Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
2.	Applicant’s arguments filed on 09/01/2022, with respect to the 35 U.S.C. § 103 rejections of claim 1-5 and 7-20 as being unpatentable over U.S. Patent No. 10,438,000 (“Gu”) in view of U.S. Patent Application Publication No. 2011/0296237
(“Mandagere”) in further view of U.S. Patent Application Publication No. 2018/0007069
(“Hunt”) and in further view of U.S. Patent Application Publication No. 2016/0170823
(“Miller”), Dependent claim 6 was rejected as being unpatentable over the
combination of Gu, Mandagere, Hunt, Miller, and U.S. Patent Application Publication No. 2007/0220068 (“Thompson”) have been fully considered. However, upon further consideration, a new ground(s) of rejection is made in view of amended claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
3.	Claims 1, 2 , 4, 5, 7-16 and 18 -20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 10438000 hereinafter Gu in view of U.S. Publication No. 20110296237 hereinafter Mandagere, and further in view of U.S. Publication No. US 20200233959 hereinafter Spurlock.

As per claim 1, Gu discloses:
A method (Col. 1 Lines 38-42 “The content of each specific image file in a user's backup set (or other type of file set on an endpoint) is analyzed, for example during a backup of the endpoint to a server or the like. Each analyzed
image file is categorized based on the results of analyzing its content.”) comprising:
detecting, by a data protection system for a storage system, a potential data corruption in the storage system (Fig. 5, Col. 8 Lines 40-53 “The image modification detecting module 407 can quantify the degree of detected change, by weighting different types of modifications and/or degrees of change (at any desired level of granularity), at the level of individual image files 307 and/or across the image files 307 of the backup set 309. Where the quantification of the detected changes exceeds a given threshold level, then in response an adjudicating module 409 of the backup image based recovery manager 101 can adjudicate 509 that a cryptographic attack (or in some embodiments other form of file corrupting event) has occurred on the endpoint 300. It is to be understood that the specific value of use for the threshold is a variable design parameter that can be adjusted up or down as desired.”);
determining corruption-free recovery point for potential use by a storage system to recover from the potential data corruption (Col. 8 Line 65 — Col. 9 Line 17 “In one embodiment, the security action executing module 411 uses the categorization metadata 311 on the backed to identify 513 when the endpoint 300 was first compromised by the corruption event /attack, and then automatically recovers 515 all of the files of the backup set 309 (not just the image files 307), using the most recent backed-up version 313 from prior to the attack/corruption event (or prompts the user to initiate such a recovery operation). More specifically, successive prior backed-up versions 313 of one or more image files 307 detected as having been changed can be analyzed, categorized and compared to the corresponding categorization metadata 311, until a version 3193 is identified in which the image file(s) 307 being analyzed have not been modified to a degree in excess of a given threshold (e.g., the categorization of the given version 313 of the image files 307 matches the corresponding categorization metadata 311 within the threshold margin). Once the point of corruption is established, the all of the files (not just the image files 307) are recovered from the last backed-up version 313 of the backup set 309 prior to that point.”)

Gu does not disclose:
analyzing, one or more metrics of the storage system and one or more metrics of an additional storage system configured to replicate data stored by the storage system, the storage system comprising a controller configured to control operations of one or more storage structures within which one or more hosts connected to the storage system store the data; 
determining, by the data protection system based on the analyzing of the one or more metrics of the storage system and the one or more metrics of the additional storage system, that the storage system is possibly being targeted by a security threat that causes a potential data corruption

