Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
2.	Applicant’s arguments filed on 06/08/2022, with respect to the 35 U.S.C. § 102(a)(1)/(a)(2) rejection of claims 1-8 and 10-20 were rejected under as being anticipated by U.S. Patent Application Publication No. 2018/0054454 (“Astigarraga’) have been fully considered. However, upon further consideration, a new ground(s) of rejection is made in view of amended claims.

3.	Applicant’s arguments filed on 06/08/2022, with respect to 35 U.S.C. 101 rejection of claims 1-20 have been fully considered and are persuasive.  The 101 rejection of claims 1-20 has been withdrawn. 

Claim Rejections - 35 USC § 103
4.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
5.	Claims 1-7 10-17, 19 and 20 are rejected under 35 U.S.C. 103 as being anticipated by U.S. Publication No. 20180054454 hereinafter Astigarraga in view of U.S. Publication No. 20190130097 hereinafter Berler.

As per claim 1, Astigarraga discloses:
A method (para 0003 “A computer-implemented method according to one embodiment includes identifying a cloud computing environment, establishing a baseline associated with input and output requests within the cloud computing environment, monitoring activity associated with the cloud computing environment, comparing the activity to the baseline, and performing one or more actions, based on the comparing.”) comprising:
identifying, by a data protection system, one or more input operations and one or more output operations performed between a source and a storage system (para 0003 “A computer-implemented method according to one embodiment includes identifying a cloud computing environment, establishing a baseline associated with input and output requests within the cloud computing environment, monitoring activity associated with the cloud computing environment, comparing the activity to the baseline, and performing one or more actions, based on the comparing.”):
identifying, by the data protection system, an anomaly in a relationship between the one or more input operations and the one or more output operations (para 0065 “In one embodiment, performing the one or more actions may include flagging the activity if the activity deviates from the baseline by more than a predetermined amount. For example, the activity may be flagged as an anomaly if the activity deviates from the baseline by more than a predetermined amount. For instance, the activity may include a downloading of an abnormally large volume of data from one or more storage devices of the cloud computing environment, an uploading of a large volume of write data in an abnormal pattern or to an abnormal location within the cloud computing environment, etc.”
and determining, by the data protection system based on the identifying of the anomaly, that the storage system is possibly being targeted by a security threat (Para 0066 “Further, in one embodiment, performing the one or more actions may include examining the activity if the activity is flagged as an anomaly. For example, examining the activity may include comparing the activity to one or more predetermined security threat criteria. For instance, the security threat criteria may include user-submitted criteria indicative of a security threat, criteria indicative of a threat that was developed based on previous monitoring of the cloud computing environment (e.g., before the current activity is monitored), etc.”).

Astigarraga does not disclose:
 identifying an anomaly comprising determining that each output operation initiated by a source is followed by an input operation initiated by the source within a threshold amount of time

	Berler discloses:
identifying an anomaly comprising determining that each output operation initiated by a source is followed by an input operation initiated by the source within a threshold amount of time (para 0023 “Furthermore, the anti-ransomware module may be configured to monitor read and/or write accesses to the NVM with the same LBA ranges. The anti-ransomware module may identify historical norms, patterns, and/or anomalies of read and/or write access to the NVM. For example, if a read and later write accesses to the same LBA ranges is detected, this may be activity indicative of ransomware. In some instances, anomalous timelines of read and/or write access may be activity indicative of ransomware. For example, if a LBA range has been historically accessed once per day or less, frequent accesses over a short time period may be activity indicative of ransomware.” Para 0032 “The anti-ransomware module 150 may contain values for the pre-defined threshold value and/or a listing of abnormal read-write patterns. The values and/or listing may be included in firmware and stored on the data storage device 120. The values and/or listing may be updatable. For example, firmware updates for the data storage device 120 may update the pre-defined threshold values and/or listing of abnormal read-write patterns. As another example, the data storage device 120 may log entropy values and/or read-write patterns during periods of normal use. The log may define statistical boundaries for entropy values and/or read-write patterns deemed to be normal. Any read-write pattern outside of the statistical boundaries may be deemed to be abnormal, and thereby included in the listing. As another example, a user of the data storage device 120 may be able to update the pre-defined threshold values and/or listing of abnormal read-write patterns. In some embodiments, security settings may be included on the data storage device restricting the circumstances under which the pre-defined threshold values and/or listing of abnormal read-write patterns may be updated. In some embodiments, the security settings may be updatable. In some embodiments, the anti-ransomware module may include policy settings, for example what action to take in the event of detection of a suspected ransomware attack. In some embodiments, the policy settings may be updatable. In some embodiments, the pre-defined threshold values, listing of abnormal read-write patterns, security settings, and/or policy settings may be updated by a combination of one or more of stored firmware, updatable firmware, logged usage, statistical boundaries, user updates, and security settings restrictions.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of establishing a baseline associated with input and output requests within the cloud computing environment of Astigarraga to include identifying an anomaly comprising determining that each output operation initiated by a source is followed by an input operation initiated by the source within a threshold amount of time, as taught by Berler.
The motivation would have  provide an improved ransomware detector and method of detecting ransomware in a data storage device based on read and write patterns .

As per claim 2, Astigarraga in view of Berler discloses:
The method of claim 1, wherein the identifying of the anomaly in the relationship between the one or more input operations and the one or more output operations further comprises: identifying a timing between the one or more input operations and the one or more output operations; and determining, based on the timing, that the one or more input operations and the one or more output operations are correlated. (Astigarraga para 0057 and 0058).

As per claim 3, Astigarraga in view of Berler discloses:
The method of claim 1, wherein the identifying of the anomaly in the relationship between the one or more input operations and the one or more output operations further comprises determining that the one or more input operations and the one or more output operations are performed in accordance with an identifiable pattern (Astigarraga para 0056, 0059 and 0062).

