Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/1/2022 has been entered.
 
Response to Amendment
	U.S.C. 103 rejections on claims 1 and 9 are not overcome by amendment.


Response to Arguments
Applicant's arguments filed 11/1/2022 have been fully considered but they are not persuasive.  
In response to applicant's argument that Tamir et al. (US 2018/02112987 A1) teaches away from the claimed invention as stated on Pg. 7, “detection of a ransomware attack to facilitate backup of data is not necessary where a target computer system is intentionally exposed to the ransomware algorithm”, a recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art.  If the prior art structure is capable of performing the intended use, then it meets the claim. 
Furthermore, an intended outcome of claim 1 in the preamble is for “mitigating effects of the ransomware algorithm.” Applicant appears to contradict the claim language in their arguments. It is true that claim 1 is directed to identifying a ransomware algorithm by way of intentionally exposing a target computer with a known ransomware, however, the intended outcome also includes mitigating the effects of the ransomware algorithm. Applicant’s argument appears to ignore the limitation of “the ransomware algorithm having associated a predetermined responsive action for mitigating effects of the ransomware algorithm in use,” of claim 1 of the present disclosure. Since limitations in the preamble do not necessarily weigh on patentability, one of ordinary skill in the art does not necessarily need to include this “feature” in the prior art for it to read on the claim, however, Tamir does teach “mitigating effects of the ransomware,” by way of restoring data backups. 
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). 
In this case, applicant argues it would not have been obvious to modify Tamir by Wang to intercept an index of the searchable encryption algorithm, and train an autoencoder based on the index to provide a trained autoencoder adapted to identify the ransomware algorithm based on the index. Applicant argues, such combination would not be motivated because it would require one of ordinary skill in the art to elect not to back up data upon detecting ransomware. Again, a recited limitation in the preamble of claim 1 as amended is “the ransomware algorithm having associated a predetermined responsive action for mitigating effects of the ransomware algorithm in use”. The prior art does not necessarily need to include the limitation of “mitigating the effects of ransomware”, however, in this case, the prior art does teach this limitation. Moreover, the motivation to combine may differ from applicant’s motivations. 
Regarding applicant’s argument that the prior office action mischaracterizes the terms “exposing” and “allowing”, it should be noted that the definition of “to deprive of shelter, protection, or care: subject to risk from a harmful action or condition” does not contradict examiner’s use of the term “expose”. In the instant case, the claimed method deprives the target computer of protection from ransomware exposure, thereby exposing the target computer to the ransomware. In other words, the claimed method exposes the target computer to the ransomware by doing nothing to stop it or allowing it to occur. It should also be noted, restoring backups as disclosed by Tamir is not a means for protecting against exposure to ransomware, it is a means for mitigating effects of the ransomware, Tamir refers to this as remediation. Furthermore, this point is moot because both Tamir and the claimed invention of the present disclosure require the target computer to be exposed to ransomware in order to detect it, or to be trained to detect it. If the target computer was not exposed to ransomware, there would not be any ransomware to detect. Both Tamir and the claimed invention detect ransomware by what it does to the target computer, therefore the target computer must necessarily be exposed to the ransomware. 


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claims 1-10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

The term “more” in claims 1 and 9 is a relative term which renders the claim indefinite. The term “more susceptible” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. Applicant cites paragraphs [0011], [0029], [0038]-[0040], [0050] and [0052] of the Pre-Grant Publication of the present disclosure for support, but none of the cited paragraphs provide any mention of how “more susceptible” is defined.
Claims 2-8 and 10 fall together accordingly.

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-10 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
The limitation in question does not satisfy the written description requirement under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph. The specification does not describe the limitation(s) in sufficient detail so that one of ordinary skill in the art would recognize that the applicant had possession of the claimed invention.
	In this case, regarding claims 1 and 9, the specification does not provide any mention of “the target computer is more susceptible to the ransomware algorithm”. The following excerpts of the Pre-Grant Publication of the present disclosure are cited by the applicant for support: 

