Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. These claims are directed to an abstract idea without significantly more. 

Step 1: Claims 1-13 are directed to a method (i.e., process), claims 14-19 are directed to a non-transitory computer-readable mediums (i.e., product/article of manufacture); therefore, all pending claims are directed to one of the four statutory categories of invention.
Step 2A, Prong 1: Independent Claim 1 recites A method of evaluating the robustness of a Deep Neural Network (DNN) model, the method comprising: obtaining a set of training data-points correctly predicted by the DNN model (data collection - insignificant extra-solution activity); obtaining a set of realistic transformations of the set of training data-points correctly predicted by the DNN model, the set of realistic transformations corresponding to additional data-points within a predetermined mathematical distance from each of a training data-point of the set of training data-points (data collection - insignificant extra-solution creating a robustness profile corresponding to whether the DNN model accurately predicts an outcome for the additional data-points of the set of realistic transformations (Mental processes -observation, evaluation, judgment, opinion); generating a robustness evaluation of the DNN model based on the robustness profile (outputting the data - insignificant extra-solution activity).
Independent Claim 7 recites A method of evaluating a first Deep Neural Network (DNN) as compared to a second DNN in terms of robustness, the method comprising: obtaining a set of training data-points correctly predicted by both the first DNN model and the second DNN model (data collection - insignificant extra-solution activity); obtaining a set of realistic transformations of the set of training data-points correctly predicted by both the first DNN model and second DNN model, the set of realistic transformations corresponding to additional data-points within a predetermined mathematical distance from each of a training data-point of the set of training data-points (data collection - insignificant extra-solution activity); creating a first robustness profile corresponding to whether the first DNN model accurately predicts an outcome for the additional data-points of the set of realistic transformations (Mental processes -observation, evaluation, judgment, opinion); creating a second robustness profile corresponding to whether the second DNN model accurately predicts an outcome for the additional data-points of the set of realistic transformations (Mental processes -observation, evaluation, judgment, opinion); generating a first robustness evaluation of the first DNN model based on the robustness profile (outputting the data - insignificant extra-solution activity); generating a second robustness evaluation of the second DNN model based on the robustness profile (outputting the data - insignificant extra-solution activity); identifying whether the first DNN model or the second DNN model has greater robustness based on the first robustness evaluation and the second robustness evaluation (Mental processes -observation, evaluation, judgment, opinion).
Independent claim 14 recites similar limitations as found in claim 1, and a similar analysis applies. Claim 14 includes the additional limitations of “A non-transitory computer-readable storage medium configured to store instructions that, in response to being executed, cause a system to perform operations, the operations comprising:” These also appear to be a high-level recitation of generic computer components to automate an abstract idea, a mental process, which is able to 
be performed by a person in their mind.
Accordingly, the claims recite an abstract idea.
Step 2A, Prong 2: This judicial exception is not integrated into a practical application because the claim language only recites elements tied to the types of data collected for use in the Mental Processes and does not include claim language demonstrating a claimed practical application and because it does not impose any meaningful limitations on practicing the abstract idea. The collecting (obtaining) steps in claims 1, 7, and 14 are recited at a high level of generality (i.e., as a general means of obtaining data for use in the evaluation (creating, identifying) steps) and amount to mere data gathering, which is a form of insignificant extra-solution activity. See MPEP 2106.05(g).

Each of the additional limitations is no more than mere instructions to apply the exception using a generic computer component. Simply implementing the abstract idea on a generic computer is not a practical application of the abstract idea. Generating a first (or second) robustness evaluation of the first (or second) DNN model based on the robustness profile is simply implementing the abstract idea on a generic computer or merely using a computer as a tool to perform an abstract idea. See applicant's specification [0030] Fig. 2 for generic computer description. The judicial exception is not integrated into a practical application. Accordingly, the claim as a whole does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea and the claim recites an abstract idea.
Independent 14 include computer components as discussed above in step 2A, Prong 1. However, each of the additional limitations is no more than mere instructions to apply the exception using a generic computer component. Simply implementing the abstract idea on a generic computer for storing in memory or sending information over a network is not a practical application of the abstract idea. Such elements do no integrate the abstract idea into a practical application and are conventional functions of generically claimed computer uses or are insignificant extra-solution activity. See MPEP 2106.05(d).

Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, in the Step 2A, Prong Two analysis, the additional elements of performing steps “A non-transitory computer-readable storage medium configured to store instructions that, in response to being executed, cause a system to perform operations, the operations comprising” are construed as a generic or conventional computer components, to perform the mental process and amount to no more than mere instructions to apply the exception using a generic computer component. Thus, the independent claims do not add significantly more than the abstract idea. Therefore, the claims are not patent eligible under 35 U.S.C. 101.
The same conclusion is reached for the dependent claims of claim 1, 7, and 14 see below for detail.
Claims 2-6 are dependent on independent claim 1. 
The dependent claim 2 recite The method of claim 1, further comprising:  identifying a plurality of robustness holes in the DNN model corresponding to additional data-points where the DNN model is determined as inaccurately predicting the outcome of the additional data-points. This is a further recitation of a limitation within the Mental processes (observation, evaluation, judgment, opinion) enumerated category of abstract ideas.
3 recite The method of claim 2, wherein the DNN model is an image classification model and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space. This is merely describing the type of data that links the data to a field of use. See MPEP 2106.05(h). The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.
The dependent claim 4 recites The method of claim 2, the robustness evaluation of the DNN model identifies a particular class of realistic transformations where there are identified robustness holes. This is a further recitation of a limitation within the Mental processes (observation, evaluation, judgment, opinion) enumerated category of abstract ideas.
The dependent claim 5 recites The method of claim 1, wherein the robustness evaluation of the DNN model comprises a graph illustrating the robustness at the additional data-points of the realistic transformations. This is merely describing the type of data that links the data to a field of use. See MPEP 2106.05(h). The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.
6 recites The method of claim 1, wherein the DNN model is a malware detection model, wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code. This is merely describing the type of data that links the data to a field of use. See MPEP 2106.05(h). The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.
Claims 8-13 are dependent on independent claim 7. 
The dependent claim 8 recite The method of claim 7, further comprising: identifying a plurality of robustness holes in each of the first and second DNN models corresponding to additional data-points where each of the respective first and second DNN models are determined as inaccurately predicting the outcome of the additional data-points. This is a further recitation of a limitation within the Mental processes (observation, evaluation, judgment, opinion) enumerated category of abstract ideas.
The dependent claim 9 recite The method of claim 8, wherein each of the first and second DNN models are image classification models and the predetermined mathematical distance is a LP- norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space. This is merely describing the type of data that links the data to a field of use. See MPEP 
The dependent claim 10 recite The method of claim 8, wherein each of the first and second DNN models are malware detection models and wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code. This is merely describing the type of data that links the data to a field of use. See MPEP 2106.05(h). The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.
The dependent claim 11 recites The method of claim 8, wherein the robustness evaluation of each of the first and second DNN models comprises a graph illustrating the robustness at the additional data-points of the realistic transformations. This is merely describing the type of data that links the data to a field of use. See MPEP 2106.05(h). The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.
12 recites The method of claim 8, wherein the robustness evaluation of each of the DNN models identify a particular class of an initial image classification where there are identified robustness holes. This is a further recitation of a limitation within the Mental processes (observation, evaluation, judgment, opinion) enumerated category of abstract ideas.
The dependent claim 13 recites The method of claim 7, the method further comprising recommending either the first or second DNN model for a particular application based which of the first DNN model or the second DNN model is identified as having greater robustness. This is a further recitation of a limitation within the Mental processes (observation, evaluation, judgment, opinion) enumerated category of abstract ideas.
Claims 15-19 are dependent on independent claim 14. 
The dependent claim 15 recite The computer-readable storage medium of claim 14, wherein the operations further comprise: identifying a plurality of robustness holes in the DNN model corresponding to additional data-points where the DNN model is determined as inaccurately predicting the outcome of the additional data-points. This is a further recitation of a limitation within the Mental processes (observation, evaluation, judgment, opinion) enumerated category of abstract ideas.
The dependent claim 16 recite The computer-readable storage medium of claim 15, wherein the DNN model is an image classification model and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space. This is merely describing the type of data that links the data to a field of use. See MPEP 2106.05(h). The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.
The dependent claim 17 recites The computer-readable storage medium of claim 14, wherein the DNN model is a malware detection model, wherein the robustness evaluation of the DNN model identifies a particular class of realistic transformations where there are identified robustness holes. This is a further recitation of a limitation within the Mental processes (observation, evaluation, judgment, opinion) enumerated category of abstract ideas.
The dependent claim 18 recites The computer-readable storage medium of claim 14, wherein the robustness evaluation of the DNN model comprises a graph illustrating the robustness at the additional data-points of the realistic transformations. This is merely describing the type of data that links the data to a field of use. See MPEP 2106.05(h). The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.
The dependent claim 19 recites The computer-readable storage medium of claim 14, wherein the DNN model is a malware detection model, wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code. This is merely describing the type of data that links the data to a field of use. See MPEP 2106.05(h). The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.
Therefore, claims 1-20 are not patent eligible.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all 
obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-5, 14-15, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Cicek (SaaS: Speed as a Supervisor for Semi-supervised Learning – May 2018).

