Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 
Detailed Action
1.	This action is responsive to communication filed on: 12 August 2022 with acknowledgement of an original application filed on 29 December 2020 and that this application is a continuation of multiple applications 10/980,292 now patent 7,506,379, 12/098,256 now patent 9,928,384, 15/846,597 now patent 10,366,252, and 16/416,732 now patent 10,929,569 with an earliest filing date of 4 November 2004.
2.	Claims 1, 3-8, 10-16, and 18-21, are currently pending.  Claims 1, 6, and 14, are independent claims.  Claims 1, 6, and 14, have been amended.  Claims 2, 9, and 17, have been canceled.
Response to Arguments

3.	Applicant's arguments filed 12 August 2022 have been fully considered however they are not persuasive.
I)	In response to Applicant’s argument beginning on page 7, “Claims 1-20 stand rejected on the ground of non-statutory double patenting over claims …Applicant respectfully disagrees with the Examiner…particularly in view of the claim amendments herein”.
	The Examiner disagrees with argument.  The independent claims have been amended to change the phrase:
“periodically creates a point-in-time copy” 
to 
“instantaneously creates a point-in-time copy”  
The Examiner notes using the broadest reasonable interpretation the one-word change does not change the meaning of the claims.  The claims themselves are directed to ‘creating a point-in-time copy’ adding the adjective instantaneously in lieu of periodically does not change the meaning of the claim.  The specification indicates in paragraph 18, the point in time copies are made so that the user will always have a recent copy to fall back when an intrusion is detected.  The words “point-in-time” always suggests instantaneously.  Therefore, the Double Patenting rejection is maintained because the claims at most are just a broader version of the Allowed claims in Patent 9,928,384.  The Examiner also notes “instantaneously creates a point-in-time copy” has always been suggested by the word periodically, note paragraph 29 shown below.  The underline portion teaches instantaneously.
“[0029] Unlike conventional intrusion detection methods discussed above, the present invention periodically copies storage logical units (LUNs) of interest (through fast and space efficient flash copy operations) and then monitors the copies to detect if any unwanted modification has been made. Meanwhile, there is no interruption of service and the original LUNs can be accessed without any limitations by the client machines or servers. The copying process is done such that there is always one "good" copy of the LUNs of interest. The frequency of making copies can be set at any predetermined interval by the system administrators. The higher the frequency, the faster an intrusion can be detected and the more recent and up to date the recovered data is.”The Examiner notes while reviewing the Applicant’s disclosure the word “instantaneously” appears in the specification three times in paragraphs 56-57, and 66.  Although the specification uses the term instantaneously, it does not change the meaning of a point-in-time copy rather it is another description of point-in-time copy.  Paragraph 57 states:
“Because the point-in-time copies 205 are made instantaneously, the present invention avoids coherence problems in the stored data”.  Below, is a 112 rejection requesting further clarification.

II)	In response to applicant’s argument beginning on page 8, “THE PRIOR ART REJECTIONS…does not teach or suggests “a copy module that instantaneously creates a point-in-time copy”
The Examiner disagrees with the argument.  The Moran/’962 clearly teaches/suggests creating backups periodically and/or instantaneously in col. 22, lines 53-64.

The Examiner notes although the previous rejection is repeated because the word change does not change the meaning of the claims.  An updated search was performed using limitations suggested below to overcome a 112 rejection.  The Examiner notes even with the clarifying amendment that indicates “comprising: creating a space efficient point-in-time copy operation, at time of creation, creating the storage level logical unit of an internal data structure set up that instantaneously creates a copying module that periodically 
Tremain U.S. Patent Application 2002/0069369 paragraph 104, note the storage subsystem creates snapshots (i.e. instantaneously) for roll-back purposes;
Koike et al. U.S. Patent No. 7,512,979 col. 5, lines 26-51, note in order to detect alteration with log information is instantly recorded;
Claim Rejections - 35 USC § 112
4.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


5.	Claims 1, 3-8, 10-16, and 18-21, are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.  As indicated above the independent claims have been amended that delete the word “periodically” and instead insert the work “instantaneously”.  The claims are indefinite because according to applicant’s disclosure see paragraphs 56-57, and 66 the term only applies to the first the copy operation is set up.  More details are needed in the claims to clarify what is meant by “instantaneously creates”.  Below is suggestion.  Appropriate Correctio is required.

