/17/2022
Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
2.	Applicant’s arguments filed on 12/17/2021, with respect to the 35 U.S.C. 101 rejection of claims 1-20, have been fully considered and are persuasive. The 101 rejection of claims 1-20 has been withdrawn.

3.	Applicant’s arguments filed on 12/17/2021, with respect to the 35 U.S.C. 102 rejection of claims 1-20 as being anticipated by have been fully considered and are persuasive. However, upon further consideration, a new ground(s) of rejection is made in view of amended claims.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

4.	Claims 1, 3-7, 9-14 and 16-23 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 20190319987, hereinafter Levy, in view of U.S. Publication No. 20190303572, hereinafter Chelarescu.

As per claim 1, Levy discloses:
A method (para 0175 “FIG. 15 shows a method for using dynamic entity models to improve network security.”) comprising:
performing, by a data protection system for a storage system, a first security threat detection process (para 0064 “The event collection facility 164 may be used to collect events from any of a wide variety of sensors that may provide relevant events from an asset, such as sensors on any of the compute instances 10-26, the application protection facility 150, a cloud computing instance 109 and so on. The events that may be collected may be determined by the entity models. There may be a variety of events collected. Events may include, for example, events generated by the enterprise facility 102 or the compute instances 10-26, such as by monitoring streaming data through a gateway such as firewall 10 and wireless access point 11, monitoring activity of compute instances, monitoring stored files/data on the compute instances 10-26 para 0176 “As shown in step 1502, the method 1500 may include instrumenting a compute instance in the enterprise network with a number of sensors to detect events from a number of computing objects associated with the compute instance. This may more generally include instrumenting any number of compute instances, such as any of the compute instances described herein, with any number of sensors.”);
determining, by the data protection system based on the performing of the first security threat detection process, that the storage system is possibly being targeted by a security threat (para 0177 “As shown in step 1504, the method 1500 may include providing entity models such as a first entity model for local use at a compute instance and a second model for use at a threat management facility. For example, the first entity model may be a model characterizing a pattern of events expected from the number of sensors in a vector space, also referred to herein as the event vector space or the event feature space, that characterizes events that are modeled within the system. The method 1500 may include storing a second entity model for the entity at a threat management facility for the enterprise network. The second entity model may characterize a second pattern of events expected from the number of sensors in the vector space.” Para 0179 “As shown in step 1506, the method 1500 may include collecting a plurality of the events into an event vector in the vector space. As noted above, this may include tokenizing, normalizing, encrypting, compressing, prioritizing, or otherwise processing individual events and/or the event vector 
and performing, by the data protection system, a second security threat detection process, the second security threat detection process providing higher confidence threat detection than the first security threat detection process (para 0183 “As shown in step 1514, the method 1500 may include calculating a second risk score with the threat management facility based on a second distance between the event vector and the second entity model.”)
confirming, by the data protection system based on the performing of the second security threat detection process, that the storage system is possibly being targeted by the security threat; and performing, by the data protection system based on the confirming that the storage system is possibly being targeted by the security threat, a remedial action with respect to the storage system (para 0120 “As shown in step 916, the method 900 may include receiving a user disposition of an intermediate threat, for example using any of the techniques described herein. For example, this may include receiving a user-initiated remedial action for one of the intermediate threats in the user interface. This may also or instead include receiving a user risk assessment for one of the intermediate threats in the user interface, such as by explicitly categorizing the intermediate threat as safe, unsafe, unknown, or appropriate for increased monitoring. In another aspect, the method 900 may include remediating a risk to 

	Levy does not disclose:
remedial action comprising one or more of generating a recovery dataset for data stored by the storage system, preventing a recovery dataset for data stored by the storage system from being deleted or modified, or modifying a data protection parameter set for a recovery dataset for data stored by the storage system

	Chelarescu discloses:
remedial action comprising one or more of generating a recovery dataset for data stored by the storage system, preventing a recovery dataset for data stored by the storage system from being deleted or modified, or modifying a data protection parameter set for a recovery dataset for data stored by the storage system (para 0017 “In another example embodiment, the cloud storage system determines the suggested restore point based on a combination of date-based factor and file-based factor. The cloud storage system further generates a recovery user interface that indicates a preselected restore point for the client device and provides additional information (e.g., file content change activity) to enable the user of the client device to select a restore point. This additional information includes, for example, the file name, the name of the user who modified the file, the name of the device that modified the file, the name 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of claimed invention to modify the method for using dynamic entity models to improve network security of Levy to include remedial action comprising one or more of generating a recovery dataset for data stored by the storage system, preventing a recovery dataset for data stored by the storage system from being deleted or modified, or modifying a data protection parameter set for a recovery dataset for data stored by the storage system, as taught by Chelarescu.
The motivation would have been to protect the computing system from a threat by restoring the computing/storage system to an earlier time.