Regarding claim 1 Fawzi teaches obtaining a set of realistic transformations of the set of training data-points correctly predicted by the DNN model, the set of realistic transformations corresponding to additional data-points within a predetermined mathematical distance from each of a training data-point of the set of training data-points ([page 56, Fig. 5] (a) The original image. The remaining images are minimally perturbed images (along with the corresponding estimated label) that misclassify the CaffeNet deep neural network. (b) Adversarial perturbation, (c) random noise, (d) semirandom noise with m = 1000, (e) universal perturbation, (f) affine transformation.). The examiner notes that Fawzi teaches in [Figure 5] an original image and multiple transformations of the original image showing minimal perturbations and the corresponding estimated labels.)
creating a robustness profile corresponding to whether the DNN model accurately predicts an outcome for the additional data-points of the set of realistic transformations ([Page 52, Figure 2] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions
of x1 (i.e., T = {Tr (x1):r ∈ R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Figure 2] a representation of how well a classifier performs against different levels of perturbations.)
generating a robustness evaluation of the DNN model based on the robustness profile. ([Page57, Fig 7] The two-dimensional normal cross sections of the 
However, though Fawzi teaches A method of evaluating the robustness of a Deep Neural Network (DNN) model, the method comprising: as stated above, Fawzi fails to explicitly teach obtaining a set of training data-points correctly predicted by the DNN model.
On the other hand, Cicek teaches obtaining a set of training data-points correctly predicted by the DNN model. ([Page 1, Fig. 1]
Supervision quality affects learning speed. During training, the loss decreases rapidly when most labels provided are correct, and slows down significantly as the percentage of correct labels decreases. The left plot shows the loss when training a Resnet18 on CIFAR10 for different percentages of corrupted labels. The error bars show mean and standard deviation over 3 runs with random initial weights. The right panel shows the loss as a function of the percentage of incorrect labels for a unit of time corresponding to ten epochs. All the results use a fixed learning rate of 0:1, with no data augmentation or weight decay. The examiner notes that Cicek teaches in [Fig 1] correctly classifying images when labels do not experience corruption. The examiner also notes that Fawzi A method of evaluating the robustness of a Deep Neural Network (DNN) model, the method comprising: obtaining a set of training data-points correctly predicted by the DNN model as taught by Cicek [Fig 1] to measure the quality of an iterative estimate of the posterior probability of unknown labels [Page 1, Para 1]).

Regarding claim 2 Fawzi teaches The method of claim 1, further comprising: identifying a plurality of robustness holes in the DNN model corresponding to additional data-points where the DNN model is determined as inaccurately predicting the outcome of the additional data-points. ([Page 52, Para. 5] Hence,
despite being zero risk, this classifier is highly unstable to additive perturbation, as it suffices to perturb the bias of the image (i.e., by adding a very small value to all pixels) to cause misclassification).

Regarding claim 4 Fawzi teaches The method of claim 2, wherein the robustness evaluation of the DNN model identifies a particular class of realistic transformations where there are identified robustness holes. ([Page 51, Para. 6] Before going into more detail about robustness, we first define some notations. Let X denote the ambient space where images live. We denote by R the set of admissible perturbations. For example, when considering geometric perturbations, R is set to be 

Regarding claim 5 Fawzi teaches The method of claim 1, wherein the robustness evaluation of the DNN model comprises a graph illustrating the robustness at the additional data-points of the realistic transformations. ([Page 52, Figure 2] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions of x1 (i.e., T = {Tr (x1):r ∈ R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Figure 2] a representation of how well a classifier performs against different levels of perturbations).

