Notice of Pre-AIA  or AIA  Status
         The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
 
Status of Claims
            The amendment filed on November 15, 2021 in response to the Aug. 13, 2021 non-final Office action has been entered. The status of the claims is as follows:
Claims 1-18 remain pending in the application.
Claims 1-5, 7-11, and 13-17 have been amended. 
Claims 6, 12, and 18 remain original as filed.
 
Information Disclosure Statement
            The information disclosure statement (IDS) submitted on 11/18/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
 

Response to Arguments
            The amendment and arguments filed on 11/15/2021 have been fully considered. The examiner’s response is delineated as follows.
(a)       Applicant’s arguments in “Claim Objections” are believed to be intended for objections to the Specification because the non-final Office Communication does not include any objections to the claims.  To the extent that Applicant meant to direct this withdrawn in view of Applicant’s amendment to the specification.
(b)       Applicant’s arguments in the section “Claim Rejections – 35 USC § 112” have been fully considered.  The rejections of claims 1-5, 7-11, and 13-17 are hereby withdrawn in view of Applicant’s amendment to the specification.  Nonetheless, Applicant indicated that “Applicant has amended claims 6, 12 and 18 to correct the indefiniteness issue.”  Nonetheless, claims 6, 12, and 18 remain original as evidenced by the absence of amendment and the status identifiers “Original”.  Therefore, the rejections of claims 6, 12, and 18 under 35 U.S.C. § 112(b) are maintained.
(c)        Applicant’s arguments in the section “Claim Rejections- 35 USC § 103” have been fully considered but are unpersuasive. More specifically, regarding Applicant’s argument that “Applicant contends that neither CHEN nor MOORE, alone or in combination, teaches or suggests all the limitations of amended claim 1”. For example, neither reference teaches or suggests at least "wherein the distortion is not visible to the human eve" (emphasis original), and that “independent claims 7 and 13, amended to contain similar limitations as independent claim 1, are patentable over the cited references”, the examiner notes that the above emphasized claim language was not presented in the originally filed claim 1 against which Chen and Moore were cited.  Further, Applicant’s argument is moot in view of the new ground for rejection necessitated by Applicant’s amendment, as delineated in the claim rejections under 35 U.S.C. § 103 below.
(d)       Applicant’s arguments for claims 5, 11, and 17 have been fully considered but are unpersuasive. More specifically, Applicant argued that “Each of Applicant's claims 5, 11 and 17 indirectly import the features/limitations described above based on their dependence from claims 1, 8 and 15. Applicant contends that neither CHEN nor MOORE nor BRENNAN, alone or in combination, teaches or suggests at least these features/limitations of claims 5, 11 and 17.”  The examiner notes that Applicant merely relied upon the dependency of claims 5, 11, and 17 from their respective independent claims 1, 8, and 15.  Nonetheless, claims 1, 8, and 15 stand rejected under 35 U.S.C. § 103 in view of the new ground of rejections necessitated by Applicant’s amendment.  Therefore, neither claims 1, 8, and 15 nor claims 5, 11, and 17 are considered allowable.
 
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
 
The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
 
            Claims 1-18 stand rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
(a)      Claim 1, as amended, recites the following limitations: “wherein the separate samples are distorted based on inverting a portion of bits comprising the separate samples, to induce the machine learning model to misclassify the separate samples to a different class from the separate original class of the separate samples”.  The amended limitation as shown above contains subject matter that was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claims 7 and 13 are also amended to include identical or substantially similar language. 
More specifically, the present disclosure does not provide adequate written description to support the amended claim language. Further, the present disclosure describes, inter alia, “In one example, a characteristic of machine learning models, such as proprietary model 112, may be that it is relatively sensitive to minor distortions of a few bits in images that cause misclassification, even after significant amounts of data are used in training data 220 and other robustness safeguards are applied. For example, for an image that includes a cat, and should be classified as a cat image, due to the sensitivity of machine learning models, the image may be slightly distorted by a few bits or a bit pattern in a way that will induce the classifier of proprietary model 112 to misclassify the image under the class of dog images, rather than under the class of cat images, 100% of the time.” ¶ [0030].  ¶ [0035] further describes that “In one example, the minimal distortion applied by adversarial transform 234 may include a few bits or a pattern of bits that are distorted in sample 230.” That is, the present disclosure merely describes minor distortions of a few bits, an image may be slightly distorted by a few bits or a bit pattern, and a few bits or a pattern of bits that are distorted in a sample. Nonetheless, the entire present disclosure does not explicitly describe inverting a portion of bits. Therefore, claims 1, 7, and 13 are rejected under 35 U.S.C. 112(a).
(b)      Claims 2-6, 8-12, and 14-18 respectively depend from independent claims 1, 7, and 13 and thus inherit the aforementioned deficiencies.  Claims 2-6, 8-12, and 14-18 are thus also rejected under 35 U.S.C. § 112(a) for at least the foregoing reasons.
 
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
 
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
 
            Claims 1-18 stand rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
(a)       Independent claims 1, 7, and 13: The claimed limitation “wherein the separate samples are distorted based on inverting a portion of bits comprising the separate samples, to induce the machine learning model to misclassify the separate samples to a different class from the separate original class of the separate samples” recited in claim 1 is indefinite.  Claims 7 and 13 are also amended to include identical or substantially similar claim language.  More particularly, the amended claim language recites, inter alia, “wherein the separate samples are distorted based on inverting a portion of bits comprising the separate samples”.  Nonetheless, it is unclear how “a portion of bits” may possibly “compris[e] the separate samples”.  A sample comprises bits, and according to the claimed limitation, a smaller portion of these bits is inverted.  Nonetheless, according to the limitation again, this smaller portion of these bits comprises the separate sample.  That is, the claimed limitation recites a subset (“a portion of bits”) comprising and encompassing a superset (a “separate sample”) and is thus indefinite. Therefore, independent claims 1, 7, and 13 are rejected under 35 U.S.C. 112(b) for at least the foregoing reasons.
(b)       Dependent claims 2-6, 8-12, and 14-18 inherit the aforementioned deficiencies from independent claims 1, 7, and 13, respectively.  Therefore, claims 2-6, 8-12, and 14-18 are also rejected under 35 U.S.C. 112(b), the same rationale applying.
(c)      Claim(s) 3: the limitation “separate samples” in “applying, by the computer system, an adversarial transform to separate samples” and again in “applying, by the computer system, the adversarial transform to separate samples to distort a second selection of bits of the separate samples” are indefinite because it is unclear whether these two recitations of “separate samples” refer to the same or different “separate samples”. The respective interpretation of these two recitations of “separate samples” are delineated in the rationales for the rejections of claim 3 under 35 U.S.C. § 103 below.
(d)      Dependent claims 6, 12, and 18: Applicant indicated that “Applicant has amended claims 6, 12 and 18 to correct the indefiniteness issue.”  Nonetheless, claims 6, 12, and 18 remain original as evidenced by the absence of amendment and the status identifiers “Original”.  Therefore, the rejections of claims 6, 12, and 18 under 35 U.S.C. § 112(b) are maintained.  More specifically, as explained in the non-final Office action (Non-Final 8/13/2021), claims 6, 12, and 18 respectively recite multiple present participle phrases without clearly indicating which preceding nouns or pronouns are respectively modified by these consecutive present participle phrases. Applicant is requested to clearly indicate on record which preceding nouns or pronouns are respectively modified by these consecutive present participle phrases. For the purpose of examination, the present participle phrase “providing access is interpreted as modifying “one or more APls”; the phrase “return results is interpreted as modifying “one or more services”; and the phrase “comprising at least one selection is interpreted as modifying “results”.
 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
 
