DETAILED ACTION
This office action is in response amendments received on 1 November 2021 for application 16/779285, filed 31 January 2020. It is again noted that an English translation of the certified copy of the Chinese application (CN201910583556) to which the instant application claims priority is not currently on file. Currently claims 21-40 are pending. Claims 1-20 have been canceled. Claim objections and rejections under 35 USC 112(a) have been withdrawn in light of the amendments.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments filed 1 November 2021 have been fully considered but they are not persuasive. 

Specifically the Applicants Argue:
The Applicant submits that the introduction of these new features merits further search and/or consideration. Withdrawal of all rejections, reconsideration and further examination are requested. The Applicant has made an earnest attempt to place this case in condition for allowance. The absence of a reply to a specific rejection, issue, or comment does not signify agreement with or concession of that rejection, issue, or comment. Because the arguments made above may not be exhaustive, there may be reasons for patentability of any or all pending claims 

Examiner’s Response:
	The Examiner appreciates the clarifications of the claims as expressed in the new set of claims and concurs that the new set merits further search and consideration. However, as set forth in the current office action, the Examines maintains that the claims, even with the new elements and clarifications, are taught by Wu, Neurukar, and Frichmann.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 21-23, 25-30, 32-37, 39, and 40 are rejected under are rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (“Privately Evaluating Decision Trees and Random Forests”, Proceedings on Privacy Enhancing Technologies, 2016(4), pp. 335-355), hereinafter referred to as Wu, in view of Nerurkar et al. (US2019/0026489, published 24 January 2019), hereinafter referred to as Nerurkar.

