Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Election/Restrictions
2.    NO restrictions warranted at initial time of filing for patent.

Priority
3.    Applicant claims domestic priority under 35 USC 119e to provisional application filed on 11/22/2019.
Information Disclosure Statement
4.    The information disclosure statement (IDS) submitted on 06/08/2021, 08/30/20201,10/22/2021, 12/22/2021, 01/28/2022, 02/25/2022, 03/31/2022, 04/29/2022, 06/28/2022, and 08/02/2022, the submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Oath/Declaration
5.    Applicant’s Oath was filed on 06/08/2021.

Drawings
6.    Applicant’s drawings filed on 06/08/2021 has been inspected and is in compliance with MPEP 608.01.
Specification
7.    Applicant’s specification filed on 06/08/2021 has been inspected and is in compliance with MPEP 608.02.
Claim Objections
8.    NO objections warranted at initial time of filing for patent.

Remarks
9.	Examiner request Applicant review relevant prior art under the conclusion of this office action.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

10.	Claims 1-20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by U.S. Publication No. 20180024893 hereinafter Sella.

	As per claim 1, Sella discloses:
A method (para 0009 “A method for ransomware-aware file backup is implemented on a computing device and includes: backing up a target population of files from a target file location in a backup transaction, computing a backup delta score for the backup transaction, where the computing comprises comparing backup data from the backup transaction with backup data from a previous backup transaction, determining whether the computer backup delta score exceeds a pre-defined threshold; and upon the computed backup delta score exceeding the pre-defined threshold: determining that the backup transaction is indicative of a ransomware infection, and performing at least one counter-measure in response to the ransomware infection.”) comprising:
determining, by a data protection system, a delta metric between a first recovery dataset generated by a storage system at a first time and a second recovery dataset generated by the storage system at a second time subsequent to the first time (para 0012 “For each transaction, intelligent backup server 100 is configured to compute and maintain a “delta-score” that represents changes in the characteristics of the current backup vis-à-vis the files backed up in a previous transaction. Accordingly, the delta-score may be derived by first scoring one or more of a series of scoring factors for some, or all, of the files backed up in a given backup transaction, and then comparing the resulting scores with those received from one or more previous backup transactions. It will be appreciated that there is no previous transaction for comparison at the time of the first backup transaction for client computing device 20. For first-time backup transactions, the delta-scores may be derived in comparison with pre-configured default values that represent scores that may be typical for a client computing device 20 that is not infected by ransomware.” Para 0013 “As detailed hereinbelow, the delta-score may be computed according to one, some, or all, of a number of scoring factors, such as, for example: a number of new files in the backup transaction; a number of old files missing from a previous backup transaction; a number of files that have been modified since a previous transaction; file access patterns for modified, new, or deleted files; the entropy level of the files included in a transaction; etc.”);
 and determining, by the data protection system based on the delta metric, whether data maintained by the storage system is possibly being targeted by a security threat (Fig. 4, para 0021 “System 1 may benchmark and/or maintain scoring histories of delta-scores on a per individual user basis. It will be appreciated that usage patterns and individual preferences may differ according to the backup user. If the delta-score for the current transaction is significantly higher than previous, typical delta-scores of that user, system 1 is configurable to provide a variety of responses under the assumption that the originating PC has been contaminated by ransomware.”).

As per claim 2, Sella discloses:
The method of claim 1, wherein the determining whether the data maintained by the storage system is possibly being targeted by the security threat comprises determining that the data maintained by the storage system is possibly being targeted by the security threat if the delta metric is greater than a threshold (Fig. 4, para 0014 “Accordingly, when computing the score there may be a compensation factor to account for specific known software applications and their known behaviors. A score based on the number of new files backed up may also be assigned progressively, where a series of new file thresholds may be defined, such that the scoring factor may increase as the number of new files increases.” Para 0045 “If the delta-score computed in step 230 is not less than the defined threshold (step 240), i.e., the delta-score appears to indicate that the target computer system (e.g., client computing device 20) is infected with ransomware, backup manager 130 may alert (step 250) an authorized user of client computing device 20 regarding the likelihood of infection. As described hereinabove, depending upon the configuration of backup manager 130, this alert may be in the form of an email, an IM message, a text message, etc.”).