       Claims 1-4, 6-10, 12-16, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen et al., U.S. Patent No. 10,839,291, filed Jul. 1, 2017, and issued Nov. 17, 2020 (hereinafter Chen) in view of Moore U.S. Pat. App. Pub. No. 2011/0289027, filed May 20, 2010 (hereinafter Moore) and further in view of Goodfellow et al., Explaining and Harnessing Adversarial Examples (20 March 2015) (hereinafter Goodfellow) which has already been placed on record in the Aug. 13, 2021 non-final Office Communication.
 
With respect to claim 1 as amended, Chen teaches:
A method comprising: accessing, by a computer system, a machine learning model and a plurality of samples, (Chen at col. 1, l. 48: “deep neural network (DNN) training system”; col. 9, l. 14-15: “DNN training system 102”; col. 1, l. 46: “deep neural networks”; col. 9, ll. 22-27: “input samples,” “initial training dataset,” and/or “current training set”.  The examiner notes that training deep neural networks on a DNN training system using input samples, initial training dataset, and/or a current training set teaches the aforementioned limitations.)
the plurality of samples classified with separate original classes of a plurality of classes within training data used to train the machine learning model to identify the plurality of classes; (Chen at col. 4, ll. 26-28: “each piece of training data may be associated with a class”; col. 3, ll. 46-47: “DNN trainer 106 may then cause a first DNN to be trained to classify images using the first training set”.  The examiner notes that a DNN’s classification of an image using the first training set and the class associated with each piece of training data teach the above limitation.)
generating, by the computer system, a plurality of synthetic samples  comprising separate samples of the plurality of samples, (Chen at col. 9, ll. 51-53: “one or more portions of a sample image may be altered to generate a test image”; col. 9, ll. 64-67: “518 ’alter a portion of the test image’ a portion of the properly classified test image is altered”; col. 10, ll. 9-16”: “At block 524, the adversarial images may be provided as an input”; and “the current training set may be updated with the adversarial images”.  Col. 9, ll. 52-53: “one or more portions of a sample image may be altered”; col. 9, ll. 64-67: “518 ‘alter a portion of the test image’ a portion of the properly classified test image is altered”. The examiner first notes that a test image obtained from altering a sample image teaches the claimed synthetic sample. The examiner further notes that such an altered image comprises a separate sample because the altered image is used to update the training data set.)
wherein the separate samples are distorted to induce the machine learning model to misclassify the separate samples to a different class from the separate original class of the separate samples,  and (Chen at col. 9, ll. 64-67: “518 ’alter a portion of the test image’ a portion of the properly classified test image is altered”; col. 9, ll. 60-62 and col. 6, l. 59: “the classification of the test image does not match the target classification” that “may be the class of the base image”; col. 10, ll. 1-3: “when the test image is not properly classified, the test image maybe identified as an adversarial image”.  The examiner notes that Chen’s altering a test image that is eventually misclassified teaches the separate samples are distorted to induce the machine learning model to misclassify the separate samples to a different class from the separate original class of the separate samples.)
creating, by the computer system, a synthetic sample signature, from the plurality of synthetic samples and a matrix of a plurality of returned class labels identifying separate portions of the plurality of classes as determined from actual classifications of the plurality of synthetic samples from running the plurality of synthetic samples on the machine learning model.  (Chen at col. 9, ll. 64-67: “518 ’alter a portion of the test image’ a portion of the properly classified test image is altered”.  col. 9, ll. 54 and 60-62: “provide test image to DNN for classification”; and “the classification of the test image does not match the target classification, the test image is improperly classified”. The examiner notes that ¶ [0031] of the disclosure explicitly states that “synthetic sample signature 250 may include a set of synthetic samples 246, created by an adversarial transform 234”. Therefore, Chen’s generating an adversarial image teaches creating a synthetic sample signature.
Moreover, Chen at col. 12, ll. 59-65: “data structures” for storing “a number of program modules” and “program data”. The examiner notes that Chen’s “data structure” that stores “program data” such as the aforementioned misclassification of the “test image” that does not match the target classification (e.g., “wrong class (e.g., not the target class)” in col. 8, ll. 12-13) as well as the misclassified “test image” in an adversarial image set (e.g., 254-1) and “the new class” for the misclassified “test image” teach a matrix of a plurality of returned class labels as determined from actual classifications of each of the plurality of synthetic samples from running the plurality of synthetic samples on the machine learning model.)
Chen does not appear to explicitly teach:
wherein the separate samples are distorted based on inverting a portion of bits comprising the separate samples,
wherein the distortion is not visible to the human eye; and
creating, by the computer system, a synthetic sample signature, to verify an identity of the machine learning model at runtime,
Goodfellow does, however teach:
wherein the separate samples are distorted based on inverting a portion of bits comprising the separate samples, (Goodfellow at ¶ 2, § 3, p. 2: “For example, digital images often use only 8 bits per pixel”.  ¶ 1, p. 6: “As control experiments, we trained training a maxout network with noise based on randomly adding ± to each pixel, or adding noise in U(-; ) to each pixel.” The examiner notes that Goodfellow’s adding ± to each pixel that uses 8 bits teaches inverting a portion of bits in a sample because a bit stores a binary value (e.g., 0 or 1) so changing a pixel’s value by adding ± changes at least the binary value (e.g., “0”) of at least one bit to the other binary value (e.g., “1”) and thus teaches inverting a portion of bits as claimed.)
wherein the distortion is not visible to the human eye; and (Goodfellow at Caption of Figure 1, p. 3: “A demonstration of fast adversarial example generation applied to GoogLeNet (Szegedy et al., 2014a) on ImageNet. By adding an imperceptibly small vector whose elements are equal to the sign of the elements of the gradient of the cost function with respect to the input, we can change GoogLeNet’s classification of the image. Here our  of .007 corresponds to the magnitude of the smallest bit of an 8 bit image encoding after GoogLeNet’s conversion to real numbers.” ¶ 3, § 2, p. 1: “On some datasets, such as ImageNet (Deng et al., 2009), the adversarial examples were so close to the original examples that the differences were indistinguishable to the human eye.”)
Chen and Goodfellow are analogous art because both references pertain to training neural networks with adversarial examples. 
It would have been obvious for a person of ordinary skill in the art prior to the effective filing date to have modified Chen’s training a deep neural network work with synthetic samples obtained by distorting original images (see Chen, supra) to incorporate Goodfellow’s adversarial examples one or more bits of which are inverted with imperceptibly small perturbation (see Goodfellow, Abstract and ¶ 2, § 1, p. 1, supra). The modification addresses the shortcoming of conventional approaches that cause the activation to grow and thus “accidental steganography” by subtracting the penalty from the activation, rather than adding the penalty to the activation as in convention approaches, so as to make confident enough predictions that the error in prediction has saturated at a minimum value (Goodfelllow, p. 2, § 3, ¶ 4: “The adversarial perturbation causes the activation to grow by                         
                            
