DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
Applicant’s response, filed 15 September 2021, to the last office action has been entered and made of record. 
In response to the amendments to the specification and claims, they are acknowledged, supported by the original disclosure, and no new matter is added.
In response to the amendments to the specification, the amended language has overcome the objections to the specification of the previous Office action, and the respective objections have been withdrawn.
In regard to Applicant’s remarks on p. 10 of Applicant’s reply, Examiner notes that Applicant clarifies that the recited “1. Embodiments of Generating Adversarial Labels” after paragraph [0053] and “2. Alternative Embodiments of Generating Adversarial Labels” after paragraph [0070] correspond to subsections “D.1.” and “D.2.”, respectively.
Amendments to the independent claims 1, 10, and 15 have necessitated an updated ground of rejection over the applied prior art. Please see below for the updated interpretations and rejections.

Response to Arguments
Applicant's arguments filed 15 September 2021 have been fully considered but they are not persuasive.
In response to Applicant’s arguments on p. 11-13 of Applicant’s reply, that the teachings of Jang fail to suggest or teach the amended independent claim subject matter of claims 1, 10, and 15 of “for each ground-truth label, generating a perturbed label based on the ground-truth label by altering the probability distribution in a probability simplex by performing steps comprising: decreasing a probability for the ground-truth class by a perturbation amount; and distributing the perturbation amount among the one or more non-ground-truth classes based on the gradient of a classification loss with respect to each non-ground-truth class” (claim 1), “replacing the ground-truth label by a targeted label with a selected non-ground truth class as the targeted class, which is a most confusing class having the minimum gradient of the classification loss among the one or more non-ground truth classes” (claim 10), and “generating, for each ground-truth label representation, a perturbed label representation based on the ground-truth label representation by altering the probability distribution for the ground truth label representation based on at least a gradient of a classification loss with respect to a non-ground-truth class” (claim 15), the Examiner respectfully disagrees.
Examiner notes the claims are treated with their broadest reasonable interpretations consistent with the specification. See MPEP 2111. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). Additionally, the test for obviousness is what the combined teachings of the references would have suggested to those of ordinary skill in the art. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981). Furthermore, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Ioffe is relied upon to teach a method for regularizing training data for a neural network by modifying the training data, where the label distribution associated with a training image is modified by a smoothing distribution where the modified target label distribution is generated distribution based on (see Ioffe [0062]-[0063]), and that the modified distribution determined from a weighted sum of the initial target and smoothing label distribution suggests decreasing the probability for a ground truth class by a predetermined amount and increasing non-ground truth scores by a predetermined amount (see Ioffe [0051]-[0052]; see also Ioffe [0058]).
As Ioffe suggests that one or more smoothing label distributions may be non-uniform and include one or more smoothing scores that are capable of being different from other smoothing scores in the smoothing label distributions, Ioffe suggests determining other perturbation amounts for modifying the training label distributions. One of ordinary skill in the art would thus look to relevant and pertinent arts for Ioffe’s suggested other perturbation amounts.
Jang teaches in a relevant and pertinent gradient-descent based algorithm for finding adversarial samples, the technique of determining a decrease amount in the belief probability based on the minimum of a function of a gradient of the probability of a sample belonging to a class, which corresponds to the minimal-norm solution to a gradient linear system function (see Jang sect. 3. Our Algorithm; see also Jang sect A.2 Generalizing the Solution of 3).
One of ordinary skill in the art would thus find it obvious that applying Jang’s known technique to the teachings of Ioffe, Szegedy, and Chang would allow for determining a decrease amount to probability values of a label distribution where the decrease amount is determined based on a gradient of the probability of a sample belonging to class “l”, and lead to improved modified adversarial label distributions.
Examiner notes that while Jang teaches determining a perturbation to the input samples, i.e. “d”, Jang further teaches determining a perturbation amount to the belief probability that an input i = pi – pi+1”, in determining a corresponding perturbation to the input samples (see Jang sect. 3. and Eq. (6)). The technique of Jang for determining an amount to modify the distribution probability based on a gradient of the probability of a sample belonging to a class is applied to the teachings of Ioffe, Szegedy, and Chang for determining perturbation amounts for modifying the training label distributions.
Thus, the combined teachings of Ioffe, Szegedy, Chang, and Jang suggest the broadest reasonable interpretations of the amended claim limitations of “generating a perturbed label based on the ground-truth label by altering the probability distribution in a probability simplex by performing steps comprising: decreasing a probability for the ground-truth class by a perturbation amount; and distributing the perturbation amount among the one or more non-ground-truth classes based on the gradient of a classification loss with respect to each non-ground-truth class” (claim 1), “replacing the ground-truth label by a targeted label with a selected non-ground truth class as the targeted class, which is a most confusing class having the minimum gradient of the classification loss among the one or more non-ground truth classes” (claim 10), and “generating, for each ground-truth label representation, a perturbed label representation based on the ground-truth label representation by altering the probability distribution for the ground truth label representation based on at least a gradient of a classification loss with respect to a non-ground-truth class” (claim 15).

Claim Objections
Claim 13 is objected to because of the following informalities:  
Claim 13 recites in the body of the claim, the amended limitation, “and distributing the perturbation amount among at least one one or more of the one or more non-ground-truth classes”, where a typographical error exists and the Examiner assumes “and distributing the perturbation amount among at least one of the one or more non-ground-truth classes” is intended. Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-11 and 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ioffe (US 20170132512), in view of Szegedy et al. (“Rethinking the Inception Architecture for Computer Vision”), herein Szegedy, Chang et al. (“Efficient Two-Step Adversarial Defense for Deep Neural Networks”), herein Chang, and Jang et al. (“Objective Metrics and Gradient Descent Algorithms for Adversarial Examples in Machine Learning”), herein Jang.
Regarding claim 1, Ioffe discloses a computer-implemented method for training an image classification model to improve robustness against adversarial attacks, the method comprising: 
receiving a dataset of clean images and corresponding ground-truth labels (see Ioffe [0061], where a set of training data is obtained; see Ioffe [0038], where the set of training data includes training items with associated labels; and see Ioffe [0042]-[0043], where the training data items are training images), each ground-truth label comprising a probability distribution across a plurality of classifications comprising a ground-truth class and one or more non-ground-truth classes (see Ioffe [0043]-[0045], where the training images are associated with training label distributions for a set of labels indicating a correct label among other labels); 
for each ground-truth label, generating a perturbed label based on the ground-truth label by altering the probability distribution (see Ioffe [0063], where a modified target label distribution is generated based on the initial training distribution and a smoothing label distribution) by performing 
decreasing a probability for the ground-truth class by a perturbation amount (see Ioffe [0062]-[0063], where a smoothing label distribution is determined and is used to regularize and generate a modified target label distribution based on a calculated weighted sum of the initial target label distribution and smoothing label distribution; see also Ioffe [0051]-[0052] and [0058], where the modified distribution determined from weighted sum of the initial target and smoothing label distribution suggests decreasing the probability for a ground truth class by a predetermined amount); and
distributing the perturbation amount among the one or more non-ground-truth classes (see Ioffe [0062]-[0063], where a smoothing label distribution is determined and is used to regularize and generate a modified target label distribution based on a calculated weighted sum of the initial target label distribution and smoothing label distribution; see also Ioffe [0051]-[0052] and [0058], where the modified distribution determined from weighted sum of the initial target and smoothing label distribution suggests increasing the probability for a non-ground truth class by a predetermined amount); and
training the image classification model using the perturbed images and the corresponding perturbed labels (see Ioffe [0064], where the regularized training data is used to train the neural network model).
Although Ioffe teaches that the training label distribution may be a one hot distribution where the correct label is a positive value “1” and the other labels are assigned a value of “0” (see Ioffe [0045]); Ioffe does not explicitly disclose the probability distribution is in a probability simplex. 
Szegedy teaches in a related and pertinent model regularization using label smoothing of training examples for neural network models (see Szegedy sect. 7. Model Regularization via Label Smoothing), where the ground truth distribution, q(k|x), for training examples are normalized so that (see Szegedy sect. 7. Model Regularization via Label Smoothing).
At the time of filing, one of ordinary skill in the art would have found it obvious to apply the teachings of Szegedy to the teachings of Ioffe to normalize the label / ground truth distributions so that the sum of the distribution is equal to 1, and thus equivalent to being in a claimed “probability simplex” as defined in the instant specification paragraph [0042] as “a subset of the unit simplex in which each element in the vector is non-negative and the sum of the elements of the vector is one”. This modification is rationalized as an application of a known technique to a known device ready for improvement to yield predictable results. In this instance, Ioffe discloses a base method for regularizing training data for a neural network by modifying the training data, where the label distribution associated with a training image is modified by a smoothing distribution and that the training label distribution may be a one hot distribution vector. Szegedy teaches a known technique in performing label smoothing where the ground truth distribution for training examples is normalized so that the sum of the distribution over labels is equal to 1. One of ordinary skill in the art would have recognized that applying Szegedy’s technique would allow Ioffe’s label distributions to be normalized such that the sum of the label distributions would equal one, leading to an improved representation of the label distribution for subsequent computations.
Ioffe and Szegedy do not explicitly disclose generating perturbed images based on the clean images by applying adversarial image attacks; and training the image classification model using the perturbed images.
Chang teaches in a related and pertinent method for adversarial attacks and defense for deep neural networks (see Chang Abstract), where adversarial examples are generated per each clean input based on an adversarial image attack (see Chang sect. 3.2. Proposed Efficient Two-Step Adversarial Defense, and sect. 2.1 White Box Attacks), and that the generated adversarial images are used with (see Chang sect. 3.1. Adversarial Training, sect. 3.2.3 The final loss function, and sect. 3.3. The training process).
At the time of filing, one of ordinary skill in the art would have found it obvious to apply the teachings of Chang to the teachings of Ioffe and Szegedy to generate adversarial training images using the acquired clean training image dataset based on adversarial attacks and training the neural network with the training dataset augmented with the adversarial image examples. This modification is rationalized as an application of a known technique to a known device ready for improvement to yield predictable results. In this instance, Ioffe and Szegedy disclose a base method for regularizing training data for a neural network by modifying the training data, where normalized label distributions associated with a training image are modified by a smoothing distribution and that the training label distribution may be a one hot distribution vector. Chang teaches a known technique for performing adversarial training for deep neural networks, where adversarial examples are generated from clean training inputs based on adversarial image attacks and training the neural network using training data augmented with adversarial examples and with label smoothing performed. One of ordinary skill in the art would have recognized that applying Chang’s technique would allow for improved adversarial training using a combination of generated adversarial images in the training data set and label smoothing of Ioffe and Szegedy’s modified label distributions.
Although Ioffe teaches that the smoothing label distribution may be a non-uniform distribution that includes one or more smoothing scores that are capable of being different from one or more other smoothing scores in the same smoothing label distribution (see Ioffe [0062]), Ioffe, Szegedy, and Chang do not explicitly disclose distributing the perturbation amount among the one or more non-ground-truth classes based on the gradient of a classification loss with respect to each non-ground-truth class.
Jang teaches in a related and pertinent gradient-descent based algorithm for finding adversarial samples (see Jang Abstract), where the decrease from a probability of a sample, “xi” belonging in class “l”, denoted as “pi”, to a chosen probability value to be achieved, denoted as “pi+1”, where the decrease is denoted as “δi = pi – pi+1”, is determined as a minimum of a function of a gradient of the probability of a sample belonging to class “l”, denoted as “gi”, and corresponds to the minimal-norm solution to a gradient linear system function described at equation (4) (see Jang sect. 3. Our Algorithm; see also Jang sect A.2 Generalizing the Solution of 3).
At the time of filing, one of ordinary skill in the art would have found it obvious to apply the teachings of Jang to the teachings of Ioffe, Szegedy, and Chang to determine a corresponding amount to decrease the label distribution probabilities based on a gradient of the probability of a sample belonging to a particular label class, reading upon the broadest reasonable interpretation of the gradient of a classification loss function. This modification is rationalized as an application of a known technique to a known device ready for improvement to yield predictable results. In this instance, Ioffe, Szegedy, and Chang disclose a base method for regularizing training data for a neural network by modifying the training data, where normalized label distributions associated with a training image are modified by a smoothing distribution, and the smoothing label distribution may be a non-uniform distribution that includes one or more smoothing scores that are capable of being different from one or more other smoothing scores in the same smoothing label distribution. Jang teaches a known technique for finding adversarial samples for training deep neural networks, where the decrease in a probability amount is determined based on a gradient of the probability of a sample belonging to class “l”. One of ordinary skill in the art would have recognized that applying Jang’s technique to the teachings of Ioffe, Szegedy, and Chang would allow for determining an amount to modify the probability values of a label distribution, in which the highest label score in the training label distribution is reduced and the lowest scores in the training label distribution are increased by a predetermined amount, where the amount is determined based on a gradient of the probability of a sample belonging to class “l”, suggesting the broadest reasonable interpretation of decreasing a probability for the ground-truth class by a 
	
Regarding claim 2, please see the above rejection of claim 1. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 1 wherein the perturbed images are generated in one or two projected gradient descent steps (see Chang sect. 2.1 White Box attacks and sect. 3.1. Adversarial Training, where Projected gradient descent (PGD) is a suggested method for adversarial attack).
At the time of filing, one of ordinary skill in the art would have found it obvious that a single step PGD method may be used in substitution of the suggested Fast Gradient Sign Method (FGSM) for generating the adversarial images as taught by Chang. This modification is rationalized as a simple substitution of one known element for another to obtain predictable results. In this instance, Chang discloses that a one-step attack method such as FGSM is applied to generate a first adversarial example. Chang further suggests projected gradient descent (PGD) as another method for performing an adversarial attack in generating adversarial examples. One of ordinary skill in the art could have simply substituted the suggested one-step FGSM attack method with a one-step PGD adversarial attack as the method for generating the first adversarial example, where both would have resulted in generating a first adversarial example.

Regarding claim 3, please see the above rejection of claim 2. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 2 wherein the perturbed images are generated starting from adding random noise within a predetermined image perturbation budget to the clean images (see Chang sect. 2.1. White Box attacks, where the adversarial attack methods are subject to “ɛ” which is a constant value used to constrain the noise level of the perturbation).

Regarding claim 4, please see the above rejection of claim 3. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 3 wherein the adversarial image attacks are targeted attacks (see Chang sect. 2. Background and sect. 2.1 White Box attacks, where white box attacks use full information about the model to craft adversarial examples to specifically target the model).

Regarding claim 5, please see the above rejection of claim 1. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 1 wherein the step of generating perturbed images based on the clean images by applying adversarial image attacks comprises
for each clean image:
generating an initial image by adding random noise within a predetermined image perturbation budget to each clean image (see Chang sect. 3.2. Proposed Efficient Two-Step Adversarial Defense, and sect. 2.1 White Box Attacks, where adversarial examples are generated per each clean input based on an adversarial image attack adding a noise perturbation amount to the clean input);
generating a perturbed image by applying at least one-step projected gradient descent using a gradient of a classification loss function with respect to the clean image (see Chang sect. 2.1 White Box attacks and sect. 3.1. Adversarial Training, where Projected gradient descent (PGD) is a suggested method for adversarial attack; see Chang Eq. (2) where the gradient of the loss function is used with respect to the input image, label, and parameters of the model).

Regarding claim 6, please see the above rejection of claim 1. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 1 wherein the perturbation amount is no more than a predetermined perturbation budget (see Jang sect. 3. Our Algorithm, where the decrease of probability is limited to a maximum of “pi – 1/|C|”).

Regarding claim 7, please see the above rejection of claim 6. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of claim 6 wherein the one or more non-ground-truth classes comprise a most confusing class, the most confusing class has the minimum gradient of the classification loss among the one or more non-ground-truth classes (see Jang sect. 3. Our Algorithm, where the determined adversarial perturbation, “di*”, which corresponds to the chosen decrease of probability, is the minimal norm solution to a gradient linear system function, and suggests the determined adversarial perturbation corresponds to a class label).

Regarding claim 8, please see the above rejection of claim 7. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 7 wherein the most confusing class has a share set as a minimal value smaller than the predetermined perturbation amount (see Jang sect. 3. Our Algorithm, where the decrease of probability is limited to a maximum of “pi – 1/|C|”), each of the one or more non-ground-truth classes other than the most confusing class has a share proportional to the gradient of each class subtracted by the minimum gradient (see Ioffe [0062], where the smoothing label distribution may be a non-uniform distribution that includes one or more smoothing scores that are capable of being different from one or more other smoothing scores in the same smoothing label distribution; see Jang sect. 3. Our Algorithm, where the decrease is denoted as “δi = pi – pi+1”, is determined as a minimum of a function of a gradient of the probability of a sample belonging to class “l”).
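
As an added illustration (not part of the Office action, the application, or any cited reference), the Python code below contrasts the uniform weighted-sum label smoothing attributed above to Ioffe with a gradient-guided split of the perturbation amount as recited in claims 1 and 6-8. It assumes a cross-entropy loss, whose gradient with respect to label entry k is -log p_k, and a hypothetical `floor` fraction for the most confusing class's minimal share; the logits are constructed sample values.

```python
import math

# Constructed sample logits for a 4-class model; class 0 is the ground truth.
SAMPLE_LOGITS = [4.0, 2.0, 1.0, 0.0]
TRUE_CLASS = 0


def softmax(logits):
    """Numerically stable softmax over a list of logits."""
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


def in_simplex(vec, tol=1e-9):
    """True if every entry is non-negative and the entries sum to one."""
    return all(v >= -tol for v in vec) and abs(sum(vec) - 1.0) <= tol


def smooth_uniform(one_hot, weight):
    """Weighted sum of the initial label distribution and a uniform
    smoothing distribution (the baseline mapped to Ioffe / Szegedy)."""
    k = len(one_hot)
    return [(1.0 - weight) * q + weight / k for q in one_hot]


def label_gradients(probs):
    """Assumption: loss L = -sum_k y_k * log(p_k), so dL/dy_k = -log(p_k)."""
    return [-math.log(p) for p in probs]


def most_confusing_class(probs, true_class):
    """Non-ground-truth class with the minimum loss gradient (claim 7)."""
    grads = label_gradients(probs)
    others = [k for k in range(len(probs)) if k != true_class]
    return min(others, key=lambda k: grads[k])


def perturb_label(probs, true_class, amount, budget, floor=0.01):
    """Move `amount` of probability off the ground-truth class and split it
    among the other classes by loss gradient (claims 1, 6 and 8).

    `floor` is a hypothetical parameter: the most confusing class receives
    floor * amount, a minimal share smaller than the perturbation amount.
    """
    if not 0.0 < amount <= budget < 1.0:
        raise ValueError("need 0 < amount <= budget < 1")
    if not 0.0 <= floor < 1.0:
        raise ValueError("floor must be in [0, 1)")
    others = [k for k in range(len(probs)) if k != true_class]
    if not others:
        raise ValueError("need at least one non-ground-truth class")

    grads = label_gradients(probs)
    mc = most_confusing_class(probs, true_class)
    # Gradient of each class minus the minimum gradient.
    excess = {k: grads[k] - grads[mc] for k in others}
    total = sum(excess.values())

    label = [0.0] * len(probs)
    label[true_class] = 1.0 - amount
    if total <= 0.0:
        # One other class, or all gradients tied: fall back to an even split.
        for k in others:
            label[k] = amount / len(others)
        return label

    label[mc] = floor * amount
    rest = amount - label[mc]
    for k in others:
        if k != mc:
            label[k] = rest * excess[k] / total
    return label


if __name__ == "__main__":
    p = softmax(SAMPLE_LOGITS)
    print("uniform :", smooth_uniform([1.0, 0.0, 0.0, 0.0], 0.3))
    print("gradient:", perturb_label(p, TRUE_CLASS, amount=0.3, budget=0.5))
```

Both outputs stay on the probability simplex; the uniform baseline gives every non-ground-truth class the same score, while the gradient-guided label gives the least mass to the class the model already confuses with the ground truth.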

Regarding claim 9, please see the above rejection of claim 7. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 7 wherein each of one or more non-ground-truth (see Ioffe [0062], where the smoothing label distribution may be a non-uniform distribution that includes one or more smoothing scores that are capable of being different from one or more other smoothing scores in the same smoothing label distribution; see Jang sect. 3. Our Algorithm, where the decrease is denoted as “δi = pi – pi+1”, is determined as a minimum of a function of a gradient of the probability of a sample belonging to class “l”).

Regarding claim 10, Ioffe, Szegedy, Chang, and Jang disclose a computer-implemented method for training an image classification model to improve robustness against adversarial attacks, the method comprising: 
receiving a clean image and a corresponding ground-truth label (see Ioffe [0061], where a set of training data is obtained; see Ioffe [0038], where the set of training data includes training items with associated labels; and see Ioffe [0042]-[0043], where the training data items are training images), the ground-truth label is represented as a vector comprising a probability distribution in a probability simplex among a ground-truth class and one or more non-ground-truth classes (see Ioffe [0043]-[0045], where the training images are associated with training label distributions for a set of labels indicating a correct label among other labels; see Szegedy sect. 7. Model Regularization via Label Smoothing, where the ground truth distribution, q(k|x), for training examples is normalized so that the sum of the distribution over labels is equal to 1); 
generating an initial image by adding random noise within a predetermined image perturbation budget to the clean image (see Chang sect. 3.2. Proposed Efficient Two-Step Adversarial Defense, and sect. 2.1 White Box Attacks, where adversarial examples are generated per each clean input based on an adversarial image attack adding a noise perturbation amount to the clean input); 
replacing the ground-truth label by a targeted label with a selected non-ground-truth class as (see Ioffe [0063], where a modified target label distribution is generated based on the initial training distribution and a smoothing label distribution), which is a most confusing class having the minimum gradient of the classification loss among the one or more non-ground-truth classes (see Jang sect. 3. Our Algorithm, where the determined adversarial perturbation, “di*”, which corresponds to the chosen decrease of probability, is the minimal norm solution to a gradient linear system function, and suggests the determined adversarial perturbation corresponds to a class label); 
generating a perturbed image by applying at least one step projected gradient descent using a gradient of a classification loss function with respect to the clean image, the classification loss function is a function of the input image, the targeted label and parameters of the image classification model (see Chang sect. 2.1 White Box attacks and sect. 3.1. Adversarial Training, where Projected gradient descent (PGD) is a suggested method for adversarial attack; see Chang Eq. (2) where the loss function is a function of the input image, label, and parameters of the model; see Chang sect. 3.3. The training process, where the generated adversarial images are used with label smoothing to train the deep neural network model); and 
training the image classification model using at least the perturbed image (see Chang sect. 3.1. Adversarial Training, sect. 3.2.3 The final loss function, and sect. 3.3. The training process, where the generated adversarial images are used with label smoothing to train the deep neural network model).
Please see the above rejection of claim 1, as the rationale to combine the teachings of Ioffe, Szegedy, Chang, and Jang is similar, mutatis mutandis.

Regarding claim 11, please see the above rejection of claim 10. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 10 wherein the at least one step projected gradient descent is one step projected gradient descent (see Chang sect. 2.1 White Box attacks and sect. 3.1. Adversarial Training, where Projected gradient descent (PGD) is a suggested method for adversarial attack, which first randomly picks a point within a confined small ball around each clean input).

Regarding claim 13, please see the above rejection of claim 10. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 10 further comprising: 
generating a perturbed label from the ground-truth label by decreasing a probability for the ground-truth class by a perturbation amount no more than a predetermined perturbation budget (see Ioffe [0062]-[0063], where a smoothing label distribution is determined and is used to regularize and generate a modified target label distribution based on a calculated weighted sum of the initial target label distribution and smoothing label distribution; see also Ioffe [0051]-[0052], where the modified distribution determined from weighted sum of the initial target and smoothing label distribution suggests decreasing the probability for a ground truth class by a predetermined amount; see Jang sect. 3. Our Algorithm, where the decrease of probability is limited to a maximum of “pi – 1/|C|”) and distributing the perturbation amount among at least one of the one or more non-ground-truth classes based on the gradient of classification losses with respect to the at least one or more non-ground-truth class (see Jang sect. 3. Our Algorithm, where the decrease of a probability of a sample, “xi” belonging in class “l”, denoted as “pi” to a chosen probability value to be achieved, denoted as “pi+1”, where the decrease is denoted as “δi = pi – pi+1”, is determined as a minimum of a function of a gradient of the probability of a sample belonging to class “l”, denoted as “gi”, and corresponds to the minimal-norm solution to a gradient linear system function described at equation (4)); and 
training the image classification model using both the perturbed image and the perturbed label (see Ioffe [0064], where the regularized training data is used to train the neural network model; see Chang sect. 3.1. Adversarial Training, sect. 3.2.3 The final loss function, and sect. 3.3. The training process, where the generated adversarial images are used with label smoothing to train the deep neural network model).

Regarding claim 14, please see the above rejection of claim 13. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 13 wherein distributing the predetermined perturbation budget among the one or more non-ground-truth classes comprises setting a share for the most confusing class as a minimal value smaller than the predetermined perturbation budget (see Jang sect. 3. Our Algorithm, where the decrease of probability is limited to a maximum of “pi – 1/|C|”).

Regarding claim 15, Ioffe, Szegedy, Chang, and Jang disclose a computer-implemented method for training a deep learning neural network model to improve robustness against adversarial attacks, the method comprising: 
receiving a dataset comprising a plurality of elements and corresponding ground-truth label representations for the elements (see Ioffe [0061], where a set of training data is obtained; see Ioffe [0038], where the set of training data includes training items with associated labels; and see Ioffe [0042]-[0043], where the training data items are training images, and each label may be a score distribution), each ground-truth label representations represents a probability distribution across a ground-truth class and one or more non-ground-truth classes (see Ioffe [0043]-[0045], where the training images are associated with training label distributions for a set of labels indicating a correct label among other labels; see Szegedy sect. 7. Model Regularization via Label Smoothing, where the ground truth distribution, q(k|x), for training examples is normalized so that the sum of the distribution over labels is equal to 1); 
generating, for each ground-truth label representation, a perturbed label representation based on the ground-truth label representation by altering the probability distribution for the ground-truth label representation (see Ioffe [0063], where a modified target label distribution is generated based on the initial training distribution and a smoothing label distribution) based on at least a gradient of a (see Jang sect. 3. Our Algorithm, where the decrease of a probability of a sample, “xi” belonging in class “l”, denoted as “pi” to a chosen probability value to be achieved, denoted as “pi+1”, where the decrease is denoted as “δi = pi – pi+1”, is determined as a minimum of a function of a gradient of the probability of a sample belonging to class “l”, denoted as “gi”, and corresponds to the minimal-norm solution to a gradient linear system function described at equation (4)); and 
training the deep learning neural network model using at least the perturbed label representations (see Ioffe [0064], where the regularized training data is used to train the neural network model; see Chang sect. 3.3. The training process, where the generated adversarial images are used with label smoothing to train the deep neural network model).
Please see the above rejection of claim 1, as the rationale to combine the teachings of Ioffe, Szegedy, Chang, and Jang are similar, mutatis mutandis. 

Regarding claim 16, please see the above rejection of claim 15. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 15 wherein the deep learning neural network model is an image classification model (see Ioffe [0032], where the neural network generates an estimated likelihood that an input image contains an image of an object belonging to a category), the plurality of elements are clean images (see Ioffe [0042]-[0043], where the training data items are training images).

Regarding claim 17, please see the above rejection of claim 15. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 15 wherein each of the ground-truth label representations is a vector representing each ground-truth label representation as a one-hot vector with the probability, at least initially, corresponding to the ground-truth class as 1 and probabilities for the one or more non-ground-truth classes as 0 (see Ioffe [0045] where the training label distribution may be a one-hot distribution).

Regarding claim 18, please see the above rejection of claim 16. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 16 further comprising: 
for each clean image: 
generating an initial image by adding random noise within a predetermined image perturbation budget to each clean image (see Chang sect. 3.2. Proposed Efficient Two-Step Adversarial Defense, and sect. 2.1 White Box Attacks, where adversarial examples are generated per each clean input based on an adversarial image attack adding a noise perturbation amount to the clean input); 
generating a perturbed image by applying at least one-step projected gradient descent using a gradient of a classification loss function with respect to the clean image (see Chang sect. 2.1 White Box attacks and sect. 3.1. Adversarial Training, where projected gradient descent (PGD) is a suggested method for adversarial attack; see Chang Eq. (2), where the gradient of the loss function is used with respect to the input image, label, and the model parameters); and
wherein the step of training the deep learning neural network model using at least the perturbed label representations comprises training the image classification model using both the perturbed images and the perturbed label representations (see Ioffe [0064], where the regularized training data is used to train the neural network model; see Chang sect. 3.1. Adversarial Training, sect. 3.2.3 The final loss function, and sect. 3.3. The training process, where the generated adversarial images are used with label smoothing to train the deep neural network model).

Regarding claim 19, please see the above rejection of claim 15. Ioffe, Szegedy, Chang, and Jang 
decreasing a probability for the ground-truth class by a perturbation amount no more than a predetermined perturbation budget (see Jang sect. 3. Our Algorithm, where the decrease of probability is limited to a maximum of “pi – 1/|C|”); 
choosing a most confusing class among the one or more non-ground-truth classes, the most confusing class has the minimum gradient of the classification loss among the one or more non-ground-truth classes (see Jang sect. 3. Our Algorithm, where the determined adversarial perturbation, “di*”, which corresponds to the chosen decrease of probability, is the minimal norm solution to a gradient linear system function, and suggests the determined adversarial perturbation corresponds to a class label);
setting a share for the most confusing class as a minimal value smaller than the perturbation amount (see Jang sect. 3. Our Algorithm, where the decrease of probability is limited to a maximum of “pi – 1/|C|”, and where the determined adversarial perturbation, “di*”, which corresponds to the chosen decrease of probability, is the minimal norm solution to a gradient linear system function, and suggests the determined adversarial perturbation corresponds to a class label); and 
distributing a share for each of the one or more non-ground-truth classes other than the most confusing class proportional to the gradient of each non-ground-truth class subtracted by the minimum gradient (see Ioffe [0062], where the smoothing label distribution may be a non-uniform distribution that includes one or more smoothing scores that are capable of being different from one or more other smoothing scores in the same smoothing label distribution; see Jang sect. 3. Our Algorithm, where the decrease is denoted as “δi = pi – pi+1”, is determined as a minimum of a function of a gradient of the probability of a sample belonging to class “l”).
(see Chang sect. 2. Background and sect. 2.1 White Box attacks, where the suggested FGSM, IFGSM, and PGD adversarial attacks are described as white box attacks).
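The label-perturbation steps recited above for claim 19, written out as an added Python example; it is not code from the application or from Ioffe, Szegedy, Chang, or Jang. It assumes a cross-entropy classification loss (so the gradient with respect to label entry k is -log p_k) and that the shares sum to the perturbation amount; the names `perturb_label` and `min_share` are hypothetical.

```python
import math

def softmax(logits):
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]

def label_gradient(probs):
    # Assumed loss: cross-entropy L = -sum_k y_k * log(p_k), so dL/dy_k = -log(p_k).
    return [-math.log(max(p, 1e-12)) for p in probs]

def perturb_label(one_hot, logits, amount, budget, min_share):
    """Return (perturbed_label, most_confusing_class) for one training sample."""
    if not 0 < amount <= budget:
        raise ValueError("perturbation amount must be in (0, budget]")
    if not 0 <= min_share < amount:
        raise ValueError("min_share must be smaller than the perturbation amount")
    gt = max(range(len(one_hot)), key=lambda k: one_hot[k])
    others = [k for k in range(len(one_hot)) if k != gt]
    if not others:
        raise ValueError("need at least one non-ground-truth class")
    grads = label_gradient(softmax(logits))
    # Most confusing class: minimum loss gradient among non-ground-truth classes.
    mc = min(others, key=lambda k: grads[k])
    rest = [k for k in others if k != mc]
    label = list(one_hot)
    label[gt] -= amount
    if not rest:
        # Two-class edge case (added handling): the only other class takes it all.
        label[mc] += amount
        return label, mc
    label[mc] += min_share
    remaining = amount - min_share
    weights = [grads[k] - grads[mc] for k in rest]
    total = sum(weights)
    for k, w in zip(rest, weights):
        # Ties in the gradient (total == 0) fall back to an even split.
        label[k] += remaining * (w / total if total > 0 else 1.0 / len(rest))
    return label, mc

if __name__ == "__main__":
    # Constructed sample: 4 classes, class 0 is the ground truth.
    y, mc = perturb_label([1.0, 0.0, 0.0, 0.0], [2.0, 1.0, 0.0, -1.0],
                          amount=0.3, budget=0.5, min_share=0.03)
    print(mc, [round(v, 4) for v in y])
```

The perturbed label stays on the probability simplex: whatever is removed from the ground-truth entry is redistributed in full across the other classes.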

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Ioffe, Szegedy, Chang, and Jang as applied to claim 10 above, and further in view of Paudice et al. (“Label Sanitization against Label Flipping Poisoning Attacks”), herein Paudice.
Regarding claim 12, please see the above rejection of claim 10. Ioffe, Szegedy, Chang, and Jang disclose the computer-implemented method of Claim 10 wherein the vector representing the ground-truth label is a one-hot vector with a probability corresponding to the ground-truth class as 1 (see Ioffe [0045] where the training label distribution may be a one-hot distribution). 
Ioffe, Szegedy, Chang, and Jang do not explicitly disclose that the targeted label is a one-hot vector with a probability corresponding to the most confusing class as 1.
Paudice teaches a related and pertinent label sanitization technique against label flipping poisoning attacks on machine learning systems (see Paudice Abstract), where adversarial labels are generated by flipping the labels of a training data set to maximize an arbitrary objective function (see Paudice sect. 3. Label Flipping Attacks).
At the time of filing, one of ordinary skill in the art would have found it obvious to apply the teachings of Paudice to the teachings of Ioffe, Szegedy, Chang, and Jang to determine a corresponding label flip attack to generate adversarial labels in which the corresponding label class determined as the corresponding minimal norm solution to the gradient linear system of equations is flipped to a 1.  
This modification is rationalized as an application of a known technique to a known device ready for improvement to yield predictable results. In this instance, Ioffe, Szegedy, Chang, and Jang disclose a .

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, VINCENT RUDOLPH can be reached on (571) 272-8243. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TIMOTHY CHOI/Examiner, Art Unit 2661

/VINCENT RUDOLPH/Supervisory Patent Examiner, Art Unit 2661