DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed have been fully considered but they are not persuasive.
The Applicant argues that “Gupta does not disclose the “Disk Map” employed in the filing system in Figure 1.”
In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., “Disk Map”) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.

It is argued:
“While Gupta generates a trap address in allocated by a process that executes the program, claim 1 requires specifying one or more saved file paths in a storage device to one or more trap files. Even assuming that that trap address range in Gupta is stored in a storage device, such addresses are associated with a running process that executes a program. There is no teaching or suggestion in Gupta for specifying one or more saved file paths in a storage device to one or more trap files such that a file access to a trap file indicates a probability of ransomware attack, as required by the claimed invention.”
The Examiner disagrees; as cited in the rejection below: “specifying one or more saved file paths in a storage device (logical addresses allocated to applications is saved, col. 5, lines 28-32) to one or more trap files (col. 5, lines 17-25 & 47-48), wherein a trap file is a file access to which indicates a probability of ransomware attack (col. 5, lines 40-48)”.  Gupta discloses mapping logical addresses allocated to applications (i.e. the claimed saved “file” paths) to a physical location where the data is stored in the storage device, see column 5, lines 28-32.  The teachings further disclose execution “paths” at which the application process is executing the application code (i.e. related to the file paths), see column 5, lines 17-25.  For the specifying of the saved file paths in the storage device to one or more trap files, see column 5, lines 17-25 and 47-48.  Gupta further discloses that the trap code is intended to allocate addresses or trap data that would not be accessed by the application program, and would likely be accessed by a malicious program seeking to access data to steal.  The trap code allocates a trap address range of addresses that map to invalid locations that would result in either a fault or alert, see column 5, lines 48-58.  The saved application files (i.e. claimed file paths) of Gupta are interpreted by the Examiner as residing at a storage location (i.e. mapped address) since a correct address path would have to result in retrieving the desired data file from a memory address location.  One of ordinary skill would recognize that file paths are linked to files, which would need to be accessed by going to the correct memory address location to retrieve them. The Examiner finds the Applicant’s arguments moot.

It is further argued:
“The preamble of claim 1 requires the computing device that employs a file system having a data structure used by an operating system of the computing device for accessing files based on file paths. The Action cites col. 5: lines 40-48 of Gupta, which described "the operating system 108 may further include a threat monitor program 122 to determine whether an application 126, executing in the computer system 100 or a remotely connected computer system over a network, issuing Input/ Output (I/O) requests comprises a potentially malicious program 126, such as malware, ransomware, virus, and other malicious code." However, nothing in the cited section refers to a file system having a data structure used by an operating system of the computing device for accessing files based on file paths.”
The Examiner disagrees. Gupta discloses mapping logical addresses allocated to applications (i.e. the claimed saved “file” paths) to a physical location where the data is stored in the storage device, see column 5, lines 28-32.  The teachings further disclose execution “paths” at which the application process is executing the application code (i.e. related to the file paths), see column 5, lines 17-25.  For the specifying of the saved file paths in the storage device to one or more trap files, see column 5, lines 17-25 and 47-48.  The saved application files (i.e. claimed file paths) of Gupta are interpreted by the Examiner as residing at a storage location (i.e. mapped address) since a correct address path would have to result in retrieving the desired data file from a memory address location.  One of ordinary skill would recognize that file paths are linked to files, which would need to be accessed by going to the correct memory address location to retrieve them. The Examiner finds the Applicant’s arguments moot.

The Applicant additionally argues:
“Moreover, the Action is silent about what is deemed to be a "file" in Gupta. In the cited, the only entity that qualifies as a file is the "application 126", which is "a potentially malicious program," but not a file that, as claimed, is being protected against such malicious program.”
The Examiner respectfully disagrees. Gupta discloses mapping logical addresses allocated to applications (i.e. the claimed saved “file” paths) to a physical location where the data is stored in the storage device, see column 5, lines 28-32.  The teachings further disclose execution “paths” at which the application process is executing the application code (i.e. related to the file paths), see column 5, lines 17-25.  "The identical invention must be shown in as complete detail as is contained in the ... claim." Richardson v. Suzuki Motor Co., 868 F.2d 1226, 1236, 9 USPQ2d 1913, 1920 (Fed. Cir. 1989). The elements must be arranged as required by the claim, but this is not an ipsissimis verbis test, i.e., identity of terminology is not required. In re Bond, 910 F.2d 831, 15 USPQ2d 1566 (Fed. Cir. 1990).  See MPEP 2131.  The rejection is hereby maintained by the Examiner.

It is further argued:
“Indeed, there is no reference in Gupta regarding "file paths." Instead, Gupta describes a processor that speculatively executes application code ahead of the application process in the execution path to make parameters and data available to the application process when it eventually reaches the point in the program at which the speculative execution of the application code occurred. (Emphasis added) (See Gupta at 4:15-20) FIG. 2 of Gupta illustrates an embodiment of operations to inject trap code into an execution path of a process executing application code to allocate a trap address range. (See Gupta at 3:59-61). According to Gupta, if the speculative execution reaches a conditional branch of different paths of execution depending on a condition, such as a value of a previously determined parameter, then the processor speculative execution will process the application code in all the conditional branches to pre-calculate parameters and values to be available regardless of which path of the conditional branches the application process will traverse. (Gupta 4:20-27) It is respectfully submitted that execution path of a process has no relevance to the claimed requirement for "accessing files based on file paths."”
The Examiner has addressed similar arguments above, and the Applicant’s arguments are not persuasive.

