Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .




Detailed Action

Allowable Subject Matter
Claims 10 – 14 and 19 – 20 are objected to as being dependent upon a rejected based claim, but would be allowable if rewritten in independent form including all the limitations of the base claim and any intervening claims.

Response to Arguments
Applicant asserts the applied art does not teach "determining, by the anomaly response system and based on the comparing the subset of blocks, a security anomaly on the computer system". 
In response, The Examiner respectfully disagrees because the combination of cited art is relied upon to teach this limitation. The Examiner initially notes neither Applicant’s disclosure nor Applicant’s 05/16/2022 arguments provide a limiting definition of security anomaly (see Arguments page 10 and as-filed disclosure para 0002 and 0015); but rather, use the language of anomalies may be which one of ordinary skill in the art would not find limiting. As a result, the prior art of record is relied upon to teach determining (reads on the combination of detecting anomalies based on comparing normal to current behaviors/signatures, and the deviation of the current signature from the normal signature, of the dynamic system within the current region and determining the filesystem behaves abnormally in the time interval by determining a pattern of the file operations in the backup/snapshot in the time interval and comparing the pattern of the file operations to a normal pattern, see Chen para 0004 and claim 1 and see Miller Figure 37 blocks 3710, 3712 and para 0009, 0011, 0055), by the anomaly response system (reads on an anomaly detection system, see Miller Figure 37) and based on the comparing (reads on comparing normal to current behavior signatures, see Miller Figure 37 block 3710 and para 0009, 0011, 0055, 0197, 0310) the subset of blocks (reads on a plurality of operational regions in sufficiently small regions of the dynamic system, see Miller para 0011, 0055, 0154, 0197 and 0199), a security anomaly on (reads on anomaly which is a deviation of the current signature from a normal signature according to a particular threshold, see Miller para 0009, 0055, 0263 and 0310 and Figure 37 block 3712) the computer system (reads on any suitable system, see Miller para 0013 and 0271). As a result, the combined teachings of the prior art of record read on Applicant’s claim language.
Applicant asserts the applied art does not teach "the security action comprises one of: a lock of processing of the computer system; a message to an operating system of the computer system; running an antivirus program on the computer system; and transmission of a notification to an elevated privilege application of the computer system” and within the context of the Miller document, it would not have been obvious to modify Miller to use any of these types of security actions. 
In response, The Examiner respectfully disagrees because the combination of cited art is relied upon to teach this limitation. The combined prior art suggests the security action comprises running an antivirus program on the computer system (reads on remediation actions may include but are not limited to initiating a virus/malware scan of the computing device, see Karin para 0066 and 0080 — 0081). Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the security action teachings of the primary references (reads on the specific method of remediation is highly dependent on the type of anomaly detected, see Dodson para 0026, 0051 and 0165) by incorporating the security action teachings of Karin (reads on remediation actions may include but are not limited to initiating a virus/malware scan of the computing device, see Karin para 0066 and 0080 — 0081) to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the computer art to include a remediation action that initiates a virus/malware scan of the computing device, as taught in Karin, into the method of remediation that is highly dependent on the type of anomaly detected, see Dodson para 0026, 0051 and 0165, as taught by the prior art references in order to more completely identify and remediate unwanted system behavior, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized the results of the combination were predictable. The motivation to combine the references is applied to all dependent claims under this heading.


Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1 – 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Miller (US Pub. No. 2007/0028220 A1) in view of Dodson (US Pub. No. 2018/0316707 A1) in view of Chen (US Pub. No. 2020/0034537 A1).


