Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Election/Restrictions
2.    NO restrictions warranted at initial time of filing for patent.

Priority
3.    Applicant claims domestic priority under 35 USC 119e to provisional application filed on 11/08/2013.
Information Disclosure Statement
4.    The information disclosure statement (IDS) submitted on 09/30/2020, 01/22/2021, 06/22/2201, 08/30/2021, 10/22/2021, 12/22/2021, 01/28/2022, and 02/25/2022 the submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Oath/Declaration
5.    Applicant’s Oath was filed on 09/30/2020.

Drawings
6.    Applicant’s drawings filed on 09/30/2020 has been inspected and is in compliance with MPEP 608.01.
Specification
7.    Applicant’s specification filed on 09/30/2020 has been inspected and is in compliance with MPEP 608.02.
Claim Objections
8.    NO objections warranted at initial time of filing for patent.

Remarks
9.	Examiner request Applicant review relevant prior art under the conclusion of this office action.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

10.	Claims 1-12 and 15-20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by U.S. Publication No. 20190303571 hereinafter Chelarescu.

	As per claim 1, Chelarescu discloses:
para 0015 “Example methods (e.g., algorithms) and systems (e.g., special-purpose machines) that detect and identify malware impacted files stored in a cloud storage system and provide detection notification with metadata to a client device of the cloud storage system are described.”) comprising:
receiving, by a storage system, attribute data representative of one or more attributes of a known attack that operated against data stored by a target system other than the storage system (Fig. 3, para 0038 “The feature extraction module 302 extracts features from a file stored at the data storage 206. In one example, the feature extraction module 302 extracts features from a last modified file or a new file received from the client storage application 108 via the server storage application 202. Examples of features (also referred to as attributes or properties in the present document) include, but are not limited to, attributes of the files such as file encryption status, extension name, date of creation, date of modification, versioning number, author name, type of media, and compression status .” Para 0043 “The learning engine 314 (e.g., a machine learning algorithm) manages a learning model for identifying malware files. The learning engine 314 accesses file information (associated with the client device 102) from the data storage 206. The file information includes attributes, extensions, and features (including user feedback) of old, new, and modified files associated with the client device 102. Using the file information, the learning engine 314 can identify trends or patterns. For example, the learning engine 314 learns, based on file extensions, that the new file is actually not related to a malware as confirmed by the user of the client device 102 because the user has named the Para 0045 “In other example embodiments, the learning engine 314 determines the number of files (in the account of the client device 102 in the data storage 206) being updated, deleted, created, encrypted, and with suspicious extensions, and generates a determination or confidence level that one of the files (or the user account) is impacted by a malware or malware attack .” para 0051 “In response to the request, in operation 404, the server storage application 202 accesses a storage account or user data structure (e.g., files, folder, directory) for the user from the data storage 206. The data storage 206 modifies an existing file in the user data structure (associated or registered with the client device 102). The user data structure includes copies of files corresponding to a folder or directory of the client device 102 indicated by the client storage application 108.” Para 0052 “ In operation 406, the malware analysis engine 210 determines features of the modified file received at operation 402. Examples of features include an encryption status, a file or extension naming pattern, a content analysis matching result, and user feedback related to files similar to the modified file.”); 
updating, by the storage system, an extensible attack monitoring process executed by the storage system with the attribute data; and monitoring, by the storage system using the extensible attack monitoring process updated with the attribute data, storage operation requests with respect to the storage system for para 0044 “Based on the learning model, the learning engine 314 can, in one embodiment, suggest to the impacted file identification module 310 that the new or modified file is likely or is not likely a malware. In a further embodiment, the learning engine 202 updates a list of files that have been confirmed or validated as safe (non-impacted by malware) from the client device 102. All of the trends or patterns identified by the learning engine 314 may be stored in the data storage 206 and provided to the impacted file identification module 310 for further processing.” Fig. 7, para 0069 “In operation 702, the user feedback module 312 receives previous user feedback (or other users feedback) related to the new or modified file stored at the storage system 106. Para 0070 “In operation 704, the learning engine 314 trains a malware detection model for the new or modified file based on the user's feedback.”)
	
	As per claim 2, Chelarescu discloses:
The method of claim 1, further comprising: detecting, by the storage system during the monitoring, the one or more attributes of the storage operation requests that match the one or more attributes of the known attack; and determining, by the storage system based on the detecting of the one or more attributes of the storage operation requests that match the one or more attributes of the known attack, that data stored by the storage system is possibly being targeted by an attack (Fig. 7, para 0071 “In operation 706, the feature extraction module 302 determines features of the new or modified file. Examples of features Para 0072 “In operation 708, the impacted file identification module 310 detects a malware activity (e.g., ransomware) based on the features of the new or modified file as previously determined in operation 706 and based on the malware detection model as previously determined in operation 704. Para 0073 “In operation 710, the notification engine 214 generates a notification that identifies the new or modified file (based on the file identification from operation 708) as potential malware to the client device 102. The communication module 216 sends the notification to the client device 102.” Para 0074 “In operation 712, the malware analysis engine 210 receives a user confirmation of the malware activity of the modified file from the client device 102 via the communication module 216.”)

