DETAILED ACTION
1.	This action is in response to the application filed 03/08/2019. Claims 1-20 are pending and have been considered.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/08/2019 and 06/02/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Objections
Claim 6 and 16 are objected to because of the following informalities:  The phrase "comprises measuring an effect on output of the computer model" is not grammatically correct and appears to be omitting a word before "output". Examiner will interpret the phrase as "measuring an effect on  Appropriate correction or clarification is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 11-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claims do not fall within at least one of the four categories of patent eligible subject matter because the claim can be interpreted as signal per se. ¶[0073] of the specification states the computer readable storage medium is not to be construed as transitory signals per se, however the paragraph also states the computer readable storage medium can be a tangible device but is not limited to. There is no defined and clear definition of a computer readable storage medium recited in the specification. Therefore, under the broadest reasonable interpretation, this does not limit computer readable storage medium from being transitory signals. Examiner proposes the applicant to amend computer readable storage medium to be non-transitory computer readable storage medium. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 6, 9, 11, 16, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Xiao et al. ("Spatially Transformed Adversarial Examples", cited by Applicant in the IDS filed on 06/02/2020, hereinafter "Xiao") in view of Zhou et al. ("Interpreting Deep Visual Representations via Network Dissection", hereinafter "Zhou"). 

Regarding claim 1, Xiao teaches A method, in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions which are executed by the at least one processor to specifically configure the at least one processor to implement an adversarial perturbation attack sensitivity (APAS) visualization system (See pg. 3, § Spatial Transformation, Xiao discloses computer vision which would imply the use of processors and memory to perform data processing. Xiao further discloses “Inspired by these successes, we also use the spatial transformers to deform the input images, but with a different goal: to generate realistic adversarial examples.”), the method comprising: 
receiving, by the APAS visualization system implemented by the at least one processor, a natural input dataset and a corresponding adversarial attack input dataset for evaluation by the APAS visualization system (“We use                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                                
                                    (
                                    i
                                    )
                                
                            
                             
                        
                     to denote the pixel value of the i-th pixel and 2D coordinate (                        
                            
                                
                                    u
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                                
                                    (
                                    i
                                    )
                                
                            
                        
                    ,                         
                            
                                
                                    v
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                                
                                    (
                                    i
                                    )
                                
                            
                        
                    ) to denote its location in the adversarial image                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                            
                        
                    . We assume that                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                                
                                    (
                                    i
                                    )
                                
                            
                             
                        
                    is transformed from the pixel                         
                            
                                
                                    x
                                
                                
                                    (
                                    i
                                    )
                                
                            
                             
                        
                    from the original image. We use the per-pixel flow (displacement) field f to synthesize the adversarial image                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                            
                        
                     using pixels from the input x.” [pg. 4, § 3.3 Our approach: Spatially Transformed Adversarial Examples, ¶2]), wherein data structures of the adversarial attack input dataset comprise perturbations intended to cause a misclassification by a computer model (“In a targeted attack, the adversary’s objective is to modify an input x such that the target model g classifies the perturbed input                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                            
                        
                     in a targeted class chosen, which differs from its ground truth. In a untargeted attack, the adversary’s objective is to cause the perturbed input                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                            
                        
                     to be misclassified in any class other than its ground truth.” [pg. 2, § 2 Related Work, ¶1]); 
determining, by the APAS visualization system, at least one sensitivity measure of the computer model to the perturbations in the adversarial attack input dataset based on a processing of the natural input dataset and corresponding adversarial attack input dataset by the computer model (“
    PNG
    media_image1.png
    127
    536
    media_image1.png
    Greyscale
” pg. 5, ¶2; Examiner is interpreting Ladv(x ,f) to be equivalent to a sensitivity measurement of the computer model as it is a likeliness calculation to change the prediction output. In addition, Ladv(x, f) uses xadv as part of the calculation where xadv is a transformation of x (i.e. the natural input data) using the flow field of eq. 1. (This shows that the sensitivity measure would be based off processing of the natural input data.)]); 
generating, by the APAS visualization system, a classification activation map (CAM) for the computer model based on results of the processing of the natural input dataset and adversarial attack input dataset (“Here we apply Class Activation Mapping (CAM), an implicit attention visualization technique for localizing the discriminative regions implicitly detected by a DNN. We use it to show the attention of the target ImageNet inception_v3 model for both original images and generated adversarial examples.” [pg. 10, §4.5 Visualizing Attention of Networks on Adversarial Examples, ¶1; See Figure 8 shows the CAM for the model after inputting an original image with adversarial examples.]); 
However Xiao fails to explicitly teach
generating, by the APAS visualization system, a sensitivity overlay based on the at least one sensitivity measure, wherein the sensitivity overlay graphically represents different classifications of perturbation sensitivities
applying, by the APAS visualization system, the sensitivity overlay to the CAM to generate a graphical visualization output of the computer model sensitivity to perturbations of adversarial attacks; 
and outputting, by the APAS visualization system, the graphical visualization output to a user computing device for visual display to a user.
	Zhou teaches 
generating, by the APAS visualization system, a sensitivity overlay based on the at least one sensitivity measure, wherein the sensitivity overlay graphically represents different classifications of perturbation sensitivities (“Figure 2 summarizes the whole process of scoring unit interpretability: By segmenting the annotation mask using the receptive field of units for the top activated images, we compute the IoU for each concept. Importantly, the IoU which evaluates the quality of the segmentation of a unit is an objective confidence score for interpretability that is comparable across networks, enabling us to compare interpretability of different representations and so lays the basis for the experiments below.” [pg. 3, left col, bottom para; Examiner is interpreting an annotation mask to be equivalent to the sensitivity overlay. Figure 2 discloses segmented annotations which graphically shows different classifications of perturbations.]) 
applying, by the APAS visualization system, the sensitivity overlay to the CAM to generate a graphical visualization output of the computer model sensitivity to perturbations of adversarial attacks (“To compare a low-resolution unit’s activation map to the input resolution annotation mask Lc for some concept c, the activation map is scaled up to the mask resolution Sk(x) from Ak(x) using bilinear interpolation, anchoring interpolants at the center of each unit’s receptive field.” [pg. 3, § 2.2 Scoring Unit Interpretability, ¶5; As noted above, the examiner is interpreting a sensitivity overlay to be equivalent to the annotation mask. Scaling the activation map to the mask resolution would be equivalent to applying. See Fig 2. for graphical visualization.]); and
outputting, by the APAS visualization system, the graphical visualization output to a user computing device for visual display to a user (“Fig. 4. The annotation interface used by human raters on Amazon Mechanical Turk. Raters are shown descriptive text in quotes together with fifteen images, each with highlighted patches, and must evaluate whether the quoted text is a good description for the highlighted patches.” [pg. 4, § 3.1 Human Evaluation of Interpretations]).
Xiao and Zhou are both in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the sensitivity measurement and classification activation map disclosed by Xiao in order to apply the annotation mask as taught by Zhou to result in a graphical visualization of the output. One would have been motivated to make this modification in order to provide a visualization of perturbations and compare the interpretability of different perturbations. [pg. 3, § 2.2 Scoring Unit Interpretability, ¶5, Zhou]

