Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
2.	Applicant’s arguments filed 12/17/2021, with respect to 35 U.S.C 101 rejection of claims 1-20 have been fully considered and are persuasive.  The 101 rejection of claims 1-20 has been withdrawn. 

3.	Applicant’s arguments filed on 12/17/2021, with respect to the 35 U.S.C. § 102(a)(1)/(a)(2) rejection of claims 1, 4, 5, 7, 8, 11-17, 19, and 20 as being anticipated by U.S. Patent No. 9,317,686 (“Ye”) and claims 2, 3, 9, and 10 were rejected under 35 U.S.C. § 103 as being unpatentable over the combination of Ye and U.S. Patent Application Publication No. 2018/0113638 (“Petersen”), claim 6 was rejected as being
unpatentable over the combination of Ye and U.S. Patent Application Publication No.
2019/0258426 (“Roh”),  claim 18 was rejected as being unpatentable over the combination of Ye and U.S. Patent Application Publication No. 2010/0058 122 (“Compton”).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 

4.	Claim 1, 4, 5, 7, 8, 11-17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 9,317,686 hereinafter Ye in view of U.S. Publication No. 20180007069 hereinafter Hunt.

As per claim 1, Ye discloses:
A method (Col. 2 Lines 27 -34 “In a first embodiment, system events are monitored and a file change event of a process is detected. If the process is determined to be suspicious, then the file to be changed is backed up and then the file is allowed to be changed by the process.”) comprising:
detecting, by a monitoring system, that a storage system receives a request to perform an operation that affects a capacity of a storage structure the storage system (Fig. 2, Col. 5 Lines 11-16 “Step 212 determines whether an event has occurred indicating that a user process is attempting to change one of the files on the hard disk (for example, hooking of a system function indicates that a process is attempting to overwrite a file, write a new version of a file, encrypt a file, delete a file, etc.).”);
identifying, by the monitoring system, an attribute of at least one of the request or the storage system (Col. 5 Lines 22-32 “Step 216 determines whether the process (or thread) that has requested the file change event is suspicious or not. In general, determining whether a process (or the file that created it) is suspicious may be accomplished using information obtained from

determining, by the monitoring system and based on the attribute, that the request is indicative of a malicious action (Col. 5 Line 62 "If the process is suspicious, then control moves to step 220.” Col. 6 Lines 47-53 “Accordingly, step 224 determines whether the process is malware, or more specifically, whether the process is ransomware. In general, making a determination that the process is malware may be performed using any of the rules described above in step 216. For example, it may be concluded that a particular process is malicious if it satisfies a certain number of rules.”);
and performing, by the monitoring system in response to the determining that the request is indicative of the malicious action, a remedial action with respect to the requested operation (Col. 7 Lines 32-41 “In step 232 the process in question is blocked (because it is malware or, more specifically is ransomware) by sending a signal from the correlation engine to the system monitor driver. Driver 110 blocks the particular process or thread by making any of its file access request fail. In step 236 the correlation engine also sends a notification to the clean engine 180 to remove the malicious process and all of its artifacts from the computer. The information that the engine passes to the clean 
	
	Ye does not disclose:
detecting that a controller of storage system comprising a plurality of storage structures configured to store data receives, from a host remote from and in communication by way of a network with the storage system, a request to perform an operation that affects a capacity of a storage structure included in the plurality of storage structures; 
identifying, by the monitoring system based on the controller receiving the request from the host, an attribute
	
