Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.
DETAILED ACTION
1.	This action is responsive to:  an original application filed on 29 December 2020 with acknowledgement of a continuation of multiple applications 10/980,292 now patent 7,506,379, 12/098,256 now patent 9,928,384, 15/846,597 now patent 10,366,252, and 16/416,732 now patent 10,929,569 with an earliest filing date of 4 November 2004.
2.	Claims 1-20 are currently pending.  Claims 1, 6, and 14, are independent claims. 
3.	The IDS submitted on 29 December 2020 has been considered. 
Double Patenting
4.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A statutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/.
The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens.
An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, please refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp
 
5.	Claims 1-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-17 of application 12/098,256, now patent 9,928,384.  Although the conflicting claims are not identical, they are not patentably distinct from each other because all the elements/features in U.S. Patent 9,928,384 are present in the claimed application minus many claimed limitations.  Beginning on the next page is a table comparing claim 1 of the present application to claim 1 of the patented application.  Notice the present application has the same limitations that appear in the patented application 9,928,384 minus several details.

PRESENT APPLICATION, CLAIM 1
An intrusion detection and recovery system, comprising: a copying module that creates a point-in-time copy of a storage level logical unit, said point-in-time copy comprising a volume copy of said storage level logical unit and signatures of said storage level logical unit;
a comparison module that compares at least a portion of said point-in-time copy with a previous copy of the storage level logical unit;
and a judging module that, based on results of said comparison module, judges if a modification has occurred,
wherein a signature of said point-in-time copy is compared with a signature of said previous copy to detect a sign of an intrusion, and wherein the signatures of said storage level logical unit comprise encoded data of files of said storage level logical unit that are monitored in said point-in-time copy.

PATENT 9,928,384, CLAIM 1
comprising: creating a point-in-time copy of a storage level logical unit, said point-in-time copy comprising a volume copy of said storage level logical unit and a signature of said storage level logical unit;
comparing at least a portion of said point-in-time copy with a previous copy of the storage level logical unit, said previous copy of the storage level logical unit comprising an original copy of the storage level logical unit; judging, based on said comparing, if a modification has occurred,
wherein said modification comprises at least an intrusion and an unwanted modification; removing said point-in-time copy and saving said previous copy of the storage level logical unit for data recovery, if the intrusion has been judged; marking said point-in-time copy as a good copy and removing said previous copy of the storage level logical unit, if the 
wherein said point-in-time copy further comprises a plurality of signatures of different portions of said storage level logical unit, the signatures comprising encoding of data and metadata of the files, wherein the access rules define types of actions that are allowed to be performed on the files and types of actions on the files that are to be treated as the intrusion, wherein the signatures for files of interest are created based on said access rules, and wherein a signature of said point-in-time copy is compared with a signature of said previous copy to detect a sign of the intrusion.



Claim Rejections - 35 USC § 103

6.	The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.


7.	Claims 1, 6, and 13, are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Moran U.S. Patent No. 7,203,962 (hereinafter ‘962) in view of Anderson et al. U.S. Patent Application Publication 2003/0204609 (hereinafter ‘609).
	As to independent claim 1, “An intrusion detection and recovery system, comprising: a copying module that creates a point-in-time copy of a storage level logical unit” “and signatures of said storage level logical unit; a comparison module that compares at least a portion of said point-in-time copy with a previous copy of the storage level logical unit” is taught in ‘962 col. 4, lines 3-43;
	“and a judging module that, based on results of said comparison module, judges if a modification has occurred” is taught in ‘962 Abstract, col. 4, lines 15-29, as well as col. 32 line 59 through col. 33, line 37;
	“wherein a signature of said point-in-time copy is compared with a signature of said previous copy to detect a sign of an intrusion” is disclosed in ‘962 col. 4, lines 15-33;
	“and wherein the signatures of said storage level logical unit comprise encoded data of files of said storage level logical unit that are monitored in said point-in-time copy” is shown in ‘962 in the Abstract, col. 4, lines 15-29, as well as col. 32 line 59 through col. 33, line 37;
the following is not explicitly taught in ‘962:
	“said point-in-time copy comprising a volume copy of said storage level logical unit” however, ‘609 teaches that, in order to ensure backup process integrity, a signature can be computed and exchanged, which can be implanted in specific fields or across all fields, in paragraphs 84-85; note the signature across ‘all fields’ is interpreted as equivalent to a volume copy;
It would have been obvious to one of ordinary skill in the art at the time of the invention of a system and method for using timestamps to detect attacks taught in ‘962 to include a means to compare a volume copy as well as a signature of said volume copy.  One of ordinary skill in the art would have been motivated to perform such a modification because data protection security is important to ensure the use of digital technology adoption; see ‘609 (paragraph 5).
As to independent claim 6, “A storage system, comprising: at least one data storage unit; an intrusion detection and recovery system that detects an intrusion at a file system level by creating a point-in-time copy of a storage level logical unit” “and signatures of said storage level logical unit; a unit that compares at least a portion of said point-in-time copy and said storage level logical unit information with a previous copy of said storage level logical unit” is taught in ‘962 col. 4, lines 3-43;
	“and a unit that judges, based on results of said unit that compares, if a modification has occurred” is taught in ‘962 Abstract, col. 4, lines 15-29, as well as col. 32 line 59 through col. 33, line 37;
“wherein a signature of said point-in-time copy is compared with a signature of said previous copy to detect a sign of an intrusion” is disclosed in ‘962 col. 4, lines 15-33;