[0011] “In some embodiments the autoencoder is trained using multiple training examples based on indices from a plurality of ransomware algorithms to which the target computer system is exposed so as to discriminate the ransomware algorithms.”, 
[0029] “Embodiments of the present disclosure exploit the method of operation of ransomware and the mechanism of ransomware attacks to identify ransomware attacks undertaken using an identifiable ransomware algorithm such that responsive actions 214 known to be effective, appropriate, occasioned or otherwise warranted in response to a particular ransomware 204 can be effected. Thus, a ransomware identifier 216 component is a hardware, software, firmware or combination component communicatively connected to the target computer system 206 and a communication means through which the ransomware server 202 communicates therewith, such as a computer network. The ransomware identifier 216 actively exposes the target computer system 206 to the ransomware algorithm 204. The data 208 stored by target computer system 206 is a predetermined data set such that it can be reconstituted, replicated and reused. In some embodiments, the data 208 includes data that may be actively indexed by ransomware such as data of value to a malicious entity including, inter alia: personal sensitive information such as names, addresses, contact information; financial information such as bank account information, credit card details, debit card details, online banking credentials and the like; payment information; data marked confidential; data marked secret; a private encryption key; a digital signature; username information; password, passphrase, personal identification number, or other access control credentials; and other data as will be apparent to those skilled in the art.”, 
[0038]-[0040] “Once trained, the autoencoder 218 can be further used to determine if a subsequent ransomware matches the one used to train the autoencoder. Thus, responsive to a subsequent ransomware attack using an unknown ransomware, the ransomware identifier 216 exposes a computer system having the predetermined set of sample data to the unknown ransomware to effect encryption of the data by a searchable encryption algorithm of the unknown ransomware. Subsequently, an index generated by the unknown ransomware can be intercepted and used to generate an input vector for the trained autoencoder 218 using the steps outlined above. The input vector so processed is then fed into the autoencoder 218 to determine if the autoencoder 218 is able to recognize the input vector as indicative that the index generated by the unknown ransomware is indicative of the unknown ransomware being the same as the ransomware 204 used to train the autoencoder 218. Thus, in this way appropriate responsive actions 214 associated with a ransomware 204 can be selected for the unknown ransomware as appropriate.
In one embodiment, the autoencoder 218 is trained using multiple training examples based on indices generated from repeated exposures of the target computer system 206 to the ransomware 204. Further, in a preferred embodiment, the autoencoder 218 is trained using multiple training examples based on indices from a plurality of different ransomware algorithms to which the target computer system 206 is exposed to discriminate ransomware algorithms.
FIG. 3 is a flowchart of a method of identifying a ransomware algorithm according to embodiments of the present disclosure. Initially, at 302, the method exposes the target computer system 206 to the ransomware 204. At 304 a searchable encryption index 212 is intercepted and used to generate training input vector(s) to train the autoencoder 218 at 306. At 308 the method determines if a new ransomware attack is detected, and if so, 308 exposes a computer system with the predetermined sample data to the ransomware in the attack. At 310 the method executes the trained autoencoder 218 using an input vector generated from a searchable index of the ransomware used in the attack. At 312 the method determines if the ransomware is recognized by the autoencoder 218 and, if recognized, the method selects and effects responsive actions associated with the recognized ransomware at 314.”, 
[0050] “In some embodiments, the timing of the monitoring by the monitor 642 is selected to coincide with a period when generation of the encryption key can be expected. Thus, the target computer system 206 is exposed to the ransomware 204 intentionally and, at the point of initial exposure and before encryption commences, monitoring of the API calls is performed. The commencement of encryption can be detected by a sudden increase in storage activity—such as disk input/output activity—arising from the process of reading, encrypting and writing data 208 to storage device(s).”,
and [0052] “FIG. 7 is a flowchart of a method for determining a plurality of data sources providing seed parameters of an encryption algorithm according to embodiments of the present disclosure. At 702 the method exposes the target computer system 206 to the ransomware 204. At 704 the monitor 642 monitors API calls to or via the operating system 40 to identify calls retrieving (or possibly useful for retrieving) data about hardware components of the target computer system. At 706 the method determines data about hardware retrieved via the API calls detected at 704 to constitute seed parameters for the generation of an encryption key for the ransomware 204.”

The cited paragraphs make no mention of “the target computer is more susceptible to the ransomware algorithm”, nor can support for this limitation be found anywhere in the original disclosure as filed. Therefore, this limitation is considered new matter.
	For purposes of examination, the limitation of “the target computer is more susceptible to the ransomware algorithm” is interpreted to mean that the target computer is more susceptible to the ransomware algorithm after exposure than before exposure.
Claims 2-8 and 10 fall together accordingly.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claims 1-3 and 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Tamir et al. (US 2018/02112987 A1), in view of 
Wang, G. et al. “Leakage Models and Inference Attacks on Searchable Encryption for Cyber-Physical Social Systems.” IEEE Access 6 (2018): 21828-21839, 
hereinafter Tamir and Wang.

