Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
2.	Applicant’s arguments filed on 06/07/2022, with respect to the  35 U.S.C. § 102(a)(1)/(a)(2) rejection of claims 1-12 and 15-20 were rejected under as being anticipated by U.S. Patent Application Publication No. 2019/0303571 (“Chelarescu’’) have been fully considered.  However, upon further consideration, a new ground(s) of rejection is made in view of amended claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

3.	Claims 1-12 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 20190303571 hereinafter Chelarescu in view of U.S. Publication No. 20200285737 hereinafter Kraus.

As per claim 1, Chelarescu discloses:
A method (para 0015 “Example methods (e.g., algorithms) and systems (e.g., special-purpose machines) that detect and identify malware impacted files stored in a cloud storage system and provide detection notification with metadata to a client device of the cloud storage system are described.”) comprising:
receiving, by a storage system, attribute data representative of one or
more attributes of a known attack that operated against data stored by a target system other than the storage system (Fig. 3, para 0038 “The feature extraction module 302 extracts features from a file stored at the data storage 206. In one example, the feature extraction module 302 extracts features from a last modified file or a new file received from the client storage application 108 via the server storage application 202. Examples of features (also referred to as attributes or properties in the present document) include, but are not limited to, attributes of the files such as file encryption status, extension name, date of creation, date of modification, versioning number, author name, type of media, and compression status .” Para 0043 “The learning engine 314 (e.g., a machine learning algorithm) manages a learning model for identifying malware files. The learning engine 314 accesses file information (associated with the client device 102) from the data storage 206. The file information includes attributes, extensions, and features (including user feedback) of old, new, and modified files associated with the client device 102. Using the file information, the learning engine 314 can identify trends or patterns. For example, the learning engine 314 learns, based on file extensions, that the new file is actually not related to a malware as confirmed by the user of the client device 102 because the user has named the file to a name similar to a known malware. In another example, the learning engine 314 learns that a file that is encrypted and has a file extension name with a particular naming pattern (e.g., previously associated with existing malware) is likely a ransomware .” Para 0045 “In other example embodiments, the learning engine 314 determines the number of files (in the account of the client device 102 in the data storage 206) being updated, deleted, created, encrypted, and with suspicious extensions, and generates a determination or confidence level that one of the files (or the user account) is impacted by a malware or malware attack.” para 0051 “In response to the request, in operation 404, the server storage application 202 accesses a storage account or user data structure (e.g., files, folder, directory) for the user from the data storage 206. The data storage 206 modifies an existing file in the user data structure (associated or registered with the client device 102). The user data structure includes copies of files corresponding to a folder or directory of the client device 102 indicated by the client storage application 108.” Para 0052 “ In operation 406, the malware analysis engine 210 determines features of the modified file received at operation 402. Examples of features include an encryption status, a file or extension naming pattern, a content analysis matching result, and user feedback related to files similar to the modified file.”);
updating, by the storage system, an extensible attack monitoring process
executed by the storage system with the attribute data; and monitoring, by the storage system using the extensible attack monitoring process updated with the attribute data, storage operation requests with respect to the storage system for one or more attributes that match the one or more attributes of the known attack (para 0044 “Based on the learning model, the learning engine 314 can, in one embodiment, suggest to the impacted file identification module 310 that the new or modified file is likely or is not likely a malware. In a further embodiment, the learning engine 202 updates a list of files that have been confirmed or validated as safe (non-impacted by malware) from the client device 102. All of the trends or patterns identified by the learning engine 314 may be stored in the data storage 206 and provided to the impacted file identification module 310 for further processing.” Fig. 7, para 0069 “In operation 702, the user feedback module 312 receives previous user feedback (or other users feedback) related to the new or modified file stored at the storage system 106. Para 0070 “In operation 704, the learning engine 314 trains a malware detection model for the new or modified file based on the user's feedback.”)

	Chelarescu does not disclose:
a storage system from a remote system communicatively coupled to the storage system and a plurality of storage systems other than the storage system by way of a network 
attribute data generated based on an analysis of storage operation requests with respect to the plurality of storage systems other than the storage system 

