Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
2.	Applicant’s arguments filed on 07/08/2022, with respect to the 35 U.S.C. § 103 rejections of claim 1-8, 11-17, 19, and 20 as being unpatentable over U.S. Patent Application Publication No. 2018/0054454 (“Astigarraga’’) in view of U.S.
Patent Application Publication No. 2018/0113638 (“Petersen”), dependent claim 9 was rejected as being unpatentable over the combination of Astigarraga, Petersen, and
U.S. Patent Application Publication No. 2017/0364681 (“Roguine”) and dependent claim 18 was rejected under 35 U.S.C. § 103 as being unpatentable over the combination of Astigarraga, Petersen, and U.S. Patent Application Publication No. 2018/0024893 (“Sella”). Applicant have been fully considered but are persuasive.  
	Applicant alleges on pg. 12 of arguments “In contrast, the combination of Astigarraga and Petersen fails to teach or suggest each and every element recited in claim 1. For example, for at least the reasons described below, the combination of Astigarraga and Petersen fails to disclose “throttling, by the data protection system based on the determining that the request is possibly related to the security threat against the storage system, a performance of the operation, the throttling comprising limiting a rate of writes with respect to the storage system to a certain number of writes per second” as recited in claim 1 (emphasis added).
The Office Action acknowledges that Astigarraga does not disclose the “throttling” element of claim 1. Office Action, page 4.
Petersen does not cure the deficiencies of Astigarraga. For example, Petersen describes throttling write requests based on a time of day. Petersen, paragraph 0058. To illustrate, Petersen describes how write requests may be throttled outside of business hours. Petersen does not describe throttling the write requests based on a determination that the write requests are possibly related to a security threat. Hence, Petersen does not disclose “throttling, by the data protection system based on the determining that the request is possibly related to the security threat against the storage system, a performance of the operation, the throttling comprising limiting a rate of writes with respect to the storage system to a certain number of writes per second” as recited in claim 1 (emphasis added). Examiner respectfully disagrees.

Peterson discloses on paragraph 0052 “In another embodiment, the write rate may be assigned to each subset of storage space dependent upon a time period in which the write request is received. Typically, most write requests are received during business hours while users are interacting with data stored to the one or more media storage devices 302. Therefore, when write requests are received outside of time periods in which write requests are normally received (e.g., off-peak hours, non-business hours, etc.), when taking into account previously scheduled and authorized maintenance and/or updating processes, these write requests may be restricted and/or suspended until approval is received from an authorized user for these write requests to continue unrestrained. In this way, the amount of damage and/or harm that may be caused by a ransomware attack may be minimized or prevented without inhibiting authorized processes and writes that should be occurring during normal operating hours.
Peterson further discloses on paragraph 0093 “In another embodiment, method 400 may include restricting the write rate (from an initial value) in response to determining an action that is indicative of a ransomware attack or malicious code executing on the media storage device. The action may include, but is not limited to, any of the following: a frequency of write activity on the media storage device or the portion thereof that exceeds a predetermined write frequency threshold, a rate of change resulting from the write request being greater than an historical rate of change for the media storage device or the portion thereof, and the write request being received outside of a time period in which write requests are expected to be received for the media storage device or the portion thereof. Of course, any other actions described herein that are indicative of a ransomware attack or malicious code executing on the media storage device may be taken into consideration when determining whether to restrict the write rate and by how much to restrict the write rate, as would be understood by one of skill in the art upon reading the present descriptions.
Therefore, Peterson teaches or suggest throttling, by the data protection system based on the determining that the write request is possibly related to the security threat against the storage system, a performance of the operation, the throttling comprising limiting a rate of writes with respect to the storage system to a certain number of writes per second. For the reasons above, the rejection is maintained.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
3.	Claims 1-9, 11-17, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 20180054454 hereinafter Astigarraga in view of U.S. Publication no. 20180113638 hereinafter Petersen. 