In regard to claim 21, Wu teaches A computer-implemented method comprising: transmitting, by a computing device of a data owner of service data, and to a model owner of a model that is kept secret from the data owner, a data type associated with the service data of the data owner, wherein the data owner keeps the service data itself secret from the model owner just as the model owner keeps the model itself secret from the data owner;  ([Abstract, p. 339, Section 3.1, Figure 1, p. 353, Section A] We operate in the standard two-party setting where the server holds a model (either a tree or a forest), and the client holds an input (a feature vector). At the conclusion of the protocol, the client learns only the model’s output on its input and a few generic parameters concerning the model; the server learns nothing.,  The client’s private data consists of a feature vector x = (x1, . . . , xn) ∈ Z n, where xi ≥ 0 for all i. Let t be the bit-length of each entry in the feature vector., – Client input: A feature vector x ∈ Z n p where each xi is at most t bits. Let xi,j denote the j th bit of x. ….1. Client: For each i ∈ [n] and j ∈ [t], compute and send Encpk (xi,j ) to the server., In practice, feature vectors might contain categorical variables in addition to numeric variables…. For instance, if xi is a categorical variable that can take on values from a set S = {s1, . . . , sn}, then a branching criterion is more naturally phrased in the form 1 {xi ∈ S 0} for some S 0 ⊆ S., wherein a client (data owner) has data in the form of a database of feature vectors x (service data) such that any vector of that set of feature vectors is a portion of the service data and such that any attribute of the service data may be considered a data type and, in addition, numerical and categorical attributes may be considered distinct types by virtue of numerical vs. categorical distinction but also by virtue of any other attribute characteristics within numerical or within categorical data variables and wherein this feature vector is transmitted to a model owner to initiate a protocol for evaluating a decision tree held by the model owner in which the model and the service data are kept secret at their respective locations from the respective participants in the protocol through various encryption schemes.) receiving, by the computing device of the data owner, (i) criteria that is associated with a particular burst node of a decision tree of the model, and (ii) data that is sufficient for the computing device of the data owner to reconstruct a topology of the decision tree of the model, wherein the particular burst mode is a burst node of the model that the model owner identified as having a data type that matches the transmitted data type of the service data of the data owner and is thus identified as being as associated with the service data of the data owner …, ([p. 338, Section 2.2, p. 340, Section 3.2, Figure 1, p. 349, Section 6, p. 353, Section A] We specify a path by a bit string b = b1 · · · bd ∈ {0, 1} d ,… . In specifying the path s, the decision string also specifies the index of the leaf node at the end of the path. We let φ : {0, 1} m → {0, . . . , m} be the function that maps a decision string s for a complete binary tree with m decision nodes onto the index of the corresponding leaf node in the path induced by s in T., The server homomorphically computes encryptions of r1z1, . . . , rtzt where r1, . . . , rt r←− Zp, and sends the ciphertexts back to the client in random order. To learn if x < y, the client checks whether any of the ciphertexts decrypt to 0., . Client … For each k ∈ [`], it sets b 0 k = 1 if there exists j ∈ [t] such that ct˜ k,j is an encryption of 0. Otherwise, it sets b 0 k = 0., To test whether x = y, the client sends Encpk(x) to the server…. The key observation is that r(x − y) is 0 if x = y, and otherwise, is uniform in Zp., wherein, in response to receiving cyphertexts from the model owner that encode the matching (or non-matching) of particular feature data attributes (data types) to a burst node in a decision tree, the data owner, after decrypting this information, determines if the data type/feature attribute matches a (burst) node by virtue of the decryption of one of the respective cyphyertexts to zero and uses this information over successive feature data attributes (data types) over the successive nodes in a tree to determine (again by the data owner) a path sequence of particular nodes in a decision tree that are matched (a decision string) beginning at an initial node of the tree and extending to a final burst node leading to a leaf node (in other words, the absence of a zero in the string is indicative of the matching of a sequence of nodes including any leaf nodes that may be at the end of the determined path/decision string which reconstructs a topology of the decision tree), wherein the determination of the matching at a single node by the data owner and the reconstruction of the decision path through that tree is based on criteria that is associated with a particular burst node of a decision tree of the model provided by the model owner in the form of the encrypted cyphertexts which encode the match (splitting criteria) and is based on sufficient data also provided by the model owner to reconstruct the topology by virtue of the protocol of determining this match over successive nodes in the decision tree).) and wherein the computing device of the data owner does not receive criteria that is associated with other burst nodes of the decision tree of the model that are associated with the service data of the model owner nor does the computing device of the data owner receive respective leaf values of any of the leaf nodes in the decision tree; ([Abstract, p. 340, Section 3.2, Figure 1, p. 353] At the conclusion of the protocol, the client learns only the model’s output on its input and a few generic parameters concerning the model; the server learns nothing,, The client and server engage in a comparison protocol for each decision node in T 0 . At the end of this phase, the client learns the result of each comparison in T 0 , and therefore, the decision string corresponding to its input in T 0 . 3. Using the decision string, the client determines the index i that contains its value zi = T (x). The client engages in an OT protocol with the server to obtain the value zi ., wherein, as shown in Figure 1, the model owner only sends responses indicative of splitting criteria satisfaction for those specific nodes (along the decision path) associated with the service data of the data owner (i.e., the service data of the model owner does not come into play but, in general, the parameters of the model, including any details of the model formed using, for example, the model owner’s data are not revealed to the data owner) is nonetheless not revealed in the course of the protocol and the model owner does not receive any particular values associated with the decision path (interpreted as being the final leaf/decision node in that path) but rather relies on oblivious transfer with the data owner at the end to determine that value (by the data owner). It is recommended, however, that this claim limitation be recited more positively with respect to the association between the service data of the model owner and the “other burst nodes”.)   reconstructing, by the computing device of the data owner, the topology of the decision tree of the model based on the received data; ([p. 340, Section 3.2, Figure 1, p. 353] The client and server engage in a comparison protocol for each decision node in T 0 . At the end of this phase, the client learns the result of each comparison in T 0 , and therefore, the decision string corresponding to its input in T 0 . 3. Using the decision string, the client determines the index i that contains its value zi = T (x). The client engages in an OT protocol with the server to obtain the value zi ., wherein, as shown in Figure 1, the model owner determines the decision path along the tree (which is a reconstruction of the decision tree topology) according to the information received from the model owner as previously noted (i.e., through the reception and decryption of sigma’ in step 5 of Figure 1).)  determining, by the computing device of the data owner and based on the reconstructed topology, that a particular leaf node of a prediction path that includes the particular burst node is capable of being reached based on comparing the service data of the data owner, which was kept secret from the model owner, to the criteria that is associated with the particular burst node of the decision tree of the model, which was received from the model owner; ([Figure 1] The server homomorphically computes Encpk(σ 0 ) (each bit is encrypted individually) and sends the result to the client. This computation only requires additive homomorphism because the server knows the plaintext values of bk and sk and has the encryptions of b 0 k for all k ∈ [`]. 5. Client and Server: The client decrypts the server’s message to obtain σ 0., wherein, based on the reception (from the model owner) and decryption of sigma’ (which reconstructs the topology based on the set of burst node matching decisions that form the sequence of the bks – corresponding to the comparison of the service data of the data owner with the criteria supplied by the model owner as indicated previously), the data owner has determined the decision path through the decision tree which includes the last burst node (as previously indicated) which is a determination that, since the last burst node has been reached and processed in the decision tree, that a leaf of the tree can be reached according to the last burst node in that decision path topology.)  in response to determining that the particular leaf node of the prediction path that includes the particular burst node is capable of being reached, selecting, by the computing device of the data owner, a first data selection value that is associated with selecting first data from a data pair generated by the model owner, the data selection value selected from among a first data selection value that is associated with selecting the first data from the data pair generated by the model owner and a second data selection value that is associated with selecting second data from the data pair generated by the model owner;([pp. 337-338, Section 2.2, p. 340, Section 3.2, Figure 1, p. 353] if vi is an internal node, let v2i be its left child and v2i+1 be its right child. For convenience, we also define a separate index from 0 to 2 d − 1 for the leaf nodes. Specifically, if vi is the parent of a leaf node, then we denote its left and right children by z2i−m−1 and z2i−m, where m is the number of internal nodes in T . With this indexing scheme, the leaves of the tree, when read from left-to-right, correspond with the ordering z0, . . . , z2 d−1 .Thus, we also refer to the path induced by a decision string s in T . In specifying the path s, the decision string also specifies the index of the leaf node at the end of the path. We let φ : {0, 1} m → {0, . . . , m} be the function that maps a decision string s for a complete binary tree with m decision nodes onto the index of the corresponding leaf node in the path induced by s in T ., The client and server engage in a comparison protocol for each decision node in T 0 . At the end of this phase, the client learns the result of each comparison in T 0 , and therefore, the decision string corresponding to its input in T 0 . 