	Kraus discloses:
a storage system from a remote system communicatively coupled to the storage system and a plurality of storage systems other than the storage system by way of a network (Figs. 1 and 2, para 0226 “With reference to FIG. 1, an operating environment 100 for an embodiment includes at least one computer system 102. The computer system 102 may be a multiprocessor computer system, or not. An operating environment may include one or more machines in a given computer system, which may be clustered, client-server networked, and/or peer-to-peer networked within a cloud. An individual machine is a computer system, and a group of cooperating machines is also a computer system.” Para 0233 “In some embodiments, the system includes multiple computers connected by a wired and/or wireless network 108. Networking interface equipment 128 can provide access to networks 108, using network components such as a packet-switched network interface card, a wireless transceiver, or a telephone network interface, for example, which may be present in a given computer system. Virtualizations of networking interface equipment and other network components such as switches or routers or firewalls may also be present, e.g., in a software defined network or a sandboxed or other secure cloud computing environment.”  Para 0234 “FIG. 3 illustrates examples of event list sources. Illustrated examples include logs 302, e.g., syslog format logs, event tracing logs, application logs, logs generated by kernels, transaction logs, and other records of events which occurred or report state of one or more machines 102. A log is often ordered chronologically, but a composite log may include events from machines whose timestamps are not fully synchronized, and thus may be only partially ordered. Illustrated examples of event list sources 214 also include sniffers 304, which is defined broadly above to include more than merely network analyzers, and SIEM tools 306.”)
attribute data generated based on an analysis of storage operation requests with respect to the plurality of storage systems other than the storage system (para 0195 “ 1022 storage requests, e.g., requests to read or write from cloud storage; a request is an example of an event 204.” Para 0263 “FIG. 11 illustrates a method 1100 which is an example of methods performed or assisted by a model 402 and sequence anomaly detector 408. This method includes acquiring 1102 an event sequence 410 to test 1104 for anomalies, e.g., by receiving or otherwise selecting 1208 an anchor event and selecting 1210 additional events. Then a corresponding vector to score is formed, e.g., by vectorizing 800 the event sequence 410 and embedding 1106 the vector in a vector space by submitting 1206 the vector to the model 402. Next, the method computes 1108 an anomaly score 414, e.g., by using leveraged implementations of machine learning libraries which implement calculations 700. Then the system 400 or related components 426, 428, 430, 122 performing the method 1100 take 1110 some action 900 based on the anomaly score. Some possible actions 900 include preventing 910 access to the storage item or resource identified in a request 1022, terminating 912 an access-in-progress to the storage item or resource identified in a request, configuring 904 a firewall, IDS, or other tool 122, alerting 914 an administrator (a person), or actively allowing 924 the access after comparison of the anomaly score to pertinent threshold(s) 1020.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the methods (e.g., algorithms) and systems (e.g., special-purpose machines) that detect and identify malware impacted files stored in a cloud storage system of Chelarescu to include a storage system from a remote system communicatively coupled to the storage system and a plurality of storage systems other than the storage system by way of a network and attribute data generated based on an analysis of storage operation requests with respect to the plurality of storage systems other than the storage system, as taught by Kraus.
The motivation would have been to properly receive data from a remote computing device in order to properly assess data.

As per claim 2, Chelarescu in view of Kraus discloses:
The method of claim 1, further comprising: 
detecting, by the storage system during the monitoring, the one or more attributes of the storage operation requests that match the one or more attributes of the known attack; and determining, by the storage system based on the detecting of the one or more attributes of the storage operation requests that match the one or more attributes of the known attack, that data stored by the storage system is possibly being targeted by an attack (Chelarescu Fig. 7, para 0071 “In operation 706, the feature extraction module 302 determines features of the new or modified file. Examples of features include an encryption status, a file or extension naming pattern, a content analysis matching result, and user feedback related to files similar to the new or modified file. Para 0072 “In operation 708, the impacted file identification module 310 detects a malware activity (e.g., ransomware) based on the features of the new or modified file as previously determined in operation 706 and based on the malware detection model as previously determined in operation 704. Para 0073 “In operation 710, the notification engine 214 generates a notification that identifies the new or modified file (based on the file identification from operation 708) as potential malware to the client device 102. The communication module 216 sends the notification to the client device 102.” Para 0074 “In operation 712, the malware analysis engine 210 receives a user confirmation of the malware activity of the modified file from the client device 102 via the communication module 216.”) 

As per claim 3, Chelarescu in view of Kraus discloses:

The method of claim 2, further comprising performing, by the storage system in response to the determining that the storage system is possibly being targeted by the security threat, a remedial action (Chelarescu para 0060).

As per claim 4, Chelarescu in view of Kraus discloses:
The method of claim 3, wherein the performing of the remedial action
comprises one or more of generating a recovery dataset for the data stored by
the storage system, providing a notification, or preventing one or more of the storage operation requests from being performed (Chelarescu para 0054 and 0060). 

As per claim 5, Chelarescu in view of Kraus discloses:
The method of claim 2, further comprising allowing, by the storage system based on the determining that the data stored by the storage system is possibly being targeted by the attack, the remote system to analyze the storage operation requests with respect to the storage system (Chelarescu Figs. 5-7, para 0089).

As per claim 6, Chelarescu in view of Kraus discloses:
The method of claim 5, wherein the allowing comprises transmitting attribute data representative of the one or more of the attributes of the storage operation requests of the storage system to the remote system (Chelarescu para 0031, para 0089).

