Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
2.	Applicant’s arguments filed on 08/01/2022, with respect to the 35 U.S.C. 103 rejection of claims 1-20 as being unpatentable over U.S. Patent No. 9,317,686 (“Ye”) in view of U.S. Patent Application Publication No. 2020/0204589 (“Strogov”), have been fully considered and are persuasive. Therefore, the rejection has been withdrawn.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

3. 	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 9317686 hereinafter Ye in view of U.S. Publication No. 20170316210 hereinafter Patil. 

As per claim 1, Ye discloses: 
A method (Col. 2 Lines 27-28 “In a first embodiment, system events are monitored and a file change event of a process is detected.”) comprising: 
determining, by a data protection system, that data stored by a storage system is under a possible attack (Col. 5 Lines 11-16 “ Step 212 determines whether an event has occurred indicating that a user process is attempting to change one of the files on the hard disk (for example, hooking of a system function indicates that a process is attempting to overwrite a file, write a new version of a file, encrypt a file, delete a file, etc.).”); detecting, by the data protection system, a modify request with respect to the storage system while the data stored by the storage system is under the possible attack (Col. 5 Lines 11-20 “ Step 212 determines whether an event has occurred indicating that a user process is attempting to change one of the files on the hard disk (for example, hooking of a system function indicates that a process is attempting to overwrite a file, write a new version of a file, encrypt a file, delete a file, etc.). If no file change event is currently detected, it is likely that ransomware is not currently executing upon the computer and control returns to step 204 for more monitoring of events. On the other hand, if a file change event is detected, then control moves to step 216 to determine whether or not the file in question should be backed up.”):
determining, by the data protection system, that the modify request may be related to the possible attack (Col. 5 Lines 22-32 “Step 216 determines whether the process (or thread) that has requested the file change event is suspicious or not. In general, determining whether a process (or the file that created it) is suspicious may be accomplished using information obtained from operating system hooks installed in the system monitor driver 110, using information from a remote cloud service 170, or from information using a local white list 160. Once all of this information is obtained concerning a particular file or process, then heuristics such as rules may be used to make a determination as to whether the file or process is suspicious.”):
and performing, by the data protection system in response to determining that the modify request may be related to the possible attack, a remedial action with respect to the modify request (Col. 6 Lines 1-34 “Step 220 backs up any file or files that are about to be changed by the event detected in step 212. Bear in mind that the file change event that was hooked by driver 110 and detected in step 212 has not yet changed the file in question. The hook function that detected the file change event allows steps 216 and 220 to occur before control returns to the system function that is attempting to change the file. In other words, the file change event is detected, a determination is made that the process is suspicious, and the file is backed up before the requesting process is allowed to change the file. Once the correlation engine makes the determination to back up the file, a trigger signal is sent to the backup engine which then saves the file in question from the hard disk to either database 150 or to database 140. For example, since the file has not been changed, the backup engine makes a copy of the file and saves it in a special backup folder. Then the engine adds a new record in the backup database. The record includes: the file path of the process, the path of the file to be modified, the backup file name and path, and other information. The database record is then later used to retrieve the backed up file. To reduce the disk usage, the backed up file may be compressed. It can be expanded later when the original file is needed.”).

Ye does not disclose:
wherein a remedial action includes causing a modify request to be redirected to a separate storage structure that is separate from one or more active storage structures of the storage system.

Patil discloses: 
wherein a remedial action includes causing a modify request to be redirected to a separate storage structure that is separate from one or more active storage structures of the storage system (Fig. 3, para 0036 “In accordance with embodiments of the present invention and regardless of the number of layers used to provide the operating system, applications, and user data, this layering technique can be employed to implement a security solution in which any I/O request that attempts to add a resource to or update a resource on a frozen layer is instead directed to write layer 302d where the added/updated resource will be isolated from the resources on the frozen layer(s). For example, OS layer 302a, application layer 302b, and user data layer 302c can be frozen (i.e., prevented from being modified) by redirecting any I/O request that would otherwise modify these layers to write layer 302d. Similarly, OS partition 312 can be frozen by redirecting any I/O request that would otherwise modify content on OS partition 312 to write layer 302d. Accordingly, FIGS. 3 and 3A each illustrate that a read only path exists for accessing layers 302a-302c and partition 312 respectively while a read/write path exists for write layer 302d. Each of these paths can “pass through” layering security system 301 thereby allowing the layering security system to perform any appropriate evaluation on the I/O requests”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Ye, in which system events are monitored and a file change event of a process is detected, to include wherein a remedial action includes causing a modify request to be redirected to a separate storage structure that is separate from one or more active storage structures of the storage system, as taught by Patil.
The motivation would have been to properly protect a file system from a modification request on a file.
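
Added illustration (not part of the Office action, and not code from Ye or Patil): a minimal Python model of the combination discussed for claim 1, in which a modify request judged suspicious during a possible attack is redirected to a separate write layer so that the active storage is left unchanged. The whitelist entry, the 0.9 compressibility threshold, the sample payloads and all names are assumptions made for the example.

```python
import hashlib
import zlib

WHITELIST = {"backup-agent"}   # assumed local white list of trusted sources
RATIO_THRESHOLD = 0.9          # assumed: payloads that barely compress look encrypted

def is_suspicious(source, data):
    """Heuristic on request attributes: source and compressibility ratio."""
    if source in WHITELIST:
        return False
    ratio = len(zlib.compress(data)) / max(len(data), 1)
    return ratio >= RATIO_THRESHOLD

class ProtectedStore:
    def __init__(self, files):
        self.active = dict(files)   # active storage structure (frozen for suspects)
        self.write_layer = {}       # separate structure: (source, path) -> data
        self.flagged = set()        # sources already tied to the possible attack
        self.under_attack = False

    def modify(self, source, path, data):
        """Apply the write, or redirect it while a possible attack is ongoing."""
        if self.under_attack and (source in self.flagged
                                  or is_suspicious(source, data)):
            self.flagged.add(source)
            self.write_layer[(source, path)] = data   # active copy untouched
            return "redirected"
        self.active[path] = data
        return "applied"

    def read(self, source, path):
        """A flagged source reads back its own redirected writes."""
        if source in self.flagged and (source, path) in self.write_layer:
            return self.write_layer[(source, path)]
        return self.active[path]

    def clear_attack(self):
        """Attack over: discard the isolated writes, return how many."""
        discarded = len(self.write_layer)
        self.write_layer.clear()
        self.flagged.clear()
        self.under_attack = False
        return discarded

# Constructed sample payloads: repetitive text vs. incompressible bytes.
PLAIN = b"quarterly report " * 200
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
```
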

As per claim 2, Ye in view of Patil discloses:
The method of claim 1, wherein the determining that the modify request may be related to the possible attack includes: identifying one or more attributes associated with the modify request; and determining that the modify request may be related to the possible attack based on the one or more attributes (Ye Col. 5 Lines 33-48).

As per claim 3, Ye in view of Patil discloses:
The method of claim 2, wherein the one or more attributes associated with the modify request includes one or more of a name of a data item associated with the modify request, a size of the data item, a format of the data item, a compressibility ratio of the data item, a bit pattern of the data item, or a source of the modify request (Ye Col. 5 Lines 11-21 and 33-66).

As per claim 4, Ye in view of Patil discloses:
The method of claim 2, wherein the determining that the modify request may be related to the possible attack based on the one or more attributes includes: determining that an attribute associated with the modify request satisfies an attribute threshold (Ye Col. 7 Lines 11-21).

As per claim 5, Ye in view of Patil discloses:
The method of claim 2, wherein the determining that the modify request may be related to the possible attack based on the one or more attributes includes one or more of: determining that a source of the modify request is associated with an abnormal pattern; or determining that the source of the modify request has been previously associated with one or more security threats against the storage system (Ye Col. 5 Lines 44-53).

As per claim 6, Ye in view of Patil discloses:
The method of claim 1, wherein the performing the remedial action with respect to the modify request includes one or more of: blocking the modify request; or instructing the storage system to block the modify request (Ye Col. 5 Lines 44-53).

As per claim 7, Ye in view of Patil discloses:
The method of claim 1, wherein the performing the remedial action with respect to the modify request includes: identifying a source of the modify request; and instructing the storage system to block requests by the source to the storage system (Ye Col. 4 Lines 35-45 and Col. 5 Lines 44-53).

As per claim 8, Ye in view of Patil discloses:
The method of claim 1, further comprising: determining, by the data protection system, that the data stored by the storage system is no longer under the possible attack; and performing, by the data protection system, an action in response to the determining that the data stored by the storage system is no longer under the possible attack (Ye Col. 5 Lines 24-34).

As per claim 9, Ye in view of Patil discloses:
The method of claim 1, wherein the performing the remedial action with respect to the modify request includes: instructing the storage system to redirect the modify request to a separate storage structure that is separate from one or more active storage structures of the storage system, the separate storage structure being within the storage system or within another storage system (Ye Col. 5 Lines 1-23). 

As per claim 10, Ye in view of Patil discloses:
The method of claim 9, wherein the performing the remedial action with respect to the modify request further includes: identifying a source of the modify request (Ye Col. 4 Lines 35-45 and Col. 5 Lines 44-53); and instructing the storage system to redirect read requests from the source to the separate storage structure (Ye Col. 3 Lines 24-34, Col. 5 Lines 54-60 and Col. 6 Lines 32-62).

As per claim 11, Ye in view of Patil discloses:
The method of claim 9, further comprising: determining, by the data protection system, that the data stored by the storage system is no longer under the possible attack; and performing, by the data protection system in response to determining that the data stored by the storage system is no longer under the possible attack, an action with respect to data stored in the separate storage structure (Ye Fig. 2).

As per claim 12, the implementation of the method of claim 1 will execute the system of claim 12. The claim is analyzed with respect to claim 1. 

As per claim 13, the claim is analyzed with respect to claim 2.

As per claim 14, the claim is analyzed with respect to claim 3.

As per claim 15, the claim is analyzed with respect to claim 4.

As per claim 16, the claim is analyzed with respect to claim 6.

As per claim 17, the claim is analyzed with respect to claim 7.

As per claim 18, the claim is analyzed with respect to claim 8.

As per claim 19, the claim is analyzed with respect to claims 9 and 11.

As per claim 20, the implementation of the method of claim 1 will execute the non-transitory computer-readable medium (Col. 8 Lines 10-31) of claim 12. The claim is analyzed with respect to claim 1.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2499