Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 5/9/2022 has been entered.
 
Response to Arguments
3.	Applicant’s arguments filed 05/09/2022, with respect to the 103 rejection of claims 1, 3-7, 9-14, and 16-23 as being unpatentable over U.S. Patent Application Publication No. 2019/0319987 (“Levy”) in view of U.S. Patent Application Publication No. 2019/0303572 (“Chelarescu”) have been fully considered. However, upon further consideration, a new ground(s) of rejection is made in view of amended claims.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

4. Claims 1, 3-7, 9-14 and 16-23 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 20190319987 hereinafter Levy in view of U.S. Publication No. 20140196115 hereinafter Pelykh.

As per claim 1, Levy discloses: 
A method (para 0175 “FIG. 15 shows a method for using dynamic entity models to improve network security.”) comprising: 
performing, by a data protection system for a storage system, a first security threat detection process (para 0064 “The event collection facility 164 may be used to collect events from any of a wide variety of sensors that may provide relevant events from an asset, such as sensors on any of the compute instances 10-26, the application protection facility 150, a cloud computing instance 109 and so on. The events that may be collected may be determined by the entity models. There may be a variety of events collected. Events may include, for example, events generated by the enterprise facility 102 or the compute instances 10-26, such as by monitoring streaming data through a gateway such as firewall 10 and wireless access point 11, monitoring activity of compute instances, monitoring stored files/data on the compute instances 10-26 such as desktop computers, laptop computers, other mobile computing devices, and cloud computing instances 19, 109 .” para 0176 “As shown in step 1502, the method 1500 may include instrumenting a compute instance in the enterprise network with a number of sensors to detect events from a number of computing objects associated with the compute instance. This may more generally include instrumenting any number of compute instances, such as any of the compute instances described herein, with any number of sensors.”);
determining, by the data protection system based on the performing of the first security threat detection process, that the storage system is possibly being targeted by a security threat (para 0177 “As shown in step 1504, the method 1500 may include providing entity models such as a first entity model for local use at a compute instance and a second model for use at a threat management facility. For example, the first entity model may be a model characterizing a pattern of events expected from the number of sensors in a vector space, also referred to herein as the event vector space or the event feature space, that characterizes events that are modeled within the system. The method 1500 may include storing a second entity model for the entity at a threat management facility for the enterprise network. The second entity model may characterize a second pattern of events expected from the number of sensors in the vector space.” Para 0179 “As shown in step 1506, the method 1500 may include collecting a plurality of the events into an event vector in the vector space. As noted above, this may include tokenizing, normalizing, encrypting, compressing, prioritizing, or otherwise processing individual events and/or the event vector formed from these individual events.” Para 0180 “As shown in step 1508, the method 1500 may include calculating a first risk score with the local security agent based on a first distance between the event vector and the first entity model in the vector space.”):
and performing, by the data protection system, a second security threat detection process, the second security threat detection process providing higher confidence threat detection than the first security threat detection process (para 0183 “As shown in step 1514, the method 1500 may include calculating a second risk score with the threat management facility based on a second distance between the event vector and the second entity model.”) 
confirming, by the data protection system based on the performing of the second security threat detection process, that the storage system is possibly being targeted by the security threat; and performing, by the data protection system based on the confirming that the storage system is possibly being targeted by the security threat, a remedial action with respect to the storage system (para 0120 “As shown in step 916, the method 900 may include receiving a user disposition of an intermediate threat, for example using any of the techniques described herein. For example, this may include receiving a user-initiated remedial action for one of the intermediate threats in the user interface. This may also or instead include receiving a user risk assessment for one of the intermediate threats in the user interface, such as by explicitly categorizing the intermediate threat as safe, unsafe, unknown, or appropriate for increased monitoring. In another aspect, the method 900 may include remediating a risk to a high business value computing object in response to a user input in the user interface.”)

Levy does not disclose:
remedial action comprising modifying a data protection parameter set snapshot of data stored by the storage system 

Pelykh discloses:
remedial action comprising modifying a data protection parameter set snapshot of data stored by the storage system (para 0136 “Upon notification, security service 206 can take various counter-measures, which can be configured per cluster. Thus, security service 206 can notify an administrative contact and report the event. In doing so, it reports about the user accounts with changed policies that it has detected. Further, security service 206 can temporarily block such users issue a forceful logout. Optionally, it can suspend access to the cluster until the administrative contact resolves the event manually. As an alternative option, it can stop cluster operation in order to prevent further fraudulent actions. If security service 206 is configured only to send notifications to administrative contact, then it can start returning "temporarily unavailable" error status code as a response 264 to the users while updating defected security policy 258 with a baseline snapshot copy 254.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of claimed invention to modify the method for using dynamic entity models to improve network security of Levy to include remedial action comprising modifying a data protection parameter set snapshot of data stored by the storage system, as taught by Pelykh.
The motivation would have been to protect the computing system from a threat by restoring the computing/storage system to an earlier time.

