DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1 and 8-13 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because claim 1 recites a device comprising a model partitioner, a public model data store, a private model data store that is not clearly a machine and may be software per se. Note dependent claims 2 and 4-6 recite the edge device includes, among other elements, a public model processor that is clearly a machine for these claims and those claims dependent on claims 2 and 5. To overcome this rejection, applicant should amend claim 1 with substance equivalent to “An edge device for distributed use of a machine learning model, the edge device comprising: one or more hardware processors;  a model partitioner to partition, by executing an instruction with at least one of the hardware processors, the machine learning model received from an aggregator into private layers and public layers …” as supported by claim 24 and IFW [0040]).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 

Claims 1-4, 8-18 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Publication No. 2018/0375638 A1 to Khanna et al. (“Khanna”) in view of U.S. Patent Publication No. 2020/0274898 A1 to Xie et al. (“Xie”).
As to claim 1, Khanna discloses edge device for distributed use of a machine learning model (Khanna: fig 1-17, [0095-106]: fig 12  … secure model portion 1202 includes one or more higher layers of neural network and one or more unsecure model portions include one or more lower layers of neural network  … or any other data processing models, computational models, machine learning models or artificial intelligence models suitable for being split into two or more portions … and may be used in processes in fig 1-16 [0101] … hub device 1200, provider network 102, edge devices or other devices in fig 12 may be the same as or include one or more same components as hub device, provider network, edge devices or any components in fig 1-11 and 13-16 [0095]), the edge device comprising:
a model partitioner to partition the machine learning model received from an aggregator into private layers and public layers (Khanna: fig 1-17, [0095-106]: fig 12 … model server (model partitioner) 1206 receives the secure model portions 1202 and unsecure model portions 1208 of data modeling process from provider network (aggregator) and splits (partitions) the received data processing model into the secure model portions (private layers) 1202 and unsecure model portions (public layers) 1208 and deploys unsecure model portions 1208 to respective edge devices 704 and sends secure model portions 1202 to secure execution environment 1204 [0098] … hub device 1200, provider network 102, edge devices or other devices in fig 12 may be the same as or include one or more same components as hub device, provider network, edge devices or any components in fig 1-11 and 13-16 [0095]).
Khanna did not explicitly disclose the edge device comprising a model partitioner to partition the machine learning model received from an aggregator into private layers and public layers (emphasis added).
edge devices or other devices in fig 12 may be the same as or include one or more same components as hub device, provider network, edge devices or any components in fig 1-11 and 13-16.
At the effective filing date, for AIA , it would have been obvious to a person of ordinary skill in the art to incorporate this obvious variation disclosed in Khanna.  The suggestion/motivation would have been to embrace all various modifications and changes made as would be obvious to a person skilled in the art having benefit of this disclosure (Khanna: [0141]).  
Khanna further discloses a public model data store implemented outside of a trusted execution environment of the edge device, the model partitioner to store the public layers in the public model data store (Khanna: fig 1-17, [0095-106; 107-113; 122-130]: fig 16 … model server (model partitioner) deploys unsecure model portions to respective edge devices and data collectors at edge devices collect respective data (store the public layers in the public model data store)  … edge devices perform operations on respective collected data using unsecure portions of model to generate processed data (a public model data store implemented outside of a trusted execution environment of the edge device) [0128] …fig 13 … hub device includes TPM (trusted platform module) 1302 includes memory that stores secure model portions 1202 … configured to prevent access to secure model portions 1202 from outside of secure environment 1204 (see with [0128] - a public model data store implemented outside of a trusted execution environment of the edge device) [0109]… hub device 1200, provider network 102, edge devices or other devices in fig 12 may be the same as or include one or more same components as hub device, provider network, edge devices or any components in fig 1-11 and 13-16 [0095]).
Khanna did not explicitly disclose a public model data store implemented outside of a trusted execution environment of the edge device, the model partitioner to store the public layers in the public model data store (emphasis added).
see with [0128] – such as a public model data store implemented outside of a trusted execution environment of the edge device) (Khanna: fig 12-13, [0109]).