Tamir discloses a computer implemented method of identifying a ransomware algorithm, (Tamir, Fig. 6) the ransomware algorithm having associated a predetermined responsive action for mitigating effects of the ransomware algorithm in use, the method comprising: (Tamir, [0058])
exposing a target computer system to the ransomware algorithm such that the target computer system is more susceptible to the ransomware algorithm, ([0014], “resulting from a ransomware attack”) It is noted, the target computer is necessarily more susceptible to the ransomware algorithm while being attacked by the ransomware, than when it is not being attacked.
the target computer system containing a predetermined set of sample data stored therein that is encrypted by the ransomware algorithm using a searchable encryption algorithm; ([0014], “changes to the data”)
Ransomware is known in the art as a malicious software that encrypts a target computer’s data. This necessarily means that there exists an encryption algorithm being used by the ransomware algorithm to encrypt the data and in order to encrypt the data, the ransomware must access the data. The ransomware must index the data in order to access it. The features listed by Tamir are consistent with an “index” as defined by the instant specification on pg. 8 ln. 1-5, “a series of locations within the encrypted form of data 208.” Therefore, Tamir discloses the indexing of changes to the data, which includes the location, the number and frequency, and the patterns of changes.
Tamir does not disclose the ransomware algorithm using a searchable encryption algorithm or intercepting an index of the searchable encryption algorithm. 
Wang teaches intercepting an index of the searchable encryption algorithm; and (Wang, Sec. I, Pg. 21828, Col. 1 ln. 1-10)
training an autoencoder based on the index to provide a trained autoencoder adapted to identify the ransomware algorithm based on the index. (Sec. II-A, Pg. 21830, Col. 1 ln. 51-54, “communications”)
The difference between Wang and Tamir is Wang does not teach training a classifier based on the index to provide a trained classifier adapted to identify the searchable encryption algorithm based on the index. However, indexing is a feature of ransomware encryption algorithms and Wang’s attack model against a searchable encryption algorithm mirrors the method of detecting ransomware of the present disclosure. One of ordinary skill in the art would recognize an index based searchable encryption algorithm could be used in ransomware knowing the common traits of encrypting data, and indexing data. Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tamir to incorporate the teachings of Wang to include intercepting an index of the searchable encryption algorithm and training an autoencoder based on the index to provide a trained autoencoder adapted to identify the ransomware algorithm based on the index. Such modifications would be motivated to detect new types of ransomware.

Regarding claim 2, Tamir in view of Wang discloses the method of claim 1 as set forth above, and further comprising, responsive to a ransomware attack, exposing a computer system containing the predetermined set of sample data to the ransomware attack (Tamir, [0014], “resulting from a ransomware attack”) and executing (Tamir, [0043], “is used”) the trained autoencoder using a searchable encryption algorithm index arising from the ransomware attack as input to determine that the ransomware attack uses the ransomware algorithm (Tamir, [0043], “to identify ransomware”) in order to effect the predetermined responsive action to mitigate effects of the ransomware attack (Tamir, [0058]).

Regarding claim 3, Tamir in view of Wang discloses the method of claim 1 as set forth above, and wherein the predetermined set of sample data includes a plurality of types of data including one or more of: access control credentials (Tamir, [0033], “credentials”).
It is noted that “one or more of” is an alternative form, therefore the prior art need only satisfy at least one of: personal data; financial information; payment information; data marked confidential; data marked secret; a private encryption key; a digital signature; username information; password information; or access control credentials.

	Claims 9-10 are substantially similar to that of claim 1. Therefore, claims 9-10 are rejected on similar grounds as claim 1 over Tamir in view of Wang.

Claims 4-7 are rejected under 35 U.S.C. 103 as being unpatentable over Tamir and Wang in view of 
CHEN Z.G., et al., "Automatic Ransomware Detection and Analysis Based on Dynamic API Calls Flow Graph", In Proceedings of the International Conference on Research in Adaptive and Convergent Systems, September 2017, pp. 196-201, 
hereinafter Chen.

Regarding claim 4, Tamir in view of Wang discloses the method of claim 1 as set forth above, but fails to disclose, wherein the index is converted to an input vector for the autoencoder by normalizing index entries and applying discretization of the normalized index entries to allocate normalized index entries to discrete input units of the autoencoder.
However, Chen teaches, wherein the index is converted to an input vector for the autoencoder by normalizing index entries (Chen, Sect. 3.4 Pg. 198 Col 2, “rescaling data”) and applying discretization of the normalized index entries to allocate normalized index entries to discrete input units of the autoencoder (Chen, Sect. 3.4 Pg. 198 Col 2, “After normalizing”). 
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tamir in view of Wang to incorporate the teachings of Chen to include, wherein the index is converted to an input vector for the autoencoder by normalizing index entries and applying discretization of the normalized index entries to allocate normalized index entries to discrete input units of the autoencoder. Such modifications would be motivated to “improve the performance of classification algorithms” (Chen, Sect. 3.4 Pg. 198 Col 2).

