DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/07/2020 and 03/30/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 9-11 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over SHARMA et al. (Pub. No.: US 2021/0064760, hereinafter SHARMA) in view of HAZARD (Pub. No.: US 2020/0125968).
Regarding claim 1: SHARMA discloses A method, in a data processing system comprising at least one processor (SHARMA - Fig. 6, a processor 601), and at least one memory (SHARMA - memory 603) comprising instructions executed by the at least one processor to determine a susceptibility of a trained machine learning model to a cybersecurity threat, the method comprising:
executing a trained machine learning model on a test dataset to generate test results output data (SHARMA - [0038]: A privacy attack may involve an adversary feeding one or more inputs to the model and analyzing how a model responds);
determining an overfit measure of the trained machine learning model based on the generated test results output data, wherein the overfit measure quantifies an amount of overfitting of the trained machine learning model to a specific sub-portion of the test dataset (SHARMA - [0039]: Overfitting may occur where a machine learning algorithm builds a model that fits too closely to a limited set of data. In other words, the machine learning algorithm may build a model based on relationships it identifies and understands from the training data but those relationships do not generalize to all data sets. One result of overfitting may be that the model is better at predicting outcomes for samples included in the training data than on new samples the model has not seen before);
applying analytics to the overfit measure to determine a susceptibility probability that indicates a likelihood that the trained machine learning model is susceptible to a cybersecurity threat based on the determined amount of overfitting of the trained machine learning model (SHARMA - [0040]: In situations where overfitting has occurred, an adversary may use a model's confidence for a prediction provided in response to a sample input to infer whether the sample is or is not a member of the training data. See also [0041], [0042]: Correlational models may be susceptible to privacy attacks such as the membership inference attack where the adversary may correctly identify whether an input is from the training dataset 80% of the time, under different test distributions and sample sizes); and
However SHARMA doesn’t explicitly teach, but HAZARD discloses:
performing a corrective action based on the determined susceptibility probability (HAZARD - [0037]: Once the training data that caused the anomalous action to be taken is determined in block 150, then in block 160, the system can cause the removal of the portion of the reasoning model that caused the selection of the action to be taken).


It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of SHARMA with HAZARD so that a portion of leaning model is removed in case of anomaly action detected. The modification would have allowed the system to improving security. 
Regarding claim 9: SHARMA as modified discloses wherein the corrective action comprises outputting the determined susceptibility probability to a security incident and event management (SIEM) computing system (HAZARD - [0033]: Detecting an anomaly may include receiving a signal from part of the system or from another system that indicates an anomaly has occurred), and wherein the SIEM computing system automatically performs the corrective action in response to receiving the determined susceptibility probability from the data processing system (HAZARD - [0036]: the training context causing the anomalous action might be determined in other ways, such as searching the training contexts for the nearest context to the current context (similar to what is described above with respect to block 120). Such embodiments may search for all context-action pairs that would have caused selection of the anomalous action. As described below, in some embodiments, all such context-action pairs might then be removed in block 170).
HAZARD is combined with SHARMA herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claim 10: SHARMA as modified discloses wherein the corrective action comprises removing the trained machine learning model from runtime operation, retraining the machine learning model, identifying a training dataset used to train the machine learning model that is determined to be poisoned and notifying a provider of the poisoned training dataset, and rejecting the poisoned training dataset for use in training other machine learning models (HAZARD - [0021]: in block 150, the training data that caused the anomalous event is removed).
HAZARD is combined with SHARMA herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claims 11 and 19: Claims are directed to computer readable medium claims and do not teach or further define over the limitations recited in claims 1 and 9. Therefore, claims 11 and 19 are also rejected for similar reasons set forth in claims 1 and 9. 
Regarding claim 20: this claim defines a apparatus claim that corresponds to method claim 1 and does not define beyond limitations of claim 1. Therefore, claim 20 is rejected with the same rational as in the rejection of claim 1. 

