Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
2.	Applicant’s arguments filed on 05/06/0222, with respect to 35 U.S.C 101 rejection of claims 1-20 have been fully considered and are persuasive.  The 101 rejection of claims 1-20 has been withdrawn. 

3.	Applicant’s arguments filed on 05/06/2022, with respect to the 35 U.S.C § 102(a)(1)/(a)(2) rejection of claims 1-4, 6-10, and 15-20 as being anticipated by U.S. Patent Application Publication No. 2018/0048658 (“Hittel’’) and dependent claims 5 and 11-14 were rejected as being unpatentable over the combination of Hittel and U.S. Patent Application Publication No. 2019/0109870 (“Bedhapudi’) have been fully considered. However, upon further consideration, a new ground(s) of rejection is made in view of amended claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
4.	Claims 1-4, 6-10 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 20180048658 hereinafter Hittel in view of U.S. Publication No. 20170331892 hereinafter Crofton.

As per claim 1, Hittel discloses:
A method (para 0024 “In accordance with an aspect of the present disclosure a method of detecting and responding to a data attack on a local file system of a local device synchronized to a file system of an independent data store is provided.”) comprising:
identifying, by a data protection system, a first attribute set associated with
a first file stored in a storage system (para 0063 “Inspective agent 194 leverages API connections to inspect content that is already resident in the cloud storage 142, 144, irrespective of when the content was uploaded or when it was created. In particular, the cloud storage 142, 144 is communicably interfaced with network 160 via an API through which content from the cloud storage 142, 144 and metadata about the content is observed, listened to, monitored, tracked, collected, aggregated, assembled, retrieved, etc. Such content is, for example, files, folders, documents, images, and videos and content metadata is, for example, file or folder level details like who the file or folder owner is, which cloud application is hosting the file or folder, when was the file or folder created, posted, edited, modified, an audit trail of user activity, version history, file type, and others. In other implementations, the collected content metadata provides details on file exposure, including whether files are private, shared internally, shared externally with specific people or shared publicly via a link. This metadata can be obtained for each file and/or content on the cloud storage 142, 144 based on information assembled from a file system list for the respective files and/or content and from file headers of the respective files and/or contents. Additionally, content properties of the payloads of the respective files can be obtained for the respective files and/or contents. The obtained metadata and the obtained content properties of the respective files stored on the cloud storage 142, 144 can be stored on a historical metadata or content properties store 196 as historical metadata and historical content properties .” para 0095 “In FIG. 2, a client, such as a computer 154 attempts to perform a transmission 202 by uploading/updating files 187 on the cloud storage 142 (e.g., an independent data store). Before the files 187 are transmitted/updated on the cloud storage 142, the active agent 192 will obtain current metadata and/or current content properties for the files 187 from the headers and/or payloads of the files 187.”);
determining, by the data protection system, that the first file is replaced in the storage system with a second file (para 0065 “Further, during or after the transmission of files and/or contents from management clients 130 and client devices 150 to the cloud storage 142, 144 via the network 160, the inspective agent 194 can (repeatedly) scan the files and/or contents or scan a list of the files and/or contents to identify files and/or contents in the file system of the cloud storage 142, 144 that have been updated within a determined time frame.” Para 0096 “The historical metadata or content properties store 196 stores the historical metadata and/or historical content properties 206 of the files. In an implementation, the historical metadata or content properties store 196 is maintained independently from and not under control of the file system and the historical metadata or content properties store 196 preserves generations of metadata describing files in the file system, such that prior generation metadata remains available after a file and file metadata have been updated in the file system and/or preserves generations of content properties describing files in the file system, such that prior generation content properties remains available after a file and file content properties have been updated in the file system. Accordingly, the historical metadata or content properties store 196 includes historical metadata and/or historical content properties 206 for each of the files stored on the cloud storage 142.” Para 0097 “The active agent 192 then compares the current metadata and/or current content properties to the historical metadata and/or historical content properties 206 to determine whether or not malware (e.g., malicious activity) is present on the files 187.”);
identifying, by the data protection system, a second attribute set associated with the second file (para 0101 “As discussed supra, the inspective agent 194 inspects content that resides in the cloud storage 142 after the content has been uploaded/updated on the cloud storage 142. Specifically, the inspective agent 194 detects malicious activity using historical metadata and/or historical content properties 306 stored on a historical metadata or content properties store 196 and using current metadata and/or current content properties 308 obtained from files stored on the cloud storage 142. In FIG. 3, a client, such as a computer 154 may update/transfer files to the cloud storage 142 via the network 160 and a mobile device 134 may update/transfer files to the cloud storage 142 via a network other than the network 160. One of the advantages of the inspective agent 194 is that malicious activity can detected by analyzing files updated and/or transferred to the cloud storage 142 outside of the network 160.”); and
determining, by the data protection system based on the determining
that the first file is replaced in the storage system with the second file and on one or more attributes in at least one of the first attribute set or the second attribute set, that data stored by the storage system is possibly being targeted by a security threat (para 0067 “Additionally, the inspective agent 194 can determine whether or not malicious activity is in process by analyzing the current metadata and/or current content properties of the respective files/contents and known patterns of malicious metadata and/or malicious content properties that indicate a known malicious file modification to identify a match between the current metadata and/or content properties of the respective files and the known patterns of malicious metadata and/or content properties that indicate the known malicious file modification.” Para 0068 “After determining that malicious activity is in process, the inspective agent 194 can invoke or facilitate a determination of a machine and/or user that initiated the malicious activity. Additionally, after determining the machine and/or user that initiated the malicious activity, the inspective agent 194 can invoke or facilitate an implementation of a response mechanism that restricts file modifications by the determined machine and/or user.”). 