Regarding claim 5, Tamir and Wang in view of Chen discloses the method of claim 4 as set forth above, and wherein an input value for each input unit of the autoencoder is normalized prior to training the autoencoder (Chen, Sec. 3.3 Pg. 198, Fig. 1).

	Regarding claim 6, Tamir in view of Wang discloses the method of claim 1 as set forth above, but fails to disclose wherein the autoencoder is trained using multiple training examples based on indices generated from repeated exposures of the target computer system to the ransomware algorithm.
However, Chen teaches wherein the autoencoder is trained using multiple training examples based on indices generated from repeated exposures of the target computer system to the ransomware algorithm (Sect. 4.3 Pg. 200).
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tamir in view of Wang to incorporate the teachings of Chen to include wherein the autoencoder is trained using multiple training examples based on indices generated from repeated exposures of the target computer system to the ransomware algorithm. Such modifications would be motivated to evaluate the performance of the classifier (Chen, Sect. 4.3 Pg. 200).

Regarding claim 7, Tamir in view of Wang discloses the method of claim 1 as set forth above, but fails to disclose wherein the autoencoder is trained using multiple training examples based on indices from a plurality of ransomware algorithms to which the target computer system is exposed so as to discriminate the plurality of ransomware algorithms.
However, Chen teaches wherein the autoencoder is trained using multiple training examples based on indices from a plurality of ransomware algorithms to which the target computer system is exposed so as to discriminate the plurality of ransomware algorithms (Sect. 4.1 Pg. 199).
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tamir in view of Wang to incorporate the teachings of Chen to include wherein the autoencoder is trained using multiple training examples based on indices from a plurality of ransomware algorithms to which the target computer system is exposed so as to discriminate the plurality of ransomware algorithms. Such modifications would be motivated “since there is no standard dataset for comparison” (Chen, 4.1 Pg. 199).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Tamir and Wang in view of Krasser et al. (US-PGPUB 2019/0026466 A1), hereinafter Krasser.

Regarding claim 8, Tamir in view of Wang discloses the method of claim 1 as set forth above, and wherein the target computer system is one of a set of target computer systems (Tamir, [0030], “using one or more servers”) but fails to disclose each containing a different predetermined set of sample data, and the autoencoder is trained using multiple training examples based on indices from each of the target computer systems in the set.
However, Krasser teaches each containing a different predetermined set of sample data (Fig. 1 #118, [0048], “data streams”), and the autoencoder is trained using multiple training examples based on indices from each of the target computer systems in the set (Fig. 1 #112, [0048]).
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tamir in view of Wang to incorporate the teachings of Krasser to include each containing a different predetermined set of sample data, and the autoencoder is trained using multiple training examples based on indices from each of the target computer systems in the set. Such modifications would be motivated to determine whether the sample data is associated with ransomware (Krasser, [0048]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Stickle et al. (US Patent No. 11,170,104 B1) – Regarding preventing cryptovirus attacks in a computing service environment by way of monitoring read and write operations and constructing a MLM to detect unexpected changes.
Continella et al. (US 2018/0157834 A1) – Regarding protecting a computer system against ransomware attacks by way of detecting the effects of ransomware attacks by combining automatic detection and transparent file-recovery capabilities.
Thornton et al. (US 2020/0279043 A1) – Regarding analyzing sensor data based on a predictive model, the predictive model is trained to detect malware. Involving simulating ransomware encryption on a computing device to train the predictive model.
Stepanek et al. (US 2019/0251259 A1) – Regarding a computing device collecting ransomware behavioral data of a known ransomware, the behavioral data is based on one or more file writing features, and training a ransomware classifier with the behavioral data.
Fralick et al. (US 2019/0332769 A1) – Regarding statistical techniques and data analytics to develop and apply a model that identifies and halts malware (e.g., ransomware) before the malware actually infects the system and malignantly changes a file (e.g., encrypts the file).
Rivera (US 2018/0357413 A1) – Regarding defending a computing system against malware with an active or passive mode of an Active Defense System (ADS) leveraging hooks to monitor and log API calls.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSHUA NEIL GONZALES whose telephone number is (571)272-0286. The examiner can normally be reached 10:00 AM-2:00 PM; 3:00 PM-7:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
	





/J.N.G./Examiner, Art Unit 2496                                                                                                                                                                                                        
/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496