Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
	This application claims a benefit of, and priority to, India Provisional Patent Application No. 201741014571, filed Apr. 25, 2017, the contents of which is incorporated by reference in its entirety.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 06/10/2022 has been entered.
DETAILED ACTION
This Office Action is in response to a Request for Continued Examination (RCE) application received on 06/10/2022. In the RCE, applicant has amended claims 1, 3-4, 7, 10, 13-14 and 17. Claims 2, 8-9, 15-16 and 20-23 remain original. Claims 5-6, 11-12 and 18-19 have been cancelled. Claims 24-26 have been added as new claims. 
For this Office Action, claims 1-4, 7-10, 13-17 and 20-26 have been received for consideration and have been examined. 


Response to Arguments
Rejection under 35 USC § 103
Applicant’s arguments, filed 06/10/2022, with respect to the rejection(s) of claim(s) under 35 USC § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of new amendments to the claims.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1-4, 7-10, 13-17 and 20-26 are rejected under 35 U.S.C. 112(a), as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention.
Independent claims 1, 7 and 14 recite:
“perform, for each of the identified files that is encrypted, a journal walk to restore an unencrypted version of the identified file, wherein the instruction to perform the journal walk comprises instructions to: determine an entropy score for a first data block in a previous backup in a first backup cycle; retrieve, responsive to the entropy score for the first data block in the first backup cycle exceeding the threshold, a second data block in a second backup cycle occurred early than the first backup cycle; determine an entropy score of the second data block to determine that the second data block is not encrypted; and restore the unencrypted version of the identified file using the second data block”.
Specification discloses:
“In one embodiment, the entropy detection module 330 generates the entropy score restoring the block of the file in the portion of the backup. The entropy detection module 330 obtains the entropy score for the block of the file. If an anomaly corresponding to a large number of file activities (e.g., addition, removal, modification) is flagged in a portion of the backup, the entropy detection module 330 performs a journal walk (i.e., restoring one or more backup cycles) to identify files updated or added in the given restore point. For each file object found, the entropy detection module 330 restores a block (e.g., 1 Kilobytes) of file, and obtains an entropy of the block to determine whether the block may include ransomwares. Entropy represents a randomness of distribution of bits for a given block of file. Ransomware using block cipher algorithms results in uniform distribution of byte octets (0, 255) with a higher entropy compared to general application file formats having a higher density of ASCII and text separators” [0050],
However, the specification is silent about ‘’a journal walk comprises instructions to perform the steps of determine an entropy score of first data block, retrieve, a second data block in a second backup cycle occurred early than the first backup cycle, determine an entropy score of the second data block and restore the unencrypted version of the identified file using the second data block”. 
Examiner consulted the specification for the support ‘restore unencrypted version of identified file’ and noticed that only [0059] in light of FIG. 6A briefly discloses about computing entropy score for an unencrypted file which fails to elaborate the above mentioned phrase or any of the amended claim language. 
Examiner also consulted paragraphs [0043-0055] as per applicant’s remarks filed on 06/10/2022 for the support of the amended language, however, examiner could not find support for the amended language performing the above mentioned steps. 
Dependent claims inherit this deficiency. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 7-9, and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Cobb et al., (WO2007022392A2) in view of Humphries et al., (US20170359370A1) in view of Gu et al., (US20170223031A1) and further in view of Muttik et al., (US20180173874A1).
Regarding claim 1, Cobb discloses:
A server manager, comprising: 
a server interface configured to: 
retrieve, from a storage device, a plurality of backups stored by a client device ([0021] FIG. 2 broadly illustrates a process flow in one embodiment. In step 100, it is determined whether the object is infected with malware. This determination may be made through analysis of the object, system behavior, and backup copies, or through an antivirus or malware scan, as described herein. If the object is infected, a backup copy of the object is located in the backup, step 102); and 
the plurality of backups (i.e., backup copies) correspond to images to the client device in a plurality of backup cycles ([0019] In an embodiment, there may be a plurality of backup copies. It should be understood that "backup copies" may be used to refer to complete backup copies as well as updates that are taken periodically and can be combined with backup copies to permit restoration to a point in time); 
a detection module communicatively coupled to the server interface and comprising memory configured to store computer code that comprises instructions, wherein the instructions, when executed by one or more processors, cause the one or more processors to: 
generate a standard pattern of file activities of the client device for a time period that encompasses a plurality of prior backups (i.e. backup copies; see [0025]) in previous backup cycles (See Cobb [0025-0029] for Size trending and monitoring object size changes which is construed as additions, deletions, and modifications of files) ([0025] Methods for detection and analysis of anomalous changes in objects may range from monitoring object size changes to performing pattern recognition on the objects' binary patterns. This may be done before or after the objects have been accessed. Based on this evaluation, the system can identify a point in time that most likely represents the infection point; [0026] FIG. 3 is a flowchart illustrating a process in one embodiment for identifying anomalies. In step 200, the backup copies of an object are analyzed to determine a pattern (including trends) of usage, size, etc. as described herein. Step 202 involves monitoring for deviations from the pattern, and the deviation may be flagged as an anomaly possibly indicating infection by malware, step 204; [0029] Size trending may in one embodiment be used as an indicator of an anomalous change. If an object's size is expected to remain static throughout its life, then a change in the object's size would be a clear indication that some anomaly has occurred. In an example, an object is suspected of being infected and has a current size of 256KB. A search through the backup pool shows that object's size is consistent with all the versions retained within the backup pool. However, when the search is extended into the archive, it is found that until 120 days ago, all versions were 168KB and have been 168KB since the object was originally archived. This would lead to the conclusion that the 168KB version of the object is a version that is free of the infection. If the 168KB version appeared six months ago and that prior to that time the object was 80KB, this would imply that the 80KB object is the clean version and not the 168KB object. The more versions that are kept in the backup, the greater the chance that a clean version will be found - if one ever existed.
Examiner’s Note: comparison of object size [which is interpreted as comparison of file size to see if file size has been increased, decreased or stayed the same] by Cobb reference and deviation from the expected file size is construed as indicating that there could potentially be malicious activity in the files), 
the standard pattern being generated by analyzing the plurality of prior backups ([0026] FIG. 3 is a flowchart illustrating a process in one embodiment for identifying anomalies. In step 200, the backup copies of an object are analyzed to determine a pattern (including trends) of usage, size, etc. as described herein); 
perform a statistical behavior analysis (See [0026] i.e. identify deviations from the pattern) on a particular backup based on the standard pattern identified in the previous backup cycles, the statistical behavior analysis identifying a portion (i.e. an object or portions of the object; See [0039]) of the particular backup corresponding to a statistical anomaly different from the standard 2pattern, the statistical anomaly corresponding to an abnormal file activity ([0015] any system in which files or objects are stored, either on a local or remote device, and the device may comprise one or more storage devices; [0026] Step 202 involves monitoring for deviations from the pattern, and the deviation may be flagged as an anomaly possibly indicating infection by malware, step 204. The point in time at which the infection occurred may be determined, step 206; [0030] Dynamically changing objects will likely have changing sizes in normal use. By analyzing object size changes over time, a trend of the size changes can be established. Using this information and applying statistical analysis, objects with anomalous changes may be identified, and the point of infection may be determined; [0039] Pattern recognition and/or trend analysis may be performed on an object or portions of the object, and the results compared with the backup to identify deviations; [0040] In an embodiment, the system may determine, measure, and track the degree of changes within the object. For example, an object may be expected to change in random amounts in various locations, but there are portions of the object that are never expected to change);
identify, for the portion of the particular backup corresponding to the statistical anomaly, one or more files that are new or modified ([0026] FIG. 3 is a flowchart illustrating a process in one embodiment for identifying anomalies. In step 200, the backup copies of an object are analyzed to determine a pattern (including trends) of usage, size, etc. as described herein; [0027] In an embodiment, an access log analysis may be performed to search for anomalous activity … Other cases might involve a multitude of reads of objects by an application or user other than the one that created or modified them, giving rise to a suspicion that malware is attempting to steal data and transmit it over the network to a remote location; [0030] Dynamically changing objects will likely have changing sizes in normal use. By analyzing object size changes over time, a trend of the size changes can be established. Using this information and applying statistical analysis, objects with anomalous changes may be identified, and the point of infection may be determined).
Cobb fails to disclose: 
the portion of the particular backup comprising a plurality of files and the statistical behavior analysis comprising determining a number of additions, deletions, and modifications of the plurality of files associated with the portion of the particular backup, identify, for the portion of the particular backup corresponding to the statistical anomaly, one or more files that are new or modified; a ransomware detection module; transmit information describing whether the backup includes the ransomware for display on the client device; generate, for each of the one or more identified files that is new or modified, an entropy score, the entropy score representing a randomness of a distribution of bits in each of the identified files; determine, for each of the one or more identified files whose entropy score exceeds a threshold, whether header information of the identified file has been changed by comparing the header information to corresponding header information in one of the prior backups; determine, for each of the one or more identified files that is new or modified, the identified file is encrypted if the identified file has the entropy 3score that exceeds the threshold and the header information of the identified file has been changed; and perform, for each of the identified files that is encrypted, a journal walk to restore an unencrypted version of the identified file, wherein the instruction to perform the journal walk comprises instructions to: determine an entropy score for a first data block in a previous backup in a first backup cycle; retrieve, responsive to the entropy score for the first data block in the first backup cycle exceeding the threshold, a second data block in a second backup cycle occurred early than the first backup cycle; determine an entropy score of the second data block to determine that the second data block is not encrypted; and restore the unencrypted version of the identified file using the second data block. 