(Examiner’s Amendment to overcome the 112 rejection) An intrusion detection and recover system, comprising: 
creating a space efficient point-in-time copy operation, at time of creation, creating the storage level logical unit of an internal data structure set up that instantaneously creates a copying module that periodically 
a comparison module that compares…
Double Patenting
6.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A statutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/.
 The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. 
 An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, please refer to - http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp
 7.	Claims 1, 3-8, 10-16, and 18-21are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-17 application 12/098,256 now patent 9,928,384.  Although the conflicting claims are not identical, they are not patentably distinct from each other because all the elements/features in U.S. Patent 9,928,384 are present in the claimed application minus many claimed limitations.  Beginning on the next page is a table comparing claim 1 of the present application to claim 1 of the patented application.  Notice the present application has the same limitation that appear in the patented application 9,928,384 minus several details.   
PRESENT APPLICATION
PATENT 9,928,384
An intrusion detection and recovery system, comprising: a copying module that instantaneously creates a point-in-time copy of a storage level logical unit, said point-in-time copy comprising signatures of said storage level logical unit; 

a comparison module that compares at least a portion of said point-in-time copy with a previous copy of the storage level logical unit; 


and a judging module that, based on results of said comparison module, judges if a modification has occurred, 

wherein a signature of said point-in-time copy is compared with a signature of said previous copy to detect a sign of an intrusion, further comprising a removing module that, when the intrusion has been judged, removes said point-in-time copy and saves said previous copy of the storage level logical unit for data recovery, wherein the signatures of said storage level logical unit comprise encoded data of files of said storage level logical unit that are monitored in said point-in-time copy.
A method for detecting a modification to stored data, said method comprising: creating a point-in-time copy of a storage level logical unit, said point-in-time copy comprising a volume copy of said storage level logical unit and a signature of said storage level logical unit; 
comparing at least a portion of said point-in-time copy with a previous copy of the storage level logical unit, said previous copy of the storage level logical unit comprising an original copy of the storage level logical unit; judging, based on said comparing, if a modification has occurred, 


wherein said modification comprises at least an intrusion and an unwanted modification; removing said point-in-time copy and saving said previous copy of the storage level logical unit for data recovery, if the intrusion has been judged; marking said point-in-time copy as a good copy and removing said previous copy of the storage level logical unit, if the modification has not been judged; and preventing changes on certain logical blocks of the stored data to take place when the changes violate the predefined rules; defining access rules to identify which files of said storage level logical unit are monitored in said point-in-time copy, 
wherein said point-in-time copy further comprises a plurality of signatures of different portions of said storage level logical unit, the signatures comprising encoding of data and metadata of the files, wherein the access rules define types of actions that are allowed to be performed on the files and types of actions on the files that are to be treated as the intrusion, wherein the signatures for files of interest are created based on said access rules, and wherein a signature of said point-in-time copy is compared with a signature of said previous copy to detect a sign of the intrusion.


Claim Rejections - 35 USC § 103
8.	The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.