the following is not explicitly taught in ‘962:
“said point-in-time copy comprising a volume copy of said storage level logical unit” however, ‘609 teaches that, in order to ensure backup process integrity, a signature can be computed and exchanged, which can be implanted in specific fields or across all fields, in paragraphs 84-85; note the signature across ‘all fields’ is interpreted as equivalent to a volume copy;
It would have been obvious to one of ordinary skill in the art at the time of the invention of a system and method for using timestamps to detect attacks taught in ‘962 to include a means to compare a volume copy as well as a signature of said volume copy.  One of ordinary skill in the art would have been motivated to perform such a modification because data protection security is important to ensure the use of digital technology adoption; see ‘609 (paragraph 5).

	As to dependent claim 13, “The storage system according to claim 6, wherein said previous copy of the storage level logical unit comprises an original copy of the storage level logical unit” is shown in ‘962 col. 34, lines 1-6.

8.	Claims 2-3, 5, and 7-12,  are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Moran U.S. Patent No. 7,203,962 (hereinafter ‘962) in view of Anderson et al. U.S. Patent Application Publication 2003/0204609 (hereinafter ‘609) in further view of NPL Intrusion Detection, Diagnosis, and Recovery with Self-Securing Storage May 2002 by John D. .

As to dependent claim 2, the following is not explicitly taught in ‘962 and ‘609: “The intrusion detection and recovery system according to claim 1, further comprising: a removing module that, when the intrusion has been judged, removes said point-in-time copy and saves said previous copy of the storage level logical unit for data recovery” however, Strunk teaches utilizing previous versions (point-in-time copy) for recovery on page 5, in section 3.2 on pages 12-13, and in addition on page 18 in section 5.1 and page 21 in section 5.3. The Strunk reference clearly suggests that a recovery process would remove the infected “point-in-time copy” by copying the previous of the file by restoring the system.  It is known in the art to restore a system after attack the infected files are removed.  After recovery, Strunk does use the infected files for analysis to determine the point of intrusion; however, using the broadest reasonable interpretation, since the files are not active they are removed.
	It would have been obvious to one of ordinary skill in the art at the time of the invention of a system and method for using timestamps to detect attacks taught in ‘962 and ‘609 to include a means to utilize previously stored point-in-time copies for recovery after an attack.  One of ordinary skill in the art would have been motivated to perform such a modification because today’s recovery approaches require re-installing the OS from scratch, which is time consuming; see Strunk page 1.



As to dependent claim 4, “The intrusion detection and recovery system according to claim 3, further comprising: a preventing module that prevents changes on certain logical blocks of the stored data to take place when the changes violate predefined rules” is taught in Strunk page 5 and section 3.2 on pages 12-13, note utilizing previous versions (point-in-time copy) for recovery, Strunk also teaches on page 18 in section 5.1, and page 21 in section 5.3, a recovery process would remove the infected “point-in-time copy” by copying the previous of the file by restoring the system;
As to dependent claim 5, “The intrusion detection and recovery system according to claim 1, further comprising: a defining module that defines access rules to identify which files of said storage level logical unit are monitored in said point-in-time copy” is shown in Strunk section 3.2 pages 12-13, note as a concrete example of our prototype the server has been extended to support rule-based detection of suspect modifications...enforcing a rule set similar to Tripwire.

	

As to dependent claim 8, “The storage system according to claim 7, wherein said intrusion detection and recovery system, said management console, and said point-in-time copy of the storage level logical unit are maintained in a secure perimeter, and wherein said secure perimeter is accessible only by a storage system administrator” is shown in Strunk on page 2, Figure 1 as well as section 2.3 page 6.
As to dependent claim 9, “The storage system according to claim 6, further comprising: a unit that, when the intrusion has been judged, removes said point-in-time copy and saves said previous copy of the storage level logical unit for data recovery” is shown in Strunk page 5 and section 3.2 on pages 12-13, note utilizing previous versions (point-in-time copy) for recovery, Strunk also teaches on page 18 in section 5.1, and page 21 in section 5.3, a recovery process would remove the infected “point-in-time copy” by copying the previous of the file by restoring the system.
As to dependent claim 10, “The storage system according to claim 9, further comprising: a unit that, when the modification has not been judged, marks said point-in-time copy as a good copy and removes said previous copy of the storage level logical unit” is taught in Strunk page 5, note old versions are saved in the device’s history pool for a guaranteed amount of time and are used for recovery from intrusion, this clearly suggests that if no modification has been judged the previous copy will be deleted after expiration of time.