Regarding claim 14 Fawzi teaches obtaining a set of realistic transformations of the set of training data-points correctly predicted by the DNN model, the set of realistic transformations corresponding to additional data-points within a predetermined mathematical distance from each of a training data-point of the set of training data-points ([page 56, Fig. 5] (a) The original image. The remaining images are minimally perturbed images (along with the corresponding estimated label) that misclassify the CaffeNet deep neural network. (b) Adversarial perturbation, (c) random noise, (d) semirandom noise with m = 1000, (e) universal perturbation, (f) affine transformation. (Figure used courtesy of [17].). The examiner notes that Fawzi teaches in [Figure 5] an original image and multiple transformations of the original image showing minimal perturbations and the corresponding estimated labels.)
creating a robustness profile corresponding to whether the DNN model accurately predicts an outcome for the additional data-points of the set of realistic transformations ([Page 52, Figure 2] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions
of x1 (i.e., T = {Tr (x1):r ∈ R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Figure 2] a representation of how well a classifier performs against different levels of perturbations.)
generating a robustness evaluation of the DNN model based on the robustness profile. ([Page57, Fig 7] The two-dimensional normal cross sections of the decision boundaries for three different classifiers near randomly chosen samples. The section is spanned by the adversarial perturbation of the data point x (vertical axis) and a random vector in the tangent space to the decision boundary (horizontal axis). The green region is the classification region of x. The decision boundaries with different classes are illustrated in different colors. Note the difference in range between the x and y axes. (a) VGG-F (ImageNet), (b) LeNet (CIFAR), (c) LeNet (MNIST). (Figure used with permission from [18].) The examiner notes that Fawzi teaches in [Fig. 7] a visual evaluation of how well three different models classify perturbed samples.)
However, Fawzi fails to teach A non-transitory computer-readable storage medium configured to store instructions that, in response to being executed, cause a system to perform operations, the operations comprising: obtaining a set of training data-points correctly predicted by the DNN model.
A non-transitory computer-readable storage medium configured to store instructions that, in response to being executed, cause a system to perform operations, the operations comprising: obtaining a set of training data-points correctly predicted by the DNN model. ([Page 1, Fig. 1]
Supervision quality affects learning speed. During training, the loss decreases rapidly when most labels provided are correct, and slows down significantly as the percentage of correct labels decreases. The left plot shows the loss when training a Resnet18 on CIFAR10 for different percentages of corrupted labels. The error bars show mean and standard deviation over 3 runs with random initial weights. The right panel shows the loss as a function of the percentage of incorrect labels for a unit of time corresponding to ten epochs. All the results use a fixed learning rate of 0:1, with no data augmentation or weight decay. The examiner notes that Cicek teaches in [Fig 1] correctly classifying images when labels do not experience corruption. The examiner also notes that Fawzi and Cicek are both considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fawzi’s analysis of deep classifiers’ robustness to perturbation to incorporate A non-transitory computer-readable storage medium configured to store instructions that, in response to being executed, cause a system to perform operations, the operations comprising: obtaining a set of training data-points correctly predicted by the DNN model as taught by Cicek [Fig 1] to measure the 

Regarding claim 15 Fawzi teaches The computer-readable storage medium of claim 14, wherein the operations further comprise: identifying a plurality of robustness holes in the DNN model corresponding to additional data-points where the DNN model is determined as inaccurately predicting the outcome of the additional data-points. ([Page 52, Para. 5] Hence, despite being zero risk, this classifier is highly unstable to additive perturbation, as it suffices to perturb the bias of the image (i.e., by adding a very small value to all pixels) to cause misclassification.)

Regarding claim 18 Fawzi teaches The computer-readable storage medium of claim 14, wherein the robustness evaluation of the DNN model comprises a graph illustrating the robustness at the additional data-points of the realistic transformations. ([Page 52, Figure 2] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions of x1 (i.e., T = {Tr (x1):r ∈ R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Figure 2] a representation of how well a classifier performs against different levels of perturbations).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Cicek 

Regarding claim 3 Fawzi/Cicek teach The method of claim 2. wherein the DNN model is an image classification model. However, Fawzi/Cicek fail to explicitly teach and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space.
On the other hand, Carlini teaches and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space. ([Page 42, para.2] L2 distance measures the standard Euclidean (root-mean-square) distance between x and x’. The L2 distance can remain small when there are many small changes to many pixels. The examiner notes that Fawzi/Cicek and Carlini are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Cicek)’s analysis of deep classifiers’ robustness to perturbation to incorporate and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space as taught by Carlini [Page 42, Para 2] to construct attacks that perform superior to the state-of-the art [Page 42, Para 5]).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Cicek (SaaS: Speed as a Supervisor for Semi-supervised Learning – May 2018) further in view of Krasser (US 10832168B2).