As per claim 1, Astigarraga discloses: 
A method (para 0003 “A computer-implemented method according to one embodiment includes identifying a cloud computing environment, establishing a baseline associated with input and output requests within the cloud computing environment, monitoring activity associated with the cloud computing environment, comparing the activity to the baseline, and performing one or more actions, based on the comparing.”) comprising: 
detecting, by a data protection system, a request to perform an operation with respect to a storage system (para 0003 “A computer-implemented method according to one embodiment includes identifying a cloud computing environment, establishing a baseline associated with input and output requests within the cloud computing environment, monitoring activity associated with the cloud computing environment, comparing the activity to the baseline, and performing one or more actions, based on the comparing.”): 
identifying, by the data protection system, one or more attributes of the request, determining, by the data protection system based on the one or more attributes, that the request is possibly related to a security threat against the storage system and throttling, by the data protection system based on the determining that the request is possibly related to the security threat against the storage system, a performance of the operation (para 0065 “In one embodiment, performing the one or more actions may include flagging the activity if the activity deviates from the baseline by more than a predetermined amount. For example, the activity may be flagged as an anomaly if the activity deviates from the baseline by more than a predetermined amount. For instance, the activity may include a downloading of an abnormally large volume of data from one or more storage devices of the cloud computing environment, an uploading of a large volume of write data in an abnormal pattern or to an abnormal location within the cloud computing environment, etc.” Para 0066 “Further, in one embodiment, performing the one or more actions may include examining the activity if the activity is flagged as an anomaly. For example, examining the activity may include comparing the activity to one or more predetermined security threat criteria. For instance, the security threat criteria may include user-submitted criteria indicative of a security threat, criteria indicative of a threat that was developed based on previous monitoring of the cloud computing environment (e.g., before the current activity is monitored), etc.”). 

Astigarraga does not disclose:
throttling comprising limiting a rate of writes with respect to the storage system to a certain number of writes per second

Petersen discloses:
throttling comprising limiting a rate of writes with respect to the storage system to a certain number of writes per second (para 0093 “In another embodiment, method 400 may include restricting the write rate (from an initial value) in response to determining an action that is indicative of a ransomware attack or malicious code executing on the media storage device. The action may include, but is not limited to, any of the following: a frequency of write activity on the media storage device or the portion thereof that exceeds a predetermined write frequency threshold, a rate of change resulting from the write request being greater than an historical rate of change for the media storage device or the portion thereof, and the write request being received outside of a time period in which write requests are expected to be received for the media storage device or the portion thereof. Of course, any other actions described herein that are indicative of a ransomware attack or malicious code executing on the media storage device may be taken into consideration when determining whether to restrict the write rate and by how much to restrict the write rate, as would be understood by one of skill in the art upon reading the present descriptions.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of identifying a cloud computing environment and establishing a baseline associated with input and output requests within the cloud computing environment of Astigarraga to include throttling comprising limiting a rate of writes with respect to the storage system to a certain number of writes per second, as taught by Petersen.
The motivation would have been to restrict write request outside authorized times associated with an attack. 

As per claim 2, Astigarraga in view of Peterson discloses:
The method of claim 1, further comprising: detecting, by the data protection system, an additional request to perform an additional operation with respect to the storage system; identifying, by the data protection system, one or more attributes of the additional request; determining, by the data protection system based on the one or more attributes of the additional request, that the additional request is not related to the security threat against the storage system; and abstaining, by the data protection system based on the determining that the additional operation is not related to the security threat against the storage system, from throttling a performance of the additional operation (Astigarraga para 0058- 0065).

As per claim 3, Astigarraga in view of Peterson discloses:
The method of claim 1, further comprising: determining, by the data protection system prior to the detecting of the request to perform the operation, that a dataset stored by the storage system is in a compromised state in which the dataset is possibly being targeted by the security threat; wherein the throttling of the performance of the operation is further based on the determining that the dataset stored by the storage system is in the compromised state (Astigarraga para 0061 and 0062). 