Hittel does not discloses:
identifying, a first attribute set associated with a first file stored at a first location in a storage system
determining that the first file is deleted from the first location in response to one or more requests from a source and a second file is written to the storage system at a second location distinct from the first location in response to the one or more requests from the source; 
determining, by the data protection system and based at least on the determining that the first file is deleted from the first location and the second file is written to the second location, the file 

	Crofton discloses:
identifying, a first attribute set associated with a first file stored at a first location in a storage system (para 0189 “Upon identifying a new or modified file of a first file type, at step 1102, a synchronization client, aggregation provider, or storage manager may identify a first cloud storage provider having a policy matching the first file type, the policy indicating that the cloud storage provider will perform additional processing of the file and/or generate updated metadata for the file.”)
determining that the first file is deleted from the first location in response to one or more requests from a source and a second file is written to the storage system at a second location distinct from the first location in response to the one or more requests from the source (para 0191 “At step 1108, in some implementations, the client device may select a second cloud storage provider for long term storage of the file, using any of the methods discussed above in connection with FIGS. 4A-5D. The client device may transmit the file to the selected second cloud storage provider. As discussed above, in some implementations, this may comprise moving the file from a first monitored folder corresponding to the first cloud storage provider to a second monitored folder corresponding to the second cloud storage provider. Similarly, at step 1110, the client device may transmit a command to delete the file to the first cloud storage provider. In some implementations, this may be triggered as a result of moving the file from the first monitored folder.”); 
determining, by the data protection system and based at least on the determining that the first file is deleted from the first location and the second file is written to the second location, the file is replaced (para 0188 “As discussed above, in some implementations, metadata may be generated for files provided to a first cloud storage provider. In other implementations, a cloud storage provider may replace a file, such as replacing a low bitrate audio file with a high bitrate audio file. In still other implementations, the cloud storage provider may modify a file, such as performing processing on the file (e.g. normalization of audio files, removal of “red eye” from photos or automatic white balancing or modifications of color, brightness, and contrast, etc.). In yet still other implementations, the cloud storage provider may perform analysis of files and return other metadata representative of a subset of the files, such as identifying all photos in a collection including photos of a specific person. Accordingly, generation of metadata may also include generating, modifying, replacing, or otherwise altering a file, group of files, information about the files or group of files, or other such steps.” para 0204 “ The method further includes selecting, by the storage manager responsive to a storage policy associated with the client device, a second cloud storage provider; transmitting, by the storage manager to the client device, an identification of the second cloud storage provider, receipt of the identification of the second cloud storage provider triggering the client device to transmit the first file to the second cloud storage provider; and transmitting, by the storage manager to the first cloud storage provider, a request to delete the first file.” The file is modified, deleted from the first location and the modified file (second file) to the second folder. Furthermore, account identifiers and a matching policy further identify that the file has been replaced.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention method of detecting and responding to a data attack on a local file system of a local device synchronized to a file system of an independent data store of Hittel to include the method of determining that the first file is deleted from the first location in response to one or more requests from a source and a second file is written to the storage system at a second location distinct from the first location in response to the one or more requests from the source, as taught by Crofton.
The motivation would have been properly analyze a file that is deleted and replace in order to properly monitor file activity.

	 As per claim 2, Hittel in view of Crofton discloses:
The method of claim 1, wherein the determining that the data stored by the storage system is possibly being targeted by the security threat includes: determining that an attribute in the second attribute set associated with the second file satisfies an attribute threshold (Hittel para 0091, 0127 and 0156).

As per claim 3, Hittel in view of Crofton discloses:
The method of claim 1, wherein the determining that the data stored by the storage system is possibly being targeted by the security threat includes: determining a difference between a first attribute in the first attribute set associated with the first file and a second attribute in the second attribute set associated with the second file; and determining that the difference between the first attribute and the second attribute satisfies a difference threshold (Hittel para 0065, 0066, 0178, and 0219).

