DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments, see page 8, filed 03/11/2022, with respect to 35 USC 101 rejection have been fully considered and are persuasive. The 35 USC 101 rejection has been withdrawn in light of claim amendment.

Applicant’s arguments, see page 8, filed 03/11/2022, with respect to 35 USC 112 rejection have been fully considered and are persuasive. The 35 USC 112 rejection has been withdrawn in light of claim amendment.

Applicant’s arguments, see pages 9-11, with respect to the 35 USC 103 rejection: applicant argues that the combination of Kostyushko-Dreyfus-Bailey fails to teach “identifying a process that initiated the request; identifying an application that initiated the process; identifying an executable file for the application; determining, from metadata of the executable file, a date and time at which the executable file was saved to the computing device; and determining, from the date and time at which the executable file was saved to the computing device, a period of time for which the executable file for the application that initiated the request has been stored on the computing device”.

Kostyushko teaches “identifying an application that initiated the process”. Kostyushko discloses “the system monitoring agent may be configured to monitor and save any requests for random or pseudorandom numbers from the system. Such requests may be made by innocent user processes or suspicious user processes alike. Detect a user process invoking system calls or application programming and operating systems [0037]”. This shows identifying an application, whether the request was made by an innocent or a suspicious process.

Kostyushko teaches “identifying an executable file for the application”. Kostyushko discloses “the system monitoring agent 104 may detect when a user process attempts to access the special device file /dev/random (or /dev/urandom, or /dev/arandom) exposed by the Linux operating system to allow access to environmental noise collected from device drivers and other system sources [0037]. The system monitoring agent 104 may be configured to intercept requests by a user process to retrieve from performance counters exposed by the operating system 105 indicating how the operating system, application, service, or driver(s) are performing [0038]”. This shows identifying an executable file for the application.

Kostyushko teaches “determining, from metadata of the executable file, a date and time at which the executable was saved to the computing device”. Kostyushko discloses “the system monitoring agent 104 may detect and save when a user process 102 requests (113) for hardware identifiers of devices in the computer hardware 106. The system monitoring agent 104 may detect when a user process 102 requests file metadata of one or more files stored in the system, such metadata file creation times (e.g., timestamp), file names, and data from the file header [0038]”. The timestamp contains the date and time the file was created.

Kostyushko and Bailey teach “determining, from the date and time at which the executable file was saved to the computing device, a period of time for which the executable file for the application that initiated the request has been stored on the computing device”. Kostyushko teaches “from the date and time at which the executable file was saved to the computing device”. Kostyushko discloses “the system monitoring agent 104 may detect and save when a user process 102 requests (113) for hardware identifiers of devices in the computer hardware 106. The system monitoring agent 104 may detect when a user process 102 requests file metadata of one or more files stored in the system, such metadata file creation times (e.g., timestamp), file names, and data from the file header [0038]”. The timestamp contains the date and time the file was created.
Since Kostyushko teaches “from the date and time at which the executable file was saved to the computing device”, Bailey further teaches “determining a period of time for which the executable file for the application that initiated the request has been stored on the computing device”. Bailey discloses “the threshold may include 10 files modified within the time period of one second [0030]. The attempted operation may be one of a creation, a deletion, a modification, and an encryption of the content. The detection engine 118 may further detect metadata associated with the attempted operation, such as the amount of the content being altered, the time period between alterations, a process initiating the alterations, content extensions before and after the alterations [0031]. The one or more processing server 314 may detect an operation attempted to be performed on the content by the user 320 and compare the attempted operation to the model, including metadata associated with the attempted operation, to determine whether the attempted operation deviates in a statistically significant amount from the usage pattern. The attempted operation may deviate from the usage pattern if the type of altered content, the amount of altered content, and/or the amount of altered content within the time period (with which the attempted operation was executed) exceeds the threshold defined by the model [0057]. The attempted operation has been detected 404 may include, a message, such as, “we have detected a request to modify one or more items, files, and/or folders associated with the content” and “we have detected a request to modify one or more items, files, and/or folders associated with the content on client device” [0067]”. Bailey does teach a threshold relating to a period of time for which an executable file for an application that initiated the process has been stored on the computing device: it detects a request to modify the file on the client, and it detects the attempted operation within the time period.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-6, 8-11, 14-16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kostyushko et al. (US 20190018961, hereinafter as Kostyushko) in view of Dreyfus (US 9990511), and in further view of Bailey et al. (US 20180054480, hereinafter as Bailey).

Re. claim 1, Kostyushko discloses a computing device, comprising: a data processing apparatus (Kostyushko discloses the system 100 includes computer hardware 106 that includes a storage device 110 storing a plurality of files 101 [0025]); and a computer storage medium encoded with a computer program, the program comprising data processing apparatus instructions that when executed by the data processing apparatus cause the data processing apparatus to perform operations comprising (Stored as one or more instructions or code on a non-transitory computer-readable medium. Computer-readable medium includes data storage [0064]. The system 100 supports execution of one or more user processes 102 executing in an operating system (OS) environment provided by an operating system 105 [0025]): 
detecting a request for a cryptographic resource of the computing device to generate data for use in generating an encryption key at the computing device (A system monitoring agent 104 configured to collect and track information in the system that might be used by suspicious processes to create encryption keys [0036]. Detect a user process 102 invoking system calls or application programming interface (API) calls to library functions that provide random or pseudorandom data from the operating system 105 [0037]);
obtaining a copy of encryption data for the encryption key, wherein the encryption data comprises at least one of (i) the data for use in generating the encryption key generated by the cryptographic resource or (ii) the encryption key (generated copies of the first blocks of the plurality of files and on the recorded random data [0055]. Generate a candidate key based on the recorded random data [0056]);
identifying a process that initiated the request (The system monitoring agent 104 may be configured to monitor and save any requests (113) for random or pseudorandom numbers from the system. Such requests 113 may be made by innocent user processes or suspicious user processes alike [0037]);
Identifying an application that initiated the process (Kostyushko discloses the system monitoring agent may be configured to monitor and save any requests for random or pseudorandom numbers from the system. Such requests may be made by innocent user processes or suspicious user processes alike. Detect a user process invoking system calls or application programming and operating systems [0037]. The system monitoring agent 104 may be configured to intercept requests by a user process to retrieve from performance counters exposed by the operating system 105 indicating how the operating system, application, service, or driver(s) are performing [0038]);
Identifying an executable file for the application (Kostyushko discloses the system monitoring agent 104 may detect when a user process attempts to access the special device file /dev/random (or /dev/urandom, or /dev/arandom) exposed by the Linux operating system to allow access to environmental noise collected from device drivers and other system sources [0037]);
Determining, from metadata of the executable file, a date and time at which the executable was saved to the computing device (Kostyushko discloses the system monitoring agent 104 may detect and save when a user process 102 requests (113) for hardware identifiers of devices in the computer hardware 106. The system monitoring agent 104 may detect when a user process 102 requests file metadata of one or more files stored in the system, such metadata file creation times (e.g., timestamp), file names, and data from the file header [0038], timestamp contains the date and time the file was created and saved);
determining, based at least on one or more characteristics of the process that initiated the request, whether or not to classify the process that initiated the request as a trusted process (monitor user processes 102 and OS thread processes 112 executing in the operating system 105 and check them against a database of known malicious software [0054]). 
Although Kostyushko discloses determining whether the process is malicious and obtains a copy of the encryption key, Kostyushko does not explicitly teach, but Dreyfus teaches, whenever the process that initiated the request is not classified as a trusted process, storing the copy of the encryption data (Dreyfus teaches trusted server 140 generally includes a trusted key generator 142, which generates the trusted encryption and decryption keys which are used, as described above, by endpoint monitor 122 to create encrypted backup copies of files stored on endpoint system 120 and restore files from encrypted backup copies in response to file encryption or corruption by malware [Col 6 lines 47-59]); and
whenever the process that initiated the request is classified as a trusted process, deleting the copy of the encryption data (the endpoint monitor 122 can delete encrypted backup copies upon determining that the application that triggered endpoint monitor 122 to generate an encrypted backup is a legitimate application [Col 5 lines 45-60]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko to include whenever the process that initiated the request is not classified as a trusted process, storing the copy of the encryption data; and whenever the process that initiated the request is classified as a trusted process, deleting the copy of the encryption data, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of preventing cryptolocker attacks from successfully compromising files on an endpoint system; such a policy may result in legitimate encryption operations failing or unencrypted copies of encrypted files remaining on an endpoint system after a legitimate encryption program accesses the files. A malware attack would not be able to modify the contents (Dreyfus [Col 1 lines 37-45] [Col 9 lines 12-35]).
Although Kostyushko-Dreyfus disclose the one or more characteristics of the process and executable file for an application that initiated the process has been stored on the computing device; from the date and time at which the executable file was saved to the computing device (Kostyushko [0038]), Kostyushko-Dreyfus do not explicitly teach but Bailey teaches determining a period of time for which the executable file for the application that initiated the request has been stored on the computing device (Bailey teaches the threshold may include 10 files modified within the time period of one second [0030]. The attempted operation may be one of a creation, a deletion, a modification, and an encryption of the content. The detection engine 118 may further detect metadata associated with the attempted operation, such as the amount of the content being altered, the time period between alterations, a process initiating the alterations, content extensions before and after the alterations [0031]. The one or more processing server 314 may detect an operation attempted to be performed on the content by the user 320 and compare the attempted operation to the model, including metadata associated with the attempted operation, to determine whether the attempted operation deviates in a statistically significant amount from the usage pattern. The attempted operation may deviate from the usage pattern if the type of altered content, the amount of altered content, and/or the amount of altered content within the time period (with which the attempted operation was executed) exceeds the threshold defined by the model [0057].
The attempted operation has been detected 404 may include, a message, such as, “we have detected a request to modify one or more items, files, and/or folders associated with the content” and “we have detected a request to modify one or more items, files, and/or folders associated with the content on client device” [0067]); wherein the one or more characteristics of the process comprises at least a period of time for which an executable file for an application that initiated the process has been stored on the computing device (Bailey teaches the threshold may include 10 files modified within the time period of one second [0030]. A synchronization process may be executed through the analysis application 106. The attempted operation may be one of a creation, a deletion, a modification, and an encryption of the content. Detect metadata associated with the attempted operation such as the time period between alterations [0031]. Content altered during the attempted operation exceeds the threshold defined by the model. The operation may be labeled as “unwanted” by the ransomware [0033]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko-Dreyfus to include determining a period of time for which the executable file for the application that initiated the request has been stored on the computing device; wherein the one or more characteristics of the process comprises at least a period of time for which an executable file for an application that initiated the process has been stored on the computing device, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of protecting the user from accidental alterations of the content (Bailey [0025]).

Re. claim 4, Kostyushko-Dreyfus-Bailey teach the computing device of claim 1. Kostyushko discloses a copy of the encryption data for the encryption key; Kostyushko does not explicitly teach but Dreyfus teaches wherein storing the copy of the encryption data comprises storing the copy of the encryption data in a data storage location inaccessible to an application that initiated the process (Dreyfus teaches, at step 360, the endpoint system stores the trusted encrypted file in a secure location. The secure location may generally be a location in which a malware attack would not be able to modify the contents of the trusted encrypted file. For example, the secure location may be a protected directory in local storage attached to the endpoint system, a hidden partition in local storage attached to the endpoint system, or a remote storage repository [Col 9 lines 12-35]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko to include wherein storing the copy of the encryption data comprises storing the copy of the encryption data in a data storage location inaccessible to an application that initiated the process, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of preventing cryptolocker attacks from successfully compromising files on an endpoint system; such a policy may result in legitimate encryption operations failing or unencrypted copies of encrypted files remaining on an endpoint system after a legitimate encryption program accesses the files. A malware attack would not be able to modify the contents (Dreyfus [Col 1 lines 37-45] [Col 9 lines 12-35]).

Re. claim 5, Kostyushko-Dreyfus-Bailey teach the computing device of claim 4, Kostyushko does not explicitly teach but Dreyfus teaches wherein the data storage location comprises at least one of a key escrow service that is remote from the computing device or hardware-backed secure storage of the computing device (Dreyfus teaches stores the encrypted backup copies in backup store 540 in storage 510 [Col 11 lines 8-15]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko to include wherein storing the copy of the encryption data comprises storing the copy of the encryption data in a data storage location inaccessible to an application that initiated the process, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of protecting against encryption or modification by malicious applications (Dreyfus [Col 11 lines 8-15]).
 
Re. claim 6, Kostyushko-Dreyfus-Bailey teach the computing device of claim 1. Kostyushko-Dreyfus disclose storing the copy of the encryption data for the encryption key; Kostyushko-Dreyfus do not explicitly teach but Bailey teaches wherein the operations comprise determining a period of time for which to store the copy of the encryption data based on the one or more characteristics of the process (Bailey teaches the threshold may include 10 files modified within the time period of one second [0030]. A synchronization process may be executed through the analysis application 106. The attempted operation may be one of a creation, a deletion, a modification, and an encryption of the content. Detect metadata associated with the attempted operation such as the time period between alterations [0031]. Content altered during the attempted operation exceeds the threshold defined by the model. The operation may be labeled as “unwanted” by the ransomware [0033]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko-Dreyfus to include wherein the one or more characteristics of the process comprises at least a period of time for which an executable file for an application that initiated the process has been stored on the computing device, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of protecting the user from accidental alterations of the content (Bailey [0025]).
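The escrow decision that claims 1, 4 and 6 describe, as an added example in Python (not code from this Office action or from Kostyushko, Dreyfus or Bailey): a monitor that has seen a request for random data reads the requesting executable's saved timestamp from file metadata, derives how long the executable has been on the device, classifies the process, and either escrows the key copy in an owner-only location with a retention period or discards it. The names, thresholds, the use of st_mtime as the "saved to device" time and the sample files are all assumptions constructed for illustration.

```python
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class KeyRequest:
    """A request the monitor saw for random data used to build a key."""
    pid: int
    exe_path: str          # executable file of the application behind the pid
    key_material: bytes    # copy of the data handed out by the crypto resource


@dataclass(frozen=True)
class EscrowDecision:
    trusted: bool
    age: timedelta                  # time the executable has been on the device
    retention: Optional[timedelta]  # how long the escrowed copy is kept
    escrow_path: Optional[str]      # where the copy was stored, if at all


def executable_saved_at(exe_path: str) -> datetime:
    """Date and time the executable was saved, read from file metadata.
    Assumption: st_mtime stands in for the 'saved' time (birth time is not
    portable across filesystems)."""
    return datetime.fromtimestamp(os.stat(exe_path).st_mtime, tz=timezone.utc)


def time_on_device(exe_path: str, now: datetime) -> timedelta:
    """Period of time the executable has been stored on the computing device."""
    return now - executable_saved_at(exe_path)


def is_trusted(exe_path: str, age: timedelta, allowlist: frozenset,
               min_age: timedelta) -> bool:
    """Trusted if allow-listed, or present long enough to have been vetted."""
    return exe_path in allowlist or age >= min_age


def retention_period(age: timedelta, min_age: timedelta) -> timedelta:
    """Keep the copy until the executable would reach min_age, plus a grace
    period, so newer (riskier) executables get longer retention."""
    return max(min_age - age, timedelta(0)) + timedelta(days=7)


def escrow_copy(req: KeyRequest, escrow_dir: str) -> str:
    """Store the key copy where the requesting application cannot read it:
    owner-only directory and file, a constructed stand-in for a remote key
    escrow service or hardware-backed store."""
    os.makedirs(escrow_dir, mode=stat.S_IRWXU, exist_ok=True)
    os.chmod(escrow_dir, stat.S_IRWXU)
    name = f"pid{req.pid}-{os.path.basename(req.exe_path)}.key"
    path = os.path.join(escrow_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
                 stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "wb") as f:
        f.write(req.key_material)
    return path


def escrow_mode(path: str) -> int:
    """Permission bits of an escrowed copy (for checking the 0o600 policy)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def decide(req: KeyRequest, escrow_dir: str, now: datetime,
           allowlist: frozenset = frozenset(),
           min_age: timedelta = timedelta(days=1)) -> EscrowDecision:
    """Escrow the copy for an untrusted process; delete it for a trusted one."""
    age = time_on_device(req.exe_path, now)
    if is_trusted(req.exe_path, age, allowlist, min_age):
        # Trusted: the held copy is discarded and never reaches escrow.
        return EscrowDecision(True, age, None, None)
    path = escrow_copy(req, escrow_dir)
    return EscrowDecision(False, age, retention_period(age, min_age), path)


def make_sample_executable(directory: str, name: str, saved_at: datetime) -> str:
    """Constructed sample: a file whose metadata says it was saved at saved_at."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(b"#!/bin/sh\nexit 0\n")
    os.chmod(path, stat.S_IRWXU)
    os.utime(path, (saved_at.timestamp(), saved_at.timestamp()))
    return path


def demo() -> tuple:
    """Decision for a binary dropped two hours ago and one present for 90 days."""
    now = datetime(2022, 3, 11, 12, 0, tzinfo=timezone.utc)
    work = tempfile.mkdtemp()
    fresh = make_sample_executable(work, "dropper", now - timedelta(hours=2))
    old = make_sample_executable(work, "backup-tool", now - timedelta(days=90))
    escrow_dir = os.path.join(work, "escrow")
    d_fresh = decide(KeyRequest(4242, fresh, b"\x00" * 32), escrow_dir, now)
    d_old = decide(KeyRequest(4243, old, b"\x01" * 32), escrow_dir, now)
    return d_fresh, d_old


if __name__ == "__main__":
    for d in demo():
        print(d)
```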

Re. claim 8, Kostyushko-Dreyfus-Bailey teach the computing device of claim 1, wherein the operations comprise: identifying an application that initiated the process (Kostyushko discloses the system monitoring agent 104 may be configured to monitor and save any requests (113) for random or pseudorandom numbers from the system. Such requests 113 may be made by innocent user processes or suspicious user processes alike [0037]); monitoring behavior of the application after identifying the application that initiated the process (the system monitoring agent 104 may detect a user process 102 invoking system calls or application programming interface (API) calls to library functions that provide random or pseudorandom data from the operating system 105. The system monitoring agent 104 may detect a user process 102 attempting to access special files exposed by the operating system [0037]).
Although Kostyushko discloses determining whether the process is malicious and obtains a copy of the encryption key, Kostyushko does not explicitly teach, but Dreyfus teaches, determining, based on the monitored behavior, whether or not to delete the copy of the encryption data (Dreyfus teaches the endpoint system determines whether the application is a trusted application. As discussed above, the endpoint system can obtain information about the trust status of an application by querying a reputation service, examining a local reputation repository (e.g., local whitelists and/or blacklists), or some combination of both. If the application is not a trusted application (e.g., the application has an unknown trust status or is “untrusted,” or the application is not listed in a local reputation repository), at step 350, the endpoint system generates an encrypted copy of the file using the trusted encryption key. The endpoint system may retrieve the trusted encryption key, which may have been generated when endpoint monitor 122 is initially installed on an endpoint system or when a user initially registers endpoint monitor 122 with an online service, from local storage or a remote key repository. At step 360, the endpoint system stores the trusted encrypted file in a secure location [Col 9 lines 12-35]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko to include determining, based on the monitored behavior, whether or not to delete the copy of the encryption data, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of preventing cryptolocker attacks from successfully compromising files on an endpoint system; such a policy may result in legitimate encryption operations failing or unencrypted copies of encrypted files remaining on an endpoint system after a legitimate encryption program accesses the files. A malware attack would not be able to modify the contents (Dreyfus [Col 1 lines 37-45] [Col 9 lines 12-35]).

Re. claim 9, Kostyushko-Dreyfus-Bailey teach the computing device of claim 8, wherein the monitored behavior of the application includes at least one of (i) a number of files encrypted by the application (Kostyushko discloses responsive to detecting that the plurality of files have been encrypted by a malicious program [0055]).

Re. claim 10, Kostyushko-Dreyfus-Bailey teach the computing device of claim 1, wherein the data for use in generating the encryption key comprises random data for generating the encryption key (Kostyushko discloses generating encryption keys [0038]. To generate a pseudo-random number [0053]).

Re. claim 11, Kostyushko discloses a computer-implemented method, comprising: detecting a request for a cryptographic resource of a computing device to generate data for use in generating an encryption key at the computing device (Kostyushko discloses a system monitoring agent 104 configured to collect and track information in the system that might be used by suspicious processes to create encryption keys [0036]. Detect a user process 102 invoking system calls or application programming interface (API) calls to library functions that provide random or pseudorandom data from the operating system 105 [0037]);
obtaining a copy of encryption data for the encryption key, wherein the encryption data comprises at least one of (i) the data for use in generating the encryption key generated by the cryptographic resource or (ii) the encryption key (generated copies of the first blocks of the plurality of files and on the recorded random data [0055]. Generate a candidate key based on the recorded random data [0056]);
identifying a process that initiated the request (The system monitoring agent 104 may be configured to monitor and save any requests (113) for random or pseudorandom numbers from the system. Such requests 113 may be made by innocent user processes or suspicious user processes alike [0037]);
Identifying an application that initiated the process (Kostyushko discloses the system monitoring agent may be configured to monitor and save any requests for random or pseudorandom numbers from the system. Such requests may be made by innocent user processes or suspicious user processes alike. Detect a user process invoking system calls or application programming and operating systems [0037]);
Identifying an executable file for the application (Kostyushko discloses the system monitoring agent 104 may detect when a user process attempts to access the special device file /dev/random (or /dev/urandom, or /dev/arandom) exposed by the Linux operating system to allow access to environmental noise collected from device drivers and other system sources [0037]. The system monitoring agent 104 may be configured to intercept requests by a user process to retrieve from performance counters exposed by the operating system 105 indicating how the operating system, application, service, or driver(s) are performing [0038]);
Determining, from metadata of the executable file, a date and time at which the executable was saved to the computing device (Kostyushko discloses the system monitoring agent 104 may detect and save when a user process 102 requests (113) for hardware identifiers of devices in the computer hardware 106. The system monitoring agent 104 may detect when a user process 102 requests file metadata of one or more files stored in the system, such metadata file creation times (e.g., timestamp), file names, and data from the file header [0038], timestamp contains the date and time the file was created and saved);
determining, based at least on one or more characteristics of the process that initiated the request, whether or not to classify the process that initiated the request as a trusted process (monitor user processes 102 and OS thread processes 112 executing in the operating system 105 and check them against a database of known malicious software [0054]). 
Although Kostyushko discloses determining whether the process is malicious and obtains a copy of the encryption key, Kostyushko does not explicitly teach, but Dreyfus teaches, whenever the process that initiated the request is not classified as a trusted process, storing the copy of the encryption data (Dreyfus teaches trusted server 140 generally includes a trusted key generator 142, which generates the trusted encryption and decryption keys which are used, as described above, by endpoint monitor 122 to create encrypted backup copies of files stored on endpoint system 120 and restore files from encrypted backup copies in response to file encryption or corruption by malware [Col 6 lines 47-59]); and
whenever the process that initiated the request is classified as a trusted process, deleting the copy of the encryption data (the endpoint monitor 122 can delete encrypted backup copies upon determining that the application that triggered endpoint monitor 122 to generate an encrypted backup is a legitimate application [Col 5 lines 45-60]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko to include whenever the process that initiated the request is not classified as a trusted process, storing the copy of the encryption data; and whenever the process that initiated the request is classified as a trusted process, deleting the copy of the encryption data, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of preventing cryptolocker attacks from successfully compromising files on an endpoint system; such a policy may result in legitimate encryption operations failing or unencrypted copies of encrypted files remaining on an endpoint system after a legitimate encryption program accesses the files. A malware attack would not be able to modify the contents (Dreyfus [Col 1 lines 37-45] [Col 9 lines 12-35]).
Although Kostyushko-Dreyfus disclose the one or more characteristics of the process and executable file for an application that initiated the process has been stored on the computing device; from the date and time at which the executable file was saved to the computing device (Kostyushko [0038]), Kostyushko-Dreyfus do not explicitly teach but Bailey teaches determining a period of time for which the executable file for the application that initiated the request has been stored on the computing device (Bailey teaches the threshold may include 10 files modified within the time period of one second [0030]. The attempted operation may be one of a creation, a deletion, a modification, and an encryption of the content. The detection engine 118 may further detect metadata associated with the attempted operation, such as the amount of the content being altered, the time period between alterations, a process initiating the alterations, content extensions before and after the alterations [0031]. The one or more processing server 314 may detect an operation attempted to be performed on the content by the user 320 and compare the attempted operation to the model, including metadata associated with the attempted operation, to determine whether the attempted operation deviates in a statistically significant amount from the usage pattern. The attempted operation may deviate from the usage pattern if the type of altered content, the amount of altered content, and/or the amount of altered content within the time period (with which the attempted operation was executed) exceeds the threshold defined by the model [0057].
The attempted operation has been detected 404 may include, a message, such as, “we have detected a request to modify one or more items, files, and/or folders associated with the content” and “we have detected a request to modify one or more items, files, and/or folders associated with the content on client device” [0067]); wherein the one or more characteristics of the process comprises at least a period of time for which an executable file for an application that initiated the process has been stored on the computing device (Bailey teaches the threshold may include 10 files modified within the time period of one second [0030]. A synchronization process may be executed through the analysis application 106. The attempted operation may be one of a creation, a deletion, a modification, and an encryption of the content. Detect metadata associated with the attempted operation such as the time period between alterations [0031]. Content altered during the attempted operation exceeds the threshold defined by the model. The operation may be labeled as “unwanted” by the ransomware [0033]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko-Dreyfus to include determining a period of time for which the executable file for the application that initiated the request has been stored on the computing device; wherein the one or more characteristics of the process comprises at least a period of time for which an executable file for an application that initiated the process has been stored on the computing device, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of protecting the user from accidental alterations of the content (Bailey [0025]).

Re. claim 14, Kostyushko-Dreyfus-Bailey teach the method of claim 11. Kostyushko discloses the copy of the encryption data for the encryption key; Kostyushko does not explicitly teach, but Dreyfus teaches, wherein storing the copy of the encryption data comprises storing the copy of the encryption data in a data storage location inaccessible to an application that initiated the process (Dreyfus teaches at step 360, the endpoint system stores the trusted encrypted file in a secure location. The secure location may generally be a location in which a malware attack would not be able to modify the contents of the trusted encrypted file. For example, the secure location may be a protected directory in local storage attached to the endpoint system, a hidden partition in local storage attached to the endpoint system, or a remote storage repository [Col 9 lines 12-35]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko to include wherein storing the copy of the encryption data comprises storing the copy of the encryption data in a data storage location inaccessible to an application that initiated the process, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of preventing cryptolocker attacks from successfully compromising files on an endpoint system; such a policy may result in legitimate encryption operations failing or unencrypted copies of encrypted files remaining on an endpoint system after a legitimate encryption program accesses the files. The malware attack would not be able to modify (Dreyfus [Col 1 lines 37-45] [Col 9 lines 12-35]).

Re. claim 15, Kostyushko-Dreyfus-Bailey teach the method of claim 14. Kostyushko does not explicitly teach, but Dreyfus teaches, wherein the data storage location comprises at least one of a key escrow service that is remote from the computing device or hardware-backed secure storage of the computing device (Dreyfus teaches storing the encrypted backup copies in backup store 540 in storage 510 [Col 11 lines 8-15]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko to include wherein the data storage location comprises at least one of a key escrow service that is remote from the computing device or hardware-backed secure storage of the computing device, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of protecting against encryption or modification by a malicious application (Dreyfus [Col 11 lines 30-50]).

Re. claim 16, Kostyushko-Dreyfus-Bailey teach the method of claim 11. Kostyushko-Dreyfus discloses storing the copy of the encryption data for the encryption key; Kostyushko-Dreyfus does not explicitly teach, but Bailey teaches, wherein the operations comprise determining a period of time for which to store the copy of the encryption data based on the one or more characteristics of the process (Bailey teaches the threshold may include 10 files modified within the time period of one second [0030]. A synchronization process may be executed through the analysis application 106. The attempted operation may be one of a creation, a deletion, a modification, and an encryption of the content. Detect metadata associated with the attempted operation such as the time period between alterations [0031]. Content altered during the attempted operation exceeds the threshold defined by the model. The operation may be labeled as “unwanted” by the ransomware [0033]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko-Dreyfus to include wherein the one or more characteristics of the process comprise at least a period of time for which an executable file for an application that initiated the process has been stored on the computing device, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of protecting users from accidental alterations of the content (Bailey [0025]).

Re. claim 8, Kostyushko-Dreyfus-Bailey teach the method of claim 11, wherein the operations comprise: identifying an application that initiated the process (Kostyushko discloses the system monitoring agent 104 may be configured to monitor and save any requests (113) for random or pseudorandom numbers from the system. Such requests 113 may be made by innocent user processes or suspicious user processes alike [0037]); monitoring behavior of the application after identifying the application that initiated the process (the system monitoring agent 104 may detect a user process 102 invoking system calls or application programming interface (API) calls to library functions that provide random or pseudorandom data from the operating system 105. The system monitoring agent 104 may detect a user process 102 attempting to access special files exposed by the operating system [0037]).
Although Kostyushko discloses determining whether the process is malicious or not and obtaining a copy of the encryption key, Kostyushko does not explicitly teach, but Dreyfus teaches, determining, based on the monitored behavior, whether or not to delete the copy of the encryption data (Dreyfus teaches the endpoint system determines whether the application is a trusted application. As discussed above, the endpoint system can obtain information about the trust status of an application by querying a reputation service, examining a local reputation repository (e.g., local whitelists and/or blacklists), or some combination of both. If the application is not a trusted application (e.g., the application has an unknown trust status or is “untrusted,” or the application is not listed in a local reputation repository), at step 350, the endpoint system generates an encrypted copy of the file using the trusted encryption key. The endpoint system may retrieve the trusted encryption key, which may have been generated when endpoint monitor 122 is initially installed on an endpoint system or when a user initially registers endpoint monitor 122 with an online service, from local storage or a remote key repository. At step 360, the endpoint system stores the trusted encrypted file in a secure location [Col 9 lines 12-35]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko to include determining, based on the monitored behavior, whether or not to delete the copy of the encryption data, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of preventing cryptolocker attacks from successfully compromising files on an endpoint system; such a policy may result in legitimate encryption operations failing or unencrypted copies of encrypted files remaining on an endpoint system after a legitimate encryption program accesses the files. The malware attack would not be able to modify (Dreyfus [Col 1 lines 37-45] [Col 9 lines 12-35]).

Re. claim 19, Kostyushko-Dreyfus-Bailey teach the method of claim 18, wherein the monitored behavior of the application includes at least one of (i) a number of files encrypted by the application (Kostyushko discloses responsive to detecting that the plurality of files have been encrypted by a malicious program [0055]).

Re. claim 20, Kostyushko discloses a non-transitory computer storage medium encoded with a computer program (Kostyushko discloses stored as one or more instructions or code on a non-transitory computer-readable medium [0064]), the program comprising instructions that when executed by one or more data processing apparatus cause the data processing apparatus to perform operations comprising: 
detecting a request for a cryptographic resource of the computing device to generate data for use in generating an encryption key at the computing device (A system monitoring agent 104 configured to collect and track information in the system that might be used by suspicious processes to create encryption keys [0036]. detect a user process 102 invoking system calls or application programming interface (API) calls to library functions that provide random or pseudorandom data from the operating system 105 [0037]);
obtaining a copy of encryption data for the encryption key, wherein the encryption data comprises at least one of (i) the data for use in generating the encryption key generated by the cryptographic resource or (ii) the encryption key (generated copies of the first blocks of the plurality of files and on the recorded random data [0055]. Generate a candidate key based on the recorded random data [0056]);
identifying a process that initiated the request (the system monitoring agent 104 may be configured to monitor and save any requests (113) for random or pseudorandom numbers from the system. Such requests 113 may be made by innocent user processes or suspicious user processes alike [0037]);
identifying an application that initiated the process (Kostyushko discloses the system monitoring agent may be configured to monitor and save any requests for random or pseudorandom numbers from the system. Such requests may be made by innocent user processes or suspicious user processes alike. Detect a user process invoking system calls or application programming and operating systems [0037]);
identifying an executable file for the application (Kostyushko discloses the system monitoring agent 104 may detect when a user process attempts to access the special device file /dev/random (or /dev/urandom, or /dev/arandom) exposed by the Linux operating system to allow access to environmental noise collected from device drivers and other system sources [0037]. The system monitoring agent 104 may be configured to intercept requests by a user process to retrieve from performance counters exposed by the operating system 105 indicating how the operating system, application, service, or driver(s) are performing [0038]);
determining, from metadata of the executable file, a date and time at which the executable was saved to the computing device (Kostyushko discloses the system monitoring agent 104 may detect and save when a user process 102 requests (113) hardware identifiers of devices in the computer hardware 106. The system monitoring agent 104 may detect when a user process 102 requests file metadata of one or more files stored in the system, such metadata including file creation times (e.g., timestamp), file names, and data from the file header [0038]; the timestamp contains the date and time the file was created and saved);
determining, based at least on one or more characteristics of the process that initiated the request, whether or not to classify the process that initiated the request as a trusted process (monitor user processes 102 and OS thread processes 112 executing in the operating system 105 and check them against a database of known malicious software [0054]).
Although Kostyushko discloses determining whether the process is malicious or not and obtaining a copy of the encryption key, Kostyushko does not explicitly teach, but Dreyfus teaches, whenever the process that initiated the request that initiated the request is not classified as a trusted process, storing the copy of the encryption data (Dreyfus teaches trusted server 140 generally includes a trusted key generator 142, which generates the trusted encryption and decryption keys which are used, as described above, by endpoint monitor 122 to create encrypted backup copies of files stored on endpoint system 120 and restore files from encrypted backup copies in response to file encryption or corruption by malware [Col 6 lines 47-59]); and
whenever the process that initiated the request is classified as a trusted process, deleting the copy of the encryption data (the endpoint monitor 122 can delete encrypted backup copies upon determining that the application that triggered endpoint monitor 122 to generate an encrypted backup is a legitimate application [Col 5 lines 45-60]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko to include whenever the process that initiated the request that initiated the request is not classified as a trusted process, storing the copy of the encryption data; and whenever the process that initiated the request is classified as a trusted process, deleting the copy of the encryption data, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of preventing cryptolocker attacks from successfully compromising files on an endpoint system; such a policy may result in legitimate encryption operations failing or unencrypted copies of encrypted files remaining on an endpoint system after a legitimate encryption program accesses the files. The malware attack would not be able to modify (Dreyfus [Col 1 lines 37-45] [Col 9 lines 12-35]).
Although Kostyushko-Dreyfus discloses the one or more characteristics of the process, and that the executable file for an application that initiated the process has been stored on the computing device and the date and time at which the executable file was saved to the computing device (Kostyushko [0038]), Kostyushko-Dreyfus does not explicitly teach, but Bailey teaches, determining a period of time for which the executable file for the application that initiated the request has been stored on the computing device (Bailey teaches the threshold may include 10 files modified within the time period of one second [0030]. The attempted operation may be one of a creation, a deletion, a modification, and an encryption of the content. The detection engine 118 may further detect metadata associated with the attempted operation, such as the amount of the content being altered, the time period between alterations, a process initiating the alterations, content extensions before and after the alterations [0031]. The one or more processing servers 314 may detect an operation attempted to be performed on the content by the user 320, and compare the attempted operation to the model, including metadata associated with the attempted operation, to determine whether the attempted operation deviates in a statistically significant amount from the usage pattern. The attempted operation may deviate from the usage pattern if the type of altered content, the amount of altered content, and/or the amount of altered content within the time period (with which the attempted operation was executed) exceeds the threshold defined by the model [0057].
The attempted operation has been detected 404 may include a message, such as, “we have detected a request to modify one or more items, files, and/or folders associated with the content” and “we have detected a request to modify one or more items, files, and/or folders associated with the content on client device” [0067]); wherein the one or more characteristics of the process comprise at least a period of time for which an executable file for an application that initiated the process has been stored on the computing device (Bailey teaches the threshold may include 10 files modified within the time period of one second [0030]. A synchronization process may be executed through the analysis application 106. The attempted operation may be one of a creation, a deletion, a modification, and an encryption of the content. Detect metadata associated with the attempted operation such as the time period between alterations [0031]. Content altered during the attempted operation exceeds the threshold defined by the model. The operation may be labeled as “unwanted” by the ransomware [0033]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko-Dreyfus to include determining a period of time for which the executable file for the application that initiated the request has been stored on the computing device, wherein the one or more characteristics of the process comprise at least a period of time for which an executable file for an application that initiated the process has been stored on the computing device, as disclosed by Dreyfus. One of ordinary skill in the art would have been motivated for the purpose of protecting users from accidental alterations of the content (Bailey [0025]).
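As an added illustration, not taken from this office action or from the Kostyushko, Dreyfus or Bailey references, the following Python models the sequence of operations recited in claim 20 from the defender's side: a request for random data is tied to a process, the process to its executable, the executable's saved timestamp to a period of time on disk, and that characteristic (together with the signed-file characteristic of claims 2 and 3) decides whether a copy of the key material is kept in escrow for later recovery or deleted. Every name, threshold, data class and sample record below is a constructed assumption, not an API or value from any cited patent.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Constructed sample records. In a real agent these would come from hooking the
# OS random source and reading executable metadata; here they are literals.


@dataclass
class RandomRequest:
    pid: int
    random_bytes: bytes                # data returned by the cryptographic resource


@dataclass
class ProcessInfo:
    pid: int
    app_name: str
    exe_path: str
    exe_saved_at: datetime             # save/creation timestamp from exe metadata
    signed: bool                       # whether the executable carries a signature
    signer: Optional[str] = None       # entity that signed it, if any


@dataclass
class KeyEscrow:
    """Copies of key material kept for processes not classified as trusted."""
    copies: Dict[int, bytes] = field(default_factory=dict)
    expires: Dict[int, datetime] = field(default_factory=dict)

    def store(self, pid: int, data: bytes, until: datetime) -> None:
        self.copies[pid] = data
        self.expires[pid] = until

    def delete(self, pid: int) -> None:
        self.copies.pop(pid, None)
        self.expires.pop(pid, None)


MIN_EXE_AGE = timedelta(days=7)        # assumed policy threshold, not from the page


def executable_age(info: ProcessInfo, now: datetime) -> timedelta:
    """Period of time the executable has been stored on the device."""
    return now - info.exe_saved_at


def is_trusted(info: ProcessInfo, now: datetime) -> bool:
    """Classify the process from characteristics of its executable:
    a signed binary that has been on disk at least MIN_EXE_AGE is trusted."""
    return info.signed and executable_age(info, now) >= MIN_EXE_AGE


def retention_period(info: ProcessInfo) -> timedelta:
    """How long to keep an escrowed copy, driven by the same characteristics
    (unsigned binaries get a longer retention window)."""
    return timedelta(days=30) if not info.signed else timedelta(days=7)


def handle_request(req: RandomRequest, procs: Dict[int, ProcessInfo],
                   escrow: KeyEscrow, now: datetime) -> str:
    """Store or delete the copy of the key material for one random-data request."""
    info = procs[req.pid]              # identify process -> application -> executable
    copy = bytes(req.random_bytes)     # obtain a copy of the encryption data
    if is_trusted(info, now):
        escrow.delete(req.pid)         # trusted process: discard the copy
        return "deleted"
    escrow.store(req.pid, copy, now + retention_period(info))
    return "stored"                    # untrusted: keep it for possible recovery


def run_demo() -> Tuple[Dict[int, str], KeyEscrow]:
    """Run two constructed requests: a long-installed signed editor and a
    ten-minute-old unsigned binary dropped in a temporary directory."""
    now = datetime(2022, 6, 1, tzinfo=timezone.utc)
    procs = {
        4242: ProcessInfo(4242, "texteditor", "/usr/bin/texteditor",
                          now - timedelta(days=400), True, "Example Vendor"),
        5151: ProcessInfo(5151, "update.tmp", "/tmp/update.tmp",
                          now - timedelta(minutes=10), False),
    }
    escrow = KeyEscrow()
    results = {}
    for req in (RandomRequest(4242, b"\x01" * 32), RandomRequest(5151, b"\x02" * 32)):
        results[req.pid] = handle_request(req, procs, escrow, now)
    return results, escrow


if __name__ == "__main__":
    outcome, kept = run_demo()
    print(outcome)                     # {4242: 'deleted', 5151: 'stored'}
    print(sorted(kept.copies))         # [5151]
```

The deciding input is the executable's saved timestamp read from file metadata, which is exactly the characteristic the examiner maps to Kostyushko [0038] and Bailey; a practitioner should note that such timestamps are writable by the owning process, so a real deployment would pair this age check with the signature check and with behavioural monitoring rather than rely on it alone.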

Claims 2, 3, 12, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Kostyushko et al. (US 20190018961, hereinafter as Kostyushko), Dreyfus (US 9990511), Bailey et al. (US 20180054480, hereinafter as Bailey), and in further view of Satish (US 8499350).

Re. claim 2, Kostyushko-Dreyfus-Bailey teach the computing device of claim 1. Kostyushko-Dreyfus-Bailey do not explicitly teach, but Satish teaches, wherein the one or more characteristics of the process comprise whether the executable file is a signed file (Satish teaches the trust module 302 includes whether the file includes a digital signature [Col 6 lines 10-17]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko-Dreyfus-Bailey to include wherein the one or more characteristics of the process comprise whether the executable file is a signed file, as disclosed by Satish. One of ordinary skill in the art would have been motivated for the purpose of having a more trustworthy file by having it signed, which improves security (Satish [Col 6 lines 10-17]).

Re. claim 3, Kostyushko-Dreyfus-Bailey teach the computing device of claim 2. Kostyushko-Dreyfus-Bailey do not explicitly teach, but Satish teaches, wherein the one or more characteristics of the process comprise data identifying an entity that signed the file (Satish teaches the trust module 302 can also determine the identity of the entity that signed the file [Col 6 lines 10-17]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko-Dreyfus-Bailey to include wherein the one or more characteristics of the process comprise whether the executable file is a signed file, as disclosed by Satish. One of ordinary skill in the art would have been motivated for the purpose of having a more trustworthy file by having it signed, which improves security (Satish [Col 6 lines 10-17]).

Re. claim 12, the rejection of claim 11 is incorporated, and claim 12 is rejected with the same rationale as applied to claim 2.

Re. claim 13, the rejection of claim 12 is incorporated, and claim 13 is rejected with the same rationale as applied to claim 3.

Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kostyushko et al. (US 20190018961, hereinafter as Kostyushko), Dreyfus (US 9990511), Bailey et al. (US 20180054480, hereinafter as Bailey), Litichever et al. (US 20180225230, hereinafter as Litichever), and in further view of Reese et al. (US 20160283937, hereinafter as Reese).

Re. claim 7, Kostyushko-Dreyfus-Bailey teach the computing device of claim 1, wherein the operations comprise: detecting a second request to generate data for a second encryption key at the computing device (Kostyushko teaches a system monitoring agent 104 configured to collect and track information in the system that might be used by suspicious processes to create encryption keys [0036]);
identifying a second process that initiated the second request (Kostyushko teaches the system monitoring agent 104 may be configured to monitor and save any requests (113) for random or pseudorandom numbers from the system. Such requests 113 may be made by innocent user processes or suspicious user processes alike [0037]).
Although Kostyushko-Dreyfus-Bailey disclose storing keys and storing the copy of the data for the encryption key, Kostyushko-Dreyfus-Bailey do not explicitly teach, but Litichever teaches, determining, based at least on one or more characteristics of the second process that initiated the second request, whether or not to store a second copy of the data for the second encryption key (Litichever teaches a second dongle is adapted to be connected to the remote computer, and includes a second program memory for storing a copy of the encryption algorithm and a non-volatile memory for storing a copy of the key for use with the copy of said encryption algorithm [0227]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko-Dreyfus-Bailey to include determining, based at least on one or more characteristics of the second process that initiated the second request, whether or not to store a second copy of the data for the second encryption key, as disclosed by Litichever. One of ordinary skill in the art would have been motivated for the purpose of connecting to the remote computer and indicating the start and end of, which improves security by indicating when the information was last accessed, for the purpose of detecting and preventing malware (Litichever [0227]).
Kostyushko-Dreyfus-Bailey-Litichever do not explicitly teach, but Reese teaches, deleting the second copy of the data for the second encryption key (Reese teaches delete all cryptographic keys [0052]. Delete the key encryption key in response to generation of the second key encryption key part [0054]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Kostyushko-Dreyfus-Bailey-Litichever to include deleting the second copy of the data for the second encryption key, as disclosed by Litichever. One of ordinary skill in the art would have been motivated for the purpose of not having a duplicate key, which prevents hijack/ransomware and improves security (Reese [0054]).

Re. claim 17, the rejection of claim 11 is incorporated, and claim 17 is rejected with the same rationale as applied to claim 7.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Rajasekharan et al. (US 20190042744) discloses detecting the onset of a ransomware attack. File backup metadata for each of a plurality of computing devices is accessed and analyzed to detect anomalous file backup activity.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KEVIN A AYALA whose telephone number is (571)270-3912. The examiner can normally be reached Monday-Thursday 8AM-5PM; Friday: Variable EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/K.A./Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496