On page 9 of the remarks, it is argued:
With respect to claimed limitation (a), requiring specifying one or more saved file paths in a storage device to one or more trap files, wherein a trap file is a file access to which indicates a probability of ransomware attack, the Action relying on Gupta at 5:28-32, cites "logical addresses allocated" to applications in which states "[t]he operating system 108 maintains an address table 118, also known as a hardware page table (HPT), providing a mapping of logical addresses allocated to applications 114 to a physical location of where the data is stored in a local cache 120 in the memory 104 or in the storage device 106." However, it is well known that a page table as described in Gupta is the data structure used by a virtual memory system in a computer operating system to store the mapping between virtual addresses and physical addresses. Virtual addresses are used by the program executed by the accessing process, while physical addresses are used by the hardware, or more specifically, by the random-access memory (RAM) subsystem. The page table is a key component of virtual address translation that is necessary to access data in memory. Therefore, Gupta describes code execution paths in memory to allocated addresses, and not file paths for files stored in the storage device (106).  As best understood, the Action equates the claimed requirement for a file system having a data structure used by an operating system of the computing device for accessing files based on file paths with Gupta's "an address table 118" which provides a "mapping of logical addresses allocated to applications 114, where allocated logical addresses to applications 114 are deemed to be file paths for accessing files. Once again, the Action has not identified the entity deemed to be the claimed "one or more trap files, wherein a trap file is a file access to which indicates a probability of ransomware attack." Instead, Gupta allocates memory addresses that indicate a malicious activity when accessed. For this reason, it is respectfully submitted that Gupta fails to disclose specifying one or more saved file paths in a storage device to one or more trap files, wherein a trap file is a file access to which indicates a probability of ransomware attack. For this reason alone, Gupta fails to disclose monitoring access to the one or more trap files to detect the probability of ransomware attack. Because Gupta discloses detecting access to an address range, it fails to disclose detecting access to a trap file before performing a remedial action against the probability of ransomware attack.
The Examiner respectfully disagrees. As previously addressed above, Gupta teaches mapping logical addresses allocated to applications (i.e. the claimed saved “file” paths) to a physical location where the data is stored in the storage device, see column 5, lines 28-32.  The teachings further disclose execution “paths” at which the application process is executing the application code (i.e. related to the file paths), see column 5, lines 17-25.  For the specifying of the saved file paths in the storage device to one or more trap files, see column 5, lines 17-25 and 47-48.  The saved application files (i.e. claimed file paths) of Gupta are interpreted by the Examiner as residing at a storage location (i.e. mapped address) since a correct address path would have to result in retrieving the desired data file from a memory address location.  One of ordinary skill would recognize that file paths are linked to files, which would need to be accessed by going to the correct memory address location to retrieve them. The Examiner finds the Applicant’s arguments moot.

It is argued:
“With respect to claims 2-9, the Action interprets instruction branches as the claimed tree structures. According to Gupta "the processor 102 executes (at block 208) the processed command and continues processing the application code 112, such as speculatively processing code in all conditional branches. (Gupta at 6:54-57) It is respectfully submitted that conditional branches dictated by processed commands cannot be equaled with branches specified for file structures. For example, according to Gupta, the processor 102 processes (at block 602) conditional branches in the application code 112, where a condition or parameter value set during previously executed application code 112 determines which branch in the code to take. (Gupta at 8:21-26) In other words, the branching in Gupta is based on a "parameter value set." It is well known that filing structure used in an operating system does not rely on any parameter value set for branching.”
The Examiner disagrees; the data structure of the file system is a tree structure that is interpreted as branch instructions, column 8, lines 17-29.  "The identical invention must be shown in as complete detail as is contained in the ... claim." Richardson v. Suzuki Motor Co., 868 F.2d 1226, 1236, 9 USPQ2d 1913, 1920 (Fed. Cir. 1989). The elements must be arranged as required by the claim, but this is not an ipsissimis verbis test, i.e., identity of terminology is not required. In re Bond, 910 F.2d 831, 15 USPQ2d 1566 (Fed. Cir. 1990).  See MPEP 2131.  The claim language fails to specifically distinguish from the teachings of Gupta and is given the broadest reasonable interpretation. The rejection is hereby maintained by the Examiner.

In summary, the Applicant provides various and numerous arguments about what the teachings of Gupta are, and asserts that this is not what is actually claimed.  It appears that the Applicant has a different interpretation of the claim language in view of the originally filed specification, and under the broadest reasonable interpretation, the Examiner maintains the current grounds of the rejection since the claim language fails to distinguish from the prior art teachings of Gupta.  Gupta has been shown to disclose specifying one or more saved file paths in a storage device to one or more trap files such that a file access to a trap file indicates a probability of ransomware attack, as is addressed by the Examiner above.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-18 and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Gupta et al, U.S. Patent 10,810,304.

