Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claims 1-4, 6-11, 13-18, and 20 have been amended. 
Rejection to claims 2-6, 9-13, and 16-20 has been withdrawn.
Objection to claims 6, 13 and 20 has been withdrawn based on the filed corrections.
Rejection to claims 1-6, 8-13, and 15-19 under USC 101 has been withdrawn based on filed amendments.
Claims 1-20 are pending.
Response to Arguments 
Applicant's arguments filed on November 3, 2022 have been fully considered.
With respect to the arguments regarding USC 101 rejection of claims 1-6, 8-13, and 15-19, the argument is persuasive and therefore the USC 101 abstract idea rejection is withdrawn.
With respect to the objection to claims 6, 13 and 20, the filed corrections have been accepted and the objection is withdrawn.
With respect to the argument that KOSTER fails to teach access requests, the examiner respectfully disagrees. KOSTER teaches of detecting abnormal activity through the use of monitoring ([KOSTER, Col. 3 lines 59-60] “calls to kernel function patterns is monitored at block 204 where data is sampled periodically.”) and, as recited in the non-final office action, ([KOSTER, Col. 3 lines 63-67, Col. 4 lines 1-16] “As indicated at a decision block 206, checking for an anomaly or abnormal activity is performed. Introspection optionally is used to monitor container metrics, such as kernel API calls, looking for abnormal patterns.”). The monitoring of API calls to the kernel to sample data is analogous to monitoring for malicious access requests.
With respect to the argument that the threshold interest in VASIREDDY is to provide efficient access to data storage and not blocking malicious access requests containing ‘malicious patterns’, the examiner respectfully disagrees. As recited in the rejection, VASIREDDY teaches of providing secure access to a storage container and blocking malicious users. Furthermore, VASIREDDY mentions ([VASIREDDY, para. 0102] “In order to ensure secure access by the computing node and not a malicious user or another entity who may later acquire the node from the legitimate computing node, the vault 906, in one or more examples, can note the IP address of the computing node, and configure the token so that it only grants access to the data from the IP address corresponding to the computing node.”). This clearly states that VASIREDDY teaches of analyzing the content of the request, in this case checking the IP address, to see if the request is malicious or not.
Additional arguments are moot in view of new grounds of rejection necessitated by the claims' amendments.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 8, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over KOSTER (US-9794287-B1), in view of VASIREDDY (US-20200366660-A1), hereinafter KOSTER-VASIREDDY.
Regarding claim 1, KOSTER teaches “A method performed in a cloud infrastructure, the method comprising: maintaining a plurality of malicious patterns indicating respective malicious attacks to access non-volatile storages provided to clouds in the cloud infrastructure;” ([KOSTER, Abstract] “A method, and a system are provided for implementing cloud based malware container protection. A container is provisioned for a user. The container is monitored, and when an abnormal activity is detected based upon historical metric data”) ([KOSTER, claim 5] “The method as recited in claim 1 includes storing and checking learned attack patterns for detecting abnormal activity.”) ([KOSTER, Col. 4 lines 13-16] “As indicated at a block 209, learned attack patterns and false positives are stored. As indicated at a decision block 210, checking is performed to determine whether a threshold is exceeded or if a known attack pattern.”) …… checking whether the data stream contains a malicious pattern of the plurality of malicious patterns, ….; ([KOSTER, Col. 3 lines 63-67, Col. 4 lines 1-16] “As indicated at a decision block 206, checking for an anomaly or abnormal activity is performed. Introspection optionally is used to monitor container metrics, such as kernel API calls, looking for abnormal patterns. The monitored container data is compared with existing data using data mining techniques for anomaly detection against usage patterns at decision block 206, and checking for known pattern is performed as indicated at a block 208. When an abnormal activity is detected, for example, based on a threshold that gets smarter over the lifetime of the system, an anomaly flag is set to true at decision block 206. At block 208, the abnormal pattern is checked against known patterns. If the pattern is known to not be an attack, it is ignored. If the pattern is a known pattern for bad actor activity, it is flagged as an attack. This technique involves machine learning and categorization. One example is through the use of a Naive Bayes classifier. As indicated at a block 209, learned attack patterns and false positives are stored. As indicated at a decision block 210, checking is performed to determine whether a threshold is exceeded or if a known attack pattern.”) ([KOSTER, Col. 4 lines 25-27] “If the threshold is not exceeded, or not a known attack patterns, operations continue returning to block 204.”) and if the data stream does contain the malicious pattern, concluding that the access request is a malicious attack corresponding to the malicious pattern … ([KOSTER, Col. 4 lines 16-25] “If the threshold is exceeded or if a known attack pattern, then container is removed from the multi-tenant container pool and rapidly provisioned as a unikernel as indicated at a block 212. The removal and unikernel provisioning operations at block 212 isolate the tenant or user from other tenants while not allowing the user to wreak havoc, for example, attack other tenants and cause system harm, while preserving the forensic data and keeping the tenant running in the case the anomaly was a false positive.”).