	Hunt discloses:
detecting that a controller of storage system comprising a plurality of storage structures configured to store data (para 0020 “A cloud storage API 120 installed on the user workstation 110 provides the interface to allow reading, writing, creating, and deleting of files in the cloud storage system. File activity typically traverses one or more networks 130, which may be any number of interconnected networks of any type, to reach a cloud storage server 140. The cloud storage server 140 uses its own cloud storage API to store user file data in a file store database 170.. The cloud storage server 140 uses its own cloud storage API to store user file data in a file store database 170. Although a single cloud storage server 140 and file store database 170 are illustrated in FIG. 1 for 
receives, from a host remote from and in communication by way of a network with the storage system, a request to perform an operation that affects a capacity of a storage structure included in the plurality of storage structures (para 0036 “ In block 210, file operation requests made by the user workstation 110 are detected and analyzed.” Para 0066 “ hook into a cloud storage server application programming interface; intercept cloud storage operations requested by an endpoint device; record the requested cloud storage operations; analyze the recorded cloud storage operations to determine whether ransomware activity is occurring; and block ransomware activity on the cloud storage server responsive to the analysis.”); 
identifying, by the monitoring system based on the controller receiving the request from the host, an attribute (para 0037 “In addition, even a sequence of activity in isolation such as a single read and write of a file with different data may not indicate ransomware activity. Therefore, to avoid false positive detections, embodiments may use a heuristic approach that recognize multiple sequences of activity as an indication of ransomware activity. For example, an embodiment may define a threshold number of events in a time period as an indication of ransomware activity. In another example, an embodiment may define a threshold number of files acted upon in a time period as an indication of ransomware activity, so that reading and writing one file in a directory may not indicate 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method monitoring storage events of Ye to include detecting that a controller of storage system comprising a plurality of storage structures configured to store data receives, from a host remote from and in communication by way of a network with the storage system, a request to perform an operation that affects a capacity of a storage structure included in the plurality of storage structures and identifying, by the monitoring system based on the controller receiving the request from the host, an attribute, as taught by Hunt.
The motivation would have been to properly analyze request from a remote host in order to properly detect ransomware activity.
	
As per claim 4, Ye in view Hunt discloses:
The method of claim 1, wherein: the identifying of the attribute comprises determining a source of the request; and the determining that the request is indicative of the malicious action comprises determining that the source is a malicious source (Ye Col. 6 Lines 47-53).

As per claim 5, Ye in view Hunt discloses:
The method of claim 1, wherein: the identifying of the attribute comprises determining that the request comprises a write request; and the determining that the request is indicative of the malicious action comprises determining that the write request comprises an attempt to overwrite compressible data in the storage structure with incompressible data (Ye Fig. 2, Col. 5 Lines 11-16)

As per claim 7, Ye in view Hunt discloses:
The method of claim 1, wherein: the identifying of the attribute comprises detecting an abnormal pattern of interaction with the storage system during a time period; and the determining that the request is indicative of the malicious action comprises determining that the request is received by the storage system during the time period (Ye Col. 5 Lines 1-10 and Col. 5 Lines 11-16).

As per claim 8, Ye in view Hunt discloses:
The method of claim 7, wherein the detecting of the abnormal pattern of interaction with the storage system comprises determining that operations performed with respect to the storage system during the time period differ by more than a threshold amount from historical operations performed with respect to the storage system (Col. 7 Lines 11-21).

As per claim 11, Ye in view Hunt discloses:



As per claim 12, Ye in view Hunt discloses:
The method of claim 11, wherein the performing of the remedial action comprises requiring data from multiple sources for the operation to be performed (Ye Fig. 2).

As per claim 13, Ye in view Hunt discloses:
The method of claim 1, wherein the performing of the remedial action comprises providing a notification indicating that the request is indicative of the malicious action (Ye Col. 7 Lines 37-41).

As per claim 14, Ye in view Hunt discloses:
The method of claim 1, wherein the performing of the remedial action comprises directing the storage system to abstain from actually performing the operation for a predetermined time period subsequent to the storage system receiving the request (Ye Col. 5 Lines 11-67).

As per claim 15, Ye in view Hunt discloses:
The method of claim 14, further comprising directing, by the monitoring system, the storage system to encrypt data in the storage structure so that the data is encrypted during the predetermined time period (Ye Col. 7 Lines 42-50). 

As per claim 16, Ye in view Hunt discloses:
The method of claim 1, wherein the performing of the remedial action comprises directing the storage system to abstain from actually performing the operation until a garbage collection process is to be performed with respect to the storage structure (Ye Col. 7 Lines 37-61).

