DETAILED ACTION
This communication is responsive to the application # 16/442,336 filed on June 14, 2019. Claims 1-20 are pending and are directed toward DIFFERENTIAL PRIVACY TO PREVENT MACHINE LEARNING MODEL MEMBERSHIP INFERENCE.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Drawings
The drawings are objected to because instead of ϕ, ψ is shown at FIG. 1.  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet”   
Claim Objections
Claims 2 and 13 are objected to because of the following informalities: a period is missing at the end of the claim. Each claim should begin with a capital letter and end with a period. Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. Claim 1 is directed to a mathematical relationship. A mathematical relationship is a relationship between variables or numbers. A mathematical relationship may be expressed in words or using mathematical symbols. For example, pressure (p) can be described as the ratio between the magnitude of the normal force (F) and area of the surface on contact (A), or it can be set forth in the form of an equation such as p = F/A. (MPEP, 2106.04(a)(2)(A)).
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as a combination do not amount to significantly more than the abstract idea. The type of information being manipulated does not impose meaningful limitations or render the idea less abstract. Looking at the elements as a combination does not add anything 
Claims 2-20 do not amount to significantly more than the abstract idea itself based on the same rationale as having the same or similar limitations, without including additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as a combination do not amount to significantly more than the abstract idea. The claims are not patent eligible.
For example: Claim 2 is not eligible because a claim that recites a numerical formula or equation will be considered as falling within the "mathematical concepts" grouping. In addition, there are instances where a formula or equation is written in text format that should also be considered as falling within this grouping. For example, the phrase "determining a ratio of A to B" is merely using a textual replacement for the particular equation (ratio = A/B). Additionally, the phrase "calculating the force of the object by multiplying its mass by its acceleration" is using a textual replacement for the particular equation (F= ma). (MPEP, 2106.04(a)(2)(B)).
Claims 2-6 are not eligible because they enumerate known algorithms without significantly more.
Claim 7 has a limitation that is part of a definition of DP-SGD, and therefore is rejected for the same reasons as claims 2-6.
Claims 8-20 have the same deficiencies as provided for claims 1-7 above.
Claims 10 and 11 are additionally rejected as being directed to a signal, being claimed as “non-tangible storage media”. See also Specification [0040].
Invitation to Participate in DSMER Pilot Program
The present application satisfies the criteria for participation set forth in the Federal Register Notice entitled “Deferred Subject Matter Eligibility Response (DSMER) Pilot Program.” Therefore, the examiner invites applicant to participate in the DSMER pilot program. 
An applicant who accepts the invitation to participate in this pilot program must still file a reply to every Office action mailed in this application, but may defer presenting arguments or amendments in response to subject matter eligibility (SME) rejection(s) until the earlier of final disposition of the application, or the withdrawal or obviation of all other outstanding non-SME rejections. A final disposition for purposes of this pilot program occurs upon the earliest of: mailing of a notice of allowance; mailing of a final Office action; filing of a notice of appeal; filing of a request for continued examination; or abandonment of the application. Other than applicant’s ability to defer responding to SME rejections, participation in the DSMER pilot program does not alter the normal examination process (e.g., as outlined in MPEP 700), and applicant must still respond to all non-SME rejections when replying to Office actions. 
Further information about the pilot program, including an explanation of the criteria for receiving an invitation, and the conditions of participation, is provided in the Federal Register Notice announcing the program, which is available on the pilot program website https://www.uspto.gov/patents/initiatives/patent-application-initiatives/deferred-subject-matter-eligibility-response.
Applicant has two choices with respect to this invitation:
(1) Applicant may elect to participate in the DSMER pilot program. To effect this choice, applicant MUST accept this invitation by filing a completed request form PTO/SB/456 with a 
(2) Applicant may decline to participate in the pilot program. No action is required from applicant to effect this choice, because if applicant does not timely file a properly completed form PTO/SB/456, the application will not be entered into the pilot program.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 9 and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention. Claims 9 and 20 have limitations, wherein the differential privacy mechanism having the highest mitigation efficiency ratio is automatically incorporated into the data science process along with its parameters. However according to claims 8 and 19 the data science process comprises an 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-7 and 10-18 are rejected under 35 U.S.C. 103 as being unpatentable over Bassily et al.  (Private Empirical Risk Minimization: Efficient Algorithms and Tight Error Bounds, 2014 IEEE, pages 464-473) in view of Shokri et al. (Membership Inference Attacks Against Machine Learning Models, arXiv:1610.05820v2 [cs.CR] 31 Mar 2017, 16 pages), hereinafter referred to as Bassily and Shokri respectively.
As per claim 1, Bassily teaches a method of maintaining machine learning model data privacy (Convex empirical risk minimization is a basic tool in machine learning and statistics. We provide new algorithms and matching lower bounds for differentially private convex empirical risk minimization, Bassily, page 464) comprising:
training a machine learning model forming part of a data science process using data anonymized using each of two or more differential privacy mechanisms (We show that simple approaches to smoothing arbitrary loss functions (in order to apply previous techniques) do not yield optimal error rates. In particular, optimal algorithms were not previously known for problems such as training support vector machines and the high-dimensional median. Bassily, page 464);
determining, for each of the two or more differential privacy mechanisms (We give separate algorithms (and lower bounds) for (, 0)- and (, δ)-differential privacy; perhaps surprisingly, the techniques used for designing optimal algorithms in the two cases are completely different. Bassily, page 464),
Bassily does not use Applicant's terminology; Shokri, however, teaches a level of accuracy and a level of precision when evaluating data with known classifications (Fig.4 and Fig.5. Shokri, page 8);
Bassily in view of Shokri are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Bassily in view of Shokri. This would have been desirable because the setting for our inference attack is as follows. The attacker is given a data record and black-box query access to the target model. The attack succeeds if the attacker can correctly determine whether this data record was part of the model’s training dataset or not. The standard metrics for attack accuracy are precision (what fraction of records inferred as members are indeed members of the training dataset) and recall (what fraction of the training dataset’s members are correctly inferred as members by the attacker) (Shokri, pages 3-4).