However, KOSTER does not teach of “receiving an access request directed to a first non-volatile storage, the access request being in the form of a data stream specified following TCP (Transmission Control Protocol) port numbers in a TCP/IP (Transmission Control Protocol/ Internet Protocol) packet; …… if the data stream does not contain the malicious pattern, forwarding the access request to the first non-volatile storage …… and blocking the access request to the first non-volatile storage”.
In analogous teaching, VASIREDDY teaches “receiving an access request directed to a first non-volatile storage, the access request being in the form of a data stream specified following TCP (Transmission Control Protocol) port numbers in a TCP/IP (Transmission Control Protocol/ Internet Protocol) packet;” ([VASIREDDY, para. 0102] “In one or more examples, the vault 906 can receive access requests for data from a cloud-based computing node and then issue one or more tokens to the cloud-based computing node for access to the appropriate storage container. In order to ensure secure access by the computing node and not a malicious user or another entity who may later acquire the node from the legitimate computing node”) ([VASIREDDY, abstract] “In one or more examples, a computing hub can receive one or more access requests to data stored within a persistent data storage computing resources that in connected to the computing hub. The computing hub can be configured to determine if the access request is from an authorized computing resource”). ([VASIREDDY, 0106] “each cloud-based computing node can communicate with the computing system using a TCP/IP protocol. Therefore each computing node that is part of computing system 200 may have an IP address associated with it. The IP address of a computing node can be used as an identifier that the vault 906 can use to ensure that access to the a particular data set stored within a container is granted to a legitimate user of that data.”) …… if the data stream does not contain the malicious pattern, forwarding the access request to the first non-volatile storage ([VASIREDDY, para. 0107] “Once the IP address of a particular request is determined at step 1004, the process can move to step 1006 wherein the vault 906 can determine the duration of time in which the token will be valid.”) ([VASIREDDY, para. 0109] “Once the token has been generated at step 1008, the process can move to step 1010 wherein the token can be transmitted to the appropriate computing node seeking access to the data. Finally, once the token has been transmitted at step 1010, the process can be terminated at step 1012.”) ([VASIREDDY, para. 0120] “generating one or more tokens for access to the data set to the data set stored in the in the one or more containers within the first computing resource includes determining a duration of time for allowing access to the data set and generating the one or more tokens for access to the data set based on the determined duration of time for allowing access to the data set.”) and blocking the access request to the first non-volatile storage ([VASIREDDY, para. 0102] “ensure secure access by the computing node and not a malicious user or another entity who may later acquire the node from the legitimate computing node, the vault 906, in one or more examples, can note the IP address of the computing node, and configure the token so that it only grants access to the data from the IP address corresponding to the computing node”) ([VASIREDDY, para. 0068] “can allow for secure access to the data by preventing non-authorized users or entities from accessing the data.”) [Examiner’s note: TCP/IP protocol packets as recited by VASIREDDY inherently include port numbers within the packet.]
Thus, given the teaching of VASIREDDY, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of access requests in the form of data streams to a cloud container by VASIREDDY into the teaching of method to detect malicious patterns in cloud storages as taught by KOSTER. One of ordinary skill in the art would have been motivated to do so because VASIREDDY recognizes the need to provide a secure and efficient method to access stored data. ([VASIREDDY, para. 0089] “As an example, one of the features that the computing system 200 can include to ensure secure and efficient access is to include a system and method for preparing and organizing the data in the persistent data store in such a manner so as to make access to that data efficient, while at the same time only allowing for access of data belonging to a particular user. In order to ensure that data is secure (i.e., not accessible to malicious users, and does not propose a threat to the persistent data source)”).

Regarding claim 8, this claim recites a server system that includes the features of claim 1. Therefore, claim 8 is rejected in a similar manner as in the rejection of claim 1. 

Regarding claim 15, this claim recites a non-transitory machine readable medium storing instructions that, when executed, perform the steps of claim 1. Therefore, claim 15 is rejected in a similar manner as in the rejection of claim 1.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over KOSTER-VASIREDDY in view of DESHMUKH (US-20180159729-A1) and further in view of ZHENG (US-20200250310-A1).