Per claim 1, Miller suggests a method comprising: monitoring (reads on monitoring/comparing the current behaviors of the system with the normal operational behavior of the system in order to calculate the degree of deviation from the normal operational behavior, see Miller Figure 37 block 3708 and para 0011, 0055, 0197 and 0310), by an anomaly response system (reads on an anomaly detection system, see Miller Figure 37), a plurality of blocks of a first storage device (reads on a plurality of operational regions of the dynamic system, see Miller para 0011, 0055, 0197 and 0199), the first storage device related to a computer system (reads on a run-time environment on a computing system, see Miller para 0013 and 0310); comparing (reads on comparing normal to current behavior signatures, see Miller Figure 37 block 3710 and para 0009, 0011, 0055, 0197, 0310), by the anomaly response system (reads on an anomaly detection system, see Miller Figure 37), a subset of blocks of the plurality (reads on a plurality of operational regions in sufficiently small regions of the dynamic system, see Miller para 0011, 0055, 0154, 0197 and 0199) to a first storage signature (reads on the normal operational behavior/signature/model of the operational region, see Miller para 0009, 0011, 0055, 0197, 0200, 0310) of the first storage device (reads on a run-time environment on a computing system, see Miller para 0013 and 0310); determining (reads on detecting anomalies based on comparing normal to current behaviors/signatures, and the deviation of the current signature from the normal signature, of the dynamic system within the current region, see Miller Figure 37 blocks 3710, 3712 and para 0009, 0011, 0055), by the anomaly response system (reads on an anomaly detection system, see Miller Figure 37) and based on the comparing (reads on comparing normal to current behavior signatures, see Miller Figure 37 block 3710 and para 0009, 0011, 0055, 0197, 0310) the subset of blocks  (reads on a plurality of operational regions in sufficiently small regions of the dynamic system, see Miller para 0011, 0055, 0154, 0197 and 0199), a security anomaly on (reads on anomaly which is a deviation of the current signature from a normal signature according to a particular threshold, see Miller para 0009, 0055, 0263 and 0310 and Figure 37 block 3712) the computer system (reads on any suitable system, see Miller para 0013 and 0271). The prior art of record is silent on explicitly stating storage devices; and performing, by the anomaly response system and in response to the security anomaly, a security action related to the computer system.
[0009] In another aspect of the present invention, a method for identifying root causes of anomalies in a tested system is disclosed. The method includes detecting anomalies in the tested system by generating comparison data representing a comparison between actual operational behavior of the tested system to normal operational behavior of the tested system. The method further includes compressing the comparison data into patterns. The method further includes determining a set of probable root causes for each of the anomalies based on the patterns generated from the comparison data. 

[0011] In a further aspect, a method of detecting a performance anomaly in a dynamic system is disclosed. The method includes identifying a current operational region of a plurality of operational regions based on the operation of the dynamic system. The method further includes comparing the operation of the dynamic system with normal operational behavior within the current operational region to calculate a performance indication of a degree of deviation from the normal operational behavior within the current region.
[0055] The control software and various hardware components used on the vehicle usually exhibit nonlinear behaviors. This is especially true for control software. Therefore, once these software and hardware components are integrated in a vehicle and communicate with each other, they create a large number of operational regions. Those interactions are sometimes too complicated to understand even for experienced engineers. In addition, the driver inputs and external environmental conditions vastly vary and create infinite patterns of conditions in which the vehicle operates. Signatures describing system behaviors for different driver inputs and external influences are quite different. With infinitely many behavioral patterns, anomaly detection and localization are complex, because one has to compare the behavioral signatures to appropriate behavioral regimes. The best way to find anomalies is to compare the signatures within the same behavior regime, and the deviation of the current signature from a normal signature is the indication of the severity of the anomalies.
[0060] The behavior of the tested system should be partitioned into a plurality of operational regions having predictable behavior. Normal operational behavior is determined within any operational region from performance related features extracted from a distribution or model in that operational region. The performance related features can be extracted from a time-frequency distribution. The model can be a local model of any form, such as a local linear model or a local recurrent neural network fitted to the signals emitted by the system in the operational region.
[0154] Diagnostic agents can use local models to detect anomalous system behavior by setting a threshold on residual error. In one possible embodiment, a local linear model can be used. The threshold on residual error is set with respect to each operational region in order to avoid detection of anomalies in regions sparsely populated during the training process, which would result in high missed detection and false alarm rates. By splitting the entire operational space of the tested system into sufficiently small regions at places where nonlinearity is high, a linear model provides an acceptable and easily computable estimate of actual system operation.

[0197] The regionalization tool 2402 is linked to a performance assessment tool 2404 and can communicate the current operational region to that tool. The performance assessment tool 2404 compares actual operational behavior of the tested system in the current operational region to normal operational behavior of the tested system in the current operational region. The tested system can be partitioned into a plurality of operational regions, each having a relatively consistent system behavior. The tested system determines normal operational behavior from a model for the current operational region. The model can be a local linear model as described below.

[0198] Referring now to FIG. 25, a schematic representation of methods and systems 2500 for training an anomaly detector for a system are shown according to an exemplary embodiment of the present disclosure. In general, such methods and systems are used to provide a prediction of system behavior based on a discrete number of training observations, and may be embodied in a variety of hardware or software tools. System 2500 includes a collection module 2502. The collection module 2502 accepts data representative of the inputs and outputs of the tested system.