Regarding claim 6 Fawzi/Cicek teach The method of claim 1 however Fawzi/Cicek fail to explicitly teach wherein the DNN model is a malware detection model, wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code.
On the other hand, Krasser teaches wherein the DNN model is a malware detection model, wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code. ([Col. 3, line 39] While example techniques described herein may refer to analyzing a program that may potentially be malware, it is understood that the techniques may also apply to other non-malicious software that includes code obfuscation or other transformation performed by a generator. The examiner notes that Fawzi/Cicek and Krasser are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Cicek)’s analysis of deep wherein the DNN model is a malware detection model, wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code as taught by Krasser [Col. 3, Line 39] to make it more difficult to locate security vulnerabilities in the code [Page 3, Line 44]).

Claims 7 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Baluja (The Virtues of Peer Pressure: A Simple Method for Discovering High-Value Mistakes - 2015), further in view of Brajim-Belhouari (Model selection based on robustness criterion with measurement application - 1999).

Regarding claim 7 Fawzi teaches creating a first robustness profile corresponding to whether the first DNN model accurately predicts an outcome for the additional data-points of the set of realistic transformations ([Page 52, Figure 2] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions of x1 (i.e., T ={Tr (x1):r ! R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Fig. 2] a profile representing the robustness of a classifier 
creating a second robustness profile corresponding to whether the second DNN model accurately predicts an outcome for the additional data-points of the set of realistic transformations ([Page 52, Figure 2] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions of x1 (i.e., T ={Tr (x1):r ! R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Fig. 2] a profile representing the robustness of a classifier vs perturbations. The examiner also notes that Fawzi teaches in [Fig. 7] that his analysis was done on multiple classifiers).
generating a first robustness evaluation of the first DNN model based on the robustness profile ([Page57, Fig 7] The two-dimensional normal cross sections of the decision boundaries for three different classifiers near randomly chosen samples. The section is spanned by the adversarial perturbation of the data point x (vertical axis) and a random vector in the tangent space to the decision boundary (horizontal axis). The green region is the classification region of x. The decision boundaries with different classes are illustrated in different colors. Note the difference in range between the x and y axes. (a) VGG-F (ImageNet), (b) LeNet (CIFAR), (c) LeNet (MNIST). (Figure used with permission from [18].) The examiner notes that Fawzi teaches in [Fig. 7] a visual evaluation of how well three different models classify perturbed samples.)
generating a second robustness evaluation of the second DNN model based on the robustness profile ([Page57, Fig 7] The two-dimensional normal cross sections of the decision boundaries for three different classifiers near randomly chosen samples. The section is spanned by the adversarial perturbation of the data point x (vertical axis) and a random vector in the tangent space to the decision boundary (horizontal axis). The green region is the classification region of x. The decision boundaries with different classes are illustrated in different colors. Note the difference in range between the x and y axes. (a) VGG-F (ImageNet), (b) LeNet (CIFAR), (c) LeNet (MNIST). (Figure used with permission from [18].) The examiner notes that Fawzi teaches in [Fig. 7] a visual evaluation of how well three different models classify perturbed samples.)
However, Fawzi fails to explicitly teach, the method comprising: obtaining a set of training data-points correctly predicted by both the first DNN model and the second DNN model. Furthermore, Fawzi fails to explicitly teach obtaining a set of realistic transformations of the set of training data-points correctly predicted by both the first DNN model and second DNN model, the set of realistic transformations corresponding to additional data-points within a predetermined mathematical distance from each of a training data-point of the set of training data-points. Furthermore, Fawzi fails to explicitly teach identifying whether the first DNN model or the second DNN model has greater robustness based on the first robustness evaluation and the second robustness evaluation. 
    On the other hand, Baluja teaches A method of evaluating a first Deep Neural Network (DNN) as compared to a second DNN in terms of robustness, the method comprising: obtaining a set of training data-points correctly predicted by both the first DNN model and the second DNN model ([Page 99, Para 3] With both of these approaches, we use the consistent classification of the peer networks as a filter to select images. The examiner notes that Fawzi and Baluja are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fawzi’s analysis of deep classifiers’ robustness to perturbation to incorporate A method of evaluating a first Deep Neural Network (DNN) as compared to a second DNN in terms of robustness, the method comprising: obtaining a set of training data-points correctly predicted by both the first DNN model and the second DNN model as taught by Baluja [Page 99, Para 3] to efficiently and intuitively discover input instances that are misclassified by well-trained neural networks [Page 96, Para 1]).
Furthermore, Baluja teaches obtaining a set of realistic transformations of the set of training data-points correctly predicted by both the first DNN model and second DNN model, the set of realistic transformations corresponding to additional data-points within a predetermined mathematical distance from each of a training data-point of the set of training data-points ([page 100, para 1] Illustrating using the MNIST example, we start by randomly selecting a digit image from the training set (seed). We also randomly generate a small affine transformation (e.g., small rotation, translation, stretch). The examiner notes that Baluja teaches in [Page 99-100] the correct classification of images by multiple networks and then applying affine transformations to some of those images. The examiner also notes that Fawzi and obtaining a set of realistic transformations of the set of training data-points correctly predicted by both the first DNN model and second DNN model, the set of realistic transformations corresponding to additional data-points within a predetermined mathematical distance from each of a training data-point of the set of training data-points as taught by Baluja [page 100, para 1] to efficiently and intuitively discover input instances that are misclassified by well-trained neural networks [Page 96, Para 1]).
Furthermore, Brajim-Belhouari teaches identifying whether the first DNN model or the second DNN model has greater robustness based on the first robustness evaluation and the second robustness evaluation. ([Page 202. Para.1] The problem of nonlinear model selection has been considered for a measurement dedicated approach. A simple selection procedure, based on robustness to deviations of the distribution laws from the assumed ones, has been proposed. The examiner notes that Fawzi/Baluja and Brajim-Belhouari are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Baluja)’s analysis of deep classifiers’ robustness to perturbation to incorporate identifying whether the first DNN model or the second DNN model has greater robustness based on the first robustness evaluation and the second robustness evaluation as taught by Brajim-Belhouari [Page 202. Para.1] to estimate parameters efficiently without exact knowledge of noise distribution [Page 202. Para.1]).