9.	Claims 1, 2-6, 7-13, and 21, are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Moran U.S. Patent No. 7,203,962 (hereinafter ‘962) in view of Anderson et al. U.S. Patent Application Publication 2003/0204609 (hereinafter ‘609) in further view of NPL Intrusion Detection, Diagnosis, and Recovery with Self-Securing Storage May 2002 by John D. Strunk, Garth R. Goodson, Adam G. Pennington Craig A.N. Soules, and Gregory R. Ganger (hereinafter Strunk).
	As to independent claim 1, “An intrusion detection and recovery system, comprising: a copying module that instantaneously creates a point-in-time copy of a storage level logical unit” “and signatures of said storage level logical unit; a comparison module that compares at least a portion of said point-in-time copy with a previous copy of the storage level logical unit” is taught in ‘962 col. 4, lines 3-43, note backups are created periodically see col. 22, lines 53-64;	“and a judging module that, based on results of said comparison module, judges if a modification has occurred” is taught in ‘962 Abstract, col. 4, lines 15-29, as well as col. 32 line 59 through col. 33, line 37;
	“wherein a signature of said point-in-time copy is compared with a signature of said previous copy to detect a sign of an intrusion” is disclosed in ‘962 col. 4, lines 15-33;
	“wherein the signatures of said storage level logical unit comprise encoded data of files of said storage level logical unit that are monitored in said point-in-time copy” is shown in ‘962 in the Abstract, col. 4, lines 15-29, as well as col. 32 line 59 through col. 33, line 37;the following is not explicitly taught in ‘962:
“said point-in-time copy comprising a volume copy of said storage level logical unit” however ‘609 teaches in order to ensure backup process integrity signature can be computed and exchanged which can be implanted in specific fields or across all fields in paragraphs 84-85, note the signature across ‘all fields’ is interpreted equivalent to a volume copy;
It would have been obvious to one of ordinary skill in the art at the time of the invention of a system and method for using timestamps to detect attacks taught in ‘962 to include a means to compare a volume copy as well as a signature of said volume copy.  One of ordinary skill in the art would have been motivated to perform such a modification because data protection security is important to insure the use of digital technology adoption see '609 (paragraph 5). the following is not explicitly taught in ‘962 and ‘609:
“further comprising a removing module that, when the intrusion has been judged, removes said point-in-time copy and saves said previous copy of the storage level logical unit for data recovery” however Strunk teaches utilizing previous versions (point-in-time copy) for recovery on page 5, section 3.2 and on page 18 in section 5.1, Note page 5, section 2.2 clearly teaches/suggests that previous versions of data are maintained.  Note page 18, states “All storage in conventional system is suspect after an intrusion has occurred.  As a result, full recovery necessitates wiping all information (i.e. removing) via a reformat of the storage device, re-installing the operating from its distribution media, and restoring users’ data from the most recent pre-intrusion backup (i.e. saves previous copy of the storage level logical unit for data recovery)”. 
	It would have been obvious to one of ordinary skill in the art at the time of the invention of a system and method for using timestamps to detect attacks taught in ‘962 and ‘609 to include a means to utilize previously stored point-in-time copies for recovery after an attack.  One of ordinary skill in the art would have been motivated to perform such a modification because today’s recovery approaches require re-install the OS from scratch which is time consuming see Strunk page 1.
As to dependent claim 3, “The intrusion detection and recovery system according to claim 2, further comprising: a marking module that, when the modification has not been judged, marks said point-in-time copy as a good copy and removes said previous copy of the storage level logical unit” is taught in Strunk page 5, note old versions are saved in the device’s history pool for a guaranteed amount of time and are used for recovery from intrusion, this clearly suggests that if no modification has been judged the previous copy will be deleted after expiration of time.
As to dependent claim 4, “The intrusion detection and recovery system according to claim 3, further comprising: a preventing module that prevents changes on certain logical blocks of the stored data to take place when the changes violate predefined rules” is taught in Struck page 5 and section 3.2 on pages 12-13, note utilizing previous versions (point-in-time copy) for recovery, Strunk also teaches on page 18 in section 5.1, and page 21 in section 5.3, a recovery process would remove the infected “point-in-time copy” by copying the previous of the file by restoring the system;