Khanna did not explicitly disclose a public model data store implemented outside of a trusted execution environment of the edge device, the model partitioner to store the public layers in the public model data store (emphasis added).
Xie discloses a public model data store implemented outside of a trusted execution environment of the edge device, the model partitioner to store the public layers in the public model data store (emphasis added) (Xie: fig 1-6, [0034-40; 47-89; 58-72]: fig 1 … terminal device (edge device) 100 includes hardware platform and two running environments, a rich execution environment (REE) (a public model data store implemented outside of a trusted execution environment) 120 and a trusted execution environment (TEE) 140 that are isolated from each other  … fig 3 … a phase referred to as data collection phase of collecting access behavior data of a client application (CA) [0058] …  an access behavior data sample of accessing a to-be-protected service/interface (model partitioner) 10 … that may be deployed in the REE or TEE … forwards to a critical resource agent in the REE (the model partitioner to store the public layers in the public model data store) [0059] …).
Khanna and Xie are analogous art because they are from the same field of endeavor with respect to security.
At the effective filing date, for AIA , it would have been obvious to a person of ordinary skill in the art to incorporate the strategies by Xie into the device by Khanna.  The suggestion/motivation would have been to provide for a device to 
Khanna and Xie further disclose a private model data store implemented within the trusted execution environment of the edge device, the model partitioner to store the private layers in the private model data store (Khanna: fig 1-17, [0095-106; 107-113; 122-130]: …fig 13 … hub device includes TPM (trusted platform module) 1302 includes memory that stores secure model portions 1202 and secure processor 1306 to implement some or all of secure model portions 1202 (a private model data store implemented within the trusted execution environment of the edge device) [0109]… hub device 1200, provider network 102, edge devices or other devices in fig 12 may be the same as or include one or more same components as hub device, provider network, edge devices or any components in fig 1-11 and 13-16 [0095]).
Same motivation applies as mentioned above to make the proposed modification.
As to claim 2, Khanna and Xie disclose a public model processor to identify a feature in local data using the public layers  (Khanna: fig 1-17, [0095-106; 107-113; 122-130]:fig 12 … one or more unsecure model portions include one or more lower layers of the neural network (local data using the public layers) [0101]  … in the model training phase, a behavior modeler (public model processor)150 uses access behavior dataset 138 as data source … access behavior dataset can represent a feature, for example, a time interval between two consecutive accesses or a quantity of related critical resources that are held during an access [0060] … behavior modeler (public model processor)150 performs feature extraction on the access behavior dataset 138 [0065] … unsecure model portions 1208 perform one or more operations on collected data at edge devices 704 to generate processed data (see with [0060; 65] - identify a feature in local data using the public layers) and transmit some or all processed data to hub device for further processing [0100]);
a private model trainer to train the private layers using the feature (Khanna: fig 1-17, [0095-106; 107-113; 122-130]:fig 12 … secure model portion a private model trainer) 1202 in the secure execution environment 1204 to process received data from unsecured portions 1208 (see with [0060;65; 100-101] - to train the private layers using the feature) to generate result [0102] …); and
a model update provider to provide the trained private layers to the aggregator (Khanna: fig 1-17, [0095-106; 107-113; 122-130]:fig 12 … the secure model portion  1202 and/or hub device (a model update provider) may then transmit the result to one or more endpoints, e.g. provider network 102, one or more edge devices and/or one or more other devices (provide the trained private layers to the aggregator) [0102]).
For motivation, see rejection of claim 1.
As to claim 3, Khanna and Xie disclose wherein the private model trainer is implemented within the trusted execution environment (Khanna: fig 1-17, [0095-106; 107-113; 122-130]: fig 12 … hub device implements and/or executes the secure model portion (a private model trainer) 1202 in the secure execution environment 1204 to process received data from unsecured portions 1208  to generate result [0102]).
For motivation, see rejection of claim 1.