As per claim 4, Hittel in view of Crofton discloses:
The method of claim 1, wherein: the one or more attributes in at least one of the first attribute set or the second attribute set includes one or more of a file size, a file format, a compressibility ratio, or a bit pattern of the first file or the second file (Hittel para 0080 and 0177).

As per claim 6, Hittel in view of Crofton discloses:
The method of claim 1, wherein: the first attribute set associated with the first file includes a source of the first file; the second attribute set associated with the second file includes a source of the second file; and the determining that the data stored by the storage system is possibly being targeted by the security threat includes determining that the source of the second file is different from the source of the first file (Hittel para 0063, 0065, and 0172).

As per claim 7, Hittel in view of Crofton discloses:
The method of claim 1, wherein: the second attribute set associated with the second file includes a source of the second file; and the determining that the data stored by the storage system is possibly being targeted by the security threat includes one or more of: determining that the source of the second file is associated with an abnormal pattern; or determining that the source of the second file has been previously associated with one or more security threats against the storage system (Hittel para 0066, 0067, 0080, and 0091).

As per claim 8, Hittel in view of Crofton discloses:
The method of claim 7, wherein the determining that the source of the second file is associated with the abnormal pattern includes: determining that the source of the second file is a source for more than a predetermined threshold number of file replacement requests with respect to the storage system during a predetermined time period (Hittel para 0065, 0066, 0090, and 0091).

As per claim 9, Hittel in view of Crofton discloses:
The method of claim 1, further comprising: performing, by the data protection system in response to determining that the data stored by the storage system is possibly being targeted by the security threat, a remedial action with respect to the storage system (Hittel para 0169 and 0179).

As per claim 10, Hittel in view of Crofton discloses:
The method of claim 9, wherein the performing the remedial action with respect to the storage system includes: directing the storage system to generate a recovery dataset for the data stored by the storage system (Hittel para 0169 and 0173). 

As per claim 15, the implementation of the method of claim 1 will execute the system of claim 15. The claim is analyzed with respect to claim 1. 

As per claim 16, the claim is analyzed with respect to claim 2. 

As per claim 17, the claim is analyzed with respect to claim 3. 

As per claim 18, the claim is analyzed with respect to claim 6. 

As per claim 19, the claim is analyzed with respect to claim 7. 

As per claim 20, the implementation of the method of claim 1 will execute the non-transitory computer-readable medium (Hittel in view of Crofton paragraph 0200) of claim 20. The claim is analyzed with respect to claim 1.

5. 	Claims 5 and 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over Hittel in view of Crofton in view of U.S. 20190109870 hereinafter Bedhapudi.

As per claim 5, Hittel in view of Crofton discloses:
The method of claim 1, wherein: the determining that the first file is
replaced with the second file includes determining that the second file is renamed
(Hittel para 0066, 0177, and 0182).

Hittel in view of Crofton does not disclose:
second file is renamed from a temporary name of the second file to a name of the first file; and the determining that the data stored by the storage system is possibly being targeted by the security threat is based on at least one of the temporary name of the second file or a difference between the temporary name of the second file and the name of the first file 

Bedhapudi discloses:
second file is renamed from a temporary name of the second file to a name of the first file; and the determining that the data stored by the storage system is possibly being targeted by the security threat is based on at least one of the temporary name of the second file or a difference between the temporary name of the second file and the name of the first file (para 0301 “Another type of ransomware may encrypt the data of an original file to a temporary file. After the ransomware finishes encrypting the original file, the ransomware may delete the original file and keep only the temporary file. In some cases, the ransomware may further rename the temporary file such that the temporary file has the file name of the original file.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention method of detecting and responding to a data attack on a local file system of a local device synchronized to a file system of an independent data store of Hittel in view of Crofton to include second file is renamed from a temporary name of the second file to a name of the first file; and the determining that the data stored by the storage system is possibly being
targeted by the security threat is based on at least one of the temporary name of the second file or a difference between the temporary name of the second file and the name of the first file, as taught by Bedhapudi.
The motivation would have been properly analyze the naming of a file to determine whether there is a possible attack. 