                                
                                    ω
                                
                                
                                    T
                                
                            
                            η
                        
                    ”; and p. 4, § 5, ¶ 2: “This is somewhat similar to L1 regularization. However, there are some important differences. Most significantly, the L1 penalty is subtracted off the model’s activation during training, rather than added to the training cost. This means that the penalty can eventually start to disappear if the model learns to make confident enough predictions that [Symbol font/0x7A] saturates.”)
Chen modified by Goodfellow teaches creating a synthetic sample signature for a machine learning model in col. 9, ll. 54, 60-62, and 64-67 (see citations and rationale, supra) but does not appear to explicitly teach the synthetic sample signature is created to verify an identity of the machine learning model at runtime.
Moore does, however, teach:
creating, by the computer system, a synthetic sample signature, to verify an identity of the machine learning model at runtime, (Moore at Abstract: “a method of learning the behavior of a legacy system” that “includes gathering information with respect to inputs, outputs, and internal function of the legacy system; defining from the gathered information a set of behavioral rules describing the legacy system” where “legacy system processes are undocumented or poorly documented”; and “there may not be clear understanding of the full extent of what the legacy system processes are intended to accomplish” (¶ [0002]).  ¶ [0043]: “[t]hese rules, as discussed above, represent behavior observed by monitor”; ¶ [0095]: “[a]n output 130 generated by legacy process 110 may then be compared to an expected output 130 predicted by an applicable rule”; and “[i]f the actual output is equivalent to a first predicted output by the rule, then the rule is legitimate for at least a correctly-formatted input.”  
The examiner notes that Moore’s “rule” represents observed behaviors of an undocumented or poorly documented process or system, and that Moore’s determining the legitimacy of such a rule and hence the behaviors thereof by comparing expected outputs to previously generated outputs teaches verifying the identity of the process such as Chen’s machine learning model. More specifically, ¶¶ [0047]-[0049] of the present disclosure describe that the identity of a black-box process is verified by comparing expected labels with actual, returned labels. Therefore, the examiner asserts that Moore’s comparing observed behaviors of an undocumented process to/with corresponding behaviors to determine the legitimacy of observed behaviors (“rules”) at least implicitly teaches verifying the identity of the undocumented process. The examiner further notes that Moore’s testing the process with “rules” and observing the behaviors of the process being tested teaches determining the legitimacy and identity of the machine learning model at runtime.)
Chen, Goodfellow, and Moore are analogous art because all three references pertain to making predictions on data. 
It would have been obvious for a person of ordinary skill in the art prior to the effective filing date to have modified Chen in view of Goodfellow with Moore’s behavioral rules that describe the behaviors of a running process (Moore, ¶ [0095], supra).  The modification enables learning and modeling the behaviors of an undocumented process and effectively replicating the undocumented process with a replica for running on a new system, without completely writing new software components, to prevent catastrophic results from a failure of the undocumented process (Moore, ¶ [0043]: “These rules, as discussed above, represent behavior observed by monitor 155, checked by rule checker 150, and incorporated into the function of translator 145 and bypasser 160. Once a level of confidence is reached that the rules are acceptably accurate, legacy process 110, or one or more of its sub-processes, may be replaced with a legacy mimic 190. In this way, the behavior of legacy process 110 is retained without the necessity of writing completely new software components. Further, legacy mimic 190 may then be implemented on new hardware components, thus preventing catastrophic results that could occur from a failure of the obsolete hardware components of legacy process 110.” ¶ [0044]: “FIG. 1C illustrates the concept of a legacy mimic 190, which represents a system based on rules identified from the behavior of legacy process 110. When fully operational, legacy mimic 190 may be effectively a replication of legacy process 110.”)
 
With respect to claim 2, Chen modified by Moore and Goodfellow teaches the method of claim 1 from which claim 2 depends, and Chen further teaches:
wherein accessing a machine learning model and a plurality of samples further comprises: selecting, by the computer system, a subset of the plurality of samples with a selection of one or more samples for the plurality of classes. (col. 4, ll. 26-30: “each piece of training data may be associated with a class” “the associations of class may be used in a deep learning algorithm to train a DNN”; col. 4, ll. 51-58: “initial training dataset 202 may include uncontaminated data samples with K-classes”; and “Once the initial training dataset 202 is converted into training set 216-1, training set 216-1 may be provided to DNN trainer 106 for training a first round DNN.”  The examiner notes that Chen’s inclusion of “K-classes” in the initial training dataset and hence the “training set” for “training a first round DNN” teaches the above claimed limitation.)
 
With respect to claim 3, Chen modified by Moore and Goodfellow teaches the method of claim 1 from which claim 3 depends, and Chen further teaches:
wherein generating a plurality of synthetic samples further comprises: applying, by the computer system, an adversarial transform to separate samples to distort a first selection of bits of the separate samples (Chen at col. 3, ll. 33-34: “adversarial image generator 108”; col. 7, l. 1: “causative image generator 402”; col. 7, ll. 6: “to change the smallest number of pixels, such as in sample image 212-2”; col. 7, l. 18: “evolution image generator 404”; col. 6, ll. 52-53: “altering one or more portions of a base image (e.g., sample image 212-n”; and col. 9, ll. 63-64: “test image” that is “properly classified”.  The examiner notes that the “adversarial image generator,” “causative image generator,” and/or “evolution image generator” teaches the claimed adversarial transform, and that a “base image” and/or “test image” teaches the claimed “separate sample”.)
to induce the machine learning model to misclassify the separate samples to a first group of different classes, excluding the separate original class, of the plurality of classes; and (Chen at col. 7, ll. 8: “causative image generator 402” “to change the smallest number of pixels, such as in sample image 212-2, that results in the trained DNN classifies x’ different than x”; col. 9, ll. 55-62: “the test image may be provided to the DNN for classification”; and “if the classification of the test image does not match the target classification, the test image is improperly classified”.  The examiner notes that test image classification that does not match the target classification teaches inducing the machine learning model to misclassify separate samples to a first group of different classes.  Moreover, the different classes into which the separate samples are misclassified into exclude the separate original class.)
applying, by the computer system, the adversarial transform to separate samples to distort a second selection of bits of the separate samples (Chen at col. 7, ll. 33-57: “the analytical attacks and/or adversarial images may become guidance on changing or injecting code”; “the sliding window technique may be used on the base image (e.g., sample image that misclassified test image is based on)”; and “the portion identified by the sliding window technique approximates the portions of the assembly File that has bytecode that needs to be changed”.  Col. 7, l. 63 - col. 8, l. 26: “enhancing deep learning resiliency against analytical attacks”; “rebuild iterative layers of DNNs and/or utilize the adversarial images to enhance robustness”; “These attacks may modify the uncontaminated data samples (e.g., base images) slightly”; and “DNN training system 102 may repeat the process until a number of iterations M is reached.”  
The examiner notes that Chen’s applying the sliding window technique to identify and modify a portion of a base image (whose test image is misclassified) and iteratively “modify the uncontaminated data samples” in multiple iterations (e.g., “8” in col. 8, l. 27) teaches an adversarial transform that distorts a second selection of bits of each separate sample.)
to induce the machine learning model to misclassify the separate samples to a second group of different classes, excluding the separate original class, of the plurality of classes. (Chen at col. 6, ll. 52-55: “altering one or more portions of a base image (e.g., sample image 212-n) to generate a test image; providing the test image to the trained DNN (e.g., trained DNN 304-1) for classification”; col. 9, ll. 60-62 and col. 6, l. 59: “the classification of the test image does not match the target classification”; col. 10, ll. 1-3: “when the test image is not properly classified, the test image maybe identified as an adversarial image”.   The examiner notes that Chen’s altering a base image into a test image that is then misclassified by a DNN teaches inducing a machine learning model to misclassify the separate samples to a group of different classes.  Moreover, the aforementioned different classes of the test images exclude the separate original class.)
 