[0199] The system 2500 further includes a partition module 2504. The partition module 2504 is configured to partition the tested system into a plurality of operational regions. The partition module 2504 can train a regionalization tool in the anomaly detector in accordance with data. The data can be, for example, the data collected by the collection module 2502.

[0200] The system 2500 also includes a compute module 2506. The compute module 2506 computes a model 2508 of normal operational behavior of the tested system. The compute module 2506 may do such a computation for each of the plurality of regions created by the partition module 2504, and does so for at least one of the plurality of regions of the tested system. The compute module 2506 can be configured to operate on each of the plurality of regions serially, producing a model for each region on a "one region at a time" basis.
[0201] Referring now to FIG. 26, a schematic representation of methods and systems 2600 for anomaly detection are shown according to an exemplary embodiment of the present disclosure. The system 2600, as shown, is instantiated by a start module 2602. Following the start module 2602, operational flow is passed to a collection module 2604. The collection module 2604 accepts data from a tested system. The data should be representative of the inputs and outputs of the tested system. From observed outputs, initial conditions of the outputs can be estimated as well. For example, the collection module 2604 can accept inputs and known state values for a tested system. The tested system can be a system for which normal operation is expected, and to which the anomaly detection system 2600 can compare subsequent performance.

[0202] The system 2600 includes a partition module 2606. The partition module 2606 is configured to partition the tested system into a number of operational regions. The partition module 2606 can train a regionalization tool, such as regionalization module 2610 below, in accordance with data. The data used to partition the tested system can be, for example, the data collected by the collection module 2604.

[0203] The system 2600 includes a compute module 2608. The compute module 2608 is configured to compute a local model of normal operational behavior. The model of normal operational behavior can be based on the data collected by the data collection module. The compute module 2608 can do such a computation for each of the plurality of regions created by the partition module, and preferably does so for at least one of the plurality of regions of the tested system.

[0204] In the operation of a possible embodiment, the collection module 2604, partition module 2606, and compute module 2608 execute concurrently. For example, the collection module 2604 can collect a variety of data samples from a "baseline" normally operating system to be tested. The partition module 2606 may partition the tested system into a number of operational regions, or may partition those operational regions into a larger number of smaller-sized operational regions as additional data is collected by the collection module 2604.

[0205] The compute module 2608 can generate a model, such as a local linear model, from the collected data in the current operational region. The current operational region can be determined, for example, by a regionalization module 2610, described below. The compute module 2608 can update an estimated model using subsequent data it can receive from the collection module 2604. Further, the compute module 2608 can be configured to participate in generation or updating of an estimated model in other regions, such as neighbor regions to the current operational region.

[0206] The combination of the collection module 2604, the partition module 2606, and the execute module 2608 produce an estimated model of the tested system representative of normal operational behavior based on the data collected by the collection module 2604.

[0207] The system 2600 further includes a regionalization module 2610. The regionalization module 2610 is responsive to data indicative of the tested system's operation. The regionalization module 2610 is configured to identify a current operational region of the tested system. The regionalization module 2610 may accept as inputs the inputs and outputs of a hardware or software system to be tested. The regionalization module 2610 determines the current operational region of the tested system based on those inputs and outputs. The regionalization module 2610 selects from among the plurality of operational regions created by the partition module 2606.

[0208] The system 2600 includes a performance module 2612. In operation, the performance module 2612 compares actual operational behavior of the tested system in the current operational region to normal operational behavior of the tested system in the current operational region. The normal operational behavior of the tested system is based on a model derived from data collected from a normally operating system.

[0209] The system 2600 determines normal operational behavior from an estimated model for the current operational region. The estimated model, as generated by the compute module 2608, can be a local linear model. In an alternate embodiment, Time Frequency Analysis can be used.

[0210] Operational flow among the operations 2604-2612 is again ordered generally from training to testing. However, this does not require strict ordering, in that operations can execute in various orders, or in serial or parallel. Some ordering is apparent, in that some amount of initial data collection will take place before any partitioning module 2606 can execute and the compute module 2608 can derive a model. Furthermore, at least one operational region must exist for the regionalization module 2610 to determine the current operational region, and some "normal" and actual operational behavior must be available to determine performance in the performance module 2612.

[0211] The system 2600 terminates at an end module 2614.

