Detailed Action


Continuation
	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on August 29, 2022 has been entered.

Response to Arguments
	 
Applicant’s arguments filed August 29, 2022 have been fully considered. A new ground of rejection is presented because of Applicant’s amendment.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1 – 2, 4 – 9, 11 – 16 and 18 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kharraz (UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware, 2016) in view of Gezalov (US Pub. No. 2019/0392146 A1).

Per claim 15, Kharraz suggests a system, comprising: logic being configured to: monitor file access activity (reads on a filesystem activity monitor which, for every read and write request to a file captured in an I/O trace, computes the entropy of the read and write request, see Kharraz Section 3.1.2 Subsection I/O Data Buffer Entropy); generate an audit log based on the file access activity (reads on logging all read and write activity, see Kharraz Section 4.2 and Section 6 col. 2 1st full paragraph); collect samples of file usage activity (reads on constructing access patterns by identifying write and delete operations in I/O sequences, see Kharraz Section 3.1.2 Subsection Constructing Access Patterns) by collecting live event notifications for file accesses from the distributed file system (reads on logging all read and write activity, see Kharraz Section 4.2 and Section 6 col. 2 1st full paragraph); run a pattern recognition algorithm on the samples of the file usage activity for detecting malware activity (reads on, after generating I/O access sequences, identifying write and delete operations in each sequence, where the patterns of encrypting, overwriting and deleting are detected as suspicious, see Kharraz Section 3.1.2 Subsection Constructing Access Patterns). The prior art of record is silent on explicitly stating a system comprising a processor and logic integrated with the processor; the audit log includes backup events and snapshot events; in response to detecting malware activity, restore at least one file based on the audit log, wherein restoring at least one file includes restoring the at least one file to a last copy of the file in a backup referred to in a backup event in the audit log.
Gezalov suggests a system, comprising (reads on any combination of hardware and software, see Gezalov para 0040 – 0043): a processor (reads on a processor, see Gezalov para 0041 – 0042); and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor, the logic being configured to (reads on any combination of hardware and software, see Gezalov para 0040 – 0042): in response to detecting malware activity (reads on in response to identifying which files a malicious process has modified, see Gezalov para 0035), restore at least one file based on the audit log (reads on rolls back the identified files edited by the process, see Gezalov para 0035) wherein restoring at least one file includes restoring the at least one file (reads on rolls back the identified files edited by the process, see Gezalov para 0035) to a last copy of the file in a backup referred to in a backup event in the audit log (reads on restoring saved copies of the original file by rolling back the identified files according to the identified logged events in log storage, see Gezalov para 0035).
[0035] The restore module 212 restores a file to a saved copy of the original file when the changes to the file were determined to be caused by malware. The restore module 212 may receive a notification from the server 105 indicating that a process corresponds to malware. The restore module 212 may identify files for rollback by identifying logged events in log storage 220 associated with the process to determine which files the process modified. The restore module 212 then rolls back the identified files edited by the process (e.g., restore saved copies of the original file prior to being modified by the process). Alternatively, the restore module 212 may receive instructions from the server 105 to roll back files edited by a process corresponding to malware, and the restore module 212 can restore the files to the saved copy of the original file prior to the file being edited by the process corresponding to malware. In one embodiment, the restore module 212 may purge a portion of logged events in log storage 220 and only keep logged events relevant to rollback.

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the suspicious/malware activity teachings of the prior art of record by integrating the rollback of suspicious/malware activity teachings of Gezalov to realize the instant limitation. One or more of the underpinning rationale(s), as discussed in KSR International Co. v. Teleflex Inc. et al., 550 U.S. 398 (2007), U.S.P.Q.2d 1385, also see MPEP § 2141(III), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the art to include in the file access monitoring system of Kharraz the ability to roll back files identified as being impacted by the result of malicious activity as taught by Gezalov, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized the results of the combination were predictable. The motivation to combine is applied to all claims under this heading.

Per claim 16, the prior art of record further suggests wherein running the pattern recognition algorithm comprises analyzing elements associated with the file usage activity selected from the group consisting of: read/write offsets, and real time entropy calculations (reads on comparing the entropy of read and write requests to and from the same file offset, see Kharraz Section 3.1.2 Subsection I/O Data Buffer Entropy).  
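As an added example (not code from the Office action, Kharraz or Gezalov), the following Python sketches the detection-plus-restore loop the Examiner reads on claims 15 and 16: compare the entropy of the read buffer and the later write buffer at the same file offset, flag the encrypt-in-place overwrite as suspicious, and roll the file back to the copy held by the last backup event in the audit log. The event field names, the thresholds and the trace are constructed assumptions for illustration.

```python
# Added example (not from the Office action or the cited references).
import hashlib
import math
from collections import Counter
from typing import Optional

HIGH_ENTROPY = 7.0  # bits/byte; near-uniform buffers look encrypted (assumed)
ENTROPY_JUMP = 2.0  # write must exceed the prior read at that offset by this much

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 .. 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def detect_overwrite(audit_log: list) -> list:
    """Flag writes far above the entropy of the last read at the same (path, offset)."""
    last_read = {}  # (path, offset) -> entropy of the last read buffer
    alerts = []
    for idx, ev in enumerate(audit_log):
        key = (ev["path"], ev.get("offset"))
        if ev["type"] == "read":
            last_read[key] = shannon_entropy(ev["data"])
        elif ev["type"] == "write":
            h_w, h_r = shannon_entropy(ev["data"]), last_read.get(key)
            if h_w >= HIGH_ENTROPY and h_r is not None and h_w - h_r >= ENTROPY_JUMP:
                alerts.append({"index": idx, "path": ev["path"],
                               "read_entropy": round(h_r, 2), "write_entropy": round(h_w, 2)})
    return alerts

def restore_from_log(audit_log: list, path: str, before: int) -> Optional[bytes]:
    """Copy from the last backup event for `path` logged before the flagged write."""
    for ev in reversed(audit_log[:before]):
        if ev["type"] == "backup" and ev["path"] == path:
            return ev["copy"]
    return None

# Constructed trace: backup, benign in-place edit, encrypt-in-place, delete.
PLAINTEXT = (b"the quick brown fox jumps over the lazy dog. " * 100)[:4096]
CIPHERTEXT = b"".join(hashlib.sha256(b"demo-%d" % i).digest() for i in range(128))
TRACE = [
    {"type": "backup", "path": "/share/report.docx", "copy": PLAINTEXT},
    {"type": "read", "path": "/share/report.docx", "offset": 0, "data": PLAINTEXT},
    {"type": "write", "path": "/share/report.docx", "offset": 0, "data": PLAINTEXT.upper()},
    {"type": "read", "path": "/share/report.docx", "offset": 0, "data": PLAINTEXT.upper()},
    {"type": "write", "path": "/share/report.docx", "offset": 0, "data": CIPHERTEXT},
    {"type": "delete", "path": "/share/report.docx"},
]

if __name__ == "__main__":
    for alert in detect_overwrite(TRACE):
        restored = restore_from_log(TRACE, alert["path"], alert["index"])
        print("suspicious overwrite:", alert, "-> restored", len(restored), "bytes")
```

The benign edit (same bytes, upper-cased) keeps the same entropy and is not flagged; only the high-entropy write at the previously read offset triggers the alert and the rollback.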
Per claim 18, the prior art of record further suggests wherein the file access activity and the file usage activity are associated with files stored in a distributed file system (The Examiner construes this to be an obvious limitation of the disclosure of the prior art of record because one of ordinary skill in the art would know file access and usage activity can be associated with files stored in any type of file system because that is within the realm of conventional computer science in order to meet the needs of the business, see Kharraz Section 3.1.2 Subsection I/O Data Buffer Entropy, Kharraz Section 3.1.2 Subsection Constructing Access Patterns and Gezalov para 0035).  
Per claim 19, the prior art of record further suggests wherein the samples of the file usage activity include live event notifications received from the nodes (The Examiner construes this to be an obvious limitation of the disclosure of the prior art of record because one of ordinary skill in the art would know logging all read and write activity can be associated with live event notifications because either the events are live or they are not and without undue experimentation one of ordinary skill in the art could design the logging for either situation in order to meet the needs of the business, see Kharraz Section 3.1.2 Subsection I/O Data Buffer Entropy, Kharraz Section 3.1.2 Subsection Constructing Access Patterns and Gezalov para 0035).  
Per claim 20, the prior art of record further suggests wherein applications are not blocked during collection of the file usage activity (The Examiner construes this to be an obvious limitation of the prior art of record because the prior art teaches the use of applications and does not teach those applications being blocked during collection of file usage activity, see Kharraz Section 4.2 and Section 6 col. 2 1st full paragraph. As a result of one of ordinary skill in the art also being one of ordinary creativity, based on the teachings of the prior art of record it would be obvious to allow normal application activity during collection of the file usage activity because it is at least implied by the teachings of the prior art).
Claim 8, the computer program product (reads on any combination of hardware and software, see Gezalov para 0040 – 0043), is analyzed with respect to claim 15. The prior art of record further suggests storing the events in memory (The Examiner construes this to be an obvious limitation of logging all read and write activity, see Kharraz Section 4.2 and Section 6 col. 2 1st full paragraph, because within the conventional practice of logging/computer science a log is stored in some form of memory), wherein the collecting is scalable to the distributed file system and an increasing number of nodes (reads on using the kernel to process events and log file usage activity, see Kharraz Section 4.2, Section 6 and Figure 1. The Examiner asserts having the invention in the local kernel is obviously scalable to any number of nodes based on the needs of the business).
Claim 9 is analyzed with respect to claim 16.
Per claim 11, the prior art of record further suggests wherein the file access activity and the file usage activity are associated with files stored in the distributed file system (reads on logging all read and write activity, see Kharraz Section 3.1.2 Subsection I/O Data Buffer Entropy, Section 4.2 and Section 6 col. 2 1st full paragraph. The Examiner asserts based on the prior art’s disclosure of logging/storing all file read and write activity, having that file activity be associated with a distributed file system would be obvious because the prior art’s disclosure does not preclude the use of a distributed file system and one of ordinary creativity would have used the prior art’s teaching with the file system most suited for the particular business need).
Claim 12 is analyzed with respect to claim 19.
Claim 13 is analyzed with respect to claim 20.
Per claim 14, the prior art of record further suggests detecting an attack pattern consisting of overwriting (see Kharraz Section 3.1.2 Subsection I/O Data Buffer Entropy, Kharraz Section 3.1.2 Subsection Constructing Access Patterns).
Claim 1 is analyzed with respect to claim 8. The prior art of record further suggests nodes locally process events that are collected over a period of time in memory buffers in the respective nodes.
Claim 2 is analyzed with respect to claim 9. 
Claim 4 is analyzed with respect to claim 11.

Claim 5 is analyzed with respect to claim 19. The prior art of record further suggests wherein applications are not blocked during collection of the file usage activity (The Examiner construes this to be an obvious limitation of the prior art of record because the prior art teaches the use of applications and does not teach those applications being blocked during collection of file usage activity, see Kharraz Section 4.2 and Section 6 col. 2 1st full paragraph. As a result of one of ordinary skill in the art also being one of ordinary creativity, based on the teachings of the prior art of record it would be obvious to allow normal application activity during collection of the file usage activity because it is at least implied by the teachings of the prior art).
Per claim 6, the prior art of record further suggests file access activity on the nodes in the distributed file system includes activities selected from the group consisting of: file updates, deletions, snapshots, and backup events (reads on logging all read and write activity, see Kharraz Section 4.2 and Section 6 col. 2 1st full paragraph and Gezalov para 0035); wherein the samples of file usage activity correspond to live events processed locally on the nodes, wherein each node collects the samples for activities occurring on that node (reads on logging and have full visibilities into interactions with user files on the local system, see Kharraz Figure 1. The Examiner construes Figure 1 to represent the local system).
Claim 7 is analyzed with respect to claim 14.


Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kharraz in view of Gezalov in view of Murphy (US Pub. No. 2021/0160274 A1).

Per claim 17, the prior art of record suggests the system of claim 15. The prior art of record is silent on explicitly stating running the pattern recognition algorithm comprises feeding the audit log into an artificial intelligence (AI) model trained by machine learning.
Murphy suggests running the pattern recognition algorithm comprises feeding the audit log into an artificial intelligence (AI) model trained by machine learning (reads on a threat mitigation process utilizing artificial intelligence/machine learning to identify one or more patterns/trends within the log files, see Murphy para 0235).

[0235] Threat mitigation process 10 may process 1452 this platform information (e.g., log files) to generate processed platform information. And when processing 1452 this platform information (e.g., log files) to generate processed platform information, threat mitigation process 10 may: parse 1454 the platform information (e.g., log files) into a plurality of subcomponents (e.g., columns, rows, etc.) to allow for compensation of varying formats and/or nomenclature; enrich 1456 the platform information (e.g., log files) by including supplemental information from external information resources; and/or utilize 1458 artificial intelligence/machine learning (in the manner described above) to identify one or more patterns/trends within the platform information (e.g., log files).

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the pattern recognition teachings of the primary references by incorporating the teachings of Murphy of using artificial intelligence/machine learning to identify one or more patterns/trends within the log files to realize the instant limitations. One or more of the underpinning rationale(s), as discussed in KSR International Co. v. Teleflex Inc. et al., 550 U.S. 398 (2007), U.S.P.Q.2d 1385, also see MPEP § 2141(III), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the security art to include in the pattern recognition teachings of the primary references the ability to perform that pattern recognition via artificial intelligence/machine learning, as taught by Murphy, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable, resulting in the expected benefit of using a method known in the art to accomplish the pattern recognition taught in the primary references. The motivation to combine the references is applied to all claims under this heading.

Claim 10 is analyzed with respect to claim 17.
Claim 3 is analyzed with respect to claim 10.

Contact
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is (571)270-5191.  The examiner can normally be reached on Mon-Thurs from 6:00 AM-3:30 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's Supervisor, Jorge Ortiz-Criado can be reached on (571) 272-7624.  The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/BRIAN F SHAW/Primary Examiner, Art Unit 2496