3. Using the decision string, the client determines the index i that contains its value zi = T (x). , The client decrypts the server’s message to obtain σ 0 and then computes the index i of the leaf node containing the response (the client computes i ← φ(σ 0 ), with φ(·) as defined in Section 2.2).wherein, based on the decryption of sigma’, the data owner computes an index (first data selection value) that is indicative that a particular leaf node in the decision tree has been reached but corresponds to one of the two potential leaf values (the data pair generated by the model owner) stemming from the last burst node even though this does not reveal to the data owner in itself either a leaf value or what specific leaf node was reached at the end of the decision tree (i.e., left or right since that information is held by the model owner and the decision tree itself has undergone a permutation that is encoded in the function phi) but, nonetheless, such that the selection of i determines which particular leaf value (first data) will be selected (with distinction relative to the alternative second data that would have corresponded to a second/alternative selection value).)and for the particular leaf node of the prediction path that includes the particular burst node, selecting, by the computing device of the data owner, the first data from the data pair generated by the model owner that is associated with the first data selection value that was selected by the computing device of the data owner.  ([Figure 1] In the OT protocol, the client supplies the index i and the server supplies the permuted leaf values z 0 0 , . . . , z0m of T 0 . The client outputs z˜ and the server outputs nothing., wherein, as part of the OT protocol, the model owner provides a set of permuted leaf values (interpreted as being a set of all leaf values in the decision tree including the first and second data associated with the final burst node along the decision path) from which the data owner selects the actual leaf value (first data) appropriately corresponding to the index i (and selected according to the OT protocol).)
However, Wu does not explicitly teach  … and not being associated with service data of the model owner. In other words, although Wu teaches that the association of the data owner service data (attributes, type) with a burst node, he does not teach that this indicates that the data is not associated with the service data of the model owner. In other words, Wu does not teach that the model owner has service data that is to be kept private from the data owner.     
However, Nerurkar, in the analogous art of designing and implementing decision trees with privacy protection, teaches wherein the particular burst mode is a burst node of the model that the model owner identified as having a data type that matches the transmitted data type of the service data of the data owner and is thus identified as being as associated with the service data of the data owner and not being associated with service data of the model owner,.   ([0041, 0067, 0068, 0130, 0161, 0165, 0170, 0171, 0172, Figure 1, Figure 2, Figure 7A, Figure 7B, Figure 13], Such models may be retained and executed within the differentially private security system 102 . For example , an analyst can issue an analytical query 108 that causes the differentially private security system 102 to interact with the restricted data in the database 106 to build the machine learned models . The differentially private security system 102 can then store the models within the system or an associated system . The analyst can use a new analytical query 108 or another interface to the system 102 to apply the data describing the new entity to the models . The differentially private security system 102 can execute the new data on the stored models and output the classification of the entity as a DP response 112 ., The database integrator 158 receives the access commands to one or more databases 106 , collects the required databases, and merges them into a single data object . The data object has a structure similar to that of a database structure described in reference to FIG . 2 . The data object is provided to the privacy system 160 ., The privacy system 160 receives the data object from the database integrator 158, appropriate function calls from the query handling engine 156 indicating the type of query 108 submitted by the client 104 , and privacy parameters specified for the query 108., As discussed in reference to the random forest engine 316 , classification models in general is trained on training data ( Xtrain, Ytrain) to learn the correlation between selected features of an entry and the category the entry belongs to . The training data ( Xtraino Y train ) may be extracted from a subset of entries contained in the data object X . Upon being trained, the classifier is able to receive a new data entry containing values for the selected features and generate an estimate of the category for the new entry., Alternatively , an entry classified using the random forest classifier 1300 produces a probability that the entry is one or more classification options based on the counts at each leaf node reached by the entry . For example , if the entry reaches leaf nodes b2 , bg, and b , as illustrated in FIG . 13 , the entry ' s classification can depend upon the relative count of each classification option at each of those three leaf nodes and at the other leaf nodes associated with the same splits , leaf nodes b? , b7 , and bio ., The graph of FIG . 14A also illustrates the utility gain threshold 1405 . This threshold 1405 is the amount of information gain at or below which a split with such an information gain is considered to be unusable for decision tree construction .,This potential leakage of information is undesirable , par ticularly when the training data includes restricted data . As a result , use of databases to support analytical queries on restricted data in order to ascertain whether an entry has a particular condition , and particularly queries that involve construction and use of machine learned models such as random forest classifiers , is impeded .This issue is overcome by using a differentially private mechanism to select the splits for the nodes of the binary decision trees forming the random forest classifier . Rather than selecting the splits in descending order of information gain , an exponential mechanism uses the infor mation gain of each split as a score for the quality function for that split . The splits for a binary decision tree are then selected responsive to evaluation of the exponential mechanism using the splits ' respective scores .,The exponential mechanism maps a set of n inputs from domain D to a range R . The mapping may be randomized , in which case each element of the domain D corresponds to the probability distribution over the range R. The mechanism selects a result r from the range R biased by the quality function . The quality function thus represents the quality of the result r . The quality function selects the result r based in part on the privacy parameter € , which enforces ( 8 , 8 ) - differentially privacy on the selections., wherein a model owner (Differential Private Security System) possesses a data object obtained from a database which is service data not held by the model owner but not by the data owner (client) who is making a query (i.e., providing a new data entry to be processed by a model held by the Differential Private Security System) and used by the model owner to (at least partly) train and test a model such that the resultant model is predictive not only of the service data held by the data owner (i.e., the determination of a prediction result by processing a new data entry through the burst nodes of a random forest model identified in the protocol by the data owner) but also predictive of the service data held by the model owner and not held by the data owner while preventing any revelation of the association of the service data of the model owner with the splitting criteria, burst node decisions, and the topology of the decision tree; in other words, in response to a query by the client to create this model (and then later process service data owned by the client), the model owner uses this private data to determine the splitting criteria at the burst nodes with the differentially private exponential mechanism for selecting the splits to prevent any leakage of that data which is being interpreted as meaning that in the process of identifying the responses at each burst node, the data owner cannot associate the splitting criteria or the responses with service data of the model owner that is intended to remain private so that for any burst node that is associated with the service data of the model instead of the service data of the data owner, the protocol that reveals a satisfaction of criteria at a given burst node does not associate that result with the service data of the model owner.) 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Wu to incorporate the teachings of Nerurkar to use service data not held by the data owner in the determination of a secure decision tree classification through evaluations of data owner service data at each burst node such that the particular burst mode is a burst node of the model that the model owner identified as having a data type that matches the transmitted data type of the service data of the data owner and is thus identified as being as associated with the service data of the data owner and not being associated with service data of the model owner. The modification would have been obvious because one of ordinary skill would have been motivated to protect sensitive data used to develop and implement decision tree models by enabling the model owner/developer to have controlled access to that sensitive data using differential privacy technology for training, testing, and implementing the decision tree classification models (Nerurkar, [0007, 0008, 0009, 0014]).