Bassily in view of Shokri further teaches determining, using the respective determined levels of precision and accuracy (Theorem III.2 (Utility guarantee). Let θpriv be the output of Aexp−samp (Algorithm 2 above). Then, we have the following guarantee on the expected excess risk. Bassily, page 469), a mitigation efficiency ratio for each of the two or more differential privacy mechanisms (Vol(Ai)/Vol(A2), Bassily, page 469);
and incorporating the differential privacy mechanism having a highest mitigation efficiency ratio and its parameters into the data science process (In this section, we complete the picture by deriving lower bounds on the excess risk caused by differentially private algorithm for risk minimization. Bassily, page 471).
As per claim 2, Bassily in view of Shokri teaches the method of claim 1, wherein the mitigation efficiency ratio is defined as φ and is based on changes in accuracy and precisions of the machine learning model, wherein: φ =(largest change accuracy-actual change accuracy/largest change accuracy)/(largest change precision-actual change precision/largest change precision) (Vol(Ai)/Vol(A2), Bassily, page 469, and see Setting Parameters. Bassily, page 465).
As per claim 3, Bassily in view of Shokri teaches the method of claim 1, wherein a first of the two or more differential privacy mechanisms comprises local differential privacy (LDP) (We show a generic -differentially private algorithm for minimizing Lipschitz strongly convex loss functions based on a combination of a simple pre-processing step (called the localization step) and any generic -differentially private algorithm for Lipschitz convex loss functions. We carry out the localization step using a simple output perturbation algorithm, Bassily, page 470).
As per claim 4, Bassily in view of Shokri teaches the method of claim 3, wherein the LDP is realized using local randomizers (At each step t, the algorithm samples a random point di from the data set, computes a noisy version of di’s contribution to the gradient of L at the current estimate ˜θt, and then uses that noisy measurement to update the parameter estimate. The algorithm is similar to algorithms that have appeared previously ([41] first investigated gradient descent with noisy updates; stochastic variants were studied by [21, 14, 39]). The novelty of our analysis lies in taking advantage of the randomness in the choice of di (following [25]) to run the algorithm for many steps without a significant cost to privacy. Bassily, page 465).
As per claim 5, Bassily in view of Shokri teaches the method of claim 3, wherein the LDP anonymizes the training data prior to its being used to train the machine learning model (Noisy real data. The attacker may have access to some data that is similar to the target model’s training data and can be considered as a “noisy” version thereof. In our experiments with location datasets, we simulate this by flipping the (binary) values of 10% or 20% randomly selected features, then training our shadow models on the resulting noisy dataset. Shokri, pages 5-6).
Bassily in view of Shokri are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Bassily in view of Shokri. This would have been desirable because this scenario models the case where the training data for the target and shadow models are not sampled from exactly the same population, or else sampled in a non-uniform way (Shokri, page 6).