With respect to claim 4, Chen modified by Moore and Goodfellow teaches the method of claim 1 from which claim 4 depends, and Chen further teaches:
The method according to claim 1, further comprising: sending, by the computer system, the plurality of synthetic samples to the machine learning model as sample input; and (Chen at col. 6, ll. 52-55: “altering one or more portions of a base image (e.g., sample image 212-n) to generate a test image; providing the test image to the trained DNN (e.g., trained DNN 304-1) for 55 classification”; col. 10, ll. 54-56: “the test image may be provided to the DNN for classification”.  The examiner notes that altering a base image into a test image and classifying the test image by a DNN teaches the above limitation.)
retrieving, by the computer system, separate returned class labels from the machine learning model for the plurality of synthetic samples, (Chen at col. 6, l. 47-48 and 52-53: an adversarial sample (e.g., “the test image” of “a base image”) of “one or more adversarial sample or images”; col. 6, l. 57: “the trained DNN”; col. 6, l. 58 “something different than target classification or class”. The examiner notes that the “trained DNN” teaches the machine learning model, that each “test image” (altered from a “base image”) of “one or more adversarial samples or images” teach “each of the plurality of synthetic samples, and that “something different than target classification or class” teaches the claimed separate returned class label.)
wherein separate returned class labels specify classes from the plurality of classes classified for separate synthetic samples by the machine learning model. (col. 6, ll. 55-58: “the test image as an adversarial image (e.g., adversarial image 252-2) in adversarial image set 254-1 when the trained DNN classifies the test image as something different than target classification or class”.  The examiner notes that the DNN that classifies an “adversarial image” into “something different than target classification or class” teaches the above limitation.)
 
With respect to claim 6, Chen modified by Moore and Goodfellow teaches the method of claim 1 from which claim 6 depends, and Chen further teaches:
The method according to claim 1, further comprising: outputting, by the computer system, the synthetic sample signature for running on one or more application programming interfaces providing access to one or more processes returning results comprising at least a selection of the plurality of classes, (Chen at col. 10, ll. 9-16”: “[a]t block 524, the adversarial images may be provided as an input”; “the current training set may be updated with the adversarial images”; col. 15, ll. 17-24: “[v]arious embodiments may be implemented using” “software elements”; and “Examples of software may include” “application program interfaces (API)”.  Col. 3, ll. 48-50: “one or more adversarial images that are misclassified by the first DNN”; col. 6, l. 58: “something different than target classification or class”. 
The examiner notes that generating adversarial images for updating the current training set teaches outputting the synthetic sample signature.  The DNN’s classification and/or misclassification of these adversarial images by using the implementation of an API teaches that the adversarial images are for running on a classifier provided through one or more application programming interfaces. The examiner further notes that DNN’s misclassification of the adversarial image set into “something different than target classification or classes” teaches the claimed one or more processes returning results comprising at least a selection of the plurality of classes.)
wherein the plurality of synthetic samples are valid inputs to run on the one or more processes, (col. 5, ll. 25-30: “training set 216-2 may include each sample image 212 of training set 216-1 and each adversarial image 252 of adversarial image set 254-1” “provide training set 216-2 to DNN trainer 106 to train a second DNN.” The examiner notes that providing an adversarial image set to train a DNN teaches the plurality of synthetic samples are valid inputs.)
Chen teaches running a plurality of synthetic samples as inputs in col. 5, ll. 25-30 (see citation and rationale for claim 1 above) but does not appear to explicitly teach:
the one or more processes are one or more services,
wherein a comparison of the results of running the plurality of synthetic samples on the one or more services with the matrix indicates whether the one or more services are running the machine learning model for providing the one or more services.
Moore does, however, teach:
the one or more processes are one or more services, (Moore at ¶ [0028]: “a service request with a list of corresponding new service connections to make”.  The examiner notes that Moore’s description of a service request with a list of new service connections teaches inputs (e.g., the valid inputs taught by Chen in col. 5, ll. 25-30 cited immediately above) to run on one or more services.)
wherein a comparison of the results of running inputs on the one or more services indicates whether the one or more services are running the machine learning model for providing the one or more services. (Moore at ¶ [0028]: “a service request with a list of corresponding new service connections to make”.  Moore at Abstract: “[l]earning the behavior of a legacy system includes” “defining from the gathered information a set of behavioral rules describing the legacy system; and testing the rules by applying known inputs to the legacy system and verifying that the legacy system responds as predicted by the rules”; ¶ [0095]: “[a]n output 130 generated by legacy process 110 may then be compared to an expected output 130 predicted by an applicable rule”; and “If the actual output is equivalent to a first predicted output by the rule, then the rule is legitimate”. 
The examiner notes that Moore’s description of a service request with a list of new service connections teaches running an input (e.g., a classification request for an adversarial sample at the DNN) on the service(s) (e.g., the DNN) via the “list of new service connections”. The examiner further notes that determining whether an “undocumented or poorly documented” process behaves as predicted by comparing an “expected output” to/with an output generated by the process teaches the above limitation.)
Therefore, Chen modified by Moore thus teach the above limitation.
Chen, Goodfellow, and Moore are analogous art because all three references pertain to making predictions on data. 
It would have been obvious for a person of ordinary skill in the art prior to the effective filing date to have modified Chen in view of Goodfellow to incorporate Moore’s provisioning services for determining legitimacy and hence the identity of a running application or process.  The modification conserves computing resources by sharing any of Moore’s services among various software components and hence the sharing of the memory, GUI, notification generator, etc. (which are allocated for the aforementioned shared services) among these various software components, rather than allocating dedicated, additional memory, GUI, notification generator, etc. for each of these various software components had these services not been shared (Moore at ¶ [0134]: “Although legacy interface/probe tool suite components translator 145, rule checker 150, monitor 155, and bypasser 160 are illustrated each with its own memory, notification generator, graphic user interface (GUI), and notifications, any or all of these services may be shared between one or more of the components of legacy interface/probe 140.”)
 