As per claim 4, Astigarraga in view of Peterson discloses:
The method of claim 3, further comprising: determining, by the data protection system subsequent to the throttling of the performance of the operation, that the dataset stored by the storage system is no longer in the compromised state; detecting, by the data protection system while the dataset stored by the storage system is no longer in the compromised state, an additional request to perform an additional operation with respect to the storage system; and abstaining, by the data protection system based on the dataset stored by the storage system no longer being in the compromised state, from throttling the performance of the additional operation (Astigarraga Fig. 4 and 5, para 0081 “If no deviation is detected (e.g., the monitored read/write I/O data patterns and statistics did return to the expected baseline), the SDS controller may continue to monitor current read/write I/O data patterns and statistics and compare the read/write I/O data patterns and statistics to the baseline.”).

As per claim 5, Astigarraga in view of Peterson discloses:
The method of claim 1, wherein the operation includes one or more of a write operation or a read operation (Astigarraga para 0056, 0059, and 0062).

As per claim 6, Astigarraga in view of Peterson discloses:
The method of claim 1, wherein: the request comprises a request to write data to the storage system; the identifying of the one or more attributes of the request comprises identifying a compressibility of the data; and the determining that the request is possibly related to the security threat comprises determining that the compressibility is below a threshold (Astigarraga para 0055-0065, 0073, 0080 and 0082).

As per claim 7, Astigarraga in view of Peterson discloses:
The method of claim 1, wherein: the request comprises a request to write data to the storage system; the identifying of the one or more attributes of the request comprises identifying a format of the data; and the determining that the request is possibly related to the security threat comprises determining that the format does not match an expected format for the data (Astigarraga para 0061, 0062, and 0068 Fibre Channel).

As per claim 8, Astigarraga in view of Peterson discloses:
The method of claim 1, wherein: the identifying of the one or more attributes of the request comprises identifying a source of the request; and the determining that the request is possibly related to the security threat comprises one or more of determining that the source has been previously associated with one or more security threats against the storage system, determining that the source is the source for more than a predetermined threshold number of requests to perform operations with respect to the storage system during a predetermined time period, or identifying an anomaly in a pattern of requests provided by the source (Astigarraga para 0062-0065) 

As per claim 10, Astigarraga in view of Peterson discloses:
The method of claim 1, wherein the throttling comprises limiting a rate of writes with respect to the storage system to a certain number of writes per second (Astigarraga para 0058 and 0059).

As per claim 11, Astigarraga in view of Peterson discloses:
The method of claim 1, further comprising: determining, by the data protection system prior to the detecting of the request to perform the operation, one or more of a current storage state or a current workload state of the storage system; wherein the throttling of the performance of the operation is further based on one or more of the current storage state or the current workload state (Astigarraga para 0052-0062).