Regarding claim 6, the combination of Xiao and Zhou teaches The method of claim 1, where Xiao further teaches wherein determining at least one sensitivity measure of the computer model to the perturbations in the adversarial attack input dataset based on a processing of the natural input dataset and corresponding adversarial attack input dataset by the computer model comprises measuring an effect on output of the computer model made by the presence, or lack thereof, of one or more perturbations in the corresponding adversarial attack input dataset by identifying a change in logit scores in the computer model at one or more granularities (“
    PNG
    media_image1.png
    127
    536
    media_image1.png
    Greyscale
”, pg. 5, ¶2; Examiner is interpreting the logit output to be equivalent to a logit score and thus would be a way to measure an effect of the output.]) comprising at least one of pixel-level, grid-level, or image-level granularities (“To compute Lflow, we calculate the sum of spatial movement distance for any two adjacent pixels. Given an arbitrary pixel p and its neighbors q ∈ N (p), we enforce the locally smooth spatial transformation perturbation Lflow based on the total variation.” [pg. 5, ¶3]).

Regarding claim 9, the combination of Xiao and Zhou teaches The method of claim 1, where Xiao further teaches wherein the computer model performs image analysis and classification operations to classify an input image into one of a plurality of predetermined classifications (See Figure 2: Adversarial examples generated by stAdv against different models on MNIST. The ground truth images are shown in the diagonal and the rest are adversarial examples that are misclassified to the targeted class shown on the top. [pg. 6, Figure 2]), 
wherein the natural input dataset is a digital image without a perturbation being introduced into the digital image, and the adversarial attack input dataset is the digital image with one or more perturbations introduced into the natural input dataset (“To better understand the spatial transformation applied to the original images, we visualize the optimized transformation flow for different datasets, respectively. Figure 5 visualizes a transformation on an MNIST instance, where the digit “0” is misclassified as “2.” We can see that the adjacent flows move in a similar direction in order to generate smooth results.” [pg. 6, § 4.2 Visualizing Spatial Transformation, ¶1]), 
and wherein the graphical visualization output presents a CAM comprising the digital image with regions highlighted to identify areas having different levels of influence on an output of the computer model (“
    PNG
    media_image2.png
    352
    535
    media_image2.png
    Greyscale
” [pg. 10, See Figure 8]), and
However Xiao fails to explicitly teach
the sensitivity overlay indicating areas where the computer model has different classifications of sensitivity to perturbations 
Zhou teaches the sensitivity overlay indicating areas where the computer model has different classifications of sensitivity to perturbations (“Figure 2 summarizes the whole process of scoring unit interpretability: By segmenting the annotation mask using the receptive field of units for the top activated images, we compute the IoU for each concept. Importantly, the IoU which evaluates the quality of the segmentation of a unit is an objective confidence score for interpretability that is comparable across networks, enabling us to compare interpretability of different representations and so lays the basis for the experiments below.” [pg. 3, left col, bottom para; Examiner is interpreting an annotation mask to be equivalent to the sensitivity overlay. Figure 2 discloses segmented annotations (i.e. areas in the images) which graphically shows different classifications of perturbations.])
Xiao and Zhou are both in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the classification activation map disclosed by Xiao in order to apply the annotation mask as taught by Zhou to result in a graphical visualization of the output. One would have been motivated to make this modification in order to provide a visualization of perturbations and compare the interpretability of different perturbations. [pg. 3, § 2.2 Scoring Unit Interpretability, ¶5, Zhou]

Regarding claim 11, Xiao teaches A computer program product comprising a computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on a data processing system, causes the data processing system to implement an adversarial perturbation attack sensitivity (APAS) visualization system (See pg. 3, § Spatial Transformation, Xiao discloses computer vision which would imply the use of processors and memory to perform data processing. Xiao further discloses “Inspired by these successes, we also use the spatial transformers to deform the input images, but with a different goal: to generate realistic adversarial examples.”) that operates to:
receive a natural input dataset and a corresponding adversarial attack input dataset for evaluation by the APAS visualization system (“We use                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                                
                                    (
                                    i
                                    )
                                
                            
                             
                        
                     to denote the pixel value of the i-th pixel and 2D coordinate (                        
                            
                                
                                    u
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                                
                                    (
                                    i
                                    )
                                
                            
                        
                    ,                         
                            
                                
                                    v
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                                
                                    (
                                    i
                                    )
                                
                            
                        
                    ) to denote its location in the adversarial image                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                            
                        
                    . We assume that                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                                
                                    (
                                    i
                                    )
                                
                            
                             
                        
                    is transformed from the pixel                         
                            
                                
                                    x
                                
                                
                                    (
                                    i
                                    )
                                
                            
                             