As to dependent claim 5, “The intrusion detection and recovery system according to claim 1, further comprising: a defining module that defines access rules to identify which files of said storage level logical unit are monitored in said point-in-time copy” is shown in Strunk section 3.2 pages 12-13, note as a concrete example of our prototype the server has been extended to support rule-based detection of suspect modifications...enforcing a rule set similar to Tripwire.
As to dependent claim 21, “The intrusion detection and recovery system according to claim 1, wherein the removing module performs the removal on a basis of a result” is shown in Strunk page 18 section 5.1;
“of the comparison between the signature of said point-in-time copy and signature of said previous copy” is disclosed in in ‘962 col. 4, lines 15-33.
As to independent claim 6, “A storage system, comprising: at least one data storage unit; an intrusion detection and recovery system that detects an intrusion at a file system level by instantaneously creating a point-in-time copy of a storage level logical unit” “and signatures of said storage level logical unit; a unit that compares at least a portion of said point-in-time copy and said storage level logical unit information with a previous copy of said storage level logical unit” is taught in ‘962 col. 4, lines 3-43, note backups are created periodically see col. 22, lines 53-64;
	“and a unit that judges, based on results of said unit that compares, if a modification has occurred” is taught in ‘962 Abstract, col. 4, lines 15-29, as well as col. 32 line 59 through col. 33, line 37;
“wherein a signature of said point-in-time copy is compared with a signature of said previous copy to detect a sign of an intrusion” is disclosed in ‘962 col. 4, lines 15-33;
“wherein the signatures of said storage level logical unit comprise encoded data of files of said storage level logical unit that are monitored in said point-in-time copy” is shown in ‘962 in the Abstract, col. 4, lines 15-29, as well as col. 32 line 59 through col. 33, line 37;the following is not explicitly taught in ‘962: “said point-in-time copy comprising a volume copy of said storage level logical unit” however ‘609 teaches in order to ensure backup process integrity signature can be computed and exchanged which can be implanted in specific fields or across all fields in paragraphs 84-85, note the signature across ‘all fields’ is interpreted equivalent to a volume copy;
It would have been obvious to one of ordinary skill in the art at the time of the invention of a system and method for using timestamps to detect attacks taught in ‘962 to include a means to compare a volume copy as well as a signature of said volume copy.  One of ordinary skill in the art would have been motivated to perform such a modification because data protection security is important to insure the use of digital technology adoption see '609 (paragraph 5). 
the following is not explicitly taught in ‘962 and ‘609:
“a unit that, when the intrusion has been judged, removes said point-in-time copy and saves said previous copy of the storage level logical unit for data recovery” however Strunk teaches utilizing previous versions (point-in-time copy) for recovery on page 5, section 3.2 and on page 18 in section 5.1, Note page 5, section 2.2 clearly teaches/suggests that previous versions of data are maintained.  Note page 18, states “All storage in conventional system is suspect after an intrusion has occurred.  As a result, full recovery necessitates wiping all information (i.e. removing) via a reformat of the storage device, re-installing the operating from its distribution media, and restoring users’ data from the most recent pre-intrusion backup (i.e. saves previous copy of the storage level logical unit for data recovery)”. 
	It would have been obvious to one of ordinary skill in the art at the time of the invention of a system and method for using timestamps to detect attacks taught in ‘962 and ‘609 to include a means to utilize previously stored point-in-time copies for recovery after an attack.  One of ordinary skill in the art would have been motivated to perform such a modification because today’s recovery approaches require re-install the OS from scratch which is time consuming see Strunk page 1.
As to dependent claim 7, “The storage system according to claim 6, further comprising: a management console that controls an operation of said intrusion detection and recovery system” is shown in Strunk in section 2.3, pages 6-7. 
As to dependent claim 8, “The storage system according to claim 7, wherein said intrusion detection and recovery system, said management console, and said point-in-time copy of the storage level logical unit are maintained in a secure perimeter, and wherein said secure perimeter is accessible only by a storage system administrator” is shown in Strunk on page 2, Figure 1 as well as page section 2.3 page 6. 