In regard to claim 22, the rejection of claim 21 is incorporated and Wu further teaches wherein, by selecting the first data from the data pair, the first computing device of the data owner performs oblivious transfer of the first data with the model owner. ([Figure 1] In the OT protocol, the client supplies the index i and the server supplies the permuted leaf values z 0 0 , . . . , z0m of T 0 . The client outputs z˜ and the server outputs nothing., wherein, as part of the OT protocol, the model owner provides a set of permuted leaf values (interpreted as being a set of all leaf values in the decision tree including the first and second data associated with the final burst node along the decision path) from which the data owner selects the actual leaf value (first data) appropriately corresponding to the index i (and selected according to the OT protocol).)
 It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Wu to incorporate the teachings of Nerurkar, for the same reasons as pointed out for claim 21.

In regard to claim 23, the rejection of claim 21 is incorporated and Wu further teaches  wherein the first data from the data pair is a first prediction result.  ([pp. 337-338, Section 2.2, p. 340, Section 3.2, Figure 1, p. 353] With this indexing scheme, the leaves of the tree, when read from left-to-right, correspond with the ordering z0, . . . , z2 d−1 .Thus, we also refer to the path induced by a decision string s in T . In specifying the path s, the decision string also specifies the index of the leaf node at the end of the path. We let φ : {0, 1} m → {0, . . . , m} be the function that maps a decision string s for a complete binary tree with m decision nodes onto the index of the corresponding leaf node in the path induced by s in T ., 3. Using the decision string, the client determines the index i that contains its value zi = T (x). ,.wherein, the data owner determines an index (first data selection value) that is indicative that a particular leaf node in the decision tree has been reached but corresponds to one of the two potential leaf values (the data pair generated by the model owner) stemming from the last burst node which form the output/predicted decision tree result.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Wu to incorporate the teachings of Nerurkar, for the same reasons as pointed out for claim 21.