                        
                    from the original image. We use the per-pixel flow (displacement) field f to synthesize the adversarial image                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                            
                        
                     using pixels from the input x.” [pg. 4, § 3.3 Our approach: Spatially Transformed Adversarial Examples, ¶2]), wherein data structures of the adversarial attack input dataset comprise perturbations intended to cause a misclassification by a computer model (“In a targeted attack, the adversary’s objective is to modify an input x such that the target model g classifies the perturbed input                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                            
                        
                     in a targeted class chosen, which differs from its ground truth. In a untargeted attack, the adversary’s objective is to cause the perturbed input                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                            
                        
                     to be misclassified in any class other than its ground truth.” [pg. 2, § 2 Related Work, ¶1]); 
determine at least one sensitivity measure of the computer model to the perturbations in the adversarial attack input dataset based on a processing of the natural input dataset and corresponding adversarial attack input dataset by the computer model (“
    PNG
    media_image1.png
    127
    536
    media_image1.png
    Greyscale
” pg. 5, ¶2; Examiner is interpreting Ladv(x ,f) to be equivalent to a sensitivity measurement of the computer model as it is a likeliness calculation to change the prediction output. In addition, Ladv(x, f) uses xadv as part of the calculation where xadv is a transformation of x (i.e. the natural input data) using the flow field in eq. 1. (This shows that the sensitivity measure would be based off processing of the natural input data.]); 
generate a classification activation map (CAM) for the computer model based on results of the processing of the natural input dataset and adversarial attack input dataset (“Here we apply Class Activation Mapping (CAM), an implicit attention visualization technique for localizing the discriminative regions implicitly detected by a DNN. We use it to show the attention of the target ImageNet inception_v3 model for both original images and generated adversarial examples.” [pg. 10, §4.5 Visualizing Attention of Networks on Adversarial Examples, ¶1; See Figure 8 shows the CAM for the model after inputting an original image with adversarial examples.]); 
However Xiao fails to explicitly teach
generate a sensitivity overlay based on the at least one sensitivity measure, wherein the sensitivity overlay graphically represents different classifications of perturbation sensitivities
apply the sensitivity overlay to the CAM to generate a graphical visualization output of the computer model sensitivity to perturbations of adversarial attacks; 
and output the graphical visualization output to a user computing device for visual display to a user.
	Zhou teaches 
generate a sensitivity overlay based on the at least one sensitivity measure, wherein the sensitivity overlay graphically represents different classifications of perturbation sensitivities (“Figure 2 summarizes the whole process of scoring unit interpretability: By segmenting the annotation mask using the receptive field of units for the top activated images, we compute the IoU for each concept. Importantly, the IoU which evaluates the quality of the segmentation of a unit is an objective confidence score for interpretability that is comparable across networks, enabling us to compare interpretability of different representations and so lays the basis for the experiments below.” [pg. 3, left col, bottom para; Examiner is interpreting an annotation mask to be equivalent to the sensitivity overlay. Figure 2 discloses segmented annotations which graphically shows different classifications of perturbations.])
apply the sensitivity overlay to the CAM to generate a graphical visualization output of the computer model sensitivity to perturbations of adversarial attacks (“To compare a low-resolution unit’s activation map to the input resolution annotation mask Lc for some concept c, the activation map is scaled up to the mask resolution Sk(x) from Ak(x) using bilinear interpolation, anchoring interpolants at the center of each unit’s receptive field.” [pg. 3, § 2.2 Scoring Unit Interpretability, ¶5; As noted above, the examiner is interpreting a sensitivity overlay to be equivalent to the annotation mask. Scaling the activation map to the mask resolution would be equivalent to applying. See Fig 2. for graphical visualization.]); and
output the graphical visualization output to a user computing device for visual display to a user (“Fig. 4. The annotation interface used by human raters on Amazon Mechanical Turk. Raters are shown descriptive text in quotes together with fifteen images, each with highlighted patches, and must evaluate whether the quoted text is a good description for the highlighted patches.” [pg. 4, § 3.1 Human Evaluation of Interpretations]).
Xiao and Zhou are both in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the sensitivity measurement and classification activation map disclosed by Xiao in order to apply the annotation mask as taught by Zhou to result in a graphical visualization of the output. One would have been motivated to make this modification in order to provide a visualization of perturbations and compare the interpretability of different perturbations. [pg. 3, § 2.2 Scoring Unit Interpretability, ¶5, Zhou]

Regarding claim 16, the combination of Xiao and Zhou teaches The computer program product of claim 11, where Xiao further teaches wherein determining at least one sensitivity measure of the computer model to the perturbations in the adversarial attack input dataset based on a processing of the natural input dataset and corresponding adversarial attack input dataset by the computer model comprises measuring an effect on output of the computer model made by the presence, or lack thereof, of one or more perturbations in the corresponding adversarial attack input dataset by identifying a change in logit scores in the computer model at one or more granularities (“
    PNG
    media_image1.png
    127
    536
    media_image1.png
    Greyscale
”, pg. 5, ¶2; Examiner is interpreting the logit output to be equivalent to a logit score and thus would be a way to measure an effect of the output.]) comprising at least one of pixel-level, grid-level, or image-level granularities (“To compute Lflow, we calculate the sum of spatial movement distance for any two adjacent pixels. Given an arbitrary pixel p and its neighbors q ∈ N (p), we enforce the locally smooth spatial transformation perturbation Lflow based on the total variation.” [pg. 5, ¶3]).

Regarding claim 19, the combination of Xiao and Zhou teaches The computer program product of claim 11, where Xiao further teaches wherein the computer model performs image analysis and classification operations to classify an input image into one of a plurality of predetermined classifications (See Figure 2: Adversarial examples generated by stAdv against different models on MNIST. The ground truth images are shown in the diagonal and the rest are adversarial examples that are misclassified to the targeted class shown on the top. [pg. 6, Figure 2]), 
wherein the natural input dataset is a digital image without a perturbation being introduced into the digital image, and the adversarial attack input dataset is the digital image with one or more perturbations introduced into the natural input dataset (“To better understand the spatial transformation applied to the original images, we visualize the optimized transformation flow for different datasets, respectively. Figure 5 visualizes a transformation on an MNIST instance, where the digit “0” is misclassified as “2.” We can see that the adjacent flows move in a similar direction in order to generate smooth results.” [pg. 6, § 4.2 Visualizing Spatial Transformation, ¶1]), 
and wherein the graphical visualization output presents a CAM comprising the digital image with regions highlighted to identify areas having different levels of influence on an output of the computer model (“
    PNG
    media_image2.png
    352
    535
    media_image2.png
    Greyscale
” [pg. 10, See Figure 8]), and 
However Xiao fails to explicitly teach
the sensitivity overlay indicating areas where the computer model has different classifications of sensitivity to perturbations 
Zhou teaches the sensitivity overlay indicating areas where the computer model has different classifications of sensitivity to perturbations (“Figure 2 summarizes the whole process of scoring unit interpretability: By segmenting the annotation mask using the receptive field of units for the top activated images, we compute the IoU for each concept. Importantly, the IoU which evaluates the quality of the segmentation of a unit is an objective confidence score for interpretability that is comparable across networks, enabling us to compare interpretability of different representations and so lays the basis for the experiments below.” [pg. 3, left col, bottom para; Examiner is interpreting an annotation mask to be equivalent to the sensitivity overlay. Figure 2 discloses segmented annotations (i.e. areas in the images) which graphically shows different classifications of perturbations.])
Xiao and Zhou are both in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the classification activation map disclosed by Xiao in order to apply the annotation mask as taught by Zhou to result in a graphical visualization of the output. One would have been motivated to make this modification in order to provide a visualization of perturbations and compare the interpretability of different perturbations. [pg. 3, § 2.2 Scoring Unit Interpretability, ¶5, Zhou]
Regarding claim 20, An apparatus comprising: at least one processor; and at least one memory coupled to the at least one processor, wherein the at least one memory comprises instructions which, when executed by the at least one processor, cause the at least one processor to implement an adversarial perturbation attack sensitivity (APAS) visualization system (See pg. 3, § Spatial Transformation, Xiao discloses computer vision which would imply the use of processors and memory to perform data processing. Xiao further discloses “Inspired by these successes, we also use the spatial transformers to deform the input images, but with a different goal: to generate realistic adversarial examples.”)  that operates to:
receive a natural input dataset and a corresponding adversarial attack input dataset for evaluation by the APAS visualization system (“We use                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                                
                                    (
                                    i
                                    )
                                