As per claim 1, it is taught of a method for protecting a computing device of a target system against ransomware attacks, wherein the computing device employs a file system having a data structure used by an operating system of the computing device for accessing files based on file paths (col. 5, lines 40-48), the method comprising the steps of:
a. installing an agent in the computing device, wherein the agent is a software or a hardware that performs one or more actions autonomously on behalf of the target system, including specifying one or more saved file paths in a storage device (logical addresses allocated to applications is saved, col. 5, lines 28-32) to one or more trap files (col. 5, lines 17-25 & 47-48), wherein a trap file is a file access to which indicates a probability of ransomware attack (col. 5, lines 40-48);
b. monitoring access to the one or more trap files to detect the probability of ransomware attack (col. 5, line 49 through col. 6, line 1);
c. upon detecting access to a trap file, performing a remedial action against the probability of ransomware attack (col. 4, lines 59-67 and col. 5, lines 63-67).
As per claim 2, it is disclosed wherein the data structure of the file system is a tree structure (branch instructions interpreted as the claimed tree structure)(col. 8, lines 17-29).
As per claim 3, it is taught wherein a file path for a trap file is specified at the highest point of the tree structure (branch instructions interpreted as the claimed tree structure)(col. 8, lines 17-29).
As per claim 4, it is disclosed wherein the one or more file paths to the trap files are specified using a search tree algorithm (all branches are available, col. 8, lines 45-52).
As per claim 5, it is taught wherein the search tree algorithm comprises binary search tree algorithm (address ranges in traversed branches, col. 4, lines 31-35 and col. 8, lines 45-62).
As per claim 6, it is disclosed wherein the search tree algorithm comprises a tree traversal algorithm (address ranges in traversed branches, col. 4, lines 31-35 and col. 8, lines 45-62).
As per claim 7, it is taught wherein the tree traversal algorithm is one of depth-first traversal, breadth-first traversal, Monte Carlo tree search, or random sampling algorithms (address ranges in traversed branches, col. 4, lines 31-35 and col. 8, lines 45-62).
As per claim 8, it is disclosed wherein the depth-first traversal algorithm is one of Pre-Order, In-Order, Reverse In-Order, or Post-order algorithm (address ranges in traversed branches, col. 4, lines 31-35 and col. 8, lines 45-62).
As per claim 9, it is taught wherein trap file attributes including name are set such that the trap files are encountered first during tree traversal operations (col. 4, lines 31-35 and col. 8, lines 45-62).
As per claim 10, it is disclosed wherein the remedial action includes notifying a user of the target system (col. 7, lines 5-16).
As per claim 11, it is taught wherein the remedial action includes automatically uploading a trap file for analysis or decryption (col. 1, lines 37-30; col. 4, lines 59-67; and col. 5, lines 63-67).  
As per claim 12, it is disclosed wherein the remedial action includes identifying a process that accesses the one or more trap files (col. 4, lines 59-67 and col. 5, lines 63-67).
As per claim 13, it is taught wherein the identified processes is either isolated, killed or suspended (col. 4, lines 59-67 and col. 5, lines 63-67).
As per claim 14, it is disclosed wherein the remedial action includes performing memory analytics to extract a cryptovariable (col. 1, lines 27-30 and col. 5, line 63 through col. 6, line 4).
As per claim 15, it is taught wherein the probability of ransomware attack is determined, based on one or more of access rate, permission level, file content or attribute changes, cryptographic activity, or source process to the one or more file traps (col. 1, lines 27-30 and col. 5, line 63 through col. 6, line 4).
As per claim 16, it is disclosed wherein the system is monitored for cryptovariable activity (col. 1, lines 27-30 and col. 5, line 63 through col. 6, line 4).
As per claim 17, it is taught wherein potential cryptovariables are captured and stored (col. 1, lines 27-30 and col. 5, line 63 through col. 6, line 4).
As per claim 18, it is disclosed wherein a process is monitored such as to allow in-progress file encryption to be completed, without allowing new files to be opened (observes operations in a honeypot to monitor operations to observe how they operate)(col. 5, line 63 through col. 6, line 4 and col. 6, line 63 through col. 7, line 16).
As per claim 20, it is taught wherein only those clients who directly accessing trap files on shared resource are alerted (col. 7, lines 5-16).

Allowable Subject Matter
Claim 19 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Baskerville et al, US 2008/0133531 is relied upon for disclosing of sending a query with obfuscated data along a randomized path, see paragraph 0011.  Conrad et al, U.S. Patent 8,769,685 is relied upon for disclosing of a randomly generated file path being potentially malicious, see column 1, lines 41-47.
The prior art fails to disclose a file path comprising pseudorandom file paths and contents of trap files including steganographic material when used in combination with the remaining features of independent claim 1.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431