As to claim 4, Khanna and Xie disclose wherein the public model processor is implemented outside of the trusted execution environment  (Khanna: fig 1-17, [0095-106; 107-113; 122-130]: fig 12 … one or more unsecure model portions include one or more lower layers of the neural network (local data using the public layers) [0101]  … in the model training phase, a behavior modeler (public model processor)150 uses access behavior dataset 138 as data source … access behavior dataset can represent a feature, for example, a time interval between two consecutive accesses or a quantity of related critical resources that are held during an access [0060] and see fig 3 & 6 behavior modeler (public model processor)150 is outside of TEE 140).
For motivation, see rejection of claim 1.
claim 8, Khanna and Xie disclose wherein the model partitioner is to identify a layer of the machine learning model as one of the private layers when the layer is encrypted (Khanna: fig 1-17, [0095-106; 107-113; 122-130]: fig 16 … block 1602 receive a model at hub device, at least a secure portion of model is encrypted and block 1604 decrypt secure portion of model using a key to obtain a decrypted secure portion of the model [0122-123]).
For motivation, see rejection of claim 1.
As to claim 11, Khanna and Xie disclose wherein the public layers represent feature extraction layers (Khanna: fig 1-17, [0095-106; 107-113; 122-130]: fig 12 … one or more unsecure model portions include one or more lower layers of the neural network (public layers) [0101]  … in the model training phase, a behavior modeler 150 uses access behavior dataset 138 as data source … access behavior dataset can represent a feature, for example, a time interval between two consecutive accesses or a quantity of related critical resources that are held during an access (public layers represent feature extraction layers) [0060]).
For motivation, see rejection of claim 1.
As to claim 12, Khanna and Xie disclose wherein the private layers represent confidential classification layers (Khanna: fig 1-17, [0095-106; 107-113; 122-130]: fig 16 … block 1602 receive a model at hub device, at least a secure portion of model is encrypted (private layers represent confidential classification layers) and block 1604 decrypt secure portion of model using a key to obtain a decrypted secure portion of the model [0122-123]).
For motivation, see rejection of claim 1.
As to claim 13, Khanna and Xie disclose wherein the storing of the private layers within the trusted execution environment preserves the confidentiality of the private layers (Khanna: fig 1-17, [0095-106; 107-113; 122-130]: fig 16 … the secure execution environment may then identify one of the decrypted portions of the model as the secure model portion to remain in the secure execution environment [0124]).
For motivation, see rejection of claim 1.
claims 14-15 and 18, see similar rejection to claims 1-2 and 8, respectively. where the medium is taught by the device.
As to claim 24, see similar rejection to claim 1 where the method is taught by the device.
Claims 5-7 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Publication No. 2018/0375638 A1 to Khanna et al. (“Khanna”) in view of U.S. Patent Publication No. 2020/0274898 A1 to Xie et al. (“Xie”) and further in view of U.S. Patent Publication No. 2020/0125737 A1 to Zhao et al. (“Zhao”).
As to claim 5, Khanna and Xie disclose wherein the local data is first local data, the feature is a first feature (Khanna: fig 1-17, [0095-106; 107-113; 122-130]:fig 12 … one or more unsecure model portions include one or more lower layers of the neural network (local data) [0101]  … in the model training phase, a behavior modeler 150 uses access behavior dataset 138 as data source … access behavior dataset can represent a feature (feature is a first feature), for example, a time interval between two consecutive accesses or a quantity of related critical resources that are held during an access [0060]).
For motivation, see rejection of claim 1.
Khanna did not explicitly disclose a query handler to cause the public model processor to identify a second feature of second local data provided in a query; and a private model processor to utilize the private layers to generate a classification output based on the second feature, the query handler to provide the classification output as a result of the query.