                            
                             
                        
                     to denote the pixel value of the i-th pixel and 2D coordinate (                        
                            
                                
                                    u
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                                
                                    (
                                    i
                                    )
                                
                            
                        
                    ,                         
                            
                                
                                    v
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                                
                                    (
                                    i
                                    )
                                
                            
                        
                    ) to denote its location in the adversarial image                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                            
                        
                    . We assume that                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                                
                                    (
                                    i
                                    )
                                
                            
                             
                        
                    is transformed from the pixel                         
                            
                                
                                    x
                                
                                
                                    (
                                    i
                                    )
                                
                            
                             
                        
                    from the original image. We use the per-pixel flow (displacement) field f to synthesize the adversarial image                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                            
                        
                     using pixels from the input x.” [pg. 4, § 3.3 Our approach: Spatially Transformed Adversarial Examples, ¶2]), wherein data structures of the adversarial attack input dataset comprise perturbations intended to cause a misclassification by a computer model (“In a targeted attack, the adversary’s objective is to modify an input x such that the target model g classifies the perturbed input                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                            
                        
                     in a targeted class chosen, which differs from its ground truth. In a untargeted attack, the adversary’s objective is to cause the perturbed input                         
                            
                                
                                    x
                                
                                
                                    (
                                    a
                                    d
                                    v
                                    )
                                
                            
                        
                     to be misclassified in any class other than its ground truth.” [pg. 2, § 2 Related Work, ¶1]); 
determine at least one sensitivity measure of the computer model to the perturbations in the adversarial attack input dataset based on a processing of the natural input dataset and corresponding adversarial attack input dataset by the computer model (“
    PNG
    media_image1.png
    127
    536
    media_image1.png
    Greyscale
” pg. 5, ¶2; Examiner is interpreting Ladv(x ,f) to be equivalent to a sensitivity measurement of the computer model as it is a likeliness calculation to change the prediction output. In addition, Ladv(x, f) uses xadv as part of the calculation where xadv is a transformation of x (i.e. the natural input data) using the flow field in eq. 1. (This shows that the sensitivity measure would be based off processing of the natural input data.]); 
generate a classification activation map (CAM) for the computer model based on results of the processing of the natural input dataset and adversarial attack input dataset (“Here we apply Class Activation Mapping (CAM), an implicit attention visualization technique for localizing the discriminative regions implicitly detected by a DNN. We use it to show the attention of the target ImageNet inception_v3 model for both original images and generated adversarial examples.” [pg. 10, §4.5 Visualizing Attention of Networks on Adversarial Examples, ¶1; See Figure 8 shows the CAM for the model after inputting an original image with adversarial examples.]); 
 However Xiao fails to explicitly teach
generate a sensitivity overlay based on the at least one sensitivity measure, wherein the sensitivity overlay graphically represents different classifications of perturbation sensitivities;
apply the sensitivity overlay to the CAM to generate a graphical visualization output of the computer model sensitivity to perturbations of adversarial attacks; 
and output the graphical visualization output to a user computing device for visual display to a user.
	Zhou teaches 
generate a sensitivity overlay based on the at least one sensitivity measure, wherein the sensitivity overlay graphically represents different classifications of perturbation sensitivities (“Figure 2 summarizes the whole process of scoring unit interpretability: By segmenting the annotation mask using the receptive field of units for the top activated images, we compute the IoU for each concept. Importantly, the IoU which evaluates the quality of the segmentation of a unit is an objective confidence score for interpretability that is comparable across networks, enabling us to compare interpretability of different representations and so lays the basis for the experiments below.” [pg. 3, left col, bottom para; Examiner is interpreting an annotation mask to be equivalent to the sensitivity overlay. Figure 2 discloses segmented annotations which graphically shows different classifications of perturbations.]);
apply the sensitivity overlay to the CAM to generate a graphical visualization output of the computer model sensitivity to perturbations of adversarial attacks (“To compare a low-resolution unit’s activation map to the input resolution annotation mask Lc for some concept c, the activation map is scaled up to the mask resolution Sk(x) from Ak(x) using bilinear interpolation, anchoring interpolants at the center of each unit’s receptive field.” [pg. 3, § 2.2 Scoring Unit Interpretability, ¶5; As noted above, the examiner is interpreting a sensitivity overlay to be equivalent to the annotation mask. Scaling the activation map to the mask resolution would be equivalent to applying. See Fig 2. for graphical visualization.]); and
output the graphical visualization output to a user computing device for visual display to a user (“Fig. 4. The annotation interface used by human raters on Amazon Mechanical Turk. Raters are shown descriptive text in quotes together with fifteen images, each with highlighted patches, and must evaluate whether the quoted text is a good description for the highlighted patches.” [pg. 4, § 3.1 Human Evaluation of Interpretations]).
Xiao and Zhou are both in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the sensitivity measurement and classification activation map disclosed by Xiao in order to apply the annotation mask as taught by Zhou to result in a graphical visualization of the output. One would have been motivated to make this modification in order to provide a visualization of perturbations and compare the interpretability of different perturbations. [pg. 3, § 2.2 Scoring Unit Interpretability, ¶5, Zhou]
Claims 2, 7, 8, 12, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Xiao in view of Zhou and further in view of Wang et al. ("Detecting Adversarial Samples for Deep Neural Networks through Mutation Testing", hereinafter "Wang").