In regard to claim 25, the rejection of claim 21 is incorporated and Wu further teaches wherein the first data is summed with other prediction results to generate a classification result.  ([p. 352, Section A] In the case where the output of the random forest is the average (or any affine function) of the individual classifications, we can do better by using additive secret sharing. Specifically, suppose that the value of each leaf of Ti (for all i) is an element of Zp. Then, at the beginning of the protocol, the server chooses blinding values r1, . . . , rn r←− Zp. For each tree Ti , the server blinds each of its leaf values v ∈ Zp by computing v ← v + ri . Since ri is uniform over Zp, v is now uniformly random over Zp. The protocol execution proceeds as before, except that the server also sends the client the value r ← P i∈[n] ri . At the conclusion of the protocol, the client learns the values {vi + ri}i∈[n] where vi = Ti(x). In order to compute the mean of v1, . . . , vn, the client computes the sum P i∈[n] (vi + ri) − r = P i∈[n] vi which is sufficient for computing the mean provided the client knows the number of trees in the forest., wherein, in order to compute the total (mean) result over the set of trees in the random forest, the data owner determines the result for each tree as indicated above (but with an attached random number) and then performs a sum at the end to evaluate the final ensemble result.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Wu to incorporate the teachings of Nerurkar, for the same reasons as pointed out for claim 21.

In regard to claim 26, the rejection of claim 21 is incorporated and Wu further teaches wherein the data that is received by the computing device of the data owner that is sufficient for the computing device of the data owner to reconstruct the topology comprises a location of the burst node within the decision tree of the model.  ([p. 340, Section 3.2, Figure 1] The client and server engage in a comparison protocol for each decision node in T 0 . At the end of this phase, the client learns the result of each comparison in T 0 , and therefore, the decision string corresponding to its input in T 0 . 3. Using the decision string, the client determines the index i that contains its value zi = T (x). The client engages in an OT protocol with the server to obtain the value zi ., wherein, as shown in Figure 1, the model owner determines the decision path along the tree (which is a reconstruction of the decision tree topology) according to the information received from the model owner as previously noted (i.e., through the reception and decryption of sigma’ in step 5 of Figure 1) in which each successive component of this decision string corresponds to a corresponding succession of layers in the decision tree.)  
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Wu to incorporate the teachings of Nerurkar, for the same reasons as pointed out for claim 21.

