DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Election/Restriction
REQUIREMENT FOR UNITY OF INVENTION
As provided in 37 CFR 1.475(a), a national stage application shall relate to one invention only or to a group of inventions so linked as to form a single general inventive concept (“requirement of unity of invention”). Where a group of inventions is claimed in a national stage application, the requirement of unity of invention shall be fulfilled only when there is a technical relationship among those inventions involving one or more of the same or corresponding special technical features. The expression “special technical features” shall mean those technical features that define a contribution which each of the claimed inventions, considered as a whole, makes over the prior art.
The determination whether a group of inventions is so linked as to form a single general inventive concept shall be made without regard to whether the inventions are claimed in separate claims or as alternatives within a single claim. See 37 CFR 1.475(e).
When Claims Are Directed to Multiple Categories of Inventions:
As provided in 37 CFR 1.475 (b), a national stage application containing claims to different categories of invention will be considered to have unity of invention if the claims are drawn only to one of the following combinations of categories:

(2) A product and a process of use of said product; or
(3) A product, a process specially adapted for the manufacture of the said product, and a use of the said product; or
(4) A process and an apparatus or means specifically designed for carrying out the said process; or
(5) A product, a process specially adapted for the manufacture of the said product, and an apparatus or means specifically designed for carrying out the said process.
Otherwise, unity of invention might not be present. See 37 CFR 1.475 (c).
Restriction is required under 35 U.S.C. 121 and 372.
This application contains the following inventions or groups of inventions which are not so linked as to form a single general inventive concept under PCT Rule 13.1. 
In accordance with 37 CFR 1.499, applicant is required, in reply to this action, to elect a single invention to which the claims must be restricted.
Group I, claim(s) 1-5, 13 and 14, drawn to a method of detecting malware in which a characteristic is extracted from output data and compared with a threshold of determining randomness in the result.
Group II, claim(s) 6-12, drawn to a method of detecting malware in which a characteristic is extracted and compared with a registered characteristic value.
The groups of inventions listed above do not relate to a single general inventive concept under PCT Rule 13.1 because, under PCT Rule 13.2, they lack the same or corresponding special technical features for the following reasons:

In Group I, the comparison is made with a threshold value, expressed as a matching ratio of randomness of each characteristic value. In ¶109 of the specification, the thresholds are set using percentage values of overlap between the two data elements that are being compared. 
In Group II, the comparison is made with a registered value, and notably there is no reliance on “randomness” in this group (none of claims 6-12 disclose “randomness”). Rather, the extracted characteristic is compared with the registered characteristic value. 
Because the groups are both drawn to methods, there are no notable features that are common to both because of the integral nature of how the extracted characteristic value is compared and then used in making the determination of a ransomware attack. Thus the examiner determines that the disclosed claims lack unity of invention a priori as not all claimed inventions share the same or corresponding technical features. 

Election over the phone
During a telephone conversation with Heungsoo Choi on 02/10/2022 a provisional election was made without traverse to prosecute the invention of Group I, claims 1-5, 13 and 14. Affirmation of this election must be made by applicant in replying to this Office action. Claims 6-12 are withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as being drawn to a non-elected invention. Further details are disclosed in the accompanying interview summary form, PTO-413/413b.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 14 is rejected under 35 U.S.C. § 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claim is directed to a "computer program product" that is "stored in a non-transitory memory". However, the fact that the "computer program product" is "stored in a non-transitory memory" means that the "computer program product" as outlined in the claim is considered "software per se" and thus does not fall under one of the statutory categories. It should be further noted that computer programs, software or executable code by itself is not one of the four statutory subject matters under 35 U.S.C. § 101.
How to overcome the rejection:
Because the applicant already discloses a “non-transitory computer readable medium” in claim 13, the examiner cannot make any suggestions as to re-write claim 14 as a non-transitory computer readable medium claim. 
Alternatively, the applicant may consider another statutory matter, such as a system claim comprising sufficient hardware, if sufficient support is given in the specification, that carries out the method. It should be noted that the examiner cannot determine whether such a hypothetical claim would indeed be statutory or not without further examination. 
As a last resort, the applicant can always elect to cancel the claim to overcome the rejection. 

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. § 102 and § 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-5, 13 and 14 are rejected under 35 U.S.C. § 102(a)(1) and (a)(2) as being anticipated by U.S. PGPub. No. 2018/0075234 A1 (hereinafter "Boutnaru").

Regarding claim 1:
Boutnaru discloses:
A data processing method for coping with ransomware in a computer apparatus having a processor and a memory (see ¶67: “…includes at least one instance of an integrated circuit (processor) 710 coupled to an external memory 715…”), comprising: 
setting a threshold as a criterion for determining randomness, by the processor, for each of at least one characteristic value representing characteristics of data (in ¶51, Boutnaru discloses how an entropy level of the original content is calculated (examiner equates the calculated entropy level of the original content as the threshold for determining randomness), i.e. ¶51: “…using a calculated entropy level of the original content, and then comparing that to a calculated entropy level for the altered content…”); 
when output subject data to be outputted from the processor to the memory is generated, dividing the output subject data into a plurality of segments, each having a predetermined size, and extracting the at least one characteristic value for the output subject data by and analyzing the plurality of segments (in ¶52, Boutnaru discloses how data that is outputted from the processor is divided into a plurality of ‘portions’ (=segments), i.e. ¶52: “…as a degree of randomness of data … file portion … analyzing particular portions of data relative to particular other portions …” ); 
determining randomness of the output subject data by comparing at least one extracted characteristic value with the corresponding threshold (in ¶52, Boutnaru discloses how Entropy is a calculation of the degree of randomness of data presented in a file, i.e. ¶52: “Entropy can be calculated as a degree of randomness of data in a file or file portion in some embodiments. For example, an entropy level on a 0-100 scale could be determined by analyzing particular portions of data relative to particular other portions of data for a particular data segment or file.”, as discussed later in ¶52 and cited above, a portion of the data is then compared with a previously calculated entropy, i.e. ¶52: “…using a calculated entropy level of the original content, and then comparing that to a calculated entropy level for the altered content…”); 
determining whether a ransomware attack occurred to the output subject data according to a randomness determination result (in ¶42, Boutnaru discloses how the output of a particular process is used to determine if a ransomware attack occurred, i.e.: “…analysis of modified content for operation 420 may include determining that a particular process (e.g., ransomware 130) has read a first copy of content from a file (which is now stored in a cache), then attempted to write a modified version of that content back to the file (with the modified version being stored in cache at least temporarily before being written to permanent storage)..”); and 
executing an output operation for the output subject data according to a ransomware attack determination result (see Fig. 4 of Boutnaru that depicts in step 440: “Prevent original content from being deleted if altered content has been encrypted”), 
wherein the at least one characteristic value comprises a bit position ratio characteristic value that represents a statistical value for a ratio at which a predetermined bit value appears at each bit position in the plurality of segments or a segment bit number ratio characteristic value that represents a statistical value for the number of bits having a particular bit value in the plurality of segments (in ¶52, Boutnaru discloses how an entropy can be calculated based on the randomness of the data, the examiner notes that the entropy is measured in percentages and interprets that the Entropy is based on the bit pattern found in the data and how much individual bits deviate from the expected bits (the more deviation the higher the percentage of Entropy), i.e. see ¶52: “Using the 0-100 scale, a particular threshold shift could indicate encryption. This threshold shift could be measured in absolute terms (e.g., +50 points on a 100 point scale) or could be measured in percentage terms (e.g., 50%+). A lower threshold of either could be taken as well (e.g., if a file garners at least a 50 point jump or a 50% increase, an encryption event will have been deemed to occur). Many different threshold levels may be set in various embodiments, of course. Different entropy threshold levels may also be set for different types of files (originally higher compressed files such as ZIPs, MP3s, MP4s, JPGs etc. may have different threshold entropy difference levels set relative to other file types such as plain text, MS-WORD docs, GIF, etc.). ”).
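
The comparison the rejection of claim 1 turns on, as an added Python illustration that is not part of the Office action, the application or the Boutnaru reference: the entropy jump between original and altered content on the 0-100 scale quoted from ¶52, next to one possible reading of the claimed bit position ratio characteristic. The segment size, the deviation threshold, the both-must-agree policy and all function names are assumptions; the application's equations 1-7 are not reproduced on this page, and the sample data is constructed.

```python
import hashlib
import math
from collections import Counter

SEGMENT_SIZE = 16      # bytes per segment; assumed, the page says only "predetermined size"
ENTROPY_JUMP = 50.0    # "+50 points on a 100 point scale" from the quoted paragraph 52
BIT_DEV_LIMIT = 0.10   # assumed threshold for the bit-position characteristic

def entropy_score(data: bytes) -> float:
    """Shannon entropy of the byte histogram, scaled to 0-100."""
    if not data:
        return 0.0
    n = len(data)
    bits = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return 100.0 * bits / 8.0

def bit_position_deviation(data: bytes, seg: int = SEGMENT_SIZE) -> float:
    """Mean |p_i - 0.5|, where p_i is the share of segments with bit i set."""
    segments = [data[i:i + seg] for i in range(0, len(data) - seg + 1, seg)]
    if not segments:
        return 0.5  # too little data to call it random
    ones = [0] * (seg * 8)
    for s in segments:
        value = int.from_bytes(s, "big")
        for i in range(seg * 8):
            ones[i] += (value >> i) & 1
    return sum(abs(o / len(segments) - 0.5) for o in ones) / len(ones)

def assess_write(original: bytes, altered: bytes) -> dict:
    """Compare a pending write with the content it replaces; block only if both flags agree (assumed policy)."""
    jump = entropy_score(altered) - entropy_score(original)
    deviation = bit_position_deviation(altered)
    return {
        "entropy_jump": round(jump, 1),
        "bit_deviation": round(deviation, 3),
        "entropy_flag": jump >= ENTROPY_JUMP,
        "bit_flag": deviation < BIT_DEV_LIMIT,
        "block_write": jump >= ENTROPY_JUMP and deviation < BIT_DEV_LIMIT,
    }

def keystream(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]

# Constructed sample data: a repetitive record file and two candidate writes.
ORIGINAL = b"id=0001;status=ok;amount=100.00\n" * 128
EDITED = ORIGINAL.replace(b"status=ok", b"status=no", 5)
ENCRYPTED = keystream(len(ORIGINAL))

if __name__ == "__main__":
    print("edited   ", assess_write(ORIGINAL, EDITED))
    print("encrypted", assess_write(ORIGINAL, ENCRYPTED))
```

When the original content is already high-entropy, the jump stays near zero even for an encrypted overwrite, which is the reason the quoted ¶52 sets different threshold levels per file type.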

Regarding claim 2:
Boutnaru discloses:
The data processing method of claim 1, wherein the output subject data is processed in a file unit or a kernel buffer unit (see ¶41 of Boutnaru, ‘kernel cache’).

Regarding claim 3:
Boutnaru discloses:
The data processing method of claim 1, wherein the at least one characteristic value for the output subject data further comprises a segment pattern frequency characteristic value representing a statistical value for a frequency of occurrences of different segment patterns appearing in the plurality of segments (see ¶52: “Using the 0-100 scale, a particular threshold shift could indicate encryption. This threshold shift could be measured in absolute terms (e.g., +50 points on a 100 point scale) or could be measured in percentage terms (e.g., 50%+). A lower threshold of either could be taken as well (e.g., if a file garners at least a 50 point jump or a 50% increase, an encryption event will have been deemed to occur). Many different threshold levels may be set in various embodiments, of course. Different entropy threshold levels may also be set for different types of files (originally higher compressed files such as ZIPs, MP3s, MP4s, JPGs etc. may have different threshold entropy difference levels set relative to other file types such as plain text, MS-WORD docs, GIF, etc.).”).


Regarding claim 4:
Boutnaru discloses:
The data processing method of claim 1, wherein determining the randomness of the output subject data comprises: determining that each of the at least one characteristic value has the randomness if a randomness matching ratio of the characteristic value is greater than a corresponding threshold (see Boutnaru ¶52: “Using the 0-100 scale, a particular threshold shift could indicate encryption. This threshold shift could be measured in absolute terms (e.g., +50 points on a 100 point scale) or could be measured in percentage terms (e.g., 50%+). A lower threshold of either could be taken as well (e.g., if a file garners at least a 50 point jump or a 50% increase, an encryption event will have been deemed to occur). Many different threshold levels may be set in various embodiments, of course. Different entropy threshold levels may also be set for different types of files (originally higher compressed files such as ZIPs, MP3s, MP4s, JPGs etc. may have different threshold entropy difference levels set relative to other file types such as plain text, MS-WORD docs, GIF, etc.).”).

Regarding claim 5:
Boutnaru discloses:
The data processing method of claim 4, wherein determining whether the ransomware attack occurred comprises: determining that the ransomware attack occurred to the output subject data in case that it is determined that more than a predetermined number of characteristic values have the randomness (see Boutnaru ¶42: “The analysis of modified content for operation 420 may include determining that a particular process (e.g., ransomware 130) has read a first copy of content from a file (which is now stored in a cache), then attempted to write a modified version of that content back to the file (with the modified version being stored in cache at least temporarily before being written to permanent storage).” in relation with the entropy used in the cache comparison as outlined in ¶52).

Regarding claim(s) 13 and 14:
A corresponding reasoning as given earlier in this section (see rejection of claim(s) 1) applies, mutatis mutandis, to the subject-matter of claim(s) 13 and 14, and therefore is/are also considered rejected under the grounds given in the rejection of claim(s) 1.   
In addition, Claim 13 is directed to a non-transitory computer-readable storage medium, which is disclosed by Boutnaru in ¶64, ‘computer-readable medium’. 
In addition, Claim 14 is directed to a computer program product, which is disclosed by Boutnaru in ¶65, ‘program instructions’. 

How to overcome the rejection of claims 1-5, 13 and 14:
It is strongly recommended that the applicant consider incorporating all or a combination of equations 1-7 (¶84, 87, 91, 95, 98, 103, 106) into the independent claims to overcome the prior art on record. Applicant is advised to argue how any incorporated equations are not anticipated by the Boutnaru reference.


Related Art
The following prior art made of record and cited on PTO-892, but not relied upon, is considered pertinent to applicant’s disclosure: 
U.S. Pub. No. 2018/0307839 A1 to “Bhave” – Bhave discloses a detection method for ransomware in which backups are retrieved to determine if they are infected with ransomware by searching for randomness in a distribution of bits in a block of a file.
U.S. Patent No. 2019/0130097 A1 to “Berler” – Berler discloses determining whether a ransomware attack is in progress by calculating cross-entropy and signaling the LBA that data should not be written.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Alexander Lagor whose telephone number is (571)270-5143. The examiner can normally be reached Monday thru Friday, 9:00 AM to 5:00 PM (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashokkumar B. Patel can be reached on (571) 272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: 





/ALEXANDER LAGOR/Primary Examiner, Art Unit 2491