Mandagere discloses:
analyzing, one or more metrics of the storage system (para 0028 “In step 208, a problem description query for an entity with corrupted data is received, the problem description query is parsed, and a problem search criterion is generated based on information parsed from the problem description query. The query parser 108 receives a problem description query for an entity with corrupted data, parses the problem description query, and generates a problem search criterion based on information parsed from the problem description query.” Para 0030 “In step 210, dependencies relied on by the entity to function are determined and the dependencies are correlated in an entity dependency graph. For example, the dependencies are at different levels in an end-to-end system associated with the entity. In one embodiment, the dependency generator 110 determines the entity's application-level dependencies, system-level dependencies, and storage-level dependencies relied on by the entity to function. In another embodiment, the dependency generator 110 correlates the dependencies in an entity dependency graph. For example, the dependency graph captures relationships of dependencies among entities.” Para 0037 “In step 214, at least one event signature match for the problem search criterion is found. In one embodiment, the event analyzer 112 matches at least one event signature in the event signature repository 114 with the problem search criterion. For example, the problem search criterion comprises problem description information, which includes an entity with corrupted data, a type of error encountered by the entity, and a time when the error occurred. In an exemplary embodiment, the event analyzer 112 matches at least one event signature searched for in the event signature repository 114 with the problem search criterion.”); and
determining, by the data protection system based on the analyzing of the one or more metrics of the storage system (para 0038 “In step 216, at least one data restore point is selected that was created prior to an occurrence of a particular event in the at least one signature match event.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of analyzing user’s data of Gu to include the method of analyzing, by a data protection system in response to the detecting of the potential data corruption, one or more metrics of the storage system, as taught by Mandagere.
The motivation would have been to properly verify that a file is corrupted file.

Gu in view of Mandagere does not disclose:
analyzing, one or more metrics of the storage system and one or more metrics of an additional storage system configured to replicate data stored by the storage system, the storage system comprising a controller configured to control operations of one or more storage structures within which one or more hosts connected to the storage system store the data
determining, by the data protection system based on the analyzing of the one or more metrics of the storage system and the one or more metrics of the additional storage system, that the storage system is possibly being targeted by a security threat that causes a potential data corruption

Spurlock discloses:
analyzing, one or more metrics of the storage system and one or more metrics of an additional storage system configured to replicate data stored by the storage system, the storage system comprising a controller configured to control operations of one or more storage structures within which one or more hosts connected to the storage system store the data (para 0054 “First, the system 100 provides monitoring and data collection. Optimization of data protection infrastructure and operations begins with comprehensive and ongoing discovery, data collection, and monitoring of all aspects of the data protection environment. The ADP DATs may perform ongoing health, capacity, and performance monitoring and data collection of all data protection, cloud, storage, and network products and services. The monitoring and data collection may include the gathering of capacity and performance metrics (e.g., utilization rates, storage capacities, data throughput rates, I/O rates, etc.) and current health status (e.g., offline, online, in-progress, failed, failing, etc.) of all components and aspects of the data protection environment. A variety of events within the environment (e.g., a failed storage or network device, a fire, a security breach, a backup job completion, a database failure, a power outage, a business audit, etc.) and events outside of but associated with the environment (e.g., weather events, government alerts, etc.) may also be monitored and assessed. Conditions of the components, operations, and entire data protection environment may include an assessment of events, metrics, and current health status of all components and aspects of the data protection environment. For example, storage utilization, data throughput rates, and other metrics being within acceptable ranges assessed along with a health status of all devices being online may constitute a normal operating condition for a storage array. As a further example, metrics on a data protection operation (e.g., number of backups running, number of failed backups, amount of data and files backed up daily per client computing device, deduplication rates, etc.) may be assessed as normal operating conditions for data protection operations.” Fig. 4, para 0102 “Next, in step 404, the analytics director module 206 may determine that the high-fidelity data collection has expired or may determine that events and conditions have returned to normal and may automatically adjust data collection back to a normal level. The monitoring alerting reporting director module 208 of the ADP analytics server computing device 104 may perform ongoing health, capacity, and performance monitoring and data collection for all components across the data protection environment including the ADP data acquisition tools. In addition, the monitoring alerting reporting director module 208 may perform ongoing monitoring of events and conditions across the data protection environment. As shown in FIG. 4, this high-fidelity data collection may occur with the ADP data acquisition tools (DATs) including the data protection acquisition tool, the storage acquisition tool, the cloud acquisition tool, and the network acquisition tool.” Paragraph 0103 “Under normal operating conditions in the communications network, the ADP analytics server computing device 104 may obtain a first level of data from at least one hardware device in the communications network 108. However, the ADP analytics server computing device 104 may detect that one of a condition and an event has occurred in the communications network 108 and may automatically transmit an instruction to modify the first level of data obtained from the at least one hardware device to a second level of data more robust than the first level of data when one of the condition and the event has occurred. By more robust, this may mean that the data is collected more often at a higher frequency of time and/or more detailed or higher fidelity data is collected. The condition and the event may comprise one of a hardware device failure, a hardware device error, and a hardware device warning, among other conditions or events such as a failure, an error, and a warning in backup server tooling software. At this point, the ADP analytics server computing device 104 may collect the second level of data from the at least one hardware device and store the second level of data obtained from the at least one hardware device. In addition, the second level of data obtained may include an increased frequency of data collection as well as an increased fidelity of data collected.”)
determining, by the data protection system based on the analyzing of the one or more metrics of the storage system and the one or more metrics of the additional storage system, that the storage system is possibly being targeted by a security threat that causes a potential data corruption (para 0105 “FIG. 5 illustrates a flowchart of a process 500 for automated operational response to ransomware or cyber-attacks according to an example embodiment. In a first step 502, the analytics director module 206 of the ADP analytics server computing device 104 may continually analyze various metrics, events, and conditions in the data protection environment for indications of a ransomware attack. Next, in step 504, the analytics director module 206 may detect an indication of a ransomware attack based on the analysis of the metrics, events, and conditions in the data protection environment. In step 506, the analytics director module 206 may analyze the metrics to determine the systems and data in the data protection environment that have been infected. After determining what has been infected, the analytics director module 206 may identify at least one of directories, files, databases, and data associated with the at least one hardware device that has been infected. In step 508, the analytics director module 206 may create an audit report and instruct the dynamic authorization control director module 214 to restrict or remove access to the systems and data that have been infected. In step 510, the analytics director module 206 may instruct the backup server tooling software module 312 to make off-site copies of previous versions of the data that are now infected and/or take other automated actions to avert, minimize, and remediate damage from the attack.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of analyzing user’s data of Gu in view of Mandagere to include the method of analyzing, one or more metrics of the storage system and one or more metrics of an additional storage system configured to replicate data stored by the storage system, as taught by Spurlock.
The motivation would have been to analyze data several database based on replication in order to detect a potential corruption. 

