Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present Office Action is responsive to communication received 7/28/2022. Claims 1-20 are pending.

Response to Arguments
Applicant’s arguments received on 7/28/2022 are considered and are respectfully addressed as follows:
Regarding the prior art rejection, Applicant argues that the prior art does not teach all the limitations in the amended independent claims. The examiner respectfully disagrees, as all the amendments are taught or suggested by the cited prior art, as presented below. 

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
 

Claims 1-17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20180121650 to Brown et al., hereinafter Brown, and further in view of US 20190108340 to Bedhapudi et al., hereinafter Bedhapudi.

Regarding claim 1, Brown discloses
An apparatus, comprising: a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to ([0058], Fig. 5): receive data identifying a process ([0027]: detect process, [0049]: specify identifier of the process) and a plurality of files accessed by the process ([0028]: record number of unique files accessed ...); identify a plurality of access indicators for each of the plurality of files accessed by the process, wherein the plurality of access indicators are selected from the group of a file type ([0028]: a plurality of access indicators include file access records, e.g. a number of unique file extensions or types, unique files accessed, a number of times a file is accessed ...), a number of files per file type that were accessed ([0053]: record file name, extension, type of file(s) ... and uniquely count any of this data); determine whether a threshold based on two or more of the plurality of access indicators is satisfied ([0055]: confidence score calculated based on one or more file access patterns or file access records; if the confidence score exceeds a threshold, the process is malicious); interrupt, based on a determination that the threshold is satisfied, the process ([0056]: when the threshold is exceeded, take preventive action, e.g. stop the process); and prompt a user to allow or disallow the process to proceed ([0065]: seek user authorization before committing the preventative action).
Brown does not explicitly teach the access indicators include an age of a file that was accessed and a frequency that files were accessed.
In an analogous art, Bedhapudi discloses detecting ransomware by counting I/O operations in a time period, compared to historical data ([0321]); the operations include determining an age of a file that was accessed ([0309]: note timestamp associated with file create, open ... events; [0332]: number of file creations in a period of time can exceed a threshold number; and [0360]: timestamps for first and last file created, i.e., age of created files) and a frequency that files were accessed ([0224][0322]: number of file accesses such as file renaming, deletion, creation per time period). It would have been obvious to a skilled artisan before the instant application was filed to determine an age of files and a frequency of access of files as taught by Bedhapudi because it would add more indicators of malware affecting files, facilitate flagging suspicious activities, and detect patterns in I/O operations over time, enhancing the identification of malware.

Regarding claim 2, Brown in view of Bedhapudi discloses the apparatus of claim 1; Brown discloses counting the number of types of file extension accessed ([0053]), and comparing a corresponding confidence score to a threshold ([0100][0055]). Brown does not explicitly disclose wherein the threshold is partially based on 12 file types being accessed by the process. In an analogous art, Bedhapudi discloses detecting ransomware by analyzing I/O requests of a process ([0308]), comparing the number of operations in a time period to a threshold ([0310]). A threshold is user-specific or machine-specific or based on historical I/O activities ([0311]). Therefore, it would have been obvious to a skilled artisan before the instant application was filed to specify a threshold equal to 12 file types based on specific context or policies, as it would yield a reasonable expectation of success.

Regarding claim 3, Brown in view of Bedhapudi discloses the apparatus of claim 1, further configured to: determine whether a second threshold based on the plurality of access indicators is satisfied (Brown [0100]: confidence metric determined from and aggregated over instances of any of the information contained in the record, the record including a number of distinct files accessed and a record of distinct file types; also [0051]: record threshold periodically).

Regarding claim 4, Brown in view of Bedhapudi discloses the apparatus of claim 1, wherein a first access indicator from the plurality of access indicators is a file type (Brown [0028]) and a second access indicator from the plurality of access indicators is a number of files accessed for each file type (Brown [0053][0086]).

Regarding claim 5, Brown in view of Bedhapudi discloses the apparatus of claim 4; although the cited art does not explicitly teach wherein the threshold is 10 different file types being accessed at least 10 times, Brown also discloses counting the number of file types and the number of any file accessed ([0028][0053][0100]), and comparing to a threshold according to a defined policy ([0055]). Brown does not teach the specific threshold amount as claimed. Bedhapudi also discloses detecting ransomware by analyzing I/O requests of a process ([0308]) and the number of file accesses in a time period ([0322]), comparing the number of operations in a time period to a threshold ([0310]). A threshold is user-specific or machine-specific or based on historical I/O activities ([0311]). Therefore, it would have been obvious to a skilled artisan before the instant application was filed to specify wherein the threshold is equal to 10 different file types accessed at least 10 times. One would be motivated to specifically define the claimed numbers based on historical activities, context and policies, as it would yield a reasonable expectation of success.

Regarding claim 6, Brown in view of Bedhapudi discloses the apparatus of claim 1, wherein a first access indicator from the plurality of access indicators is a file type (Brown [0028]) and a second threshold is based on an age of the files accessed (Bedhapudi [0309][0360]: the indicator is a timestamp associated with the file access).

Regarding claim 7, Brown in view of Bedhapudi discloses the apparatus of claim 6. Brown also discloses counting the number of file types and the number of any file accessed ([0028][0053][0100]), and comparing to a threshold according to a defined policy ([0055]). Brown in view of Bedhapudi does not teach the specific threshold amounts as claimed. Bedhapudi teaches detecting a number of new file creations in a period of time, compared to normal activity ([0332]). The thresholds are based on historical data ([0223][0311]). Therefore, it would have been obvious to a skilled artisan before the instant application was filed to set the threshold equal to 10 file types that were accessed, with the 10 files that were accessed being more than 6 months old, because setting such a threshold based on empirical data is reliable compared to using heuristics, and would enhance malware detection.

Regarding claim 8, Brown in view of Bedhapudi discloses the apparatus of claim 1, wherein a first access indicator from the plurality of access indicators is a file type (Brown [0028]) and a second access indicator is based on a frequency of accessing the plurality of files (Bedhapudi [0332]: frequency of creation, renaming of files ... for a time period).

Regarding claim 9, Brown in view of Bedhapudi discloses the apparatus of claim 8; although the cited art does not explicitly teach wherein the threshold is based on 20 different file types being accessed in 30 seconds or less, the limitation is obvious or suggested by the following teaching: Brown discloses counting the number of times a file type is accessed ([0053][0086][0100]), and Bedhapudi discloses counting a number of file accesses in a time period ([0332]), with the numbers or threshold set based on historical I/O file observations ([0311]). Therefore, it would have been obvious to a skilled artisan before the instant application was filed to set the numbers as claimed because they would be based on empirical evidence rather than pure theory, and would be more efficient and specific to the context in which the files are being accessed.

Regarding claim 10, Brown in view of Bedhapudi discloses the apparatus of claim 1, further configured to: monitor the process accessing the plurality of files (Brown fig. 4, 402); and store the plurality of access indicators identified for each of the plurality of files accessed by the process (Brown [0028][0046]).  

Regarding claim 11, Brown in view of Bedhapudi discloses the apparatus of claim 1, further configured to: send, to a cloud server, metadata and access data associated with the process to determine whether the process includes ransomware (Bedhapudi [0296][0297]: clients send collected I/O data to the cloud, which detects ransomware from the I/O data). It would have been obvious to a skilled artisan before the instant application was filed to send the metadata to a cloud server for ransomware detection because it would offload the detection from the client computing devices, freeing resources on the client.
Regarding claim 12, the claim recites substantially the same content as claim 1 and is rejected by the same rationales as claim 1.
Regarding claim 13, the claim is rejected by the same rationales as claim 2.
Regarding claim 14, the claim recites substantially the same content as claim 3 and is rejected by the same rationales as claim 3.
Regarding claim 15, the claim recites substantially the same content as claim 4 and is rejected by the same rationales as claim 4.
Regarding claim 16, the claim is rejected by the same rationales as claim 5.
Regarding claim 17, the claim recites substantially the same content as claim 1 and is rejected by the same rationales as claim 1.
Regarding claim 20, Brown in view of Bedhapudi discloses sending, to a cloud server, metadata and access data associated with the process to determine whether the process includes ransomware; receiving, from the cloud server, processed data identifying whether the process includes ransomware (Bedhapudi [0297]: clients send collected I/O data to the cloud; [0334]: detection can be performed by any component of the system, i.e., by the cloud; Fig. 11: ransomware detection in a server); identifying, based on a determination that the process includes ransomware, a corrective action; and prompting the user to take the corrective action (Bedhapudi [0313]: present a warning to the user, to clear or ignore the anomaly; [0314]: disable the operation).

Allowable Subject Matter
Regarding claim 18, Brown in view of Bedhapudi discloses the method of claim 17; although the cited art does not explicitly teach the claimed threshold, Brown discloses counting the number of times a file type is accessed ([0053][0086][0100]), and Bedhapudi discloses counting a number of file accesses in a time period ([0332]), with the numbers or threshold set based on historical I/O file observations ([0311]). Therefore, it would have been obvious to a skilled artisan before the instant application was filed to set the threshold equal to 8 or more different file types being accessed by the process in 30 seconds or less because it would be based on empirical evidence rather than pure theory, and would be more efficient and specific to the context in which the files are being accessed.
Bedhapudi additionally discloses recording the time a file is created, accessed or modified along with the file name, type ... ([0080]), but does not associate the age of the accessed files with the detection process. The prior art of record does not explicitly teach: wherein the threshold is equal to 8 or more different file types being accessed by the process in 30 seconds or less, where at least 10 of the files that were accessed are more than 6 months old. Therefore, claim 18 is found allowable.
Regarding claim 19, Brown in view of Bedhapudi discloses the method of claim 17; although the cited art does not explicitly teach the claimed threshold, Brown discloses counting the number of times a file type is accessed ([0053][0086][0100]), and Bedhapudi discloses counting a number of file accesses in a time period ([0332]), with the numbers or threshold set based on historical I/O file observations ([0311]). Therefore, it would have been obvious to a skilled artisan before the instant application was filed to set the threshold equal to 12 or more different file types accessed by the process in 60 seconds or less, with at least 10 files of each of the 12 or more different file types accessed, because it would be based on empirical evidence rather than pure theory, and would be more efficient and specific to the context in which the files are being accessed.
Bedhapudi additionally discloses recording the time a file is created, accessed or modified along with the file name, type ... ([0080]), but does not associate the age of the accessed files with the detection process. The prior art of record does not explicitly teach: wherein the threshold is equal to 12 or more different file types accessed by the process in 60 seconds or less, where at least 10 of the files that were accessed are more than 6 months old and at least 10 files of each of the 12 or more different file types were accessed.
Therefore, claim 19 is found allowable.
Claims 18-19 are being objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
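The access-indicator thresholds at issue in claims 1, 5, 7, 9, 18 and 19 can be read as a small rule set evaluated over a stream of per-process file access events. The following Python block is a worked example added for this edit; it is not code from the application, from Brown, or from Bedhapudi. It assumes that file access events have already been captured by a monitor (the role Brown Fig. 4, 402 plays), that a file's age is approximated by the interval between its last-modified time and the access, that "more than 6 months old" means more than 183 days, and that claim 5's "10 different file types being accessed at least 10 times" means at least 10 accesses per type; the process identifiers, paths and timestamps in the sample are constructed.

```python
"""Added example (not from the Office Action, Brown or Bedhapudi): evaluate the
claimed ransomware access-indicator thresholds over per-process file accesses."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SIX_MONTHS = timedelta(days=183)  # assumed reading of "more than 6 months old"


@dataclass(frozen=True)
class FileAccess:
    pid: int
    path: str
    at: datetime        # when the process accessed the file
    modified: datetime  # file mtime before the access; age is approximated as at - modified

    @property
    def file_type(self) -> str:
        name = self.path.rsplit("/", 1)[-1]
        return name.rsplit(".", 1)[-1].lower() if "." in name else ""


@dataclass(frozen=True)
class Rule:
    name: str
    min_types: int                      # distinct file types that must qualify
    window: Optional[timedelta] = None  # None: no time bound (claims 5 and 7)
    min_per_type: int = 1               # accesses a type needs to count as qualifying
    min_old_files: int = 0              # accessed files older than min_age
    min_age: timedelta = SIX_MONTHS


# Threshold values quoted from the claims; the per-type reading of claim 5 is an assumption.
RULES: List[Rule] = [
    Rule("claim 5: 10 types, >=10 accesses each", 10, None, 10),
    Rule("claim 7: 10 types, 10 files >6 months old", 10, None, 1, 10),
    Rule("claim 9: 20 types within 30 s", 20, timedelta(seconds=30)),
    Rule("claim 18: 8 types within 30 s, 10 old files", 8, timedelta(seconds=30), 1, 10),
    Rule("claim 19: 12 types within 60 s, >=10 each, 10 old files", 12, timedelta(seconds=60), 10, 10),
]


def rule_hits(events: List[FileAccess], rule: Rule) -> bool:
    """Slide a window of rule.window over one process's accesses (sorted by time) and
    test the indicators inside each window; an unbounded rule uses a single window."""
    events = sorted(events, key=lambda e: e.at)
    for i, start in enumerate(events):
        window = events if rule.window is None else [
            e for e in events[i:] if e.at - start.at <= rule.window]
        per_type = Counter(e.file_type for e in window if e.file_type)
        qualifying = sum(1 for n in per_type.values() if n >= rule.min_per_type)
        old = sum(1 for e in window if e.at - e.modified > rule.min_age)
        if qualifying >= rule.min_types and old >= rule.min_old_files:
            return True
        if rule.window is None:
            break
    return False


def assess(events: List[FileAccess], rules: List[Rule] = RULES) -> Dict[int, List[str]]:
    """Group accesses by pid and return, per process, the names of the rules satisfied."""
    by_pid: Dict[int, List[FileAccess]] = {}
    for e in events:
        by_pid.setdefault(e.pid, []).append(e)
    return {pid: [r.name for r in rules if rule_hits(evs, r)] for pid, evs in by_pid.items()}


def decision(fired: List[str]) -> str:
    """Claim 1's action once a threshold is satisfied: interrupt and ask the user."""
    return "interrupt and prompt user" if fired else "allow"


# Constructed sample data (not taken from any reference).
T0 = datetime(2022, 10, 5, 9, 0, 0)
TYPES = ["docx", "xlsx", "pdf", "jpg", "png", "pptx", "txt", "csv", "zip", "mp3", "mov", "psd"]


def burst(pid: int, step: timedelta, age: timedelta) -> List[FileAccess]:
    """120 accesses: 12 types x 10 files, one access per `step`, each file `age` old."""
    return [FileAccess(pid, f"/home/u/f{k}.{TYPES[k % 12]}", T0 + k * step, T0 + k * step - age)
            for k in range(120)]


SAMPLE = (
    burst(4242, timedelta(milliseconds=500), timedelta(days=400))  # encryptor-like sweep
    + burst(9001, timedelta(minutes=1), timedelta(days=400))       # slow backup job, same files
    + [FileAccess(7, f"/home/u/notes{k}.txt", T0 + timedelta(seconds=k), T0 - timedelta(days=3))
       for k in range(3)]                                          # text editor, recent files
)

if __name__ == "__main__":
    for pid, fired in assess(SAMPLE).items():
        print(pid, decision(fired), fired)
```

Running the sample shows the practical difference between the bounded and unbounded thresholds: the time-bounded rules of claims 18 and 19 fire on the half-second sweep but not on the slow backup job that touches the same aged files, while the unbounded rules of claims 5 and 7 fire on both. That second case is the false positive a deployment has to tune against, either by policy or by the historical baselines Bedhapudi [0311] describes, before the claim 1 interrupt-and-prompt action is acceptable to users.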

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Singh et al., 10621346, disclose detecting ransomware by storing metadata such as file date, file name and extension, and comparing the metadata collected for the current version of a file to previous versions of the same file.
Chelarescu et al., 20190303571, disclose detecting malware based on features such as the file name of a modified file, extension, content, new and old versions of files, date of file creation, date of file modification ...
Bhave et al., 20180307839, disclose a server manager for detecting ransomware, including a server interface to retrieve, from a storage device, a backup of a plurality of files stored by a client device. A ransomware detection module includes a statistical filter to generate a standard pattern of file activities of the client device for a time period.
Dahan, 20180293379, discloses an anti-ransomware application for monitoring activities that occur within the computing system. In one embodiment, the at least one monitoring module monitors selected activities, including, but not limited to, file accesses, network accesses, application accesses, registry accesses, file creations, file modifications, process calls, and process creations ... setting a threshold level to determine the malware activity.
Turner, 9785775, discloses estimating an age value associated with an identified process and comparing it to an age value associated with the at least one file; if the process is newer than the file it wants to modify, the process is quarantined, detecting malware comprising ransomware.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138. The examiner can normally be reached Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Catherine Thiaw/ Primary Examiner, Art Unit 2493    10/5/2022