However, Humphries discloses:
	the portion of the particular backup comprising a plurality of files and the statistical behavior analysis comprising determining a number of additions, deletions, and modifications of the plurality of files [number of additions, deletions, and modifications to the total number] associated with the portion of the particular backup ([0007] The indication of compromise may include a pattern of access to the files indicating potentially malicious automated file access. The indication of compromise may include access to a number of files beyond a predetermined threshold within a predetermined time interval; [0116] An indication of compromise (IOC) monitor 421 may be provided to instrument the endpoint 402 so that any observable actions by or involving various objects 418 can be detected … For example, for files or the like, an API for a file system may be used to detect reads, writes, and other access (e.g., open, read, write, move, copy, delete, etc.), and may be configured to report to or otherwise initiate monitoring of the action taken with the file through the file system).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Cobb reference and monitor and analyze patterns of access to files, as disclosed by Humphries. 
The motivation to monitor and analyze patterns of access to number of files is to detect unusual pattern of file access to detect malicious activities such as malware (See Humphries: [0007]).
The combination of Cobb and Humphries fails to disclose:
a ransomware detection module; transmit information describing whether the backup includes the ransomware for display on the client device; generate, for each of the one or more identified files that is new or modified, an entropy score, the entropy score representing a randomness of a distribution of bits in each of the identified files; determine, for each of the one or more identified files whose entropy score exceeds a threshold, whether header information of the identified file has been changed by comparing the header information to corresponding header information in one of the prior backups; determine, for each of the one or more identified files that is new or modified, the identified file is encrypted if the identified file has the entropy score that exceeds the threshold and the header information of the identified file has been changed; and perform, for each of the identified files that is encrypted, a journal walk to restore an unencrypted version of the identified file, wherein the instruction to perform the journal walk comprises instructions to: determine an entropy score for a first data block in a previous backup in a first backup cycle; retrieve, responsive to the entropy score for the first data block in the first backup cycle exceeding the threshold, a second data block in a second backup cycle occurred early than the first backup cycle; determine an entropy score of the second data block to determine that the second data block is not encrypted; and restore the unencrypted version of the identified file using the second data block.
However, Gu discloses:
	a ransomware detection module (i.e. Detection Module 104; See FIG. 1) ([0025] As illustrated in FIG. 1, exemplary system 100 may include one or more modules 102 for performing one or more tasks. For example, and as will be explained in greater detail below, exemplary system 100 may include a detection module 104 that may detect, during a file backup process, an anomaly that may be potentially indicative of ransomware on a computing device); 
transmit information describing whether the backup includes the ransomware for display [i.e. generating confirmation of ransomware in the backup on client computing device 202 construes as displaying the confirmation of the existence of ransomware; See FIG. 2] on the client device ([0032] Computing device 202 may then receive a confirmation of ransomware 212 from antivirus software 210; [0044] Confirmation module 108 may confirm that anomaly 208 is indicative of ransomware in a variety of ways. In some examples, confirmation module 108 may identify ransomware on computing device 202. In the example of FIG. 2, confirmation module 108 may receive confirmation of ransomware 212 from antivirus software 210 installed on computing device 202. In this example, antivirus software 210 may identify the ransomware on computing device 202 and send information about the ransomware to confirmation module 108. In other examples, confirmation module 108 may receive confirmation of ransomware 212 from a user of computing device 202);
generate, for each of the one or more identified files that is new or modified, an entropy score (i.e. generating a high and low entropy is construed as generating an entropy score; See FIG. 4), the entropy score representing a randomness of a distribution of bits in each of the identified files ([0038] Detection module 104 may detect anomaly 208 in a variety of ways. In some examples, detection module 104 may detect anomaly 208 by determining that the content of at least one file in the file backup process is anomalous … The term “file entropy,” as used herein, generally refers to a measure of randomness of the data values within a file);
determine, for each of the one or more identified files whose entropy score exceeds a threshold (i.e. entropy score is high; See FIG. 4), whether header information of the identified file has been changed by comparing the header information to corresponding header information in one of the prior backups ([0038] Detection module 104 may detect anomaly 208 in a variety of ways. In some examples, detection module 104 may detect anomaly 208 by determining that the content of at least one file in the file backup process is anomalous; [0039] For example, as shown in FIG. 4, detection module 104 may detect information about a file 400(1), a file 400(2), and a file 400(3) during the file backup process. In this example, file 400(2) may have a file header (e.g., “text header”) that does not match the file's type (e.g., “image”). In addition, file 400(2) may have a high file entropy value);
determine, for each of the one or more identified files that is new or modified, the identified file is encrypted if the identified file has the entropy score that exceeds the threshold and the header information of the identified file has been changed ([0038] Detection module 104 may detect anomaly 208 in a variety of ways. In some examples, detection module 104 may detect anomaly 208 by determining that the content of at least one file in the file backup process is anomalous. In these examples, determining that the content of the file is anomalous may include determining that the content of the file does not match the file's type, determining that the file's header does not match the file's type, and/or determining that the file's entropy is higher than expected. The term “file entropy,” as used herein, generally refers to a measure of randomness of the data values within a file. In particular, encrypted files may seem more random and have a higher value of file entropy than unencrypted versions of the files; [0039] For example, as shown in FIG. 4, detection module 104 may detect information about a file 400(1), a file 400(2), and a file 400(3) during the file backup process. In this example, file 400(2) may have a file header (e.g., “text header”) that does not match the file's type (e.g., “image”). In addition, file 400(2) may have a high file entropy value. Thus, detection module 104 may detect anomaly 208 based on the anomalous content of file 400(2)).
It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Cobb and Humphries references and include a ransomware detection module on the client device to detect presence of ransomware in the backup process, as disclosed by Gu.
The motivation to include the ransomware detection module on the client device is to prevent ransomware from affecting file backup copies (See Gu: [0031]).
The combination of Cobb, Humphries and Gu fails to disclose:
	perform, for each of the identified files that is encrypted, a journal walk to restore an unencrypted version of the identified file, wherein the instruction to perform the journal walk comprises instructions to: determine an entropy score for a first data block in a previous backup in a first backup cycle; retrieve, responsive to the entropy score for the first data block in the first backup cycle exceeding the threshold, a second data block in a second backup cycle occurred early than the first backup cycle; determine an entropy score of the second data block to determine that the second data block is not encrypted; and restore the unencrypted version of the identified file using the second data block.
However, Muttik discloses:
	perform, for each of the identified files that is encrypted, a journal walk (i.e., steps presented through [0108-0113] in light of FIG. 5’s ‘backup chain 502’ are construed as a walk/process of determining an encrypted backup due to malware attack and retrieving the good backup version which is not encrypted by the malware) to restore an unencrypted version of the identified file, wherein the instruction to perform the journal walk comprises instructions to: 
determine a reputation [an entropy] for a first data block in a previous backup in a first backup cycle ([0112] discloses in Fig. 5 ‘version 4’ of backup chain 502 which is construed as ‘first data block of first backup cycle’ indicates potential malware/ransomware attack with low reputation of 60 due to number and/or type of changes exceed a delta threshold in files; [0041-0042] discloses that reputation of the backup version is based on context which includes entropy);
retrieve, responsive to the reputation [the entropy] for the first data block in the first backup cycle exceeding the threshold, a second data block in a second backup cycle occurred early than the first backup cycle ([0112] discloses in Fig. 5 ‘version 3’ of backup chain 502 which is construed as ‘second data block of second backup cycle’ indicates a last good version of the backup before the malware/ransomware attack occurred; [0041-0042] discloses that reputation of the backup version is based on context which includes entropy); 
determine a reputation [an entropy] of the second data block to determine that the second data block is not encrypted ([0113] discloses when a user tries to access a file in version 4 and discovers that ransomware has encrypted the data in that version, then version 3 (which has a very high reputation) may be flagged as a likely candidate for the last good version of those files; [0041-0042] discloses that reputation of the backup versions is based on context which includes entropy); and 
restore the unencrypted version of the identified file using the second data block ([0113] discloses that the user can retrieve version 3, inspect the files, and upon determining that the files are the desired good files, restore the files from version 3 which is interpreted as files in version 3 of the backup are unencrypted files).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Cobb, Humphries and Gu references and include a method of creating intelligent backup with plurality of versions, as disclosed by Muttik.
