Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This office action is in response to the communication filed on 10/23/2019.
Claims 1-15 have been examined.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/14/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Shen et al. (“Auror: Defending Against Poisoning Attacks in Collaborative Deep Learning Systems”).
Regarding claims 1, 12, and 14, Shen disclosed a system, method, and CRM, for detecting model poisoning attempts in a federated learning system comprising a server orchestrating with clients to train a machine learning model, the method comprising: receiving, by the server, results of a poisoning detection analysis (updated gradients), the poisoning detection analysis comprising at least one of an analysis of class-specific misclassification rates or an analysis of activation clustering of a current state of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claims 2, 13, and 15, Shen disclosed selecting, by the server, a subset of clients from the clients to perform the poisoning detection analysis on the current state of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example); sending, by the server, to the subset of clients, at least the current state of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example); and receiving, by the server from at least one client of the subset of clients, the results of the poisoning detection analysis (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claim 3, Shen disclosed determining, by the server from the results of the poisoning detection analysis, a number of the subset of clients that have accepted the current state of the machine learning model (users who returned their gradient values) (Shen Sections 2.3, 2.4, 3.2, and 5, for example); and determining, by the server, to update the current state of the model to a new state based upon the number of the subset of clients that have accepted the current state of the machine leaning model to meeting a threshold.
Regarding claim 4, Shen disclosed selecting, by the server, a new subset of clients from the clients to perform the poisoning detection analysis on the new state of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example); sending, by the server, to the new subset of clients, at least the new state of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example); and receiving, by the server from at least one client of the new subset of clients, the results of the poisoning detection analysis (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claim 5, Shen disclosed sending, by the server, a specification of the poisoning detection analysis to the subset of clients, the specification comprising instructions on whether to perform one or both of the analysis of class-specific misclassification rates or the analysis of activation clustering (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claim 6, Shen disclosed performing the analysis of class-specific misclassification rates comprises: applying test data to the current state of the machine learning model to obtain predictions (Shen Sections 2.3, 2.4, 3.2, and 5, for example); comparing the predictions to expected labels to obtain a misclassification distribution (Shen Sections 2.3, 2.4, 3.2, and 5, for example); applying at least one metric to determine one or more aggregation of distances (Shen Sections 2.3, 2.4, 3.2, and 5, for example); and flagging the current state of the model as poisoned based upon the one or more distances exceeding a threshold (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claim 7, Shen disclosed that the at least one metric comprises distances among class-specific error rates for the current state of the machine learning model as compared to a previous state of the machine learning model or pairwise differences in error rates among classes for the current state of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claim 8, Shen disclosed that the aggregation performed corresponds to at least one of sum, absolute, Euclidian, or squared Euclidean norms (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claim 9, Shen disclosed that performing the analysis of activation clustering comprises: applying test data as an input to the current state of the machine learning model to determine activations of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example); extracting the activations from the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example); sorting the activations according to predicted classes into groups (Shen Sections 2.3, 2.4, 3.2, and 5, for example); performing a dimension reduction on each group of the sorted activations (Shen Sections 2.3, 2.4, 3.2, and 5, for example); clustering the reduced activations into clusters (Shen Sections 2.3, 2.4, 3.2, and 5, for example); and applying at least one metric to the clusters to determine whether at least one threshold is exceeded (Shen Sections 2.3, 2.4, 3.2, and 5, for example); and flagging the current state of the model as poisoned based upon exceeding the at least one threshold (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claim 10, Shen disclosed that the at least one metric comprises at least one of a threshold size of the clusters, a threshold centroid distance of the clusters, or a threshold class-wise average silhouette of the clusters (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claim 11, Shen disclosed applying, by the server, test data as an input to the current state of the machine learning model in order to determine predictions for use in the analysis of class-specific misclassification rates or to extract activations for use in the analysis of activation clustering (Shen Sections 2, 3.2, and 5, for example).


Conclusion
Claims 1-15 have been rejected.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
“Mitigating Sybils in Federated Learning Poisoning” taught another system for training multi-party machine learning models including determining Euclidian distance between clusters of gradients from various clients.  
US 11,227,050 taught a system for ranking data instances on federated clients and determining anomaly scores (likelihood of poisoning) based on rations between average distance and largest distance between selected and additional data instances.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW T HENNING whose telephone number is (571)272-3790. The examiner can normally be reached Monday- Thursday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: 





/MATTHEW T HENNING/            Primary Examiner, Art Unit 2491