With respect to claim 7, Chen teaches:
A computer system comprising one or more processors, one or more computer-readable memories, one or more computer-readable storage devices, and program instructions, stored on at least one of the one or more storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, the stored program instructions comprising: program instructions (Chen at col. 2, ll. 20-21: “DNN training system”; col. 11, ll. 56-59: “one or more processors, multi-core processors,” “co-processors,” and “controllers”; col. 11, ll. 4-5: “volatile memory or nonvolatile memory”; col. 12, ll. 59-61: “[t]he drives and associated computer-readable media provide volatile and/or nonvolatile storage of data, data structures, computer-executable instructions, and so forth”; col. 12, ll. 9-11: “[t]he system bus 808 provides an interface for system components including, but not limited to, the system memory 806 to the processing unit 804”.)
program instructions to access a machine learning model and a plurality of samples, (Chen at col. 1, l. 48: “deep neural network (DNN) training system”; col. 9, l. 14-15: “DNN training system 102”; col. 1, l. 46: “deep neural networks”; col. 9, ll. 22-27: “input samples,” “initial training dataset,” and/or “current training set”.  The examiner notes that training deep neural networks on a DNN training system using input samples, initial training dataset, and/or a current training set teaches the aforementioned limitations.)
the plurality of samples classified with a separate original class of a plurality of classes within training data used to train the machine learning model to identify the plurality of classes; (Chen at col. 4, ll. 26-28: “each piece of training data may be associated with a class”; col. 3, ll. 46-47: “DNN trainer 106 may then cause a first DNN to be trained to classify images using the first training set”.  The examiner notes that a DNN’s classification of an image using the first training set and the class associated with each piece of training data teach the above limitation.)
program instructions to generate a plurality of synthetic samples comprising a separate sample of the plurality of samples, (Chen at col. 9, ll. 51-53: “one or more portions of a sample image may be altered to generate a test image”; col. 9, ll. 64-67: “518 ’alter a portion of the test image’ a portion of the properly classified test image is altered”; col. 10, ll. 9-16”: “At block 524, the adversarial images may be provided as an input”; and “the current training set may be updated with the adversarial images”.  Col. 9, ll. 52-53: “one or more portions of a sample image may be altered”; col. 9, ll. 64-67: “518 ‘alter a portion of the test image’ a portion of the properly classified test image is altered”. The examiner first notes that a test image obtained from altering a sample image teaches the claimed synthetic sample. The examiner further notes that such an altered image comprises a separate sample because the altered image is used to update the training data set.)
wherein the separate sample is distorted to induce the machine learning model to misclassify the separate sample to a different class from the separate original class of the separate sample, and (Chen at col. 9, ll. 64-67: “518 ’alter a portion of the test image’ a portion of the properly classified test image is altered”; col. 9, ll. 60-62 and col. 6, l. 59: “the classification of the test image does not match the target classification” that “may be the class of the base image”; col. 10, ll. 1-3: “when the test image is not properly classified, the test image maybe identified as an adversarial image”.  The examiner notes that Chen’s altering a test image that is eventually misclassified teaches the separate samples are distorted to induce the machine learning model to misclassify the separate samples to a different class from the separate original class of the separate samples.)
program instructions to create a synthetic sample signature, from the plurality of synthetic samples and a matrix of a plurality of returned class labels identifying separate portions of the plurality of classes as determined from actual classifications of the plurality of synthetic samples from running the plurality of synthetic samples on the machine learning model. (Chen at col. 9, ll. 64-67: “518 ’alter a portion of the test image’ a portion of the properly classified test image is altered”.  col. 9, ll. 54 and 60-62: “provide test image to DNN for classification”; and “the classification of the test image does not match the target classification, the test image is improperly classified”. The examiner notes that ¶ [0031] of the disclosure explicitly states that “synthetic sample signature 250 may include a set of synthetic samples 246, created by an adversarial transform 234”. Therefore, Chen’s generating an adversarial image teaches creating a synthetic sample signature.
Moreover, Chen at col. 12, ll. 59-65: “data structures” for storing “a number of program modules” and “program data”. The examiner notes that Chen’s “data structure” that stores “program data” such as the aforementioned misclassification of the “test image” that does not match the target classification (e.g., “wrong class (e.g., not the target class)” in col. 8, ll. 12-13) as well as the misclassified “test image” in an adversarial image set (e.g., 254-1) and “the new class” for the misclassified “test image” teach a matrix of a plurality of returned class labels as determined from actual classifications of each of the plurality of synthetic samples from running the plurality of synthetic samples on the machine learning model.)
Chen does not appear to explicitly teach:
wherein the separate samples are distorted based on inverting a portion of bits comprising the separate samples,
wherein the distortion is not visible to the human eye; and
program instructions to create an input, for verifying an identity of the machine learning model at runtime,
Goodfellow does, however teach:
wherein the separate samples are distorted based on inverting a portion of bits comprising the separate samples, (Goodfellow at ¶ 2, § 3, p. 2: “For example, digital images often use only 8 bits per pixel”.  ¶ 1, p. 6: “As control experiments, we trained training a maxout network with noise based on randomly adding ± to each pixel, or adding noise in U(-; ) to each pixel.” The examiner notes that Goodfellow’s adding ± to each pixel that uses 8 bits teaches inverting a portion of bits in a sample because a bit stores a binary value (e.g., 0 or 1) so changing a pixel’s value by adding ± changes at least the binary value (e.g., “0”) of at least one bit to the other binary value (e.g., “1”) and thus teaches inverting a portion of bits as claimed.)
wherein the distortion is not visible to the human eye; and (Goodfellow at Caption of Figure 1, p. 3: “A demonstration of fast adversarial example generation applied to GoogLeNet (Szegedy et al., 2014a) on ImageNet. By adding an imperceptibly small vector whose elements are equal to the sign of the elements of the gradient of the cost function with respect to the input, we can change GoogLeNet’s classification of the image. Here our  of .007 corresponds to the magnitude of the smallest bit of an 8 bit image encoding after GoogLeNet’s conversion to real numbers.” ¶ 3, § 2, p. 1: “On some datasets, such as ImageNet (Deng et al., 2009), the adversarial examples were so close to the original examples that the differences were indistinguishable to the human eye.”)
Chen and Goodfellow are analogous art because both references pertain to training neural networks with adversarial examples. 
It would have been obvious for a person of ordinary skill in the art prior to the effective filing date to have modified Chen’s training a deep neural network work with synthetic samples obtained by distorting original images (see Chen, supra) to incorporate Goodfellow’s  adversarial examples one or more bits of which are inverted with imperceptibly small perturbation (see Goodfellow, Abstract and ¶ 2, § 1, p. 1, supra). The modification addresses the shortcoming of conventional approaches that, despite the small perturbation to an image, cause the activation to grow so as to cause “accidental steganography” by subtracting the penalty from the activation, rather than adding the penalty to the activation as in convention approaches, so as to make confident enough predictions that the error in prediction has saturated at a minimum value (Goodfelllow, p. 2, § 3, ¶ 4: “The adversarial perturbation causes the activation to grow by                         
                            