The motivation to create backup with plurality of versions is to be able to retrieve a good and usable version of the backup in case there is malicious activity occurred on current version of the backup which makes the current version of backup unfeasible. 
Regarding claim 2, the combination of Cobb, Humphries, Gu and Muttik discloses:
	The server manager of claim 1, further comprising:
a backup log module communicatively coupled to the ransomware detection module and configured to store file activities comprising additions, deletions, and modifications of the files of the particular backup (Cobb: [0023] The antivirus program and/or backup program may be part of the program executing on computer system 10, another program, or executing on another computer system; [0027] an access log analysis may be performed to search for anomalous activity. Reads and writes may be logged together with a timestamp and optionally with other metadata such as source ID, application ED, user, etc.).
Regarding claim 3, the combination of Cobb, Humphries, Gu and Muttik discloses:
The server manager of claim 1, wherein the instruction to generate the standard pattern of file activities comprises instructions to:
analyze the file activities of the particular backup of the files of the backup for the time period to generate a histogram; and generate the standard pattern of file activities based on the histogram, the standard pattern of file activities is further defined by at least a ratio of a number of the plurality of files modified to a total number of the plurality of files in the portion of the particular backup (Cobb: [0034] At step 320, entropy is calculated within Sample blocks inside of the Source. An embodiment consistent with the invention starts at the beginning of the Source and takes as input a Sample-sized continuous portion of the block (See FIG. 4). For purposes of this discussion, it is assumed that the Source is X bytes in size, and the Sample is Y bytes in size where Y is no larger than 0.5*X. The entropy calculation is applied to this Sample; [0035] At step 330, the Sample window is advanced forward such that it overlaps with the previous Sample (See FIG. 4). In an exemplary embodiment, this overlap window is 25%. In other words, the first Sample measured entropy between bytes 0 and Y inside of the Source. The second Sample measures entropy between bytes 0.75(Y) and (0.75(Y)+Y). Much like alphabet and Sample size selection, this is tunable; [0036] At step 340, the Sample window is advanced repeatedly, as in step 330 above, until the end of the data block is reached and there is an entropy value for every Sample window (See FIG. 4). At step 350, a statistical method is applied across the entropy values from all of the Samples. In an exemplary embodiment consistent with the present invention, the mean and standard deviation of all entropy values from all Samples is calculated. The aggregate entropy for the Source (hereafter Sample Source Entropy) is then derived by taking the mean and adding one standard deviation to it; [0037] At step 360, the Sample Source Entropy and Global Entropy are compared to a threshold (See FIG. 4)).
Regarding claim 7, Cobb discloses:
A method for detecting malware, comprising:
retrieving, from a storage device, a plurality of backups stored by a client device ([0021] FIG. 2 broadly illustrates a process flow in one embodiment. In step 100, it is determined whether the object is infected with malware. This determination may be made through analysis of the object, system behavior, and backup copies, or through an antivirus or malware scan, as described herein. If the object is infected, a backup copy of the object is located in the backup, step 102),
the plurality of backups (i.e., backup copies) correspond to images to the client device in a plurality of backup cycles ([0019] In an embodiment, there may be a plurality of backup copies. It should be understood that "backup copies" may be used to refer to complete backup copies as well as updates that are taken periodically and can be combined with backup copies to permit restoration to a point in time); 
a detection module communicatively coupled to the server interface and comprising memory configured to store computer code that comprises instructions, wherein the instructions, when executed by one or more processors, cause the one or more processors to: 
generate a standard pattern of file activities of the client device for a time period that encompasses a plurality of prior backups (i.e. backup copies; see [0025]) in previous backup cycles (See Cobb [0025-0029] for Size trending and monitoring object size changes which is construed as additions, deletions, and modifications of files) ([0025] Methods for detection and analysis of anomalous changes in objects may range from monitoring object size changes to performing pattern recognition on the objects' binary patterns. This may be done before or after the objects have been accessed. Based on this evaluation, the system can identify a point in time that most likely represents the infection point; [0026] FIG. 3 is a flowchart illustrating a process in one embodiment for identifying anomalies. In step 200, the backup copies of an object are analyzed to determine a pattern (including trends) of usage, size, etc. as described herein. Step 202 involves monitoring for deviations from the pattern, and the deviation may be flagged as an anomaly possibly indicating infection by malware, step 204; [0029] Size trending may in one embodiment be used as an indicator of an anomalous change. If an object's size is expected to remain static throughout its life, then a change in the object's size would be a clear indication that some anomaly has occurred. In an example, an object is suspected of being infected and has a current size of 256KB. A search through the backup pool shows that object's size is consistent with all the versions retained within the backup pool. However, when the search is extended into the archive, it is found that until 120 days ago, all versions were 168KB and have been 168KB since the object was originally archived. This would lead to the conclusion that the 168KB version of the object is a version that is free of the infection. If the 168KB version appeared six months ago and that prior to that time the object was 80KB, this would imply that the 80KB object is the clean version and not the 168KB object. The more versions that are kept in the backup, the greater the chance that a clean version will be found - if one ever existed.
Examiner’s Note: comparison of object size [which is interpreted as comparison of file size to see if file size has been increased, decreased or stayed the same] by Cobb reference and deviation from the expected file size is construed as indicating that there could potentially be malicious activity in the files), 
the standard pattern being generated by analyzing the plurality of prior backups ([0026] FIG. 3 is a flowchart illustrating a process in one embodiment for identifying anomalies. In step 200, the backup copies of an object are analyzed to determine a pattern (including trends) of usage, size, etc. as described herein); 
perform a statistical behavior analysis (See [0026] i.e. identify deviations from the pattern) on a particular backup based on the standard pattern identified in the previous backup cycles, the statistical behavior analysis identifying a portion (i.e. an object or portions of the object; See [0039]) of the particular backup corresponding to a statistical anomaly different from the standard 2pattern, the statistical anomaly corresponding to an abnormal file activity ([0015] any system in which files or objects are stored, either on a local or remote device, and the device may comprise one or more storage devices; [0026] Step 202 involves monitoring for deviations from the pattern, and the deviation may be flagged as an anomaly possibly indicating infection by malware, step 204. The point in time at which the infection occurred may be determined, step 206; [0030] Dynamically changing objects will likely have changing sizes in normal use. By analyzing object size changes over time, a trend of the size changes can be established. Using this information and applying statistical analysis, objects with anomalous changes may be identified, and the point of infection may be determined; [0039] Pattern recognition and/or trend analysis may be performed on an object or portions of the object, and the results compared with the backup to identify deviations; [0040] In an embodiment, the system may determine, measure, and track the degree of changes within the object. For example, an object may be expected to change in random amounts in various locations, but there are portions of the object that are never expected to change);
identify, for the portion of the particular backup corresponding to the statistical anomaly, one or more files that are new or modified ([0026] FIG. 3 is a flowchart illustrating a process in one embodiment for identifying anomalies. In step 200, the backup copies of an object are analyzed to determine a pattern (including trends) of usage, size, etc. as described herein; [0027] In an embodiment, an access log analysis may be performed to search for anomalous activity … Other cases might involve a multitude of reads of objects by an application or user other than the one that created or modified them, giving rise to a suspicion that malware is attempting to steal data and transmit it over the network to a remote location; [0030] Dynamically changing objects will likely have changing sizes in normal use. By analyzing object size changes over time, a trend of the size changes can be established. Using this information and applying statistical analysis, objects with anomalous changes may be identified, and the point of infection may be determined).
Cobb fails to disclose: 
the portion of the particular backup comprising a plurality of files and the statistical behavior analysis comprising determining a number of additions, deletions, and modifications of the plurality of files associated with the portion of the particular backup, identify, for the portion of the particular backup corresponding to the statistical anomaly, one or more files that are new or modified; a ransomware detection module; transmit information describing whether the backup includes the ransomware for display on the client device; generate, for each of the one or more identified files that is new or modified, an entropy score, the entropy score representing a randomness of a distribution of bits in each of the identified files; determine, for each of the one or more identified files whose entropy score exceeds a threshold, whether header information of the identified file has been changed by comparing the header information to corresponding header information in one of the prior backups; determine, for each of the one or more identified files that is new or modified, the identified file is encrypted if the identified file has the entropy 3score that exceeds the threshold and the header information of the identified file has been changed; and perform, for each of the identified files that is encrypted, a journal walk to restore an unencrypted version of the identified file, wherein the instruction to perform the journal walk comprises instructions to: determine an entropy score for a first data block in a previous backup in a first backup cycle; retrieve, responsive to the entropy score for the first data block in the first backup cycle exceeding the threshold, a second data block in a second backup cycle occurred early than the first backup cycle; determine an entropy score of the second data block to determine that the second data block is not encrypted; and restore the unencrypted version of the identified file using the second data block. 
