Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER'S AMENDMENT
2.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

3.	Authorization for this examiner’s amendment was given in an interview with Travis Laird on 02/18/2022.

The application has been amended as follows: 

1. 	(Currently Amended)  A method comprising:
	determining, by a data protection system, that a total amount of read traffic and write traffic processed by a storage system during a time period exceeds a threshold, the read traffic representing data read from the storage system during the time period and the write traffic representing data written to the storage system during the time period;
determining, by the data protection system, a first compressibility metric associated with the write traffic, the first compressibility metric indicating an amount of storage space saved if the write traffic is compressed;
determining, by the data protection system, a second compressibility metric associated with the read traffic, the second compressibility metric indicating an amount of storage space saved if the read traffic is compressed;
determining, by the data protection system based on a comparison of the first compressibility metric with the second compressibility metric, that the write traffic is less compressible than the read traffic; 
	determining, by the data protection system based on the total amount of read traffic and write traffic exceeding the threshold and on the write traffic being less compressible than the read traffic, that the storage system is possibly being targeted by a security threat; and
performing, by the data protection system based on the determining that the storage system is possibly being targeted by the security threat, a remedial action with respect to the storage system.

	2. 	(Previously Presented)  The method of claim 1, further comprising:
	identifying, by the data protection system, an attribute associated with one or more of the data read from the storage system or the data written to the storage system;
	wherein the determining that the storage system is possibly being targeted by the security threat is further based on the attribute.

	3. 	(Previously Presented)  The method of claim 2, wherein the attribute comprises one or more of:

	an attribute of a source of the read traffic and the write traffic;
	an attribute of a storage structure within the storage system and from which the data is being read or to which the data is being written; or
	a storage format attribute associated with a storage format used by the storage system.

	4. 	(Previously Presented)  The method of claim 1, further comprising:
	identifying, by the data protection system, a format type of a data instance included in the data written to the storage system; and
	determining, by the data protection system, that a content of the data instance does not match what would be expected to be received by the storage system for the identified format type;
	wherein the determining that the storage system is possibly being targeted by the security threat is further based on the determination that the content of the data instance does not match what would be expected to be received by the storage system for the identified format type.

	5. 	(Previously Presented)  The method of claim 1, further comprising:
	identifying, by the data protection system, a pattern associated with one or more of the read traffic or the write traffic;


	6. 	(Previously Presented)  The method of claim 1, further comprising:
	determining, by the data protection system, that the data written to the storage system does not include identifiable header information or that the data written to the storage system includes header information that does not match content included in the data written to the storage system;
	wherein the determining that the storage system is possibly being targeted by the security threat is further based on the determining that the data written to the storage system does not include the identifiable header information or that the data written to the storage system includes header information that does not match the content included in the data written to the storage system.

	7. 	(Previously Presented)  The method of claim 6, further comprising:
	determining, by the data protection system, that the data read from the storage system is at least partially compressed and includes the identifiable header information;
	wherein the determining that the storage system is possibly being targeted by the security threat is further based on the determining that the data read from the storage system is compressed and includes the identifiable header information.


	determining, by the data protection system, that the data written to the storage system includes data that is not decryptable with by any of one or more keys maintained by an authorized key management system external to the storage system;
	wherein the determining that the storage system is possibly being targeted by the security threat is further based on the determining that the data written to the storage system includes data that is not decryptable with the key maintained by the key management system.

	9. 	(Previously Presented)  The method of claim 1, further comprising:
	determining, by the data protection system, that the data written to the storage system does not include a correct cryptographic signature associated with an external data encryption service associated with the storage system;
	wherein the determining that the storage system is possibly being targeted by the security threat is further based on the determining that the data written to the storage system does not include the correct cryptographic signature.

	10. 	(Previously Presented)  The method of claim 1, further comprising:
	determining, by the data protection system, that data already stored by the storage system is deleted or overwritten by the data written to the storage system;


	11. 	(Previously Presented)  The method of claim 1, further comprising:
	accessing, by the data protection system, phone home data transmitted by the storage system; and
	detecting, by the data protection system based on the phone home data, an anomaly associated with the storage system;
	wherein the determining that the storage system is possibly being targeted by the security threat is further based on the detected anomaly.

	12. 	(Previously Presented)  The method of claim 11, wherein the detecting of the anomaly comprises determining that an overall compressibility of data stored by the storage system is below a historical norm associated with one or more of the storage system or a different storage system.

	13. 	(Previously Presented)  The method of claim 1, further comprising:
	detecting, by the data protection system, a rate at which data is read from the storage system and written back to the storage system in encrypted form;
	wherein the determining that the storage system is possibly being targeted by the security threat is further based on the detected rate.

	14. 	(Previously Presented)  The method of claim 1, further comprising:
	inputting, by the data protection system, data representative of one or more attributes of the read traffic, the write traffic, or the storage system into a machine learning model;
	wherein the determining that the storage system is possibly being targeted by the security threat is further based on an output of the machine learning model.

	15. 	(canceled)

	16. 	(Currently Amended)  The method of claim [[15]] 1, wherein the performing of the remedial action comprises directing the storage system to generate a recovery dataset for data stored by the storage system.

	17. 	(Currently Amended)  The method of claim [[15]] 1, further comprising:
	directing, by the data protection system, the storage system to generate recovery datasets over time in accordance with a data protection parameter set, the recovery datasets usable to restore data maintained by the storage system to a state corresponding to a selectable point in time;
	wherein the performing of the remedial action comprises directing, in response to the determining that the storage system is possibly being targeted by 

	18. 	(Previously Presented)  The method of claim 1, further comprising:
	determining, by the data protection system, that the read traffic is within a threshold amount of the write traffic during the time period;
	wherein the determining that the storage system is possibly being targeted by the security threat is further based on the determining that the read traffic is within the threshold amount of the write traffic during the time period.

	19. 	(Currently Amended)  A system comprising:
	a memory storing instructions;
	a physical processor communicatively coupled to the memory and configured to execute the instructions to:
		determine that a total amount of read traffic and write traffic processed by a storage system during a time period exceeds a threshold, the read traffic representing data read from the storage system during the time period and the write traffic representing data written to the storage system during the time period;
determine a first compressibility metric associated with the write traffic, the first compressibility metric indicating an amount of storage space saved if the write traffic is compressed;
determine a second compressibility metric associated with the read traffic, the second compressibility metric indicating an amount of storage space saved if the read traffic is compressed;		
determine, based on a comparison of the first compressibility metric with the second compressibility metric, that the write traffic is less compressible than the read traffic; 
		determine, based on the total amount of read traffic and write traffic exceeding the threshold and on the write traffic being less compressible than the read traffic, that the storage system is possibly being targeted by a security threat;
perform, based on the determining that the storage system is possibly being targeted by the security threat, a remedial action with respect to the storage system.

	20. 	(Currently Amended)  A non-transitory computer-readable medium storing instructions that, when executed, direct a processor of a computing device to:
determine that a total amount of read traffic and write traffic processed by a storage system during a time period exceeds a threshold, the read traffic representing data read from the storage system during the time period and the 
determine a first compressibility metric associated with the write traffic, the first compressibility metric indicating an amount of storage space saved if the write traffic is compressed;
determine a second compressibility metric associated with the read traffic, the second compressibility metric indicating an amount of storage space saved if the read traffic is compressed;
determine, based on a comparison of the first compressibility metric with the second compressibility metric, that the write traffic is less compressible than the read traffic; 
determine, based on the total amount of read traffic and write traffic exceeding the threshold and on the write traffic being less compressible than the read traffic, that the storage system is possibly being targeted by a security threat
perform, based on the determining that the storage system is possibly being targeted by the security threat, a remedial action with respect to the storage system. 
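
Added illustration, not part of the Office action or of the application: the determination recited in claim 1, sketched in Python. The use of zlib as the compressor, the `margin` parameter, the action name and the sample payloads are assumptions constructed for this example.

```python
import hashlib
import zlib

def space_saved(payloads):
    """Compressibility metric: fraction of storage space saved if the
    traffic is compressed (zlib is an assumption; the claims name no codec)."""
    raw = sum(len(p) for p in payloads)
    if raw == 0:
        return 0.0
    packed = sum(len(zlib.compress(p, 6)) for p in payloads)
    return max(0.0, 1.0 - packed / raw)  # clamp: incompressible data can grow

def evaluate(reads, writes, volume_threshold, margin=0.1):
    """Apply the two conditions of claim 1 to one time period.
    `margin` (hypothetical) keeps near-equal metrics from tripping the check."""
    total = sum(len(p) for p in reads) + sum(len(p) for p in writes)
    write_metric = space_saved(writes)  # first compressibility metric
    read_metric = space_saved(reads)    # second compressibility metric
    over_threshold = total > volume_threshold
    write_less_compressible = write_metric + margin < read_metric
    suspected = over_threshold and write_less_compressible
    return {
        "total_bytes": total,
        "write_metric": write_metric,
        "read_metric": read_metric,
        "suspected": suspected,
        # Remedial action in the sense of claim 16; the string is a placeholder.
        "action": "generate_recovery_dataset" if suspected else None,
    }

def high_entropy(n):
    """Constructed stand-in for encrypted writes: deterministic hash output."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

# Constructed sample traffic: repetitive records versus high-entropy rewrites.
TEXT = b"invoice 2021-03 customer=acme total=100.00\n" * 200
CIPHER = high_entropy(len(TEXT))
THRESHOLD = 50_000  # bytes per time period, chosen for the sample

busy_but_benign = evaluate([TEXT] * 4, [TEXT] * 4, THRESHOLD)
quiet_encrypted = evaluate([TEXT], [CIPHER], THRESHOLD)
suspicious = evaluate([TEXT] * 4, [CIPHER] * 4, THRESHOLD)

if __name__ == "__main__":
    for name, r in [("busy_but_benign", busy_but_benign),
                    ("quiet_encrypted", quiet_encrypted),
                    ("suspicious", suspicious)]:
        print(name, r)
```

Only the third window satisfies both conditions: high volume alone, or incompressible writes at low volume, does not produce a determination.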


Reasons for Allowance
4.	Claims 1-14 and 16-20 including all of the limitations of the base claim and any intervening claims are allowed.

Closest Prior Art:
U.S. Publication No. 20170242788 discloses on paragraph 0063 “In block 1104 process 1100 determines whether specific regrouping thresholds have been met in order that regrouping metadata should be generated for data associated with the write TOP. For example, regrouping metadata may only be generated for data pages whose compressibility is below a threshold value and/or for data pages whose data heat is below a threshold value. In various embodiments, regrouping metadata for data associated with a write TOP is generated that indicates an associated stream for the data. The associated stream may be indicated by one or more of a data heat, a stream identifier (ID) supplied by a host, a host address, a thread ID, and a logical unit number (LUN) ID. In response to the regrouping threshold not being met in block 1104, control transfers to block 1114. In response to the regrouping threshold being met in block 1104 control transfers to block 1106, where process 1100 generates regrouping metadata for the data associated with the write TOP. The generated regrouping metadata may be stored together with the data written in the physical page of a block stripe 600, stored in a separate physical page holding metadata information either in the same block stripe 600, maintained in GPP memory 134, or flash controller memory 142.”

U.S. Publication No. 20190196731 discloses on paragraph 0173 “In one embodiment, in which decrypted data is compared to raw data, processing logic (e.g., of storage array controller 410) stores the raw data (e.g., and does not store the decrypted data), which may be the originally received data that is decrypted with a null encryption algorithm, if the first compressibility value is greater than or equal to the second 

U.S. Publication No. 20180004659 discloses on paragraph 0091 “In one embodiment, if the memory location is cached, 406 YES branch, the cache controller can process the access request based on the request type (e.g., read or write) and a compressibility flag, 424. In one embodiment, if the memory location is not cached, 406 NO branch, the cache controller allocates a cache entry for the memory location, 408. The cache controller fetches the data from main memory corresponding to the identified memory location, 410, for storage in the cache storage.”

U.S. Publication No. 20200201777 discloses on paragraph 0043 “The cache controller 310 includes a compression engine 312. When a read request is received for retrieving compressed data that is in the cache (resulting in a cache hit), the 

 	The following is an Examiner’s Statement of Reasons for Allowance: 
 	Claims 1-14 and 16-20 are allowable over the prior art references, which, taken individually or in combination, fail to particularly disclose, fairly suggest or render obvious the features as argued by the applicant, which the examiner considers persuasive as set forth above.
 	Although the prior art discloses determining, by a data protection system, that a total amount of read traffic and write traffic processed by a storage system during a time period exceeds a threshold, the read traffic representing data read from the storage system during the time period and the write traffic representing data written to the storage system during the time period, no one or two references anticipates or obviously suggest determining, by the data protection system, a first compressibility 
	Further, determining, by the data protection system based on a comparison of the first compressibility metric with the second compressibility metric, that the write traffic is less compressible than the read traffic and determining, by the data protection system based on the total amount of read traffic and write traffic exceeding the threshold and on the write traffic being less compressible than the read traffic, that the storage system is possibly being targeted by a security threat.
Lastly, performing, by the data protection system based on the determining that the storage system is possibly being targeted by the security threat, a remedial action with respect to the storage system.

 Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”




Conclusion

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2491