	As per claim 3, Chelarescu discloses:
The method of claim 2, further comprising performing, by the storage system in response to the determining that the storage system is possibly being targeted by the security threat, a remedial action (para 0060).

As per claim 4, Chelarescu discloses:
The method of claim 3, wherein the performing of the remedial action comprises one or more of generating a recovery dataset for the data stored by 

As per claim 5, Chelarescu discloses:
The method of claim 2, further comprising allowing, by the storage system based on the determining that the data stored by the storage system is possibly being targeted by the attack, the remote system to analyze the storage operation requests with respect to the storage system (Figs. 5-7, para 0089).

As per claim 6, Chelarescu discloses:
The method of claim 5, wherein the allowing comprises transmitting attribute data representative of the one or more of the attributes of the storage operation requests of the storage system to the remote system (para 0031, para 0089).

As per claim 7, Chelarescu discloses:
The method of claim 5, further comprising: receiving, by the storage system, confirmation from the remote system indicating that the remote system has determined, based on the analysis of the storage operation requests of the storage system, that the data stored by the storage system is being targeted by the attack; and performing, by the storage system in response to the receiving of the confirmation, an additional remedial action (Figs. 5-7, para 0089).

As per claim 8, Chelarescu discloses:
The method of claim 1, wherein the receiving of the attribute data comprises receiving the attribute data from a remote system by way of a network (para 0020).

As per claim 9, Chelarescu discloses:
The method of claim 8, wherein the remote system is in communication with a plurality of storage systems and configured to generate the attribute data based on an analysis of storage operation requests with respect to the plurality of storage systems.

As per claim 10, Chelarescu discloses:
The method of claim 1, wherein the receiving of the attribute data comprises receiving the attribute data directly from the target system by way of a network (Fig. 1, para 0028).

As per claim 11, Chelarescu discloses:
The method of claim 1, wherein the updating of the extensible attack monitoring process comprises dynamically updating the extensible attack monitoring process as the extensible attack monitoring process is being executed by the storage system (Fig. 7).

As per claim 12, Chelarescu discloses:


As per claim 15, Chelarescu discloses:
The method of claim 1, wherein the known attack comprises an encryption attack against the data stored by the target storage system (para 0039, 0040, and 0043).

	As per claim 16, Chelarescu discloses:
A method (para 0015 “Example methods (e.g., algorithms) and systems (e.g., special-purpose machines) that detect and identify malware impacted files stored in a cloud storage system and provide detection notification with metadata to a client device of the cloud storage system are described.”) comprising:
receiving, by a storage system, attribute data representative of one or more attributes of a known attack against data stored by a system other than the storage system (Figs. 1 and 3, para 0038 “The feature extraction module 302 extracts features from a file stored at the data storage 206. In one example, the feature extraction module 302 extracts features from a last modified file or a new file received from the client storage application 108 via the server storage application 202. Examples of features (also referred to as attributes or properties in the present document) include, but are not limited to, attributes of  Para 0043 “The learning engine 314 (e.g., a machine learning algorithm) manages a learning model for identifying malware files. The learning engine 314 accesses file information (associated with the client device 102) from the data storage 206. The file information includes attributes, extensions, and features (including user feedback) of old, new, and modified files associated with the client device 102. Using the file information, the learning engine 314 can identify trends or patterns. For example, the learning engine 314 learns, based on file extensions, that the new file is actually not related to a malware as confirmed by the user of the client device 102 because the user has named the file to a name similar to a known malware. In another example, the learning engine 314 learns that a file that is encrypted and has a file extension name with a particular naming pattern (e.g., previously associated with existing malware) is likely a ransomware .” Para 0045 “In other example embodiments, the learning engine 314 determines the number of files (in the account of the client device 102 in the data storage 206) being updated, deleted, created, encrypted, and with suspicious extensions, and generates a determination or confidence level that one of the files (or the user account) is impacted by a malware or malware attack .” para 0051 “In response to the request, in operation 404, the server storage application 202 accesses a storage account or user data structure (e.g., files, folder, directory) for the user from the data storage 206. The data storage 206 modifies an existing file in the user data structure (associated or  Para 0052 “ In operation 406, the malware analysis engine 210 determines features of the modified file received at operation 402. Examples of features include an encryption status, a file or extension naming pattern, a content analysis matching result, and user feedback related to files similar to the modified file.”); 
using, by the storage system, the attribute data to detect one or more attributes of storage operation requests with respect to the storage system that match the one or more attributes of the known attack ; and determining, by the storage system based on the detecting that the one or more attributes of the storage operation requests match the one or more attributes of the known attack, that data stored by the storage system is possibly being targeted by an attack (para 0044 “Based on the learning model, the learning engine 314 can, in one embodiment, suggest to the impacted file identification module 310 that the new or modified file is likely or is not likely a malware. In a further embodiment, the learning engine 202 updates a list of files that have been confirmed or validated as safe (non-impacted by malware) from the client device 102. All of the trends or patterns identified by the learning engine 314 may be stored in the data storage 206 and provided to the impacted file identification module 310 for further processing.” Para 0054 “In operation 410, the notification engine 214 generates a notification that identifies the suspicious files (e.g., the modified file(s)) in the storage account as malware to the client device 102. The notification ”)

	As per claim 17, Chelarescu discloses:
The method of claim 16, wherein the using the attribute data comprises updating, by the storage system, an extensible attack monitoring process executed by the storage system with the attribute data (para 0044, 0069 and 0070).

