Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

1.	This action is in response to the amendment filed on 11 February 2022, in which claims 1-20 are presented for further examination.

Allowable Subject Matter

2.	Claims 1-20 are allowable in view of the Applicant's arguments and amendments, and in light of the prior art made of record.

Reasons for Allowance

3.	The following is an examiner's statement of reasons for allowance: 
Upon searching a variety of databases, and considering the prior art provided by the Applicant, the examiner's own prior-art search (references cited on form PTO-892) and the Applicant's arguments clarifying the difference and uniqueness of the invention, the examiner finds that the claims remain novel even when the closest prior art, US Patent No. 1005558 and US Publication No. 20190042744, is combined.
The limitation of independent claims 1, 8 and 15, in conjunction with all other limitations of the dependent claims, "determining, based at least in part on the comparing, that the file-read instructions in the subset of unique file operations are abnormal based at least in part on a deviation between the pattern of the file-read instructions in the time interval and the normal pattern of file-read instructions," is neither taught nor suggested by the prior art of record (PTO-892).
Therefore, claims 1-20 are hereby allowed in view of the Applicant's persuasive arguments and in light of the amendments to the claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion

4. 	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure (see form “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Monjur Rahim, whose telephone number is (571) 270-3890. The examiner can normally be reached from 7:00 AM to 5:00 PM (Mon-Thu).
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Shewaye Gelagay, can be reached at 571-272-2419. The fax number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (in USA or CANADA) or 571-272-1000.

 /Monjur Rahim/
Patent Examiner
United States Patent and Trademark Office
Art Unit: 2436; Phone: 571.270.3890
E-mail: monjur.rahim@uspto.gov
Fax: 571.270.4890




1. (Currently Amended) A method for detection of a threat in a file system  the method comprising: accessing audit events in [[a]] the file system for a time interval, the audit events including unique file operations and duplicative file operations within the time interval; de-duplicating the audit events to remove the duplicative file operations and retain the unique file operations from the audit events;  generating time series data that comprises the unique file operations and is devoid of the duplicative file operations; analyzing the time series data to determine whether a subset of the unique file operations includes file-read instructions to copy files corresponding to the subset of unique file operations; comparing a pattern of the file-read instructions in the time interval to a normal pattern of file-read instructions; determining, based at least in part on the comparing, that the file-read instructions in the subset of unique file operations are abnormal based at least in part on a deviation between the pattern of the file-read instructions in the time interval and the normal pattern of file-read instructions  responsive to determining that the file-read instructions in the subset of unique file operations are abnormal, determining that the file system is subject to a based at least in part on determining that the file system is subject to the threat.  
2. (Original) The method of claim 1, wherein the audit events include information comprising, for each audit event, a user id, a file name, a type of access, and a timestamp.  
3. (Currently Amended) The method of claim 1, wherein de-duplicating the audit events is based at least in part on an identification of successive file operations that do not lead to a change in a file state.  
4. (Original) The method of claim 1, further comprising: generating a finite state machine including one or more file states, the file states including a file open state, a file read state, a file write state, a file read/write state, and a file close state; and storing the file states in the finite state machine in a key-value object store.  
5. (Currently Amended) The method of claim 1, wherein determining that the file-read instructions in the subset of [[the]] unique file operations machine learning models trained to determine the pattern or a number of the file-read instructions and to compare the pattern or the number of the file-read instructions to the normal pattern of file-read instructions or a normal number of file-read instructions based on features representing a normal or expected behavior of the file system.  
6. (Original) The method of claim 4, wherein de-duplicating the audit events includes maintaining a file system state based on the finite state machine.  
7. (Currently Amended) The method of claim 1, wherein determining that the file-read instructions in the subset of [[the]] unique file operations are abnormal comprises applying Seasonal-Trend Decomposition Procedure Based on Loess (STL) decomposition to file delete audit events to remove seasonal and trend components and using a residue of the decomposition to generate the time series data, and performing an Exploratory Data Analysis (ESD) test on the time series data.  
8. (Currently Amended) A system for threat in a file system the file system for a time interval, the audit events including unique file operations and duplicative file operations within the time interval; de-duplicating the audit events to remove the duplicative file operations and retain the unique file operations from the audit events; generating time series data that comprises the unique file operations and is devoid of the duplicative file operations; analyzing the time series data to determine whether a subset of the unique file operations includes file-read instructions to copy files corresponding to the subset of unique file operations; comparing a pattern of the file-read instructions in the time interval to a normal pattern of file-read instructions; determining, based at least in part on the comparing, that the file-read instructions in the subset of unique file operations are abnormal at least in part on deviation between the pattern of the file-read instructions in the time interval and the normal pattern of file-read instructions based at least in part on determining that the file system is subject to the threat.  
9. (Original) The system of claim 8, wherein the audit events include information comprising, for each audit event, a user id, a file name, a type of access, and a timestamp.  
10. (Currently Amended) The system of claim 8, wherein de-duplicating the audit events is based at least in part on an identification of successive file operations that do not lead to a change in a file state.  
11. (Original) The system of claim 8, wherein the operations further comprise: generating a finite state machine including one or more file states, the file states including a file open state, a file read state, a file write state, a file read/write state, and a file close state; and storing the file states in the finite state machine in a key-value object store.  
12. (Currently Amended) The system of claim 8, wherein determining that the file-read instructions in the subset of [[the]] unique file operations a number of the file-read instructions and to compare the pattern or the number of the file-read instructions to the normal pattern of file-read instructions or a normal number of file-read instructions based on features representing a normal or expected behavior of the file system.  
13. (Original) The system of claim 11, wherein de-duplicating the audit events includes maintaining a file system state based on the finite state machine.  
14. (Currently Amended) The system of claim 8, wherein determining that the file-read instructions in the subset of [[the]] unique file operations are abnormal comprises applying Seasonal-Trend Decomposition Procedure Based on Loess (STL) decomposition to file delete audit events to remove seasonal and trend components and using a residue of the decomposition to generate the time series data, and performing an Exploratory Data Analysis (ESD) test on the time series data.  
Page 5 of 12, Application No. 16/263,319, PATENT, Amendment dated February 11, 2022, Reply to Office Action dated November 12, 2021
15. (Currently Amended) A non-transitory, machine-readable medium storing instructions which, when read by a machine, cause the machine to perform operations comprising, at least: accessing audit events in a file system for a time interval, the audit events including unique file operations and duplicative file operations within the time interval; de-duplicating the audit events to remove the duplicative file operations and retain the unique file operations from the audit events; generating time series data that comprises the unique file operations and is devoid of the duplicative file operations; analyzing the time series data to determine whether a subset of the unique file operations includes file-read instructions to copy files corresponding to the subset of unique file operations; comparing a pattern of the file-read instructions in the time interval to a normal pattern of file-read instructions; determining, based at least in part on the comparing, that the file-read instructions in the subset of unique file operations are abnormal at least in part on deviation between the pattern of the file-read instructions in the time interval and the normal pattern of file-read instructions based at least in part on determining that the file system is subject to the threat.  
16. (Original) The medium of claim 15, wherein the audit events include information comprising, for each audit event, a user id, a file name, a type of access, and a timestamp.  
17. (Currently Amended) The medium of claim 15, wherein de-duplicating the audit events is based at least in part on an identification of successive file operations that do not lead to a change in a file state.  
18. (Original) The medium of claim 15, wherein the operations further comprise: generating a finite state machine including one or more file states, the file states including a file open state, a file read state, a file write state, a file read/write state, and a file close state; and storing the file states in the finite state machine in a key-value object store.  
19. (Currently Amended) The medium of claim 15, wherein determining that the file-read instructions in the subset of [[the]] unique file operations a number of the file-read instructions and to compare the pattern or the number of the file-read instructions to the normal pattern of file-read instructions or a normal number of file-read instructions based on features representing a normal or expected behavior of the file system.  
20. (Original) The medium of claim 18, wherein de-duplicating the audit events includes maintaining a file system state based on the finite state machine.
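The claimed pipeline of claims 1, 4 and 6 (de-duplication of audit events through a per-file state machine kept in a key-value store, a time series of file-read instructions, and comparison against a normal read pattern), as an added illustrative example that is neither the applicant's code nor the patent's implementation. The audit events, the baseline pattern and the fixed tolerance are constructed assumptions, and the STL/ESD steps of claims 7 and 14 are replaced by a simple deviation threshold.

```python
"""Constructed example: de-duplicate file audit events with a per-file state
machine, build a read-count time series, and flag intervals whose read
pattern deviates from a baseline (a stand-in for the claimed comparison)."""
from collections import Counter

# Constructed audit events: (timestamp_s, user_id, file_name, access_type).
# Interval 0: one file read repeatedly (duplicative reads, no state change).
# Interval 1: a single normal read. Interval 2: twelve distinct files read
# in a burst, which survives de-duplication and deviates from the baseline.
AUDIT_EVENTS = (
    [(5, "u1", "a.doc", "open")]
    + [(6 + i, "u1", "a.doc", "read") for i in range(6)]
    + [(12, "u1", "a.doc", "close")]
    + [(65, "u1", "b.doc", "open"), (66, "u1", "b.doc", "read"), (70, "u1", "b.doc", "close")]
    + [(125 + i, "u2", f"doc{i}.pdf", op) for i in range(12) for op in ("open", "read", "close")]
)
NORMAL_READS = [1, 1, 1]  # assumed normal pattern: reads per 60 s interval

# File state machine: next state for (current_state, access_type). A missing
# entry means the operation leaves the file state unchanged, i.e. a duplicate.
TRANSITIONS = {
    ("closed", "open"): "open",
    ("open", "read"): "read", ("open", "write"): "write",
    ("read", "write"): "read/write", ("write", "read"): "read/write",
    ("open", "close"): "closed", ("read", "close"): "closed",
    ("write", "close"): "closed", ("read/write", "close"): "closed",
}

def de_duplicate(events):
    """Retain only audit events that change a file's state; states live in a
    dict acting as the key-value store of the claims."""
    state, unique = {}, []
    for ts, user, fname, op in events:
        cur = state.get(fname, "closed")
        nxt = TRANSITIONS.get((cur, op))
        if nxt is None or nxt == cur:
            continue  # successive operation without a state change: duplicate
        state[fname] = nxt
        unique.append((ts, user, fname, op))
    return unique

def read_series(events, interval_s, n_intervals):
    """Time series: number of file-read instructions in each interval."""
    counts = Counter(ts // interval_s for ts, _, _, op in events if op == "read")
    return [counts.get(i, 0) for i in range(n_intervals)]

def abnormal_intervals(series, normal, tolerance):
    """Intervals whose read count deviates from the normal pattern by more than tolerance."""
    return [i for i, (obs, exp) in enumerate(zip(series, normal)) if abs(obs - exp) > tolerance]

def detect_threat(events, normal, interval_s=60, tolerance=3):
    """Full pipeline: returns (read series after de-duplication, flagged intervals, verdict)."""
    series = read_series(de_duplicate(events), interval_s, len(normal))
    flagged = abnormal_intervals(series, normal, tolerance)
    return series, flagged, bool(flagged)
```

Without de-duplication the repeated reads in interval 0 would also be flagged; after it only the burst in interval 2 deviates.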