Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 6/30/2022 was filed after the mailing date of the Non-Final Office Action on 4/01/2022.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Amendment
	The objections to the specification have been overcome by amendment or cancellation.

Response to Arguments
Applicant’s arguments, see Pg. 9-10, filed 6/30/2022, with respect to the 112(a) rejection of claims 1-10 have been fully considered and are persuasive.  The 112(a) rejection of claims 1-10 has been withdrawn. 
Applicant’s arguments with respect to the 103 rejection of claim 1 have been fully considered but are not persuasive.
Regarding applicant’s response to the 103 rejection of claim 1, applicant argues that Tamir does not expressly or impliedly teach exposure of a target computer system to a ransomware algorithm, the examiner respectfully disagrees. The applicant argues that the “exposing” is an affirmative action not disclosed by Tamir. While it could be the case that a sample ransomware is exposed to the target computer for purposes of training a classifier, this is neither claimed nor disclosed in the instant specification. There is no differentiating, within the claims of the present disclosure, between simply allowing a ransomware attack to occur and intentionally infecting the target computer with a sample ransomware.
Regarding applicant’s argument that there is no indication in Tamir of an index as a feature of an encryption algorithm, the examiner respectfully disagrees. Referring to [0047], “The ransomware detector 210 may collect various features such as the number and frequency of changes, the location of changes, the patterns of the changes…, user information…, and so on.” Ransomware is known in the art as a malicious software that encrypts a target computer’s data. This necessarily means that there exists an encryption algorithm being used by the ransomware algorithm to encrypt the data and in order to encrypt the data, the ransomware must access the data. The ransomware must index the data in order to access it. Through this reasoning, Tamir discloses the indexing of changes to the data, which includes the location of changes, however, the broadest reasonable interpretation also includes the number and frequency and the patterns of changes as well. This indexing of changes is then used to train the classifier. This is consistent with the definition of the index of the present invention on pg. 8 ln. 1-5, which defines the index as “a series of locations within the encrypted form of data 208.” However, the difference between Tamir and the present invention, is that Tamir does not disclose a searchable encryption algorithm used as the encryption algorithm. This is remedied by combining Tamir with Wang, which teaches an attack model against a searchable encryption algorithm that mirrors the present invention. The difference between Wang and the present invention is that Wang does not teach using the searchable encryption index to train a classifier to identify the searchable encryption algorithm. Since the indexing is a feature of the encryption algorithm used by the ransomware, one of ordinary skill in the art would be able to combine Tamir with Wang by substituting the encryption algorithm used by the ransomware in Tamir with a searchable encryption algorithm, specifically an index-based searchable encryption scheme as suggested by Wang, and to use the indexing of the searchable encryption algorithm to train a classifier to identify the searchable encryption algorithm.
Regarding applicant’s argument that modifying Tamir with Wang improperly changes the principle of operation of Tamir under MPEP 2143.01(VI), the examiner respectfully disagrees. The mere fact that Tamir is directed to restoring data changed by a ransomware attack is moot because Tamir still discloses, as part of the invention, a method and apparatus of training a classifier to detect ransomware ([0047-0050]). This is within the scope of the present invention. With the modifications discussed above, Tamir is fully capable of performing the method of the present invention as originally claimed.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claims 1, 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Tamir et al. (US-PGPUB 2018/02112987 A1), in view of Wang, G. et al. “Leakage Models and Inference Attacks on Searchable Encryption for Cyber-Physical Social Systems.” IEEE Access 6 (2018): 21828-21839, hereinafter Tamir and Wang.

	Regarding claim 1, Tamir discloses a computer implemented method of identifying a ransomware algorithm (Fig. 6) the ransomware algorithm having associated a predetermined responsive action for mitigating effects of the ransomware algorithm in use ([0058]) the method comprising:
exposing a target computer system to the ransomware algorithm ([0014], “resulting from a ransomware attack”), the target computer system containing a predetermined set of sample data stored therein that is encrypted by the ransomware algorithm ([0014], “changes to the data”)
and training an autoencoder ([0047], “neural network”) based on the index to provide a trained autoencoder adapted to identify the ransomware algorithm based on an index ([0047], “features such as the number and frequency of changes, the location of changes, the patterns of the changes…, user information…, and so on.”). 
Ransomware is known in the art as a malicious software that encrypts a target computer’s data. This necessarily means that there exists an encryption algorithm being used by the ransomware algorithm to encrypt the data and in order to encrypt the data, the ransomware must access the data. The ransomware must index the data in order to access it. The features listed by Tamir are consistent with an “index” as defined by the instant specification on pg. 8 ln. 1-5, “a series of locations within the encrypted form of data 208.” Therefore, Tamir discloses the indexing of changes to the data, which includes the location, the number and frequency, and the patterns of changes.
The difference between Tamir and the present invention, is that Tamir does not disclose the ransomware algorithm using a searchable encryption algorithm or intercepting an index of the searchable encryption algorithm. This is remedied by combining Tamir with Wang, which teaches an attack model against a searchable encryption algorithm that mirrors the present invention.
Wang teaches a searchable encryption algorithm (Sect. I, Pg. 21828, Col. 1 In. 1-10) and intercepting an index of the searchable encryption algorithm (Sect. Il-A, Pg. 21830, Col 1 In. 51-54, “communications”).
The difference between Wang and the present invention is that Wang does not teach training an autoencoder based on the index to provide a trained autoencoder adapted to identify the searchable encryption algorithm based on the index. Since the indexing is a feature of the encryption algorithm used by the ransomware, one of ordinary skill in the art would be able to combine Tamir with Wang by substituting the encryption algorithm used by the ransomware in Tamir with a searchable encryption algorithm, specifically an index-based searchable encryption scheme as suggested by Wang, and to use the indexing of the searchable encryption algorithm to train a classifier to identify the searchable encryption algorithm as suggested by Tamir.
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tamir to incorporate the teachings of Wang to include a searchable encryption algorithm to encrypt the sample data, and intercepting an index of the searchable encryption algorithm to use as the training data set for the autoencoder to detect new types of ransomware.

Claims 9-10 are substantially similar to claim 1, and are therefore rejected as being obvious over Tamir in view of Wang on similar grounds as claim 1.

	Regarding claims 2-8, the claims remain in their original form and depend on claim 1. For the reasons outlined above, claims 2-10 remain rejected under the 103 rejections made in the prior Non-Final office action filed 4/01/2022.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSHUA NEIL GONZALES whose telephone number is (571)272-0286. The examiner can normally be reached 10:00 AM-7:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/J.N.G./Examiner, Art Unit 2496                                                                                                                                                                                                        
/TAE K KIM/Primary Examiner, Art Unit 2496