                                
                                    ω
                                
                                
                                    T
                                
                            
                            η
                        
                    ”; and p. 4, § 5, ¶ 2: “This is somewhat similar to L1 regularization. However, there are some important differences. Most significantly, the L1 penalty is subtracted off the model’s activation during training, rather than added to the training cost. This means that the penalty can eventually start to disappear if the model learns to make confident enough predictions that [Symbol font/0x7A] saturates.”)
Chen modified by Goodfellow teaches creating a synthetic sample signature for a machine learning model in col. 9, ll. 54, 60-62, and 64-67 (see citations and rationale immediately above) but does not appear to explicitly teach the synthetic sample signature is created to verify an identity of the machine learning model at runtime.
Moore does, however, teach:
program instructions to create an input, for verifying an identity of the machine learning model at runtime, (Moore at Abstract: “a method of learning the behavior of a legacy system” that “includes gathering information with respect to inputs, outputs, and internal function of the legacy system; defining from the gathered information a set of behavioral rules describing the legacy system” where “legacy system processes are undocumented or poorly documented”; and “there may not be clear understanding of the full extent of what the legacy system processes are intended to accomplish” (¶ [0002]).  ¶ [0043]: “[t]hese rules, as discussed above, represent behavior observed by monitor”; ¶ [0095]: “[a]n output 130 generated by legacy process 110 may then be compared to an expected output 130 predicted by an applicable rule”; and “[i]f the actual output is equivalent to a first predicted output by the rule, then the rule is legitimate for at least a correctly-formatted input.”  
The examiner notes that Moore’s “rule” represents observed behaviors of an undocumented or poorly documented process or system, and that Moore’s determining the legitimacy of such a process and hence the behaviors thereof by comparing expected outputs to previously generated outputs teaches verifying the identity of the process such as Chen’s machine learning model. The examiner further notes that Moore’s testing the process with “rules” and observing the behaviors of the process being tested teaches determining the legitimacy and identity of the machine learning model at runtime.)
Chen, Goodfellow, and Moore are analogous art because all three references pertain to making predictions on data. 
It would have been obvious for a person of ordinary skill in the art prior to the effective filing date to have modified Chen in view of Goodfellow with Moore’s behavioral rules that describe behaviors of a running process (Moore, ¶ [0095], supra).  The modification enables learning and modeling the behaviors of an undocumented process and effectively replicating the undocumented process with a replica for running on a new system, without completely writing new software components, to prevent catastrophic results from a failure of the undocumented process (Moore, ¶ [0043]: “These rules, as discussed above, represent behavior observed by monitor 155, checked by rule checker 150, and incorporated into the function of translator 145 and bypasser 160. Once a level of confidence is reached that the rules are acceptably accurate, legacy process 110, or one or more of its sub-processes, may be replaced with a legacy mimic 190. In this way, the behavior of legacy process 110 is retained without the necessity of writing completely new software components. Further, legacy mimic 190 may then be implemented on new hardware components, thus preventing catastrophic results that could occur from a failure of the obsolete hardware components of legacy process 110.” ¶ [0044]: “FIG. 1C illustrates the concept of a legacy mimic 190, which represents a system based on rules identified from the behavior of legacy process 110. When fully operational, legacy mimic 190 may be effectively a replication of legacy process 110.”)
 
With respect to claim 8 depending upon claim 7, it is substantially similar to claim 2 and is rejected in the same manner, the same art and reasoning applying.
 
With respect to claim 9 depending upon claim 7, it is substantially similar to claim 3 and is rejected in the same manner, the same art and reasoning applying.
 
With respect to claim 10 depending upon claim 8, it is substantially similar to claims 2 and 4 and is rejected in the same manner, the same art and reasoning applying.
 
With respect to claim 12 depending upon claim 8, it is substantially similar to claim 6 and is rejected in the same manner, the same art and reasoning applying.
 