Regarding claim 2, the combination of Xiao and Zhou teaches The method of claim 1, where Zhou further teaches wherein the different classifications of perturbation sensitivities graphically represented by the sensitivity overlay (“Figure 2 summarizes the whole process of scoring unit interpretability: By segmenting the annotation mask using the receptive field of units for the top activated images, we compute the IoU for each concept. Importantly, the IoU which evaluates the quality of the segmentation of a unit is an objective confidence score for interpretability that is comparable across networks, enabling us to compare interpretability of different representations and so lays the basis for the experiments below.” [pg. 3, left col, bottom para; Figure 2 discloses segmented annotations (i.e. areas in the images) which graphically shows different classifications of perturbations.])
However the combination fails to explicitly teach comprises a first classification indicating promotion dominated perturbations which promote an output of the computer model corresponding to a target output of the adversarial attack input dataset, and a second classification indicating suppression dominated perturbations which suppress the output of the computer model corresponding to a true output of the natural input dataset.
Wang teaches comprises a first classification indicating promotion dominated perturbations which promote an output of the computer model corresponding to a target output of the adversarial attack input dataset, and a second classification indicating suppression dominated perturbations which suppress the output of the computer model corresponding to a true output of the natural input dataset (“The basic idea of our algorithm is to use acceptance sampling to test the hypothesis that κ(x) > µ · κ1 with strength α, β and σ, where µ is a hyper parameter, α, β, and σ are the parameters controlling the strength and indifference region of the test. Recall that κ(x) is the measured sensitivity of sample x. The detailed algorithm is shown in Algorithm 1. There are two possible outcomes. If the hypothesis is accepted, it means that the sample has a higher sensitivity than a normal sample. Thus, we report that the input x is an adversarial sample with error bounded by β. If the hypothesis is rejected, we report that the input is a normal sample with error bounded by α.” [pg. 5, § The algorithm, ¶1-2; Examiner is interpreting a first classification to be when the hypothesis is accepted and a second classification to be when the hypothesis is rejected. Examiner also interprets promotion dominated perturbations to be equivalent to κ(x) > µ · κ1. (i.e. when confidence score determines an adversarial input) and a suppression dominated perturbations to be equivalent to κ(x) ≤ µ · κ1 (i.e. when confidence score determines a normal input]).
Xiao, Zhou, and Wang are all in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. Wang discloses a method to detect adversarial samples for deep neural networks. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the sensitivity measurement and classification activation map disclosed by Xiao and the annotation mask taught by Zhou with the promotion and suppression perturbations of Wang. One would have been motivated to make this modification in order to graphically display the classified output corresponding to either an attack dataset or natural dataset based off the induced perturbations. 

Regarding claim 7, the combination of Xiao and Zhou teaches The method of claim 1, however fails to explicitly teach wherein determining at least one sensitivity measure of the computer model to perturbations in the adversarial attack input dataset comprises generating a promotion-suppression ratio (PSR) for each perturbation in the adversarial attack input dataset, and wherein the PSR is a measure of the promotion effects and suppression effects of a corresponding perturbation on misclassification of the computer model.
Wang teaches wherein determining at least one sensitivity measure of the computer model to perturbations in the adversarial attack input dataset comprises generating a promotion-suppression ratio (PSR) for each perturbation in the adversarial attack input dataset (“Secondly, as we increase the StepSize for generating mutations, both                         
                            
                                
                                     
                                    κ
                                
                                
                                    n
                                    o
                                    r
                                
                            
                        
                     and                         
                            
                                
                                     
                                    κ
                                
                                
                                    a
                                    d
                                    v
                                
                            
                        
                     increase (expectedly) and the relative distance between                          
                            
                                
                                     
                                    κ
                                
                                
                                    n
                                    o
                                    r
                                
                            
                        
                     and                         
                            
                                
                                     
                                    κ
                                
                                
                                    a
                                    d
                                    v
                                
                            
                             
                        
                    reduces. In the following, we measure the relative distance between                         
                            
                                
                                     
                                    κ
                                
                                
                                    n
                                    o
                                    r
                                
                            
                        
                     and                         
                            
                                
                                     
                                    κ
                                
                                
                                    a
                                    d
                                    v
                                
                            
                        
                    using their ratio                         
                            
                                
                                    
                                        
                                             
                                            κ
                                        
                                        
                                            a
                                            d
                                            v
                                        
                                    
                                
                                
                                    
                                        
                                             
                                            κ
                                        
                                        
                                            n
                                            o
                                            r
                                        
                                    
                                
                            
                        
                    .”[pg. 6, § Hypothesis evaluation, ¶3; Examiner is interpreting the ratio of                         
                            
                                
                                    
                                        
                                             
                                            κ
                                        
                                        
                                            a
                                            d
                                            v
                                        
                                    
                                
                                
                                    
                                        
                                             
                                            κ
                                        
                                        
                                            n
                                            o
                                            r
                                        
                                    
                                
                            
                        
                      to be equivalent to a promotion-suppression ratio.]), and wherein the PSR is a measure of the promotion effects and suppression effects of a corresponding perturbation on misclassification of the computer model (“The last column of Table 1 shows the average κ(x) value of the randomly selected wrongly-labeled samples. We can observe that the sensibility of these wrongly-labeled samples to random perturbations are comparable to those generated by four kinds of attacks, which are significantly larger than the sensibility of normal samples. We also run our algorithm against these wrongly-labeled samples (WL) and report our detection result in Table 2. We can observe that our algorithm is able to detect these wrongly-labeled samples effectively and efficiently similar to detecting the adversarial samples. This suggests that wrongly-labeled samples are the same as the adversarial samples in our explanatory model from a statistical point of view.” [pg. 7, § Adversarial sample detection, ¶5]).
Xiao, Zhou, and Wang are all in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. Wang discloses a method to detect adversarial samples for deep neural networks. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the sensitivity measurement disclosed by Xiao and the annotation mask taught by Zhou with promotion and suppression ratio of Wang. One would have been motivated to modify the sensitivity measurements disclosed by Xiao in order to include an additional sensitivity measurement such as a ratio of promotion and suppression effects taught by Wang in order to prevent the model from misclassifying data and improve the robustness of the model. 

