Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Election/Restrictions
2.    NO restrictions warranted at initial time of filing for patent.

Priority
3.    Applicant claims domestic priority under 35 USC 119e to provisional application filed on 11/29/2019.
Information Disclosure Statement
4.    The information disclosure statement (IDS) submitted on 10/19/202, 01/22/2021, 06/22/2021, 08/30/2021, 10/22/2021, 12/22/2021and 01/28/2021, the submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Oath/Declaration
5.    Applicant’s Oath was filed on 10/19/2020.

Drawings
6.    Applicant’s drawings filed on 10/19/2020 has been inspected and is in compliance with MPEP 608.01.
Specification
7.    Applicant’s specification filed on 10/19/2020 has been inspected and is in compliance with MPEP 608.02.
Claim Objections
8.    NO objections warranted at initial time of filing for patent.

Remarks
9.	Examiner request Applicant review relevant prior art under the conclusion of this office action.



Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


10.	Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 

Step one: Are the claims at issue directed to a statutory category? 
Yes. The claims recites a series of steps i.e., identifying, by a data protection system, a first attribute set associated with a first file stored in a storage system; determining, by the data protection system, that the first file is replaced in the storage 

Step 2A – Prong 1: Is a Judicial Exception recited? 
Yes. The claim recites the limitation of identifying, by a data protection system, a first attribute set associated with a first file stored in a storage system; determining, by the data protection system, that the first file is replaced in the storage system with a second file; identifying, by the data protection system, a second attribute set associated with the second file. This limitation, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is nothing in the claim element precludes the step from practically being performed in the mind. For example the claim encompasses a user thinking and comparing about an attribute about two files their mind. Thus, the claim recites a mental process. 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The limitation of determining, by the data protection system based on the determining that the first file is replaced in the storage system with the second file and on one or more attributes in at least one of the first attribute set or the second attribute set, that data stored by the storage system is 

Step 2A – Prong 2: Are the claims integrated into a practical application recited?
No. The claim recites five elements: identifying a first attribute set associated with a first file stored in a storage system, determining that the first file is replaced in the storage system with a second file, identifying, a second attribute set associated with the second file and determining that data stored by the storage system is possibly being targeted by a security threat. The determining and identifying steps are recited at a high level of generality (i.e., as a general means of identifying attributes of a first and second file and determining a possible attack based on the attributes of the first and second files in the series of steps), and amounts to mere data gathering, which is a form of insignificant extra-solution activity. The generic computing components that performs the determining and identifying steps are also recited at a high level of generality, and merely automates the determining and identifying steps. Each of the additional limitations is no more than mere instructions to apply the exception using a generic computer component (processor).



Step 2b: Does the claims provide an inventive concept?
No. As discussed with respect to Step 2A Prong Two, the additional elements in the claim amount to no more than mere instructions to apply the exception using a generic computer component. The same analysis applies here in 2B, i.e., mere instructions to apply an exception on a generic computer cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B.
Under the 2019 PEG, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. Here, the determining and identifying steps were considered to be extra-solution activity in Step 2A, and thus it is re-evaluated in Step 2B to determine if it is more than what is well-understood, routine, conventional activity in the field. The background of the example does not provide any indication that the processor is anything other than a generic, off-the-shelf computer component, and the Symantec, TLI, and OIP Techs. court decisions cited in MPEP 2106.05(d)(II) indicate that mere collection or receipt of data over a network is a well‐understood, routine, and conventional function when it is claimed in a 
For these reasons, there is no inventive concept in the claim, and thus it is ineligible.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

11.	Claims 1-4, 6-10 and 15-20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by U.S. Publication No. 20180048658 hereinafter Hittel.

