DETAILED ACTION
This Office Action is in response to the Applicants' communication filed on February 18, 2022, which amends claims 1, 5, 7, 11, 13 and 17, presents arguments, is hereby acknowledged. Claims 1-18 are currently pending and have been examined.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/18/2022 has been entered.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Response to Arguments
Regarding limitations of Claims of  the instant case in view of the amended Claims and upon further consideration, a new ground(s) of rejection, necessitated by the amendments is made in view of different interpretation of the previously applied references and new prior art as presented in this Office action. Therefore, Applicant’s arguments are moot.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103, which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-18 are rejected under 35 U.S.C. 103 as being unpatentable over Papernot, N., McDaniel, P., Wu, X., Jha, S. and Swami, A., 2016, May. Distillation as a defense to adversarial perturbations against deep neural networks. In 2016 IEEE symposium on security and privacy (SP) (pp. 582-597). IEEE (Papernot), in view of US 20210192357 A1 (Sinha) and in further view of US 20200005133 A1 (Zhang), US 10936973 B1 (Wang) and He, Z., Rakin, A.S. and Fan, D., 2019. Parametric noise injection: Trainable randomness to improve deep neural network robustness against adversarial attack. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 588-597) (He).
Regarding Claims 1, 7 and 13, Papernot teaches:
A method for preventing model theft during classification, the method comprising: obtaining feature information of an object from a service requester; inputting the feature information of the object into a pre-trained classification model that outputs initial prediction including respective initial prediction probability corresponding to each category of a plurality of categories, wherein the classification model includes a pre-trained deep neural network including an input layer, a plurality of intermediate layers, and an output layer that are sequentially stacked; determining, from the plurality of categories, a category corresponding to a maximum initial prediction probability as a target category; selecting one or more target layers of the deep neural network from the input layer, the plurality of intermediate layers, and the output layer to add disturbance data; determining disturbance data corresponding to each of one or more target layers based on the target category, inputting the feature information into the classification model to obtain subsequent prediction including respective subsequent prediction probability corresponding to each category of the plurality if categories, wherein obtaining the subsequent prediction includes adding the disturbance data corresponding to each of the one or more target layers to data to be input into the target layer, a category from the plurality categories that corresponds to a maximum subsequent prediction probability remains the target category, and the maximum subsequent prediction probability is greater than the maximum initial prediction probability; and outputting the target category and the maximum subsequent prediction probability to the service requester (Papernot: Fig. 3, illustrates a framework to classify adversarial sample through two stage NN configuration that stage 1 performs direction sensitivity estimation, perturbation is selected and inputted into stage 2 for misclassification check, which is not a training process; Section III, a defense distillation scheme Fig. 5 that that uses input data X and Labels Y to train initial DNN to generate probability vector predictions F(x) (i.e. plurality of categories and target category), then the class probabilities knowledge and input data are feed into a 2nd level DNN to generate probability vector predictions for this distilled network, where distilled network training labels F(x) is a soft-matric target instead of hard class label Y(x) (i.e. disturbance is layer based); prediction probability of distilled network is great than the prediction probability of initial network due to that the mechanism improves misclassification from adversarial perturbations or attacks. ).
Papernot does not teach that distilled network uses gradient-based knowledge from initial DNN. However, Sinha teaches (Sinha: Fig. 2, an adversarial defense system that uses gradient trained auxiliary network (e.g. Figs. 1A-C) to generate Logits; the Logits from the auxiliary network is combined with Logits of main network to perform final classification for object y, where Figs. 1A-C illustrate a knowledge distillation system that trains auxiliary network based on gradients, [0025]-[0027] where gradient tensor is a scalar loss function with respect to the input or intermediate layer; i.e. Fig. 1A illustrates a training process on adversarial attacked and Figs. 1B-C use trained NN for adversarial defense and knowledge distillation. It is further noted that a trained NN needs to identify adversarial attacks before it can defend the attack, which it is design choice on whether output identified adversarial attacks because any of Sinha, Papernot is capable of identify trained adversarial attacks; the similar concept and procedures are also illustrated in e.g. Figs. 4A-B of Zhang that network is trained with clean and decoying data, or Wang of Fig. 3 that the network is trained with both clean samples and samples with perturbations. Once networks are trained, they are used to classify/identify adversarial attacks, e.g. steps of 301 – 303 of Wang and steps of 441, 480, 485-486 of Zhang)
It would have been obvious for one of ordinary skill in the art before the effective filling date of the claimed invention was made to modify Papernot with distilled network uses gradient-based knowledge from initial DNN as further taught by Sinha. The advantage of doing so is to provide a mechanism to generate and pass an adversarial gradient signal back to the main neural network to regulate main tensor of main network to enhance the main network capability for against adversarial perturbations in DNN (Sinha: [0004]-[0005]).