As per claim 17, Ye in view Hunt discloses:
The method of claim 1, wherein the performing of the remedial action comprises at least one of blocking the request, throttling a performance of the operation, and disabling the storage system (Ye Col. 7 Lines 32-36).

As per claim 19, the implementation of the method of claim 1 will execute the system of claim 19. The claim is analyzed with respect to claim 1.

As per claim 20, the implementation of the method of claim 1 will execute the storage system including a plurality of storage elements (Ye in view Hunt Figs. 1 and 2, Col. 3 Lines 52-67 storage, backups) of claim 19. The claim is analyzed with respect to claim 1.
s 2, 3, 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Ye in view Hunt, and further in view of U.S. Publication No. 20180113638 hereinafter Petersen. 

As per claim 2, Ye in view Hunt discloses: 
The method of claim 1, wherein: the identifying of the attribute (Ye Col. 5 Lines 22-32) 

Ye in view Hunt does not disclose: 
an attribute comprises determining that the request is included in a plurality of requests of a similar type received by the storage system during a time period; and the determining that the request is indicative of the malicious action comprises determining that the plurality of requests exceeds a threshold 

Petersen discloses: 
an attribute comprises determining that the request is included in a plurality of requests of a similar type received by the storage system during a
time period and the determining that the request is indicative of the malicious action comprises determining that the plurality of requests exceeds a threshold (para 0048 “In one embodiment, the controller 304 is configured to assign a write and overwrite rate (which may be a single overall write rate or separate rates depending on whether the request is to write new data to unoccupied space or overwrite existing data, hereinafter referred to as a "write rate") to each of the para 0093 “In another embodiment, method 400 may include restricting the write rate (from an initial value) in response to determining an action that is indicative of a ransomware attack or malicious code executing on the media storage device. The action may include, but is not limited to, any of the following: a frequency of write activity on the media storage device or the portion thereof that exceeds a predetermined write frequency threshold, a rate of change resulting from the write request being greater than an historical rate of change for the media storage device or the portion thereof, and the write request being received outside of a time period in which write requests are expected to be received for the media storage device or the portion thereof.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method
monitoring storage events of Ye in view Hunt to include the method of an attribute comprises determining that the request is included in a plurality of requests of a similar type received by the storage system during a time period, as taught by Petersen.
The motivation would have been to properly detect a rate of write request



As per claim 3, Ye in view Hunt and Petersen discloses:
The method of claim 1, wherein: the identifying of the attribute comprises determining that the request is included in a plurality of requests received by the storage system during a time period, the requests being for a number of storage structures within the storage system; and the determining that the request is indicative of the malicious action comprises determining that the number of storage structures compared to a total number of storage structures within the storage system exceeds a predetermined ratio (Petersen para 0048, 0051, and 0098, the motivation would have been to properly detect a rate of write request in order to detect an attack).

As per claim 9, Ye in view Hunt discloses:
The method of claim 1, wherein: the identifying of the attribute (Ye Col. 5 Lines 22-32)

Ye in view Hunt does not disclose:
an attribute comprises determining an age of other storage structures within the storage system; and the determining that the request is indicative of the malicious action comprises determining that the age is older than a predetermined age 

Petersen discloses:
an attribute comprises determining an age of other storage structures within the storage system; and the determining that the request is indicative of the malicious action comprises determining that the age is older than a predetermined age (para 0069 “In a further embodiment, an age of an existing subset of storage space (how long it has been since the subset of storage space was written) may be used to determine whether a write request which targets the existing subset of storage space to determine a risk level for this write request and calculate the associated score. A correlation that may be used dictates that the greater the age of the existing subset of storage space, the greater the score is for the write request which targets the existing subset of storage space. This is because any request to overwrite data which has been written and unchanged for a long period of time is suspicious and may be an attempted ransomware attack that is overwriting the existing data with encrypted data.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method monitoring storage events of Ye in view Hunt to include the method of an attribute comprises determining an age of other storage structures within the storage system, as taught by Petersen.
The motivation would have been to properly detect age of other storage structures in order to detect an attack in other storage structures. 