As per claim 1, Hittel discloses:
A method (para 0024 “In accordance with an aspect of the present disclosure a method of detecting and responding to a data attack on a local file system of a local device synchronized to a file system of an independent data store is provided.”) comprising: 
para 0063 “Inspective agent 194 leverages API connections to inspect content that is already resident in the cloud storage 142, 144, irrespective of when the content was uploaded or when it was created. In particular, the cloud storage 142, 144 is communicably interfaced with network 160 via an API through which content from the cloud storage 142, 144 and metadata about the content is observed, listened to, monitored, tracked, collected, aggregated, assembled, retrieved, etc. Such content is, for example, files, folders, documents, images, and videos and content metadata is, for example, file or folder level details like who the file or folder owner is, which cloud application is hosting the file or folder, when was the file or folder created, posted, edited, modified, an audit trail of user activity, version history, file type, and others. In other implementations, the collected content metadata provides details on file exposure, including whether files are private, shared internally, shared externally with specific people or shared publicly via a link. This metadata can be obtained for each file and/or content on the cloud storage 142, 144 based on information assembled from a file system list for the respective files and/or content and from file headers of the respective files and/or contents. Additionally, content properties of the payloads of the respective files can be obtained for the respective files and/or contents. The obtained metadata and the obtained content properties of the respective files stored on the cloud storage 142, 144 can be stored on a historical metadata or content properties store 196 as historical metadata and historical content para 0095 “In FIG. 2, a client, such as a computer 154 attempts to perform a transmission 202 by uploading/updating files 187 on the cloud storage 142 (e.g., an independent data store). Before the files 187 are transmitted/updated on the cloud storage 142, the active agent 192 will obtain current metadata and/or current content properties for the files 187 from the headers and/or payloads of the files 187.”); 
determining, by the data protection system, that the first file is replaced in the storage system with a second file (para 0065 “Further, during or after the transmission of files and/or contents from management clients 130 and client devices 150 to the cloud storage 142, 144 via the network 160, the inspective agent 194 can (repeatedly) scan the files and/or contents or scan a list of the files and/or contents to identify files and/or contents in the file system of the cloud storage 142, 144 that have been updated within a determined time frame.” Para 0096 “The historical metadata or content properties store 196 stores the historical metadata and/or historical content properties 206 of the files. In an implementation, the historical metadata or content properties store 196 is maintained independently from and not under control of the file system and the historical metadata or content properties store 196 preserves generations of metadata describing files in the file system, such that prior generation metadata remains available after a file and file metadata have been updated in the file system and/or preserves generations of content properties describing files in the file system, such that prior generation content properties remains available after a file and file content properties have been updated in the file system. Para 0097 “The active agent 192 then compares the current metadata and/or current content properties to the historical metadata and/or historical content properties 206 to determine whether or not malware (e.g., malicious activity) is present on the files 187.”);
identifying, by the data protection system, a second attribute set associated with the second file (para 0101 “As discussed supra, the inspective agent 194 inspects content that resides in the cloud storage 142 after the content has been uploaded/updated on the cloud storage 142. Specifically, the inspective agent 194 detects malicious activity using historical metadata and/or historical content properties 306 stored on a historical metadata or content properties store 196 and using current metadata and/or current content properties 308 obtained from files stored on the cloud storage 142. In FIG. 3, a client, such as a computer 154 may update/transfer files to the cloud storage 142 via the network 160 and a mobile device 134 may update/transfer files to the cloud storage 142 via a network other than the network 160. One of the advantages of the inspective agent 194 is that malicious activity can detected by analyzing files updated and/or transferred to the cloud storage 142 outside of the network 160.”); 
and determining, by the data protection system based on the determining that the first file is replaced in the storage system with the second file and on one or more attributes in at least one of the first attribute set or the second attribute para 0067 “Additionally, the inspective agent 194 can determine whether or not malicious activity is in process by analyzing the current metadata and/or current content properties of the respective files/contents and known patterns of malicious metadata and/or malicious content properties that indicate a known malicious file modification to identify a match between the current metadata and/or content properties of the respective files and the known patterns of malicious metadata and/or content properties that indicate the known malicious file modification.” Para 0068 “After determining that malicious activity is in process, the inspective agent 194 can invoke or facilitate a determination of a machine and/or user that initiated the malicious activity. Additionally, after determining the machine and/or user that initiated the malicious activity, the inspective agent 194 can invoke or facilitate an implementation of a response mechanism that restricts file modifications by the determined machine and/or user.”).

As per claim 2, Hittel discloses:
The method of claim 1, wherein the determining that the data stored by the storage system is possibly being targeted by the security threat includes: determining that an attribute in the second attribute set associated with the second file satisfies an attribute threshold (para 0091, 0127 and 0156).


As per claim 3, Hittel discloses:
The method of claim 1, wherein the determining that the data stored by the storage system is possibly being targeted by the security threat includes: determining a difference between a first attribute in the first attribute set associated with the first file and a second attribute in the second attribute set associated with the second file; and determining that the difference between the first attribute and the second attribute satisfies a difference threshold (para 0065, 0066, 0178, and 0219).