It would have been obvious for one of ordinary skill in the art before the effective filling date of the claimed invention was made to modify Papernot with detecting adversarial attacks through trained NN as further taught by Zhang and Wang. The advantage of doing so is to provide a mechanism to identify adversarial attacks and prevent misclassifications.
Papernot does not teach explicitly on selecting one or more target layers of the deep neural network from the input layer, the plurality of intermediate layers, and the output layer to add disturbance data. However, He teaches (He: section 3, injecting parametric noise to different components or locations (i.e. different layers) within a DNN, e.g. input/weight/inter-layer tensor).
It would have been obvious for one of ordinary skill in the art before the effective filling date of the claimed invention was made to modify Papernot with selecting one or more target layers of the deep neural network from the input layer, the plurality of intermediate layers, and the output layer as further taught by He. The advantage of doing so is to provide a mechanism to improve DNN robustness against adversarial attacks (He: Abstract).
Regarding Claims 2, 8 and 14, Papernot as modified teaches all elements of Claims 1, 7 and 13. Papernot as modified further teaches:
The method according to claim 1, wherein for each target layer, the disturbance data corresponding to the target layer is determined based on the target category and by performing: determining a target function by using the data input into the target layer as an independent variable, wherein the target function is positively correlated with a prediction probability corresponding to the target category; determining target data input into the target layer in the initial prediction; calculating a gradient value of the target function by using the target data as a value of the independent variable; and determining the disturbance data corresponding to the target layer based on the gradient value (Papernot: Fig. 5; Sinha: Figs 1A-C and 2).
Regarding Claims 3, 9 and 15, Papernot as modified teaches all elements of Claims 1-2, 7-8 and 13-14. Papernot as modified further teaches:
The method according to claim 2, wherein determining the disturbance data corresponding to the target layer based on the gradient value includes: obtaining a constant and a function, wherein the function is not monotonically decreasing; substituting the gradient value as the value of the independent variable into the function to obtain a target result; and calculating a product of the constant and the target result as the disturbance data (Sinha: [0025]-[0027], and Figs. 1A-C and 2).
Regarding Claims 4, 10 and 16, Papernot as modified teaches all elements of Claims 1-3, 7-9 and 13-15. Papernot as modified further teaches:
The method according to claim 3, wherein the function is a sign function (Sinha: [0034] – [0037], a sign function).
Regarding Claims 5, 11 and 17, Papernot as modified teaches all elements of Claims 1, 7 and 13 respectively. Papernot as modified further teaches:
The method according to claim 1, wherein selecting the one or more target layers includes selecting at least a last intermediate layer (Sinha: [0025]-[0027] where gradient tensor is a scalar loss function with respect to the input or intermediate layer; He: section 3; injecting parametric noise to different components or locations (i.e. different layers) within a DNN, e.g. input/weight/inter-layer tensor).
Regarding Claims 6, 12 and 18, Papernot as modified teaches all elements of Claims 1, 7 and 13 respectively. Papernot as modified further teaches:
The method according to claim 1, wherein the object includes at least one of a user, a merchant, a product, or an event (Papernot and Sinha, which is what their neural network do).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHITONG CHEN whose telephone number is (571)270-1936.  The examiner can normally be reached on M-F 9:30am - 5pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yuwen Pan can be reached on 571-272-7855.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ZHITONG CHEN/
Primary Examiner, Art Unit 2649