With respect to claim 13, Chen teaches:
A computer program product comprises a computer readable storage medium having program instructions embodied therewith, wherein the computer readable storage medium is not a transitory signal per se, the program instructions executable by a computer to cause the computer to: (Chen, col. 10, ll. 59-61: “any non-transitory computer-readable storage medium or machine-readable storage medium”; col. 11, ll. 7-11: “[e]xamples of computer-executable instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, object-oriented code, visual code, and the like”) embodied therewith, wherein the computer readable storage medium is not a transitory signal per se; col. 11, l. 33: “running on a processor”)
access, by a computer, a machine learning model and a plurality of samples, (Chen, col. 1, l. 48: “deep neural network (DNN) training system”; col. 9, l. 14-15: “DNN training system 102”; col. 1, l. 46: “deep neural networks”; col. 9, ll. 22-27: “input samples,” “initial training dataset,” and/or “current training set”.  The examiner notes that training deep neural networks on a DNN training system using input samples, initial training dataset, and/or a current training set teaches the aforementioned limitations.)
the plurality of samples classified with separate original classes of a plurality of classes within training data used to train the machine learning model to identify the plurality of classes; (Chen, col. 4, ll. 26-28: “each piece of training data may be associated with a class”; col. 3, ll. 46-47: “DNN trainer 106 may then cause a first DNN to be trained to classify images using the first training set”.  The examiner notes that a DNN’s classification of an image using the first training set and the class associated with each piece of training data teach the above limitation.)
generate, by the computer, a plurality of synthetic samples comprising separate samples of the plurality of samples, (Chen, col. 9, ll. 51-53: “one or more portions of a sample image may be altered to generate a test image”; col. 9, ll. 64-67: “518 ’alter a portion of the test image’ a portion of the properly classified test image is altered”; col. 10, ll. 9-16”: “At block 524, the adversarial images may be provided as an input”; and “the current training set may be updated with the adversarial images”.  Col. 9, ll. 52-53: “one or more portions of a sample image may be altered”; col. 9, ll. 64-67: “518 ‘alter a portion of the test image’ a portion of the properly classified test image is altered”. The examiner first notes that a test image obtained from altering a sample image teaches the claimed synthetic sample. The examiner further notes that such an altered image comprises a separate sample because the altered image is used to update the training data set.)
wherein the separate samples are distorted, to induce the machine learning model to misclassify the separate samples to a different class from the separate original class of the separate samples, and (Chen,  col. 9, ll. 64-67: “518 ’alter a portion of the test image’ a portion of the properly classified test image is altered”; col. 9, ll. 60-62 and col. 6, l. 59: “the classification of the test image does not match the target classification” that “may be the class of the base image”; col. 10, ll. 1-3: “when the test image is not properly classified, the test image maybe identified as an adversarial image”.  The examiner notes that Chen’s altering a test image that is eventually misclassified teaches the separate samples are distorted to induce the machine learning model to misclassify the separate samples to a different class from the separate original class of the separate samples.)
create, by the computer, a synthetic sample signature from the plurality of synthetic samples and a matrix of a plurality of returned class labels identifying separate classes of the plurality of classes as determined from classification of the plurality of synthetic samples from running the plurality of synthetic samples on the machine learning model. (Chen, col. 9, ll. 64-67: “518 ’alter a portion of the test image’ a portion of the properly classified test image is altered”.  col. 9, ll. 54 and 60-62: “provide test image to DNN for classification”; and “the classification of the test image does not match the target classification, the test image is improperly classified”. The examiner notes that ¶ [0031] of the disclosure explicitly states that “synthetic sample signature 250 may include a set of synthetic samples 246, created by an adversarial transform 234”. Therefore, Chen’s generating an adversarial image teaches creating a synthetic sample signature.
Moreover, Chen, col. 12, ll. 59-65: “data structures” for storing “a number of program modules” and “program data”. The examiner notes that Chen’s “data structure” that stores “program data” such as the aforementioned misclassification of the “test image” that does not match the target classification (e.g., “wrong class (e.g., not the target class)” in col. 8, ll. 12-13) as well as the misclassified “test image” in an adversarial image set (e.g., 254-1) and “the new class” for the misclassified “test image” teach a matrix of a plurality of returned class labels as determined from actual classifications of each of the plurality of synthetic samples from running the plurality of synthetic samples on the machine learning model.)
Chen does not appear to explicitly teach:
wherein the separate samples are distorted based on inverting a portion of bits comprising the separate samples, 
wherein the distortion is not visible to the human eye; and
creating, by the computer system, an input, to an identity of the machine learning model at runtime,
Goodfellow does, however teach:
wherein the separate samples are distorted based on inverting a portion of bits comprising the separate samples, (Goodfellow at ¶ 2, § 3, p. 2: “For example, digital images often use only 8 bits per pixel”.  ¶ 1, p. 6: “As control experiments, we trained training a maxout network with noise based on randomly adding ± to each pixel, or adding noise in U(-; ) to each pixel.” The examiner notes that Goodfellow’s adding ± to each pixel that uses 8 bits teaches inverting a portion of bits in a sample because a bit stores a binary value (e.g., 0 or 1) so changing a pixel’s value by adding ± changes at least the binary value (e.g., “0”) of at least one bit to the other binary value (e.g., “1”) and thus teaches inverting a portion of bits as claimed.)
wherein the distortion is not visible to the human eye; and (Goodfellow at Caption of Figure 1, p. 3: “A demonstration of fast adversarial example generation applied to GoogLeNet (Szegedy et al., 2014a) on ImageNet. By adding an imperceptibly small vector whose elements are equal to the sign of the elements of the gradient of the cost function with respect to the input, we can change GoogLeNet’s classification of the image. Here our  of .007 corresponds to the magnitude of the smallest bit of an 8 bit image encoding after GoogLeNet’s conversion to real numbers.” ¶ 3, § 2, p. 1: “On some datasets, such as ImageNet (Deng et al., 2009), the adversarial examples were so close to the original examples that the differences were indistinguishable to the human eye.”)
Chen and Goodfellow are analogous art because both references pertain to training neural networks with adversarial examples. 
It would have been obvious for a person of ordinary skill in the art prior to the effective filing date to have modified Chen’s generating synthetic samples that are distorted to cause a machine learning model to misclassify such generated synthetic samples as cited immediately above (Chen at Abstract) to incorporate Goodfellow’s adversarial examples one or more bits of which are inverted with imperceptibly small perturbation (Goodfellow, Abstract and ¶ 2, § 1, p. 1). The modification addresses the shortcoming of conventional approaches that, despite the small perturbation to an image, cause the activation to grow so as to cause “accidental steganography” by subtracting the penalty from the activation, rather than adding the penalty to the activation as in convention approaches, so as to make confident enough predictions that the error in prediction has saturated at a minimum value (Goodfelllow, p. 2, § 3, ¶ 4: “The adversarial perturbation causes the activation to grow by                         
                            
                                
                                    ω
                                
                                
                                    T
                                
                            
                            η
                        
                    ”; and p. 4, § 5, ¶ 2: “This is somewhat similar to L1 regularization. However, there are some important differences. Most significantly, the L1 penalty is subtracted off the model’s activation during training, rather than added to the training cost. This means that the penalty can eventually start to disappear if the model learns to make confident enough predictions that [Symbol font/0x7A] saturates.”)
Chen modified by Goodfellow teaches creating a synthetic sample signature for a machine learning model in col. 9, ll. 54, 60-62, and 64-67 (see citations and rationale immediately above) but does not appear to explicitly teach the synthetic sample signature is created to verify an identity of the machine learning model at runtime.
Moore does, however, teach:
creating, by the computer system, a synthetic sample signature, to verify an identity of the machine learning model at runtime, (Moore at Abstract: “a method of learning the behavior of a legacy system” that “includes gathering information with respect to inputs, outputs, and internal function of the legacy system; defining from the gathered information a set of behavioral rules describing the legacy system” where “legacy system processes are undocumented or poorly documented”; and “there may not be clear understanding of the full extent of what the legacy system processes are intended to accomplish” (¶ [0002]).  ¶ [0043]: “[t]hese rules, as discussed above, represent behavior observed by monitor”; ¶ [0095]: “[a]n output 130 generated by legacy process 110 may then be compared to an expected output 130 predicted by an applicable rule”; and “[i]f the actual output is equivalent to a first predicted output by the rule, then the rule is legitimate for at least a correctly-formatted input.”  
The examiner notes that Moore’s “rule” represents observed behaviors of an undocumented or poorly documented process or system, and that Moore’s determining the legitimacy of such a rule and hence the behaviors thereof by comparing expected outputs to previously generated outputs teaches verifying the identity of the process such as Chen’s machine learning model. More specifically, ¶¶ [0047]-[0049] of the present disclosure describe that the identity of a black-box process is verified by comparing expected labels with actual, returned labels. Therefore, the examiner asserts that Moore’s comparing observed behaviors of an undocumented process to/with corresponding behaviors to determine the legitimacy of observed behaviors (“rules”) at least implicitly teaches verifying the identity of the undocumented process. The examiner further notes that Moore’s testing the process with “rules” and observing the behaviors of the process being tested teaches determining the legitimacy and identity of the machine learning model at runtime.)
Chen, Goodfellow, and Moore are analogous art because all three references pertain to making predictions on data. 
It would have been obvious for a person of ordinary skill in the art prior to the effective filing date to have modified Chen in view of Goodfellow to incorporate Moore’s “behavioral rules” describing the behaviors of the execution of a process (Moore at ¶ [0095]).  The modification enables learning and modeling the behaviors of an undocumented process and effectively replicating the undocumented process with a replica for running on a new system, without completely writing new software components, to prevent catastrophic results from a failure of the undocumented process (Moore, ¶ [0043]: “These rules, as discussed above, represent behavior observed by monitor 155, checked by rule checker 150, and incorporated into the function of translator 145 and bypasser 160. Once a level of confidence is reached that the rules are acceptably accurate, legacy process 110, or one or more of its sub-processes, may be replaced with a legacy mimic 190. In this way, the behavior of legacy process 110 is retained without the necessity of writing completely new software components. Further, legacy mimic 190 may then be implemented on new hardware components, thus preventing catastrophic results that could occur from a failure of the obsolete hardware components of legacy process 110.” ¶ [0044]: “FIG. 1C illustrates the concept of a legacy mimic 190, which represents a system based on rules identified from the behavior of legacy process 110. When fully operational, legacy mimic 190 may be effectively a replication of legacy process 110.”)
 