As to dependent claim 9, “The storage system according to claim 6, further comprising: a unit that, when the intrusion has been judged, removes said point-in-time copy and saves said previous copy of the storage level logical unit for data recovery” is shown in Strunk page 5 and section 3.2 on pages 12-13, note utilizing previous versions (point-in-time copy) for recovery, Strunk also teaches on page 18 in section 5.1, and page 21 in section 5.3, a recovery process would remove the infected “point-in-time copy” by copying the previous of the file by restoring the system.
As to dependent claim 10, “The storage system according to claim 9, further comprising: a unit that, when the modification has not been judged, marks said point-in-time copy as a good copy and removes said previous copy of the storage level logical unit” is taught in Strunk page 5, note old versions are saved in the device’s history pool for a guaranteed amount of time and are used for recovery from intrusion, this clearly suggests that if no modification has been judged the previous copy will be deleted after expiration of time.
As to dependent claim 11, “The storage system according to claim 10, further comprising: a unit that prevents changes on certain logical blocks of the stored data to take place when the changes violate predefined rules” is shown in Strunk page 5 and section 3.2 on pages 12-13, note utilizing previous versions (point-in-time copy) for recovery, Strunk also teaches on page 18 in section 5.1, and page 21 in section 5.3, a recovery process would remove the infected “point-in-time copy” by copying the previous of the file by restoring the system.
	As to dependent claim 12, “The storage system according to claim 6, further comprising: a unit that defines access rules to identify which files of said storage level logical unit are monitored in said point-in-time copy” is disclosed in Strunk section 3.2 pages 12-13, note as a concrete example of our prototype the server has been extended to support rule-based detection of suspect modifications...enforcing a rule set similar to Tripwire.
	As to dependent claim 13, “The storage system according to claim 6, wherein said previous copy of the storage level logical unit comprises an original copy of the storage level logical unit” is shown in ‘962 col. 34, lines 1-6.
10. 	Claims 14-20 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over NPL Intrusion Detection, Diagnosis, and Recovery with Self-Securing Storage May 2002 by John D. Strunk, Garth R. Goodson, Adam G. Pennington Craig A.N. Soules, and Gregory R. Ganger (hereinafter Strunk) in view of Anderson et al. U.S. Patent Application Publication 2003/0204609 (hereinafter ‘609) in further view of Moran U.S. Patent No. 7,203,962 (hereinafter ‘962).
	As to independent claim 14, “A computer system, comprising: at least one client machine; and a storage system, said at least one client machine being connected to said storage system, said storage system comprising: at least one data storage unit; an intrusion detection and recovery system” is disclosed in Strunk on, pages 4-5 and page 7;
	“a unit that, when the intrusion has been judged, removes said point-in-time copy and saves said previous copy of the storage level logical unit for data recovery” is taught in Strunk page 5, section 3.2 and on page 18 in section 5.1, Note page 5, section 2.2 clearly teaches/suggests that previous versions of data are maintained.  Note page 18, states “All storage in conventional system is suspect after an intrusion has occurred.  As a result, full recovery necessitates wiping all information (i.e. removing) via a reformat of the storage device, re-installing the operating from its distribution media, and restoring users’ data from the most recent pre-intrusion backup (i.e. saves previous copy of the storage level logical unit for data recovery)”. 
the following is not explicitly taught in Strunk:
“said point-in-time copy comprising a volume copy of said storage level logical unit and signatures of said storage level logical unit” however ‘609 teaches in order to ensure backup process integrity signature can be computed and exchanged which can be implanted in specific fields or across all fields in paragraphs 84-85, note the signature across ‘all fields’ is interpreted equivalent to a volume copy;
	It would have been obvious to one of ordinary skill in the art at the time of the invention of a system and method for Intrusion Detection and Diagnosis and Recovery method taught in Strunk to include a means to compare a volume copy as well as a signature of said volume copy.  One of ordinary skill in the art would have been motivated to perform such a modification because data protection security is important to insure the use of digital technology adoption see '609 (paragraph 5).the following is not explicitly taught in Strunk and ‘609:
	“that detects an intrusion at a file system level by instantaneously creating a point-in-time copy of a storage level logical unit” however ‘962 teaches detecting intrusions at the file system level by analyzing point-in-time copies in col. 4, lines 3-43 and that backups are created periodically in col. 22, lines 53-64;