As per claim 7, Chelarescu in view of Kraus discloses:
The method of claim 5, further comprising: receiving, by the storage system, confirmation from the remote system indicating that the remote system has determined, based on the analysis of the storage operation requests of the storage system, that the data stored by the storage system is being targeted by the attack; and performing, by the storage system in response to the receiving of the confirmation, an additional remedial action (Chelarescu Figs. 5-7, para 0089).

As per claim 8, Chelarescu in view of Kraus discloses:
The method of claim 1, wherein the receiving of the attribute data comprises receiving the attribute data from a remote system by way of a network (Chelarescu para 0020).

As per claim 9, Chelarescu in view of Kraus discloses:
The method of claim 8, wherein the remote system is in communication with a plurality of storage systems and configured to generate the attribute data based on an analysis of storage operation requests with respect to the plurality of storage systems (Chelarescu Figs. 5-7, para 0089).

As per claim 10, Chelarescu in view of Kraus discloses:
The method of claim 1, wherein the receiving of the attribute data comprises receiving the attribute data directly from the target system by way of a network (Chelarescu Fig. 1, para 0028).
As per claim 11, Chelarescu in view of Kraus discloses:
The method of claim 1, wherein the updating of the extensible attack monitoring process comprises dynamically updating the extensible attack monitoring process as the extensible attack monitoring process is being executed by the storage system (Chelarescu Fig. 7).

As per claim 12, Chelarescu in view of Kraus discloses:
The method of claim 1, wherein the attribute data comprises data representative of a pattern associated with the known attack, a compressibility of data being written to the target system, or a format of data being written to the target system (Chelarescu para 0038).

As per claim 15, Chelarescu in view of Kraus discloses:
The method of claim 1, wherein the known attack comprises an encryption attack against the data stored by the target storage system (Chelarescu para 0039, 0040, and 0043).

As per claim 16, the implementation of the method of claim 1 including the limitation of “using, by the storage system, the attribute data to detect one or more attributes of storage operation requests with respect to the storage system that match the one or more attributes of the known attack ; and determining, by the storage system based on the detecting that the one or more attributes of the storage operation requests match the one or more attributes of the known attack, that data stored by the storage system is possibly being targeted by an attack (Chelarescu para 0044 “Based on the learning model, the learning engine 314 can, in one embodiment, suggest to the impacted file identification module 310 that the new or modified file is likely or is not likely a malware. In a further embodiment, the learning engine 202 updates a list of files that have been confirmed or validated as safe (non-impacted by malware) from the client device 102. All of the trends or patterns identified by the learning engine 314 may be stored in the data storage 206 and provided to the impacted file identification module 310 for further processing.” Para 0054 “In operation 410, the notification engine 214 generates a notification that identifies the suspicious files (e.g., the modified file(s)) in the storage account as malware to the client device 102. The notification engine 214 further retrieves and identifies metadata related to the suspicious files and provides the metadata. The notification engine 214 provides a malware confirmation GUI that indicates the suspicious files (or a subset of the suspicious files) and the corresponding metadata and enable a user of the client device 102 to identify and select which of the suspicious files are impacted. In another example embodiment, the malware analysis engine 210 generates the malware confirmation GUI. The communication module 216 provides the notification (e.g., the malware confirmation GUI) to the client device 102.”)” of claim 1. The claim is analyzed with respect claim 1. 

As per claim 17, Chelarescu in view of Kraus discloses:
The method of claim 16, wherein the using the attribute data comprises updating, by the storage system, an extensible attack monitoring process executed by the storage system with the attribute data (Chelarescu para 0044, 0069 and 0070).

As per claim 18, the implementation of the method of claim 1 will execute the system of claim 18. The claim is analyzed with respect to claim 1.

As per claim 19, the implementation of the method of claim 2.

As per claim 20, the implementation of the method of claim 3.

4. 	Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Chelarescu in view of Kraus in view of U.S. Publication No. 20140283061 hereinafter Quinlan.

As per claim 13, Chelarescu in view of Kraus discloses:
The method of claim 1, wherein the monitoring for the one or more
attributes of the storage operation requests that match the one or more attributes
of the known attack (Chelarescu Figs. 4-7)

Chelarescu in view of Kraus does not disclose:
determining that the one or more attributes of the storage operation requests satisfy a similarity threshold with respect to the one or more attributes of the known attack 