Claims 2-4, 6, 8, 12-14, 16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over SHARMA et al. (Pub. No.: US 2021/0064760, hereinafter SHARMA) in view of HAZARD (Pub. No.: US 2020/0125968) and Baker (Pub. No.: US 2020/0285939).
Regarding claims 2 and 12: SHARMA as modified discloses wherein the sub-portion of the test dataset is a single data point in the test dataset (SHARMA - [0044]: A differential privacy guarantee may be a measure of how much an output from a model changes based on the presence or absence of a single data point in the training dataset),
However, SHARMA as modified doesn’t explicitly teach but Baker discloses wherein determining an overfit measure of the machine learning model comprises determining a stability of a decision surface around the single data point (Baker - [0147]: It also receives the information about the orthogonal vectors to the decision surface computed by the procedure illustrated in FIG. 22. Rapid changes in the direction orthogonal to the decision surface are an indication of overfitting. At block 117, the computer system 4100 also performs other tests for evidence of overfitting, such as testing the smoothness and consistency of the classification scores along a curve such as the one connecting two data examples, as described in FIG. 23).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of SHARMA and HAZARD with Baker so that determining overfitting is performed by testing the smoothness and consistency of the classification scores along a curve. The modification would have allowed the system to determine an overfit measure. 
Regarding claims 3 and 13: SHARMA as modified discloses wherein the stability of the decision surface around the single data point is determined based on sampling data points of a region around the single data point and determining a distribution of outputs corresponding to the sampled data points (SHARMA - [0175]: Finding near neighbors is also useful for making estimates of the local probability distribution. At block 188, the computer system 4100 estimates the probability density function of a category or cluster can be by counting the number of neighbors that are of that category or cluster within a region around a data example X and dividing by the volume of the region).
Regarding claims 4 and 14: SHARMA as modified discloses wherein the overfit measure is a wobbliness measurement derived based on an area, entropy, and variance of the outputs corresponding to the sampled data points (Baker - [0376]: a term can be added to the error cost function for classifier 1327 that rewards maximizing the entropy of the distribution of the data examples among the clusters).
Baker is combined with SHARMA and HAZARD herein for similar obviousness reasons and motivation and the same rationale as stated for claim 2.
Regarding claims 6 and 16: SHARMA as modified discloses wherein determining a susceptibility probability comprises training a susceptibility machine learning model to generate the susceptibility probability based on one or more of the area, entropy, and variance of the outputs corresponding to the sampled data points (SHARMA -[0064]: The E for a differential privacy guarantee may give an upper bound on the probability of a particular model output varying as a result of including (or removing) a single training example. The smaller the epsilon, the stronger the differential privacy guarantee).
Regarding claims 8 and 18: SHARMA as modified discloses wherein the single data point is a data point that represents a potential backdoor trigger for a backdoor in the trained machine learning model (SHARMA - [0078]: A differential privacy guarantee may be a measure of how much the output of a machine learning model changes in response to the presence or absence of a single data point in the training dataset. [0079]: The strength of a privacy guarantee may indicate a likelihood that a privacy attack on a machine learning model can determine whether a sample is a member of the data used to train the model).

Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over SHARMA et al. (Pub. No.: US 2021/0064760, hereinafter SHARMA) in view of HAZARD (Pub. No.: US 2020/0125968) and Sjögren et al. (Pub. No.: US 2021/0334656).
Regarding claims 7 and 17: SHARMA as modified doesn’t explicitly teach but Sjögren discloses wherein the machine learning model is a deep learning neural network model (Sjögren - [0029]: The machine learning model may be a deep learning model. Deep learning using deep neural networks has become very popular in many applications thanks to powerful transformations learned by deep neural networks).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of SHARMA and HAZARD with Sjögren so that deep learning  neural network model is used for analysis. The modification would have allowed the system to use deep learning model. 

Allowable Subject Matter
Claims 5 and 15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The reason for allowance will be furnished upon allowance of the application.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Trim et al. (Pub. No.: US 2021/0064929) - Detecting and preventing unwanted model training data
Rouhani et al. (Pub. No.: US 2020/0167471) - Detection and prevention of adversarial deep learning
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/
Primary Examiner, Art Unit 2437