However, Humphries discloses:
	the portion of the particular backup comprising a plurality of files and the statistical behavior analysis comprising determining a number of additions, deletions, and modifications of the plurality of files [number of additions, deletions, and modifications to the total number] associated with the portion of the particular backup ([0007] The indication of compromise may include a pattern of access to the files indicating potentially malicious automated file access. The indication of compromise may include access to a number of files beyond a predetermined threshold within a predetermined time interval; [0116] An indication of compromise (IOC) monitor 421 may be provided to instrument the endpoint 402 so that any observable actions by or involving various objects 418 can be detected … For example, for files or the like, an API for a file system may be used to detect reads, writes, and other access (e.g., open, read, write, move, copy, delete, etc.), and may be configured to report to or otherwise initiate monitoring of the action taken with the file through the file system).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Cobb reference and monitor and analyze patterns of access to files, as disclosed by Humphries. 
The motivation to monitor and analyze patterns of access to number of files is to detect unusual pattern of file access to detect malicious activities such as malware (See Humphries: [0007]).
The combination of Cobb and Humphries fails to disclose:
a ransomware detection module; transmit information describing whether the backup includes the ransomware for display on the client device; generate, for each of the one or more identified files that is new or modified, an entropy score, the entropy score representing a randomness of a distribution of bits in each of the identified files; determine, for each of the one or more identified files whose entropy score exceeds a threshold, whether header information of the identified file has been changed by comparing the header information to corresponding header information in one of the prior backups; determine, for each of the one or more identified files that is new or modified, the identified file is encrypted if the identified file has the entropy score that exceeds the threshold and the header information of the identified file has been changed; and perform, for each of the identified files that is encrypted, a journal walk to restore an unencrypted version of the identified file, wherein the instruction to perform the journal walk comprises instructions to: determine an entropy score for a first data block in a previous backup in a first backup cycle; retrieve, responsive to the entropy score for the first data block in the first backup cycle exceeding the threshold, a second data block in a second backup cycle occurred early than the first backup cycle; determine an entropy score of the second data block to determine that the second data block is not encrypted; and restore the unencrypted version of the identified file using the second data block.
However, Gu discloses:
	a ransomware detection module (i.e. Detection Module 104; See FIG. 1) ([0025] As illustrated in FIG. 1, exemplary system 100 may include one or more modules 102 for performing one or more tasks. For example, and as will be explained in greater detail below, exemplary system 100 may include a detection module 104 that may detect, during a file backup process, an anomaly that may be potentially indicative of ransomware on a computing device); 
transmit information describing whether the backup includes the ransomware for display [i.e. generating confirmation of ransomware in the backup on client computing device 202 construes as displaying the confirmation of the existence of ransomware; See FIG. 2] on the client device ([0032] Computing device 202 may then receive a confirmation of ransomware 212 from antivirus software 210; [0044] Confirmation module 108 may confirm that anomaly 208 is indicative of ransomware in a variety of ways. In some examples, confirmation module 108 may identify ransomware on computing device 202. In the example of FIG. 2, confirmation module 108 may receive confirmation of ransomware 212 from antivirus software 210 installed on computing device 202. In this example, antivirus software 210 may identify the ransomware on computing device 202 and send information about the ransomware to confirmation module 108. In other examples, confirmation module 108 may receive confirmation of ransomware 212 from a user of computing device 202);
generate, for each of the one or more identified files that is new or modified, an entropy score (i.e. generating a high and low entropy is construed as generating an entropy score; See FIG. 4), the entropy score representing a randomness of a distribution of bits in each of the identified files ([0038] Detection module 104 may detect anomaly 208 in a variety of ways. In some examples, detection module 104 may detect anomaly 208 by determining that the content of at least one file in the file backup process is anomalous … The term “file entropy,” as used herein, generally refers to a measure of randomness of the data values within a file);
determine, for each of the one or more identified files whose entropy score exceeds a threshold (i.e. entropy score is high; See FIG. 4), whether header information of the identified file has been changed by comparing the header information to corresponding header information in one of the prior backups ([0038] Detection module 104 may detect anomaly 208 in a variety of ways. In some examples, detection module 104 may detect anomaly 208 by determining that the content of at least one file in the file backup process is anomalous; [0039] For example, as shown in FIG. 4, detection module 104 may detect information about a file 400(1), a file 400(2), and a file 400(3) during the file backup process. In this example, file 400(2) may have a file header (e.g., “text header”) that does not match the file's type (e.g., “image”). In addition, file 400(2) may have a high file entropy value);
determine, for each of the one or more identified files that is new or modified, the identified file is encrypted if the identified file has the entropy score that exceeds the threshold and the header information of the identified file has been changed ([0038] Detection module 104 may detect anomaly 208 in a variety of ways. In some examples, detection module 104 may detect anomaly 208 by determining that the content of at least one file in the file backup process is anomalous. In these examples, determining that the content of the file is anomalous may include determining that the content of the file does not match the file's type, determining that the file's header does not match the file's type, and/or determining that the file's entropy is higher than expected. The term “file entropy,” as used herein, generally refers to a measure of randomness of the data values within a file. In particular, encrypted files may seem more random and have a higher value of file entropy than unencrypted versions of the files; [0039] For example, as shown in FIG. 4, detection module 104 may detect information about a file 400(1), a file 400(2), and a file 400(3) during the file backup process. In this example, file 400(2) may have a file header (e.g., “text header”) that does not match the file's type (e.g., “image”). In addition, file 400(2) may have a high file entropy value. Thus, detection module 104 may detect anomaly 208 based on the anomalous content of file 400(2)).
It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Cobb and Humphries references and include a ransomware detection module on the client device to detect presence of ransomware in the backup process, as disclosed by Gu.
The motivation to include the ransomware detection module on the client device is to prevent ransomware from affecting file backup copies (See Gu: [0031]).
The combination of Cobb, Humphries and Gu fails to disclose:
	perform, for each of the identified files that is encrypted, a journal walk to restore an unencrypted version of the identified file, wherein the instruction to perform the journal walk comprises instructions to: determine an entropy score for a first data block in a previous backup in a first backup cycle; retrieve, responsive to the entropy score for the first data block in the first backup cycle exceeding the threshold, a second data block in a second backup cycle occurred early than the first backup cycle; determine an entropy score of the second data block to determine that the second data block is not encrypted; and restore the unencrypted version of the identified file using the second data block.
However, Muttik discloses:
	perform, for each of the identified files that is encrypted, a journal walk (i.e., steps presented through [0108-0113] in light of FIG. 5’s ‘backup chain 502’ are construed as a walk/process of determining an encrypted backup due to malware attack and retrieving the good backup version which is not encrypted by the malware) to restore an unencrypted version of the identified file, wherein the instruction to perform the journal walk comprises instructions to: 
determine a reputation [an entropy] for a first data block in a previous backup in a first backup cycle ([0112] discloses in Fig. 5 ‘version 4’ of backup chain 502 which is construed as ‘first data block of first backup cycle’ indicates potential malware/ransomware attack with low reputation of 60 due to number and/or type of changes exceed a delta threshold in files; [0041-0042] discloses that reputation of the backup version is based on context which includes entropy);
retrieve, responsive to the reputation [the entropy] for the first data block in the first backup cycle exceeding the threshold, a second data block in a second backup cycle occurred early than the first backup cycle ([0112] discloses in Fig. 5 ‘version 3’ of backup chain 502 which is construed as ‘second data block of second backup cycle’ indicates a last good version of the backup before the malware/ransomware attack occurred; [0041-0042] discloses that reputation of the backup version is based on context which includes entropy); 
determine a reputation [an entropy] of the second data block to determine that the second data block is not encrypted ([0113] discloses when a user tries to access a file in version 4 and discovers that ransomware has encrypted the data in that version, then version 3 (which has a very high reputation) may be flagged as a likely candidate for the last good version of those files; [0041-0042] discloses that reputation of the backup versions is based on context which includes entropy); and 
restore the unencrypted version of the identified file using the second data block ([0113] discloses that the user can retrieve version 3, inspect the files, and upon determining that the files are the desired good files, restore the files from version 3 which is interpreted as files in version 3 of the backup are unencrypted files).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Cobb, Humphries and Gu references and include a method of creating intelligent backup with plurality of versions, as disclosed by Muttik.
The motivation to create backup with plurality of versions is to be able to retrieve a good and usable version of the backup in case there is malicious activity occurred on current version of the backup which makes the current version of backup unfeasible. 
Regarding claim 8, the combination of Cobb, Humphries, Gu and Muttik discloses:
The method of claim 7, further comprising: 
storing file activities comprising the additions, deletions, and modifications of the files of the particular backup (Cobb: [0023] The antivirus program and/or backup program may be part of the program executing on computer system 10, another program, or executing on another computer system; [0027] an access log analysis may be performed to search for anomalous activity. Reads and writes may be logged together with a timestamp and optionally with other metadata such as source ID, application ED, user, etc.); and 
retrieving the file activities for generating the standard pattern of file activities (Cobb: [0023] When anomalous behavior by a computer system is detected, that system's logs may be used to identify the objects that initiated or are in some way related to the anomalous behavior, such as objects altered by execution of the malware. The inspection may be performed on native system log files, agent- based files (which may be more robust), or other data sources (such as processes) that may provide information helpful to identifying the object(s) relevant to the anomalous behavior. After identifying a relevant object, the system may search for copies of the object, to find a version of the object that is not infected with the presumed malware).
