Detailed Action

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is in response to Application No. 16/476,939, filed on 7/10/2019, in which claims 1-20 are presented for examination.
Status of Claims
Claims 1-20 are pending, of which claims 1, 9, and 17 are in independent form.
Specification
The examiner notes that the Specification does not include any URL links and Trademark terms requiring capitalization.
The examiner notes that the abstract is in narrative form and is limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The examiner also notes that the abstract includes no legal phraseology.
Claims 17-20 are directed to a computer-readable storage medium, which is distinguished from computer-readable communication media that can include a carrier wave according to instant application paragraphs [0092]-[0093]. Thus the computer-readable storage medium excludes the signal per se and meets the requirements of 35 USC section 101.
The examiner notes that no claims invoke 35 USC 112(f).
Priority
Applicant’s claim for the benefit of the priority date of previously filed US Provisional Application 62/445,015, filed on 1/11/2017, is acknowledged by the examiner.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-4, 7-12, and 15-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Maciejak et al. (US Patent 10,169,586 B2), hereinafter Maciejak.
As to claim 1, Maciejak teaches a method for malware prevention performed by a computing device (see abstract for ransomware detection and damage mitigation), comprising: 
creating one or more decoy files in a file directory that stores one or more other files (see Fig. 2B, step 254; see also col. 4, lines 53-56 “…then the file system event monitoring module deploys a decoy file within the directory at issue and notifies the driver and/or a thread associated therewith to monitor the decoy file.”); 
determining that one or more file access operations are being performed with respect to at least one of the one or more decoy files (see col. 7, lines 51-57 “…file tampering detection module 206 is configured to monitor and detect, through the monitoring driver (which may also be simply referred to as the "driver" herein), whether a deployed decoy file is attempted to be tampered with, determines whether the process at issue is ransomware and terminates the ransomware process upon such detection.”); 
analyzing the one or more file access operations to determine whether the one or more file access operations originate from a malicious process (see col. 8, lines 18-22 “…a tampering attempt on the deployed decoy file by the detected ransomware process can be any or a combination of an access, write, read, encrypt, delete, or lock operation.”; see col. 13, lines 55-58); and 
in response to determining that the one or more file access operations originate from the malicious process (e.g., the process that triggered the deployment of the decoy file(s)), performing an action to neutralize the malicious process (see col. 12, lines 24-30 “At step 554, responsive to detection by the driver and/or a thread associated therewith of an attempt by a process that caused the decoy file to be deployed to tamper with (e.g., access, open, read, write or delete) the decoy file, the driver and/or a thread associated therewith identifies the process as a ransomware process and causes the ransomware process to be terminated at step 556”). 
As to claims 9 and 17, claims 9 and 17 include similar limitations as claim 1 and thus claims 9 and 17 are rejected under the same rationale.
As to claims 2, 10, and 18, in view of claims 1, 9, and 17, respectively, Maciejak teaches wherein the performing the action comprises at least one of: terminating the malicious process (see col. 12, lines 24-30 “At step 554, responsive to detection by the driver and/or a thread associated therewith of an attempt by a process that caused the decoy file to be deployed to tamper with (e.g., access, open, read, write or delete) the decoy file, the driver and/or a thread associated therewith identifies the process as a ransomware process and causes the ransomware process to be terminated at step 556.”); suspending the malicious process; performing a backup of the one or more other files stored in the file directory; checking an integrity of the one or more other files; activating an anti-virus program; recording in an event log an event that indicates that the malicious process performed the one or more file access operations to the one or more decoy files; or prompting a user of the computing device to indicate an operation to perform.
As to claims 3, 11, and 19, in view of claims 1, 9, and 17, respectively, Maciejak teaches further comprising: periodically modifying one or more attributes of the one or more decoy files such that a sorting operation performed on the files stored in the directory causes the one or more decoy files to be listed before the other one or more files in a list generated by the sorting operation (see col. 7, lines 46-50 “In an aspect, file attribute(s), file content, file type, or any other attribute of the decoy file can be adapted in such a way that the randomness of the file content/attribute(s) and/or the file type can defeat identification of the decoy file by ransomware processes.”). 
As to claims 4, 12, and 20, in view of claims 3, 11, and 19, respectively, Maciejak teaches wherein the one or more attributes comprise at least one of: a file name; a file size; a creation date; a modification date; a file type; or file content (see col. 7, lines 46-50 “In an aspect, file attribute(s), file content, file type, or any other attribute of the decoy file can be adapted in such a way that the randomness of the file content/attribute(s) and/or the file type can defeat identification of the decoy file by ransomware processes.”).
As to claims 7 and 15, in view of claims 1 and 9, respectively, Maciejak teaches wherein the analyzing comprises: identifying a pattern associated with the one or more file access operations that are performed with respect to the one or more decoy files; and applying one or more rules to the pattern to determine whether the one or more file access operations originate from the malicious process (see col. 10, lines 18-29 “In the present example, the tampering/manipulation of the decoy file is represented by a write operation 320. In response to determining (by the monitoring driver) that a tampering operation has been attempted on the deployed decoy file by a process (i.e., xkccnma.exe) having a PID (i.e., 2840) that previously triggered deployment of the decoy file, an alert 322 can be generated to notify the monitoring file about the tampering attempt by the now confirmed ransomware process.”; it is noted that any attempt to access and tamper with a decoy file by a process that triggered the deployment of the decoy files is considered detection of ransomware according to a rule.).
As to claims 8 and 16, in view of claims 7 and 15, respectively, Maciejak teaches wherein the pattern associated with the one or more file access operations comprises a read operation to the decoy file or to a portion thereof and a write operation to the same decoy file or the same portion thereof (see col. 8, lines 19-22 “In an aspect, a tampering attempt on the deployed decoy file by the detected ransomware process can be any or a combination of an access, write, read, encrypt, delete, or lock operation.”).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 5 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Maciejak in view of Continella et al. (US 2018/0157834 A1), hereinafter Continella.
As to claims 5 and 13, in view of claims 1 and 9, respectively, Maciejak does not explicitly teach, but Continella teaches, wherein the analyzing comprises: identifying a pattern associated with the one or more file access operations that are performed with respect to the one or more decoy files; and providing the pattern as an input to a machine-learning-based algorithm that outputs an indication of whether the pattern is a legal file access pattern or an illegal file access pattern, the machine-learning-based algorithm being trained on observed file access patterns for the one or more other files (see para. [0051]-[0058] “[0051] The detector module 3 is a custom machine-learning classifier trained on the filesystem-activity features defined in FIG. 3, extracted from a large corpus of IRP logs obtained from clean and infected machines. Once trained, this classifier is leveraged at runtime to decide whether the features extracted from a live system fit the learned feature distributions (i.e., no signs of malicious activity) or not. [0052] The detector module 3 keeps track of the filesystem-activity feature values in the long-term and short-term horizon, and cast a final decision based on both data. [0053] Particularly, the detector module 3 uses automatically created detection models 4, 5 that distinguish ransomware from benign processes at runtime. The detector module 3 adapts the detection models to the system usage habits observed on the protected system.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Maciejak and Continella before him or her, to modify the scheme of Maciejak by including Continella. The suggestion/motivation for doing so would have been to use a machine learning-based classifier trained on file system event data sets of ransomware and benign applications, such that the trained model can automatically generate a determination of whether the application producing the file system related run-time features is ransomware or not.
Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Maciejak in view of Continella, and further in view of Natanzon et al. (US 10409981 B1), hereinafter Natanzon.
As to claims 6 and 14, in view of claims 5 and 13, respectively, the combination of Maciejak and Continella does not explicitly teach, but Natanzon teaches, wherein the machine-learning based algorithm outputs a probability that the pattern is a legal file access pattern and the analyzing further comprises: comparing the probability to a threshold (see col. 8, lines 21-39 “In some embodiments, the ransomware detection processor determines (1) a probability that data written by the host is actually encrypted and (2) a probability that data written by the host is expected to be encrypted. In certain embodiments, the ransomware detection processor calculates a ransomware probability using both these actual and expected probabilities. Referring again to FIG. 3, if the ransomware probability exceeds one or more predetermined thresholds, then the DPA 300 may take actions to mitigate the effects of a potential ransomware attack. In some embodiments, the ransomware probability may be compared against both a first threshold value and a second threshold value (great than the first threshold value). If the ransomware probability exceeds the first threshold value, a first mitigation action may be taken. If the ransomware probability exceeds the second threshold value, a second mitigation action may be taken. In one embodiment, the lower threshold value is about 50% and the upper threshold value is about 75%.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Maciejak, Continella and Natanzon before him or her, to modify the scheme of Maciejak and Continella by including Natanzon. The suggestion/motivation for doing so would have been to use a machine learning-based classifier trained on file system IO event data sets of ransomware and benign applications, such that the trained model can automatically act on the calculated probability of ransomware exceeding a predetermined threshold value.
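As an added illustration of the decoy-file access pattern of claims 7, 8, 15 and 16 and the two-threshold probability comparison of claims 6 and 14 (example code written here, not from the application or the cited Maciejak, Continella or Natanzon references), the following Python monitor scores accesses to decoy files and maps the result onto the 50%/75% tiers quoted above; the weights, paths, PIDs and events are assumed sample values.

```python
"""Decoy-file tampering monitor: an added illustration of the claim limitations
discussed above, not code from Maciejak, Continella or Natanzon. All paths,
PIDs and events are constructed sample data; the weights are assumed values."""
from collections import namedtuple
from dataclasses import dataclass, field
LOW_THRESHOLD, HIGH_THRESHOLD = 0.50, 0.75  # the 50% / 75% tiers quoted from Natanzon
READ_W, WRITE_W, READ_THEN_WRITE_W = 0.20, 0.40, 0.60  # assumed illustrative weights
TAMPER_OPS = {"write", "delete", "encrypt", "lock"}
Event = namedtuple("Event", "pid op path")  # one file-access operation by a process

@dataclass
class DecoyMonitor:
    decoys: set                                 # paths of deployed decoy files
    reads: set = field(default_factory=set)     # (pid, path) pairs already read
    scores: dict = field(default_factory=dict)  # pid -> ransomware probability [0, 1]

    def observe(self, ev: Event) -> str:
        """Score one file-access event; return the mitigation tier it triggers."""
        if ev.path not in self.decoys:
            return "ignore"   # only decoy files are monitored here
        key = (ev.pid, ev.path)
        if ev.op == "read":
            self.reads.add(key)
            weight = READ_W
        elif ev.op in TAMPER_OPS:
            # Read then write/delete of the same decoy is the encrypt-in-place
            # pattern of claims 8 and 16; weight it above a blind write.
            weight = READ_THEN_WRITE_W if key in self.reads else WRITE_W
        else:
            return "ignore"
        prob = min(1.0, self.scores.get(ev.pid, 0.0) + weight)
        self.scores[ev.pid] = prob
        return decide(prob)

def decide(prob: float) -> str:
    """Two-threshold scheme: second action above HIGH, first action above LOW."""
    if prob > HIGH_THRESHOLD:
        return "terminate"
    if prob > LOW_THRESHOLD:
        return "suspend"
    return "log"   # below both thresholds: record the event only

def run_sample() -> list:
    """Replay constructed events: a backup agent and a ransomware-like process."""
    mon = DecoyMonitor(decoys={"/docs/!000_decoy.docx", "/docs/!001_decoy.xlsx"})
    events = [Event(100, "read", "/docs/!000_decoy.docx"),    # backup agent reads once
              Event(100, "read", "/docs/report.docx"),        # non-decoy file
              Event(2840, "read", "/docs/!000_decoy.docx"),   # suspect reads decoy...
              Event(2840, "write", "/docs/!000_decoy.docx")]  # ...then overwrites it
    return [mon.observe(e) for e in events]
```

A single read of a decoy stays at the logging tier, while a read followed by a write of the same decoy by the same process crosses the upper threshold in one step.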
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HEE K SONG whose telephone number is (571)270-3260. The examiner can normally be reached on M-F 9:00 am – 5:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw, can be reached on (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-7291.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/HEE K SONG/PRIMARY Examiner, Art Unit 2497