As per claim 6, Bassily in view of Shokri teaches the method of claim 1, wherein a second of the two or more differential privacy mechanisms comprises differential privacy stochastic descent gradient (DP-SGD) (Gradient descent-based algorithms. Bassily, page 465).
As per claim 7, Bassily in view of Shokri teaches the method of claim 6, wherein the DP-SGD anonymizes the training data while it is being used to train the machine learning model (In Figure 11, we look deeper into the factors that contribute to attack accuracy per class, including how overfitted the model is and what fraction of the training data belongs to each class. The (train-test) accuracy gap is the difference between the accuracy of the target model on its training and test data. Similar metrics are used in the literature to measure how overfitted a model is [18]. We compute this metric for each class. Shokri, page 11).
Bassily in view of Shokri are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Bassily in view 

Claims 10-18 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of obviousness as used above.
Claims 8, 9, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bassily et al.  (Private Empirical Risk Minimization: Efficient Algorithms and Tight Error Bounds, 2014 IEEE, pages 464-473) in view of Shokri et al. (Membership Inference Attacks Against Machine Learning Models, arXiv:1610.05820v2 [cs.CR] 31 Mar 2017, 16 pages), in view of Rollins (Foundational Methodology for Data Science, IBM, 2015, 6 pages), hereinafter referred to as Bassily, Shokri and Rollins respectively.
As per claim 8, Bassily in view of Shokri teaches the method of claim 1, but does not teach sequence of stages, Rollins however teaches wherein the data science process comprises an automated sequence of stages including a business understanding stage, a privacy negotiation stage, a data understanding stage, a data preparation stage, a modeling stage, an evaluation stage, and a deployment stage (Figure 1. Foundational Methodology for Data Science, pages 3-5, Rollins).
Bassily in view of Shokri in view of Rollins are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Bassily in view of Shokri in view of Rollins. This would have been desirable because the flow of the methodology illustrates the iterative nature of the problem-solving process. As data scientists learn more about the data and the modeling, they frequently return to a previous stage to make adjustments. Models are not created once, deployed and left in place as is; instead, through feedback, refinement and redeployment, models are continually improved and adapted to evolving conditions. In this way, both the model and the work behind it can provide continuous value to the organization for as long as the solution is needed. (Rollins, page 5).

As per claim 9, Bassily in view of Shokri teaches the method of claim 8, wherein the differential privacy mechanism having the highest mitigation efficiency ratio is automatically incorporated into the data science process along with its parameters (Instead, when adaptively choosing a model for a customer supplied dataset, services such as Google Prediction API and Amazon ML should take into account not only the accuracy of the model but also the risk that it will leak information about its training data. Furthermore, they need to explicitly warn customers about this risk and provide more visibility into the model and the methods that can be used to reduce this leakage. Our inference attacks can be used as metrics to quantify leakage from a specific model, and also to measure the effectiveness of future privacy protection techniques deployed by machine-learning services. Shokri, page 13).
Bassily in view of Shokri in view of Rollins are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Bassily in view of Shokri in view of Rollins. This would have been desirable because in the case of machine learning as a service, platform operators such as Google and Amazon have significant responsibility to the users of their services. In their current form, these services simply accept the data, produce a model of unknown type and structure, and return an opaque API to this model that data owners use as they see fit, without any understanding that by doing so, they may be leaking out their data. Machine learning services do not inform their customers about the risks of overfitting or the harm that may result from models trained on inadequate datasets (for example, with unrepresentative records or too few representatives for certain classes) (Shokri, page 13). 

Claims 19 and 20 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of obviousness as used above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on 5:00 AM- 4:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLEG KORSAK/
Primary Examiner, Art Unit 2492