Regarding claim 9, the combination of Cobb, Humphries, Gu and Muttik discloses:
The method of claim 7, wherein the generating of the standard pattern of file activities comprises: 
analyzing the file activities of the files of the particular backup  for the time period to generate a histogram; and generating the standard pattern of file activities based on the histogram, the standard pattern of file activities is further defined by at least a ratio of a number of the plurality of files modified to the total number of the plurality of files in the portion of the particular backup (Cobb: [0034] At step 320, entropy is calculated within Sample blocks inside of the Source. An embodiment consistent with the invention starts at the beginning of the Source and takes as input a Sample-sized continuous portion of the block (See FIG. 4). For purposes of this discussion, it is assumed that the Source is X bytes in size, and the Sample is Y bytes in size where Y is no larger than 0.5*X. The entropy calculation is applied to this Sample; [0035] At step 330, the Sample window is advanced forward such that it overlaps with the previous Sample (See FIG. 4). In an exemplary embodiment, this overlap window is 25%. In other words, the first Sample measured entropy between bytes 0 and Y inside of the Source. The second Sample measures entropy between bytes 0.75(Y) and (0.75(Y)+Y). Much like alphabet and Sample size selection, this is tunable; [0036] At step 340, the Sample window is advanced repeatedly, as in step 330 above, until the end of the data block is reached and there is an entropy value for every Sample window (See FIG. 4). At step 350, a statistical method is applied across the entropy values from all of the Samples. In an exemplary embodiment consistent with the present invention, the mean and standard deviation of all entropy values from all Samples is calculated. The aggregate entropy for the Source (hereafter Sample Source Entropy) is then derived by taking the mean and adding one standard deviation to it; [0037] At step 360, the Sample Source Entropy and Global Entropy are compared to a threshold (See FIG. 4)).
Regarding claim 14, Cobb discloses:
A computer program product for detecting malware, the computer program product comprising a computer-readable non-transitory storage medium comprising computer program code executable by a computer processor, the program code when executed causes the computer processor to at least:
retrieve, from a storage device, a plurality of backups stored by a client device ([0021] FIG. 2 broadly illustrates a process flow in one embodiment. In step 100, it is determined whether the object is infected with malware. This determination may be made through analysis of the object, system behavior, and backup copies, or through an antivirus or malware scan, as described herein. If the object is infected, a backup copy of the object is located in the backup, step 102); and 
the plurality of backups (i.e., backup copies) correspond to images to the client device in a plurality of backup cycles ([0019] In an embodiment, there may be a plurality of backup copies. It should be understood that "backup copies" may be used to refer to complete backup copies as well as updates that are taken periodically and can be combined with backup copies to permit restoration to a point in time); 
a detection module communicatively coupled to the server interface and comprising memory configured to store computer code that comprises instructions, wherein the instructions, when executed by one or more processors, cause the one or more processors to: 
generate a standard pattern of file activities of the client device for a time period that encompasses a plurality of prior backups (i.e. backup copies; see [0025]) in previous backup cycles (See Cobb [0025-0029] for Size trending and monitoring object size changes which is construed as additions, deletions, and modifications of files) ([0025] Methods for detection and analysis of anomalous changes in objects may range from monitoring object size changes to performing pattern recognition on the objects' binary patterns. This may be done before or after the objects have been accessed. Based on this evaluation, the system can identify a point in time that most likely represents the infection point; [0026] FIG. 3 is a flowchart illustrating a process in one embodiment for identifying anomalies. In step 200, the backup copies of an object are analyzed to determine a pattern (including trends) of usage, size, etc. as described herein. Step 202 involves monitoring for deviations from the pattern, and the deviation may be flagged as an anomaly possibly indicating infection by malware, step 204; [0029] Size trending may in one embodiment be used as an indicator of an anomalous change. If an object's size is expected to remain static throughout its life, then a change in the object's size would be a clear indication that some anomaly has occurred. In an example, an object is suspected of being infected and has a current size of 256KB. A search through the backup pool shows that object's size is consistent with all the versions retained within the backup pool. However, when the search is extended into the archive, it is found that until 120 days ago, all versions were 168KB and have been 168KB since the object was originally archived. This would lead to the conclusion that the 168KB version of the object is a version that is free of the infection. If the 168KB version appeared six months ago and that prior to that time the object was 80KB, this would imply that the 80KB object is the clean version and not the 168KB object. The more versions that are kept in the backup, the greater the chance that a clean version will be found - if one ever existed.
Examiner’s Note: comparison of object size [which is interpreted as comparison of file size to see if file size has been increased, decreased or stayed the same] by Cobb reference and deviation from the expected file size is construed as indicating that there could potentially be malicious activity in the files), 
the standard pattern being generated by analyzing the plurality of prior backups ([0026] FIG. 3 is a flowchart illustrating a process in one embodiment for identifying anomalies. In step 200, the backup copies of an object are analyzed to determine a pattern (including trends) of usage, size, etc. as described herein); 
perform a statistical behavior analysis (See [0026] i.e. identify deviations from the pattern) on a particular backup based on the standard pattern identified in the previous backup cycles, the statistical behavior analysis identifying a portion (i.e. an object or portions of the object; See [0039]) of the particular backup corresponding to a statistical anomaly different from the standard 2pattern, the statistical anomaly corresponding to an abnormal file activity ([0015] any system in which files or objects are stored, either on a local or remote device, and the device may comprise one or more storage devices; [0026] Step 202 involves monitoring for deviations from the pattern, and the deviation may be flagged as an anomaly possibly indicating infection by malware, step 204. The point in time at which the infection occurred may be determined, step 206; [0030] Dynamically changing objects will likely have changing sizes in normal use. By analyzing object size changes over time, a trend of the size changes can be established. Using this information and applying statistical analysis, objects with anomalous changes may be identified, and the point of infection may be determined; [0039] Pattern recognition and/or trend analysis may be performed on an object or portions of the object, and the results compared with the backup to identify deviations; [0040] In an embodiment, the system may determine, measure, and track the degree of changes within the object. For example, an object may be expected to change in random amounts in various locations, but there are portions of the object that are never expected to change);
identify, for the portion of the particular backup corresponding to the statistical anomaly, one or more files that are new or modified ([0026] FIG. 3 is a flowchart illustrating a process in one embodiment for identifying anomalies. In step 200, the backup copies of an object are analyzed to determine a pattern (including trends) of usage, size, etc. as described herein; [0027] In an embodiment, an access log analysis may be performed to search for anomalous activity … Other cases might involve a multitude of reads of objects by an application or user other than the one that created or modified them, giving rise to a suspicion that malware is attempting to steal data and transmit it over the network to a remote location; [0030] Dynamically changing objects will likely have changing sizes in normal use. By analyzing object size changes over time, a trend of the size changes can be established. Using this information and applying statistical analysis, objects with anomalous changes may be identified, and the point of infection may be determined).
Cobb fails to disclose: 
the portion of the particular backup comprising a plurality of files and the statistical behavior analysis comprising determining a number of additions, deletions, and modifications of the plurality of files associated with the portion of the particular backup, identify, for the portion of the particular backup corresponding to the statistical anomaly, one or more files that are new or modified; a ransomware detection module; transmit information describing whether the backup includes the ransomware for display on the client device; generate, for each of the one or more identified files that is new or modified, an entropy score, the entropy score representing a randomness of a distribution of bits in each of the identified files; determine, for each of the one or more identified files whose entropy score exceeds a threshold, whether header information of the identified file has been changed by comparing the header information to corresponding header information in one of the prior backups; determine, for each of the one or more identified files that is new or modified, the identified file is encrypted if the identified file has the entropy 3score that exceeds the threshold and the header information of the identified file has been changed; and perform, for each of the identified files that is encrypted, a journal walk to restore an unencrypted version of the identified file, wherein the instruction to perform the journal walk comprises instructions to: determine an entropy score for a first data block in a previous backup in a first backup cycle; retrieve, responsive to the entropy score for the first data block in the first backup cycle exceeding the threshold, a second data block in a second backup cycle occurred early than the first backup cycle; determine an entropy score of the second data block to determine that the second data block is not encrypted; and restore the unencrypted version of the identified file using the second data block. 
However, Humphries discloses:
	the portion of the particular backup comprising a plurality of files and the statistical behavior analysis comprising determining a number of additions, deletions, and modifications of the plurality of files [number of additions, deletions, and modifications to the total number] associated with the portion of the particular backup ([0007] The indication of compromise may include a pattern of access to the files indicating potentially malicious automated file access. The indication of compromise may include access to a number of files beyond a predetermined threshold within a predetermined time interval; [0116] An indication of compromise (IOC) monitor 421 may be provided to instrument the endpoint 402 so that any observable actions by or involving various objects 418 can be detected … For example, for files or the like, an API for a file system may be used to detect reads, writes, and other access (e.g., open, read, write, move, copy, delete, etc.), and may be configured to report to or otherwise initiate monitoring of the action taken with the file through the file system).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Cobb reference and monitor and analyze patterns of access to files, as disclosed by Humphries. 