In regard to claim 27, the rejection of claim 21 is incorporated and Wu further teaches wherein, by selecting the first data from the data pair, the computing device of the data owner is able to obtain a prediction result of the decision tree without having access to the decision tree or to the service data of the model owner that is associated with the other burst nodes of the decision tree.  ([Abstract, p. 339, Section 3.1, Figure 1, p. 353, Section A] We operate in the standard two-party setting where the server holds a model (either a tree or a forest), and the client holds an input (a feature vector). At the conclusion of the protocol, the client learns only the model’s output on its input and a few generic parameters concerning the model; the server learns nothing., ([p. 338, Section 2.2, Figure 1] We specify a path by a bit string b = b1 · · · bd ∈ {0, 1} d ,… . In specifying the path s, the decision string also specifies the index of the leaf node at the end of the path. We let φ : {0, 1} m → {0, . . . , m} be the function that maps a decision string s for a complete binary tree with m decision nodes onto the index of the corresponding leaf node in the path induced by s in T., wherein, as previously pointed out, the data owner determines a decision path through the decision tree by evaluating the correspondence between each node and the feature data (attributes/type) of the data owner such that this process is based only on the service data of the data owner (i.e., the service data of the model owner does not come into play).)
However, Wu does not explicitly teach  … that is associated with the other burst nodes of the decision tree,. In other words, although Wu teaches that the association of the data owner service data (attributes, type) with a burst node, he does not teach that this indicates that the data is not associated with the service data of the model owner. In other words, Wu does not teach that the model owner has service data that is to be kept private from the data owner.  particular burst model service data/feature vector of the client/data owner is predicted through the association of the of that feature vector with learned features of a given decision tree (i.e., the determination that a given set of features is predicted through the splitting logic of the decision tree to generate the path through the tree to a leaf node) and although Wu discloses the use of real datasets (service data) to train the decision tree, he does not explicitly disclose that the client/data owner may not hold all of the data or that data not owned by the data owner is also predicted by the decision tree framework.   
However, Nerurkar, in the analogous art of designing and implementing decision trees with privacy protection, teaches wherein, by selecting the first data from the data pair, the computing device of the data owner is able to obtain a prediction result of the decision tree without having access to the decision tree or to the service data of the model owner that is associated with the other burst nodes of the decision tree,.   ([0041, 0067, 0068, 0130, 0161, 0165, 0170, 0171, 0172, Figure 1, Figure 2, Figure 7A, Figure 7B, Figure 13], Such models may be retained and executed within the differentially private security system 102 . For example , an analyst can issue an analytical query 108 that causes the differentially private security system 102 to interact with the restricted data in the database 106 to build the machine learned models . The differentially private security system 102 can then store the models within the system or an associated system . The analyst can use a new analytical query 108 or another interface to the system 102 to apply the data describing the new entity to the models . The differentially private security system 102 can execute the new data on the stored models and output the classification of the entity as a DP response 112 ., The database integrator 158 receives the access commands to one or more databases 106 , collects the required databases, and merges them into a single data object . The data object has a structure similar to that of a database structure described in reference to FIG . 2 . The data object is provided to the privacy system 160 ., The privacy system 160 receives the data object from the database integrator 158, appropriate function calls from the query handling engine 156 indicating the type of query 108 submitted by the client 104 , and privacy parameters specified for the query 108., As discussed in reference to the random forest engine 316 , classification models in general is trained on training data ( Xtrain, Ytrain) to learn the correlation between selected features of an entry and the category the entry belongs to . The training data ( Xtraino Y train ) may be extracted from a subset of entries contained in the data object X . Upon being trained, the classifier is able to receive a new data entry containing values for the selected features and generate an estimate of the category for the new entry., Alternatively , an entry classified using the random forest classifier 1300 produces a probability that the entry is one or more classification options based on the counts at each leaf node reached by the entry . For example , if the entry reaches leaf nodes b2 , bg, and b , as illustrated in FIG . 13 , the entry ' s classification can depend upon the relative count of each classification option at each of those three leaf nodes and at the other leaf nodes associated with the same splits , leaf nodes b? , b7 , and bio ., The graph of FIG . 14A also illustrates the utility gain threshold 1405 . This threshold 1405 is the amount of information gain at or below which a split with such an information gain is considered to be unusable for decision tree construction .,This potential leakage of information is undesirable , par ticularly when the training data includes restricted data . As a result , use of databases to support analytical queries on restricted data in order to ascertain whether an entry has a particular condition , and particularly queries that involve construction and use of machine learned models such as random forest classifiers , is impeded .This issue is overcome by using a differentially private mechanism to select the splits for the nodes of the binary decision trees forming the random forest classifier . Rather than selecting the splits in descending order of information gain , an exponential mechanism uses the infor mation gain of each split as a score for the quality function for that split . The splits for a binary decision tree are then selected responsive to evaluation of the exponential mecha nism using the splits ' respective scores .,The exponential mechanism maps a set of n inputs from domain D to a range R . The mapping may be randomized , in which case each element of the domain D corresponds to the probability distribution over the range R. The mechanism selects a result r from the range R biased by the quality function . The quality function thus represents the quality of the result r . The quality function selects the result r based in part on the privacy parameter € , which enforces ( 8 , 8 ) - differentially privacy on the selections., wherein a model owner (Differential Private Security System) possesses a data object obtained from a database which is service data not held by the model owner but not by the data owner (client) who is making a query (i.e., providing a new data entry to be processed by a model held by the Differential Private Security System) and used by the model owner to (at least partly) train and test a model such that the resultant model is predictive not only of the service data held by the data owner (i.e., the determination of a prediction result by processing a new data entry through the burst nodes of a random forest model identified in the protocol by the data owner) but also predictive of the service data held by the model owner and not held by the data owner while preventing any revelation of the association of the service data of the model owner with the splitting criteria, burst node decisions, and the topology of the decision tree, including the selection of the decision/output result at any leaf node; in other words, in response to a query by the client to create this model (and then later process service data owned by the client), the model owner uses this private data to determine the splitting criteria at the burst nodes with the differentially private exponential mechanism for selecting the splits to prevent any leakage of that data which is being interpreted as meaning that in the process of identifying the responses at each burst node leading up to and including the burst node prior to the leaf node, the data owner cannot associate the splitting criteria or the responses with service data of the model owner that is intended to remain private so that for any burst node that is associated with the service data of the model (i.e., any node based on data that is to remain private to the data owner) instead of the service data of the data owner, on which the leaf output is formed, the protocol that reveals a satisfaction of criteria at a given burst node and ultimately produces the output decision does not associate those results with the service data of the model owner.) 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Wu to incorporate the teachings of Nerurkar so that by selecting the first data from the data pair, the computing device of the data owner is able to obtain a prediction result of the decision tree without having access to the decision tree or to the service data of the model owner that is associated with the other burst nodes of the decision tree. The modification would have been obvious because one of ordinary skill would have been motivated to protect sensitive data used to develop and implement decision tree models by enabling the model owner/developer to have controlled access to that sensitive data using differential privacy technology for training, testing, and implementing the decision tree classification models (Nerurkar, [0007, 0008, 0009, 0014]).