Regarding claim 13 Fawzi/Baluja/Brajim-Belhouari teaches The method of claim 7, the method further comprising recommending either the first or second DNN model for a particular application based which of the first DNN model or the second DNN model is identified as having greater robustness. ([Page 196, Para. 4 on Brajim-Belhouari] we compute the performance deviation of each candidate model structure. By the means of the proposed selection criterion the less sensitive model is chosen (Section 4)).

Claims 8, 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Baluja (The Virtues of Peer Pressure: A Simple Method for Discovering High-Value Mistakes - 2015), further in view of Brajim-Belhouari (Model selection based on robustness criterion with measurement application - 1999), further in view of Rozsa (Adversarial Diversity and Hard Positive Generation - 2016).

Regarding claim 8, Fawzi/Baluja/Brajim-Belhouari teach The method of claim 7 but fail to explicitly teach further comprising: identifying a plurality of robustness holes in each of the first and second DNN models corresponding to additional data-points where each of the respective first and second DNN models are determined as inaccurately predicting the outcome of the additional data-points.
further comprising: identifying a plurality of robustness holes in each of the first and second DNN models corresponding to additional data-points where each of the respective first and second DNN models are determined as inaccurately predicting the outcome of the additional data-points. ([Page 7, Table 1] Error rates of various adversarial and hard positive trained networks on both MNIST and adversarial test sets. Increasing adversarial diversity clearly improves results. The examiner notes that Rozsa teaches in [Table 1] a list of classifiers and the percentage of their misclassification of input data. The examiner notes that Fawzi/Baluja/Brajim-Belhouari and Rozsa are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Baluja/Brajim-Belhouari)’s analysis of deep classifiers’ robustness to perturbation to incorporate further comprising: identifying a plurality of robustness holes in each of the first and second DNN models corresponding to additional data-points where each of the respective first and second DNN models are determined as inaccurately predicting the outcome of the additional data-points as taught by Rozsa [Page 7. Table 1] to generate perturbations that correspond to semantically meaningful image structures [Page 1, Para 1]).

