Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This communication is in response to the application filed on 10/06/2020. The Examiner acknowledges claims 1-20. No claims have been cancelled or added. Claims 1-20 are pending and claims 1-20 are allowed. Claims 1, 10, and 17 is/are independent.

Information Disclosure Statement
	The information disclosure statement(s) (IDS) submitted on 10/06/2020 and 05/16/2019 is/are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement(s) is/are being considered by the examiner.


Examiner’s Note
On February 28, 2022 Examiner contacted applicant's representative Daniel Hill (Reg. No. 35895) and requested approval to make minor changes to avoid potential antecedent basis issues. Applicant's representative agreed to the proposed changes and to send a Word document with the proposed changes to the examiner. Examiner received a Word document from applicant's representative on February 28.

On March 2, 2022 Examiner contacted applicant's representative and obtained approval to change, for claim 1, "low confidence" to "confidence below a predetermined threshold" and "high confidence" to "confidence above a predetermined threshold". See Examiner's Amendment below.

Examiner’s Amendment

An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner's amendment was given via telephone conversation and email from Attorney Daniel Hill (Reg. No. 35895) on February 28, 2022 and March 2, 2022.

The application has been amended as follows:

Amendments to the Claims:
This listing of claims will replace prior versions, and listings, of claims in the application:
Listing of Claims: 
1. (Currently Amended) A method for protecting a machine learning model, the method comprising:
providing [[a]] the machine learning model;
during inference operation, providing a plurality of input samples to the machine learning model;
receiving a plurality of output predictions from a predetermined node in the machine learning model in response to the plurality of input values; and
measuring a distribution of the plurality of output predictions from the predetermined node,
if the distribution of the plurality of output predictions indicates correct output category prediction with a confidence below a predetermined threshold, then the machine learning model is slowed to reduce a prediction rate of subsequent output predictions of the machine learning model; and
confidence above a predetermined threshold


14. (Currently Amended) The method of claim 10, wherein one or more delay nodes each further comprise a feedback loop with a delay element.  

19. (Currently Amended) The machine learning system of claim 18, wherein a predetermined node is characterized as being a node in a last hidden layer before an output layer of the machine learning model.  

		
Allowable Subject Matter
Claims 1-20 are allowed.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:

The prior art of record (in particular, Tramer et al., Stealing Machine Learning Models via Prediction APIs, Proceedings of the 25th USENIX Security Symposium, August 10–12, 2016 (hereinafter "Tramer")(submitted and uploaded by applicant with IDS), Lee et al., Defending Against Model Stealing Attacks Using Deceptive Perturbations, Association for the Advancement of Artificial Intelligence, May 2018 (hereinafter "Lee") (submitted and uploaded by applicant with IDS), Wiggers et al., IBM’s AI watermarking method protects models from theft and sabotage, https://venturebeat.com/2018/07/20/ibms-ai-watermarking-method-protects-
CLAIM 1

measuring a distribution of the plurality of output predictions from the predetermined node, 
if the distribution of the plurality of output predictions indicates correct output category prediction with a confidence below a predetermined threshold, then the machine learning model is slowed to reduce a prediction rate of subsequent output predictions of the machine learning model; and 
if the distribution of the plurality of predictions indicates correct output category prediction with a confidence above a predetermined threshold, then the machine learning model is not slowed to reduce the prediction rate of subsequent output predictions of the machine learning model.

CLAIM 10
determining a distribution of a plurality of output predictions from a predetermined node of the machine learning model, 
if the distribution of the plurality of output predictions indicates correct output category prediction with a confidence at least as high as a confidence of a previously generated output prediction, then a prediction rate of subsequently generated output values of the machine learning model is not reduced, and 
if the distribution of the plurality of output predictions indicates correct output category prediction with a lower confidence than a confidence of a previously generated output prediction, then the machine learning model is slowed to reduce the prediction rate of subsequently generated output predictions.





CLAIM 17
a machine learning protection circuit for receiving the output category predictions from the machine learning model, and in response, 
determining a distribution of the output category predictions, wherein a prediction rate of subsequently generated output category predictions is determined by the distribution of previously generated output category predictions, 
wherein determining the distribution is widening decreases the prediction rate and determining the distribution is narrowing does not decrease the prediction rate.

Rather, Tramer discloses various extraction algorithms and case studies, and describes possible countermeasures such as rounding confidences, differential privacy and ensemble methods [Tramer, section 5, 5.1, 5.2, and 7]. 
However, Tramer does not disclose at least the features of claim 1 quoted above.  
Lee discloses adding a small controllable perturbation maximizing the loss of a stolen model, thereby applying noise that has little influence to normal users but degrading and slowing down a model stealing attack [Lee, section 3, 1st paragraph].
Wiggers discloses embedding a watermark in a machine learning model and extracting the watermark to prove ownership [Wiggers, page 3]. 
Hendrycks discloses using a softmax prediction probability as a baseline for error and out-of-distribution detection [Hendrycks, sections 3 and 6].
Pogorelik discloses detecting an attempt to retrieve a machine learning model, which may include detecting an anomaly such as differences in stochastic distributions between feature sets in training and an inference data set and performing preventive measures including, for example, introducing a delay in execution of the machine learning model [Pogorelik, para. 16, 44].
However, the combination of Tramer, Lee, Wiggers, Hendrycks, and Pogorelik does not teach at least the features of claims 1, 10, and 17 quoted above.  
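
As an added illustration (not part of the Office action, the application, or any cited reference), the threshold behavior recited in the claim 1 features quoted above can be sketched as follows. The class name, the window size, the 0.8 threshold, the 50 ms step, and the use of the top softmax probability as the confidence measure are all assumptions chosen for the example.

```python
from collections import deque
from statistics import mean


class ConfidenceThrottle:
    """Slow subsequent predictions while recent confidence is below a threshold."""

    def __init__(self, threshold=0.8, window=3, step_ms=50, max_delay_ms=1000):
        self.threshold = threshold            # assumed "predetermined threshold"
        self.recent = deque(maxlen=window)    # sliding window of top-class confidences
        self.step_ms = step_ms
        self.max_delay_ms = max_delay_ms
        self.delay_ms = 0

    def observe(self, probs):
        """Record one output distribution; return the delay for the next prediction."""
        self.recent.append(max(probs))
        if len(self.recent) < self.recent.maxlen:
            return self.delay_ms              # too few samples to judge yet
        if mean(self.recent) < self.threshold:
            # Low confidence across the window: reduce the prediction rate further.
            self.delay_ms = min(self.delay_ms + self.step_ms, self.max_delay_ms)
        else:
            # High confidence: do not slow the model.
            self.delay_ms = 0
        return self.delay_ms


# Constructed sample outputs (not real model data): confident answers, then a run
# of near-boundary answers, then confident answers again.
CONFIDENT = [0.97, 0.02, 0.01]
UNCERTAIN = [0.40, 0.35, 0.25]
CONSTRUCTED_OUTPUTS = [CONFIDENT] * 3 + [UNCERTAIN] * 3 + [CONFIDENT] * 3


def simulate(outputs):
    """Return the delay (ms) that would precede the prediction after each output."""
    throttle = ConfidenceThrottle()
    return [throttle.observe(p) for p in outputs]


if __name__ == "__main__":
    print(simulate(CONSTRUCTED_OUTPUTS))
```

In this sketch the delay keeps growing while low-confidence outputs remain in the window and returns to zero once the window mean is back at or above the threshold.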


For the reasons described above, the prior art of record does not disclose, with respect to independent claim(s) 1, 10, and 17, features corresponding to those of independent claim(s) 1, 10, and 17 in their respective contexts. Therefore, the independent claim(s) 1, 10, and 17 is/are allowed.

Dependent claims 2-9, 11-16, and 18-20 are allowed in view of their respective dependence from independent claim(s) 1, 10, and 17.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to HOWARD H LOUIE whose telephone number is 571-272-0036.  The examiner can normally be reached on Monday-Friday 9 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung W. Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HOWARD H. LOUIE/Examiner, Art Unit 2494                                                     
	
/THEODORE C PARSONS/Primary Examiner, Art Unit 2494