Claim 28 is also rejected because it is just a system implementation of the same subject matter of claim 21 which can be found in Wu and Nerurkar. In addition, it is noted that claim 28 recites computer memory devices that are coupled with machine readable memory with instructions which can also be found in Wu ([p. 345, Section 6], Our implementation is written in C++…. We compile our code using g++ 4.8.2 on a machine running Ubuntu 14.04.1. In our experiments, we run the client-side code on a commodity laptop with a multicore 2.30 GHz Intel Core i7-4712HQ CPU and 16 GB of RAM. We run the server on a compute-optimized Amazon EC2 instance with a dual-core 2.60GHz Intel Xeon E5-2666 v3 processor and 3.75 GB of RAM.).

Claim 29/28 is also rejected because it is just a system implementation of the same subject matter of claim 22/21 which can be found in Wu and Nerurkar.

Claim 30/28 is also rejected because it is just a system implementation of the same subject matter of claim 23/21 which can be found in Wu and Nerurkar.

Claim 32/28 is also rejected because it is just a system implementation of the same subject matter of claim 25/21 which can be found in Wu and Nerurkar.

Claim 33/28 is also rejected because it is just a system implementation of the same subject matter of claim 26/21 which can be found in Wu and Nerurkar.

Claim 34/28 is also rejected because it is just a system implementation of the same subject matter of claim 27/21 which can be found in Wu and Nerurkar.

Claim 35 is also rejected because it is just a computer readable memory implementation of the same subject matter of claim 21 which can be found in Wu and Nerurkar. In addition, it is noted that claim 35 recites computer readable memory with instructions which can also be found in Wu ([p. 345, Section 6], Our implementation is written in C++…. We compile our code using g++ 4.8.2 on a machine running Ubuntu 14.04.1. In our experiments, we run the client-side code on a commodity laptop with a multicore 2.30 GHz Intel Core i7-4712HQ CPU and 16 GB of RAM. We run the server on a compute-optimized Amazon EC2 instance with a dual-core 2.60GHz Intel Xeon E5-2666 v3 processor and 3.75 GB of RAM.).

Claim 36/35 is also rejected because it is just a computer readable memory implementation of the same subject matter of claim 22/21 which can be found in Wu and Nerurkar.

Claim 37/35 is also rejected because it is just a computer readable memory implementation of the same subject matter of claim 23/21 which can be found in Wu and Nerurkar.

Claim 39/35 is also rejected because it is just a computer readable memory implementation of the same subject matter of claim 25/21 which can be found in Wu and Nerurkar.

Claim 40/35 is also rejected because it is just a computer readable memory implementation of the same subject matter of claim 26/21 which can be found in Wu and Nerurkar.
	
Claims 24, 31, and 38 are rejected under are rejected under 35 U.S.C. 103 as being unpatentable over Wu, in view of Nerurkar, and in further view of Fritchman et al. (“Privacy-Preserving Scoring of Tree Ensembles: A Novel Framework for AI in Healthcare”, 2018 IEEE International Conference on Big Data, 2018, pp. 2413-2422), hereinafter referred to as Fritchman.

