Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Attorney/Agent Alan Harrison, on 02/05/2021.


CLAIMS:
The application claim 21 is canceled.

The application claims 1, 19 and 20 are amended as follows:
Referring to claim 1: Please replace claim 1 as follows:
1. (Currently Amended) A method for protecting a machine learning model, the method comprising: 
	generating a first adversarial example by modifying an original input in accordance with an attack tactic, wherein the machine learning model accurately classifies the original input but does not accurately classify at least the first adversarial example; 
	training a defender to protect the machine learning model from the first adversarial example at least in part by updating at least one strategy of the defender based on 
	updating the attack tactic based on the predictive results obtained from the machine learning model classifying the first adversarial example; 
	generating a second adversarial example by modifying the original input in accordance with the updated attack tactic, wherein the trained defender does not protect the machine learning model from the second adversarial example; 
	training the defender to protect the machine learning model from the second adversarial example at least in part by updating the at least one strategy of the defender based on predictive results obtained from the machine learning model classifying the second adversarial example,
	wherein the defender is separate from the machine learning model and  processes input data before the input data reaches the machine learning model, wherein the defender reduces degrees of freedom available to an adversary by applying a feature squeezer to the original input and to each adversarial example, and wherein the feature squeezer implements a defense strategy of squeezing out unnecessary input features from the input data of the machine learning model such that the output of the machine learning model remains unchanged.


Referring to claim 19: Please replace claim 19 as follows:
19. (Currently Amended) An apparatus for protecting a machine learning model, comprising: 

	at least one processor coupled to the memory, the processor being operative: 
to generate a first adversarial example by modifying an original input in accordance with an attack tactic, wherein the machine learning model accurately classifies the original input but does not accurately classify at least the first adversarial example;
to train a defender to protect the machine learning model from the first adversarial example at least in part by updating at least one strategy of the defender based on predictive results from the machine learning model classifying the first adversarial example; 
to update the attack tactic based on the predictive results obtained from the machine learning model classifying the first adversarial example; 
to generate a second adversarial example by modifying the original input in accordance with the updated attack tactic, wherein the trained defender does not protect the machine learning model from the second adversarial example; and 
to train the defender to protect the machine learning model from the second adversarial example at least in part by updating the at least one strategy of the defender based on predictive results obtained from the machine learning model classifying the second adversarial example,
	wherein the defender is separate from the machine learning model and  processes input data before the input data reaches the machine learning model, wherein the defender reduces degrees of freedom available to an adversary by applying a feature squeezer to the original input and to each adversarial example, and wherein the feature squeezer implements a defense strategy of squeezing out unnecessary input features from the input data of the machine learning model such that the output of the machine learning model remains unchanged.


Referring to claim 20: Please replace claim 20 as follows:
20. (Currently Amended) A computer program product comprising a non-transitory machine-readable storage medium having machine-readable program code embodied therewith, said machine-readable program code comprising machine-readable program code configured: 
to generate a first adversarial example by modifying an original input in accordance with an attack tactic, wherein the machine learning model accurately classifies the original input but does not accurately classify at least the first adversarial example; 
to train a defender to protect the machine learning model from the first adversarial example at least in part by updating at least one strategy of the defender based on predictive results from the machine learning model classifying the first adversarial example; 
to update the attack tactic based on the predictive results obtained from the machine learning model classifying the first adversarial example; 
to generate a second adversarial example by modifying the original input in accordance with the updated attack tactic, wherein the trained defender does not protect the machine learning model from the second adversarial example; and 
to train the defender to protect the machine learning model from the second adversarial example at least in part by updating the at least one strategy of the defender based on predictive results obtained from the machine learning model classifying the second adversarial example,
	wherein the defender is separate from the machine learning model and  processes input data before the input data reaches the machine learning model, wherein the defender reduces degrees of freedom available to an adversary by applying a feature squeezer to the original input and to each adversarial example, and wherein the feature squeezer implements a defense strategy of squeezing out unnecessary input features from the input data of the machine learning model such that the output of the machine learning model remains unchanged.


Claim 21. Canceled.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH M JHAVERI whose telephone number is (571)270-7584.  The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JEFFREY PWU can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433