DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 29-48 are pending in this application.
Claims 29-48 are newly added as part of preliminary amendment submitted on 04/09/2020.
Claims 1-28 are cancelled.
The IDSs submitted on 04/09/2020 and 02/11/2021 have been considered.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 29-32, 35, 40-43 and 46 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Costa et al. (US 2017/0372226 A1) (hereinafter, “Costa”).

As to claim 29, Costa discloses an apparatus comprising: 
at least one processing core (“The processor monitors memory accesses to the trusted execution environment so that only code running in a trusted execution environment is able to access data in the trusted execution environment.” -e.g. see, [0025] see also, [0056]; herein, Costa teaches a processing core; see also, [0054], [0130]), 
at least one memory including computer program code (“A multi-party privacy-preserving machine learning system is described which has a trusted execution environment comprising at least one protected memory region. A code loader at the system loads machine learning code, received from at least one of the parties, into the protected memory region. A data uploader uploads confidential data, received from at least one of the parties, to the protected memory region.” -e.g. see, [0005], see also, [0025], [0030], [0034]), 
the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to store training data (“The data center then receives secure data uploads 306 over the secure channel(s). The uploaded data comprises training data and/or test data for use with the machine learning code. The uploaded data is secure, for example by being encrypted by a secret key generated by the entity making the data available for upload.” -e.g. see, [0038]; see also, [0005], [0029], [0037], [0070]); 
provide a trusted execution environment (“FIG. 1 is a schematic diagram of a privacy-preserving machine learning system comprising a data center 106 comprising at least one trusted execution environment 100 which controls a secure memory region.” -e.g. see, [0025]); and run, in the trusted execution environment, a training process configured to obtain parameters of a neural network, using the training data (“The trusted execution environment decrypts the data 310 using the key(s) it received and executes 312 machine learning training or test phase processes according to the code uploaded by the code-loader. The trusted execution environment executes the machine learning code in a data-oblivious manner either by using oblivious random access memory 316 or by using machine learning processes that have side channel protection 314. The output of the data-oblivious machine learning process is encrypted and output 318 from the data center to one or more of the parties, such as server A in the example of FIG. 1 or end user devices 114 in the example of FIG. 1.” -e.g. see, [0039]; herein, Costa teaches a training process (i.e. machine learning process) configured to obtain parameters (i.e. the output of the data-oblivious machine learning process); Costa further teaches: “In various examples, the trusted execution environment is configured to train one or more neural networks using the data oblivious supervised learning scheme of FIG. 6 above where the training data is securely shuffled.” -e.g. see, [0077]; herein, machine learning model is a neural network).

As to claim 40, it is rejected using the similar rationale as for the rejection of claim 29.

As to claim 30, Costa discloses wherein the apparatus is further configured to provide another execution environment, the trusted execution environment being provided with at least one hardware and/or software security feature not provided for the another execution environment (“In some examples the trusted execution environment is implemented using hardware such that the secure memory region is isolated from any other code, including operating system and hypervisor. In some examples the trusted execution environment is implemented using a trusted virtual machine.” -e.g. see, [0026]; herein, operating system and/or hypervisor are running in separate environment (i.e. another execution environment) and the trusted execution environment is provided with one hardware and/or software security feature (i.e. secure memory), see also, [0025]).

As to claim 41, it is rejected using the similar rationale as for the rejection of claim 30.

As to claim 31, Costa discloses wherein the memory is accessible to at least two execution environments (“In an example, the trusted execution environment comprises a secure memory region which is a processor protected memory region within the address space of a regular process.” -e.g. see, [0025]; herein, Costa discloses the memory is accessible to multiple environments by separating the memory (i.e. the address space of a regular process) to a secure memory region in order to support a trusted execution environment; see also, [0026]).
As to claim 42, it is rejected using the similar rationale as for the rejection of claim 31.

As to claim 32, Costa discloses further configured to decrypt the training data before using it in the training process (“The trusted execution environment decrypts the data 310 using the key(s) it received and executes 312 machine learning training or test phase processes according to the code uploaded by the code-loader. The trusted execution environment executes the machine learning code in a data-oblivious manner either by using oblivious random access memory 316 or by using machine learning processes that have side channel protection 314.” -e.g. see, [0039]).
As to claim 43, it is rejected using the similar rationale as for the rejection of claim 32. 

As to claim 35, Costa discloses further configured to cause the parameters of the neural network to be exported from the apparatus (“The output of the data-oblivious machine learning process is encrypted and output 318 from the data center to one or more of the parties, such as server A in the example of FIG. 1 or end user devices 114 in the example of FIG. 1.” -e.g. see, [0039]; herein, Costa discloses the parameters of the neural network (i.e. the output data of the machine learning process) to be exported (i.e. to one or more of the parties); see also, [0075]; herein, the trusted execution environment executes a neural network in an oblivious manner).