Regarding claim 8, the combination of Xiao, Zhou, and Wang teaches The method of claim 7, where Zhou further teaches wherein determining at least one sensitivity measure of the computer model further comprises generating an interpretability score to quantify interpretability of adversarial perturbations (“Figure 2 summarizes the whole process of scoring unit interpretability: By segmenting the annotation mask using the receptive field of units for the top activated images, we compute the IoU for each concept. Importantly, the IoU which evaluates the quality of the segmentation of a unit is an objective confidence score for interpretability that is comparable across networks, enabling us to compare interpretability of different representations and so lays the basis for the experiments below.” [pg. 3, left col, bottom para]).
Xiao, Zhou, and Wang are all in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. Wang discloses a method to detect adversarial samples for deep neural networks. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the sensitivity measurement disclosed by Xiao and the additional promotional and suppression ratio taught by Wang with the interpretability scores of Zhou. One would have motivated to make this combination in order to add an additional sensitivity measurement to include interpretability as another method of measuring the model’s robustness towards adversarial attacks. 

Regarding claim 12, the combination of Xiao and Zhou teaches The computer program product of claim 11, where Zhou further teaches wherein the different classifications of perturbation sensitivities graphically represented by the sensitivity overlay (“Figure 2 summarizes the whole process of scoring unit interpretability: By segmenting the annotation mask using the receptive field of units for the top activated images, we compute the IoU for each concept. Importantly, the IoU which evaluates the quality of the segmentation of a unit is an objective confidence score for interpretability that is comparable across networks, enabling us to compare interpretability of different representations and so lays the basis for the experiments below.” [pg. 3, left col, bottom para; Figure 2 discloses segmented annotations (i.e. areas in the images) which graphically shows different classifications of perturbations.])
However the combination fails to explicitly teach comprises a first classification indicating promotion dominated perturbations which promote an output of the computer model corresponding to a target output of the adversarial attack input dataset, and a second classification indicating suppression dominated perturbations which suppress the output of the computer model corresponding to a true output of the natural input dataset.
Wang teaches comprises a first classification indicating promotion dominated perturbations which promote an output of the computer model corresponding to a target output of the adversarial attack input dataset, and a second classification indicating suppression dominated perturbations which suppress the output of the computer model corresponding to a true output of the natural input dataset (“The basic idea of our algorithm is to use acceptance sampling to test the hypothesis that κ(x) > µ · κ1 with strength α, β and σ, where µ is a hyper parameter, α, β, and σ are the parameters controlling the strength and indifference region of the test. Recall that κ(x) is the measured sensitivity of sample x. The detailed algorithm is shown in Algorithm 1. There are two possible outcomes. If the hypothesis is accepted, it means that the sample has a higher sensitivity than a normal sample. Thus, we report that the input x is an adversarial sample with error bounded by β. If the hypothesis is rejected, we report that the input is a normal sample with error bounded by α.” [pg. 5, § The algorithm, ¶1-2; Examiner is interpreting a first classification to be when the hypothesis is accepted and a second classification to be when the hypothesis is rejected. Examiner also interprets promotion dominated perturbations to be equivalent to κ(x) > µ · κ1. (i.e. when confidence score determines an adversarial input) and a suppression dominated perturbations to be equivalent to κ(x) ≤ µ · κ1 (i.e. when confidence score determines a normal input]).
Xiao, Zhou, and Wang are all in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. Wang discloses a method to detect adversarial samples for deep neural networks. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the sensitivity measurement and classification activation map disclosed by Xiao and the annotation mask taught by Zhou with the promotion and suppression perturbations of Wang. One would have been motivated to make this modification in order to graphically display the classified output corresponding to either an attack dataset or natural dataset based off the induced perturbations.

Regarding claim 17, the combination of Xiao and Zhou teaches The computer program product of claim 11, however fails to explicitly teach wherein determining at least one sensitivity measure of the computer model to perturbations in the adversarial attack input dataset comprises generating a promotion-suppression ratio (PSR) for each perturbation in the adversarial attack input dataset, and wherein the PSR is a measure of the promotion effects and suppression effects of a corresponding perturbation on misclassification of the computer model.
Wang teaches wherein determining at least one sensitivity measure of the computer model to perturbations in the adversarial attack input dataset comprises generating a promotion-suppression ratio (PSR) for each perturbation in the adversarial attack input dataset (“Secondly, as we increase the StepSize for generating mutations, both                         
                            
                                
                                     
                                    κ
                                
                                
                                    n
                                    o
                                    r
                                
                            
                        
                     and                         
                            
                                
                                     
                                    κ
                                
                                
                                    a
                                    d
                                    v
                                
                            
                        
                     increase (expectedly) and the relative distance between                          
                            
                                
                                     
                                    κ
                                
                                
                                    n
                                    o
                                    r
                                
                            
                        
                     and                         
                            
                                
                                     
                                    κ
                                
                                
                                    a
                                    d
                                    v
                                
                            
                             
                        
                    reduces. In the following, we measure the relative distance between                         
                            
                                
                                     
                                    κ
                                
                                
                                    n
                                    o
                                    r
                                
                            
                        
                     and                         
                            
                                
                                     
                                    κ
                                
                                
                                    a
                                    d
                                    v
                                
                            
                        
                    using their ratio                         
                            
                                
                                    
                                        
                                             
                                            κ
                                        
                                        
                                            a
                                            d
                                            v
                                        
                                    
                                
                                
                                    
                                        
                                             
                                            κ
                                        
                                        
                                            n
                                            o
                                            r
                                        
                                    
                                
                            
                        
                    .”[pg. 6, § Hypothesis evaluation, ¶3; Examiner is interpreting the ratio of                         
                            
                                
                                    
                                        
                                             
                                            κ
                                        
                                        
                                            a
                                            d
                                            v
                                        
                                    
                                
                                
                                    
                                        
                                             
                                            κ
                                        
                                        
                                            n
                                            o
                                            r
                                        
                                    
                                
                            
                        
                      to be equivalent to a promotion-suppression ratio.]), and wherein the PSR is a measure of the promotion effects and suppression effects of a corresponding perturbation on misclassification of the computer model (“The last column of Table 1 shows the average κ(x) value of the randomly selected wrongly-labeled samples. We can observe that the sensibility of these wrongly-labeled samples to random perturbations are comparable to those generated by four kinds of attacks, which are significantly larger than the sensibility of normal samples. We also run our algorithm against these wrongly-labeled samples (WL) and report our detection result in Table 2. We can observe that our algorithm is able to detect these wrongly-labeled samples effectively and efficiently similar to detecting the adversarial samples. This suggests that wrongly-labeled samples are the same as the adversarial samples in our explanatory model from a statistical point of view.” [pg. 7, § Adversarial sample detection, ¶5]).
Xiao, Zhou, and Wang are all in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. Wang discloses a method to detect adversarial samples for deep neural networks. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the sensitivity measurement disclosed by Xiao and the annotation mask taught by Zhou with promotion and suppression ratio of Wang. One would have been motivated to modify the sensitivity measurements disclosed by Xiao in order to include an additional sensitivity measurement such as a ratio of promotion and suppression effects taught by Wang in order to prevent the model from misclassifying data and improve the robustness of the model. 