Quinlan discloses:
determining that the one or more attributes of the storage operation requests satisfy a similarity threshold with respect to the one or more attributes of the known attack (para 0006 “In one example, a method includes receiving, by a security device and from a device, network traffic directed to one or more computing devices protected by the security device, responsive to receiving the network traffic, sending, by the security device and to the device, a request fora plurality of data points for the device, wherein the data points include characteristics associated with the device, and receiving, by the security device and from the device, at least a portion of the requested plurality of data points. The method may also include comparing, by the security device, the received portion of the requested plurality of data points to respective sets of data points associated with one or more known attacker devices, determining, based on the comparison, whether a first respective set of data points associated with a first known attacker device satisfies a similarity threshold, and selectively manage, based on the determination, additional network traffic directed to the one or more computing devices protected by the security device and received from the device.” Para 0027 “In some cases a fingerprint to be considered to "match" another fingerprint, as the term is used herein, even when one or more data points and/or data values for a particular data point may be different between the two fingerprints. That is, techniques of this disclosure enable a "fuzzy" matching of fingerprints. The term "fuzzy" refers to an imperfect, e.g., non-identical, match of data points and/or data values. Each fingerprint may include a sufficiently large number of data points that, even though only a portion of the data points match a previously classified fingerprint, security service 16 determines that the fingerprints match without returning a meaningful number of false positives. That is, if the matching process returns a sufficiently high match confidence value (e.g., satisfies a threshold confidence value, also referred to herein as a similarity threshold or a threshold level of similarity), security service 16 determines that the received fingerprint effectively matches a previously received fingerprint that corresponds to an attacker device. In some instances, more than one fingerprint may be determined to match the received fingerprint (e.g., more than one fingerprint satisfies the threshold confidence value). In these instances, security service servers 24 may determine that the fingerprint that is the most similar to the received fingerprint is the matching fingerprint.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the methods (e.g., algorithms) and systems (e.g., special-purpose machines) that detect and identify malware impacted files stored in a cloud storage system of Chelarescu in view of Kraus to include determining that the one or more attributes of the storage operation requests satisfy a similarity threshold with respect to the one or more attributes of the known attack, as taught by Quinlan.
The motivation would have been to properly detect a threshold to determine accurate determination of a known attack.

5. 	Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Chelarescu in view of Kraus in view of U.S. Publication No. 10122740 hereinafter Finkelshtein. 

As per claim 14, Chelarescu in view of Kraus discloses: 
The method of claim 1, further comprising: maintaining, by the storage system (Chelarescu Figs. 4-7) 

Chelarescu in view of Kraus does not disclose: 
maintaining, historical attribute data representative of one or more attributes of the storage operation requests over time that precedes an attack against the data stored by the storage system that was not detected during the monitoring; and transmitting, by the storage system to a remote system, the historical attribute data for analysis by the remote system 

Finkelshtein discloses: 
maintaining, historical attribute data representative of one or more attributes of the storage operation requests over time that precedes an attack against the data stored by the storage system that was not detected during the monitoring; and transmitting, by the storage system to a remote system, the historical attribute data for analysis by the remote system (Col. 12 Lines 10-20
“In step 602, the analytic server computing device 20 generates a model and one or more configuration updates. The model or configuration updates can be sent periodically or at other specified times and do not have to be sent concurrently. The model can be generated based on initial baseline threshold values for one or more signals, thresholds learned over time based on historical observations of signal data, or anomalous traffic patterns received from the centralized analytic server computing device 20(2), for example, although other inputs can be used in order to generate the model.” Col. 12 Lines 21-34 “Accordingly, models can be generated dynamically based on historical information regarding what signals or signal data are more or less indicative of a malicious anomaly in view of the specific characteristics of network traffic observed in the storage network 12. For example, in some storage networks HTTP traffic may have been observed to include a relatively high number of HTTP headers. Accordingly, increased HTTP traffic with a high number of HTTP headers may not be indicative of an anomaly in these storage networks, although such traffic may be considered anomalous in other storage networks. Therefore, in these storage networks, the associated threshold for the number of HTTP headers signal may be set relatively high in the generated model.”)
and transmitting, by the storage system to a remote system, the historical
attribute data for analysis by the remote system (Col. 12 Lines 56-63 “ In step 604 in this example, the one of the analytic server computing devices sends the model and configuration update(s) to the one of the traffic management computing devices. Steps 602 and 604 are optional and not necessarily
performed during each iteration. The model and configuration update(s) can be
received by the traffic management computing device as described and
illustrated earlier with reference to step 404 in FIG. 4, for example.”)
Therefore, it would have been obvious to one of ordinary skill in the art
before the effective filing date of the claimed invention to modify the methods
(e.g., algorithms) and systems (e.g., special-purpose machines) that detect and
identify malware impacted files stored in a cloud storage system of Chelarescu in view of Kraus to include maintaining, historical attribute data representative of one or more attributes of the storage operation requests over time that precedes an attack against the data stored by the storage system that was not detected during the monitoring; and transmitting, by the storage system to a remote system, the historical attribute data for analysis by the remote system, as taught by Finkelshtein.
The motivation would have been to properly assess data in order to determine accurate determination of a known attack.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/           Primary Examiner, Art Unit 2499