As per claim 3, Levy in view of Pelykh discloses:
The method of claim 1, further comprising: performing, by the data protection system based on the determining that the storage system is possibly being targeted by the security threat, a first remedial action with respect to the storage system (Levy para 0181).

As per claim 4, Levy in view of Pelykh discloses:
The method of claim 3, wherein the first remedial action is different than the remedial action (Levy para 0181 and 0185).

As per claim 5, Levy in view of Pelykh discloses:
The method of claim 3, wherein the first remedial action comprises one or more of providing a notification, generating a first recovery dataset, preventing a second recovery dataset from being deleted or modified, modifying a data protection parameter set for a third recovery dataset, or restoring data stored by the storage system to an uncorrupted state (Levy para 0181 and 0185).

As per claim 6, Levy in view of Pelykh discloses:
The method of claim 1, further comprising determining, by the data protection system subsequent to confirming, that the storage system is no longer being targeted by the security threat (Levy para 0185 and 0187).

As per claim 7, Levy in view of Pelykh discloses:
The method of claim 6, further comprising reverting back, by the data protection system based on the determining that the storage system is no longer being targeted by the security threat, to performing the first security threat detection process (Levy para 0184 and 0188 “In one aspect, recalculation of the baseline may be dynamically triggered, e.g., by an increase in detected deviations above a predetermined threshold (which may be statically or dynamically evaluated), or the additional or removal of compute instances from the enterprise network.” Para 0215 “According to the foregoing, in one aspect, selecting the authentication model includes selecting a model that uses an additional authentication factor to permit access when at least one of the first risk score and the second risk score is below a threshold and withholds the additional authentication factor to prevent access when at least one of the first risk score and the second risk score is above a threshold.” Also see, para 0219). 

As per claim 9, Levy in view of Pelykh discloses:
The method of claim 1, wherein the performing of the second security threat detection process is performed in response to the determining that the storage system is possibly being targeted by the security threat (Levy para 0181 and 0185).

As per claim 10, Levy in view of Pelykh discloses:
The method of claim 1, wherein the performing of the second security threat detection process is performed in parallel with the performing of the first security threat detection process (Levy para 0184).

As per claim 11, Levy in view of Pelykh discloses:
The method of claim 1, wherein the data protection system is implemented by a controller within the storage system (Levy para 0033, 0038 and 0064).

As per claim 12, Levy in view of Pelykh discloses: 
The method of claim 1, wherein the data protection system is implemented by a computing system communicatively coupled to the storage system by way of a network (Levy Figs. 1-6). 

As per claim 13, Levy in view of Pelykh discloses: 
The method of claim 1, wherein the determining that the storage system is possibly being targeted by the security threat comprises determining that a ransomware attack is possibly operating against the storage system (Levy para 0155). 

As per claim 14, the implementation of the method of claim 1 will execute the system of claim 1. The claim is analyzed with respect to claim 1. 

As per claim 16, the claim is analyzed with respect to claim 3. 

As per claim 17, the claim is analyzed with respect to claim 4. 

As per claim 18, the claim is analyzed with respect to claim 5. 

As per claim 19, the claim is analyzed with respect to claim 6.

As per claim 20, the implementation of the method of claim 1 will execute the non-transitory computer-readable medium (Levy 0232) of claim 1. The claim is analyzed with respect to claim 1. 

As per claim 21, Levy in view of Pelykh discloses:
The system of claim 19, wherein the processor is further configured to execute the instructions to revert back, by the data protection system based on the determining that the storage system is no longer being targeted by the security threat, to performing the first security threat detection process (Pelykh para 0134-0136, the motivation would have been to properly determine that a threat is occurring.).

As per claim 22, Levy in view of Pelykh discloses:
The non-transitory computer-readable medium of claim 20, wherein the instructions are further configured to direct the processor to perform, based on the determining that the storage system is possibly being targeted by the security threat, a first remedial action with respect to the storage system (Pelykh para 0136, the motivation would have been to properly determine that a threat is occurring.).

As per claim 23, Levy in view of Pelykh discloses:
The non-transitory computer-readable medium of claim 20, wherein the first remedial action is different than the remedial action (Pelykh para 0136, the motivation would have been to properly determine that a threat is occurring.).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2499