	As to dependent claim 12, “The storage system according to claim 6, further comprising: a unit that defines access rules to identify which files of said storage level logical unit are monitored in said point-in-time copy” is disclosed in Strunk section 3.2 pages 12-13, note as a concrete example of our prototype the server has been extended to support rule-based detection of suspect modifications...enforcing a rule set similar to Tripwire.

9. 	Claims 14-20 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over NPL Intrusion Detection, Diagnosis, and Recovery with Self-Securing Storage May 2002 by John D. Strunk, Garth R. Goodson, Adam G. Pennington Craig A.N. Soules, and Gregory R. Ganger (hereinafter Strunk) in view of Anderson et al. U.S. Patent Application Publication 2003/0204609 (hereinafter ‘609) in further view of Moran U.S. Patent No. 7,203,962 (hereinafter ‘962).

	As to independent claim 14, “A computer system, comprising: at least one client machine; and a storage system, said at least one client machine being connected to said storage system, said storage system comprising: at least one data storage unit; an intrusion detection and 
the following is not explicitly taught in Strunk:
“said point-in-time copy comprising a volume copy of said storage level logical unit and signatures of said storage level logical unit” however, ‘609 teaches that, in order to ensure backup process integrity, a signature can be computed and exchanged, which can be implanted in specific fields or across all fields, in paragraphs 84-85; note the signature across ‘all fields’ is interpreted as equivalent to a volume copy;
	It would have been obvious to one of ordinary skill in the art at the time of the invention of a system and method for Intrusion Detection and Diagnosis and Recovery method taught in Strunk to include a means to compare a volume copy as well as a signature of said volume copy.  One of ordinary skill in the art would have been motivated to perform such a modification because data protection security is important to ensure the use of digital technology adoption; see ‘609 (paragraph 5).

the following is not explicitly taught in Strunk and ‘609:
	“a unit that compares at least a portion of said point-in-time copy and said storage level logical unit information with a previous copy of said storage level logical unit” however, ‘962 teaches comparing signatures of an active and stored files to determine if rules are being violated based on predefined rules in the Abstract, col. 4, lines 15-29, col. 32 line 59 through col. 33, line 37, and col. 34, lines 1-6;


It would have been obvious to one of ordinary skill in the art at the time of the invention of a system and method for Intrusion Detection and Diagnosis and Recovery method taught in Strunk to include a means to monitor signatures to identify intrusion.  One of ordinary skill in the art would have been motivated to perform such a modification because there is a need for an improved system for detecting computer intrusions; see ‘962 (col. 3, lines 20-29).

	As to dependent claim 15, “The computer system according to claim 14, wherein said previous copy of the storage level logical unit comprises an original copy of the storage level logical unit” is taught in ‘962 col. 34, lines 1-6.
As to dependent claim 16, “The computer system according to claim 14, wherein said intrusion detection and recovery system, said management console, and said point-in-time copy of the storage level logical unit are maintained in a secure perimeter, and wherein said secure perimeter is accessible only by a storage system administrator” is shown in Strunk on page 2, Figure 1 as well as section 2.3 page 6.
	As to dependent claim 17, “The computer system according to claim 14, wherein said storage system further comprises: a unit that, when the intrusion has been judged, removes said point-in-time copy and saves said previous copy of the storage level logical unit for data 
	As to dependent claim 18, “The computer system according to claim 17, wherein said storage system further comprises: a unit that, when the modification has not been judged, marks said point-in-time copy as a good copy and removes said previous copy of the storage level logical unit” is taught in Strunk page 5, note old versions are saved in the device’s history pool for a guaranteed amount of time and are used for recovery from intrusion, this clearly suggests that if no modification has been judged the previous copy will be deleted after expiration of time.
	As to dependent claim 19, “The computer system according to claim 18, wherein said storage system further comprises: a unit that prevents changes on certain logical blocks of the stored data to take place when the changes violate predefined rules” is shown in Strunk page 5 and section 3.2 on pages 12-13, note utilizing previous versions (point-in-time copy) for recovery, Strunk also teaches on page 18 in section 5.1, and page 21 in section 5.3, a recovery process would remove the infected “point-in-time copy” by copying the previous of the file by restoring the system.
	As to dependent claim 20, “The computer system according to claim 14, wherein said storage system further comprises: a unit that defines access rules to identify which files of said storage level logical unit are monitored in said point-in-time copy” is disclosed in Strunk section 3.2 pages 12-13, note as a concrete example of our prototype the server has been extended to support rule-based detection of suspect modifications...enforcing a rule set similar to Tripwire.

Conclusion
10.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ellen Tran whose telephone number is (571) 272-3842.  The examiner can normally be reached from 7:30 am to 4:00 pm.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
		If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached at (571) 272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ELLEN TRAN/
Primary Examiner, Art Unit 2433
25 February 2022