As per claim 4, Hittel discloses:
The method of claim 1, wherein: the one or more attributes in at least one of the first attribute set or the second attribute set includes one or more of a file size, a file format, a compressibility ratio, or a bit pattern of the first file or the second file (para 0080 and 0177).

As per claim 6, Hittel discloses:
The method of claim 1, wherein: the first attribute set associated with the first file includes a source of the first file; the second attribute set associated with the second file includes a source of the second file; and the determining that the data stored by the storage system is possibly being targeted by the security threat includes determining that the source of the second file is different from the source of the first file (para 0063, 0065, and 0172).

As per claim 7, Hittel discloses:
The method of claim 1, wherein: the second attribute set associated with the second file includes a source of the second file; and the determining that the data stored by the storage system is possibly being targeted by the security threat includes one or more of: determining that the source of the second file is associated with an abnormal pattern; or determining that the source of the second file has been previously associated with one or more security threats against the storage system (para 0066, 0067, 0080, and 0091).

As per claim 8, Hittel discloses:
The method of claim 7, wherein the determining that the source of the second file is associated with the abnormal pattern includes: determining that the source of the second file is a source for more than a predetermined threshold number of file replacement requests with respect to the storage system during a predetermined time period (para 0065, 0066, 0090, and 0091).

As per claim 9, Hittel discloses:
The method of claim 1, further comprising: performing, by the data protection system in response to determining that the data stored by the storage system is possibly being targeted by the security threat, a remedial action with respect to the storage system (para 0169 and 0173). 

As per claim 10, Hittel discloses:


As per claim 15, the implementation of the method of claim 1 will execute the system of claim 15. The claim is analyzed with respect to claim 1. 

As per claim 16, the claim is analyzed with respect to claim 2. 

As per claim 17, the claim is analyzed with respect to claim 3. 

As per claim 18, the claim is analyzed with respect to claim 6. 

As per claim 19, the claim is analyzed with respect to claim 7. 

As per claim 20, the implementation of the method of claim 1 will execute the non-transitory computer-readable medium (Hittel paragraph 0200) of claim 20. The claim is analyzed with respect to claim 1. 




Claim Rejections - 35 USC § 103

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
12.	Claims 5 and 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over Hittel in view of U.S. 20190109870 hereinafter Bedhapudi.

As per claim 5, Hittel discloses:
The method of claim 1, wherein: the determining that the first file is replaced with the second file includes determining that the second file is renamed (para 0066, 0177, and 0182). 

Hittel does not disclose:
second file is renamed from a temporary name of the second file to a name of the first file; and the determining that the data stored by the storage 

Bedhapudi discloses:
second file is renamed from a temporary name of the second file to a name of the first file; and the determining that the data stored by the storage system is possibly being targeted by the security threat is based on at least one of the temporary name of the second file or a difference between the temporary name of the second file and the name of the first file (para 0301 “Another type of ransomware may encrypt the data of an original file to a temporary file. After the ransomware finishes encrypting the original file, the ransomware may delete the original file and keep only the temporary file. In some cases, the ransomware may further rename the temporary file such that the temporary file has the file name of the original file.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention method of detecting and responding to a data attack on a local file system of a local device synchronized to a file system of an independent data store of Hittel to include second file is renamed from a temporary name of the second file to a name of the first file; and the determining that the data stored by the storage system is possibly being targeted by the security threat is based on at least one of the temporary name of 
The motivation would have been properly analyze the naming of a file to determine whether there is a possible attack.

As per claim 11, Hittel discloses:
The method of claim 1, wherein the determining that the first file is replaced with the second file (para 0065, 0096 and 0097)

Hittel does not disclose:
determining that the first file is included in a first set of files deleted from a first location within the storage system after the first set of files has been stored at the first location for longer than a predetermined amount of time; determining that the second file is included in a second set of files written to a second location within the storage system; and determining that the second set of files is related to the first set of files