Regarding claim 11, Fawzi/Baluja/Brajim-Belhouari/Rozsa teaches The method of claim 8, wherein the robustness evaluation of each of the first and second DNN models comprises a graph illustrating the robustness at the additional data-points of the realistic transformations. ([Page 52, Figure 2 on Fawzi] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions of x1 (i.e., T = {Tr (x1):r ∈ R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Figure 2] a representation of how well a classifier performs against different levels of perturbations. The examiner also notes that Fawzi teaches in [Fig 7] that his analysis is done on multiple classifiers).

Regarding claim 12, Fawzi/Baluja/Brajim-Belhouari/Rozsa teaches The method of claim 8, wherein the robustness evaluation of each of the DNN models identify a particular class of an initial image classification where there are identified robustness holes. ([Page 7, Table 1 on Rozsa] Error rates of various adversarial and hard positive trained networks on both MNIST and adversarial test sets. Increasing adversarial diversity clearly improves results. The examiner notes that Rozsa teaches in [Table 1] a list of classifiers and the rate of their misclassification of input data.)

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Baluja (The Virtues of Peer Pressure: A Simple Method for Discovering High-Value Mistakes - 2015), further in view of Brajim-Belhouari (Model selection based on robustness criterion with measurement application - 1999), further in view of Rozsa (Adversarial .

Regarding claim 9 Fawzi/Baluja/Brajim-Belhouari/Rozsa teach The method of claim 8, but fail to explicitly teach wherein each of the first and second DNN models are image classification models and the predetermined mathematical distance is a LP- norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space.
However, Carlini teaches wherein each of the first and second DNN models are image classification models and the predetermined mathematical distance is a LP- norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space ([Page 42, para.2] L2 distance measures the standard Euclidean (root-mean-square) distance between x and x’. The L2 distance can remain small when there are many small changes to many pixels. The examiner notes that Fawzi/Rozsa/Brajim-Belhouari/Rozsa and Carlini are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Rozsa/Brajim-Belhouari/Rozsa)’s analysis of deep classifiers’ robustness to perturbation to incorporate wherein each of the first and second DNN models are image classification models and the predetermined mathematical distance is a LP- norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space as taught by Carlini [Page .

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Baluja (The Virtues of Peer Pressure: A Simple Method for Discovering High-Value Mistakes - 2015), further in view of Brajim-Belhouari (Model selection based on robustness criterion with measurement application - 1999), further in view of Rozsa (Adversarial Diversity and Hard Positive Generation - 2016), further in view of Krasser (US 10832168B2).

Regarding claim 10 Fawzi/Baluja/Brajim-Belhouari/Rozsa teach The method of claim 8 but fail to explicitly teach wherein each of the first and second DNN models are malware detection models, and fail to explicitly teach wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code.
However, Krasser teaches wherein each of the first and second DNN models are malware detection models. ([Col 18, line 57] In some examples, at operation 402, the operation module 228 operates a second computational model 404 based at least in part on the trial feature vector 322 to determine whether the trial data stream 116 is associated with malware. For example, the second computational model 404 can operate on the trial feature vector 322 to provide a classification 120 indicating whether wherein each of the first and second DNN models are malware detection models as taught by Krasser [Col 18, line 57] to determine
whether the trial data stream is associated with malware [Col 18, Line 59]).
Furthermore, Krasser teaches wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code ([Col. 3, line 39] While example techniques described herein may refer to analyzing a program that may potentially be malware, it is understood that the techniques may also apply to other non-malicious software that includes code obfuscation or other transformation performed by a generator. The examiner notes that Fawzi/Rozsa/Brajim-Belhouari/Rozsa and Krasser are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Rozsa/Brajim-Belhouari/Rozsa)’s analysis of deep classifiers’ robustness to perturbation to incorporate wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code as taught by Krasser [Col. 3, Line 39] to make it more difficult to locate security vulnerabilities in the code [Page 3, Line 44])

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Cicek (SaaS: Speed as a Supervisor for Semi-supervised Learning – May 2018), further in view of Carlini (Towards Evaluating the Robustness of Neural Networks - 2017).

