DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/13/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 8-9 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Nossik et al. (US Patent No. 10,609,066) in view of Kallos et al. (US Pub No. 2020/0082084).
Regarding independent claim 1, Nossik teaches a system for providing enhanced cryptography based response mechanism for malicious attacks, the system comprising: at least one network communication interface; at least one non-transitory storage device; and at least one processing device coupled to the at least one non-transitory storage device and the at least one network communication interface, wherein the at least one processing device is configured to: generate one or more tracker seeds (Nossik, column 6, lines 24-53; column 8, line 49-column 9, line 11, column 11, line 57-column 12, line 7 and column 13, lines 13-15; trap object setup/initialization); store the one or more tracker seeds in at least one entity system associated with an entity (Nossik, column 10, lines 24-28 and column 13, lines 13-21; deploy trap objects); identify a malicious event associated with data in the at least one entity system (Nossik, column 13, lines 16-29, column 10, lines 28-58 and column 7, lines 39-60; detect ransomware based on trap objects). 
Nossik discloses automatically triggering remedial actions (Nossik, column 10, lines 59-67) but does not explicitly teach in response to identifying the malicious event, identify an encryption algorithm and a key for the malicious event based on the one or more tracker seeds; and decrypt the data in the at least one entity system based on the encryption algorithm the key. 
Kallos teaches in response to identifying the malicious event, identify an encryption algorithm and a key for the malicious event based on the one or more tracker seeds (Kallos, page 5, paragraphs 0054-0055; determine encryption algorithm used for ransom algorithm and key based on seed parameters); and decrypt the data in the at least one entity system based on the encryption algorithm the key (Kallos, page 5, paragraphs 0054-0055; decrypt data with encryption key).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Nossik with the teaching of Kallos to categorize ransomware to provide the advantage of improving the mitigation of ransomware attack (Kallos, page 1, paragraphs 0002-0005).
Regarding claim 8, Nossik in view of Kallos teaches the system wherein the malicious event is a ransomware attack (Nossik, column 10, lines 25-27).
Regarding independent claim 9, Nossik teaches a computer program product for providing enhanced cryptography based response mechanism for malicious attacks, the computer program product comprising a non-transitory computer-readable storage medium having computer executable instructions for causing a computer processor to perform the steps of: generating one or more tracker seeds (Nossik, column 6, lines 24-53; column 8, line 49-column 9, line 11, column 11, line 57-column 12, line 7 and column 13, lines 13-15; trap object setup/initialization); storing the one or more tracker seeds in at least one entity system associated with an entity (Nossik, column 10, lines 24-28 and column 13, lines 13-21; deploy trap objects); identifying a malicious event associated with data in the at least one entity system (Nossik, column 13, lines 16-29, column 10, lines 28-58 and column 7, lines 39-60; detect ransomware based on trap objects).
Nossik discloses automatically triggering remedial actions (Nossik, column 10, lines 59-67) but does not explicitly teach in response to identifying the malicious event, identify an encryption algorithm and a key for the malicious event based on the one or more tracker seeds; and decrypting the data in the at least one entity system based on the encryption algorithm the key. 
Kallos teaches in response to identifying the malicious event, identify an encryption algorithm and a key for the malicious event based on the one or more tracker seeds (Kallos, page 5, paragraphs 0054-0055; determine encryption algorithm used for ransom algorithm and key based on seed parameters); and decrypting the data in the at least one entity system based on the encryption algorithm the key (Kallos, page 5, paragraphs 0054-0055; decrypt data with encryption key).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Nossik with the teaching of Kallos to categorize ransomware to provide the advantage of improving the mitigation of ransomware attack (Kallos, page 1, paragraphs 0002-0005).
Regarding independent claim 15, Nossik teaches a computer implemented method for providing enhanced cryptography based response mechanism for malicious attacks, the method comprising: generating one or more tracker seeds (Nossik, column 6, lines 24-53; column 8, line 49-column 9, line 11, column 11, line 57-column 12, line 7 and column 13, lines 13-15; trap object setup/initialization); storing the one or more tracker seeds in at least one entity system associated with an entity (Nossik, column 10, lines 24-28 and column 13, lines 13-21; deploy trap objects); identifying a malicious event associated with data in the at least one entity system (Nossik, column 13, lines 16-29, column 10, lines 28-58 and column 7, lines 39-60; detect ransomware based on trap objects). 