[0212] FIG. 27 is a flow chart representing logical operations of a learning model-based diagnostic system 2700. System 2700 can be used to implement aspects of the present disclosure, specifically when used in conjunction with the systems described below in FIGS. 30-32. Entrance to the operational flow of the learning model-based diagnostic system 2700 begins at a flow connection 2702. A detect operation 2704 detects an anomaly. It is noted that anomaly detection agents, such as those previously described herein, continuously monitor a vehicle's functions. Such agents can be located within the RTE, such as RTE 900 of FIG. 9, operating on a vehicle. A found module 2706 determines if an anomaly has been found. If the found module 2706 determines that a failure has not been found, operational flow branches "No" to the detect operation 2704. In this manner, the vehicle is continuously monitored for failures.

[0213] If the found module 2706 determines that an anomaly has been found, operational flow branches "Yes" to a known module 2708. The known module 2708 determines if the failure is a known failure. If the known module 2708 determines that the failure is a known failure, operational flow branches "Yes" to an identify operation 2710. The identify operation 2710 identifies the remedy for the known failure. Operational flow ends at termination point 2712.

[0214] If the known module 2708 determines that the failure is not a known failure, operational flow branches "No" to a write operation 2714. The write operation 2714 writes the failure information to a link, such as the DRD link 899 of FIG. 9. A read operation 2716 reads the failure information from the link. The failure is read into the IDE, such as IDE 800 of FIG. 8. A model operation 2718 identifies the model error, which may be an error is the requirements, design, or implementation level of the IDE. Operational flow ends at termination point 2712.
[0271] Preferably, the system 3101 is a vehicle 3120; however, the system 3120 can be any suitable system. FIG. 32 illustrates a vehicle 3220 in more detail. The vehicle 3220 includes an engine 3222, a drivetrain 3224, other components 3226, and vehicle dynamics 3228. A driver 3230 can provide inputs 3202 into the system 3201,
[0290] FIG. 34 illustrates a logical flow diagram of an anomaly detector 3400. Operational flow begins at a start terminal 3402. An output operation 3404 allocates a current output, and its corresponding inputs and initial conditions, into an operational region. A calculate operation 3406 calculates a quantization error.

[0291] An error module 3408 determines if the quantization error is smaller than a preset threshold, which is the distance from the observed vector or inputs and initial conditions to the best matching unit in the SOM. If the error module 3408 determines that the quantization error is not smaller than the predetermined threshold, operational flow branches "NO", indicating the presence of a newly observed operating condition. Operational flow proceeds to a learning module 3413, which triggers additional development of the anomaly models or distributions consistent with the disclosure above. No alert is triggered, because no model exists for the region near the newly observed vector of inputs and initial conditions. If the error module 3408 determines that the quantization error is smaller, operational flow branches "YES" to an anomaly operation 3410 and an anomaly detection alert is triggered in an output module 3412. Operational flow ends at terminal point 3414.
[0310] FIG. 37 is an example flow diagram of an anomaly detection system 3700 according to a specific embodiment. The anomaly detection system 3700 can be used, for example, in multiple aspects of the error detection system, such as in the diagnostic agent or for the failure mode root cause detection described above. Operational flow begins at a start point 3702. A partition operation 3704 partitions a run-time environment into at least one operational region. This partitioning can be called regionalization. A learn operation 3706 learns known behaviors operating within the operational region. This learning can be called training. A monitor operation 3708 monitors current behaviors. A compare operation 3710 compares the known behaviors to the current operating behaviors. A detect operation 3712 detects behavior modes when a deviation exists between the current operating behaviors and the known operating behaviors. A trace operation 3714 can trace the unknown behavior modes back to an integrated development environment through a link. An identify operation 3716 identifies the unknown anomalies in the integrated development environment based on the tracing of the anomalies.

[0311] As discussed herein, a novel root cause identification system that is capable of localizing anomalies is disclosed. The proposed approaches do not require detailed knowledge of the system dynamics. The existence of normal inputs and outputs signals is the only assumption for the proposed method.
[0314] One skilled in the art would recognize that the system described herein can be implemented using any number of software configurations, network configurations, hardware configurations, and the like.

[0315] The logical operations of the various embodiments illustrated herein are implemented (1) as a sequence of computer implemented steps or program modules running on a computing system and/or (2) as interconnected logic circuits or circuit modules within the computing system. The implementation is a matter of choice dependent on the performance requirements of the computing system implementing the invention. Accordingly, the logical operations making up the embodiments of the present invention described herein are referred to variously as operations, steps, engines, or modules.









