DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-11 and 13-25 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Boutnaru, U.S. Patent 10,671,724.

As per claim 1, Boutnaru teaches an apparatus comprising:
a processor (col. 4, lines 24-33); and
a memory device coupled to the processor, the memory device having instructions stored thereon that, in response to execution by the processor (col. 4, lines 24-33), cause the processor to:
receive operating system (OS) read/write data from an OS, the OS read/write data describing (col. 6, lines 38-48) at least one of reads from and writes to a storage device over a file system interface of the OS (col. 4, lines 43-50 & 53-55; and col. 5, lines 14-21);
collect storage device read/write data, the storage device read/write data describing at least one of reads from and writes to the storage device (col. 4, lines 62-66 and col. 5, lines 16-21);
compare the OS read/write data to the storage device read/write data (col. 6, lines 19-30);
determine if there is a discrepancy between the OS read/write data and the storage device read/write data (col. 6, lines 31-36 & 48-54);
if there is a discrepancy, determine if there is an anomaly detected between OS read/write data and the storage device read/write data (col. 5, lines 51-55 and col. 6, lines 31-36 & 48-54); and
if there is an anomaly, cause a remediation action to be taken to stop a malware attack (col. 6, lines 54-55 and col. 8, lines 15-31).
As per claim 2, it is disclosed wherein the malware attack is a ransomware attack (col. 5, lines 54-55).
As per claim 3, it is taught wherein the ransomware attack includes writing encrypted data to the storage device over a rogue file system interface (col. 4, lines 43-53).
As per claim 4, it is disclosed wherein the OS read/write data and the storage device read/write data comprise at least one self-monitoring, analysis and reporting (SMART) technology (Boutnaru’s system is an automated self-reporting system) attribute of read/write activity of the storage device (col. 8, lines 15-31).
As per claim 5, it is taught wherein the OS read/write data is untrusted (malware) and the storage device read/write data is trusted (col. 4, lines 43-53).
As per claim 6, it is disclosed wherein the remediation action comprises preventing further write operations by the malware (col. 6, lines 54-55 and col. 8, lines 15-31).
As per claim 7, it is taught wherein the remediation action comprises stopping operation of the malware (col. 6, lines 54-55 and col. 8, lines 15-31).
As per claim 8, it is disclosed wherein the storage device is a solid-state drive (SSD) (col. 9, lines 60-66).
As per claim 9, it is taught wherein the anomaly indicates a pattern of write operations to the storage device indicating unauthorized cryptographic processing of data (col. 4, lines 43-53).
As per claim 10, it is disclosed wherein the anomaly indicates an abnormal ratio of reads to writes in a selected time period (col. 6, lines 39-54 and col. 5, lines 42-46).
As per claim 11, Boutnaru further teaches instructions to compare the collected storage device read/write data to storage device read/write data of a known benign program and detect an anomaly when the storage device read/write data is more than a predetermined threshold apart from the read/write data of the known benign program (col. 6, lines 34-54 and col. 7, lines 38-47).
As per claim 13, Boutnaru discloses a method comprising:
receiving operating system (OS) read/write data from an OS, the OS read/write data describing (col. 6, lines 38-48) at least one of reads from and writes to a storage device over a file system interface of the OS (col. 4, lines 43-50 & 53-55; and col. 5, lines 14-21);
collecting storage device read/write data, the storage device read/write data describing at least one of reads from and writes to the storage device (col. 4, lines 62-66 and col. 5, lines 16-21);
comparing the OS read/write data to the storage device read/write data (col. 6, lines 19-30);
determining if there is a discrepancy between the OS read/write data and the storage device read/write data (col. 6, lines 31-36 & 48-54);
[Page 5 header: Preliminary Amendment; Serial Number: 17/132,934; Atty. Dkt. AC4814-US; Filing Date: December 23, 2020; Title: RANSOMWARE DETECTION AND REMEDIATION]
if there is a discrepancy, determining if there is an anomaly detected between OS read/write data and the storage device read/write data (col. 5, lines 51-55 and col. 6, lines 31-36 & 48-54); and
if there is an anomaly, causing a remediation action to be taken to stop a malware attack (col. 6, lines 54-55 and col. 8, lines 15-31).
As per claim 14, it is taught wherein the malware attack is a ransomware attack (col. 5, lines 54-55).
As per claim 15, it is disclosed wherein the ransomware attack includes writing encrypted data to the storage device over a rogue file system interface (col. 4, lines 43-53).
As per claim 16, it is taught wherein the OS read/write data and the storage device read/write data comprise at least one self-monitoring, analysis and reporting (SMART) technology (Boutnaru’s system is an automated self-reporting system) attribute of read/write activity of the storage device (col. 8, lines 15-31).
As per claim 17, it is disclosed wherein the remediation action comprises preventing further write operations by the malware (col. 6, lines 54-55 and col. 8, lines 15-31).
As per claim 18, it is taught wherein the remediation action comprises stopping operation of the malware (col. 6, lines 54-55 and col. 8, lines 15-31).
As per claim 19, it is disclosed wherein the anomaly indicates a pattern of write operations to the storage device indicating unauthorized cryptographic processing of data (col. 4, lines 43-53).
As per claim 20, it is taught wherein the anomaly indicates an abnormal ratio of reads to writes in a selected time period (col. 6, lines 39-54 and col. 5, lines 42-46).
As per claim 21, Boutnaru discloses at least one non-transitory machine-readable storage medium comprising instructions that, when executed, cause at least one processing device to at least:
receive operating system (OS) read/write data from an OS, the OS read/write data describing (col. 6, lines 38-48) at least one of reads from and writes to a storage device over a file system interface of the OS (col. 4, lines 43-50 & 53-55; and col. 5, lines 14-21);
collect storage device read/write data, the storage device read/write data describing at least one of reads from and writes to the storage device (col. 4, lines 62-66 and col. 5, lines 16-21);
compare the OS read/write data to the storage device read/write data (col. 6, lines 19-30);
determine if there is a discrepancy between the OS read/write data and the storage device read/write data (col. 6, lines 31-36 & 48-54);
if there is a discrepancy, determine if there is an anomaly detected between OS read/write data and the storage device read/write data (col. 5, lines 51-55 and col. 6, lines 31-36 & 48-54); and
if there is an anomaly, cause a remediation action to be taken to stop a malware attack (col. 6, lines 54-55 and col. 8, lines 15-31).
As per claim 22, it is taught wherein the OS read/write data and the storage device read/write data comprise at least one self-monitoring, analysis and reporting (SMART) technology (Boutnaru’s system is an automated self-reporting system) attribute of read/write activity of the storage device (col. 8, lines 15-31).
As per claim 23, it is disclosed wherein the anomaly indicates a pattern of write operations to the storage device indicating unauthorized cryptographic processing of data (col. 4, lines 43-53).
As per claim 24, it is taught wherein the anomaly indicates an abnormal ratio of reads to writes in a selected time period (col. 6, lines 39-54 and col. 5, lines 42-46).
As per claim 25, Boutnaru further discloses instructions to compare the collected storage device read/write data to storage device read/write data of a known benign program and detect an anomaly when the storage device read/write data is more than a predetermined threshold apart from the read/write data of the known benign program (col. 6, lines 34-54 and col. 7, lines 38-47).
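As an added illustration (not code from the application, from Boutnaru, or from the examiner) of the comparison pipeline the rejected claims recite: OS-reported and device-reported read/write counters for one window are checked for a discrepancy (claims 1, 13, 21), the device-side counters are treated as the trusted side (claim 5), and an anomaly is flagged either by an abnormal read-to-write ratio (claim 10) or by distance from a known benign program's profile (claim 11), after which a remediation decision is returned (claim 6). The tolerance, ratio bound, threshold and all sample counters are assumed and constructed for the example.

```python
"""Constructed example of the claimed OS-vs-device read/write comparison."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RwSample:
    reads: int   # bytes read in the observation window
    writes: int  # bytes written in the observation window


DISCREPANCY_TOLERANCE = 0.05   # assumed: 5% slack for caching and metadata traffic
RATIO_LOW = 0.5                # assumed: reads/writes below this is abnormally write-heavy
BASELINE_THRESHOLD = 3.0       # assumed: max multiple of the benign program's write volume

# Constructed profile of a known benign program (claim 11): read-heavy, ratio 4:1.
BENIGN = RwSample(reads=800_000, writes=200_000)


def has_discrepancy(os_rw: RwSample, dev_rw: RwSample,
                    tol: float = DISCREPANCY_TOLERANCE) -> bool:
    """Claim 1: did the storage device see traffic the OS file-system interface did not report?"""
    for os_v, dev_v in ((os_rw.reads, dev_rw.reads), (os_rw.writes, dev_rw.writes)):
        if abs(dev_v - os_v) > tol * max(os_v, 1):
            return True
    return False


def is_anomalous(dev_rw: RwSample, benign_rw: RwSample = BENIGN,
                 ratio_low: float = RATIO_LOW,
                 threshold: float = BASELINE_THRESHOLD) -> bool:
    """Claims 10 and 11, evaluated on the trusted device-side counters (claim 5)."""
    ratio = dev_rw.reads / max(dev_rw.writes, 1)
    if ratio < ratio_low:                                   # abnormal reads-to-writes ratio
        return True
    return dev_rw.writes > threshold * max(benign_rw.writes, 1)  # too far from benign profile


def decide(os_rw: RwSample, dev_rw: RwSample, benign_rw: RwSample = BENIGN) -> str:
    """Returns the remediation decision; 'block-writes' models claim 6."""
    if not has_discrepancy(os_rw, dev_rw):
        return "ok"
    if not is_anomalous(dev_rw, benign_rw):
        return "discrepancy-only"
    return "block-writes"


if __name__ == "__main__":
    # Constructed windows: normal activity, a benign mismatch, and encrypted writes
    # reaching the device over an interface the OS never reported (claim 3).
    print(decide(RwSample(800_000, 200_000), RwSample(810_000, 205_000)))   # ok
    print(decide(RwSample(800_000, 200_000), RwSample(800_000, 250_000)))   # discrepancy-only
    print(decide(RwSample(900_000, 60_000), RwSample(900_000, 900_000)))    # block-writes
```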

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Kang et al, U.S. Patent 11,126,712 is relied upon for disclosing predicting hacking operations by looking at read and write data used by an operating system, see column 5, lines 4-27.
Gantman et al, U.S. Patent 9,122,402 is relied upon for disclosing detecting suspicious read/write operations, see column 1, lines 23-38.
Todd et al, U.S. Patent 10,009,360 is relied upon for detecting encryption patterns from read/write traffic indicative of ransomware, see column 7, lines 19-41.
Sallam, US 2012/0255013 is relied upon for protecting memory against malware attempts involving read, write, or hook operations, see paragraph 0270.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431