Regarding claims 7 and 14, KOSTER-VASIREDDY teaches all limitations of claims 1 and 8. However, KOSTER-VASIREDDY does not teach “wherein the access request is a write request specifying a file name specified following the port numbers, the file name specifying a file which contains data to be written, wherein the checking comprises examining the data to be written for the malicious pattern”.
In analogous teaching DESHMUKH teaches “wherein the access request is a write request specifying a file name specified following the port numbers, the file name specifying a file which contains data to be written” ([DESHMUKH, para. 0065] “configuring traffic segmentation, additional steps may take place to configure additional related information, such as, by way of example and not limitation: … IP addresses … port numbers”) ([DESHMUKH, para. 0116] “FIG. 5 illustrates an example method for accessing data in a virtualized file server according to particular embodiments. The client system 330 may access the data, such as a specified folder, as follows. At step 502, the client system 330 receives a storage access request from an application executing in a user VM. Each storage access request references a file path (e.g., \\FS1.share.com\share-1\Folder-1), which includes a file or folder name and further includes or can be used to identify a share name (e.g., FS1.share.com\share-1) or an NFS remote file system name (e.g., fs1.share.com:/share-1. The storage access request may also include an operation type (e.g., read, write, delete, rename, etc.), a position in the file (for read/write requests), data to be written (for write requests), quantity of data to be read (for read requests), a new file path (for rename requests), folder name (for folder creation requests) or other information appropriate for the operation type.”).
Thus, given the teaching of DESHMUKH, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of access requests to write to a file by DESHMUKH into the teaching of method to detect malicious patterns in cloud storages as taught by KOSTER-VASIREDDY. One of ordinary skill in the art would have been motivated to do so because DESHMUKH recognizes the need for quick file access between a user and a storage ([DESHMUKH, para. 0029] “In particular embodiments, the virtualized file server determines the location, e.g., host machine, at which to store a storage item such as a file or folder when the storage item is created …… file access operations between the user VM that is known to be associated with the storage item and is thus likely to access the storage item again (e.g., in the near future and/or on behalf of the same user) may use local communication or short-distance communication to improve performance, e.g., by reducing access times or increasing access throughput.”).
However, KOSTER-VASIREDDY-DESHMUKH does not teach “…… wherein the checking comprises examining the data to be written for the malicious pattern”.
In analogous teaching ZHENG teaches “…… wherein the checking comprises examining the data to be written for the malicious pattern” ([ZHENG, para. 0025] “An application analysis involves analyzing the application and exploring and interacting with the application to try and determine what operating system calls are made, what kind of data being written, what data is being transferred, what types of data are being accessed, what input is being requested, etc. The results of the application analysis can be analyzed to determine if there is some type of malicious activity, if there are privacy issues, the application has user interface issues, the application is benign, etc.”).
Thus, given the teaching of ZHENG, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of analyzing data to determine malicious activity by ZHENG into the teaching of method to detect malicious patterns in cloud storages as taught by KOSTER-VASIREDDY. One of ordinary skill in the art would have been motivated to do so because ZHENG recognizes the need to prevent malicious software ([ZHENG, para. 0034] “Malicious software (“malware”) that infects a host computer may be able to perform any number of malicious actions, such as stealing sensitive information from a business or individual associated with the host computer …… One-way security systems try to mitigate malware is to analyze applications and try to determine their risk to exploitation from malware or a malicious operator.”).

Allowable Subject Matter
Claims 2-6, 9-13, and 16-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
GOLDFARB (US-10114970-B2): This prior art teaches of a process including: receiving a request to access a distributed data store, wherein the distributed data store stores a plurality of units of content that are each distributed among multiple computing entities hosting different subsets of data of the distributed data store; and causing, with one or more processors of a computing device configured to participate in combining the information from the plurality of computing entities to access units of content, logging of the request in an entry in a tamper-evident log.
KOZLOVSKY (US-9866573-B2): This prior art teaches of a technique involving comparing access patterns in a storage system to expected access patterns under similar circumstances. An intrusion detection system, in response to a suspected malicious application workload, collects information about a current session on the storage processor, e.g., application workloads running, users logged in, and timestamp, as well as parameters such as storage allocation requests sampled at prespecified intervals over a period of time. In a database that stores such sampled parameter values by application workload, user, and time, the system extracts the sampled parameter values having the application workload, user, and time corresponding to the current session. The system then compares the extracted sampled parameter values with the current parameter values and computes a difference. Based on the difference, the system determines whether the storage system is accessed by a malicious application workload.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/AFAQ ALI/ Examiner, Art Unit 2434
/KAMBIZ ZAND/ Supervisory Patent Examiner, Art Unit 2434