DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication filed on 11/25/2020.
Status of claims in the instant application:
Claims 1-20 are pending.
Election/Restrictions
No claim restrictions warranted at the applicant’s initial time of filing for patent.
Priority
This application claims benefit of 62/940,266 filed on 11/26/2019.
Information Disclosure Statement
Information Disclosure Statements (IDS) filed on 11/29/2020 and 06/21/2022 have been considered, and signed copies of the IDS forms have been attached to this office action.
Drawings
Drawings filed on 11/25/2020 have been inspected, and they are in compliance with MPEP 608.02.
Specification
Specification filed on 11/25/2020 has been inspected, and it is in compliance with MPEP 608.01.
Claim Objections
No claim objection warranted at the applicant’s initial time of filing for patent.
Claim Interpretation
No claim interpretation is warranted under 35 U.S.C. 112(f).
Claim Rejections - 35 USC § 112
No claim rejection is warranted under 35 U.S.C. 112.
Claim Rejections - 35 USC § 101
No claim rejection is warranted under 35 U.S.C. 101.
Claims of the instant application fall under at least one of “process, machine, manufacture, or composition of matter, or any new and useful improvement thereof”, and none of the claims recite an abstract idea per the “2019 Revised Patent Eligibility Guidance”.
Double Patenting
No double patenting claim rejection is warranted at this time of prosecution.
Claim Rejections - 35 USC § 102
No claim rejection is warranted under 35 U.S.C. 102.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 8-13, 15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20210216627 A1 to Grunwald et al. (hereinafter “Grunwald”; with priority date of 11/22/2019) in view of Pub. No.: US 20210099474 A1 to Huang et al. (hereinafter “Huang”).
Regarding Claim 1. Grunwald discloses a method of determining file-access patterns in at least one computer network (Grunwald, Abstract, Para [0197]: … An exemplary method includes a monitoring system detecting that a storage system receives a request to perform an operation that affects a capacity of a storage structure within the storage system, identifying an attribute of at least one of the request and the storage system … the method of any of the preceding statements, wherein: the identifying of the attribute comprises detecting an abnormal pattern of interaction with the storage system during a time period …), the network comprising a file-access server (Grunwald, Para [0059]: … In one embodiment, two storage controllers (e.g., 125a and 125b) provide storage services, such as a SCSI block storage array, a file server, an object server, a database or data analytics service, etc. …), the method comprising:
training, by a processor in communication with the computer network, a first machine learning (ML) algorithm with a first training dataset [comprising vectors] representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic (Grunwald, Para [0154-0157, 0191-0192]: … As described above, the storage systems described herein may be configured to support artificial intelligence applications, machine learning applications, big data analytics applications, and many other types of applications. The rapid growth in these sort of applications is being driven by three technologies: deep learning (DL), GPU processors, and Big Data. Deep learning is a computing model that makes use of massively parallel neural networks inspired by the human brain. Instead of experts handcrafting software, a deep learning model writes its own software by learning from lots of examples … Data is the heart of modern AI and deep learning algorithms. Before training can begin, one problem that must be addressed revolves around collecting the labeled data that is crucial for training an accurate AI model. A full scale AI deployment may be required to continuously collect, clean, transform, label, and store large amounts of data. Adding additional high quality data points directly translates to more accurate models and better insights … The storage systems described above may serve as an ideal AI data hub as the systems may service unstructured workloads. In the first stage, data is ideally ingested and stored on to the same data hub that following stages will use, in order to avoid excess data copying. The next two steps can be done on a standard compute server that optionally includes a GPU, and then in the fourth and last stage, full training production jobs are run on powerful GPU-accelerated servers. Often, there is a production pipeline alongside an experimental pipeline operating on the same dataset. 
Further, the GPU-accelerated servers can be used independently for different models or joined together to train on one larger model, even spanning multiple systems for distributed training … A method comprising: detecting, by a monitoring system, that a storage system receives an request to perform an operation that affects a capacity of a storage structure within the storage system … The method of statement 1, wherein: the identifying of the attribute comprises determining that the request is included in a plurality of requests of a similar type received by the storage system during a time period; and the determining that the request is indicative of the malicious action comprises determining that the plurality of requests exceeds a threshold …);
using the first ML algorithm, determining, by the processor, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network (Grunwald, Para [0191-0192]: … The method of statement 1, wherein: the identifying of the attribute comprises determining that the request is included in a plurality of requests of a similar type received by the storage system during a time period; and the determining that the request is indicative of the malicious action comprises determining that the plurality of requests exceeds a threshold …; Examiner’s note: determination of the number of requests exceeding the threshold discloses the highest interaction); and
determining, by the processor, file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic (Grunwald, Abstract, Para [0197]: … An exemplary method includes a monitoring system detecting that a storage system receives a request to perform an operation that affects a capacity of a storage structure within the storage system, identifying an attribute of at least one of the request and the storage system … the method of any of the preceding statements, wherein: the identifying of the attribute comprises detecting an abnormal pattern of interaction with the storage system during a time period …).
However, Grunwald does not explicitly teach, but Huang, from the same or a similar field of endeavor, teaches:
“training dataset comprising vectors representing network traffic (Huang, Para[0048-0052], FIG. 1-2: … During an example training operation, the preliminary encoder network manager 104 is configured to obtain the input sample 102. For example, during training the input sample 102 may be obtained from an opensource dataset (e.g., Ember dataset, etc.) and, as such, represented as a one-dimensional vector. In such a manner, the input sample 102 may be identified as a N×D matrix, in which N corresponds to the number of samples and D corresponds to the sample dimension. Therefore, during training operation the input sample 102 is a N×D matrix such that the minimum of every feature value across all samples is 0 and the maximum is 1.)”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Huang into the teachings of Grunwald because it discloses that “Examples disclosed herein include optimizing an example overall (e.g., total) loss as weighted sum of three example losses. The three example losses may include an example adversarial loss, an example contextual loss, and an example encoder loss. The adversarial loss corresponds to a first distance (e.g., a L2-norm distance) between the feature representation of the original input sample (e.g., the first encoded sample) and the reconstructed sample. Such an example loss may be minimized to generate realistic samples. The contextual loss corresponds to a second distance (e.g., a L1-norm distance) between the original input sample and the reconstructed sample. Such an example loss ensures generated samples are contextually sound, rational, and/or accurate (Huang, Para [0027])”.
Regarding Claim 2. The combination of Grunwald-Huang discloses the method of claim 1, Huang further discloses, “further comprising:
training, by the processor, a second ML algorithm with a second training dataset comprising vectors representing network traffic such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on the network characteristics learned by the first ML algorithm (Huang, Para [0027-0028]: …  Examples disclosed herein include training the first, second and/or third networks. As such, examples disclosed herein include utilizing save (e.g., benign) input samples to train the first, second, and/or third networks. Examples disclosed herein include optimizing an example overall (e.g., total) loss as weighted sum of three example losses … during operation, the example encoder loss may identify a score corresponding to the abnormity of a given input sample. If the score of the input sample is larger than a certain threshold, examples disclosed herein include classifying the input sample a malicious and/or an anomaly. Such an event may occur when there exists a dissimilarity within latent feature space for an input sample. Such a dissimilarity may exist for malicious input samples because the first, second, and third networks are trained using safe (e.g., benign) input samples …); and
determining, by the processor, a normalized difference between a new input vector representing sampled network traffic and the vectors in the second training dataset, wherein the anomaly is identified when a normalized difference that is larger than difference between the new input vector and the vectors in the second training dataset is determined (Huang, Para [0028, 0034-0035, 0043]: … during operation, the example encoder loss may identify a score corresponding to the abnormity of a given input sample. If the score of the input sample is larger than a certain threshold, examples disclosed herein include classifying the input sample a malicious and/or an anomaly… The secondary encoder network manager 108 is configured to determine whether the reconstructed sample 107 is received and/or otherwise available. In the event the secondary encoder network manager 108 determines the reconstructed sample 107 is received and/or otherwise available, the secondary encoder network manager 108 performs a second encoding operation on the reconstructed sample 107 to generate an example second encoded sample 109. Such a resulting second encoded sample 109 is a signal embedded representation of the reconstructed sample 107. In this manner, any noise existing in the reconstructed sample 107 may be amplified in the second encoded sample 109 … the secondary encoder network manager 108 is configured to identify an example first loss function 111 and an example second loss function 113. In examples disclosed herein, the first loss function 111 is an example encoder loss and corresponds to a difference (e.g., a distance) between the second encoded sample 109 and the first encoded sample 105 … in some examples disclosed herein, the optimization processor 112 may parse the first loss function 111 (e.g., the example encoder loss) to identify the overall loss function (e.g., a score corresponding to the abnormity of a given input sample). 
In such an example, if the overall loss function is larger than a loss threshold, examples disclosed herein include the optimization processor 112 to classify the input sample 102 a malicious and/or an anomaly … the input sample 102 may be normalized and/or otherwise transformed using an example transformation pre-processing method …).”
The motivation to further combine Huang remains the same as in claim 1.
Regarding Claim 3. The combination of Grunwald-Huang discloses the method of claim 2, Huang further discloses, “wherein the second ML algorithm comprises at least one of: an auto-encoder deep-learning network architecture and a generative adversarial network (GAN) architecture (Huang, Para [0019]: … Examples disclosed herein include methods and apparatus to perform malware detection using a generative adversarial network (GAN) and an autoencoder network model. Examples disclosed herein include utilizing a GAN in an unsupervised manner to perform malware detection. Examples disclosed herein include a ML and/or AI model utilizing autoencoders and GANs. More specifically, examples disclosed herein utilize a ML and/or AI model including a plurality of neural networks such as a first and second encoder network, a generator network, and a discriminator network. In some examples disclosed herein, the first and second encoder networks may be operable as a single encoder network …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further combine the teachings of Huang because it discloses that “As mentioned above, approaches utilizing a supervised or an unsupervised ML and/or AI model cannot efficiently detect malware. For example, an approach utilizing a supervised or an unsupervised ML and/or AI model to detect malware may be trained to detect malware that performs a specific function. If such a specific function is altered over time, the trained supervised or unsupervised ML and/or AI models may not reliably detect such a concept drift  … Examples disclosed herein utilize a GAN to generate deepfakes of malware to predict zero-day malware, concept drift malware, etc. Accordingly, examples disclosed herein can be used to detect whether an input sample is malicious regardless of whether the input sample includes zero-day malware, concept drift malware, etc. (Huang, Para [0018-0021]).”
Regarding Claim 4. The combination of Grunwald-Huang discloses the method of claim 2, Huang further discloses, “wherein the second ML algorithm is trained for input reconstruction, and wherein the second ML algorithm outputs a larger normalized loss for anomaly input in file-access traffic than for file-access traffic without anomalies (Huang, Para [0028, 0075-0076], FIG. 2-5: … during operation, the example encoder loss may identify a score corresponding to the abnormity of a given input sample. If the score of the input sample is larger than a certain threshold, examples disclosed herein include classifying the input sample a malicious and/or an anomaly. Such an event may occur when there exists a dissimilarity within latent feature space for an input sample. Such a dissimilarity may exist for malicious input samples because the first, second, and third networks are trained using safe (e.g., benign) input samples… FIG. 5 is a flowchart representative of a process that may be executed to implement the secondary encoder network manager 108 of FIG. 1 to identify the first loss function 111 and the second loss function 113 of FIG. 1. In the example of FIG. 5, the secondary encoder network manager 108 obtains the reconstructed sample 107. (Block 502). In addition, the secondary encoder network manager 108 performs a second encoding operation on the reconstructed sample 107 to generate an example second encoded sample 109. (Block 504) …  the secondary encoder network manager 108 identifies the example first loss function 111 of FIG. 1. (Block 506). For example, the secondary encoder network manager 108 may utilize Equation 1 to identify the first loss function 111. In addition, the secondary encoder network manager 108 identifies the example second loss function 113. (Block 508). For example, the secondary encoder network manager 108 may utilize Equation 2 to identify the second loss function 113. …).”
The motivation to further combine Huang remains the same as in claim 2.
Regarding Claim 6. The combination of Grunwald-Huang discloses the method of claim 2, Huang further discloses, “further comprising normalizing, by the processor, a loss determined by the second ML algorithm based on the output of the first ML algorithm for the new input vector, wherein the output of the first ML algorithm is different from the output of the second ML algorithm for the second training dataset, and wherein the second ML algorithm is configured to allow a model trained in one installation to serve as a base model in another installation by normalizing the loss vectors of each installation (Huang, Para [0007, 0035-0038, 0042, 0046]; FIG. 1, 4-5: … FIG. 5 is a flowchart representative of a process that may be executed to implement the secondary encoder network of FIG. 1 to identify the first loss function and the second loss function of FIG. 1 … the secondary encoder network manager 108 is configured to identify an example first loss function 111 and an example second loss function 113 … In Equation 2, the variable L.sub.2 corresponds to the second loss function 113 (e.g., the contextual loss function), the variable x corresponds to the input sample 102, and the variable {circumflex over (x)} corresponds to the reconstructed sample 107. The second loss function 113 (e.g., the contextual loss function) corresponds to a distance (e.g., a L1-norm distance) between the original input sample (e.g., the input sample 102) and the reconstructed sample (e.g., the reconstructed sample 107 … the optimization processor 112 parses the obtained loss functions (e.g., the first, second, and third loss functions 111, 113, 117) to identify an overall loss function. In examples disclosed herein, the optimization processor 112 may identify the overall loss function as a weighted sum of the first, second, and third loss functions 111, 113, 117 …).”
The motivation to further combine Huang remains the same as in claim 2.
Regarding Claim 8. The combination of Grunwald-Huang discloses the method of claim 1, Grunwald further discloses, “wherein the sampled network traffic is sampled on a network attached storage (NAS) (Grunwald, Para [0007, 0070, 0106]: … FIG. 2A is a perspective view of a storage cluster with multiple storage nodes and internal storage coupled to each storage node to provide network attached storage, in accordance with some embodiments. … a cloud storage gateway may operate as a bridge between local applications that are executing on the storage array 306 and remote, cloud-based storage that is utilized by the storage array 306. Through the use of a cloud storage gateway, organizations may move primary iSCSI or NAS to the cloud services provider 302, thereby enabling the organization to save space on their on-premises storage systems …).”
Regarding Claim 9. The combination of Grunwald-Huang discloses the method of claim 1, Huang further discloses, “wherein the sampled network traffic comprises vectors each representing a different time interval (Huang, Para [0057-0058]:  … in the illustrated example of FIG. 2, the discriminator vector set 212 illustrates example compression steps taken by the discriminator network manager 110 of FIG. 1. As such, the discriminator vector set 212 illustrates the compression, encoding, downscaling, and/or otherwise down sampling process to generate an example third encoded vector 207 (e.g., the third encoded sample 115 of FIG. 1) … While an example manner of implementing the malware detection system 100 of FIG. 1 is illustrated in FIGS. 1 and/or 2, one or more of the elements, processes and/or devices illustrated in FIG. 1 may be combined, divided, re-arranged, omitted, eliminated and/or implemented in any other way … As used herein, the phrase “in communication,” including variations thereof, encompasses direct communication and/or indirect communication through one or more intermediary components, and does not require direct physical (e.g., wired) communication and/or constant communication, but rather additionally includes selective communication at periodic intervals, scheduled intervals, aperiodic intervals, and/or one-time events …).”
The motivation to further combine Huang remains the same as in claim 1.
Regarding Claim 10. This is a device claim that recites all the same or similar limitations as claim 1, and hence similarly rejected as claim 1.
Note: Grunwald also discloses memory (Para [0017, 0184], FIG. 3D: … storage device 356 …).
Regarding Claim 11. This is a device claim that recites all the same or similar limitations as claim 2, and hence similarly rejected as claim 2.
Regarding Claim 12. This is a device claim that recites all the same or similar limitations as claim 3, and hence similarly rejected as claim 3.
Regarding Claim 13. This is a device claim that recites all the same or similar limitations as claim 4, and hence similarly rejected as claim 4.
Regarding Claim 15. This is a device claim that recites all the same or similar limitations as claim 6, and hence similarly rejected as claim 6.
Regarding Claim 17. This is a device claim that recites all the same or similar limitations as claim 8, and hence similarly rejected as claim 8.
Regarding Claim 18. This is a device claim that recites all the same or similar limitations as claim 9, and hence similarly rejected as claim 9.
Regarding Claim 19. Grunwald discloses a method of identifying an anomaly in at least one computer network comprising a file-access server (Grunwald, Abstract, Para [0197, 0059]: … An exemplary method includes a monitoring system detecting that a storage system receives a request to perform an operation that affects a capacity of a storage structure within the storage system, identifying an attribute of at least one of the request and the storage system … the method of any of the preceding statements, wherein: the identifying of the attribute comprises detecting an abnormal pattern of interaction with the storage system during a time period … In one embodiment, two storage controllers (e.g., 125a and 125b) provide storage services, such as a SCSI block storage array, a file server, an object server, a database or data analytics service, etc. …), the method comprising:
applying, by a processor in communication with the computer network, a first machine learning (ML) algorithm trained to learn to determine network characteristics associated with sampled file-access traffic (Grunwald, Para [0154-0157, 0191-0192]: … As described above, the storage systems described herein may be configured to support artificial intelligence applications, machine learning applications, big data analytics applications, and many other types of applications. The rapid growth in these sort of applications is being driven by three technologies: deep learning (DL), GPU processors, and Big Data. Deep learning is a computing model that makes use of massively parallel neural networks inspired by the human brain. Instead of experts handcrafting software, a deep learning model writes its own software by learning from lots of examples … Data is the heart of modern AI and deep learning algorithms. Before training can begin, one problem that must be addressed revolves around collecting the labeled data that is crucial for training an accurate AI model. A full scale AI deployment may be required to continuously collect, clean, transform, label, and store large amounts of data. Adding additional high quality data points directly translates to more accurate models and better insights … The storage systems described above may serve as an ideal AI data hub as the systems may service unstructured workloads. In the first stage, data is ideally ingested and stored on to the same data hub that following stages will use, in order to avoid excess data copying. The next two steps can be done on a standard compute server that optionally includes a GPU, and then in the fourth and last stage, full training production jobs are run on powerful GPU-accelerated servers. Often, there is a production pipeline alongside an experimental pipeline operating on the same dataset. 
Further, the GPU-accelerated servers can be used independently for different models or joined together to train on one larger model, even spanning multiple systems for distributed training … A method comprising: detecting, by a monitoring system, that a storage system receives an request to perform an operation that affects a capacity of a storage structure within the storage system … The method of statement 1, wherein: the identifying of the attribute comprises determining that the request is included in a plurality of requests of a similar type received by the storage system during a time period; and the determining that the request is indicative of the malicious action comprises determining that the plurality of requests exceeds a threshold …), wherein the network characteristics associated with file-access traffic are determined based on highest interaction with the file-access server  (Grunwald, Para [0191-0192]: …The method of statement 1, wherein: the identifying of the attribute comprises determining that the request is included in a plurality of requests of a similar type received by the storage system during a time period; and the determining that the request is indicative of the malicious action comprises determining that the plurality of requests exceeds a threshold …; Examiner’s note: determination of the number of requests exceeding threshold discloses the highest interaction ..); and
However, Grunwald does not explicitly teach, but Huang, from the same or a similar field of endeavor, teaches:
“applying, by the processor, a second ML algorithm trained to identify an anomaly in the sampled network traffic based on the determined network characteristics (Huang, Para [0027-0028]: …  Examples disclosed herein include training the first, second and/or third networks. As such, examples disclosed herein include utilizing save (e.g., benign) input samples to train the first, second, and/or third networks. Examples disclosed herein include optimizing an example overall (e.g., total) loss as weighted sum of three example losses … during operation, the example encoder loss may identify a score corresponding to the abnormity of a given input sample. If the score of the input sample is larger than a certain threshold, examples disclosed herein include classifying the input sample a malicious and/or an anomaly. Such an event may occur when there exists a dissimilarity within latent feature space for an input sample. Such a dissimilarity may exist for malicious input samples because the first, second, and third networks are trained using safe (e.g., benign) input samples …),
wherein the anomaly is identified, using the second ML algorithm, based on a calculated normalized difference between training datasets and new sampled network traffic, and wherein a large normalized difference corresponds to a file-access anomaly in the sampled network traffic (Huang, Para [0028, 0034-0035, 0043]: … during operation, the example encoder loss may identify a score corresponding to the abnormity of a given input sample. If the score of the input sample is larger than a certain threshold, examples disclosed herein include classifying the input sample a malicious and/or an anomaly… The secondary encoder network manager 108 is configured to determine whether the reconstructed sample 107 is received and/or otherwise available. In the event the secondary encoder network manager 108 determines the reconstructed sample 107 is received and/or otherwise available, the secondary encoder network manager 108 performs a second encoding operation on the reconstructed sample 107 to generate an example second encoded sample 109. Such a resulting second encoded sample 109 is a signal embedded representation of the reconstructed sample 107. In this manner, any noise existing in the reconstructed sample 107 may be amplified in the second encoded sample 109 … the secondary encoder network manager 108 is configured to identify an example first loss function 111 and an example second loss function 113. In examples disclosed herein, the first loss function 111 is an example encoder loss and corresponds to a difference (e.g., a distance) between the second encoded sample 109 and the first encoded sample 105 … in some examples disclosed herein, the optimization processor 112 may parse the first loss function 111 (e.g., the example encoder loss) to identify the overall loss function (e.g., a score corresponding to the abnormity of a given input sample). 
In such an example, if the overall loss function is larger than a loss threshold, examples disclosed herein include the optimization processor 112 to classify the input sample 102 a malicious and/or an anomaly … the input sample 102 may be normalized and/or otherwise transformed using an example transformation pre-processing method …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Huang into the teachings of Grunwald because it discloses that “Examples disclosed herein include optimizing an example overall (e.g., total) loss as weighted sum of three example losses. The three example losses may include an example adversarial loss, an example contextual loss, and an example encoder loss. The adversarial loss corresponds to a first distance (e.g., a L2-norm distance) between the feature representation of the original input sample (e.g., the first encoded sample) and the reconstructed sample. Such an example loss may be minimized to generate realistic samples. The contextual loss corresponds to a second distance (e.g., a L1-norm distance) between the original input sample and the reconstructed sample. Such an example loss ensures generated samples are contextually sound, rational, and/or accurate (Huang, Para [0027])”.
Regarding Claim 20. The combination of Grunwald-Huang discloses the method of claim 19, Huang further discloses, “further comprising:
applying, by the processor, a third ML algorithm to detect at least one [ransom] attack property based on at least one communication [pattern] in the anomaly sampled network traffic (Huang; Para [0066, 0070]; FIG. 3, 6: …  FIG. 3 is a flowchart representative of a process that may be executed to implement the malware detection system 100 of FIG. 1 to train the system and/or determine whether the example input sample 102 is malicious. In the example of FIG. 3, the malware detection system 100 of FIG. 1 is configured to train the model during an example training phase. (Block 302). Detailed instructions to execute model training are illustrated and described in connection with FIG. 4 …  FIG. 6 is a flowchart representative of a process that may be executed to implement the discriminator network manager 110 of FIG. 1 to identify the third loss function 117 of FIG. 1. In the example illustrated in FIG. 6, the discriminator network manager 110 obtains the input sample 102. (Block 602). Similarly, the discriminator network manager 110 obtains the reconstructed sample 107. (Block 604). In response, the discriminator network manager 110 identifies the third loss function 117 (e.g., the adversarial loss function). (Block 606). For example, the third loss function 117 (e.g., the adversarial loss function) may be identified using Equation 3 …  In FIG. 3, the example optimization processor 112 of FIG. 1 determines whether the input sample 102 is malicious. (Block 316). Detailed execution of the control to determine whether the input sample 102 is malicious is explained and illustrated in FIG. 7 …),
The motivation to further combine Huang remains the same as in claim 19.
Grunwald further discloses:
“a communication pattern (Grunwald, Para[0197]: … The method of any of the preceding statements, wherein: the identifying of the attribute comprises detecting an abnormal pattern of interaction with the storage system during a time period; and the determining that the request is indicative of the malicious action comprises determining that the request is received by the storage system during the time period.);
wherein the at least one ransom attack property is determined based on largest interaction frequency with the file-access server (Grunwald, Para [0197, 0224, 0237-0239]: … Request 504 may originate from a source (e.g., a host in communication with storage system 502) and may be provided by an entity, such as a person or software application. Request 504 may include instructions for controller 508 to perform one or more operations that affect a capacity of one or more storage structures 506. Such operations include eradication of a storage structure 506, deletion of the storage structure 506, replacement of data in the storage structure 506 with less compressible or incompressible data (a common, or a host system that can issue requests to storage system 502, a ransomware attack on the storage structure 506, and/or any other operation that destroys, modifies, renders unusable, or otherwise affects the storage structure 506 and/or original data within the storage structure 506 …  In some examples, system 400 may identify the attribute by determining that request 504 is included in a plurality of requests of a similar type (e.g., all eradication requests, all write requests, etc.) received by storage system 502 during a time period. In these examples, system 400 may determine that request 504 is indicative of a malicious action by determining that the plurality of requests received by storage system 502 during the time period exceeds a threshold …  the threshold number of requests may be set to N, where N is an integer greater than zero. During a predetermined time period, system 400 may detect that storage system 502 receives N+1 requests, all of which are eradication requests. In response, system 400 may determine that at least the N+1th request is indicative of a malicious action (and, in some examples, that all of the N+1 requests received during the predetermined time period are indicative of malicious actions) …).
Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20210216627 A1 to Grunwald et al. (hereinafter “Grunwald”; with priority date of 11/22/2019) in view of Pub. No.: US 20210099474 A1 to Huang et al. (hereinafter “Huang”), as applied to claim 2 above, and further in view of Pub. No.: US 20190303573 A1 to Chelarescu et al. (hereinafter “Chelarescu”).
Regarding Claim 5. The combination of Grunwald-Huang discloses the method of claim 2, however it does not explicitly teach, but Chelarescu from the same or similar field of endeavor teaches, “further comprising applying an active learning mechanism to update at least one detection model based on a user feedback loop (Chelarescu, Para [0013]: … Example methods (e.g., algorithms) and systems (e.g., special-purpose machines) detect a ransomware-impacted storage account in a cloud storage system and improve the ransomware detection using feedback from users of the cloud storage system. The files stored in the storage account at the cloud storage system (also referred to as cloud storage server) are synced to a drive or folder at a corresponding client device registered with the cloud storage server. In another example embodiment, the files are stored only in the storage account in the cloud storage server (and not at the corresponding client device). The cloud storage system performs a series of tests on the files in the storage account to determine whether the storage account is compromised by ransomware activity. Examples of tests include computing a file churn based on changes to one or more files in the storage account within a predefined period of time, computing a number of files being encrypted within the predefined period of time, identifying a name extension and a naming pattern for the one or more files in the storage account, identifying a content type for the one or more files in the storage account, accessing results from anti-malware applications operating on the client device, and using machine learning based on user feedback to determine whether the files are impacted by ransomware. 
Once the cloud storage server determines that the storage account is compromised by ransomware, the cloud storage server notifies the corresponding client device and presents an option to the client device to remediate the ransomware attack by restoring the impacted files to a previous (non-impacted) version of the files prior to the ransomware attack …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chelarescu into the combined teachings of Grunwald-Huang because it discloses that “the storage system 106 detects whether the storage account of the client device 102 (or the client storage application 108) at the storage system 106 is impacted (also referred to as “infected”) by ransomware (or malware). The storage system 106 generates a notification to the client storage application 108 that the storage account has been impacted by ransomware and provides remediation options to the client device 102. In another example embodiment, the storage system 106 receives user feedback (e.g., validation/confirmation) from the client storage application 108 that provides additional reference data to a learning engine of the storage system 106 to increase its accuracy in detecting future ransomware activity at the storage system 106 and avoiding false positives (Chelarescu, Para [0022])”
Regarding Claim 14. This is a device claim that recites all the same or similar limitations as claim 5, and hence is similarly rejected as claim 5.
Allowable Subject Matter
Claims 7 and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Examiner further notes that should the Applicant amend claims 7 and 16 as noted for condition of allowability, method claim 19 also needs to include at least all the limitations of the amended independent method claim 1 (or 7) or be cancelled.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
Reasons for allowance will be furnished upon allowance.
Pertinent Prior Art
The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
	US 10248577 B2; Borlick et al.: Borlick discloses a computer program product, system, and method for detecting a security breach in a system managing access to a storage. Process Input/Output (I/O) activity by a process accessing data in a storage is monitored. A determination is made of a characteristic of the data subject to the I/O activity from the process. A determination is made as to whether a characteristic of the process I/O activity as compared to the characteristic of the data satisfies a condition. The process initiating the I/O activity is characterized as a suspicious process in response to determining that the condition is satisfied. A security breach is indicated in response to characterizing the process as the suspicious process. The present invention relates to a computer program product, system, and method for using a characteristic of a process I/O activity and data subject to the I/O activity to determine whether the process is a suspicious process.
	The considered characteristics of the process I/O activity and the data being accessed comprise characteristics that are empirically observed as typical of malicious code. For instance, malicious code, such as ransomware, may access a large amount of data at a faster than normal rate to encrypt as much data as possible, thus resulting in an I/O rate that exceeds a peak I/O rate for data in the system by a substantial amount. Further, malicious code, such as ransomware or other viruses, may attempt to access all data in the system, including data not accessed in a long time. If these characteristics of the I/O activity exceed the same characteristics with respect to the data being accessed, such as I/O rate, time of access, etc., by a threshold amount, then such detected conditions may indicate that the monitored process comprises a suspicious process potentially having malicious code.
	Described embodiments thus flag processes as being suspicious based on the behavior of the process as well as characteristics of the data, because the context of the data being accessed may determine whether the process is acting in a manner indicative of malicious code. For instance, a process having an apparent high I/O rate may not in fact indicate malicious code if the data being accessed has a high peak I/O rate. Described embodiments are advantageous over malware identification techniques that analyze the code, which are process intensive and require use of large virus definition files that need to be constantly updated.
	US 20190332769 A1; FRALICK et al.: FRALICK discloses a method for halting malware includes: monitoring plural file system events with a system driver to detect an occurrence of a file system event having a predetermined file type and log event type; triggering a listening engine for file system event stream data of a file associated with the detection of the file system event, the file system event stream data indicating data manipulation associated with the file due to execution of a process; obtaining one or more feature values for each of plural different feature combinations of plural features of the file based on the file system event stream data; inputting one or more feature values into a data analytics model to predict a target label value based on the one or more feature values of the plural different feature combinations and agnostic to the process; and performing a predetermined operation based on the target label value.
	US 20180007069 A1; Hunt et al.: Hunt discloses a cloud storage server-based approach allows detection of ransomware activity in cloud storage systems caused by ransomware infections on an endpoint device. A heuristic or rule-based technique is employed for recognizing sequences of file operations that may indicate ransomware activity. In some embodiments, users may be offered an opportunity to approve or disapprove of the possible ransomware activity. In others, cloud system file activity may be suspended or halted for the affected user upon recognition of possible ransomware actions. Enhanced recovery of files affected prior to recognition of the ransomware activity may be performed in some embodiments. Embodiments described herein generally relate to cloud file storage and in particular to techniques for protecting against ransomware for cloud file storage.
	US 20180212987 A1; TAMIR et al.: TAMIR discloses an anti-ransomware system protects data in cloud storage of a cloud services provider against a ransomware attack. A backup handler is configured to at least one of: selectively retrieve backup data generated by the cloud services provider from the cloud storage; and selectively generate backup data based on the data in the cloud storage and output the backup data to a storage device. A ransomware detector is configured to detect data changes to the data resulting from a ransomware attack. A ransomware remediator communicates with the ransomware detector and the backup handler and is configured to restore the data to a state prior to the ransomware attack based upon the backup data.
	In examples shown in FIG. 4C, the ransomware detector 210 includes a rules filter 550. The rules filter 550 includes one or more rules that are used to filter the data or event data and to identify ransomware based upon changes in frequency, timing, file types, user profiles, packet data such as source, destination, etc., file extensions, and/or information, etc. For example, the rules filter 550 may look for changes to honeypot data and/or changes to file extensions that are indicators of a ransomware attack, although other rules may be used.
	In some examples, the ransomware detector 210 may use data analytics to help distinguish between legitimate changes and malicious changes. The ransomware detector 210 may use various machine-learning techniques, such as a support vector machine, a Bayesian network, learning regression, a neural network, big data analytics, an evolutionary algorithm, and so on to detect malicious changes. The ransomware detector 210 may collect various features such as the number and frequency of changes, the location of changes, the patterns of the changes (extensions, headers, entropy changes, types), user information (e.g., organization or location), and so on. After collecting the features, the ransomware detector 210 may learn a classifier on a per-user basis, a per-organization basis, or on the basis of some other division of users. For example, the ransomware detector 210 may use various clustering techniques to generate clusters of users based on various attributes of the users (e.g., business user or personal user and frequency of computer usage).
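The condition summarized above for Borlick (US 10248577 B2), that a process's I/O rate is judged against the peak I/O rate of the data it touches rather than in isolation, can be sketched as follows. This is an added illustration, not code from the office action or from any cited reference; the margin, staleness cutoff, field names and sample events are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed tuning values; the cited reference states no concrete numbers.
RATE_MARGIN = 2.0            # process rate must exceed the data's peak rate by this factor
STALE_SECONDS = 90 * 86400   # data idle this long counts as "not accessed in a long time"
STALE_FRACTION = 0.5         # share of touched data that must be long idle to flag
NOW = 1_700_000_000.0        # constructed reference time (epoch seconds)

@dataclass
class DataProfile:
    peak_io_rate: float      # highest I/O rate historically observed for this data (ops/s)
    last_access: float       # last access before the monitored window (epoch seconds)

@dataclass
class IoEvent:
    pid: int
    path: str
    ts: float

def assess_process(events, profiles, pid, now=NOW):
    """Return (suspicious, reasons) for one process over a window of I/O events."""
    mine = [e for e in events if e.pid == pid]
    known = [profiles[p] for p in {e.path for e in mine} if p in profiles]
    if len(mine) < 2 or not known:
        return False, []
    span = max(e.ts for e in mine) - min(e.ts for e in mine)
    rate = len(mine) / max(span, 1.0)
    reasons = []
    # Context check: a high rate is only anomalous relative to the data's own peak.
    if rate > RATE_MARGIN * max(p.peak_io_rate for p in known):
        reasons.append("io_rate_exceeds_data_peak")
    stale = sum(now - p.last_access > STALE_SECONDS for p in known)
    if stale / len(known) >= STALE_FRACTION:
        reasons.append("touches_long_idle_data")
    return bool(reasons), reasons

# Constructed sample: pid 100 sweeps cold archive files, pid 200 hits a hot database
# file at the same raw rate (about 10 ops/s).
SAMPLE_PROFILES = {f"/archive/f{i}": DataProfile(2.0, NOW - 200 * 86400) for i in range(10)}
SAMPLE_PROFILES["/db/orders.dat"] = DataProfile(40.0, NOW - 60)
SAMPLE_EVENTS = (
    [IoEvent(100, f"/archive/f{i % 10}", NOW - 5 + i * 0.1) for i in range(50)]
    + [IoEvent(200, "/db/orders.dat", NOW - 5 + i * 0.1) for i in range(50)]
)

if __name__ == "__main__":
    for pid in (100, 200):
        print(pid, assess_process(SAMPLE_EVENTS, SAMPLE_PROFILES, pid))
```

Both processes issue the same number of operations in the same window; only the one whose rate exceeds the peak rate of the data it touches, and which reaches long-idle files, is flagged.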
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAHABUB S AHMED/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434