Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.	Claims 1, 3, 6-10, 12-16, 18-25 are pending. 

Response to Arguments and Amendments
3.	Applicant’s arguments filed on 10/26/2021 with respect to the 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph rejection of claims 1, 3, 6-10, 12-16, 18-21 have been fully considered in view of applicant's arguments and the amendments made to the rejected claims, and are persuasive. The rejection of claims 1, 3, 6-10, 12-16, 18-21 has been withdrawn.
4.	Applicant argues that the art of record, Sean Hittel (US 2018/0048658), fails to teach: in response to receiving an encrypted file, secured by a first encryption, sent from a user to a backup service as part of a backup of the encrypted file; obtaining metadata for the encrypted file; applying, using at least one processing device of the backup service, an anomaly detection technique to the metadata to compare at least one attribute in the metadata to one or more corresponding historical baseline values for the at least one attribute; and determining, using the at least one processing device of the backup service, whether the encrypted file, secured by the first encryption, was also encrypted using a ransomware encryption, in addition to the first encryption, based at least in part on the comparison, wherein the ransomware encryption is distinct from the first encryption. Examiner respectfully disagrees.
5.	Examiner would point out that Hittel teaches, in response to receiving an encrypted file, secured by a first encryption, sent from a user to a backup service as part of a backup of the encrypted file (Hittel, Fig. 7, 9, [166], [141]), detecting and responding to a data attack (e.g., malicious activity) on a local file system 902 (including files 904) of a local device (e.g., computer 154) synchronized to a file system 402 of a cloud storage (i.e., independent data store) 142 by performing analysis of files stored on the independent data store 142. Examiner interprets the files stored on the independent data store as the backup encrypted file claimed. Obtaining metadata for the encrypted file (para 142 and 143); applying, using at least one processing device of the backup service, an anomaly detection technique to the metadata to compare at least one attribute in the metadata to one or more corresponding historical baseline values for

6.	Applicant’s arguments, see pages 1-2 of the remarks, filed 10/26/2021, with respect to the rejection(s) of claim(s) 1, 3, 6-10, 12-16, 18-25 under 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Vitaly Filimonov (US 9652354).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

7.	Claims 1, 6-7, 9-10, 12-13, 15-16, 18-19, 22-25 are rejected under 35 U.S.C. 103 as being unpatentable over Sean Hittel (US 2018/0048658), Vitaly Filimonov (US 9652354), hereinafter Filimonov.

Regarding claim 1:
	Hittel discloses a method comprising:
performing the following steps, in response to receiving an encrypted file, secured by a first encryption, sent from a user to a backup service (cloud-based file system) as part of a backup of the encrypted file (Hittel: Fig 7, 9; [0166], [0141] provides for receiving files that are being synchronized to a cloud-based storage system, and performing various actions at an intermediary network security system in response to receiving the uploaded files; see [0178]-[0180] for the intentional encryption by the user, such as via Boxcryptor, Bitlocker, etc. for their normally uploaded sync’d files):
obtaining metadata for the file (Hittel: [0142]-[0143] for obtaining both current metadata for the uploaded file and historical metadata for previous versions of the file; see also [0180]-[0183] for specifically obtaining historical metadata for a normally encrypted uploaded file);
applying, using at least one processing device, an anomaly detection technique to the metadata to compare at least one attribute in the metadata to one or more corresponding historical baseline values for the at least one attribute (Hittel: [0144] for determining metadata change velocity has exceeded a threshold; [0066], [0174]-[0185] provides for detecting irregularities in encrypted file metadata compared to its historical metadata); and
determining, using the at least one processing device, whether the encrypted file, secured by the first encryption, was also encrypted using a ransomware encryption, in addition to the first encryption, based at least in part on the comparison (Hittel: [0177]-[0183] provides for detecting an uploaded file was encrypted with ransomware based on analyzing metadata change velocity, and also provides the expected file was a normally encrypted file); wherein the ransomware encryption is distinct from the first encryption ([178-180], encrypted files encrypted via a normal backup service encryption application Bitlocker, and [177-183], detected uploaded file was encrypted with ransomware).
However, Hittel fails to disclose wherein the anomaly detection technique comprises a machine learning technique that employs at least one trained machine learning model that is trained using historical time-series data for each of a plurality of file types. Filimonov teaches that statistical, signal processing and machine learning techniques can be applied to identify anomalies in time series (Filimonov, column 1, [lines 50-53]); and further that deducing the normal and abnormal behavior of a component quickly means there is typically not enough time to wait for a very large statistical sample to make predictions regarding the characteristics (normal versus anomalous) of a piece of data within a time series (Filimonov, column 3, [lines 23-28]). It would have been obvious to someone skilled in the art before the effective filing date of the claimed invention to combine the teaching of Hittel with that of Filimonov in order to enable automatic detection of values that are abnormal to a high degree of probability in any time series sequence.

Regarding claim 6:
	Hittel discloses wherein the at least one attribute in the metadata comprises a file extension attribute and wherein the comparison to the one or more corresponding historical baseline values reveals one or more of a renaming of at least one file extension attribute and a deviation from an expected file extension distribution: a length of a filename and/or extension can be considered. For example, a consideration can be made as to whether the filename or extension is a certain length that is known to ransomware. This might be a reliable preliminary check, before implementing a more thorough scanning/detection. This could be implemented on standalone files or using current and historical metadata of header information, and/or current and historical content properties of payloads of files. When comparing current and historical information, a pattern of changes between the current and historical information that exceeds a predetermined change velocity may indicate the presence of an attack (Hittel, [para 181]).



Regarding claim 7:
	Hittel discloses wherein the at least one attribute in the metadata comprises a file size attribute of the encrypted file and wherein the comparison to the one or more corresponding historical baseline values reveals one or more of a deviation in size of one or more increments of an incremental backup and a file size of the encrypted file is larger than a corresponding historical baseline value: the block size of a file can be calculated and then compared to multiples of the known file sizes. This can also be done by checking to see if existing files are a multiple of frequently used block sizes of encryption. This could be implemented on standalone files or using current and historical metadata of header information, and/or current and historical content properties of payloads of files. When comparing current and historical information, a pattern of changes between the current and historical information that exceeds a predetermined change velocity may indicate the presence of an attack (Hittel, [para 192]).

	Regarding claim 9:
	Hittel discloses further comprising the step of evaluating a number of encrypted files sent within a predefined time window: identify files in the local file system of the independent data store that have been updated within a determined timeframe (Hittel, para 24).

Regarding claim 10:
Claim 10 is rejected under the same reason set forth in rejection of claim 1.


Regarding claim 12:
Claim 12 is rejected under the same reason set forth in rejection of claim 6.

Regarding claim 13:



Regarding claim 15:
Claim 15 is rejected under the same reason set forth in rejection of claim 9.

Regarding claim 16:
Claim 16 is rejected under the same reason set forth in rejection of claim 1.

Regarding claim 18:
Claim 18 is rejected under the same reason set forth in rejection of claim 6.

Regarding claim 19:
Claim 19 is rejected under the same reason set forth in rejection of claim 7.

Regarding claim 22:
Hittel discloses further comprising the step of evaluating a number of encrypted files sent within a predefined time window: identify files in the local file system of the independent data store that have been updated within a determined timeframe (Hittel, para 24).

Regarding claim 23:
Hittel discloses obtaining metadata for the file (Hittel: [0142]-[0143] for obtaining both current metadata for the uploaded file and historical metadata for previous versions of the file; see also [0180]-[0183] for specifically obtaining historical metadata for a normally encrypted uploaded file); but fails to disclose wherein the historical time-series data is further used to evaluate a behavior. Filimonov teaches: determine the behavior the data stream exhibits and consequently classify the time series into either one that follows a Gaussian distribution pattern or one that does not follow Gaussian distribution, the standard Z-test algorithm can be applied on the raw data (Filimonov, column 4), and anomaly detector 156 can automatically detect anomalies in any performance counter in any application in real-time by continuously monitoring and evaluating performance counter data points (Filimonov, column 6, [line 12-16]). It would have been obvious to someone skilled in the art before the effective filing date of the claimed invention to combine the teaching of Hittel with that of Filimonov in order to enable automatic detection of values that are abnormal to a high degree of probability in any time series sequence.

Regarding claim 24:
Hittel and Filimonov disclose wherein the historical time-series data is further used to evaluate a behavior of one or more of the encrypted file and the metadata for the encrypted file: determine the behavior the data stream exhibits and consequently classify the time series into either one that follows a Gaussian distribution pattern or one that does not follow Gaussian distribution, the standard Z-test algorithm can be applied on the raw data (Filimonov, column 4, [lines 24-28]), and further anomaly detector 156 can automatically detect anomalies in any performance counter in any application in real-time by continuously monitoring and evaluating performance counter data points (Filimonov, column 6, [line 12-16]). It would have been obvious to someone skilled in the art before the effective filing date of the claimed invention to combine the teaching of Hittel with that of Filimonov in order to enable automatic detection of values that are abnormal to a high degree of probability in any time series sequence.

Regarding claim 25:
Hittel and Filimonov disclose wherein the historical time-series data is further used to evaluate a behavior of one or more of the encrypted file and the metadata for the encrypted file: determine the behavior the data stream exhibits and consequently classify the time series into either one that follows a Gaussian distribution pattern or one that does not follow Gaussian distribution, the standard Z-test algorithm can be applied on the raw data (Filimonov, column 4, [lines 24-28]), and further anomaly detector 156 can automatically detect anomalies in any performance counter in any application in real-time by continuously monitoring and evaluating performance counter data points (Filimonov, column 6, [line 12-16]). It would have been obvious to someone skilled in the art before the effective filing date of the claimed invention to combine the teaching of Hittel with that of Filimonov in order to enable automatic detection of values that are abnormal to a high degree of probability in any time series sequence.
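
The metadata comparisons discussed above for claims 6, 7, 9 and 23-25 (extension renaming, size deviation from a historical baseline tested with a z-score, and the number of uploads inside a time window) can be sketched as follows. This is an added example, not code from Hittel, Filimonov or the application; the thresholds, field names and sample data are assumptions.

```python
import statistics
from dataclasses import dataclass

# All thresholds are assumed values for illustration, not taken from the cited references.
Z_THRESHOLD = 3.0      # |z| above this counts as a size deviation
WINDOW_S = 60          # length of the "predefined time window" in seconds
MAX_PER_WINDOW = 20    # uploads tolerated per user inside one window

@dataclass
class Upload:
    file_id: str   # stable identifier of the backed-up file
    name: str      # file name as received, including extensions
    size: int      # bytes
    ts: float      # receive time, seconds

def ext(name):
    """Last extension, lower-cased; empty string when there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def size_zscore(size, baseline):
    """Z-score of a size against the historical sizes of the same file."""
    if len(baseline) < 2:
        return 0.0                      # not enough history to judge
    mean, sd = statistics.fmean(baseline), statistics.stdev(baseline)
    if sd == 0:
        return 0.0 if size == mean else float("inf")
    return (size - mean) / sd

def assess(upload, history, recent_ts):
    """Return metadata findings for one upload.
    history: {file_id: [earlier Upload versions, oldest first]}
    recent_ts: receive times of the same user's other recent uploads."""
    findings = []
    prior = history.get(upload.file_id, [])
    if prior:
        if ext(prior[-1].name) != ext(upload.name):
            findings.append("extension_renamed")
        if abs(size_zscore(upload.size, [p.size for p in prior])) > Z_THRESHOLD:
            findings.append("size_deviation")
    in_window = sum(1 for t in recent_ts if 0 <= upload.ts - t <= WINDOW_S)
    if in_window > MAX_PER_WINDOW:
        findings.append("upload_burst")
    return findings

# Constructed sample: four earlier versions of a file the user encrypts with
# their own tool before backup (".bc" stands in for that first encryption).
HISTORY = {"docs/report": [Upload("docs/report", "report.docx.bc", s, 100.0 * i)
                           for i, s in enumerate([10240, 10300, 10180, 10260])]}

if __name__ == "__main__":
    normal = Upload("docs/report", "report.docx.bc", 10290, 1000.0)
    suspect = Upload("docs/report", "report.docx.bc.locked", 14336, 1000.0)
    print(assess(normal, HISTORY, []))
    print(assess(suspect, HISTORY, [1000.0 - i for i in range(25)]))
```

Only metadata is inspected, so the checks work on files that are already encrypted by the user before backup.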

8.	Claims 3, 8, 14 and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Sean Hittel (US 10469525), Vitaly Filimonov (US 9652354), and further in view of Aishwary Bhashkar (US 20160378988), hereinafter Bhashkar.

Regarding claim 3:
	Hittel discloses a network security system 120 detecting and responding to a data attack (e.g., malicious activity) on a file system 402 (including files) stored on a cloud storage (i.e., independent data store) 142 by performing analysis of files stored on the independent data store 142 (Hittel, [para 114]); but fails to disclose wherein the encrypted file is one or more of a portion of an incremental file backup and a snapshot. However, Erofeev teaches creates a snapshot of the storage volume containing the first file. The snapshot represents the data stored in the storage volume at the point of creation of the snapshot, i.e., upon opening of the first file of step 210. As is well known, when multiple processes open the respective first files in the same storage volume, the snapshot for the first process may be entire data stored on the storage volume, but snapshots for subsequent processes may contain only incremental data (i.e., those changes from the previous snapshot) (Bhashkar, paragraph 37). It would have been obvious to someone skilled in the art before the effective filing date of the claimed invention to combine the teaching of Hittel with that of Bhashkar in order to detect potential malicious (Bhashkar, paragraph 13).

	Regarding claim 8:
	Hittel discloses wherein the at least one attribute in the metadata comprises a file name attribute of the encrypted file and wherein the comparison to the one or more corresponding historical baseline values reveals that a snapshot file has been sent more than once: using current and historical metadata of header information, and/or current and historical content properties of payloads of files. As mentioned above, for standalone files, specific entropies could indicate an attack. Further, an attack may be present if entropies of a certain number of files change significantly enough between current versions and historical versions of the files to establish a pattern of changes that exceeds a predetermined change velocity (Hittel, [para 180]), but fails to disclose a snapshot file. Bhashkar teaches the Snapshot mapping of file system data is also updated to reflect the changed block(s) at that particular point in time. In some other cases, a Snapshot includes a full physical copy of all or substantially all of the data represented by the Snapshot (Bhashkar, paragraph 198). It would have been obvious to someone skilled in the art before the effective filing date of the claimed invention to combine the teaching of Hittel with that of Bhashkar in order to detect potential malicious (Bhashkar, paragraph 13).

Regarding claim 14:
Claim 14 is rejected under the same reason set forth in rejection of claim 8.

Regarding claim 20:
Claim 20 is rejected under the same reason set forth in rejection of claim 8.

Regarding claim 21:
Claim 21 is rejected under the same reason set forth in rejection of claim 3.

Conclusion
Any inquiry concerning this communication from the examiner should be directed to Thanh Le whose telephone number is 571-272-8556. The examiner can normally be reached on Monday-Friday 8:00a.m to 5p.m. EST
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor Nickerson L Jeffrey can be reached on (469) 295-9235.

/THANH H LE/Examiner, Art Unit 2432
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436