Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
2.	Applicant’s arguments filed on 12/17/2021 with respect to 35 U.S.C 101 rejection of claims 1-20 have been fully considered and are persuasive.  The 101 rejection of claims 1-20 has been withdrawn. 

3.	Applicant’s arguments filed 06/30/2020, with respect to the 35 U.S.C. § 103 rejection of claim 1-5 and 7-20 as being unpatentable over U.S. Patent No. 10,438,000 (“Gu”) in view of U.S. Patent Application Publication No. 2011/0296237
(“Mandagere”’) and claim 6 was rejected as being unpatentable over the combination of Gu, Mandagere, and U.S. Patent Application Publication No. 2007/0220068 (“Thompson”) have been fully considered. However, upon further consideration, a new ground(s) of rejection is made in view of amended claims.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 

4.	Claims 1-5 and 7-20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 10438000 hereinafter Gu in view of U.S. Publication No. 20110296237 hereinafter Mandagere, and further in view of U.S. Publication No. 20180007069 hereinafter Hunt.

As per claim 1, Gu discloses:
A method (Col. 1 Lines 38-42 “The content of each specific image file in a user's backup set (or other type of file set on an endpoint) is analyzed, for example during a backup of the endpoint to a server or the like. Each analyzed image file is categorized based on the results of analyzing its content.”) comprising:
detecting, by a data protection system for a storage system, a potential data corruption in the storage system (Fig. 5, Col. 8 Lines 40-53 “The image modification detecting module 407 can quantify the degree of detected change, by weighting different types of modifications and/or degrees of change (at any desired level of granularity), at the level of individual image files 307 and/or across the image files 307 of the backup set 309. Where the quantification of the detected changes exceeds a given threshold level, then in response an adjudicating module 409 of the backup image based recovery manager 101 can adjudicate 509 that a cryptographic attack (or in some embodiments other form of file corrupting event) has occurred on the endpoint 300. It is to be understood 
determining corruption-free recovery point for potential use to recover from the potential data corruption (Col. 8 Line 65 — Col. 9 Line 17 “In one embodiment, the security action executing module 411 uses the categorization metadata 311 on the backed to identify 513 when the endpoint 300 was first
compromised by the corruption event /attack, and then automatically recovers 515 all of the files of the backup set 309 (not just the image files 307), using the most recent backed-up version 313 from prior to the attack/corruption event (or prompts the user to initiate such a recovery operation). More specifically, successive prior backed-up versions 313 of one or more image files 307 detected as having been changed can be analyzed, categorized and compared to the corresponding categorization metadata 311, until a version 313 is identified in which the image file(s) 307 being analyzed have not been modified to a degree in excess of a given threshold (e.g., the categorization of the given version 313 of the image files 307 matches the corresponding categorization metadata 311 within the threshold margin). Once the point of corruption is established, the all of the files (not just the image files 307) are recovered from the last backed-up version 313 of the backup set 309 prior to that point.”);. 

Gu does not disclose:

analyzing, by a data protection system in response to the detecting of the potential data corruption, one or more metrics of the storage system by obtaining one or more of data maintained by the controller or phone home data transmitted by the storage system to a cloud- based monitoring system; and
determining, by the data protection system based on the analyzing of the one or more metrics of the storage system, a corruption-free recovery point 

Mandagere discloses:
analyzing, by a data protection system in response to the detecting of the potential data corruption, one or more metrics of the storage system (para 0028 “In step 208, a problem description query for an entity with corrupted data is received, the problem description query is parsed, and a problem search criterion is generated based on information parsed from the problem description query. The query parser 108 receives a problem description query for an entity with corrupted data, parses the problem description query, and generates a problem search criterion based on information parsed from the problem description query.” Para 0030 “In step 210, dependencies relied on by the entity to function are determined and the dependencies are correlated in an entity dependency graph. For example, the dependencies are at different levels in an end-to-end system associated with the entity. In one embodiment, the dependency generator 
determining, by the data protection system based on the analyzing of the one or more metrics of the storage system, a corruption-free recovery point (para 0038 “In step 216, at least one data restore point is selected that was created prior to an occurrence of a particular event in the at least one signature match event.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of analyzing user’s data of Gu to include the method of analyzing, by a data 
The motivation would have been to properly verify that a file is corrupted file.

