DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Applicant's amendments filed on 05/11/2022 have been received and entered.  Claims 1, 3, 6-10, 12-16, 18-25 are pending. 

Response to Arguments
Applicant argues on page 9 of applicant’s remarks that Filimonov does not teach that a machine learning model "is trained using historical time-series data for each of a plurality of file types”.
The examiner respectfully disagrees.  Filimonov teaches training classifiers with time series data points to classify data as normal or anomalous type (column 1, [lines 50-53]; column 3, [lines 23-28]).  Therefore, Filimonov teaches limitations of the claims.

Applicant argues on pages 10-11 of applicant’s remarks that Hittel and Filimonov, alone or in combination, do not disclose or suggest “wherein the comparison comprises a comparison of the file name extension attribute of the encrypted file to one or more corresponding historical baseline values to identify a deviation from an expected file name extension distribution” as recited in the amended claims.
The examiner respectfully disagrees.  The examiner refers to the below 103 rejection of the claims.  In particular, Hittel provides for detecting that an uploaded file was encrypted with ransomware based on analyzing metadata change velocity by comparing current metadata with historical metadata, and also provides that the expected file was a normally encrypted file.  Metadata includes file name extension ([0177]-[0184]).  Hittel teaches encrypted files encrypted via a normal backup service encryption application Bitlocker ([178-180]).  Hittel teaches that the detected uploaded file was encrypted with ransomware ([177-184]).  Therefore, Hittel teaches limitations of the claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

7.	Claims 1, 6-7, 9-10, 12-13, 15-16, 18-19, 22-25 are rejected under 35 U.S.C. 103 as being unpatentable over Sean Hittel (US 2018/0048658), Vitaly Filimonov (US 9652354), hereinafter Filimonov.

Regarding claim 1:
	Hittel discloses a method comprising:
performing the following steps, in response to receiving an encrypted file, secured by a first encryption, sent from a user to a backup service (cloud-based file system) as part of a backup of the encrypted file (Hittel: Fig 7, 9; [0166], [0141] provides for receiving files that are being synchronized to a cloud-based storage system, and performing various actions at an intermediary network security system in response to receiving the uploaded files; see [0178]-[0180] for the intentional encryption by the user, such as via Boxcryptor, Bitlocker, etc. for their normally uploaded sync’d files):
Obtaining metadata for the file, wherein the metadata comprises a file name extension attribute of the encrypted file (Hittel: [0142]-[0143] for obtaining both current metadata for the uploaded file and historical metadata for previous versions of the file; See also [0180]-[0183] for specifically obtaining historical metadata for a normally encrypted uploaded file; [0177], [0184], [0193], [0207], metadata for files include file name extensions); 
applying, using at least one processing device, an anomaly detection technique to the metadata to compare at least one attribute in the metadata to one or more corresponding historical baseline values for the at least one attribute, a plurality of file types each having a corresponding file name extension attribute (Hittel: [0144] for determining metadata change velocity has exceeded a threshold; [0066], [0174]-[0185] provides for detecting irregularities in encrypted file metadata compared to its historical metadata; [0177], [0184], [0193], [0207], plurality of files types having file name extension), and 
determining, using the at least one processing device, whether the encrypted file, secured by the first encryption and, was also encrypted using a ransomware encryption, in addition to the first encryption, based at least in part on the comparison, wherein the ransomware encryption is distinct from the first encryption, wherein the comparison comprises a comparison of the file name extension attribute of the encrypted file to one or more corresponding historical baseline values to identify a deviation from an expected file name extension distribution (Hittel: [0177]-[0184] provides for detecting an uploaded file was encrypted with ransomware based on analyzing metadata change velocity by comparing current metadata with historical metadata, and also provides the expected file was a normally encrypted file. Metadata includes file name extension; [178-180], encrypted files encrypted via a normal backup service encryption application Bitlocker; [177-184], detected uploaded file was encrypted with ransomware). Therefore, the detected ransomware encryption is not the same as the first encryption with the Bitlocker application. 
However, Hittel fails to disclose wherein the anomaly detection technique comprises a machine learning technique that employs at least one trained machine learning model that is trained using historical time-series data for each of a plurality of file types. Filimonov teaches that statistical, signal processing and machine learning techniques can be applied to identify anomalies in time series (Filimonov, column 1, [lines 50-53]); and further deducing the normal and abnormal behavior of a component quickly means there is typically not enough time to wait for a very large statistical sample to make predictions regarding the characteristics (normal versus anomalous) of a piece of data within a time series (Filimonov, column 3, [lines 23-28]). It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Hittel with that of Filimonov in order to enable automatic detection of values that are abnormal to a high degree of probability in any time series sequence.

Regarding claim 6:
	Hittel discloses wherein the at least one attribute in the metadata comprises a file extension attribute and wherein the comparison to the one or more corresponding historical baseline values reveals one or more of a renaming of at least one file extension attribute and a deviation from an expected file extension distribution: a length of a filename and/or extension can be considered. For example, a consideration can be made as to whether the filename or extension is a certain length that is known to ransomware. This might be reliable preliminary check, before implementing a more thorough scanning/detection. This could be implemented on standalone files or using current and historical metadata of header information, and/or current and historical content properties of payloads of files. When comparing current and historical information, a pattern of changes between the current and historical information that exceeds a predetermined change velocity may indicate the presence of an attack (Hittel, [para 181]).
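
For illustration, the comparison of a file name extension attribute against historical baseline values discussed for claims 1 and 6 can be sketched as follows. This is an added example, not part of the Office action, the application or the cited references; the function names, thresholds, sample file names and the `.enc` / `.locked` extensions are constructed assumptions, and a simple per-extension z-score stands in for a trained model.

```python
import math
from collections import Counter
from pathlib import PurePosixPath

def ext_shares(filenames):
    """Share of files per final file name extension in one backup window."""
    counts = Counter(PurePosixPath(n).suffix.lower() or "<none>" for n in filenames)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {ext: c / total for ext, c in counts.items()}

def build_baseline(history):
    """history: list of past windows (each a list of file names).
    Returns {extension: (mean share, population std dev of share)}."""
    shares = [ext_shares(w) for w in history]
    baseline = {}
    for ext in set().union(*shares):
        vals = [s.get(ext, 0.0) for s in shares]
        mean = sum(vals) / len(vals)
        var = sum((v - mean) ** 2 for v in vals) / len(vals)
        baseline[ext] = (mean, math.sqrt(var))
    return baseline

def deviations(window, baseline, z_threshold=3.0, min_std=0.02):
    """Return (extension, current share, z-score) for every extension whose
    share in `window` deviates from its historical baseline.
    min_std (assumed floor) keeps never-seen extensions from dividing by zero."""
    current = ext_shares(window)
    findings = []
    for ext in sorted(set(current) | set(baseline)):
        mean, std = baseline.get(ext, (0.0, 0.0))
        share = current.get(ext, 0.0)
        z = (share - mean) / max(std, min_std)
        if abs(z) >= z_threshold:
            findings.append((ext, round(share, 3), round(z, 1)))
    return findings

def make_window(counts):
    """Build constructed sample file names from {extension: count}."""
    return [f"file{i}{ext}" for ext, n in counts.items() for i in range(n)]

# Constructed sample data: ".enc" marks files the user encrypted before backup
# (the "first encryption"); ".locked" is an extension never seen in the history.
HISTORY = [
    make_window({".enc": 6, ".pdf": 3, ".docx": 1}),
    make_window({".enc": 5, ".pdf": 3, ".docx": 2}),
    make_window({".enc": 6, ".pdf": 2, ".docx": 2}),
    make_window({".enc": 6, ".pdf": 3, ".docx": 1}),
]
NORMAL = make_window({".enc": 6, ".pdf": 2, ".docx": 2})
SUSPECT = make_window({".locked": 7, ".enc": 1, ".pdf": 1, ".docx": 1})

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    print("normal :", deviations(NORMAL, baseline))
    print("suspect:", deviations(SUSPECT, baseline))
```

The suspect window is flagged both for the unfamiliar extension and for the drop in the share of extensions that normally dominate the backup, which is the "deviation from an expected file name extension distribution" the claim language refers to.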


	Regarding claim 7:
	Hittel discloses wherein the at least one attribute in the metadata comprises a file size attribute of the encrypted file and wherein the comparison to the one or more corresponding historical baseline values reveals one or more of a deviation in size of one or more increments of an incremental backup and a file size of the encrypted file is larger than a corresponding historical baseline value: the block size of a file can be calculated and then compared to multiples of the known file sizes. This can also be done by checking to see if existing files are a multiple of frequently used block sizes of encryption. This could be implemented on standalone files, using current and historical metadata of header information, and/or current and historical content properties of payloads of files. This could be implemented on standalone files or using current and historical metadata of header information, and/or current and historical content properties of payloads of files. When comparing current and historical information, a pattern of changes between the current and historical information that exceeds a predetermined change velocity may indicate the presence of an attack (Hittel, [para 192]).

	Regarding claim 9:
	Hittel discloses further comprising the step of evaluating a number of encrypted files sent within a predefined time window: identify files in the local file system of the independent data store that have been updated within a determined timeframe (Hittel, para 24).

Regarding claim 10:
Claim 10 is rejected under the same reason set forth in rejection of claim 1.


Regarding claim 12:
Claim 12 is rejected under the same reason set forth in rejection of claim 6.

Regarding claim 13:
Claim 13 is rejected under the same reason set forth in rejection of claim 7.


Regarding claim 15:
Claim 15 is rejected under the same reason set forth in rejection of claim 9.

Regarding claim 16:
Claim 16 is rejected under the same reason set forth in rejection of claim 1.

Regarding claim 18:
Claim 18 is rejected under the same reason set forth in rejection of claim 6.

Regarding claim 19:
Claim 19 is rejected under the same reason set forth in rejection of claim 7.

Regarding claim 22:
Hittel discloses further comprising the step of evaluating a number of encrypted files sent within a predefined time window: identify files in the local file system of the independent data store that have been updated within a determined timeframe (Hittel, para 24).

Regarding claim 23:
Hittel discloses obtaining metadata for the file (Hittel: [0142]-[0143] for obtaining both current metadata for the uploaded file and historical metadata for previous versions of the file; See also [0180]-[0183] for specifically obtaining historical metadata for a normally encrypted uploaded file); but fails to disclose wherein the historical time-series data is further used to evaluate a behavior. Filimonov teaches: determine the behavior the data stream exhibits and consequently classify the time series into either one that follows a Gaussian distribution pattern or one that does not follow Gaussian distribution, the standard Z-test algorithm can be applied on the raw data (Filimonov, column 4, [lines 24-28]), and further anomaly detector 156 can automatically detect anomalies in any performance counter in any application in real-time by continuously monitoring and evaluating performance counter data points (Filimonov, column 6, [line 12-16]). It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Hittel with that of Filimonov in order to enable automatic detection of values that are abnormal to a high degree of probability in any time series sequence.

Regarding claim 24:
Hittel and Filimonov disclose wherein the historical time-series data is further used to evaluate a behavior of one or more of the encrypted file and the metadata for the encrypted file: determine the behavior the data stream exhibits and consequently classify the time series into either one that follows a Gaussian distribution pattern or one that does not follow Gaussian distribution, the standard Z-test algorithm can be applied on the raw data (Filimonov, column 4, [lines 24-28]), and further anomaly detector 156 can automatically detect anomalies in any performance counter in any application in real-time by continuously monitoring and evaluating performance counter data points (Filimonov, column 6, [line 12-16]). It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Hittel with that of Filimonov in order to enable automatic detection of values that are abnormal to a high degree of probability in any time series sequence.

Regarding claim 25:
Hittel and Filimonov disclose wherein the historical time-series data is further used to evaluate a behavior of one or more of the encrypted file and the metadata for the encrypted file: determine the behavior the data stream exhibits and consequently classify the time series into either one that follows a Gaussian distribution pattern or one that does not follow Gaussian distribution, the standard Z-test algorithm can be applied on the raw data (Filimonov, column 4, [lines 24-28]), and further anomaly detector 156 can automatically detect anomalies in any performance counter in any application in real-time by continuously monitoring and evaluating performance counter data points (Filimonov, column 6, [line 12-16]). It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Hittel with that of Filimonov in order to enable automatic detection of values that are abnormal to a high degree of probability in any time series sequence.

8.	Claims 3, 8, 14 and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Sean Hittel (US 10469525), Vitaly Filimonov (US 9652354), and further in view of Aishwary Bhashkar (US 20160378988), hereinafter Bhashkar.

Regarding claim 3:
	Hittel discloses a network security system 120 detecting and responding to a data attack (e.g., malicious activity) on a file system 402 (including files) stored on a cloud storage (i.e., independent data store) 142 by performing analysis of files stored on the independent data store 142 (Hittel, [para 114]); but fails to disclose wherein the encrypted file is one or more of a portion of an incremental file backup and a snapshot. However, Erofeev teaches creates a snapshot of the storage volume containing the first file. The snapshot represents the data stored in the storage volume at the point of creation of the snapshot, i.e., upon opening of the first file of step 210. As is well known, when multiple processes open the respective first files in the same storage volume, the snapshot for the first process may be entire data stored on the storage volume, but snapshots for subsequent processes may contain only incremental data (i.e., those changes from the previous snapshot) (Bhashkar, paragraph 37). It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Hittel with that of Bhashkar in order to detect potential malicious (Bhashkar, paragraph 13).

	Regarding claim 8:
	Hittel discloses wherein the at least one attribute in the metadata comprises a file name attribute of the encrypted file and wherein the comparison to the one or more corresponding historical baseline values reveals that a snapshot file has been sent more than once: using current and historical metadata of header information, and/or current and historical content properties of payloads of files. As mentioned above, for standalone files, specific entropies could indicate an attack. Further, an attack may be present if entropies of a certain number of files change significantly enough between current versions and historical versions of the files to establish a pattern of changes that exceeds a predetermined change velocity. (Hittel, [para 180]), but fails to disclose a snapshot file. Bhashkar teaches the Snapshot mapping of file system data is also updated to reflect the changed block(s) at that particular point in time. In some other cases, a Snapshot includes a full physical copy of all or substantially all of the data represented by the Snapshot (Bhashkar, paragraph 198). It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Hittel with that of Bhashkar in order to detect potential malicious (Bhashkar, paragraph 13).

Regarding claim 14:
Claim 14 is rejected under the same reason set forth in rejection of claim 8.

Regarding claim 20:
Claim 20 is rejected under the same reason set forth in rejection of claim 8.

Regarding claim 21:
Claim 21 is rejected under the same reason set forth in rejection of claim 3.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959. The examiner can normally be reached M-F 8am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HENRY TSANG/Primary Examiner, Art Unit 2495