As per claim 12, Astigarraga discloses:
A method (para 0003 “A computer-implemented method according to one embodiment includes identifying a cloud computing environment, establishing a baseline associated with input and output requests within the cloud computing environment, monitoring activity associated with the cloud computing environment, comparing the activity to the baseline, and performing one or more actions, based on the comparing.”) comprising: 
detecting, by a data protection system, a plurality of requests to perform a plurality of operations with respect to a storage system while a dataset stored by the storage system is in a compromised state in which the dataset stored by the storage system is possibly being targeted by a security threat (para 0056 “In one embodiment, the baseline may indicate an expected input/output (I/O) read and write pattern to the environment, an expected I/O read and write pattern within the environment, etc. In another embodiment, the baseline may indicate one or more of an amount of read and write requests received by the environment, an amount of read and write requests executed within the environment, a ratio or percentage of reads to writes made to the cloud computing environment, etc.” Para 0057 “Further, in one embodiment, the baseline may have one or more associated temporal constraints. For example, the baseline may be linked to a predetermined time of day, day of the week, period of the year, etc.”)
identifying, by the data protection system, one or more attributes of the requests; determining, by the data protection system based on the one or more attributes, that a first subset of requests within the plurality of requests are possibly related to the security threat, the first subset of requests comprising requests to perform a first subset of operations included in the plurality of options (para 0056 “In one embodiment, the baseline may indicate an expected input/output (I/O) read and write pattern to the environment, an expected I/O read
and write pattern within the environment, etc. In another embodiment, the baseline may indicate one or more of an amount of read and write requests received by the environment, an amount of read and write requests executed within the environment, a ratio or percentage of reads to writes made to the cloud computing environment, etc.” Para 0057 “Further, in one embodiment, the baseline may have one or more associated temporal constraints. For example, the baseline may be linked to a predetermined time of day, day of the week, period of the year, etc.”)
determining, by the data protection system based on the one or more attributes, that a second subset of requests within the plurality of requests are not related to the security threat, the second subset of requests comprising requests to perform a second subset of operations included in the plurality of operations (para 0056 “In another embodiment, the baseline may indicate one or more of an amount of read and write requests received by the environment, an amount of read and write requests executed within the environment, a ratio or percentage of reads to writes made to the cloud computing environment, etc.” Para 0060 “In another example, the baseline may indicate predetermined percentages of reads and writes to the cloud computing environment (e.g., 80% reads, 20% writes, etc.).”);
throttling, by the data protection system based on the determining that the first subset of requests are related to the security threat, a performance of the first subset of operations; and abstaining, by the data protection system based on the determining that the second subset of requests are not related to the security threat, from throttling a performance of the second subset of operations (para 0065 “In one embodiment, performing the one or more actions may include flagging the activity if the activity deviates from the baseline by more than a predetermined amount. For example, the activity may be flagged as an anomaly if the activity deviates from the baseline by more than a predetermined amount. For instance, the activity may include a downloading of an abnormally large volume of data from one or more storage devices of the cloud computing environment, an uploading of a large volume of write data in an abnormal pattern or to an abnormal location within the cloud computing environment, etc.” Para 0066 “Further, in one embodiment, performing the one or more actions may include examining the activity if the activity is flagged as an anomaly. For example, examining the activity may include comparing the activity to one or more predetermined security threat criteria. For instance, the security threat criteria may include user-submitted criteria indicative of a security threat, criteria indicative of a threat that was developed based on previous monitoring of the cloud computing environment (e.g., before the current activity is monitored), etc.”). 

Astigarraga does not disclose:
throttling comprising limiting a rate of writes with respect to the storage system to a certain number of writes per second 

Petersen discloses:
throttling comprising limiting a rate of writes with respect to the storage system to a certain number of writes per second (para 0093 “In another embodiment, method 400 may include restricting the write rate (from an initial value) in response to determining an action that is indicative of a ransomware attack or malicious code executing on the media storage device. The action may include, but is not limited to, any of the following: a frequency of write activity on the media storage device or the portion thereof that exceeds a predetermined write frequency threshold, a rate of change resulting from the write request being greater than an historical rate of change for the media storage device or the portion thereof, and the write request being received outside of a time period in which write requests are expected to be received for the media storage device or the portion thereof. Of course, any other actions described herein that are indicative of a ransomware attack or malicious code executing on the media storage device may be taken into consideration when determining whether to restrict the write rate and by how much to restrict the write rate, as would be understood by one of skill in the art upon reading the present descriptions.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of identifying a cloud computing environment and establishing a baseline associated with input and output requests within the cloud computing environment of Astigarraga to include throttling comprising limiting a rate of writes with respect to the storage system to a certain number of writes per second, as taught by Petersen.
The motivation would have been to restrict write request outside
authorized times associated with an attack.

As per claim 13, the implementation of the method of claim 1 will execute the system of claim 13. The claim is analyzed with respect to claim 1.

As per claim 14, the claim is analyzed with respect to claim 2.

As per claim 15, the claim is analyzed with respect to claim 3.

As per claim 16, the claim is analyzed with respect to claim 4.

As per claim 17, the claim is analyzed with respect to claim 5.

As per claim 19, the claim is analyzed with respect to claim 7.

As per claim 20, the claim is analyzed with respect to claim 8.

4. 	Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Astigarraga in view of Peterson in view of U.S. Publication No. 20170364681 hereinafter Roguine.