In regard to claim 24, the rejection of claim 21 is incorporated and Wu and Nerurkar do not further teach wherein the first data from the data pair is included as a component of a vector that represents a classification result.  Wu does not clearly disclose that the outputs of the decision tree (leaf values) are vectors in which a selected first data is a component of a vector. Although Nerurkar discloses the perturbation of a classification result at each leaf node ([0121, Figure 5]) which comprises 2 values (a vector in a BRI sense), he does not clearly disclose how the data owner makes a selection to receive that information (or a component therein) according to the privacy-preserving protocol (except as a display on an interface). 
However, Fritchman, in the analogous art of designing privacy-preserving encryption frameworks for securely processing service data on random forest decision trees, teaches wherein the first data from the data pair is included as a component of a vector that represents a classification result ([pp. 2416-2417, Section IIIC , p. 2418, Section IIID, Figure 1, Figure 2, Figure 3] For privacy-preserving scoring with decision trees, we propose a novel protocol that improves the method proposed in [20]. In [20], Bob has an input feature vector x = (x1, . . . , xn) ∈ R n and Alice has a single decision tree used to classify Bob’s feature vector. At the end of the privacypreserving scoring protocol in [20], the inferred class label is opened to Bob. The case that we consider in this paper is more general: instead of a single decision tree, Alice has an ensemble of decision trees, that have each been trained to output probabilities associated with the class labels (as opposed to only the class labels themselves, as in [20])…. Let zi be the Boolean variable denoting the result of the comparison, i.e. zi = 1 if xH(i) ≥ wi , and zi = 0 otherwise. Each leaf node specifies a probability distribution over the k possible classes c1, . . . , ck. The classification algorithm for a stand-alone decision tree proceeds as follows: … Inspired by the ideas of Bost et al. [17], we perform inference with a decision tree D by evaluating a polynomial PD: {0, 1} 2 d−1 → {1, . . . , 2 d}. On input z = (z1, . . . , z2 d−1 ), PD gives the index of the selected leaf level. This polynomial is a sum of terms such that each term corresponds to one possible path in the tree. Given z, the term corresponding to the path taken by x in the tree evaluates to the inference result (i.e., the index of the leaf), while the remaining terms evaluate to zero., We assume that Alice has an ensemble of decision trees D1, D2, . . . , Dm, each with an associated confidence factor or weight α1, α2, . . . , αm, and Bob wants to classify his input x = (x1, . . . , xn) with this ensemble. For each tree Dj individually, the inference algorithm produces a class distribution vector [pDj (c1), pDj (c2), . . . , pDj (ck)] in which pDj (ci) is the probability that x belongs to class ci according to decision tree Dj . To obtain a final classification result, these intermediate results are aggregated as follows: c = arg k max i=1 Xm j=1 αj · pDj (ci) (1) i.e. the predicted label is that of the class with the highest weighted average of probabilities among the individual decision trees….First, for each tree Dj in the ensemble we use the protocol πDT for scoring x, obtaining as a result a secret sharing of the weighted probability vector, i.e. the probability vector multiplied by the weight αj of the tree Dj . After that, a secure bitwise addition protocol [38] is used to add these weighted vectors and obtain one accumulator for each of the possible categories (note that these accumulators are still kept as secret sharings)., wherein, a data owner (Bob), after securely comparing feature data and splitting criteria at each node in a succession of nodes that traverses a path in a decision tree (with that path parametrically represented by the polynomial sigma used to evaluate the leaf node), obtains/selects a first data from the pair of potential leaf outputs from the last burst node (after the while loop in figure 2 is complete) in which the securely computed output (securely selected first data) is a vector of class distribution results (Figure 1) such that any single dominant class result (e.g., c1 in the first leaf of figure 1) may be considered the selected first data that is a component of that vector (in general this does not exclude a scenario in which, for any or all of the leafs, this distribution consists at each leaf only of a single value of 1 and 2 values of 0) and wherein this process is repeated for each tree in the ensemble of decision trees.) 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Wu and Nerurkar to incorporate the teachings of Fritchman for the first data from the data pair is included as a component of a vector that represents a classification result. The modification would have been obvious because one of ordinary skill would have been motivated to achieve practical and efficient secure multi-party processing of service data in random forests while not sacrificing accuracy for the case in which the output of the each decision tree leaf is a vector distribution of class probabilities (Fritchman, [Abstract, p. 2421, Conclusion, Table 1]).

Claim 31/28 is also rejected because it is just a system implementation of the same subject matter of claim 24/21 which can be found in Wu,  Nerurkar, and Fritchman.

Claim 38/35 is also rejected because it is just a computer readable memory implementation of the same subject matter of claim 24/21 which can be found in Wu,  Nerurkar, and Fritchman.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Emekci et al. (“Privacy preserving decision tree learning over multiple parties”, Data and Knowledge Engineering 63, 2007, pp. 348-361) teach privacy-preserving decision tree training methods based on a plurality of data sets over a set of parties without revealing the data from one part to any other party. 
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT LEWIS KULP whose telephone number is (571)272-7983. The examiner can normally be reached M, Th, F 8-5:30; Tu 8-3.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Miranda Huang, can be reached on 571-270-7092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ROBERT LEWIS KULP/Examiner, Art Unit 2124                                                                                                                                                                                                        
/MIRANDA M HUANG/Supervisory Patent Examiner, Art Unit 2124