As per claim 3, Sella discloses:
The method of claim 2, further comprising performing, by the data protection system based on the determining that the storage system is possibly being targeted by the security threat, a remedial action with respect to the storage system (para 0045 and 0046).

As per claim 4, Sella discloses:
The method of claim 3, wherein the performing the remedial action comprises preventing one or more recovery datasets from being deleted until one or more conditions are fulfilled (para 0052 “Alternatively, or in addition, file manager 130 may discard (step 266) the entire backup transaction, i.e., delete the data from the backup transaction.”).

As per claim 5, Sella discloses:
The method of claim 4, wherein the one or more recovery datasets are generated by the storage system prior to the first time (para 0012 “Similar to typical backup systems, intelligent backup system 1 is configured to keep multiple backup copies. Intelligent backup system 1 is further configured to check each “backup-transaction” (hereafter, “transaction”), either scheduled or manual, in order to assess a likelihood for whether or not any of the files in the current backup transaction (i.e., the files currently being backed up) have been contaminated by ransomware.”).

As per claim 6, Sella discloses:
The method of claim 3, wherein the performing the remedial action comprises using one or more recovery datasets to restore the data maintained by the storage system to a state that corresponds to a point in time that precedes a point in time at which the data protection system determines that the data maintained by the storage system is possibly being targeted by the security threat (para 0023 “System 1 may also provide an interactive graphical user interface (GUI) accessible by the alerted user to facilitate examination of the transaction details and/or the causes for the high delta-score. The user may use the GUI to provide instructions to system 1 regarding the disposition of the backup from the transaction and/or changes in policy going forward. In the event that a file restore is to be performed (either as determined autonomously by system 1 and/or in response to a proactive instruction from the user), the user may also use the GUI to select to perform the restore from among stored backup versions.” Para 0045 “ If the delta-score computed in step 230 is not less than the defined threshold (step 240), i.e., the delta-score appears to indicate that the target computer system (e.g., client computing device 20) is infected with ransomware, backup manager 130 may alert (step 250) an authorized user of client computing device 20 regarding the likelihood of infection. As described hereinabove, depending upon the configuration of backup manager 130, this alert may be in the form of an email, an IM message, a text message, etc.”).

As per claim 7, Sella discloses:
The method of claim 3, wherein the performing the remedial action comprises providing a notification (para 0045).

As per claim 8, Sella discloses:
The method of claim 2, wherein the threshold is based on a historical average of delta metrics between recovery datasets generated prior to the first time (para 0027 “System 1 may also provide support recovery from a ransomware situation. For example, system 1 may be configured to determine a most recent “trusted” baseline backup version based on historical delta-scores computed as per the description hereinabove. Such determination may comprise pinpointing a date in which the scoring pattern began to change significantly. System 1 may also be configured to identify and report the time-window (using the same method), in which the ransomware has infected the machine. This may be leveraged by downstream functionality for tracking the ransomware's distribution.” para 0049 “Accordingly, backup manager 130 may determine the baseline version based at least in part on a historical trend in delta-scores. For example, while the delta-score for the previous transaction, T.sub.−1, may not have been sufficiently high to indicate (in and of itself) an infection, it may still have been higher than the delta-score for transaction T.sub.−2, i.e., the transaction that preceded T.sub.−1. The difference between the delta scores for transactions T.sub.−1 and T.sub.−2 may indicate that the infection actually began prior to T.sub.−1. In such manner, backup manager 130 may identify a change in the historical trend of delta-scores and determine which of the stored transactions T.sub.n to use as the baseline version.”).