The motivation to monitor and analyze patterns of access to number of files is to detect unusual pattern of file access to detect malicious activities such as malware (See Humphries: [0007]).
The combination of Cobb and Humphries fails to disclose:
a ransomware detection module; transmit information describing whether the backup includes the ransomware for display on the client device; generate, for each of the one or more identified files that is new or modified, an entropy score, the entropy score representing a randomness of a distribution of bits in each of the identified files; determine, for each of the one or more identified files whose entropy score exceeds a threshold, whether header information of the identified file has been changed by comparing the header information to corresponding header information in one of the prior backups; determine, for each of the one or more identified files that is new or modified, the identified file is encrypted if the identified file has the entropy score that exceeds the threshold and the header information of the identified file has been changed; and perform, for each of the identified files that is encrypted, a journal walk to restore an unencrypted version of the identified file, wherein the instruction to perform the journal walk comprises instructions to: determine an entropy score for a first data block in a previous backup in a first backup cycle; retrieve, responsive to the entropy score for the first data block in the first backup cycle exceeding the threshold, a second data block in a second backup cycle occurred early than the first backup cycle; determine an entropy score of the second data block to determine that the second data block is not encrypted; and restore the unencrypted version of the identified file using the second data block.
However, Gu discloses:
	a ransomware detection module (i.e. Detection Module 104; See FIG. 1) ([0025] As illustrated in FIG. 1, exemplary system 100 may include one or more modules 102 for performing one or more tasks. For example, and as will be explained in greater detail below, exemplary system 100 may include a detection module 104 that may detect, during a file backup process, an anomaly that may be potentially indicative of ransomware on a computing device); 
transmit information describing whether the backup includes the ransomware for display [i.e. generating confirmation of ransomware in the backup on client computing device 202 construes as displaying the confirmation of the existence of ransomware; See FIG. 2] on the client device ([0032] Computing device 202 may then receive a confirmation of ransomware 212 from antivirus software 210; [0044] Confirmation module 108 may confirm that anomaly 208 is indicative of ransomware in a variety of ways. In some examples, confirmation module 108 may identify ransomware on computing device 202. In the example of FIG. 2, confirmation module 108 may receive confirmation of ransomware 212 from antivirus software 210 installed on computing device 202. In this example, antivirus software 210 may identify the ransomware on computing device 202 and send information about the ransomware to confirmation module 108. In other examples, confirmation module 108 may receive confirmation of ransomware 212 from a user of computing device 202);
generate, for each of the one or more identified files that is new or modified, an entropy score (i.e. generating a high and low entropy is construed as generating an entropy score; See FIG. 4), the entropy score representing a randomness of a distribution of bits in each of the identified files ([0038] Detection module 104 may detect anomaly 208 in a variety of ways. In some examples, detection module 104 may detect anomaly 208 by determining that the content of at least one file in the file backup process is anomalous … The term “file entropy,” as used herein, generally refers to a measure of randomness of the data values within a file);
determine, for each of the one or more identified files whose entropy score exceeds a threshold (i.e. entropy score is high; See FIG. 4), whether header information of the identified file has been changed by comparing the header information to corresponding header information in one of the prior backups ([0038] Detection module 104 may detect anomaly 208 in a variety of ways. In some examples, detection module 104 may detect anomaly 208 by determining that the content of at least one file in the file backup process is anomalous; [0039] For example, as shown in FIG. 4, detection module 104 may detect information about a file 400(1), a file 400(2), and a file 400(3) during the file backup process. In this example, file 400(2) may have a file header (e.g., “text header”) that does not match the file's type (e.g., “image”). In addition, file 400(2) may have a high file entropy value);
determine, for each of the one or more identified files that is new or modified, the identified file is encrypted if the identified file has the entropy score that exceeds the threshold and the header information of the identified file has been changed ([0038] Detection module 104 may detect anomaly 208 in a variety of ways. In some examples, detection module 104 may detect anomaly 208 by determining that the content of at least one file in the file backup process is anomalous. In these examples, determining that the content of the file is anomalous may include determining that the content of the file does not match the file's type, determining that the file's header does not match the file's type, and/or determining that the file's entropy is higher than expected. The term “file entropy,” as used herein, generally refers to a measure of randomness of the data values within a file. In particular, encrypted files may seem more random and have a higher value of file entropy than unencrypted versions of the files; [0039] For example, as shown in FIG. 4, detection module 104 may detect information about a file 400(1), a file 400(2), and a file 400(3) during the file backup process. In this example, file 400(2) may have a file header (e.g., “text header”) that does not match the file's type (e.g., “image”). In addition, file 400(2) may have a high file entropy value. Thus, detection module 104 may detect anomaly 208 based on the anomalous content of file 400(2)).
It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Cobb and Humphries references and include a ransomware detection module on the client device to detect presence of ransomware in the backup process, as disclosed by Gu.
The motivation to include the ransomware detection module on the client device is to prevent ransomware from affecting file backup copies (See Gu: [0031]).
The combination of Cobb, Humphries and Gu fails to disclose:
	perform, for each of the identified files that is encrypted, a journal walk to restore an unencrypted version of the identified file, wherein the instruction to perform the journal walk comprises instructions to: determine an entropy score for a first data block in a previous backup in a first backup cycle; retrieve, responsive to the entropy score for the first data block in the first backup cycle exceeding the threshold, a second data block in a second backup cycle occurred early than the first backup cycle; determine an entropy score of the second data block to determine that the second data block is not encrypted; and restore the unencrypted version of the identified file using the second data block.
However, Muttik discloses:
	perform, for each of the identified files that is encrypted, a journal walk (i.e., steps presented through [0108-0113] in light of FIG. 5’s ‘backup chain 502’ are construed as a walk/process of determining an encrypted backup due to malware attack and retrieving the good backup version which is not encrypted by the malware) to restore an unencrypted version of the identified file, wherein the instruction to perform the journal walk comprises instructions to: 
determine a reputation [an entropy] for a first data block in a previous backup in a first backup cycle ([0112] discloses in Fig. 5 ‘version 4’ of backup chain 502 which is construed as ‘first data block of first backup cycle’ indicates potential malware/ransomware attack with low reputation of 60 due to number and/or type of changes exceed a delta threshold in files; [0041-0042] discloses that reputation of the backup version is based on context which includes entropy);
retrieve, responsive to the reputation [the entropy] for the first data block in the first backup cycle exceeding the threshold, a second data block in a second backup cycle occurred early than the first backup cycle ([0112] discloses in Fig. 5 ‘version 3’ of backup chain 502 which is construed as ‘second data block of second backup cycle’ indicates a last good version of the backup before the malware/ransomware attack occurred; [0041-0042] discloses that reputation of the backup version is based on context which includes entropy); 
determine a reputation [an entropy] of the second data block to determine that the second data block is not encrypted ([0113] discloses when a user tries to access a file in version 4 and discovers that ransomware has encrypted the data in that version, then version 3 (which has a very high reputation) may be flagged as a likely candidate for the last good version of those files; [0041-0042] discloses that reputation of the backup versions is based on context which includes entropy); and 
restore the unencrypted version of the identified file using the second data block ([0113] discloses that the user can retrieve version 3, inspect the files, and upon determining that the files are the desired good files, restore the files from version 3 which is interpreted as files in version 3 of the backup are unencrypted files).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Cobb, Humphries and Gu references and include a method of creating intelligent backup with plurality of versions, as disclosed by Muttik.
The motivation to create backup with plurality of versions is to be able to retrieve a good and usable version of the backup in case there is malicious activity occurred on current version of the backup which makes the current version of backup unfeasible. 
Regarding claim 15, the combination of Cobb, Humphries, Gu and Muttik discloses:
The computer program product of claim 14, further comprising computer program code that when executed by the computer processor causes the computer processor to: 
store file activities comprising the additions, deletions, and modifications of the files of the particular backup (Cobb: [0023] The antivirus program and/or backup program may be part of the program executing on computer system 10, another program, or executing on another computer system; [0027] an access log analysis may be performed to search for anomalous activity. Reads and writes may be logged together with a timestamp and optionally with other metadata such as source ID, application ED, user, etc.); and 
retrieve the file activities for generating the standard pattern of file activities (Cobb: [0023] When anomalous behavior by a computer system is detected, that system's logs may be used to identify the objects that initiated or are in some way related to the anomalous behavior, such as objects altered by execution of the malware. The inspection may be performed on native system log files, agent- based files (which may be more robust), or other data sources (such as processes) that may provide information helpful to identifying the object(s) relevant to the anomalous behavior. After identifying a relevant object, the system may search for copies of the object, to find a version of the object that is not infected with the presumed malware).