As per claim 10, Ye in view Hunt discloses:

The method of claim 1, wherein: the identifying of the attribute (Ye Col. 5 Lines 22-32) 

Ye in view Hunt discloses:
an attribute comprises determining an amount of undisturbed capacity of the storage system, the undisturbed capacity not affected by a plurality of requests that includes the request; and the determining that the request is indicative of the malicious action comprises determining that the undisturbed capacity is less than a threshold 

Petersen discloses:
an attribute comprises determining an amount of undisturbed capacity of the storage system, the undisturbed capacity not affected by a plurality of requests that includes the request; and the determining that the request is indicative of the malicious action comprises determining that the undisturbed capacity is less than para 0048 “In one embodiment, the controller 304 is configured to assign a write and overwrite rate (which may be a single overall write rate or separate rates depending on whether the request is to write new data to unoccupied space or overwrite existing data, hereinafter referred to as a "write rate") to each of the applications 306, thereby restricting the rate at which each application 306, such as the first application 316, is able to write data to the one or more media storage devices 302.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method monitoring storage events of Ye in view Hunt to include the method of an attribute comprises determining an amount of undisturbed capacity of the storage system, as taught by Petersen.
The motivation would have been to properly determine an amount of undisturbed capacity in order to assess an attack in a storage structure.

6. 	Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Ye in view Hunt, and further in view of U.S. Publication No. 20190258426 hereinafter Roh. 

As per claim 6, Ye in view Hunt discloses:
The method of claim 1, wherein: the identifying of the attribute (Col. 5 Lines 22-32)

Ye in view Hunt does not discloses:
an attribute comprises determining that the storage system receives a request to change an operation time delay associated with storage structures within the storage system; and the determining that the request is indicative of the malicious action comprises determining that the request to change the operation time delay is received by the storage system within a predetermined amount of time of the request 

Roh not disclose:
an attribute comprises determining that the storage system receives a request to change an operation time delay associated with storage structures within the storage system and the determining that the request is indicative of the malicious action comprises determining that the request to change the operation time delay is received by the storage system within a predetermined amount of time of the request (para 0053 “When the access request has been received the preset number of times or more, the attack detector 620 determines that the received access request corresponds to a memory attack, and the data controller 610 may 
Therefore, it would have been obvious to one of ordinary skill in the art
before the effective filing date of the claimed invention to modify the method
monitoring storage events of Ye in view Hunt to include the method of an attribute comprises determining that the storage system receives a request to change an operation time delay associated with storage structures within the storage system, as taught by Roh. 
The motivation would have been to properly request a change in time delay operation in order to detect storage attacks.

7. 	Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Ye in view Hunt in view of U.S. Publication No. 20100058122 hereinafter Roh. 

As per claim 18, Ye in view Hunt discloses: 
The method of claim 1, wherein the detecting that the storage system receives the request (Ye Col. 5 Lines 22-32) 

Ye in view Hunt does not disclose: 
receiving, by way of a network, phone-home logs from the storage system; and extracting data representative of the request from 

Compton discloses: 
receiving, by way of a network, phone-home logs from the storage system and extracting data representative of the request from the phone-home logs (para 0038 “In one embodiment, the one or more data package sources 102 are configured to compile, collect, gather, transfer, or otherwise provide data
packages. A data package, in one embodiment, may comprise a report, an update, a request, a status, or other data that is packaged for transmission over a network. A data package, in a further embodiment, may comprise a call home package that is transmitted from a remote system or device, such as the one or more data package sources 102, to a central system, device, repository, or the like. Data packages may comprise predefined formats to facilitate processing of the data packages by the data prioritization module 104. The one or more data package sources 102, in another embodiment, may collect data and assemble the data into a data package, such as a call home package.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method monitoring storage events of Ye in view Hunt to include receiving, by way of a network, 
The motivation would have been to monitor home call records to properly assess and classify data.


	Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2491