or deleted since the last incremental or last full backup of the computer or network of computers, no one or two references anticipate or obviously suggest identifying candidate new files and candidate deleted files in which the candidate new files are candidates for being encrypted copies of the candidate deleted files, the candidate new files and the candidate deleted files being identified using the extracted file metadata.
Nor does the prior art disclose thereafter generating a RWA alert when the identified candidate new files and the candidate deleted files meet a RWA alert criterion computed using the extracted file metadata, and the RWA alert triggering a RWA remediation including at least disabling the computer or network of computers via the electronic network in response to the RWA alert when a RWA alert verification criterion is satisfied, wherein the RWA alert verification criterion is more than a predetermined threshold number or a fraction of sampled candidate new files being encrypted as indicated by an entropy analysis exceeding a verification threshold.
 Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel, can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2491