    PNG
    media_image1.png
    1468
    741
    media_image1.png
    Greyscale


    PNG
    media_image2.png
    1101
    918
    media_image2.png
    Greyscale


    PNG
    media_image3.png
    1505
    462
    media_image3.png
    Greyscale



Dodson suggests 
performing (reads on once an anomaly has been detected the specific method of remediation is highly dependent on the type of anomaly detected, see Dodson para 0026, 0051 and 0165), by the anomaly response system (reads on the anomaly detection system, see Dodson para 0026 and 0051) and in response to the security anomaly (reads on once the anomaly has been detected, see Dodson para 0026, 0051 and 0165), a security action related to the computer system (reads on the specific method of remediation is highly dependent on the type of anomaly detected, see Dodson para 0026, 0051 and 0165).

[0026] In one embodiment, the system 105 comprises a processor 115 and memory 120 for storing instructions. The memory 120 can include an input stream interface module 125, an input stream parser module 130, an anomaly detection module 135, a counterfactual processing module 140, and a remediation module 145. As used herein, the terms “module” may also refer to any of an application-specific integrated circuit (“ASIC”), an electronic circuit, a processor (shared, dedicated, or group) that executes one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that provide the described functionality.

[0051] Once an anomaly has been detected and a cause or causes isolated, the remediation module 145 may be executed to remediate the cause or causes in some embodiments. In various embodiments, the specific methods by which the remediation module 145 remediates a cause are highly dependent upon the type of anomaly detected. For example, if the anomaly includes a high rate of access to a particular database, the remediation module 145 may restrict access privileges for the database until the anomaly is reviewed. If the anomaly is unusually frequent file transfers (e.g., exfiltration) of high volumes of data outside a protected network, the remediation module 145 may restrict file transfers by specifically identified machines in the network. This could occur through changing firewall policies or preventing access to any external network by the machines.
[0165] While specific embodiments of, and examples for, the system are described above for illustrative purposes, various equivalent modifications are possible within the scope of the system, as those skilled in the relevant art will recognize. For example, while processes or steps are presented in a given order, alternative embodiments may perform routines having steps in a different order, and some processes or steps may be deleted, moved, added, subdivided, combined, and/or modified to provide alternative or sub-combinations. Each of these processes or steps may be implemented in a variety of different ways. Also, while processes or steps are at times shown as being performed in series, these processes or steps may instead be performed in parallel, or may be performed at different times.

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the anomaly detection teachings of the prior art of record by integrating the anomaly detection and remediation teachings of Dodson to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the art to include in the anomaly detection teachings of the prior art of record the ability to remediate the specific anomalies as taught by Dodson, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized the results of the combination were predictable. The motivation to combine the references is applied to all dependent claims under this heading.
Chen suggests 
a plurality of blocks of (reads on backup data of a plurality of machines, see Chen para 0004) a first storage device (reads on a data storage device where the backup/snapshot is obtained, see Chen para 0015 and 0048), the first storage device related to a computer system (reads on the storage devices are part of the computing system of Figure 3, Chen Figure 3 and para 0032 and 0048); comparing (reads on comparing the pattern of the file operations of the backup/snapshot to the normal pattern to analyze the filesystem’s behavior, see Chen para 0004 – 0005, 0013, 0015 and 0048), by the anomaly response system (reads on the ransomware detection module, see Chen para 0004 – 0005, 0013, 0015 and 0048), a subset of blocks of (reads on the backup/snapshot of one of the plurality of machines, see Chen para 0004 – 0005, 0013, 0015 and 0048) the plurality (reads on backup data of a plurality of machines, see Chen para 0004) to a first storage signature of (reads on the backup/snapshot/filesystem’s normal behavior, see Chen para 0004) the first storage device (reads on a data storage device where the backup/snapshot is obtained, see Chen para 0015 and 0048); determining, by the anomaly response system and based on the comparing the subset of blocks, a security anomaly on the computer system (reads on determining the filesystem behaves abnormally in the time interval by determining a pattern of the file operations in the backup/snapshot in the time interval and comparing the pattern of the file operations to a normal pattern, see Chen para 0004 and claim 1).