As per claim 2, Gu in view of Mandagere and Spurlock discloses:
The method of claim 1, further comprising: selecting, by the data protection system based on the corruption-free recovery point, a recovery dataset corresponding to the corruption-free recovery point; and restoring, by the data protection system based on the selected recovery dataset, data stored by the storage system to an uncorrupted state (Gu Col. 8 Line 65 — Col. 9 Line 17). 


As per claim 4, Gu in view of Mandagere and Spurlock discloses:
The method of claim 3, wherein the recovery dataset comprises one or more of a recovery dataset generated prior to the determining that the storage system is possibly being targeted by the security threat or a recovery dataset generated after the determining that the storage system is possibly being targeted by the security threat (Gu Fig. 5, Col. 8 Line 65 — Col. 9 Line 17 and Col. 9 Lines 18-30).

As per claim 5, Gu in view of Mandagere and Spurlock discloses:
The method of claim 4, wherein the recovery dataset generated prior to the determining that the storage system is possibly being targeted by the security threat comprises a provisional ransomware recovery structure that can only be deleted or modified in accordance with one or more ransomware recovery parameters (Gu Col. 9 Lines 18-30).

As per claim 7, Gu in view of Mandagere and Spurlock discloses:
The method of claim 5, wherein the one or more ransomware recovery parameters specify a retention duration before which the provisional ransomware recovery structure can be deleted or modified (Gu Col. 9 Lines 18-30).

As per claim 8, Gu in view of Mandagere and Spurlock discloses:
The method of claim 3, further comprising: receiving, by the data protection system, user input; wherein the determining that the storage system is possibly being targeted by the security threat is further based on the user input (Gu Col. 8 Lines 40-53, Col. 8 Line 65 — Col. 9 Line 5).

As per claim 9, Gu in view of Mandagere and Spurlock discloses:
The method of claim 3, further comprising: identifying, by the data protection system based on the analyzing of the one or more metrics of the storage system and the one or more metrics of the additional storage system, an anomaly with respect to both the storage system and the additional storage system; wherein the determining that the storage system is possibly being targeted by the security threat is based on the identifying of the anomaly (Gu Fig. 5, Col. 8 Lines 40-53) and (Spurlock para 0054, 0102-0105, the motivation would have been to analyze data several database based on replication in order to detect a potential corruption). 

