Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	This action is in response to the original claims filed 7/08/2020.  Claims 1-20 are pending.  Claims 1 (a machine) and 11 (a method) are independent.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because claim 1 is directed to a software computing system.  Software is none of a process, machine, apparatus, or composition of matter and is not statutory for § 101 purposes.
Claim 1 comprises a “storage device” and a “processor”.
The storage device, as defined in Applicant’s specification, may be software: “Certain embodiments are described herein as including logic or a number of routines, subroutines, applications, or instructions. These may constitute either software (e.g., code embodied on a machine-readable medium or in a transmission signal) or hardware.” (Applicant’s ¶ 109).
The processor may be interpreted as “a computer program (such as a compiler) that puts another program into a form acceptable to the computer” (Merriam-Webster online dictionary).  
Transmission media storing instructions and software processors are not physical machines for § 101 purposes and are not statutory. 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-7 and 11-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dahan, US 2018/0293379 (filed 2018-04), in view of Breiman et al., US 2018/0211038 (filed 2017-01).
	As to claims 1 and 11, Dahan discloses a machine/method comprising: 
a persistent storage device having a filesystem defined therein (“Each storage device may be configured to store a plurality of data files in a plurality of file directories” Dahan ¶ 11), the filesystem comprising a protection system (“The system may further comprise a ransomware detection component connected to a select number of the plurality of computing devices and storage devices via the network, wherein the ransomware detection component may be configured to detect possible ransomware attacks.” Dahan ¶ 11) and a data exclusions list stored thereon, the data exclusions list identifying one or more excluded filesystem folders; (excluded from protection, i.e. a honeypot: “creating a backup copy of at least a portion of the files that are in same directory or subdirectory of the honeypot file to which an access request was made” Dahan ¶ 115. “the ransomware process starts encrypting files stored on the first and last shared drives, which are honeypot drives populated with honeypot data…. the ransomware process will only be able to encrypt honeypot data.” Dahan ¶¶ 123-124. Honeypot drives comprising honeypot folders, Dahan ¶ 72.)
a processor communicatively coupled to the persistent storage device, the processor programmed to: (“Operational embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor” Dahan ¶ 134)
creating a canary file in at least one of one or more excluded filesystem folders stored in a filesystem of a persistent storage device coupled to a computing system; (“the honeypot deployment module, a plurality of honeypot data items into a select number of the plurality of storage devices, wherein a select number of the plurality of deployed honeypot data items are accessible to selected users of the system, wherein the honeypot data items comprise honeypot drives, honeypot files” Dahan ¶ 27. “the Honeypot Deployment Module 208 deploys honeypot drives within a majority of the valid shared resources. In a more preferred embodiment, the Honeypot Deployment Module 208 deploys honeypot drives surrounding each valid shared resource.” Dahan ¶ 73)
…
determining, based on at least one file identifier, that at least one of the respective target filesystem objects is the canary file; and (“monitor selected activities performed with respect to one or more of the deployed honeypot drives and/or honeypot files.” Dahan ¶ 75)
replacing each respective target filesystem object with its respective backup copy. (“any encrypted files on the shared mapped drives E-Z may be restored from the last backup.” Dahan ¶ 124)

Dahan does not explicitly disclose:
intercepting one or more input/output (I/O) events, each of the I/O events being directed to a respective target filesystem object stored in the filesystem; 
storing system event metadata associated with each of the I/O events, the system event metadata including, for each I/O event, a file identifier of the respective target filesystem object to which the I/O event is directed; 
for each respective target filesystem object, creating a respective backup copy in the filesystem; 
releasing the I/O events, thereby enabling each I/O event to be performed on its respective target filesystem object; 

Breiman discloses:
intercepting one or more input/output (I/O) events, each of the I/O events being directed to a respective target filesystem object stored in the filesystem; (“The hooking may be done by various processes which intercept function calls or messages or events passed between applications and the OS.” Breiman ¶ 45)
storing system event metadata associated with each of the I/O events, (“The metadata may include an indication of the length of the data contained in the file, the number of blocks allocated for the file or a byte count, the time that the file was last modified, for instance a timestamp, a file creation time, the time the file was last accessed, the time the metadata was changed, and/or the time the file was last backed up. Other information may include the file's type, an owner user identifier (ID), a group ID, access permissions, a submitting process IP, and/or other file attributes (e.g. whether the file is read-only). Optionally, when backing up the file and respective metadata a unique identifier of the process that performed the operation(s) and triggers the backup is stored, optionally with a timestamp.” Breiman ¶ 51. See also Breiman ¶ 58)
for each respective target filesystem object, creating a respective backup copy in the filesystem;  (“a copy or copies of files designated by the guarded file operation request(s) is temporarily stored in a backup storage in response to the detection of the guarded file operation request(s).” Breiman ¶ 50)
releasing the I/O events, thereby enabling each I/O event to be performed on its respective target filesystem object; (“after a copy of the file is temporarily stored at the temporal backup space, the delayed and detected guarded file operation request is released to be executed by the operating system.” Breiman ¶ 50)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Dahan with Breiman by utilizing the backup mechanisms of Breiman to perform the backup disclosed in Dahan (¶ 16).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Dahan with Breiman in order to prevent information loss due to malware, Breiman ¶¶ 4-5.

Dahan in view of Breiman does not explicitly disclose:
the system event metadata including, for each I/O event, a file identifier of the respective target filesystem object to which the I/O event is directed;

However, it would be necessary to have some manner of identifier, such as a filename and path, for the system to restore the file.  In other words, the system must necessarily have an identifier for the stored backed up files in order to allow their use in remediating the files modified by a malicious process (e.g. Breiman ¶ 64).
A person of ordinary skill in the art would have modified the explicit disclosure of Dahan in view of Breiman by including file identifiers in the backup storage.  It would have been obvious to a person of ordinary skill in the art before the effective filing date to include file identifiers in the backup storage in order to allow identification and use of the respective files to remediate lost or encrypted information, as suggested by Dahan ¶ 124 and Breiman ¶ 32.

As to claims 2 and 12, Dahan in view of Breiman disclose the system/method of claims 1 and 11 and further disclose:
wherein the system event metadata further includes, for each I/O event, a process identifier (PID) of a respective process from which the I/O event is received, said processor further programmed to: (“The metadata may include an indication of the length of the data contained in the file, the number of blocks allocated for the file or a byte count, the time that the file was last modified, for instance a timestamp, a file creation time, the time the file was last accessed, the time the metadata was changed, and/or the time the file was last backed up. Other information may include the file's type, an owner user identifier (ID), a group ID, access permissions, a submitting process IP, and/or other file attributes (e.g. whether the file is read-only). Optionally, when backing up the file and respective metadata a unique identifier of the process that performed the operation(s) and triggers the backup is stored, optionally with a timestamp.” Breiman ¶ 51. See also Breiman ¶ 58)
event directed to the canary file as an unauthorized process; (“monitor selected activities performed with respect to one or more of the deployed honeypot drives and/or honeypot files.” Dahan ¶ 75)

Dahan in view of Breiman, as combined in claim 1, does not explicitly disclose:
identify, from the stored system event metadata, the respective process identified by the PID associated with the I/O 
and terminate the unauthorized process.

Breiman further discloses:
identify, from the stored system event metadata, the respective process identified by the PID associated with the I/O 
and terminate the unauthorized process.
(“this allows to identify the files accessed by the process performing the attack and to perform one or more remediation operations thereon. For example, all the files that include the unique identifier of the process and respective metadata may be restored. This may be performed in addition to the termination of the process.” Breiman ¶ 58)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Dahan with Breiman by utilizing the backup mechanisms of Breiman to perform the backup disclosed in Dahan (¶ 16).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Dahan with Breiman in order to prevent information loss due to malware, Breiman ¶¶ 4-5.

As to claims 3 and 13, Dahan in view of Breiman disclose the system/method of claims 2 and 11 and further discloses:
said processor further programmed to temporarily pause processes executing on the computing system (“action script may comprise at least one security action selected from the group consisting of preventing at least one process from accessing data files stored in at least one of the plurality of storage devices; suspending at least one process executing on data files stored in at least one of the plurality of storage devices;” Dahan ¶ 32) upon determining that at least one of the respective target filesystem objects is the canary file. (Dahan ¶¶ 110-111, access of honeypot file triggering action script.)

As to claims 4 and 14, Dahan in view of Breiman disclose the system/method of claims 2 and 11 but does not explicitly disclose:
wherein the operation of replacing each respective target filesystem object comprises said processor programmed to automatically replace each respective target filesystem object to which an I/O event received from the unauthorized process is directed with its respective backup copy. 

Breiman further discloses:
wherein the operation of replacing each respective target filesystem object comprises said processor programmed to automatically replace each respective target filesystem object to which an I/O event received from the unauthorized process is directed with its respective backup copy. 
(“this allows to identify the files accessed by the process performing the attack and to perform one or more remediation operations thereon. For example, all the files that include the unique identifier of the process and respective metadata may be restored. This may be performed in addition to the termination of the process.” Breiman ¶ 58)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Dahan with Breiman by utilizing the backup mechanisms of Breiman to perform the backup disclosed in Dahan (¶ 16).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Dahan with Breiman in order to prevent information loss due to malware, Breiman ¶¶ 4-5.


As to claims 5 and 15, Dahan in view of Breiman disclose the system/method of claims 1 and 11 and further discloses:
said processor further programmed to present, in response to determining that at least one of the respective target filesystem objects is the canary file, an alert to a user of the computing system. (“Action Script may include protective security responses, including, but not limited to: preventing a new process from accessing other files stored within the affected component or system; stopping a new process; generating an alert to at least one of the system administrator or user;” Dahan ¶ 115. Dahan ¶¶ 110-111, access of honeypot file triggering action script.)

As to claims 6 and 16, Dahan in view of Breiman disclose the system/method of claims 5 and 15 but does not explicitly disclose:
wherein the alert comprises one or more of the following: an audible indicator and a visual indicator. 

However, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to provide the alert (“generating an alert to at least one of the system administrator or user;” Dahan ¶ 115.) in a manner that is recognizable by the human senses of vision and hearing, for example an email.  A person of ordinary skill in the art before the effective filing date of the claimed invention would have provided the alert in the form of an email so that the human administrator of Dahan could perceive the alert and perform actions based thereupon, thereby fulfilling the purpose of the administrator alert of Dahan ¶ 115.

As to claims 7 and 17, Dahan in view of Breiman disclose the system/method of claims 1 and 11 and further discloses:
said processor further programmed to parse the data exclusions list to identify the one or more excluded filesystem folders. (excluded from protection: “creating a backup copy of at least a portion of the files that are in same directory or subdirectory of the honeypot file to which an access request was made” Dahan ¶ 115. “the ransomware process starts encrypting files stored on the first and last shared drives, which are honeypot drives populated with honeypot data…. the ransomware process will only be able to encrypt honeypot data.” Dahan ¶¶ 123-124. Honeypot drives comprising honeypot folders, Dahan ¶ 72.)


Claim(s) 8, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dahan, US 2018/0293379 (filed 2018-04), in view of Breiman et al., US 2018/0211038 (filed 2017-01), and Chelarescu et al., US 2020/0342106 (filed 2019-04).

As to claims 8 and 18, Dahan in view of Breiman disclose the system/method of claims 1 and 11 and further discloses:
wherein the system event metadata further includes, for each I/O event, a time and date of the I/O event (“The metadata may include …. and/or the time the file was last backed up.” Breiman ¶ 51. Where the time is also a “date”, Breiman ¶ 17), wherein the operation of replacing each respective target filesystem object comprises said processor programmed to:
identify, from the stored system event metadata, each I/O event having a time and date (“The metadata may include …. and/or the time the file was last backed up.” Breiman ¶ 51. Where the time is also a “date”, Breiman ¶ 17)

Dahan in view of Breiman, as combined in claim 1, does not explicitly disclose:
within a predetermined period; 
identify each respective target filesystem object to which each identified I/O event is directed; and 
automatically replace each identified respective target filesystem object with its respective backup copy. 

Breiman further discloses:
identify each respective target filesystem object to which each identified I/O event is directed; and (“each one of the files is marked with a unique identifier of the process that performed the operation(s)…. all the files that include the unique identifier of the process and respective metadata may be restored.” Dahan ¶ 58)
automatically replace each identified respective target filesystem object with its respective backup copy. (“each one of the files is marked with a unique identifier of the process that performed the operation(s)…. all the files that include the unique identifier of the process and respective metadata may be restored.” Dahan ¶ 58)
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Dahan with Breiman by utilizing the backup mechanisms of Breiman to perform the backup disclosed in Dahan (¶ 16).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Dahan with Breiman in order to prevent information loss due to malware, Breiman ¶¶ 4-5.

Dahan in view of Breiman does not disclose:
within a predetermined period; 

Chelarescu discloses:
within a predetermined period; 
(“the cloud service can assess and/or ascertain when the infection occurred and/or which version of the impacted file(s) was first corrupted. Based on this determination, the system can automatically rollback the damaged file version(s) to earlier versions in which no infection had yet occurred or caused damage in a thirteenth stage 870.” Chelarescu ¶ 66. The period being a period before the damage)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Dahan in view of Breiman with Chelarescu by determining the time of infection and restoring to a prior backup file.  A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Dahan in view of Breiman with Chelarescu in order to restore the system to a state prior to infection, thereby resolving the known intrusion to the system. 


Claim(s) 9, 10, 19, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dahan, US 2018/0293379 (filed 2018-04), in view of Breiman et al., US 2018/0211038 (filed 2017-01), and Sallam, US 2012/0254982 (filed 2011-03).
As to claims 9 and 19, Dahan in view of Breiman disclose the system/method of claims 1 and 11 but does not disclose:
said processor further programmed to compare each respective backup copy to its respective target filesystem object to determine whether the respective backup copy and its respective target filesystem object are substantially identical.

Sallam discloses:
said processor further programmed to compare each respective backup copy to its respective target filesystem object to determine whether the respective backup copy and its respective target filesystem object are substantially identical.  (“Disk mapping bitmap 928 may specify the location of a protected file on storage device 906 and may also provide a previously generated hash value for the protected file. Disk mapping bitmap 928 may be consulted to identify the location of a protected file, a hash may be computed using the contents of the protected file, and the computed hash may be compared to the previously generated hash value from disk mapping bitmap 928. If the hash values do not match, the protected file has been altered, possibly by malware, and the file is restored from backup storage device 920.” Sallam ¶ 213)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Dahan in view of Breiman with Sallam by performing a hash comparison before restoring the file from the backup storage, e.g. Dahan ¶ 124, in order to determine if the file to be restored has changed before restoration.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Dahan in view of Breiman with Sallam in order to prevent copying an identical file during a restoration process, needlessly occupying computer resources to perform an act that will not change the system. 

As to claims 10 and 20, Dahan in view of Breiman and Sallam discloses the system/method of claims 9 and 19 and further discloses:
wherein the comparing operation comprises one or more of the following: said processor programmed to perform a byte-for-byte comparison of each respective backup copy to its respective target filesystem object; (non-required alternative)
and said processor programmed to generate a first hash value for each respective backup copy and a second hash value for its respective target filesystem object and compare the first and second hash values. (“Disk mapping bitmap 928 may specify the location of a protected file on storage device 906 and may also provide a previously generated hash value for the protected file. Disk mapping bitmap 928 may be consulted to identify the location of a protected file, a hash may be computed using the contents of the protected file, and the computed hash may be compared to the previously generated hash value from disk mapping bitmap 928. If the hash values do not match, the protected file has been altered, possibly by malware, and the file is restored from backup storage device 920.” Sallam ¶ 213)
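As an added illustration, not code from the application or from Dahan, Breiman, Chelarescu or Sallam, the following Python simulation models the claimed protection flow end to end over an in-memory filesystem: a canary file is created in each excluded folder, every I/O event is intercepted, its metadata (file identifier, PID, time) stored and a backup copy taken before the event is released, and a write to the canary marks the sending PID as unauthorized, after which the objects that PID touched within a predetermined look-back window are restored, skipping any whose hash already matches the backup. The folder name, canary filename, PIDs and file contents are constructed for the scenario.

```python
import hashlib
from dataclasses import dataclass, field

CANARY_NAME = ".canary.txt"   # hypothetical canary filename (constructed)


@dataclass
class IOEvent:
    pid: int          # process identifier of the requesting process
    path: str         # file identifier of the target filesystem object
    new_data: bytes   # content the write would leave behind
    ts: float         # time and date of the event (seconds)


@dataclass
class ProtectionSystem:
    fs: dict                     # live filesystem: path -> bytes (in-memory stand-in)
    exclusions: list             # data exclusions list: excluded folders
    backups: dict = field(default_factory=dict)    # path -> pre-event copy
    metadata: list = field(default_factory=list)   # stored (pid, path, ts) per event
    terminated: set = field(default_factory=set)   # PIDs flagged as unauthorized

    def plant_canaries(self):
        # parse the exclusions list and create one canary per excluded folder
        paths = [f"{folder}/{CANARY_NAME}" for folder in self.exclusions]
        for p in paths:
            self.fs[p] = b"canary"
        return paths

    def is_canary(self, path):
        return path in {f"{f}/{CANARY_NAME}" for f in self.exclusions}

    def handle(self, ev, window):
        # intercept: store metadata and a backup copy before the event is released
        self.metadata.append((ev.pid, ev.path, ev.ts))
        if ev.path in self.fs and ev.path not in self.backups:
            self.backups[ev.path] = self.fs[ev.path]
        self.fs[ev.path] = ev.new_data           # release the I/O event
        if self.is_canary(ev.path):              # canary access => unauthorized process
            self.terminated.add(ev.pid)          # stand-in for terminating the PID
            return self.remediate(ev.pid, since=ev.ts - window)
        return []

    def remediate(self, pid, since):
        # restore every object the PID touched within the look-back window,
        # skipping objects whose hash already matches their backup copy
        restored = []
        for p, path, ts in self.metadata:
            if p != pid or ts < since or path not in self.backups or path in restored:
                continue
            if (hashlib.sha256(self.fs[path]).digest()
                    == hashlib.sha256(self.backups[path]).digest()):
                continue                         # substantially identical: skip
            self.fs[path] = self.backups[path]
            restored.append(path)
        return restored


def demo():
    # constructed scenario: benign editor (PID 100) and simulated encryptor (PID 200)
    ps = ProtectionSystem(fs={"docs/a.txt": b"A", "docs/b.txt": b"B",
                              "docs/c.txt": b"C", "docs/d.txt": b"D"},
                          exclusions=["honeypot"])
    ps.plant_canaries()
    events = [
        IOEvent(100, "docs/c.txt", b"C2", 1.0),               # legitimate edit
        IOEvent(200, "docs/c.txt", b"C3", 3.0),               # falls outside the window
        IOEvent(200, "docs/d.txt", b"D", 9.0),                # rewrite with identical bytes
        IOEvent(200, "docs/a.txt", b"\x00\x01", 10.0),        # overwritten ("encrypted")
        IOEvent(200, "docs/b.txt", b"\x00\x02", 11.0),
        IOEvent(200, "honeypot/.canary.txt", b"\x00", 12.0),  # canary hit triggers rollback
    ]
    restored = []
    for ev in events:
        restored += ps.handle(ev, window=5.0)
    return ps, restored
```

Note that the write to docs/c.txt at t=3.0 is not rolled back because it precedes the window, which is exactly the trade-off a predetermined period introduces.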

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Demaio et al., US 2006/0190505, discloses backup and remediation policies.
Ye et al., US 9,317,686, discloses backing up files utilized by suspicious software and potentially restoring the files if the software is deemed malicious.
Scrimsher et al., US 2006/0179484, discloses backing up data and detecting intruders using honeypots.
Singh et al., US 10,503,904, discloses backing up data and detecting malicious alterations of files using honeypots for subsequent restoration.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/           Examiner, Art Unit 2492