DETAILED ACTION

Response to Arguments
Applicant's arguments (“REMARKS”) filed September 9, 2022 have been fully considered but they are not persuasive.
Claims 1-6 are currently pending.

Applicant argues on pp. 5-6 of the REMARKS that:
A. The honeypot in Dahan is used to “bait” attacks from malicious programs, which may or may not be exposed. In contrast, the claim limitations require “exposing” the target computer system, which is distinct from the act of baiting in Dahan.
B. There is no motivation to modify Kostyushko with the teachings of Dahan.

In response to argument A: The Examiner respectfully disagrees. As the Applicant stated on pg. 6 of the REMARKS, the bait “may or may not actually be exposed to a malicious program”. However, there is nothing in the claims that states that the exposed target computing system is actually attacked by the ransomware algorithm. At best, the next step merely performs “monitoring” for API calls, which may or may not originate from the ransomware algorithm. Even if these API calls were caused by the ransomware algorithm, Kostyushko would disclose those features as discussed in the 103 rejection.
Furthermore, the term “exposing” is conventionally understood to mean making something visible or putting something in harm’s way. The claimed limitations give no further context for “exposing”. A computer/network honeypot provides an environment that appears legitimate for enticing real malicious attacks. See [Dahan, ¶0072]. Additionally, Robertson (US 2019/0026460), ¶0014 discloses: “The concept of a “honeypot” trap allows intentionally exposed, but safely isolated, targets to be attacked for the purposes of security monitoring and keeping malicious attackers distracted.” In other words, a honeypot “exposes” itself to malicious attacks. Therefore, the limitation is understood as making a target computer system purposefully visible or vulnerable to a ransomware attack, similar to the role of any conventional honeypot in the computer security arts.
In response to argument B: The Examiner respectfully disagrees. In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  
In this case, the motivation of incorporating Dahan with Kostyushko was to provide a safe computing environment in Kostyushko (e.g. a honeypot) to monitor API calls from ransomware programs without affecting legitimate files/data. Applicant’s argument that the ultimate purpose of Kostyushko is to decrypt a plurality of files accessed by ransomware is not persuasive. The decryption is a post-solution activity that is meant to recover any data encrypted by ransomware. The claims do not recite anything directed to decryption, nor is that particular aspect of Kostyushko used in the rejection. Furthermore, one cannot ignore the rest of Kostyushko, such as the monitoring features to detect and/or stop ransomware (see ¶0036-0038). Such features directed to stopping and stopping (i.e. the decryption using the recovered key), are similar to the general objectives of Dahan in ¶0005 (“…an anti-ransomware application that detects, stops, and removes ransomware….”).
Furthermore, the test for obviousness is not whether the features of a secondary reference may be bodily incorporated into the structure of the primary reference; nor is it that the claimed invention must be expressly suggested in any one or all of the references. Rather, the test is what the combined teachings of the references would have suggested to those of ordinary skill in the art.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981).

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted 9/09/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6 are rejected under 35 U.S.C. 103 as being unpatentable over US 2019/0018961 to Kostyushko et al. (hereinafter, “Kostyushko”) in view of US 2018/0293379 to Dahan (hereinafter, “Dahan”). 
As per claim 1: Kostyushko discloses: A computer implemented method for determining a plurality of data sources providing seed parameters for generation of an encryption key by a ransomware algorithm (a system and method for protecting file data from malicious programs, such as ransomware; for example, techniques are described for intercepting requests to random number generator libraries or requests to retrieve system information for seeds to pseudorandom data [Kostyushko, ¶0007]), the method comprising: system to identify a set of API calls for retrieving data about one or more hardware components of the target computer system, the data about the one or more hardware components being determined to constitute the seed parameters (a system monitoring agent 104 is configured to collect any requests for random or pseudorandom numbers from the system 100, such as requests for hardware identifiers to be used in generating encryption keys [Kostyushko, ¶0036-0038]; “In some aspects, the system monitoring agent 104 may detect a user process 102 invoking system calls or application programming interface (API) calls to library functions that provide random or pseudorandom data from the operating system 105.” [Kostyushko, ¶0037]).
Kostyushko does not disclose: “exposing a target computer system to the ransomware algorithm”. However, Dahan is directed to analogous art of an anti-ransomware application or component that detects, stops, and removes ransomware from a computing system [Dahan, ¶0005]. Dahan discloses: exposing a target computer system to the ransomware algorithm (a honeypot deployment module 208 implements honeypot drives and/or files to bait access by a process, such as ransomware programs [Dahan, ¶0072]).
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to implement honeypot files in the system of Kostyushko, such as suggested in Dahan, to bait (e.g. “exposing”) ransomware programs, thereby further improving the security of the system when monitoring for ransomware programs. Honeypots contain fake data that appear important and would have enabled the system to detect, deflect, or counteract attempts to gain unauthorized access by an attack without putting real files at risk [Dahan, ¶0072].

As per claim 2: Kostyushko in view of Dahan disclose all limitations of claim 1. Furthermore, Kostyushko discloses: wherein each of the one or more hardware components includes one or more of: a central processing unit; a memory; a storage device; a peripheral device; a basic input/output subsystem; an output device; an input device; or a network device of the target computer system (requesting hardware identifiers of devices in the computer hardware 106, such as a serial number of a hard disk drive, network interface card, PCI interface or device, USB interface or device [Kostyushko, ¶0038]).

As per claim 3: Kostyushko in view of Dahan disclose all limitations of claim 1. Furthermore, Kostyushko discloses: wherein the data about the one or more hardware components includes one or more of: a reference number; an identifier; a version; a date; a time; an address; a serial number; or unique information about the hardware component (“For example, the system monitoring agent 104 may detect and save when a user process 102 requests (113) for hardware identifiers of devices in the computer hardware 106, such as a serial number of a hard disk drive, network interface card, and PCI interface or device, USB interface or device. In other examples, the system monitoring agent 104 may detect when a user process 102 requests file metadata of one or more files stored in the system, such metadata file creation times (e.g., timestamp), file names, and data from the file header. In some aspects, the system monitoring agent 104 may be configured to intercept requests by a user process 102 to retrieve metadata related to one or more processes or threads executing in the system, metadata such as process identifiers (PID) or thread identifiers (tid).” [Kostyushko, ¶0038]).

As per claim 4: Kostyushko in view of Dahan disclose all limitations of claim 1. Furthermore, Kostyushko discloses: wherein the monitoring includes using a process monitor to determine operating system API calls are made (“…the system monitoring agent 104 may detect a user process 102 invoking system calls or application programming interface (API) calls to library functions that provide random or pseudorandom data from the operating system 105” [Kostyushko, ¶0037]).

As per claim 5: Claim 5 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 5 is directed to a computer system for performing steps corresponding to the method of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 5.

As per claim 6: Claim 6 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 6 is directed to a non-transitory computer-readable storage medium with code for performing steps corresponding to the method of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 5.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2019/0026460: The concept of a honeypot is to intentionally expose targets to attacks for the purpose of security monitoring and keeping malicious attackers distracted. See ¶0014.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/ROBERT B LEUNG/ Primary Examiner, Art Unit 2494
11-28-2022