As per claim 4, Astigarraga in view of Berler discloses:
The method of claim 3, wherein the determining that the one or more input operations and the one or more output operations are performed in accordance with the identifiable pattern further comprises determining that the one or more input operations and the one or more output operations progress through sequentially numbered logical storage units of a storage structure within the storage system (Astigarraga para 0058, 0060 0062, 0065, and 0067).

As per claim 5, Astigarraga in view of Berler discloses:
The method of claim 4, wherein the sequentially numbered logical storage units comprise sectors of the storage structure (Astigarraga para 0073, 0074, and 0078).

As per claim 6, Astigarraga in view of Berler discloses:
The method of claim 3, wherein the determining that the one or more input operations and the one or more output operations are performed in accordance with the identifiable pattern comprises determining that the one or more input operations and the one or more output operations are continuous from a beginning of a partition within a storage structure of the storage system (Astigarraga para 0073, 0074, and 0078). 

As per claim 7, Astigarraga in view of Berler discloses:

The method of claim 1, wherein the identifying of the anomaly in the relationship between the one or more input operations and the one or more output operations further comprises: determining that the one or more output operations include read operations that cause data stored by the storage system for more than a predetermined amount of time to be transmitted from the storage system to the source; identifying a total amount of the data transmitted from the storage system to the source; determining that the one or more input operations include write operations that write new data to the source; and determining that a total amount of the new data is within a threshold amount of the total amount of the data transmitted from the storage system to the source (Astigarraga para 0056-0065).

As per claim 10, Astigarraga in view of Berler discloses:
The method of claim 7, wherein the identifying of the anomaly in the relationship between the one or more input operations and the one or more output operations further comprises determining that each data instance included in the data transmitted from the storage system to the source is only transmitted one time to the source (Astigarraga para 0061, 0067, 0068, 0073, 0074, and 0078).

As per claim 11, Astigarraga in view of Berler discloses:
The method of claim 1, further comprising performing, by the data protection system in response to the determining that the storage system is possibly being targeted by the security threat, a remedial action with respect to the storage system (Astigarraga para 0066).

As per claim 12, the implementation of the method of claim 1 will execute the system of claim 12. The claim is analyzed with respect to claim 1.

As per claim 13, the claim is analyzed with respect to claim 2.

As per claim 14, the claim is analyzed with respect to claim 3.

As per claim 15, the claim is analyzed with respect to claim 4.

As per claim 16, the claim is analyzed with respect to claim 6.

As per claim 17, the claim is analyzed with respect to claim 7.

As per claim 19, the claim is analyzed with respect to claim 10.

As per claim 20, the implementation of the method of claim 1 will
execute the non-transitory computer-readable medium (paragraph 0084) of
claim 20. The claim is analyzed with respect to claim 1.


As per claim 21, Astigarraga in view of Berler discloses:
The non-transitory computer-readable medium of claim 20, wherein the identifying of the anomaly in the relationship between the one or more input operations and the one or more output operations further comprises: identifying a timing between the one or more input operations and the one or more output operations; and determining, based on the timing, that the one or more input operations and the one or more output operations are correlated (Berler para 0023 and 0032, the motivation would have  provide an improved ransomware detector and method of detecting ransomware in a data storage device based on read and write patterns).

As per claim 22, Astigarraga in view of Berler discloses:
The non-transitory computer-readable medium of claim 20, wherein the identifying of the anomaly in the relationship between the one or more input operations and the one or more output operations further comprises determining that the one or more input operations and the one or more output operations are performed in accordance with an identifiable pattern (Berler para 0023 and 0032, the motivation would have  provide an improved ransomware detector and method of detecting ransomware in a data storage device based on read and write patterns).

6. 	Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Astigarraga in view of Berler, and further in view of U.S. Publication No. 20130036465 hereinafter Chuan.

As per claim 9, Astigarraga in view of Berler discloses:
The method of claim 7, wherein the identifying of the anomaly in the relationship between the one or more input operations and the one or more output operations (Astigarraga para 0056-0065)

Astigarraga in view of Berler does not disclose:
determining that a data transmitted from a storage system to a source has not been read from the storage system for more than a threshold amount of time prior to the read operations being performed 

Chuan discloses:
determining that a data transmitted from a storage system to a source has not been read from the storage system for more than a threshold amount of time prior to the read operations being performed (para 0027 “The tracking data store may comprise storage locations for storing tracking data for a predetermined number of outstanding read requests issued by the second read request path. Typically, maintenance of an entry in the tracking store requires a certain area and processing overhead, and so to conserve area and power consumption, the tracking data store would store entries for a limited number of outstanding read requests. The present technique recognizes that it is likely that only a few read requests at a time would be latency-critical and so it will often be sufficient for the second read request path to handle only a predetermined number of outstanding read requests at a time. On the rare occasions when the tracking data store becomes fully occupied with tracking data for the predetermined number of outstanding read requests which have not yet completed, then the second read request path may prevent further read requests entering the second read request path until one of the predetermined number of outstanding read requests has completed. This maintains security of the read data because read requests are prevented from being issued using the second read request path if it would not be possible to store the tracking data indicating whether a security violation occurred for that request.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of establishing a baseline associated with input and output requests within the cloud computing environment of Astigarraga in view of Berler to include determining that a data transmitted from a storage system to a source has not been read from the storage system for more than a threshold amount of time prior to the read operations being performed, as taught by Chuan.
The motivation would have to motivation would have been to maintain security of the read data since read requests are prevented from being issued using a second read request path thereby whether indicating a security violation occurred for that request (Chuan paragraph 0027).

	Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2499