Regarding claim 18, the combination of Xiao, Zhou, and Wang teaches The computer program product of claim 17, where Zhou further teaches wherein determining at least one sensitivity measure of the computer model further comprises generating an interpretability score to quantify interpretability of adversarial perturbations (“Figure 2 summarizes the whole process of scoring unit interpretability: By segmenting the annotation mask using the receptive field of units for the top activated images, we compute the IoU for each concept. Importantly, the IoU which evaluates the quality of the segmentation of a unit is an objective confidence score for interpretability that is comparable across networks, enabling us to compare interpretability of different representations and so lays the basis for the experiments below.” [pg. 3, left col, bottom para]).
Xiao, Zhou, and Wang are all in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. Wang discloses a method to detect adversarial samples for deep neural networks. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the sensitivity measurement disclosed by Xiao and the additional promotional and suppression ratio taught by Wang with the interpretability scores of Zhou. One would have motivated to make this combination in order to add an additional sensitivity measurement to include interpretability as another method of measuring the model’s robustness towards adversarial attacks.

Claims 3-5, 10, and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Xiao in view of Zhou and further in view of Papernot et al. ("Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks", cited by Applicant in the IDS filed 06/02/2020, hereinafter "Papernot").

Regarding claim 3, the combination of Xiao and Zhou teaches The method of claim 1, however the combination fails to explicitly teach further comprising:
 modifying, by an expanded training dataset generation engine, a training dataset for training the computer model based on the generated sensitivity overlay, to generate an expanded training dataset; and 
outputting the expanded training dataset to a computing model training system that trains the computer model based on the expanded training dataset.
Papernot teaches modifying, by an expanded training dataset generation engine, a training dataset for training the computer model based on the generated sensitivity overlay, to generate an expanded training dataset; and 
outputting the expanded training dataset to a computing model training system that trains the computer model based on the expanded training dataset. (“
    PNG
    media_image3.png
    242
    705
    media_image3.png
    Greyscale
”, [pg. 4, Fig. 3; Fig. 3 discloses the input image going through the sensitivity estimation block and an expanded dataset would generated based off the input image going through that process. Outputting the expanded training dataset and feeding it back into the algorithm would be equivalent to training the model based on the expanded training dataset.])
Xiao, Zhou, and Papernot are all in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. Papernot discloses a defense distillation method to defend against adversarial perturbations. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the classification activation map disclosed by Xiao and the annotation mask taught by Zhou with the defense distillation algorithm as taught by Papernot. One would have been motivated to use defense distillation in order to improve the DNN’s robustness towards adversarial attacks. [pg. 7, § B. Distillation as a Defense, Papernot]

Regarding claim 4, the combination of Xiao, Zhou, and Papernot teaches The method of claim 3, where Papernot further teaches wherein modifying the training data set comprises: 
generating, by the expanded training dataset generation engine (Papernot discloses use of machines equipped with GPUs, [pg. 11, § Architecture Characteristics, ¶4]), at least one adversarial version of one or more natural input datasets in the training dataset by introducing one or more perturbations into the natural input dataset in one or more areas identified in the sensitivity overlay as having a specified classification of perturbation sensitivity; and adding, by the expanded training dataset generation engine, the at least one adversarial version of the one or more natural input datasets to the training dataset to generate the expanded training dataset (“Step (1) evaluates the sensitivity of model F at the input point corresponding to sample X. Step (2) uses this knowledge to select a perturbation affecting sample X’s classification.” [pg. 4, Fig. 3; note: X ← X + δX, X would be the natural input dataset and δX corresponds to introducing perturbations into the natural dataset. X* in Fig. 3 would correspond to an adversarial sample. Additionally, see Fig. 4 and associated description, X and X* are shown in Fig. 4 to be used in a larger training dataset. (i.e. expanded dataset)]).
Xiao, Zhou, and Papernot are all in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. Papernot discloses a defense distillation method to defend against adversarial perturbations. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the classification activation map disclosed by Xiao and the annotation mask taught by Zhou with the defense distillation algorithm as taught by Papernot. One would have been motivated to use defense distillation in order to improve the DNN’s robustness towards adversarial attacks. [pg. 7, § B. Distillation as a Defense, Papernot]

Regarding claim 5, the combination of Xiao, Zhou, and Papernot teaches The method of claim 3, where Papernot further teaches further comprising: executing, by the computing model training system, a machine learning operation on the computer model based on the expanded training dataset to train the computer model to be hardened against adversarial attacks (“We now introduce defensive distillation, which is the technique we propose as a defense for DNNs used in adversarial settings, when adversarial samples cannot be permitted. Defensive distillation is adapted from the distillation procedure, presented in section II, to suit our goal of improving DNN classification resilience in the face of adversarial perturbations.” [pg. 7, § B. Distillation as a Defense]).  
Xiao, Zhou, and Papernot are all in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. Papernot discloses a defense distillation method to defend against adversarial perturbations. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the classification activation map disclosed by Xiao and the annotation mask taught by Zhou with the defense distillation algorithm as taught by Papernot. One would have been motivated to use defense distillation in order to improve the DNN’s robustness towards adversarial attacks. [pg. 7, § B. Distillation as a Defense, Papernot]