	“a unit that compares at least a portion of said point-in-time copy and said storage level logical unit information with a previous copy of said storage level logical unit” however ‘962 teaches comparing signatures of an active and stored files to determine if rules are being violated based on predefined rules in the Abstract, col. 4, lines 15-29, col. 32 line 59 through col. 33, lines 37, and col. 34, lines 1-6;
	“and a unit that judges, based on results of said unit that compares, if a modification has occurred, wherein a signature of said point-in-time copy is compared with a signature of said previous copy to detect a sign of an intrusion and wherein the signatures of said storage level logical unit comprise encoded data of files of said storage level logical unit that are monitored in said point-in-time copy” however ‘962 teaches an intrusion detection system in the Abstract, col. 4, lines 15-29, as well as col. 32 line 59 through col. 33, line 37;
It would have been obvious to one of ordinary skill in the art at the time of the invention of a system and method for Intrusion Detection and Diagnosis and Recovery method taught in Strunk to include a means to monitor signatures to identify intrusion.  One of ordinary skill in the art would have been motivated to perform such a modification because there is a need, for an improved system for detecting computer intrusions see ‘962 (col. 3, lines 20-29).
As to dependent claim 15, “The computer system according to claim 14, wherein said previous copy of the storage level logical unit comprises an original copy of the storage level logical unit” is taught in ‘962 col. 34, lines 1-6.
As to dependent claim 16, “The computer system according to claim 14, wherein said intrusion detection and recovery system, said management console, and said point-in-time copy of the storage level logical unit are maintained in a secure perimeter, and wherein said secure perimeter is accessible only by a storage system administrator” is shown in in Strunk on page 2, Figure 1 as well as page section 2.3 page 6. 
	As to dependent claim 17, “The computer system according to claim 14, wherein said storage system further comprises: a unit that, when the intrusion has been judged, removes said point-in-time copy and saves said previous copy of the storage level logical unit for data recovery” is disclosed in Strunk page 5, section 3.2 on pages 12-13, in addition on page 18 in section 5.1, and page 21 in section 5.3, the references clearly suggests that a recovery process would remove the infected “point-in-time copy” by copying the previous of the file by restoring the system.
	As to dependent claim 18, “The computer system according to claim 17, wherein said storage system further comprises: a unit that, when the modification has not been judged, marks said point-in-time copy as a good copy and removes said previous copy of the storage level logical unit” is taught in Strunk page 5, note old versions are saved in the device’s history pool for a guaranteed amount of time and are used for recovery from intrusion, this clearly suggests that if no modification has been judged the previous copy will be deleted after expiration of time.
	As to dependent claim 19, “The computer system according to claim 18, wherein said storage system further comprises: a unit that prevents changes on certain logical blocks of the stored data to take place when the changes violate predefined rules” is shown in Strunk page 5 and section 3.2 on pages 12-13, note utilizing previous versions (point-in-time copy) for recovery, Strunk also teaches on page 18 in section 5.1, and page 21 in section 5.3, a recovery process would remove the infected “point-in-time copy” by copying the previous of the file by restoring the system.
	As to dependent claim 20, “The computer system according to claim 14, wherein said storage system further comprises: a unit that defines access rules to identify which files of said storage level logical unit are monitored in said point-in-time copy” is disclosed in Strunk section 3.2 pages 12-13, note as a concrete example of our prototype the server has been extended to support rule-based detection of suspect modifications...enforcing a rule set similar to Tripwire.                                                            
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
11.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ELLEN C TRAN whose telephone number is (571) 272-3842.  The examiner can normally be reached from M-F 9 AM to 6PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
		If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached at 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ELLEN TRAN/Primary Examiner, Art Unit 2433                                                                                                                                                                                                        29 October 2022