Regarding claim 16, the combination of Cobb, Humphries, Gu and Muttik discloses:
The computer program product of claim 14, wherein the program code to generate the standard pattern of file activities further comprises program code that when executed by the computer processor causes the computer processor to:
analyze the file activities of the backup of the files of the particular backup for the time period to generate a histogram; and generate the standard pattern of file activities based on the histogram, the standard pattern of file activities is further defined by at least a ratio of a number of the plurality of files modified to a total number of the plurality of files in the portion of the particular backup (Cobb: [0034] At step 320, entropy is calculated within Sample blocks inside of the Source. An embodiment consistent with the invention starts at the beginning of the Source and takes as input a Sample-sized continuous portion of the block (See FIG. 4). For purposes of this discussion, it is assumed that the Source is X bytes in size, and the Sample is Y bytes in size where Y is no larger than 0.5*X. The entropy calculation is applied to this Sample; [0035] At step 330, the Sample window is advanced forward such that it overlaps with the previous Sample (See FIG. 4). In an exemplary embodiment, this overlap window is 25%. In other words, the first Sample measured entropy between bytes 0 and Y inside of the Source. The second Sample measures entropy between bytes 0.75(Y) and (0.75(Y)+Y). Much like alphabet and Sample size selection, this is tunable; [0036] At step 340, the Sample window is advanced repeatedly, as in step 330 above, until the end of the data block is reached and there is an entropy value for every Sample window (See FIG. 4). At step 350, a statistical method is applied across the entropy values from all of the Samples. In an exemplary embodiment consistent with the present invention, the mean and standard deviation of all entropy values from all Samples is calculated. The aggregate entropy for the Source (hereafter Sample Source Entropy) is then derived by taking the mean and adding one standard deviation to it; [0037] At step 360, the Sample Source Entropy and Global Entropy are compared to a threshold (See FIG. 4)).


Claims 4, 10, 17 and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Cobb et al., (WO2007022392A2) in view of Humphries et al., (US20170359370A1) in view of Gu et al., (US20170223031A1) in view of Muttik et al., (US20180173874A1) and further in view of Weaver et al., (US10055582B1).
Regarding claim 4, the combination of Cobb, Humphries, Gu and Muttik discloses:
The server manager of claim 1, wherein identify the portion of the particular backup corresponding to the statistical anomaly (Cobb: [0015] any system in which files or objects are stored, either on a local or remote device, and the device may comprise one or more storage devices; [0026] Step 202 involves monitoring for deviations from the pattern, and the deviation may be flagged as an anomaly possibly indicating infection by malware, step 204. The point in time at which the infection occurred may be determined, step 206; [0030] Dynamically changing objects will likely have changing sizes in normal use. By analyzing object size changes over time, a trend of the size changes can be established. Using this information and applying statistical analysis, objects with anomalous changes may be identified, and the point of infection may be determined; [0039] Pattern recognition and/or trend analysis may be performed on an object or portions of the object, and the results compared with the backup to identify deviations; [0040] In an embodiment, the system may determine, measure, and track the degree of changes within the object. For example, an object may be expected to change in random amounts in various locations, but there are portions of the object that are never expected to change).
The combination of Cobb, Humphries, Gu and Muttik fails to disclose:
	generate an anomaly score that indicates a degree of anomalies of file activities; and determine that the file activities corresponds to the statistical anomaly, responsive to the anomaly score exceeding a second threshold.
However, Weaver discloses:
	generate an anomaly score that indicates a degree of anomalies of file activities (Col. 6, Line # 27-42; The ransomware detector 125 comprises a file analyzer 130, a file history database 132, a detection score generator 134 and an alert generator 136. The file analyzer 130 is configured to compare characteristics relating to a current state of the files with information stored in the file history database 132. For example, the file analyzer 130 in some embodiments inspects files as they are stored on the storage device 106 and/or by direct access inspection on the storage device 106. Analysis is then performed on each file by comparing a current state of the file to its history as maintained in the file history database 132. Additional or alternative information that can be used in the analysis includes characteristics of the file, such as metadata of the file or its corresponding directory, and its relationships to other files. Combined information for multiple files can also be used, such as overall file change rate for a designated set of files. The detection score generator 134 comprises a weighting module 140 for applying weights to respective comparison results from the file analyzer 130 in generating the detection score for the one or more sets of files); and
determine that the file activities corresponds to the statistical anomaly, responsive to the anomaly score exceeding a second threshold (Col. 6, Line # 42-45; The alert generator 136 is configured to generate an alert if the detection score for the one or more sets of files exceeds a specified threshold).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Cobb, Humphries, Gu and Muttik and include a ransomware detector in a security appliance, as disclosed by Weaver.
	The motivation to include the ransomware detector is to analyze files and compare characteristics relating to a current state of the files in a file history database to detect presence of ransomware (See Weaver: Abstract).
Regarding claim 10, the combination of Cobb, Humphries, Gu and Muttik discloses:
The method of claim 7, wherein identifying of the portion of the particular backup corresponding to the statistical anomaly (Cobb: [0015] any system in which files or objects are stored, either on a local or remote device, and the device may comprise one or more storage devices; [0026] Step 202 involves monitoring for deviations from the pattern, and the deviation may be flagged as an anomaly possibly indicating infection by malware, step 204. The point in time at which the infection occurred may be determined, step 206; [0030] Dynamically changing objects will likely have changing sizes in normal use. By analyzing object size changes over time, a trend of the size changes can be established. Using this information and applying statistical analysis, objects with anomalous changes may be identified, and the point of infection may be determined; [0039] Pattern recognition and/or trend analysis may be performed on an object or portions of the object, and the results compared with the backup to identify deviations; [0040] In an embodiment, the system may determine, measure, and track the degree of changes within the object. For example, an object may be expected to change in random amounts in various locations, but there are portions of the object that are never expected to change).
The combination of Cobb, Humphries, Gu and Muttik fails to disclose:
	generate an anomaly score that indicates a degree of anomalies of file activities; and determine that the file activities corresponds to the statistical anomaly, responsive to the anomaly score exceeding a second threshold.
However, Weaver discloses:
	generating an anomaly score that indicates a degree of anomalies of file activities (Col. 6, Line # 27-42; The ransomware detector 125 comprises a file analyzer 130, a file history database 132, a detection score generator 134 and an alert generator 136. The file analyzer 130 is configured to compare characteristics relating to a current state of the files with information stored in the file history database 132. For example, the file analyzer 130 in some embodiments inspects files as they are stored on the storage device 106 and/or by direct access inspection on the storage device 106. Analysis is then performed on each file by comparing a current state of the file to its history as maintained in the file history database 132. Additional or alternative information that can be used in the analysis includes characteristics of the file, such as metadata of the file or its corresponding directory, and its relationships to other files. Combined information for multiple files can also be used, such as overall file change rate for a designated set of files. The detection score generator 134 comprises a weighting module 140 for applying weights to respective comparison results from the file analyzer 130 in generating the detection score for the one or more sets of files); and
determining that the file activities corresponds to the statistical anomaly, responsive to the anomaly score exceeding a second threshold (Col. 6, Line # 42-45; The alert generator 136 is configured to generate an alert if the detection score for the one or more sets of files exceeds a specified threshold).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Cobb, Humphries, Gu and Muttik and include a ransomware detector in a security appliance, as disclosed by Weaver.
	The motivation to include the ransomware detector is to analyze files and compare characteristics relating to a current state of the files in a file history database to detect presence of ransomware (See Weaver: Abstract).
Regarding claim 17, the combination of Cobb, Humphries, Gu and Muttik discloses:
The computer program product of claim 14, wherein the program code to identify the portion of the particular backup corresponding to the statistical anomaly (Cobb: [0015] any system in which files or objects are stored, either on a local or remote device, and the device may comprise one or more storage devices; [0026] Step 202 involves monitoring for deviations from the pattern, and the deviation may be flagged as an anomaly possibly indicating infection by malware, step 204. The point in time at which the infection occurred may be determined, step 206; [0030] Dynamically changing objects will likely have changing sizes in normal use. By analyzing object size changes over time, a trend of the size changes can be established. Using this information and applying statistical analysis, objects with anomalous changes may be identified, and the point of infection may be determined; [0039] Pattern recognition and/or trend analysis may be performed on an object or portions of the object, and the results compared with the backup to identify deviations; [0040] In an embodiment, the system may determine, measure, and track the degree of changes within the object. For example, an object may be expected to change in random amounts in various locations, but there are portions of the object that are never expected to change).
The combination of Cobb, Humphries, Gu and Muttik fails to disclose:
	generate an anomaly score that indicates a degree of anomalies of file activities; and determine that the file activities corresponds to the statistical anomaly, responsive to the anomaly score exceeding a second threshold.
