DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claims 1-19 are presented for examination.

Priority
The claim for priority from US application 16/132,639, now US Patent 10,938,854, filed on 17 September 2019, which claims priority to US Provisional 62/561,725 filed 22 September 2017, is duly noted.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 10,938,854 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the instant claims are anticipated by the ‘854 patent. It is noted that claims 10-19 are similar to claims 1-9 as shown, and are therefore similarly rejected.
17/164,902
US Patent 10,938,854 B2
1. A method for detecting a suspicious process in an operating system environment, the method comprising:
generating, by a hardware processor, a file honeypot in a directory in a file system;
receiving a directory enumeration request from a process executing in the operating system environment;
determining whether the process is identified in a list of trusted processes;
in response to determining that the process is not in the list of trusted processes, providing, to the process by the file system, a file list including the file honeypot responsive to the directory enumeration request;
intercepting, by a file system filter driver, a file modification request for the file honeypot from the process; and
identifying the process as a suspicious object responsive to intercepting the file modification request from the process.
2. The method of claim 1, further comprising:
in response to determining that the process is in the list of trusted processes, providing, to the process by the file system, a file list excluding the file honeypot responsive to the directory enumeration request.
3. The method of claim 1, wherein determining whether the process is identified in the list of trusted processes is based on one or more of a certificate, fingerprint, name, and process identifier.
1. A method for detecting ransomware and malicious programs, the method comprising: 
generating, by a hardware processor, a file honeypot in a directory in a filesystem, wherein the file honeypot is included on a file list of contents of the directory; 
receiving a directory enumeration request from a process executing in an operating system environment; 
determining whether the process is identified in a list of trusted processes based on one or more of a certificate, fingerprint, name, and process identifier; 
when the process is not found in the list of trusted processes, providing, by the filesystem, the file list including the file honeypot to the process responsive to receiving the directory enumeration request and otherwise, providing the file list excluding the file honeypot to the process; 
intercepting, by a filesystem filter driver, a file modification request for the file honeypot from the process when the file honeypot is included in the file list; and identifying the process as a suspicious object responsive to intercepting the file modification request from the process.

4. The method of claim 1, wherein generating the file honeypot further comprises at least one of: creating a special file corresponding to the file honeypot in the directory; and
updating the file list to add a filename of the special file at a first position of the file list.
2. The method of claim 1, wherein generating the file honeypot further comprises at least one of: creating a special file corresponding to the file honeypot in the directory, and updating the file list to add a filename of the special file at a first position of the file list.
5. The method of claim 1, wherein generating the file honeypot further comprises: adding a filename of a nonexistent file to the file list associated with the directory.
3. The method of claim 1, wherein generating the file honeypot further comprises: adding a filename of a nonexistent file to the file list associated with the directory.
6. The method of claim 1, further comprising: assigning to the generated file honeypot a filename having at least one steganographic element.
4. The method of claim 1, further comprising: assigning to the generated file honeypot a filename having at least one steganographic element.
7. The method of claim 1, further comprising: modifying a file attribute of the generated file honeypot to indicate a hidden file.
5. The method of claim 1, further comprising: modifying a file attribute of the generated file honeypot to indicate a hidden file.
8. The method of claim 1, wherein generating the file honeypot further comprises: generating the file honeypot according to a template that specifies a document type and one or more file naming rules comprising at least one steganographic element.
6. The method of claim 1, wherein generating the file honeypot further comprises: generating the file honeypot according to a template that specifies a document type and one or more file naming rules comprising at least one steganographic element.
9. The method of claim 1, further comprising: responsive to receiving the directory enumeration request, performing a machine learning analysis on a stack trace of the directory enumeration request using machine learning; and adding a file honeypot to the provided file list responsive to the directory enumeration request based on the machine learning analysis.
7. The method of claim 1, further comprising: responsive to receiving the directory enumeration request, performing a machine learning analysis on a stack trace of the directory enumeration request using machine learning; and adding a file honey pot to the provided file list responsive to the directory enumeration request based on the machine learning analysis.


Prior Art Made of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Aharoni et al. (US 2021/0256117 A1) discloses a system and method for preventing ransomware from encrypting files on a target machine.
Aziz (US Patent 9,027,135 B1) discloses a system and method for prospective client identification using malware attack detection.
Lamastra et al. (WO 2007/110105 A1) discloses a system and method for mobile network security.
Sallam (WO 2012/135192 A1) discloses a system and method for virtual machine monitor based anti-malware security).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SARAH SU whose telephone number is (571)270-3835. The examiner can normally be reached 7:30 AM - 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/SARAH SU/Primary Examiner, Art Unit 2431