As per claim 18, the implementation of the method of claim 1 will execute the system of claim 18. The claim is analyzed with respect to claim 1. 

	As per claim 19, the implementation of the method of claim 2.

	As per claim 20, the implementation of the method of claim 3.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
11.	Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Chelarescu in view of U.S. Publication No. 20140283061 hereinafter Quinlan.

As per claim 13, Chelarescu discloses:
The method of claim 1, wherein the monitoring for the one or more attributes of the storage operation requests that match the one or more attributes of the known attack (Figs. 4-7) 

	Chelarescu does not disclose:


	Quinlan discloses:
determining that the one or more attributes of the storage operation requests satisfy a similarity threshold with respect to the one or more attributes of the known attack (para 0006 “In one example, a method includes receiving, by a security device and from a device, network traffic directed to one or more computing devices protected by the security device, responsive to receiving the network traffic, sending, by the security device and to the device, a request for a plurality of data points for the device, wherein the data points include characteristics associated with the device, and receiving, by the security device and from the device, at least a portion of the requested plurality of data points. The method may also include comparing, by the security device, the received portion of the requested plurality of data points to respective sets of data points associated with one or more known attacker devices, determining, based on the comparison, whether a first respective set of data points associated with a first known attacker device satisfies a similarity threshold, and selectively manage, based on the determination, additional network traffic directed to the one or more computing devices protected by the security device and received from the device.” Para 0027 “In some cases a fingerprint to be considered to "match" another fingerprint, as the term is used herein, even when one or more data 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the methods (e.g., algorithms) and systems (e.g., special-purpose machines) that detect and identify malware impacted files stored in a cloud storage system of Chelarescu to include determining that the one or more attributes of the storage operation requests satisfy a similarity threshold with respect to the one or more attributes of the known attack, as taught by Quinlan.
.

12.	Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Chelarescu in view of U.S. Publication No. 10122740 hereinafter Finkelshtein.

As per claim 14, Chelarescu discloses:
The method of claim 1, further comprising: maintaining, by the storage system (Figs. 4-7) 

	Chelarescu does not disclose:
maintaining, historical attribute data representative of one or more attributes of the storage operation requests over time that precedes an attack against the data stored by the storage system that was not detected during the monitoring; and transmitting, by the storage system to a remote system, the historical attribute data for analysis by the remote system

	Finkelshtein discloses:
maintaining, historical attribute data representative of one or more attributes of the storage operation requests over time that precedes an attack against the data stored by the storage system that was not detected during the monitoring; and transmitting, by the storage system to a remote system, the historical attribute data for analysis by the remote system (Col. 12 Lines 10-20 “n Col. 12 Lines 21-34 “Accordingly, models can be generated dynamically based on historical information regarding what signals or signal data are more or less indicative of a malicious anomaly in view of the specific characteristics of network traffic observed in the storage network 12. For example, in some storage networks HTTP traffic may have been observed to include a relatively high number of HTTP headers. Accordingly, increased HTTP traffic with a high number of HTTP headers may not be indicative of an anomaly in these storage networks, although such traffic may be considered anomalous in other storage networks. Therefore, in these storage networks, the associated threshold for the number of HTTP headers signal may be set relatively high in the generated model.”)
and transmitting, by the storage system to a remote system, the historical attribute data for analysis by the remote system (Col. 12 Lines 56-63 “ In step 604 in this example, the one of the analytic server computing devices sends the model and configuration update(s) to the one of the traffic management computing devices. Steps 602 and 604 are optional and not necessarily 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the methods (e.g., algorithms) and systems (e.g., special-purpose machines) that detect and identify malware impacted files stored in a cloud storage system of Chelarescu to include maintaining, historical attribute data representative of one or more attributes of the storage operation requests over time that precedes an attack against the data stored by the storage system that was not detected during the monitoring; and transmitting, by the storage system to a remote system, the historical attribute data for analysis by the remote system, as taught by Finkelshtein.
The motivation would have been to properly assess data in order to determine accurate determination of a known attack.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
A.	U.S. Publication No. 20170155652 discloses on paragraph 0059 “FIG. 4 is an exemplary and non-limiting decision model tree 400 illustrating computation of a risk score according to an embodiment. The decision model tree 400 may be based on, for example, attributes associated with previous access attempts that were granted. In an embodiment, the decision model tree 400 may be based on user attributes identified by a user (e.g., a systems administrator of an enterprise) as indicators of valid access attempts. In an embodiment, the decision model tree 400 may be developed automatically based on detection of one or more velocity events. In a further embodiment, the decision model tree 400 may be dynamically updated based on user activities such as, e.g., user access attempts.”

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2491