Gu does not disclose:
storage system comprising a controller configured to control operations of one or more storage structures within which one or more hosts connected to the storage system store data
one or more metrics of the storage system by obtaining one or more of data maintained by the controller or phone home data transmitted by the storage system to a cloud- based monitoring system

	Hunt discloses: 
storage system comprising a controller configured to control operations of one or more storage structures within which one or more hosts connected to the storage system store data (para 0019 “FIG. 1 is a block diagram illustrating a system 100 in which ransomware attacks on local data may be blocked from infecting the user's cloud storage data according to one embodiment. A user at workstation 110 has an account with a cloud storage service.” para 0020 “A cloud storage API 120 installed on the user workstation 110 provides the interface to allow reading, writing, creating, and deleting of files in the cloud storage system. File activity typically traverses one or more networks 130, which 
one or more metrics of the storage system by obtaining one or more of data maintained by the controller or phone home data transmitted by the storage system to a cloud- based monitoring system (para 0036 “FIG. 2 is a flowchart 200 illustrating a technique for detecting ransomware activity according to one embodiment. In block 210, file operation requests made by the user workstation 110 are detected and analyzed. Because ransomware file operations are individually ordinary file operations, any one specific file operation is generally not recognizable as an indication of ransomware activity. Thus in block 220 the behavior is recorded to allow detection of sequences of actions that together may indicate ransomware activity, such as the sequences described above.” Para 0037 “In addition, even a sequence of activity in isolation such as a single read and write of a file with different data may not indicate ransomware activity. Therefore, to avoid false positive detections, embodiments may use a heuristic approach that recognize multiple sequences of activity as an indication of ransomware activity. For example, an embodiment may define a threshold number of events in a time period as an indication of ransomware 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of analyzing user’s data of Gu in view of Mandagere and Hunt to include storage system comprising a controller configured to control operations of one or more storage structures within which one or more hosts connected to the storage system store data and one or more metrics of the storage system by obtaining one or more of data maintained by the controller or phone home data transmitted by the storage system to a cloud- based monitoring system, as taught by Hunt.
The motivation would have been to properly verify through a controller that a file is corrupted file.

As per claim 2, Gu in view of Mandagere and Hunt discloses:
The method of claim 1, further comprising: selecting, by the data protection system based on the corruption-free recovery point, a recovery dataset corresponding to the corruption-free recovery point; and restoring, by the 

As per claim 3, Gu in view of Mandagere and Hunt discloses:
The method of claim 2, further comprising determining, by the data protection system, that the storage system is possibly being targeted by a security threat that causes the potential data corruption (Gu Fig. 5, Col. 8 Lines 40-53 and Col. 8 Line 65 — Col. 9 Line 17).

As per claim 4, Gu in view of Mandagere and Hunt discloses:
The method of claim 3, wherein the recovery dataset comprises one or more of a recovery dataset generated prior to the determining that the storage system is possibly being targeted by the security threat or a recovery dataset generated after the determining that the storage system is possibly being targeted by the security threat (Gu Fig. 5, Col. 8 Line 65 — Col. 9 Line 17 and Col. 9 Lines 18-30).

As per claim 5, Gu in view of Mandagere and Hunt discloses:
The method of claim 4, wherein the recovery dataset generated prior to the determining that the storage system is possibly being targeted by the security threat comprises a provisional ransomware recovery structure that can only be deleted or modified in accordance with one or more ransomware recovery parameters (Gu Col. 9 Lines 18-30).
As per claim 7, Gu in view of Mandagere and Hunt discloses:
The method of claim 5, wherein the one or more ransomware recovery parameters specify a retention duration before which the provisional ransomware recovery structure can be deleted or modified (Gu Col. 9 Lines 18-30).

