DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on October 29, 2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Priority
Acknowledgment is made of applicant’s claim for domestic priority under 35 U.S.C. 119 (e).

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-18 and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Gupta et al, U.S. Patent 10,810,304.

As per claim 1, it is taught of a method for protecting a computing device of a target system against ransomware attacks, wherein the computing device employs a file system having a data structure used by an operating system of the computing device for accessing files based on file paths (col. 5, lines 40-48), the method comprising the steps of:
a. installing an agent in the computing device, wherein the agent is a software or a hardware that performs one or more actions autonomously on behalf of the target system, including specifying one or more saved file paths in a storage device (logical addresses allocated to applications is saved, col. 5, lines 28-32) to one or more trap files (col. 5, lines 17-25 & 47-48), wherein a trap file is a file access to which indicates a probability of ransomware attack (col. 5, lines 40-48);
b. monitoring access to the one or more trap files to detect the probability of ransomware attack (col. 5, line 49 through col. 6, line 1);
c. upon detecting access to a trap file, performing a remedial action against the probability of ransomware attack (col. 4, lines 59-67 and col. 5, lines 63-67).
As per claim 2, it is disclosed wherein the data structure of the file system is a tree structure (branch instructions interpreted as the claimed tree structure)(col. 8, lines 17-29).
As per claim 3, it is taught wherein a file path for a trap file is specified at the highest point of the tree structure (branch instructions interpreted as the claimed tree structure)(col. 8, lines 17-29).
As per claim 4, it is disclosed wherein the one or more file paths to the trap files are specified using a search tree algorithm (all branches are available, col. 8, lines 45-52).
As per claim 5, it is taught wherein the search tree algorithm comprises binary search tree algorithm (address ranges in traversed branches, col. 4, lines 31-35 and col. 8, lines 45-62).
As per claim 6, it is disclosed wherein the search tree algorithm comprises a tree traversal algorithm (address ranges in traversed branches, col. 4, lines 31-35 and col. 8, lines 45-62).
As per claim 7, it is taught wherein the tree traversal algorithm is one of depth-first traversal, breadth-first traversal, Monte Carlo tree search, or random sampling algorithms (address ranges in traversed branches, col. 4, lines 31-35 and col. 8, lines 45-62).
As per claim 8, it is disclosed wherein the depth-first traversal algorithm is one of Pre-Order, In-Order, Reverse In-Order, or Post-order algorithm (address ranges in traversed branches, col. 4, lines 31-35 and col. 8, lines 45-62).
As per claim 9, it is taught wherein trap file attributes including name are set such that the trap files are encountered first during tree traversal operations (col. 4, lines 31-35 and col. 8, lines 45-62).
As per claim 10, it is disclosed wherein the remedial action includes notifying a user of the target system (col. 7, lines 5-16).
As per claim 11, it is taught wherein the remedial action includes automatically uploading a trap file for analysis or decryption (col. 1, lines 37-30; col. 4, lines 59-67; and col. 5, lines 63-67).
As per claim 12, it is disclosed wherein the remedial action includes identifying a process that accesses the one or more trap files (col. 4, lines 59-67 and col. 5, lines 63-67).
As per claim 13, it is taught wherein the identified process is either isolated, killed or suspended (col. 4, lines 59-67 and col. 5, lines 63-67).
As per claim 14, it is disclosed wherein the remedial action includes performing memory analytics to extract a cryptovariable (col. 1, lines 27-30 and col. 5, line 63 through col. 6, line 4).
As per claim 15, it is taught wherein the probability of ransomware attack is determined, based on one or more of access rate, permission level, file content or attribute changes, cryptographic activity, or source process to the one or more file traps (col. 1, lines 27-30 and col. 5, line 63 through col. 6, line 4).
As per claim 16, it is disclosed wherein the system is monitored for cryptovariable activity (col. 1, lines 27-30 and col. 5, line 63 through col. 6, line 4).
As per claim 17, it is taught wherein potential cryptovariables are captured and stored (col. 1, lines 27-30 and col. 5, line 63 through col. 6, line 4).
As per claim 18, it is disclosed wherein a process is monitored such as to allow in-progress file encryption to be completed, without allowing new files to be opened (observes operations in a honeypot to monitor operations to observe how they operate)(col. 5, line 63 through col. 6, line 4 and col. 6, line 63 through col. 7, line 16).
As per claim 20, it is taught wherein only those clients who are directly accessing trap files on shared resource are alerted (col. 7, lines 5-16).

Allowable Subject Matter
Claim 19 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Nossik et al, U.S. Patent 10,609,066 is relied upon for disclosing of a trap object being used to detect ransomware, see abstract.
Freidrichs et al, US 2013/0276114 is relied upon for disclosing of correctly measuring files as being malicious (paragraph 0047) and looking at trap files (paragraph 0062).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431