Zhao discloses a query handler to cause the public model processor to identify a second feature of second local data provided in a query (Zhao: fig 1-9, [0021-76]: [0041] fig 1-3 … data miner (public model processor) obtains a global model through training … based on the feature set X={x., x2 … xn} that each data provider u(1-n) provides (public model processor to identify a second feature of second local data provided) [0025-26] … data miner and U data providers separately initialize and store model parameters (public model processor to identify a first feature of first local data provided) [0032] … any data provider u performs the following operations during one iteration … s101-public model processor to identify a second feature of second local data provided) [0052] … fig 9 … for data training … performed by model training apparatus of fig 6, the data providers and data miner of fig 7 … or for example, by any system, environment or combination as appropriate [0119]); 
and a private model processor to utilize the private layers to generate a classification output based on the second feature (Zhao: fig 1-9, [0021-76]: [0041] fig 1-3 …  a data miner can continuously update (1st 2nd … n feature(s)) public parameter set W(global) by using data of plurality of data providers (generate a classification output based on the second feature) and public parameter set W(global) downloaded each time by single data provider (private model processor) is a result obtained after the plurality of data providers jointly participate in an update … during training, a data provider needs only upload the result of each updated parameter to data miner (to generate a classification output based on the second feature), thereby ensuring data security of the shared data-provider (private model processor to utilize the private layers) [0052] … fig 9 … data miner maintains plurality of public parameters and each of data providers maintains plurality of public parameters … the set of public parameters downloaded may be subset [0120] … the model parameter update algorithm provides changes in private parameters before and after being replaced (based on 1st 2nd …n feature(s)) [0122]), 
the query handler to provide the classification output as a result of the query (Zhao: fig 1-9, [0021-76]: … the following describes solutions of the present application based on an example [0080] … assume that high-level training requirement is establishing, based on asset data of the user provided by two bank institutions, a model for predicting whether a user is capable of repaying a heavy loan schedule (… the classification output as a result of the query) [0081] … both a bank 1 and bank 2 can provide data that has features x1, x2, x3 and x4 and uses data as training samples [0084] …a high-level system see with [0080-81-84;90-91]- the query handler to provide the classification output as a result of the query) [0092]).
Khanna, Xie and Zhao are analogous art because they are from the same field of endeavor with respect to model training.
At the effective filing date, for AIA , it would have been obvious to a person of ordinary skill in the art to incorporate the strategies by Zhao into the device by Khanna and Xie.  The suggestion/motivation would have been to provide model training based on data sharing (Zhao: [0005]).
As to claim 6, see similar rejection to claim 3 where the device is taught by the device.
As to claim 7, Khanna, Xie and Zhao disclose wherein the query handler is to access the query from at least one of trusted input hardware or a local data provider (Zhao: fig 1-9, [0021-76]: … the following describes solutions of the present application based on an example [0080] … assume that high-level training requirement is establishing, based on asset data of the user provided by two bank institutions, a model for predicting whether a user is capable of repaying a heavy loan schedule [0081] … both a bank 1 and bank 2 can provide data that has features x1, x2, x3 and x4 and uses data as training samples (wherein the query handler is to access the query from at least one of trusted input hardware or a local data provider(s)) [0084]).
For motivation, see rejection of claim 5.
As to claim 16-17.
Claims 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Publication No. 2018/0375638 A1 to Khanna et al. (“Khanna”) in view of U.S. Patent Publication No. 2020/0274898 A1 to Xie et al. (“Xie”) and further in view of U.S. Patent Publication No. 2018/0136912 A1 to Venkataramani et al. (“Venkataramani”).
As to claim 9, Khanna and Xie disclose the device of claim 1.
For motivation, see rejection of claim 1.
Khanna did not explicitly disclose wherein the model partitioner is to identify a layer of the machine learning model as one of the private layers based on whether the layer is fully connected.
