Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 05/09/2022 has been entered.
 
Response to Arguments
3.	Applicant’s arguments filed 05/09/2022, with respect to the 35 U.S.C. 103 rejections of claims 1, 4, 5, 7, 8, 11-17, 19, and 20 as being unpatentable over U.S. Patent No. 9,317,686 (“Ye”) in view of U.S. Patent Application Publication No. 2018/0007069 (“Hunt”), dependent claims 2, 3, 9, and 10 were rejected as being unpatentable over the combination of Ye, Hunt, and U.S. Patent Application Publication No. 2018/0113638 (“Petersen”), dependent claim 6 was rejected as being unpatentable over the combination of Ye, Hunt, and U.S. Patent Application Publication No. 2019/0258426 (“Roh”), and dependent claim 18 was rejected as being unpatentable over the combination of Ye, Hunt, and U.S. Patent Application Publication No. 2010/0058122 (“Compton”) have been fully considered. However, upon further consideration, a new ground(s) of rejection is made in view of amended claims.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
4. 	Claims 1, 4, 5, 11-17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 9,317,686 hereinafter Ye in view of U.S. Publication No. 20180007069 hereinafter Hunt and further in view of U.S. Publication No. 20190130097 hereinafter Berler.

As per claim 1, Ye discloses:
A method (Col. 2 Lines 27 -34 “In a first embodiment, system events are monitored and a file change event of a process is detected. If the process is determined to be suspicious, then the file to be changed is backed up and then the file is allowed to be changed by the process.”) comprising:
detecting, by a monitoring system, that a storage system receives a request to perform an operation (Fig. 2, Col. 5 Lines 11-16 “Step 212 determines whether an event has occurred indicating that a user process is attempting to change one of the files on the hard disk (for example, hooking of a system function indicates that a process is attempting to overwrite a file, write a new version of a file, encrypt a file, delete a file, etc.).”);
determining, by the monitoring system and based on the request being received by the storage system during the time period, that the request is indicative of a malicious action (Col. 5 Line 62 "If the process is suspicious, then control moves to step 220.” Col. 6 Lines 47-53 “Accordingly, step 224 determines whether the process is malware, or more specifically, whether the process is ransomware. In general, making a determination that the process is malware may be performed using any of the rules described above in step 216. For example, it may be concluded that a particular process is malicious if it satisfies a certain number of rules.”);
and performing, by the monitoring system in response to the determining that the request is indicative of the malicious action, a remedial action with respect to the requested operation (Col. 7 Lines 32-41 “In step 232 the process in question is blocked (because it is malware or, more specifically is ransomware) by sending a signal from the correlation engine to the system monitor driver. Driver 110 blocks the particular process or thread by making any of its file access request fail. In step 236 the correlation engine also sends a notification to the clean engine 180 to remove the malicious process and all of its artifacts from the computer. The information that the engine passes to the clean engine is the file path of the malicious process in order to allow the cleaning to occur.”).

Ye does not disclose:
 	detecting, by a monitoring system, an abnormal pattern of interaction with a storage system during a time period, the storage system comprising a plurality of storage structures configured to store data, the detecting the abnormal pattern comprising determining that operations performed with respect to the storage system during the time period differ by more than a threshold amount from historical operations performed with respect to the storage system
detecting, by a monitoring system, that a controller of the storage system receives, from a host remote from and in communication by way of a network with the storage system, a request
 determining, by the monitoring system, that the request is received by the storage system during the time period; 
determining, by the monitoring system and based on the request being received by the storage system during the time period, that the request is indicative of a malicious action
Hunt discloses:
detecting, by a monitoring system, that a controller of the storage system receives, from a host remote from and in communication by way of a network with the storage system, a request (para 0036 “ In block 210, file operation requests made by the user workstation 110 are detected and analyzed.” Para 0066 “ hook into a cloud storage server application programming interface; intercept cloud storage operations requested by an endpoint device; record the requested cloud storage operations; analyze the recorded cloud storage operations to determine whether ransomware activity is occurring; and block ransomware activity on the cloud storage server responsive to the analysis.”); 
 determining, by the monitoring system, that the request is received by the storage system during the time period (para 0036, 0037, and 0066)
 determining, by the monitoring system and based on the request being received by the storage system during the time period, that the request is indicative of a malicious action (para 0036, 0037, and 0066)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method monitoring storage events of Ye to include detecting that a controller of storage system comprising a plurality of storage structures configured to store data receives, from a host remote from and in communication by way of a network with the storage system, a request to perform an operation that affects a capacity of a storage structure included in the plurality of storage structures and identifying, by the monitoring system based on the controller receiving the request from the host, an attribute, as taught by Hunt.
The motivation would have been to properly analyze request from a remote host in order to properly detect ransomware activity.

Ye does not disclose:
 	detecting, by a monitoring system, an abnormal pattern of interaction with a storage system during a time period, the storage system comprising a plurality of storage structures configured to store data, the detecting the abnormal pattern comprising determining that operations performed with respect to the storage system during the time period differ by more than a threshold amount from historical operations performed with respect to the storage system

Berler discloses:
	detecting, by a monitoring system, an abnormal pattern of interaction with a storage system during a time period, the storage system comprising a plurality of storage structures configured to store data, the detecting the abnormal pattern comprising determining that operations performed with respect to the storage system during the time period differ by more than a threshold amount from historical operations performed with respect to the storage system (para 0023 “ Furthermore, the anti-ransomware module may be configured to monitor read and/or write accesses to the NVM with the same LBA ranges. The anti-ransomware module may identify historical norms, patterns, and/or anomalies of read and/or write access to the NVM. For example, if a read and later write accesses to the same LBA ranges is detected, this may be activity indicative of ransomware. In some protocols (e.g., F2FS) where user data is not written to the same LBA range, the amount of data that was read and later written, and the difference in entropy thereof, may be used to detect activity indicative of ransomware. In some instances, anomalous timelines of read and/or write access may be activity indicative of ransomware. For example, if a LBA range has been historically accessed once per day or less, frequent accesses over a short time period may be activity indicative of ransomware.” para 0031 “The anti-ransomware module 150 may monitor the data path 125 between the controller 130 and the NVM 140. In some embodiments, the anti-ransomware module 150 may monitor the data path 125 by calculating the entropy of data to be written to the NVM. In some embodiments, the anti-ransomware module 150 may monitor the data path 125 by identifying abnormal read-write patterns to the NVM. For example, a fast (e.g., 50% faster than the historic norm) read-write to the same LBA may be deemed abnormal—activity indicative of ransomware. 
As another example, a read to a first LBA quickly followed (e.g., 50% quicker than the historic norm) by a write to a second LBA, wherein the amount of data in each is comparable, may be deemed abnormal—activity indicative of ransomware. In some embodiments, only when such an abnormal read-write pattern is identified, the anti-ransomware module 150 may calculate the entropy of the data written to the NVM. In some embodiments, the anti-ransomware module 150 may calculate the entropy of the data written to the NVM for all writes to the NVM. The anti-ransomware module 150 may determine whether the calculated entropy is above a pre-defined threshold value. If so, a suspected ransomware attack deemed to be detected. The anti-ransomware module 150 may respond by taking remedial action, for example: block suspicious writes to NVM 140, inform the host system 110 that a suspected ransomware attack has been detected, and/or automatically backup LBA ranges of NVM 140 that were deemed to be attacked.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method monitoring storage events of Ye in view of Hunt to include detecting, by a monitoring system, an abnormal pattern of interaction with a storage system during a time period, the storage system comprising a plurality of storage structures configured to store data, the detecting the abnormal pattern comprising determining that operations performed with respect to the storage system during the time period differ by more than a threshold amount from historical operations performed with respect to the storage system, as taught by Berler.
The motivation would have been to properly analyze abnormal pattern with request to a storage system in order to properly detect ransomware activity.
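
The read-write timing and entropy check quoted from Berler para 0031 above, as an added example; it is not part of this Office action or of any cited reference. The class and function names, the per-LBA baseline table, the 7.0 bits-per-byte cutoff, and the reading of "50% faster" as a read-to-write gap under half the historic gap are assumptions, and the events are constructed sample data.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class ReadWriteMonitor:
    """Blocks a write that follows a read of the same LBA abnormally fast
    AND carries a high-entropy payload (the 'only when such an abnormal
    read-write pattern is identified' embodiment)."""

    def __init__(self, historic_gap_s, default_gap_s=60.0,
                 speedup=0.5, entropy_threshold=7.0):
        self.historic_gap_s = historic_gap_s        # per-LBA norm: read-to-write gap (s)
        self.default_gap_s = default_gap_s          # assumed norm for LBAs without history
        self.speedup = speedup                      # 0.5 models "50% faster than the norm"
        self.entropy_threshold = entropy_threshold  # assumed cutoff, bits per byte
        self.last_read = {}                         # LBA -> time of most recent read

    def on_read(self, ts, lba):
        self.last_read[lba] = ts

    def on_write(self, ts, lba, payload):
        read_ts = self.last_read.pop(lba, None)
        if read_ts is None:
            return "allow"                          # no read-then-write pattern to judge
        norm = self.historic_gap_s.get(lba, self.default_gap_s)
        if ts - read_ts >= norm * (1.0 - self.speedup):
            return "allow"                          # timing within the historic norm
        # Timing is abnormal: only now compute the entropy of the written data.
        if shannon_entropy(payload) > self.entropy_threshold:
            return "block"                          # remedial action: refuse the write
        return "allow"


def replay(monitor, events):
    """Feed (ts, op, lba, payload) tuples to the monitor; return write verdicts."""
    verdicts = []
    for ts, op, lba, payload in events:
        if op == "read":
            monitor.on_read(ts, lba)
        else:
            verdicts.append((lba, monitor.on_write(ts, lba, payload)))
    return verdicts


# Constructed sample data (not from any cited reference).
PLAINTEXT = b"quarterly report draft " * 100   # low entropy, compressible
CIPHERLIKE = bytes(range(256)) * 16            # uniform byte histogram, 8.0 bits/byte
HISTORIC_GAP_S = {100: 60.0, 200: 60.0, 300: 60.0}
SAMPLE_EVENTS = [
    (0,   "read",  100, None),
    (40,  "write", 100, CIPHERLIKE),   # 40 s gap: within norm, never scored
    (100, "read",  200, None),
    (101, "write", 200, CIPHERLIKE),   # 1 s gap and high entropy
    (200, "read",  300, None),
    (202, "write", 300, PLAINTEXT),    # fast, but payload is ordinary text
    (300, "write", 400, CIPHERLIKE),   # no preceding read of this LBA
]

if __name__ == "__main__":
    for lba, verdict in replay(ReadWriteMonitor(HISTORIC_GAP_S), SAMPLE_EVENTS):
        print(f"LBA {lba}: {verdict}")
```

Because entropy is checked only after the timing test fires, the high-entropy writes to LBA 100 and LBA 400 pass unscored; the alternative embodiment in the same paragraph, which scores every write, would not have that gap.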

As per claim 4, Ye in view of Hunt and Berler discloses:

The method of claim 1, further comprising: determining a source of the request; and the determining that the request is indicative of the malicious action is further based on determining that the source is a malicious source (Ye Col. 6 Lines 47-53).

As per claim 5, Ye in view of Hunt and Berler discloses:
The method of claim 1, further comprising determining that the request comprises a write request; and the determining that the request is indicative of the malicious action comprises determining that the write request is further based on an attempt to overwrite compressible data in the storage structure with incompressible data (Ye Fig. 2, Col. 5 Lines 11-16)

As per claim 11, Ye in view of Hunt and Berler discloses:
The method of claim 1, further comprising: the determining that the request is indicative of the malicious action is further based on determining that the request is for a particular storage structure that is flagged as being the ransomware recovery structure (Ye Col. 7 Lines 22- 31).

As per claim 12, Ye in view of Hunt and Berler discloses:
The method of claim 11, further comprising the performing of the remedial action comprises requiring data from multiple sources for the operation to be performed (Ye Fig. 2).

As per claim 13, Ye in view of Hunt and Berler discloses:
The method of claim 1, further comprising the performing of the remedial action comprises providing a notification indicating that the request is indicative of the malicious action (Ye Col. 7 Lines 37-41).

As per claim 14, Ye in view of Hunt and Berler discloses:
The method of claim 1, further comprising the performing of the remedial action comprises directing the storage system to abstain from actually performing the operation for a predetermined time period subsequent to the storage system receiving the request (Ye Col. 5 Lines 11-67).

As per claim 15, Ye in view of Hunt and Berler discloses:
The method of claim 14, further comprising directing, by the monitoring system, the storage system to encrypt data in the storage structure so that the data is encrypted during the predetermined time period (Ye Col. 7 Lines 42-50). 

As per claim 16, Ye in view of Hunt and Berler discloses:
The method of claim 1, further comprising the performing of the remedial action comprises directing the storage system to abstain from actually performing the operation until a garbage collection process is to be performed with respect to the storage structure (Ye Col. 7 Lines 37-61).

As per claim 17, Ye in view of Hunt and Berler discloses:
The method of claim 1, further comprising the performing of the remedial action comprises at least one of blocking the request, throttling a performance of the operation, and disabling the storage system (Ye Col. 7 Lines 32-36).

As per claim 19, the implementation of the method of claim 1 will execute the system of claim 19. The claim is analyzed with respect to claim 1.

As per claim 20, the implementation of the method of claim 1 will execute the storage system including a plurality of storage elements (Ye Figs. 1 and 2, Col. 3 Lines 52-67 storage, backups) of claim 19. The claim is analyzed with respect to claim 1.

5. 	Claims 2, 3, 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Ye in view of Hunt, and further in view of Berler, and further in view of U.S. Publication No. 20180113638 hereinafter Petersen.

As per claim 2, Ye in view of Hunt and Berler discloses:
The method of claim 1, further comprising determining a request (Ye Col. 5 Lines 22-32) 

Ye in view of Hunt and Berler does not disclose:
determining that a request is included in a plurality of requests of a similar type received by the storage system during the time period; and the determining that the request is indicative of the malicious action is further based on determining that the plurality of requests of similar type exceeds a threshold

Petersen discloses: 
determining that a request is included in a plurality of requests of a similar type received by the storage system during the time period; and the determining that the request is indicative of the malicious action is further based on determining that the plurality of requests of similar type exceeds a threshold (para 0048 “In one embodiment, the controller 304 is configured to assign a write and overwrite rate (which may be a single overall write rate or separate rates depending on whether the request is to write new data to unoccupied space or overwrite existing data, hereinafter referred to as a "write rate") to each of the applications 306, thereby restricting the rate at which each application 306, such as the first application 316, is able to write data to the one or more media storage devices 302. A write rate, as used herein, describes an amount of data that is written to a particular media storage device, such as the first media storage device 314, or a portion thereof, over a given time period.” para 0093 “In another embodiment, method 400 may include restricting the write rate (from an initial value) in response to determining an action that is indicative of a ransomware attack or malicious code executing on the media storage device. The action may include, but is not limited to, any of the following: a frequency of write activity on the media storage device or the portion thereof that exceeds a predetermined write frequency threshold, a rate of change resulting from the write request being greater than an historical rate of change for the media storage device or the portion thereof, and the write request being received outside of a time period in which write requests are expected to be received for the media storage device or the portion thereof.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method monitoring storage events of Ye in view of Hunt and Berler to include the method of an attribute comprises determining that the request is included in a plurality of requests of a similar type received by the storage system during a time period, as taught by Petersen.
The motivation would have been to properly detect a rate of write request in order to detect an attack.

As per claim 3, Ye in view of Hunt and Berler discloses:
The method of claim 1, further comprising: determining (Ye Col. 5 Lines 22-32)

Ye in view of Hunt and Berler does not disclose:
determining that the request is included in a plurality of requests received by the storage system during a time period, for a number of storage structures within the storage system; and wherein the determining that the request is indicative of the malicious action is further based on determining that the number of storage structures compared to a total number of storage structures within the storage system exceeds a predetermined ratio

Petersen discloses:
determining that the request is included in a plurality of requests received by the storage system during a time period, for a number of storage structures within the storage system; and wherein the determining that the request is indicative of the malicious action is further based on determining that the number of storage structures compared to a total number of storage structures within the storage system exceeds a predetermined ratio (para 0048, 0051, and 0098)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method monitoring storage events of Ye in view of Hunt and Berler to include the method of an attribute comprises determining that the request is included in a plurality of requests of a similar type received by the storage system during a time period, as taught by Petersen.
The motivation would have been to properly detect a rate of write request in order to detect an attack.

As per claim 9, Ye in view of Hunt and Berler discloses:
The method of claim 1, further comprising: determining (Ye Col. 5 Lines 22-32)

Ye in view of Hunt and Berler does not disclose:
determining an age of one or more storage structures within the storage system; and the determining that the request is indicative of the malicious action is further based on determining that the age is older than a predetermined age

Petersen discloses:
determining an age of other storage structures within the storage system; and the determining that the request is indicative of the malicious action comprises determining that the age is older than a predetermined age (para 0069 “In a further embodiment, an age of an existing subset of storage space (how long it has been since the subset of storage space was written) may be used to determine whether a write request which targets the existing subset of storage space to determine a risk level for this write request and calculate the associated score. A correlation that may be used dictates that the greater the age of the existing subset of storage space, the greater the score is for the write request which targets the existing subset of storage space. This is because any request to overwrite data which has been written and unchanged for a long period of time is suspicious and may be an attempted ransomware attack that is overwriting the existing data with encrypted data.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method monitoring storage events of Ye in view of Hunt and Berler to include the method of an attribute comprises determining an age of other storage structures within the storage system, as taught by Petersen.
The motivation would have been to properly detect age of other storage structures in order to detect an attack in other storage structures.

As per claim 10, Ye in view of Hunt and Berler discloses:
The method of claim 1, further comprising: determining (Ye Col. 5 Lines 22-32) 

Ye in view of Hunt and Berler discloses:
determining an amount of undisturbed capacity of the storage system, the undisturbed capacity not affected by a plurality of requests that includes the request; and the determining that the request is indicative of the malicious action is further based on determining that the undisturbed capacity is less than a threshold 

Petersen discloses:
an attribute comprises determining an amount of undisturbed capacity of the storage system, the undisturbed capacity not affected by a plurality of requests that includes the request; and the determining that the request is indicative of the malicious action comprises determining that the undisturbed capacity is less than a threshold (para 0048 “In one embodiment, the controller 304 is configured to assign a write and overwrite rate (which may be a single overall write rate or separate rates depending on whether the request is to write new data to unoccupied space or overwrite existing data, hereinafter referred to as a "write rate") to each of the applications 306, thereby restricting the rate at which each application 306, such as the first application 316, is able to write data to the one or more media storage devices 302.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method monitoring storage events of Ye in view of Hunt and Berler to include the method of an attribute comprises determining an amount of undisturbed capacity of the storage system, as taught by Petersen.
The motivation would have been to properly determine an amount of undisturbed capacity in order to assess an attack in a storage structure.

6. 	Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Ye in view of Hunt, and further in view of Berler, and further in view of U.S. Publication No. 20190258426 hereinafter Roh.

As per claim 6, Ye in view of Hunt and Berler discloses:
The method of claim 1, further comprising: determining (Ye Col. 5 Lines 22-32)
Ye in view of Hunt and Berler does not disclose:
determining that the storage system receives a request to change an operation time delay associated with the storage system; and the determining that the request is indicative of the malicious action is further based on determining that the request to change the operation time delay is received by the storage system within a predetermined amount of time of the request

Roh not disclose:
determining that the storage system receives a request to change an operation time delay associated with the storage system; and the determining that the request is indicative of the malicious action is further based on determining that the request to change the operation time delay is received by the storage system within a predetermined amount of time of the request (para 0053 “When the access request has been received the preset number of times or more, the attack detector 620 determines that the received access request corresponds to a memory attack, and the data controller 610 may postpone processing the access request. On the other hand, when the access request has been received fewer than the preset number of times, the attack detector 620 determines that the received access request does not correspond to the memory attack, and the data controller 610 may process the access request without delay.” When certain number of request is received within a certain number of times, the request to change the time delay is initiated.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method monitoring storage events of Ye in view of Hunt and Berler to include the method of an attribute comprises determining that the storage system receives a request to change an operation time delay associated with storage structures within the storage system, as taught by Roh.
The motivation would have been to properly request a change in time delay operation in order to detect storage attacks.

7. 	Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Ye in view of Hunt, and further in view of Berler in view of U.S. Publication No. 20100058122 hereinafter Roh.

As per claim 18, Ye in view of Hunt and Berler discloses:
The method of claim 1, further comprising the detecting that the storage system receives the request (Ye Col. 5 Lines 22-32) 

Ye in view of Hunt and Berler does not disclose:
receiving, by way of a network, phone-home logs from the storage system; and extracting data representative of the request from the phone-home logs 

Compton discloses:
receiving, by way of a network, phone-home logs from the storage system and extracting data representative of the request from the phone-home logs (para 0038 “In one embodiment, the one or more data package sources 102 are configured to compile, collect, gather, transfer, or otherwise provide data packages. A data package, in one embodiment, may comprise a report, an update, a request, a status, or other data that is packaged for transmission over a network. A data package, in a further embodiment, may comprise a call home package that is transmitted from a remote system or device, such as the one or more data package sources 102, to a central system, device, repository, or the like. Data packages may comprise predefined formats to facilitate processing of the data packages by the data prioritization module 104. The one or more data package sources 102, in another embodiment, may collect data and assemble the data into a data package, such as a call home package.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method monitoring storage events of Ye in view of Hunt and Berler to include receiving, by way of a network, phone-home logs from the storage system and extracting data representative of the request from the phone-home logs, as taught by Compton.
The motivation would have been to monitor home call records to properly assess and classify data.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/           Primary Examiner, Art Unit 2499