Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
The amendment filed on 7/1/2022 has been entered. Claims 1-18 remain pending in the application. Claims 1-2, 7-8, and 13-14 have been amended.
Applicant’s arguments with respect to claim(s) 1-18 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-18 are rejected under 35 U.S.C. 103 as being unpatentable over Liao (US 7962956 B1), hereinafter Liao, in view of Stocker (US 20210034994 A1), hereinafter Stock, in further view of Bolding (US-20190347578-A1), hereinafter Bolding.
Regarding claim 1, Liao, as shown below, discloses a detection system comprising the following limitations:
An anomaly and ransomware detection system, comprising: a storage device configured to store one or more snapshots of a primary machine; (“FIG. 2 schematically shows snapshots of online data being created and stored in a backup data storage device.” (column 3 rows 44-46))
taking a first snapshot of a primary machine and a second snapshot of the primary machine; (“the snapshot 401-1 may be taken at a time T1 (i.e., after time T0)” col 4, row 55-56) (“the snapshot 401-2 may be taken at time T2 (i.e., after time T1)” col 4, row 56-57)
storing the first snapshot in the storage device and storing the first snapshot and the second snapshot in the storage device; (“The snapshots 401 and the full backup 431 may be stored in separate backup storage devices, but are shown as in a single backup storage device 109 for illustration purposes only. The snapshots 401 may also be stored in the data storage device 106.” col 4, rows 42-46)
Liao does not appear to teach the following, but in an analogous art, Stock teaches a system to determine event observations based on varying data and further teaches:
generating or accessing a differential filesystem metadata (diff FMD) file that indicates one or more changes of at least one file of the primary machine occurring between the first snapshot and the second snapshot, the one or more changes of the at least one file being represented by respective changes in snapshot-based filesystem metadata of the diff FMD file (“model that may be applied to point in time snapshot of the data to identify anomalies, change points, patterns and/or outliers in the data”(34)) (“The event observation for each change-points, outliers, patterns, and/or anomalies may take the form of a separate file linked to the respective change-point, outlier, pattern, or anomaly, or may take the form of metadata of the change-point, outlier, pattern, or anomaly”(53))
based on the one or more changes filesystem metadata (“the association model 320 may combine the associated change-points, outliers, patterns, and anomalies into a single anomaly including, e.g., the metadata and other change-points, outliers, patterns, and/or anomalies information to form an event observation for each change-point, outlier, pattern, and/or anomaly”(46))
Furthermore, it would have been obvious to one skilled in the art, before the effective filing date of the claimed invention, to modify the detection system disclosed by Liao with the system to determine event observations based on varying data of Stock. One would have been motivated to do so in order to (“may automatically determine associations amongst the change-points, outliers, patterns, and/or anomalies to produce the event observations.”(106))
Liao and Stock do not appear to teach the following. However, Bolding, in the same or in a similar field of endeavor, discloses:
generating training data (“the data ingestion is “differential” to ensure that optimal data is used for the machine learning, and an associated training data reassembling technique ensures that the machine learning is not carried out on data that has already been seen and processed into the model.” (Bolding 0048))
and training one or more machine-learning models using the training data. (“According a preferred implementation, a machine learning model is trained to identify suspicious behavior using a training data set, where the training data set is derived from data ingested from the SIEM” (Bolding 91)) 
Furthermore, it would have been obvious to one skilled in the art, before the effective filing date of the claimed invention, to modify the detection system disclosed by Liao and the system to determine event observations based on varying data of Stock with the machine learning technique disclosed by Bolding. 
One would have been motivated to do so in order to provide better real-time and comprehensive protection than a normal program can provide (“By implementing the techniques (namely, adaptive object monitoring, differential data ingestion and training data reassembly), CPU and memory usage in the computing system(s) on which the SIEM executes are significantly reduced, thereby enhancing performance of the overall process of building, updating and applying the ML model” (Bolding 0063)).
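To make the claim 1 limitations concrete for the reader, the following is an added illustration (not code from the office action, the application, or any of the cited patents) of what a differential filesystem metadata (diff FMD) file between two snapshots can look like, and how such a diff can be reduced to a training row for an anomaly model. The snapshot contents, the `FileMeta`/`Change` types, the feature names and the labels are all constructed for this example.

```python
"""
Added example: build a diff FMD from two snapshots of a primary machine
and derive a feature row from it for training an anomaly model.
All data and names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FileMeta:
    size: int       # bytes (constructed)
    mtime: int      # seconds since epoch (constructed)
    digest: str     # short content-hash prefix (constructed)


@dataclass(frozen=True)
class Change:
    path: str
    kind: str                 # "created" | "deleted" | "modified"
    old: Optional[FileMeta]
    new: Optional[FileMeta]


Snapshot = Dict[str, FileMeta]   # path -> metadata, i.e. snapshot-based FMD

# Constructed first snapshot (T1) of the primary machine.
SNAPSHOT_T1: Snapshot = {
    "docs/a.docx": FileMeta(2048, 1700000000, "1a2b"),
    "docs/b.xlsx": FileMeta(4096, 1700000100, "3c4d"),
    "notes.txt": FileMeta(120, 1700000200, "5e6f"),
    "photo.jpg": FileMeta(90000, 1700000300, "7a8b"),
}
# Constructed second snapshot (T2) where documents were replaced by
# ".locked" files: the metadata alone shows the churn, no content needed.
SNAPSHOT_T2_RANSOMED: Snapshot = {
    "docs/a.docx.locked": FileMeta(2080, 1700003600, "9c0d"),
    "docs/b.xlsx.locked": FileMeta(4128, 1700003601, "e1f2"),
    "notes.txt": FileMeta(152, 1700003602, "a3b4"),
    "photo.jpg": FileMeta(90000, 1700000300, "7a8b"),
}
# Constructed benign T2: an ordinary edit of one text file.
SNAPSHOT_T2_BENIGN: Snapshot = {
    **SNAPSHOT_T1,
    "notes.txt": FileMeta(140, 1700003700, "c5d6"),
}


def diff_fmd(first: Snapshot, second: Snapshot) -> List[Change]:
    """Return the per-file metadata changes between two snapshots (the diff FMD)."""
    changes: List[Change] = []
    for path in sorted(set(first) | set(second)):
        a, b = first.get(path), second.get(path)
        if a is None:
            changes.append(Change(path, "created", None, b))
        elif b is None:
            changes.append(Change(path, "deleted", a, None))
        elif a != b:
            changes.append(Change(path, "modified", a, b))
    return changes


def _ext(path: str) -> str:
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def features(changes: List[Change], first: Snapshot, second: Snapshot) -> Dict[str, float]:
    """Aggregate a diff FMD into a fixed-length feature row derived solely from metadata."""
    kinds = {"created": 0, "deleted": 0, "modified": 0}
    new_exts: Dict[str, int] = {}
    for c in changes:
        kinds[c.kind] += 1
        if c.kind == "created":
            new_exts[_ext(c.path)] = new_exts.get(_ext(c.path), 0) + 1
    total = max(len(set(first) | set(second)), 1)
    dominant = max(new_exts.values()) if new_exts else 0
    return {
        "churn_ratio": round(len(changes) / total, 3),
        "deleted_ratio": round(kinds["deleted"] / total, 3),
        "modified_ratio": round(kinds["modified"] / total, 3),
        "created_count": float(kinds["created"]),
        # Share of newly created files sharing one extension (1.0 = all the same).
        "new_ext_concentration": round(dominant / kinds["created"], 3) if kinds["created"] else 0.0,
    }


def build_training_rows() -> List[Tuple[Dict[str, float], int]]:
    """Produce labelled (features, label) rows; label 1 = constructed ransomware case."""
    rows = []
    for second, label in ((SNAPSHOT_T2_RANSOMED, 1), (SNAPSHOT_T2_BENIGN, 0)):
        changes = diff_fmd(SNAPSHOT_T1, second)
        rows.append((features(changes, SNAPSHOT_T1, second), label))
    return rows


if __name__ == "__main__":
    for row, label in build_training_rows():
        print(label, row)
```

The point of the example is that every feature is computed from snapshot metadata (paths, sizes, timestamps, digests) taken from the backup side, so the comparison runs without touching the production system; the rows returned by `build_training_rows()` are what a model would be trained on.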
Regarding claim 2, the combination of Liao, Stock, and Bolding, hereinafter LSB, as shown in the rejection above, discloses all of the limitations of claim 1. Liao further discloses: wherein the storage device is a backup storage device and the one or more changes in the filesystem metadata are received from a backup system that includes backup storage device. (“The snapshots 401 and the full backup 431 may be stored in separate backup storage devices, but are shown as in a single backup storage device 109 for illustration purposes only. The snapshots 401 may also be stored in the data storage device 106 (See at least col 4, rows 42-46).”)

Regarding claim 3, LSB, as shown in the rejection above, discloses all of the limitations of claim 1. Liao further discloses: wherein the anomaly and ransomware detection operations are performed without impacting the production system. (“In embodiments of the present invention, the preferred backup procedure involves creation of incremental backups while the computer system is online. This allows the backup procedure to proceed with minimal impact on system performance and normal operations (col 3, rows 32-37).”)

Regarding claim 5, LSB, as shown in the rejection above, discloses all of the limitations of claim 1.
Liao does not disclose: The anomaly and detection system of claim 1, wherein the one or more machine-learning models includes an anomaly model and/or an encryption model.
However, Bolding further teaches: The anomaly and detection system of claim 1, wherein the one or more machine-learning models includes an anomaly model, an encryption model, or both. (“To this end, ML application 504 queries the event database 506 and obtain the training data. The UBA (as well as the SEIM itself) also mechanisms (not shown) to update users risk scores, to issue alerts or other notifications, etc., and to interact with other network systems. A higher risk score typically is indicative of more anomalous or malicious behaviors.”(0047))
Furthermore, it would have been obvious to one skilled in the art, before the effective filing date of the claimed invention, to modify the detection system disclosed by Liao and the system to determine event observations based on varying data of Stock with the machine learning technique disclosed by Bolding. 
One would have been motivated to do so in order to provide better real-time and comprehensive protection than a normal program can provide (“By implementing the techniques (namely, adaptive object monitoring, differential data ingestion and training data reassembly), CPU and memory usage in the computing system(s) on which the SIEM executes are significantly reduced, thereby enhancing performance of the overall process of building, updating and applying the ML model” (Bolding 0063)).

Regarding claim 6, LSB, as shown in the rejection above, discloses all of the limitations of claim 1.

Liao further teaches snapshot-based metadata: (“For example, the mapping module 420 may backtrack from a sector, the meta data entry for that sector, and then to the file associated with the meta data entry. As will be more apparent below, this allows the backup selection module 410 to read a snapshot 401 to find a sector that has been overwritten, identify the file whose data is in that sector, and scan that file for malwares using the file-based antivirus 421.” (col 6, rows 39-46))
Liao fails to teach the following. However, Bolding, in the same or in a similar field of endeavor, discloses:
wherein the training of the one or more machine-learning models is based on training data derived solely on the metadata (“In a typical operation, the training data is ingested by queries to the security platform (the SIEM) that serves as a host to both UBA 502 and ML 504 applications. To this end, ML application 504 queries the event database 506 and obtain the training data.” (Bolding 0047))
Furthermore, it would have been obvious to one skilled in the art, before the effective filing date of the claimed invention, to modify the detection system disclosed by Liao and the system to determine event observations based on varying data of Stock with the machine learning technique disclosed by Bolding. 
One would have been motivated to do so in order to provide better real-time and comprehensive protection than a normal program can provide (“By implementing the techniques (namely, adaptive object monitoring, differential data ingestion and training data reassembly), CPU and memory usage in the computing system(s) on which the SIEM executes are significantly reduced, thereby enhancing performance of the overall process of building, updating and applying the ML model” (Bolding 0063)).

Regarding claims 7-9, 11-15, and 17-18, applicant recites limitations of the same or substantially the same scope as claims 1-3 and 5-6. Accordingly, claims 7-9, 11-15, and 17-18 are rejected in substantially the same manner as claims 1-3 and 5-6 as shown above.

Claims 4, 10, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of LSB in view of Muddu (US 9516053 B1), hereinafter Muddu.
Regarding claim 4, LSB, as shown in the rejection above, discloses all of the limitations of claims 1 and 3. 
LSB does not disclose: wherein one or more of the anomaly and ransomware detection operations are offloaded to a cloud-based software-as-a-service platform. However, in the same or in a similar field of endeavor, Muddu teaches the method further:
wherein one or more of the anomaly and ransomware detection operations are offloaded to a cloud-based software-as-a-service platform (“The security platform may be cloud-based and may employ big data techniques to process a vast quantity of high data rate information in a highly scalable manner. In certain embodiments, the security platform may be hosted in the cloud and provided as a service. In certain embodiments, the security platform is provided as a platform-as-a-service (PaaS) (Muddu, col 10, 47-53).”)
It would have been obvious to one skilled in the art to modify the method of Liao, the technique of Bolding, and the system of Stock by offloading the anomaly and ransomware detections to a cloud-based software-as-a-service platform, as disclosed by Muddu.
One of ordinary skill in the art would have been motivated to include offloading the anomaly and ransomware detections to a cloud-based software-as-a-service platform to offload the burden on the user’s systems and allow for the many benefits of cloud computing (“Among its many advantages, cloud computing permits or facilitates redundancy, fault tolerance, easy scalability, low implementation cost and freedom from geographic restrictions. The concept of cloud computing and the various cloud computing operating systems or infrastructures are known.” (Muddu, col 12, rows 59-64)). As can be seen, SaaS/cloud-based computing offers a great many services that would further offload the burden placed on the computer being used by resource-intensive snapshots and comparisons.

Regarding claims 10 and 16, applicant recites limitations of the same or substantially the same scope as claim 4. Accordingly, claims 10 and 16 are rejected in substantially the same manner as claim 4 as shown above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US-9779240-B2
US-7802300-B1

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUSTIN W COLLIER whose telephone number is (571)272-0066. The examiner can normally be reached Mon-Fri.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AUSTIN W COLLIER/Examiner, Art Unit 2499
/PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499