As per claim 8, Gu in view of Mandagere and Hunt discloses:
The method of claim 3, further comprising: receiving, by the data protection system, user input; wherein the determining that the storage system is possibly being targeted by the security threat is based on the user input (Gu Col. 8 Lines 40-53, Col. 8 Line 65 — Col. 9 Line 5).

As per claim 9, Gu in view of Mandagere and Hunt discloses:
The method of claim 3, further comprising: identifying, by the data protection system, an anomaly with respect to the storage system; wherein the determining that the storage system is possibly being targeted by the security threat is based on the identifying of the anomaly (Gu Fig. 5, Col. 8 Lines 40-53). 

As per claim 10, Gu in view of Mandagere and Hunt discloses:
The method of claim 2, wherein the restoring is further based on a version of the data stored by the storage system that resides on a system other than the storage system (Gu Fig. 3).

As per claim 11, Gu in view of Mandagere and Hunt discloses:


As per claim 12, Gu in view of Mandagere and Hunt discloses:
The method of claim 11, further comprising: receiving, by the data protection system, user input based on the visualization (Gu Col. 8 Lines 40-53, Col. 8 Line 65 — Col. 9 Line 5) and (Mandagere para 0022, The motivation would have been to properly view the metrics to determine a potential file corruption);
wherein the determining of the corruption-free recovery point is further based on the user input (Gu Col. 8 Lines 40-53, Col. 8 Line 65 — Col. 9 Line 5) 

As per claim 13, Gu in view of Mandagere and Hunt discloses:
The method of claim 1, wherein the data protection system is implemented by a controller within the storage system (Gu Figs. 1 and 3).

As per claim 14, Gu in view of Mandagere and Hunt discloses:
The method of claim 1, wherein the data protection system is implemented by a computing system communicatively coupled to the storage system by way of a network (Gu Figs. 1 and 3).

As per claim 15, the implementation of the method of claim 1 will execute
the system of claim 1. The claim is analyzed with respect to claim 1.

As per claim 16, the claim is analyzed with respect to claim 2.

As per claim 17, the claim is analyzed with respect to claim 3.

As per claim 18, the claim is analyzed with respect to claim 4.

As per claim 19, the claim is analyzed with respect to claim 5.

As per claim 20, the implementation of the method of claim 1 will execute
the non-transitory computer-readable medium (Mandagere paragraph 0008)
of claim 1. The claim is analyzed with respect to claim 1.

5. 	Claims 6 is rejected under 35 U.S.C. 103 as being unpatentable over Gu in view of Mandagere, and in view of Hunt, and further in view of U.S. Publication No. 20070220068 hereinafter Thompson.

As per claim 6, Gu in view of Mandagere and Hunt discloses:
The method of claim 5, wherein the one or more ransomware recovery parameters (Gu Fig. 5, Col. 8 Line 65 — Col. 9 Line 17 and Col. 9 Lines 18-30)

Gu in view of Mandagere and Hunt does not disclose:
specify a number or type of authenticated entities that have to approve a deletion or modification of the provisional ransomware recovery structure before the provisional ransomware recovery structure can be deleted or modified 

Thompson discloses:
specify a number or type of authenticated entities that have to approve a deletion or modification of the provisional ransomware recovery structure before the provisional ransomware recovery structure can be deleted or modified (para 0081 “As noted above, the file a user works on is placed in an underrevision directory, and the system maintains a mirror copy of the file. In this regard, users access files on the server, and back-up/mirror copies are maintained. Therefore, when users access the system it appears to the users that the files they are editing are actually being changed. In this regard, each of the clients is allowed to write information to the files on the system. This is particularly useful since the client is enabled to make virtually whatever modifications to the files as the client may desire; however, the mirror files are not modified until the changes are authorized by an approver, thus, the system allows for readily restoring files after authorized changes. Further, such restoration may be automated.”)

The motivation would have been to have a single approver to delete a copy of a file before the copy of the file is can be modified in order to properly allow access to files by authorized users.


	Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2491