Nossik discloses automatically triggering remedial actions (Nossik, column 10, lines 59-67) but does not explicitly teach in response to identifying the malicious event, identify an encryption algorithm and a key for the malicious event based on the one or more tracker seeds; and decrypting the data in the at least one entity system based on the encryption algorithm the key. 
Kallos teaches in response to identifying the malicious event, identify an encryption algorithm and a key for the malicious event based on the one or more tracker seeds (Kallos, page 5, paragraphs 0054-0055; determine encryption algorithm used for ransom algorithm and key based on seed parameters); and decrypting the data in the at least one entity system based on the encryption algorithm the key (Kallos, page 5, paragraphs 0054-0055; decrypt data with encryption key).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Nossik with the teaching of Kallos to categorize ransomware to provide the advantage of improving the mitigation of ransomware attack (Kallos, page 1, paragraphs 0002-0005).

Allowable Subject Matter
Claims 2-7, 10-14 and 16-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Examiner’s Statement of Reasons for Indicating Allowable Subject Matter
The following is a statement of reasons for the indication of allowable subject matter: The prior art Nossik et al. (US Patent No. 10,609,066) discloses a key management system for data encryption keys (Nossik, column 14, lines 1-14 and 46-column 15, line 3), Kallos et al. (US Pub No. 2020/0082084) discloses an encryption algorithm used by a ransomware will require the generation of an encryption key. Ransomware servers may not manage keys for all infected target computer systems because such management is resource intensive and introduces a vulnerability of key storage. Accordingly, a ransomware will utilize immutable characteristics of a target computer system to generate a key at the time of ransomware infection in order that the same key can be reliably generated by a ransomware server in respect of the same target computer system subsequently. The key will, thus, be generated based on seed data or parameters arising from the target computer system that cannot be expected to change. (Kallos, page 4, paragraph 0049), Wueest et al. (US Patent No. 10,554,688) discloses monitoring traffic into and out of an organization-level network. A request for an encryption key from ransomware infecting a computer in the organization-level network to a remote command and control server is detected. A simulated reply to the ransomware is generated. A known encryption key for which the corresponding decryption key is also known is substituted for the encryption key supplied by the C&C server. The simulated reply containing the substituted known key is then supplied to the ransomware, such that the ransomware uses the known encryption key to encrypt files accessible from the computing device, and requests payment in order to provide a decryption key. Instead of paying the ransom, the encrypted files are decrypted using the known decryption key corresponding to the known encryption key which was provided to the ransomware. (Wueest, Abstract), and Underwood et al. (US Pub No. 2021/0026961) discloses protecting a computing device of a target system against ransomware attacks employs a file system having a data structure used by an operating system of the computing device for managing files. A software or a hardware installed agent in the computing device performs one or more actions autonomously on behalf of the target system. The agent autonomously creates one or more trap files in the data structure of the filing system. A trap file is a file access to which indicates a probability of ransomware attack. The agent monitors access to the one or more trap files. Upon detecting access to a trap file, remedial action is performed by the target system against the probability of ransomware attack. Additionally added to the trap file are details of the node or client or machine, file location, and Ransomware Rewind software installation unique identifiers to trace an individual trap file back to its source in case of data theft. The details also capture environment information useful for later forensic analysis. This is encrypted and encoded into the trap file using a selection of modern steganographic techniques that are available. The particular technique and encryption key is shared between a trap file and the Ransomware Rewind database. (Underwood, Abstract and page 7, paragraph 0089), however, the prior art on record taken alone or in combination does not teach or suggest “generate one or more encryption algorithm key pairs for the one or more tracker seeds; and store the one or more encryption algorithm key pairs in one or more rainbow tables” (as recited in claims 2, 10 and 16), in combination with the remaining claim limitations.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAQUEAL D WADE whose telephone number is (571)270-0357. The examiner can normally be reached M-F 8:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/SHAQUEAL D WADE-WRIGHT/Primary Examiner, Art Unit 2437