However, Weaver discloses:
	generate an anomaly score that indicates a degree of anomalies of file activities (Col. 6, Line # 27-42; The ransomware detector 125 comprises a file analyzer 130, a file history database 132, a detection score generator 134 and an alert generator 136. The file analyzer 130 is configured to compare characteristics relating to a current state of the files with information stored in the file history database 132. For example, the file analyzer 130 in some embodiments inspects files as they are stored on the storage device 106 and/or by direct access inspection on the storage device 106. Analysis is then performed on each file by comparing a current state of the file to its history as maintained in the file history database 132. Additional or alternative information that can be used in the analysis includes characteristics of the file, such as metadata of the file or its corresponding directory, and its relationships to other files. Combined information for multiple files can also be used, such as overall file change rate for a designated set of files. The detection score generator 134 comprises a weighting module 140 for applying weights to respective comparison results from the file analyzer 130 in generating the detection score for the one or more sets of files); and
determine that the file activities corresponds to the statistical anomaly, responsive to the anomaly score exceeding a second threshold (Col. 6, Line # 42-45; The alert generator 136 is configured to generate an alert if the detection score for the one or more sets of files exceeds a specified threshold).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Cobb, Humphries, Gu and Muttik and include a ransomware detector in a security appliance, as disclosed by Weaver.
	The motivation to include the ransomware detector is to analyze files and compare characteristics relating to a current state of the files in a file history database to detect presence of ransomware (See Weaver: Abstract).
Regarding claim 21, the combination of Cobb, Humphries, Gu, Muttik and Weaver discloses:
The method of claim 7, wherein the threshold is configurable (Weaver: Col. 11, Line # 55-65; As a more particular example, assume that the ransomware detector 125 detects a change in a spreadsheet file that had not previously been modified. Although this alone would not be considered sufficient to generate an alert, it could contribute to a composite detection score. Further assume that the ransomware detector 125 additionally detects that the file header of the spreadsheet file is now unreadable. These two detected features when combined into a composite detection score could be sufficient to trigger an alert, depending on implementation-specific factors such as the applied weights and the alert threshold).
Regarding claim 22, the combination of Cobb, Humphries, Gu, Muttik and Weaver discloses:
The method of claim 7, wherein the threshold is configurable (Weaver: Col. 11, Line # 55-65; As a more particular example, assume that the ransomware detector 125 detects a change in a spreadsheet file that had not previously been modified. Although this alone would not be considered sufficient to generate an alert, it could contribute to a composite detection score. Further assume that the ransomware detector 125 additionally detects that the file header of the spreadsheet file is now unreadable. These two detected features when combined into a composite detection score could be sufficient to trigger an alert, depending on implementation-specific factors such as the applied weights and the alert threshold).
Regarding claim 23, the combination of Cobb, Humphries, Gu, Muttik and Weaver discloses:
The computer program product of claim 14, wherein the threshold is configurable (Weaver: Col. 11, Line # 55-65; As a more particular example, assume that the ransomware detector 125 detects a change in a spreadsheet file that had not previously been modified. Although this alone would not be considered sufficient to generate an alert, it could contribute to a composite detection score. Further assume that the ransomware detector 125 additionally detects that the file header of the spreadsheet file is now unreadable. These two detected features when combined into a composite detection score could be sufficient to trigger an alert, depending on implementation-specific factors such as the applied weights and the alert threshold).

Claims 13, 20 and 24-26 are rejected under 35 U.S.C. 103 as being unpatentable over Cobb et al., (WO2007022392A2) in view of Humphries et al., (US20170359370A1) in view of Gu et al., (US20170223031A1) in view of Muttik et al., (US20180173874A1) and further in view of Rattner et al., (US20150278031A1).
Regarding claim 13, the combination of Cobb, Humphries, Gu and Muttik discloses:
The method of claim 7, wherein the determining whether the particular backup includes the ransomware (Gu: [0039] For example, as shown in FIG. 4, detection module 104 may detect information about a file 400(1), a file 400(2), and a file 400(3) during the file backup process. In this example, file 400(2) may have a file header (e.g., “text header”) that does not match the file's type (e.g., “image”). In addition, file 400(2) may have a high file entropy value. Thus, detection module 104 may detect anomaly 208 based on the anomalous content of file 400(2); [0043] Returning to FIG. 3, at step 306, one or more of the systems described herein may confirm that the anomaly is indicative of ransomware on the computing device. For example, confirmation module 108 may, as part of computing device 202 in FIG. 2, confirm that anomaly 208 is indicative of ransomware on computing device 202).
The combination of Cobb, Humphries, Gu and Muttik fails to disclose:
	determining whether the backup includes: MIME information for the file changing from an initial value.
However, Rattner discloses:
MIME information for the file changing from an initial value ([0030] At step 304, the client device determines a backup urgency score (U) for a file stored on the user device based on metrics of one or more file parameters of the file. The file may be included in the backup set 216. The one or more file parameters may include: file size, multipurpose internet mail extensions (MIME) type, file modification, file access, file creation, file backup, and file creator).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Cobb, Humphries, Gu and Muttik and include determination of multipurpose internet mail extensions (MIME) type information in the file, as disclosed by Rattner.
The motivation to determine MIME information in the file is to detect any change in the initial value of MIME information in the file and alert the user of potential malware activity (See Rattner: [0030-0034]).
Regarding claim 20, the combination of Cobb, Humphries, Gu and Muttik discloses:
The computer program product of claim 14, wherein the determining whether the particular backup includes the ransomware (Gu: [0039] For example, as shown in FIG. 4, detection module 104 may detect information about a file 400(1), a file 400(2), and a file 400(3) during the file backup process. In this example, file 400(2) may have a file header (e.g., “text header”) that does not match the file's type (e.g., “image”). In addition, file 400(2) may have a high file entropy value. Thus, detection module 104 may detect anomaly 208 based on the anomalous content of file 400(2); [0043] Returning to FIG. 3, at step 306, one or more of the systems described herein may confirm that the anomaly is indicative of ransomware on the computing device. For example, confirmation module 108 may, as part of computing device 202 in FIG. 2, confirm that anomaly 208 is indicative of ransomware on computing device 202).
The combination of Cobb, Humphries, Gu and Muttik fails to disclose:
determining whether the backup includes: MIME information for the file changing from an initial value.
However, Rattner discloses:
MIME information for the file changing from an initial value ([0030] At step 304, the client device determines a backup urgency score (U) for a file stored on the user device based on metrics of one or more file parameters of the file. The file may be included in the backup set 216. The one or more file parameters may include: file size, multipurpose internet mail extensions (MIME) type, file modification, file access, file creation, file backup, and file creator).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Cobb, Humphries, Gu and Muttik and include determination of multipurpose internet mail extensions (MIME) type information in the file, as disclosed by Rattner.
The motivation to determine MIME information in the file is to detect any change in the initial value of MIME information in the file and alert the user of potential malware activity (See Rattner: [0030-0034]).
Regarding claim 24, the combination of Cobb, Humphries, Gu and Muttik fails to disclose:
The server manager of claim 1, wherein the header information includes Multipurpose Internet Mail Extensions information.
However, Rattner discloses:
wherein the header information includes Multipurpose Internet Mail Extensions information ([0030] The file may be included in the backup set 216. The one or more file parameters may include: file size, multipurpose internet mail extensions (MIME) type, file modification, file access, file creation, file backup, and file creator).	
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Cobb, Humphries, Gu and Muttik and include determination of multipurpose internet mail extensions (MIME) type information in the file, as disclosed by Rattner.
The motivation to determine MIME information in the file is to detect any change in the initial value of MIME information in the file and alert the user of potential malware activity (See Rattner: [0030-0034]).
Regarding claim 25, the combination of Cobb, Humphries, Gu and Muttik fails to disclose:
The method claim 7, wherein the header information includes Multipurpose Internet Mail Extensions information.
However, Rattner discloses:
wherein the header information includes Multipurpose Internet Mail Extensions information ([0030] The file may be included in the backup set 216. The one or more file parameters may include: file size, multipurpose internet mail extensions (MIME) type, file modification, file access, file creation, file backup, and file creator).	
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Cobb, Humphries, Gu and Muttik and include determination of multipurpose internet mail extensions (MIME) type information in the file, as disclosed by Rattner.
The motivation to determine MIME information in the file is to detect any change in the initial value of MIME information in the file and alert the user of potential malware activity (See Rattner: [0030-0034]).
Regarding claim 26, the combination of Cobb, Humphries, Gu and Muttik fails to disclose:
The computer program product of claim 14, wherein the header information includes Multipurpose Internet Mail Extensions information.
However, Rattner discloses:
wherein the header information includes Multipurpose Internet Mail Extensions information ([0030] The file may be included in the backup set 216. The one or more file parameters may include: file size, multipurpose internet mail extensions (MIME) type, file modification, file access, file creation, file backup, and file creator).	
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Cobb, Humphries, Gu and Muttik and include determination of multipurpose internet mail extensions (MIME) type information in the file, as disclosed by Rattner.
The motivation to determine MIME information in the file is to detect any change in the initial value of MIME information in the file and alert the user of potential malware activity (See Rattner: [0030-0034]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SYED M AHSAN/Patent Examiner, Art Unit 2432                                                                                                                                                                                                        07/16/2022