Venkataramani discloses wherein the model partitioner is to identify a layer of the machine learning model as one of the private layers based on whether the layer is fully connected (Venkataramani: fig 1-15, table 1, [0027-32; 89-104]: fig 1-4 & 6-7 a workflow for a deep learning system may include 1] define a deep learning (DL) network, its topology, the layer-types used, etc (model partitioner is to identify a layer of the machine learning model …) [0027-28] … for example,  … partitioning algorithm may use heuristics that extends partitions to multiple sets (see with [0027-28] - model partitioner is to identify a layer of the machine learning model …) [0108] … AlexNet is a publicly available DL network in the form of a CNN for performing image classification and the deep learning code generator may generate code automatically for the AlexNet image classifier [0090] … the net series-network object may include an array of objects that implement the layers of a pretrained AlexNet and these objects constructed from the Layer class provided  [0093] … net series-network object constructed may include twenty five layers as shown in table 1 (see table, for example, layers 2 and 6 “conv1” “conv2” convolution and layers 17 and 20 “fc6” “fc7” fully connected) (see with [0027-28; 108] - model partitioner is to identify a layer of the machine learning model as one of the private layers based on whether the layer is fully connected)[0094]).
Khanna, Xie and Venkataramani are analogous art because they are from the same field of endeavor with respect to deep learning (DL) network.

As to claim 10, Khanna, Xie and Venkataramani disclose the model partitioner is to identify a layer of the machine learning model as one of the private layers based on whether the layer is a convolutional layer (Venkataramani: fig 1-15, table 1, [0027-32; 89-104]: fig 1-4 & 6-7 a workflow for a deep learning system may include 1] define a deep learning (DL) network, its topology, the layer-types used, etc (model partitioner is to identify a layer of the machine learning model …) [0027-28] … for example,  … partitioning algorithm may use heuristics that extends partitions to multiple sets (see with [0027-28] - model partitioner is to identify a layer of the machine learning model …) [0108] … AlexNet is a publicly available DL network in the form of a CNN for performing image classification and the deep learning code generator may generate code automatically for the AlexNet image classifier [0090] … the net series-network object may include an array of objects that implement the layers of a pretrained AlexNet and these objects constructed from the Layer class provided  [0093] … net series-network object constructed may include twenty five layers as shown in table 1 (see table, for example, layers 2 and 6 “conv1” “conv2” convolution and layers 17 and 20 “fc6” “fc7” fully connected) (see with [0027-28; 108] - model partitioner is to identify a layer of the machine learning model as one of the private layers based on whether the layer is a convolutional layer)[0094]).
For motivation, see rejection of claim 10.
Conclusion
The following prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
A] US 20210112038 - Karame  
A trusted execution environment (TEE) and an untrusted processing system (UPS)
A computer-implemented method of instantiating a machine learning model with a host processing system is provided. The host processing system includes a trusted 
B] US 20210264274 – Kellerman
Partitioning a deep neural network (DNN) model into one or more sets of one or more private layers and one or more sets of one or more public layers, a set of one or more private layers being at least one key in a cryptographic system; and deploying the partitioned DNN model on one or more computing systems.
C] US 20190050683 – Gupta
Edge devices utilizing personalized machine learning and methods of operating the same are disclosed. An example edge device includes a model accessor to access a first machine learning model from a cloud service provider. A local data interface is to collect local user data. A model trainer is to train the first machine learning model to create a second machine learning model using the local user data. A local permissions data store is to store permissions indicating constraints on the local user data with respect to sharing outside of the edge device. A permissions enforcer is to apply permissions to the local user data to create a sub-set of the local user data to be shared outside of the edge device. A transmitter is to provide the sub-set of the local user data to a public data repository.
D] US 20200242268 – Epasto
Example systems and methods enhance user privacy by performing efficient on-device public-private computation on a combination of public and private data, such as, for example, public and private graph data. In particular, the on-device public-private computation framework described herein can enable a device associated with an entity to efficiently compute a combined output that takes into account and is explicitly based upon a combination of data that is associated with the entity and data that is associated with one or more other entities that are private connections of the entity, all without revealing to a centralized computing system a set of locally stored private data that identifies the one or more other entities that are private connections of the entity.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUNE SISON whose telephone number is (571)270-5693. The examiner can normally be reached 9:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise can be reached on 571-272-3865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.




/JUNE SISON/Primary Examiner, Art Unit 2455