[0004] Described herein is a system that detects ransomware infection in filesystems. The system detects ransomware infection by using backup data of machines. The backup data of the machine records the filesystem's behavior. The system detects ransomware infection in two stages. In the first stage, the system analyzes a filesystem's behavior. The filesystem's behavior can be obtained by loading the backup data and crawling the filesystem to create a filesystem metadata. The filesystem metadata includes a list of entries including information about file operations that took place during a time interval. The filesystem determines a pattern of the file operations and compares the pattern to a normal patter to analyze the filesystem's behavior. If the filesystem's behavior is abnormal, the system proceeds to the second stage. In the second stage, the system analyzes the content of the files corresponding to the file operations to determine whether the files are encrypted. The system generates entropy features of the files and calculates an encryption score reflecting a probability of encryption in the filesystem. The system combines the analysis of both stages to determine an infection score reflecting a probability of ransomware infection in the filesystem. The infection score is an average of the abnormal score and the encryption score. The infection score is used to determine whether the filesystem is infected.
[0005] The system may employ machine learning models to analyze the filesystem's behavior as well as the content of the files. The machine learning models are trained by using data from different sources. The machine learning models are trained by using unsupervised training methods. A machine learning model detects anomalous filesystem behavior based on features that represent the filesystem's behavior. A machine learning model detects encryption in files based on entropy features that represent a level of randomness in file content.

[0013] FIG. 1 illustrates an example ransomware detection module 102, according to one embodiment. The ransomware detection module 102 detects ransomware infection in a filesystem. The filesystem can reside on a virtual machine or a physical machine. As described herein, a machine can be physical or virtual unless specified. To detect whether a filesystem is infected by ransomware, the ransomware detection module 102 analyzes behavior the filesystem's behavior. The ransomware detection module 102 analyzes the filesystem's behavior by examining operations to files in the filesystem. If there is suspicious behavior, the ransomware detection module 102 analyzes the content of the files in the filesystem. Content of the files to which that have been operated is further analyzed to identify whether the files are encrypted. The ransomware detection module 102 can combine results of the behavior analysis and the content analysis to determine whether the filesystem is infected by ransomware.
[0015] The filesystem module 104 interfaces with another system such as a virtual machine, a physical machine, or a data storage device to obtain data including content of a filesystem to be analyzed. As one example, the filesystem module 104 interfaces with a data store to obtain a snapshot of a machine. A snapshot can be used to restore a machine at a particular time point. The snapshot includes data of a machine at the particular time point. As another example, the filesystem module 104 interfaces with a machine to take a snapshot of the machine. From the snapshot, the filesystem module 104 records the changes in the filesystem during a time interval. The changes in the filesystem includes file operations that took place during the time interval. The file operations can be of different types corresponding to different operations applied to the files. Example file operations include a read operation, a write operation, a modify operation, an add operation, a move operation, a delete operation, a create operation, a rename operation, and the like. In some embodiments, the filesystem module 104 generates filesystem metadata of a filesystem of the machine, for example, by crawling the filesystem. The filesystem metadata includes a list of entries that correspond to filesystem changes during a time interval. The filesystem metadata describes the filesystem such as a structure of the filesystem and sizes of files in the filesystem. 
[0048] The components shown in FIG. 3 also include storage devices, which for example can be a hard disk drive (HDD), a magnetic tape drive, a solid-state drive (SSD), or a disk array (e.g., a storage area network (SAN) storage device, or a networked-attached storage (NAS) device). A storage device can be separate from or integrated with a physical machine.

1. A method for detecting ransomware infection in filesystems, comprising: recording changes in a filesystem during a time interval, the changes including file operations within the time interval; determining whether the filesystem behaves abnormally in the time interval by determining a pattern of the file operations in the time interval and comparing the pattern of the file operations to a normal pattern; responsive to determining the filesystem's behavior is abnormal, determining whether files corresponding to the file operations in the time interval are encrypted by analyzing the content of the files; and determining whether the filesystem is infected based on the determinations that the filesystem behaves abnormally and that the files are encrypted.

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the anomaly/abnormal behavior detection teachings of the prior art of record by integrating the anomaly/abnormal behavior detection teachings of Chen to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the art to include in the anomaly/abnormal behavior detection teachings of the prior art of record the ability to have a plurality of blocks of a first storage device be reasonably scoped as backups/snapshots stored on a storage device as taught by Chen, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized the results of the combination were predictable. The motivation to combine the references is applied to all dependent claims under this heading.