With respect to claim 14 depending upon claim 13, it is substantially similar to claim 2 and is rejected in the same manner, the same art and reasoning applying.
 
With respect to claim 15 depending upon claim 13, it is substantially similar to claim 3 and is rejected in the same manner, the same art and reasoning applying.
 
With respect to claim 16 depending upon claim 13, it is substantially similar to claim 4 and is rejected in the same manner, the same art and reasoning applying.
 
With respect to claim 18 depending upon claim 13, it is substantially similar to claim 6 and is rejected in the same manner, the same art and reasoning applying.
 
            Claim 5, 11, and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen et al., U.S. Patent No. 10,839,291 in view of Moore U.S. Pat. App. Pub. No. 2011/0289027 and Goodfellow et al., Explaining and Harnessing Adversarial Examples (20 March 2015) (hereinafter Goodfellow) and further in view of Brennan U.S. Pat. App. Pub. No. 2018/0075368, filed September 12, 2016 (hereinafter Brennan).
With respect to claim 5, Chen modified by Goodfellow and Moore teaches the method of claim 1 from which claim 5 depends, and Chen further teaches:
The method according to claim 1, wherein creating a synthetic sample signature further comprises: receiving, by the computer system, a separate returned class label from the machine learning model for the plurality of synthetic samples; and (Chen, col. 1, l. 48: “deep neural network (DNN) training system”; col. 9, l. 14-15: “DNN training system 102”; col. 3, ll. 48-50: “one or more adversarial images that are misclassified by the first DNN”; col. 6, l. 58 “something different than target classification or class”.  col. 6, ll. 55-58: “the test image as an adversarial image (e.g., adversarial image 252-2) in adversarial image set 254-1 when the trained DNN classifies the test image as something different than target classification or class”.  Col. 8, ll. 13-15: “the test image may be identified as an adversarial image and included in an adversarial image set”; and “the adversarial images may be added to a subsequent training set (e.g., training set 216-2) as a new class.” The examiner notes that Chen’s adding a misclassified adversarial image and its misclassification as a new class into a training set for training teaches receiving a separate returned class label, and that the misclassification of “one or more adversarial images” teaches the claimed “separate returned class label”. The examiner thus asserts that Chen teaches the above limitation.)
organizing, by the computer system, separate returned class labels from among the plurality of returned class labels in the matrix (Chen, col. 6, l. 58 “something different than target classification or class”; col. 3, ll. 48-50: “one or more adversarial images that are misclassified by the first DNN”; col. 12, ll. 59-65: “data structures” for storing “a number of program modules” and “program data”.  The examiner notes that that Chen's misclassification of “one or more adversarial images” teaches the claimed separate returned class labels, and that Chen’s “data structures” storing program data such as the misclassification results teach the claimed matrix.)
wherein entries in the matrix correlates with a particular synthetic sample from among the plurality of synthetic samples in the synthetic sample signature. (Chen, col. 10, ll. 9-16”: “[a]t block 524, the adversarial images may be provided as an input”; and “the current training set may be updated with the adversarial images”.  The examiner notes that any one of “adversarial images” used in updating “the current training set” teaches a particular synthetic sample, and that storing the training result of such a particular synthetic sample in the matrix (e.g., the aforementioned data structure) teaches that entries in the matrix correspond to a particular synthetic sample.)
Chen teaches a particular synthetic sample, a plurality of synthetic samples, and a synthetic sample signature (see Chen, col. 9, ll. 54, 60-62, and 64-67, supra) but does not appear to explicitly teach:
the matrix that is sized as a size of the plurality of classes by the size of the plurality of classes,
Brennan, however, does teach the matrix that is sized as a size of the plurality of classes, (FIG. 3 and ¶¶ [0037]-[0038]: “confusion matrix” “represented misclassified data” and having a size of “the given sample size of plant type classification results” by “the given sample size of plant type classification results” where “all off-diagonal elements on the confusion matrix data structure 300 represent misclassified data”.  The examiner notes that the “confusion matrix” in FIG. 3 has a size of “the given sample size of plant type classification results” by “the given sample size of plant type classification results” so that “all off-diagonal elements on the confusion matrix data structure 300 represent misclassified data” and thus teaches the above limitation.)
In addition, Brennan also teaches:
wherein entries in the matrix correlates with a particular sample from among the plurality of samples in the sample signature. (¶ [0032]: “using a confusion matrix to identify commonly confused entity/relationship instances and to interrogate therefrom candidate features for use in recognizing class sets of entity/relationship instances with high misclassification rates”.  ¶ [0037]: “Specifically, each row represents an actual plant type, and each column represents a predicted plant type that can be confused with (i.e., incorrectly substituted for or even incorrectly transposed with) the correct or actual plant type. Therefore, each row and column combination indicates for a given pairing of plant types”. The examiner notes that the commonly confused entries in Brennan’s confusion matrix thus correlate with particular samples that are commonly misclassified.)
Therefore, the examiner asserts that Chen modified by Brennan teaches the above limitation in its entirety.
Chen, Moore, Goodfellow, and Brennan are analogous art because all four references pertain to making predictions on data. 
It would have been obvious for a person of ordinary skill in the art prior to the effective filing date to have modified Chen in view of Moore and Goodfellow to incorporate Brennan’s confusion matrix that correlates samples and sample signatures (Brennan, ¶¶ [0037]-[0038], supra). The modification not only allows users to identify commonly confused entity/relationship instances but also boosts error detection for training and evaluating computing systems (Brennan, ¶ [0032]: “In the system memory 220, a variety of programs may be stored in one or more memory devices, including a ground truth verification engine module 221 which may be invoked to process machine-annotated ground truth training set data using a confusion matrix to identify commonly confused entity/relationship instances and to interrogate therefrom candidate features for use in recognizing class sets of entity/relationship instances with high misclassification rates which are identified, prioritized, and highlighted as review candidates for a human annotator or SME to verify, either individually or in bulk, alone or in combination with evidence-based correction recommendations for the machine-annotated ground truth training set data, thereby boosting error detection and generating verified ground truth for use in training and evaluating a computing system (e.g., an IBM Watson™ QA system).”
 
With respect to claim 11 depending upon claim 8, it is substantially similar to claims 2 and 5 and is rejected in the same manner, the same art and reasoning applying.
 
With respect to claim 17 depending upon claim 13, it is substantially similar to claim 5 and is rejected in the same manner, the same art and reasoning applying. 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ERICH C. TZOU whose telephone number is (571)272-9852. The examiner can normally be reached Monday-Friday 6:00AM-5:30PM PST with alternative Fridays off.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ann J. Lo can be reached on 571-272-9767. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/E.C.T./Examiner, Art Unit 2126 
/ANN J LO/Supervisory Patent Examiner, Art Unit 2126