As per claim 11, Hittel in view of Crofton discloses:
The method of claim 1, wherein the determining that the first file is replaced with the second file (Hittel para 0065, 0096 and 0097) 

Hittel in view of Crofton does not disclose:
determining that the first file is included in a first set of files deleted from a first location within the storage system after the first set of files has been stored at the first location for longer than a predetermined amount of time; determining that the second file is included in a second set of files written to a second location within the storage system; and determining that the second set of files is related to the first set of files 

Bedhapudi discloses:
determining that the first file is included in a first set of files deleted from a first location within the storage system after the first set of files has been stored at the first location for longer than a predetermined amount of time (para 0079 “Primary data 112 is generally stored on primary storage device(s) 104 and is
organized via a file system operating on the client computing device 102. Thus, client computing device(s) 102 and corresponding applications 110 may create, access, modify, write, delete, and otherwise use primary data 112. Primary data 112 is generally in the native format of the source application 110. Primary data 112 is an initial or first stored body of data generated by the source application 110. Primary data 112 in some cases is created substantially directly from data generated by the corresponding source application 110. It can be useful in performing certain tasks to organize primary data 112 into units of different granularities. In general, primary data 112 can include files, directories, file system volumes, data blocks, extents, or any other hierarchies or organizations of data objects.” Para 0080 “Metadata generally includes information about data objects and/or characteristics associated with the data objects. For simplicity herein, it is to be understood that, unless expressly stated otherwise, any reference to primary data 112 generally also includes its associated metadata, but references to metadata generally do not include the primary data. Metadata can include, without limitation, one or more of the following: the data owner (e.g., the client or user that generates the data), the last modified time (e.g., the time of the most recent modification of the data object), a data object name (e.g., a file name), a data object size (e.g., a number of bytes of data), information about the content (e.g., an indication as to the existence of a particular search term), user-supplied tags, to/from information for email (e.g., an email sender, recipient, etc.), creation date, file type (e.g., format or application type), last accessed time, application type (e.g., type of application that generated the data object), location/network (e.g., a current, past or future location of the data object and network pathways to/from the data object), geographic location (e.g., GPS coordinates), frequency of change (e.g., a period in which the data object is modified), business unit (e.g., a group or department that generates, manages or is otherwise associated with the data object), aging information (e.g., a schedule, such as a time period, in which the data object is migrated to secondary or long term storage.” Para 0084 “Primary data 112 stored on primary storage devices 104 may be compromised in some cases, such as when an employee deliberately or accidentally deletes or overwrites primary data 112.”)
determining that the second file is included in a second set of files written to a second location within the storage system; and determining that the second set of files is related to the first set of files (para 0084 “Accordingly, system 100 includes one or more secondary storage computing devices 106 and one or more secondary storage devices 108 configured to create and store one or more secondary copies 116 of primary data 112 including its associated metadata. The secondary storage computing devices 106 and the secondary storage devices 108 may be referred to as secondary storage subsystem 118.”) 
Therefore, it would have been obvious to one of ordinary skill in the art
before the effective filing date of the claimed invention method of detecting and responding to a data attack on a local file system of a local device synchronized to a file system of an independent data store of Hittel in view of Crofton to include determining that the first file is included in a first set of files deleted from a first location within the storage system after the first set of files has been stored at the first location for longer than a predetermined amount of time; determining that the second file is included in a second set of files written to a second location within the storage system; and determining that the second set of files is related to the first set of files, as taught by Bedhapudi.
The motivation would have been determine the location and modification of data of first and second files to properly analyze whether there is a possible attack within a storage system.

As per claim 12, Hittel in view of Crofton and Bedhapudi discloses:
The method of claim 11, wherein the determining that the second set of files is related to the first set of files includes: determining that the second set of files has a total number of files that is within a predetermined amount of a total number of files included in the first set of files (Hittel in view of Crofton para 0066, 0132, 0138 and 0177).

As per claim 13, Hittel in view of Crofton and Bedhapudi discloses:
The method of claim 11, wherein the determining that the second set of files is related to the first set of files includes: determining that the second set of files has an overall compressibility that is less than an overall compressibility of the first set of files (Bedhapudi para 0190, The motivation would have been to properly identify the difference from between first and second files).

As per claim 14, Hittel in view of Crofton and Bedhapudi discloses:
The method of claim 11, wherein the determining that the second set of files is related to the first set of files includes: determining that a read operation that reads the first set of files from the storage system is performed at a first time; and determining that a write operation that writes the second set of files to the storage system is performed at a second time subsequent to the first time (Bedhapudi para 0276 “Indeed, the secondary storage subsystem 218 in such environments can be treated simply as a read/write NFS target for primary storage subsystem 217, without the need for information management software to be installed on client computing devices 202. As one example, an enterprise implementing a cloud production computing environment can add VM client computing devices 202 without installing and configuring specialized information management software on these VMs. Rather, backups and restores are achieved transparently, where the new VMs simply write to and read from the designated NFS path.” Para 0278 “The illustrated system 200 includes a grid 245 of media agents 244 logically organized into a control tier 231 and a secondary or storage tier 233. Media agents assigned to the storage tier 233 can be configured to manage a secondary storage pool 208 as a deduplication store, and be configured to receive client write and read requests from the primary storage subsystem 217, and direct those requests to the secondary tier 233 for servicing.” The motivation would have been to properly read data from a primary storage and write data in a secondary storage).




Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2499