Per claim 2, the prior art of record further suggests wherein the comparing (reads on comparing the pattern of the file operations of the backup/snapshot to the normal pattern to analyze the filesystem’s behavior, see Chen para 0004 – 0005, 0013, 0015 and 0048) the subset of blocks of  (reads on the backup/snapshot of one of the plurality of machines, see Chen para 0004 – 0005, 0013, 0015 and 0048) the plurality (reads on backup data of a plurality of machines, see Chen para 0004) to the first storage signature (reads on the backup/snapshot/filesystem’s normal behavior, see Chen para 0004) occurs at a second time (reads on occurs after the training stage where the normal filesystem model/pattern/behavior of the backup/snapshot is learned, see Chen para 0004 and Miller para 0310, Figure 25, Figure 37 blocks 3706, 3708, 3710 and 3712), and wherein the method further comprises: monitoring (reads on monitor the current behaviors, see Miller Figure 37 block 3708), by the anomaly response system (reads on the combination of the ransomware detection module and the anomaly detection system, see Miller Figure 37, Dodson para 0026, 0051 and Chen para 0004 – 0005, 0013, 0015 and 0048), one or more storage devices (reads on a data storage device where the backup/snapshot is obtained, see Chen para 0015 and 0048) at a first time that precedes the second time (reads on the learning occurs before the monitoring, see Miller Figure 37), the one or more storage devices related to the computer system  (reads on the storage devices are part of the computing system of Figure 3, Chen Figure 3 and para 0032 and 0048), the one or more storage devices including the first storage device  (reads on the storage devices are part of the computing system of Figure 3, Chen Figure 3 and para 0032 and 0048); and generating (reads on generating a model/pattern of normal operational behavior data, see Miller para 0009, 0011, 0197, 0200, Figure 25, Chen para 0004, claim 1), based on the plurality of blocks of (reads on the backup/snapshot of one of the plurality of machines, see Chen para 0004 – 0005, 0013, 0015 and 0048) the first storage device (reads on a data storage device where the backup/snapshot is obtained, see Chen para 0015 and 0048) at the first time (reads on during the training stage where the normal filesystem model/pattern/behavior of the backup/snapshot is learned, see Chen para 0004 and Miller para 0310, Figure 25, Figure 37 blocks 3706, 3708, 3710 and 3712), the first storage signature of the first storage device (reads on generating a model/pattern of normal operational behavior data, see Miller para 0009, 0011, 0197, 0200, Figure 25, Chen para 0004, claim 1).
Per claim 3, the prior art of record further suggests wherein the first storage signature is (reads on the generated model/pattern of normal operational behavior data, see Miller para 0009, 0011, 0197, 0200, Figure 25, Chen para 0004, claim 1) based on a range of block writes (reads on determine write operations via time frequency analysis, see Chen para 0015 and Miller para 0060 and 0209. The Examiner asserts write operations to the filesystem over a time frame is the same as a range of block writes) to the subset of blocks of (reads on the backup/snapshot of one of the plurality of machines, see Chen para 0004 – 0005, 0013, 0015 and 0048) the first storage device (reads on a data storage device where the backup/snapshot is obtained, see Chen para 0015 and 0048).
Per claim 4, the prior art of record further suggests wherein the security anomaly is determined based on (reads on the anomaly is detected based on deviation from the model/known operating behaviors, see Miller Figure 37 and para 0310) a number of block writes to the subset of blocks being outside of the range (reads on an anomaly is determined when the monitored write/read operations deviate from the normal operating behaviors, see Miller para 0310 and Figure 37 and Chen para 0015).
Per claim 5, the prior art of record further suggests wherein the security anomaly is related to a standard deviation of the range of block writes (reads on an anomaly is determined when the monitored write/read operations deviate from the normal operating behaviors, see Miller para 0310 and Figure 37 and Chen para 0015).
Per claim 6, the prior art of record further suggests wherein the security anomaly of the computer system is determined without information of a name of any files of the computer system (reads on an anomaly is determined when the monitored write/read operations deviate from the normal operating behaviors, see Miller para 0310 and Figure 37 and Chen para 0015).
Per claim 7, the prior art of record further suggests wherein the security anomaly of the computer system is determined without awareness of a folder of any files of the computer system (reads on an anomaly is determined when the monitored write/read operations deviate from the normal operating behaviors, see Miller para 0310 and Figure 37 and Chen para 0015).
Per claim 8, the prior art of record further suggests wherein the security anomaly of the computer system is determined without access to any content of any files of the computer system (reads on an anomaly is determined when the monitored write/read operations deviate from the normal operating behaviors, see Miller para 0310 and Figure 37 and Chen para 0015).
Per claim 9, the prior art of record further suggests wherein the security anomaly of the computer system is determined without access to an application that operates on files of the computer system (reads on an anomaly is determined when the monitored write/read operations deviate from the normal operating behaviors, see Miller para 0310 and Figure 37 and Chen para 0015).
Claim 18 the computer program product is analyzed with respect to claim 1 the method. The prior art of record further suggests comprising: one or more computer readable storage media; and program instructions collectively stored on the one or more computer readable storage media (see Chen claim 20).