As per claim 10, Gu in view of Mandagere and Spurlock discloses:
The method of claim 2, wherein the restoring is further based on a version of the data stored by the storage system that resides on a system other than the storage system (Gu Fig. 3).

As per claim 11, Gu in view of Mandagere and Spurlock discloses:
The method of claim 1, further comprising presenting, by the data protection system, a visualization of at least one metric included in the one or more metrics of the storage system or the one or more metrics of the additional storage system (Mandagere para 0022, The motivation would have been to properly view the metrics to determine a potential file corruption) and (Spurlock para 0050 and 0094, The motivation would have been to properly view the metrics to determine a potential file corruption)

As per claim 12, Gu in view of Mandagere and Spurlock discloses:
The method of claim 11, further comprising: receiving, by the data protection system, user input based on the visualization (Gu Col. 8 Lines 40-53, Col. 8 Line 65 — Col. 9 Line 5) and (Mandagere para 0022, The motivation would have been to properly view the metrics to determine a potential file corruption)
wherein the determining of the corruption-free recovery point is further based on the user input (Gu Col. 8 Lines 40-53, Col. 8 Line 65 — Col. 9 Line 5) 

As per claim 13, Gu in view of Mandagere and Spurlock discloses:
The method of claim 1, wherein the data protection system is implemented by a controller within the storage system (Gu Figs. 1 and 3). 

As per claim 14, Gu in view of Mandagere and Spurlock discloses:
The method of claim 1, wherein the data protection system is implemented by a computing system communicatively coupled to the storage system by way of a network (Gu Figs. 1 and 3). 

As per claim 15, the implementation of the method of claim 1 will execute the system of claim 1. The claim is analyzed with respect to claim 1. 

As per claim 16, the claim is analyzed with respect to claim 2.

As per claim 18, the claim is analyzed with respect to claim 4. 

As per claim 19, the claim is analyzed with respect to claim 5. 

As per claim 20, the implementation of the method of claim 1 will execute the non-transitory computer-readable medium (Mandagere paragraph 0008) of claim 1. The claim is analyzed with respect to claim 1.

5. 	Claims 6 is rejected under 35 U.S.C. 103 as being unpatentable over Gu in view of Mandagere, and in view of Spurlock, and further in view of U.S. Publication No. 20070220068 hereinafter Thompson. 

As per claim 6, Gu in view of Mandagere and Spurlock discloses: 
The method of claim 5, wherein the one or more ransomware recovery parameters (Gu Fig. 5, Col. 8 Line 65 — Col. 9 Line 17 and Col. 9 Lines 18-30) 

Gu in view of Mandagere and Spurlock does not disclose: 
specify a number or type of authenticated entities that have to approve a deletion or modification of the provisional ransomware recovery structure before the provisional ransomware recovery structure can be deleted or modified

Thompson discloses:
specify a number or type of authenticated entities that have to approve a deletion or modification of the provisional ransomware recovery structure before the provisional ransomware recovery structure can be deleted or modified (para 0081 “As noted above, the file a user works on is placed in an under revision directory, and the system maintains a mirror copy of the file. In this regard, users access files on the server, and back-up/mirror copies are maintained. Therefore, when users access the system it appears to the users that the files they are editing are actually being changed. In this regard, each of the clients is allowed to write information to the files on the system. This is particularly useful since the client is enabled to make virtually whatever modifications to the files as the client may desire; however, the mirror files are not modified until the changes are authorized by an approver, thus, the system allows for readily restoring files after authorized changes. Further, such restoration may be automated.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of analyzing user’s data of Gu in view of Mandagere and Spurlock to include to specify a number or type of authenticated entities that have to approve a deletion or modification of the provisional ransomware recovery structure before the provisional ransomware recovery structure can be deleted or modified, as taught by Thompson.
The motivation would have been to have a single approver to delete a copy of a file before the copy of the file is can be modified in order to properly allow access to files by authorized users.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/           Primary Examiner, Art Unit 2499