Regarding claim 10, the combination of Xiao, Zhou, and Papernot teaches The method of claim 5, wherein generating the at least one adversarial version of one or more natural input datasets in the training dataset, adding the at least one adversarial version of the one or more natural input datasets to the training dataset to generate the expanded training dataset (“Step (1) evaluates the sensitivity of model F at the input point corresponding to sample X. Step (2) uses this knowledge to select a perturbation affecting sample X’s classification.” [pg. 4, Fig. 3; note: X ← X + δX, X would be the natural input dataset and δX corresponds to introducing perturbations into the natural dataset. X* in Fig. 3 would correspond to an adversarial sample. Additionally, see Fig. 4 and associated description, X and X* are shown in Fig. 4 to be used in a larger training dataset. (i.e expanded dataset)]), and executing the machine learning operation on the computer model based on the expanded training dataset are performed automatically (“Fig. 3: Adversarial crafting framework: Existing algorithms for adversarial sample crafting are a succession of two steps: (1) direction sensitivity estimation and (2) perturbation selection. Step (1) evaluates the sensitivity of model F at the input point corresponding to sample X. Step (2) uses this knowledge to select a perturbation affecting sample X’s classification. If the resulting sample X +δX is misclassified by model F in the adversarial target class (here 4) instead of the original class (here 1), an adversarial sample X* has been found. If not, the steps can be repeated on updated input X ← X + δX.” [pg. 4, Fig. 3; algorithm is performing the machine learning operation which would be done automatically.])
Xiao, Zhou, and Papernot are all in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. Papernot discloses a defense distillation method to defend against adversarial perturbations. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the classification activation map disclosed by Xiao and the annotation mask taught by Zhou with the defense distillation algorithm as taught by Papernot. One would have been motivated to use defense distillation in order to improve the DNN’s robustness towards adversarial attacks. [pg. 7, § B. Distillation as a Defense, Papernot]

Regarding claim 13, the combination of Xiao and Zhou teaches The computer program product of claim 11, wherein the computer readable program further causes the APAS visualization system to: however the combination fails to explicitly teach modify, by an expanded training dataset generation engine, a training dataset for training the computer model based on the generated sensitivity overlay, to generate an expanded training dataset; and 
output the expanded training dataset to a computing model training system that trains the computer model based on the expanded training dataset.
Papernot teaches modify, by an expanded training dataset generation engine (Papernot discloses use of machines equipped with GPUs, [pg. 11, § Architecture Characteristics, ¶4]), a training dataset for training the computer model based on the generated sensitivity overlay, to generate an expanded training dataset; and 
output the expanded training dataset to a computing model training system that trains the computer model based on the expanded training dataset. (“
    PNG
    media_image3.png
    242
    705
    media_image3.png
    Greyscale
”, [pg. 4, Fig. 3; Fig. 3 discloses the input image going through the sensitivity estimation block and an expanded dataset would generated based off the input image going through that process. Outputting the expanded training dataset and feeding it back into the algorithm would be equivalent to training the model based on the expanded training dataset.])
Xiao, Zhou, and Papernot are all in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. Papernot discloses a defense distillation method to defend against adversarial perturbations. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the classification activation map disclosed by Xiao and the annotation mask taught by Zhou with the defense distillation algorithm as taught by Papernot. One would have been motivated to use defense distillation in order to improve the DNN’s robustness towards adversarial attacks. [pg. 7, § B. Distillation as a Defense, Papernot]

Regarding claim 14, the combination of Xiao, Zhou, and Papernot teaches The computer program product of claim 13, wherein the computer readable program further causes the APAS visualization system to modify the training data set at least by: where Papernot further teaches 
generating, by the expanded training dataset generation engine (Papernot discloses use of machines equipped with GPUs, [pg. 11, § Architecture Characteristics, ¶4]), at least one adversarial version of one or more natural input datasets in the training dataset by introducing one or more perturbations into the natural input dataset in one or more areas identified in the sensitivity overlay as having a specified classification of perturbation sensitivity; and adding, by the expanded training dataset generation engine, the at least one adversarial version of the one or more natural input datasets to the training dataset to generate the expanded training dataset (“Step (1) evaluates the sensitivity of model F at the input point corresponding to sample X. Step (2) uses this knowledge to select a perturbation affecting sample X’s classification.” [pg. 4, Fig. 3; note: X ← X + δX, X would be the natural input dataset and δX corresponds to introducing perturbations into the natural dataset. X* in Fig. 3 would correspond to an adversarial sample. Additionally, see Fig. 4 and associated description, X and X* are shown in Fig. 4 to be used in a larger training dataset. (i.e. expanded dataset)]).
Xiao, Zhou, and Papernot are all in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. Papernot discloses a defense distillation method to defend against adversarial perturbations. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the classification activation map disclosed by Xiao and the annotation mask taught by Zhou with the defense distillation algorithm as taught by Papernot. One would have been motivated to use defense distillation in order to improve the DNN’s robustness towards adversarial attacks. [pg. 7, § B. Distillation as a Defense, Papernot]

Regarding claim 15, the combination of Xiao, Zhou, and Papernot teaches The computer program product of claim 13, wherein the computer readable program further causes the APAS visualization system to: where Papernot further teaches execute, by the computing model training system, a machine learning operation on the computer model based on the expanded training dataset to train the computer model to be hardened against adversarial attacks (“We now introduce defensive distillation, which is the technique we propose as a defense for DNNs used in adversarial settings, when adversarial samples cannot be permitted. Defensive distillation is adapted from the distillation procedure, presented in section II, to suit our goal of improving DNN classification resilience in the face of adversarial perturbations.” [pg. 7, § B. Distillation as a Defense]).  
Xiao, Zhou, and Papernot are all in the same field of endeavor of adversarial learning and thus are analogous. Xiao discloses a method of generating perturbations using spatial transformations. Zhou discloses a method of quantifying the interpretability of images. Papernot discloses a defense distillation method to defend against adversarial perturbations. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the classification activation map disclosed by Xiao and the annotation mask taught by Zhou with the defense distillation algorithm as taught by Papernot. One would have been motivated to use defense distillation in order to improve the DNN’s robustness towards adversarial attacks. [pg. 7, § B. Distillation as a Defense, Papernot]

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Fong et al. ("Interpretable Explanations of Black Boxes by Meaningful Perturbation") discloses interpretable explanations on perturbed images.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL H HOANG whose telephone number is (571)272-8491.  The examiner can normally be reached on Mon-Fri 8:30AM-4:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kakali Chaki can be reached on (571) 272-3719.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.H.H./Examiner, Art Unit 2122                                                                                                                                                                                                        




/KAKALI CHAKI/           Supervisory Patent Examiner, Art Unit 2122