Regarding claim 16, Fawzi/Cicek teach The computer-readable storage medium of claim 15 but fails to explicitly teach wherein the DNN model is an image classification model and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space.
However, Carlini teaches wherein the DNN model is an image classification model and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space  ([Page 42, Para 2] L2 distance measures the standard Euclidean (root-mean-square) distance between x and x’. The L2 distance can remain small when there are many small pixels. The examiner notes that Fawzi/Cicek and Carlini are considered analogous because they are in the same field of computational wherein the DNN model is an image classification model and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space as taught by Carlini [Page 42, Para 2] to construct attacks that perform superior to the state-of-the art [Page 42, Para 5]).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Cicek (SaaS: Speed as a Supervisor for Semi-supervised Learning – May 2018), further in view of Krasser (US 10832168B2).

Regarding claim 17 Fawzi/Cicek teach wherein the robustness evaluation of the DNN model identifies a particular class of realistic transformations where there are identified robustness holes ([Page 51, Para. 6 on Fawzi] Before going into more detail about robustness, we first define some notations. Let X denote the ambient space where images live. We denote by R the set of admissible perturbations. For example, when considering geometric perturbations, R is set to be the group of geometric (e.g., affine) transformations under study. The examiner notes that Fawzi teaches perturbations that cause affine transformations).
The computer-readable storage medium of claim 14, Fawzi/Cicek fail to explicitly teach wherein the DNN model is a malware detection model.
On the other hand, Krasser teaches wherein the DNN model is a malware detection model. ([Col 18, line 57] In some examples, at operation 402, the operation module 228 operates a second computational model 404 based at least in part on the trial feature vector 322 to determine whether the trial data stream 116 is associated with malware. For example, the second computational model 404 can operate on the trial feature vector 322 to provide a classification 120 indicating whether trial data stream 116 is associated with malware, or is associated with a specific type of malware. The examiner notes that Fawzi/Cicek and Krasser are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Cicek)’s analysis of deep classifiers’ robustness to perturbation to incorporate wherein the DNN model is a malware detection model as taught by Krasser [Col 18, line 57] to determine whether the trial data stream is associated with malware [Col 18, Line 59]).

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Cicek (SaaS: Speed as a Supervisor for Semi-supervised Learning – May 2018), further in view of Krasser (US 10832168B2).

Regarding claim 19 Fawzi/Cicek teach The computer-readable storage medium of claim 14. However, Fawzi/Cicek fail to explicitly teach wherein the DNN model is a malware detection model, and Fawzi/Cicek fail to explicitly teach wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code.
On the other hand, Krasser teaches wherein the DNN model is a malware detection model. ([Col 18, line 57] In some examples, at operation 402, the operation module 228 operates a second computational model 404 based at least in part on the trial feature vector 322 to determine whether the trial data stream 116 is associated with malware. For example, the second computational model 404 can operate on the trial feature vector 322 to provide a classification 120 indicating whether trial data stream 116 is associated with malware, or is associated with a specific type of malware. The examiner notes that Fawzi/Cicek and Krasser are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Cicek)’s analysis of deep classifiers’ robustness to perturbation to incorporate wherein the DNN model is a malware detection model as taught by Krasser [Col 18, line 57] to determine whether the trial data stream is associated with malware [Col 18, Line 59]).
Furthermore, Krasser teaches wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code ([Col. 3, line 39] While example techniques described herein may refer to analyzing a program that may potentially be malware, it is understood that the techniques may also apply to other non-malicious software that includes code obfuscation or other transformation performed by a generator. The examiner notes that Fawzi/Cicek and Krasser are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Cicek)’s analysis of deep classifiers’ robustness to perturbation to incorporate wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code as taught by Krasser [Col. 3, Line 39] to make it more difficult to locate security vulnerabilities in the code [Page 3, Line 44]).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Karam - US20190303720A1
Hara - US20170228639A1
Papernot-The Limitations of Deep Learning in Adversarial Settings 2016
Fawzi-Analysis of classifiers’ robustness to adversarial perturbations 2016

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAMCY ALGHAZZY whose telephone number is (571)272-8824. The examiner can normally be reached Monday-Friday 7:30am-4:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Omar Fernandez Rivas can be reached on (571) 272-2589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OMAR F FERNANDEZ RIVAS/Supervisory Patent Examiner, Art Unit 2128