As per claim 3, Levy in view of Chelarescu discloses:
The method of claim 1, further comprising: performing, by the data protection system based on the determining that the storage system is possibly being targeted by the security threat, a first remedial action with respect to the storage system (Levy para 0181)


As per claim 4, Levy in view of Chelarescu discloses:
The method of claim 3, wherein the first remedial action is different than the remedial action (Levy para 0181 and 0185).

As per claim 5, Levy in view of Chelarescu discloses:
The method of claim 3, wherein the first remedial action comprises one or more of providing a notification, generating a first recovery dataset, preventing a second recovery dataset from being deleted or modified, modifying a data protection parameter set for a third recovery dataset, or restoring data stored by the storage system to an uncorrupted state (Levy para 0181 and 0185).

As per claim 6, Levy in view of Chelarescu discloses:
The method of claim 1, further comprising determining, by the data protection system subsequent to confirming, that the storage system is no longer being targeted by the security threat (Levy para 0185 and 0187).

As per claim 7, Levy in view of Chelarescu discloses:
The method of claim 6, further comprising reverting back, by the data protection system based on the determining that the storage system is no longer being targeted by the security threat, to performing the first security threat detection process (Levy para 0184 and 0188 “In one aspect, recalculation of the baseline may be dynamically triggered, e.g., by an increase in detected deviations above a predetermined threshold (which may be statically or Para 0215 “According to the foregoing, in one aspect, selecting the authentication model includes selecting a model that uses an additional authentication factor to permit access when at least one of the first risk score and the second risk score is below a threshold and withholds the additional authentication factor to prevent access when at least one of the first risk score and the second risk score is above a threshold.” Also see, para 0219). 

As per claim 9, Levy in view of Chelarescu discloses:
The method of claim 1, wherein the performing of the second security threat detection process is performed in response to the determining that the storage system is possibly being targeted by the security threat (Levy para 0181 and 0185).

As per claim 10, Levy in view of Chelarescu discloses:
The method of claim 1, wherein the performing of the second security threat detection process is performed in parallel with the performing of the first security threat detection process (Levy para 0184).

As per claim 11, Levy in view of Chelarescu discloses:
The method of claim 1, wherein the data protection system is implemented by a controller within the storage system (Levy para 0033, 0038 and 0064).

As per claim 12, Levy in view of Chelarescu discloses:
The method of claim 1, wherein the data protection system is implemented by a computing system communicatively coupled to the storage system by way of a network (Levy Figs. 1-6).

As per claim 13, Levy in view of Chelarescu discloses:
The method of claim 1, wherein the determining that the storage system is possibly being targeted by the security threat comprises determining that a ransomware attack is possibly operating against the storage system (Levy para 0155). 

As per claim 14, the implementation of the method of claim 1 will execute the system of claim 1. The claim is analyzed with respect to claim 1.

As per claim 15, the claim is analyzed with respect to claim 2.

As per claim 16, the claim is analyzed with respect to claim 3.

As per claim 17, the claim is analyzed with respect to claim 4.

As per claim 18, the claim is analyzed with respect to claim 5.

As per claim 19, the claim is analyzed with respect to claim 5.

As per claim 20, the implementation of the method of claim 1 will execute the non-transitory computer-readable medium (Levy in view of Chelarescu paragraph 0204, 0205, and 0231) of claim 1. The claim is analyzed with respect to claim 1.

As per claim 21, Levy in view of Chelarescu discloses:
The system of claim 19, wherein the processor is further configured to execute the instructions to revert back, by the data protection system based on the determining that the storage system is no longer being targeted by the security threat, to performing the first security threat detection process (Chelarescu Figs. 7 and 8, the motivation would have been to properly determine that a threat is occurring.).

As per claim 22, Levy in view of Chelarescu discloses:
The non-transitory computer-readable medium of claim 20, wherein the instructions are further configured to direct the processor to perform, based on the determining that the storage system is possibly being targeted by the security threat, a first remedial action with respect to the storage system (Chelarescu Fig. 5, the motivation would have been to properly determine that a threat is occurring.).


As per claim 23, Levy in view of Chelarescu discloses:
The non-transitory computer-readable medium of claim 20, wherein the first remedial action is different than the remedial action (Chelarescu Figs. 7 and 8, the motivation would have been to properly determine that a threat is occurring.).

	
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/
Primary Examiner, Art Unit 2491