As per claim 9, Sella discloses:
The method of claim 8, wherein the threshold is set to be a certain number of standard deviations above the historical average of delta metrics between recovery datasets generated prior to the first time (para 0027 “System 1 may also provide support recovery from a ransomware situation. For example, system 1 may be configured to determine a most recent “trusted” baseline backup version based on historical delta-scores computed as per the description hereinabove. Such determination may comprise pinpointing a date in which the scoring pattern began to change significantly. System 1 may also be configured to identify and report the time-window (using the same method), in which the ransomware has infected the machine. This may be leveraged by downstream functionality for tracking the ransomware's distribution.” para 0049 “Accordingly, backup manager 130 may determine the baseline version based at least in part on a historical trend in delta-scores. For example, while the delta-score for the previous transaction, T.sub.−1, may not have been sufficiently high to indicate (in and of itself) an infection, it may still have been higher than the delta-score for transaction T.sub.−2, i.e., the transaction that preceded T.sub.−1. The difference between the delta scores for transactions T.sub.−1 and T.sub.−2 may indicate that the infection actually began prior to T.sub.−1. In such manner, backup manager 130 may identify a change in the historical trend of delta-scores and determine which of the stored transactions T.sub.n to use as the baseline version.”).

As per claim 10, Sella discloses:
The method of claim 2, wherein the threshold is set to be a certain amount above a maximum delta between recovery datasets generated during a predetermined time period prior to the first time (para 0032, 0041, 0043, and 0045).


As per claim 11, Sella discloses:
The method of claim 1, wherein the determining whether the data maintained by the storage system is possibly being targeted by the security threat comprises determining that the data maintained by the storage system is not being targeted by the security threat if the delta metric is less than a threshold.

As per claim 12, Sella discloses:
The method of claim 1, wherein the delta metric comprises a size difference between the first and second recovery datasets (para 0016 and 0018).

As per claim 13, Sella discloses:
The method of claim 1, wherein the delta metric comprises a compressibility difference between the first and second recovery datasets (para 0018).

As per claim 14, Sella discloses:
The method of claim 1, wherein the data protection system is implemented by a controller within the storage system (Figs. 1-3, para 0011, 0012, and 0037).




As per claim 15, Sella discloses:
The method of claim 1, wherein the data protection system is implemented by a computing system communicatively coupled to the storage system by way of a network (Figs. 1-3, para 0011, 0012, and 0037).

As per claim 16, Sella discloses:
The method of claim 1, wherein the security threat comprises a ransomware attack (Fig. 4, para 0012).

As per claim 17, the implementation of the method of claim 1 will execute the system of claim 17. The claim is analyzed with respect to claim 1. 

As per claim 18, the claim is analyzed with respect to claim 2. 

As per claim 19, the claim is analyzed with respect to claim 3. 

As per claim 20, the implementation of the method of claim 1 will execute the non-transitory computer readable medium (Fig. 2, para 0033) of claim 20. The claim is analyzed with respect to claim 1. 




Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
U.S. Publication No. 20180139053 on paragraph 0031 “In the embodiment of FIG. 2, the BRT 112 has initially backed-up file 110 to the TSR 106 by creating backup file 202 comprising a full copy of the initial version (e.g., V1) of file 110 in SSR 104. The change trigger module 114 of BRT 112 may detect subsequent triggers to back up the file 110, e.g., changes to file 110 that result in multiple versions of the file 110 (e.g., V1, V2 and V3 each time a user closes the file after making changes). The backup manager module 116 creates associated file deltas 204 and 206 comprising the incremental changes to data of file 110 between V1 and V2 and between V2 and V3 respectively. The file deltas 204 and 206 are associated with the original backup file 202 (of file 110) in TSR 106 and they correspond to the multiple versions of the file 110 since it was last backed-up to the TSR 106 (e.g., V2 and V3). The file deltas 204 and 206 (and any other associated file deltas) allow the user to recover file 110 to a last know version (e.g., V1, V2 and V3), which may be the last known safe state before the file 110 was encrypted or infected, e.g., according to the last file delta (e.g., 204, 206, etc.) before a malware attack alert has been issued, as explained below with respect to FIG. 4.”

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/           Primary Examiner, Art Unit 2499