As per claim 9, Astigarraga in view of Peterson discloses:
The method of claim 1, wherein: the request (para 0055-0065) 

Astigarraga in view of Peterson does not disclose:
a request to delete or modify data stored by the storage system; and the identifying of the one or more attributes of the request comprises identifying an attribute of the data 

Roguine discloses:
a request to delete or modify data stored by the storage system; and the identifying of the one or more attributes of the request comprises identifying an attribute of the data (para 0005 “The present disclosure provides systems, methods and computer program products for protecting user data from modification or loss due to malware. In one example aspect, a method according to the disclosure includes monitoring a file system of a computer, the file system containing a plurality of files, for the creation of a copy of a file in the file system; upon detection of a copy of at least one file, determining whether the copy is encrypted or modified by comparing the copy to the file; upon determining that the copy is encrypted or modified, suspending a process of the computer that would overwrite the file with the copy; warning a user of the computer that an encrypted or modified copy has been detected; and receiving authorization from the user to allow or deny the overwriting of the file with the encrypted or modified copy.” Para 0053 “A malware may infect a system that has a monitoring system according to the present disclosure installed on it and start the process of data encryption. During the encryption, the software may open a source file for reading and a target file for writing, read the contents of the source file, encrypt the contents in memory or in the stream, and write the encrypted contents to the target. Thereafter, the malware may close the source file and the target file, and then delete the source file. The monitoring system may be configured such that the closing of the target file will cause system to check for known "read-write- delete" behavior, such as: (1) known extension patterns (e.g. ransomware uses the format [name].doc.encrypted); known extension and missing signature (as discussed in the previous example above); or other behavioral patterns. At this stage, the system may raise a "Suspicion" flag, marking the closed file size and naming pattern but will not take any action yet, because no data is lost.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of identifying a cloud computing environment and establishing a baseline associated with input and output requests within the cloud computing environment of Astigarraga in view of Peterson to include t a request to delete or modify data stored by the storage system; and the identifying of the one or more attributes of the request comprises identifying an attribute of the data, as taught by Roguine.
The motivation would have been to determining whether a data file stored by a storage system is deleted or overwritten in order to properly identify a ransomware attack.

5.	Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Astigarraga in view of Peterson, and further in view of U.S. Publication No. 20180024893 hereinafter Sella.

As per claim 18, Astigarraga in view of Peterson discloses:
The system of claim 13, wherein: the request comprises a request to write data to the storage system; the identifying of the one or more attributes of the request (Astigarraga para 0055-0065)

Astigarraga in view of Peterson does not disclose:
identifying a compressibility of the data and the determining that the request is possibly related to the security threat comprises determining that the compressibility is below a threshold.

Sella discloses:
identifying a compressibility of the data; and the determining that the request is possibly related to the security threat comprises determining that the compressibility is below a threshold (para 0018 “The entropy level of the files included in the transaction may also be scored relative to an expected entropy level based on file type. It will be appreciated by one of ordinary skill in the art that the entropy of encrypted data may tend to be different than that of pictures, video, etc. It will similarly be appreciated that the greater the sample size of the files to be scored, the greater the likelihood that an increase in observed entropy consistent with encrypted files may be indicative of a ransomware infection. Alternatively, or in addition, the compressibility of files in the backup transaction may be scored to detect encrypted files. Backup systems, such as system 1, are often configured to compress non-compressed files (e.g., pictures, movies, etc.) Application/Control Number: 17/039,536 Page 21 Art Unit: 2491 in order to save storage space. However, when files are encrypted, they may become uncompressible. A high delta-score for non- compressible files may therefore be indicative of an increase in encrypted files, which in turn may be may be indicative of a ransomware infection.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of identifying a cloud computing environment and establishing a baseline associated with input and output requests within the cloud computing environment of Astigarraga in view of Peterson to include the method of identifying a compressibility of the data and the determining that the request is possibly related to the security threat comprises determining that the compressibility is below a threshold, as taught by Sella.
The motivation would have been to detecting of an anomaly determining that an overall compressibility of data in order to properly identify a ransomware attack.
 
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/           Primary Examiner, Art Unit 2499