	Bedhapudi discloses:
determining that the first file is included in a first set of files deleted from a first location within the storage system after the first set of files has been stored at the first location for longer than a predetermined amount of time (para 0079 “Primary data 112 is generally stored on primary storage device(s) 104 and is organized via a file system operating on the client computing device 102. Thus, Para 0080 “Metadata generally includes information about data objects and/or characteristics associated with the data objects. For simplicity herein, it is to be understood that, unless expressly stated otherwise, any reference to primary data 112 generally also includes its associated metadata, but references to metadata generally do not include the primary data. Metadata can include, without limitation, one or more of the following: the data owner (e.g., the client or user that generates the data), the last modified time (e.g., the time of the most recent modification of the data object), a data object name (e.g., a file name), a data object size (e.g., a number of bytes of data), information about the content (e.g., an indication as to the existence of a particular search term), user-supplied tags, to/from information for email (e.g., an email sender, recipient, etc.), creation date, file type (e.g., format or application type), last accessed time, application type (e.g., type of application that generated the data object), location/network (e.g., a current, past or future such as a time period, in which the data object is migrated to secondary or long term storage.” Para 0084 “Primary data 112 stored on primary storage devices 104 may be compromised in some cases, such as when an employee deliberately or accidentally deletes or overwrites primary data 112.”) 
determining that the second file is included in a second set of files written to a second location within the storage system; and determining that the second set of files is related to the first set of files (para 0084 “Accordingly, system 100 includes one or more secondary storage computing devices 106 and one or more secondary storage devices 108 configured to create and store one or more secondary copies 116 of primary data 112 including its associated metadata. The secondary storage computing devices 106 and the secondary storage devices 108 may be referred to as secondary storage subsystem 118.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention method of detecting and responding to a data attack on a local file system of a local device synchronized to a file system of an independent data store of Hittel to include determining that the first file is included in a first set of files deleted from a first location within the storage system after the first set of files has been stored at the first location for 
The motivation would have been determine the location and modification of data of first and second files to properly analyze whether there is a possible attack within a storage system.

As per claim 12, Hittel in view of Bedhapudi discloses:
The method of claim 11, wherein the determining that the second set of files is related to the first set of files includes: determining that the second set of files has a total number of files that is within a predetermined amount of a total number of files included in the first set of files (Hittel para 0066, 0132, 0138 and 0177).

As per claim 13, Hittel in view of Bedhapudi discloses:
The method of claim 11, wherein the determining that the second set of files is related to the first set of files includes: determining that the second set of files has an overall compressibility that is less than an overall compressibility of the first set of files (Bedhapudi para 0190, The motivation would have been to properly identify the difference from between first and second files).

As per claim 14, Hittel in view of Bedhapudi discloses:
Bedhapudi para 0276 “ Indeed, the secondary storage subsystem 218 in such environments can be treated simply as a read/write NFS target for primary storage subsystem 217, without the need for information management software to be installed on client computing devices 202. As one example, an enterprise implementing a cloud production computing environment can add VM client computing devices 202 without installing and configuring specialized information management software on these VMs. Rather, backups and restores are achieved transparently, where the new VMs simply write to and read from the designated NFS path.” Para 0278 “The illustrated system 200 includes a grid 245 of media agents 244 logically organized into a control tier 231 and a secondary or storage tier 233. Media agents assigned to the storage tier 233 can be configured to manage a secondary storage pool 208 as a deduplication store, and be configured to receive client write and read requests from the primary storage subsystem 217, and direct those requests to the secondary tier 233 for servicing.” The motivation would have been to properly read data from a primary storage and write data in a secondary storage).

	Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

U.S. Publication No. 20160371152 discloses 0043 “In this aspect, the detection module 160, on the basis of the process parameters of the cryptor program received from the activity tracking module 120 (such as the path to the application running the process, the process descriptor, the log of operations executed by the process, for example) which is modifying the Microsoft Office® document, determines the threat level of the process to the integrity of the document. In one example aspect, the threat level is calculated by analyzing the possibility of irretrievable loss of the content of the document being modified. For example, files may be irretrievably deleted or renamed, the attributes and rights of files may be changed, the content of files may be encrypted without the possibility of decryption on the user's computer due to absence of the corresponding key, and the like. Since the process, not being trusted from the standpoint of the detection module 160 (e.g., a system file signed by a trusted digital signature and the like), is performing operations of writing to file and renaming of file, these actions are taken by the detection module 160 as representing a threat to the data of the document. Furthermore, in one example aspect, the results of the analysis of the received log of operations performed by the process (e.g., numerous requests for writing and renaming of documents in different folders, including temporary ones) indicate that the cryptor program running the process being analyzed is malicious and carries a potential loss to the user's files.”
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2491