Claims 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Miller in view of Dodson in view of Chen in view of AAPA (Applicant Admitted Prior Art as disclosed in background of Applicant’s as-filed disclosure).


Claim 15 the system is analyzed with respect to claim 1 the method. The prior art of record further suggests a memory, the memory containing one or more instructions; and a processor, the processor communicatively coupled to the memory, the processor, in response to reading the one or more instructions (see Chen claim 20). The prior art of record is silent on explicitly stating the security anomaly comprises a threat toward the computer system. 
AAPA suggests 
the security anomaly comprises a threat toward the computer system (see AAPA para 0002).
[0002]    Anomaly detection may be the analysis, scanning, and detection of various security issues related to computer systems. Security anomalies may be software or hardware threats to computer security and may come in the form of viruses, trojans, malware, or other kinds of attacks towards a computer system. Often, the performance of anomaly detection may be based on application or file-specific monitoring and verification.

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the file-specific monitoring and verification teachings of the primary references (reads on an anomaly is determined when the monitored write/read operations deviate from the normal operating behaviors, see Miller para 0310 and Figure 37 and Chen para 0015) by incorporating the anomaly detection based on file-specific monitoring and verification teachings of AAPA to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the computer art to incorporate the defining of an anomaly as a software/hardware threat to the computer system, as taught in AAPA, into the system of anomaly detection taught by the prior art references in order to more completely identify and remediate unwanted system behavior.  The motivation to combine the references is applied to all dependent claims under this heading.

Claim 16 is analyzed with respect to claim 2. The prior art of record further suggests wherein the security anomaly of the computer system is determined without knowledge of a name of any files of the computer system (reads on an anomaly is determined when the monitored write/read operations deviate from the normal operating behaviors, see Miller para 0310 and Figure 37 and Chen para 0015).


Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Miller in view of Dodson in view of Chen in view of AAPA in view of Karin (US Pub. No. 2020/0287921 A1).


Per claim 21, The prior art of record suggests the system of claim 15. The prior art of record is silent on explicitly stating wherein the security action comprises running an antivirus program on the computer system. 
Karin suggests 
the security action comprises running an antivirus program on the computer system (reads on remediation actions may include but are not limited to initiating a virus/malware scan of the computing device, see Karin para 0066 and 0080 – 0081).

[0066] In some further implementations, such as in an enterprise solution in which a network or systems administrator may remotely configure or has access to configuration or network settings of one of network entities 116 (e.g., such as remotely installing or configuring an anti-virus solution, network configuration settings, remote configuration of a network entity through a Mobile Device Management (MDM) solution, etc.), remediation actions may also include one or more remotely initiated actions. For instance, in such implementations, remediation actions may include, but are not limited to, initiating a scan, such as a virus or malware scan, of a particular network entity (such as a computing device on the network), installing remediation software (e.g., anti-virus or anti-malware packages), or any other installation or configuration of the remotely located entity such that a network anomaly may be remediated, blocking traffic, and/or filtering traffic. In some other examples, a remediation action may comprise adding a machine to a blacklist (e.g., to prevent the network entity from communicating over a network or a subnetwork over certain ports, all ports, etc.). These actions are illustrative only, and may include any other type of remediation action not expressly stated. Furthermore, any one or more of such illustrative actions could be performed automatically or be performed manually (e.g., with the aid of a network administrator that may identify such actions through a suitable interface).


Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the security action teachings of the primary references (reads on the specific method of remediation is highly dependent on the type of anomaly detected, see Dodson para 0026, 0051 and 0165) by incorporating the security action teachings of Karin  (reads on remediation actions may include but are not limited to initiating a virus/malware scan of the computing device, see Karin para 0066 and 0080 – 0081) to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the computer art to include a remediation action that initiates a virus/malware scan of the computing device, as taught in Karin, into the method of remediation that is highly dependent on the type of anomaly detected, see Dodson para 0026, 0051 and 0165, as taught by the prior art references in order to more completely identify and remediate unwanted system behavior, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized the results of the combination were predictable.  The motivation to combine the references is applied to all dependent claims under this heading.


Conclusion
Applicant’s amendment necessitates the new ground(s) of rejection presented in this action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Contact
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is ((571)270-5191.  The examiner can normally be reached on Mon-Thurs from 6:00 AM-3:30 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's Supervisor, Jorge Criado can be reached on (571) 272-7624.  The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/BRIAN F SHAW/Primary Examiner, Art Unit 2496