As to claim 46, it is rejected using the similar rationale as for the rejection of claim 35.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 33, 34, 44 and 45 are rejected under 35 U.S.C. 103 as being unpatentable over Costa in view of SAMBANDAM et al. (US 2018/0288052 A1) (hereinafter, “Sambandam”).
As to claim 33, Costa may not explicitly disclose further configured to obtain a measurement of a computer program of the training process, and to cause the measurement to be provided to a party outside of the apparatus.
However, in an analogous art, Sambandam discloses further configured to obtain a measurement of a computer program of the … process (Sambandam: “Generally, the security components, among other features, enable establishing trust relationships by attesting to the authenticity of components of the computing system by measuring the software and hardware components via, for example, by performing a cryptographic hash on the software, firmware, loader or other component. Measurements may be made of code, data structures, configuration, information, or anything that can be loaded into memory and measurements are performed such that if the component being measured has been altered or changed, the results of the measurement would be different. In some cases, user authentication may also be performed during the attestation process, for example, using passwords, biometrics, two-factor authentication, or other known user authentication techniques” -e.g. see, Sambandam: [0038]; herein, Sambandam teaches obtaining a measurement of a software component which is equivalent to obtain measurement of any computer program (i.e. training process), see also, Sambandam: [0040]), and to cause the measurement to be provided to a party outside of the apparatus (“Attestation of the software and hardware components may also be communicated to a third party, allowing that third party to verify that the software and hardware components of the computing system have not been changed. In some cases, third parties may be separate and remote from the computing system and remote attestation via, for example another trusted third party or direct anonymous attestation, may be used to enable establishing the trust relationship.” -e.g. see, Sambandam: [0039]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Costa with the teaching of Sambandam to “configured to obtain a measurement of a computer program of the training process, and to cause the measurement to be provided to a party outside of the apparatus” in order to enable trust relationships of computer programs before execution of the computer programs in an environment.

As to claim 44, it is rejected using the similar rationale as for the rejection of claim 33.

As to claim 34, Costa may not explicitly disclose wherein the measurement is further configured to obtain a hash of the computer program of the training process.
However, in an analogous art, Sambandam discloses wherein the measurement is further configured to obtain a hash of the computer program of the … process (Sambandam: “Generally, the security components, among other features, enable establishing trust relationships by attesting to the authenticity of components of the computing system by measuring the software and hardware components via, for example, by performing a cryptographic hash on the software, firmware, loader or other component. Measurements may be made of code, data structures, configuration, information, or anything that can be loaded into memory and measurements are performed such that if the component being measured has been altered or changed, the results of the measurement would be different. In some cases, user authentication may also be performed during the attestation process, for example, using passwords, biometrics, two-factor authentication, or other known user authentication techniques” -e.g. see, Sambandam: [0038]; herein, Sambandam teaches obtaining a hash of a software component which is equivalent to obtain hash of any computer program (i.e. training process), see also, Sambandam: [0040]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Costa with the teaching of Sambandam to “wherein the measurement is further configured to obtain a hash of the computer program of the training process” in order to enable trust relationships of computer programs before execution of the computer programs in an environment.

As to claim 45, it is rejected using the similar rationale as for the rejection of claim 34.

Claims 36-39 and 47 are rejected under 35 U.S.C. 103 as being unpatentable over Costa in view of McMahan et al. (US 2017/0109322 A1) (hereinafter, “McMahan”).

As to claim 36, Costa may not explicitly disclose further configured to cause randomly generated noise to be added to the parameters before exporting them from the apparatus.
However, in an analogous art, McMahan discloses further configured to cause randomly generated noise to be added to the parameters before exporting them from the apparatus (“User devices 302 can then be configured to provide the local updates to server 304. As indicated above, training data 308 may be privacy sensitive. In this manner, the local updates can be performed and provided to server 304 without compromising the privacy of training data 308. For instance, in such implementations, training data 308 is not provided to server 304. The local update does not include training data 308. In implementations, wherein a locally updated model is provided to server 304, privacy sensitive data may be able to be derived or inferred from the model parameters. In such implementations, one or more encryption, random noise techniques, and/or other security techniques can be added to the training process to obscure any inferable information.” -e.g. see, McMahan: [0033]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Costa with the teaching of McMahan to “configured to cause randomly generated noise to be added to the parameters before exporting them from the apparatus” in order to protect privacy sensitive data from being exposed.
As to claim 47, it is rejected using the similar rationale as for the rejection of claim 36.

As to claim 37, the combination of Costa and McMahan discloses further configured to run the neural network, once the parameters have been obtained, in the trusted execution environment (Costa: “The private support vector machine process (operations 712 to 722) shuffles the training data 700 as described above with reference to FIG. 6. It initializes the weights 714, sequentially reads a subset of shuffled data and rather than updating the model only for mis-predicted examples (as at operation 704) it computes flags 716 in an oblivious manner for each example in a subset, where the flags indicate whether a training example is mis-predicted by the current model or not. The objective function is minimized by making a pass over substantially all the training data in a subset 718 using the flags to indicate whether to make a real or a dummy action so that patterns of memory accesses, patterns of disk accesses and patterns of network accesses are masked. This is done using oblivious primitives such as the ogreater( ), omin( ) and omove( ) primitives described above. The private process obliviously updates the weights at operation 720 for example, using the oblivious assignment primitives described above. The process repeats 722 until a stopping condition is met, such as a fixed number of epochs.” -e.g. see, Costa: [0075]; herein, Costa discloses repeating of machine learning process by a pre-configured number of iterations, hence, parameters or results of one iteration are taken as input to run the neural network for the next iteration; see also, Costa: [0066]).

As to claim 38, the combination of Costa and McMahan discloses further configured to cause randomly generated noise to be added to a result obtained from the neural network, before causing the response to be transmitted from the apparatus (“User devices 302 can then be configured to provide the local updates to server 304. As indicated above, training data 308 may be privacy sensitive. In this manner, the local updates can be performed and provided to server 304 without compromising the privacy of training data 308. For instance, in such implementations, training data 308 is not provided to server 304. The local update does not include training data 308. In implementations, wherein a locally updated model is provided to server 304, privacy sensitive data may be able to be derived or inferred from the model parameters. In such implementations, one or more encryption, random noise techniques, and/or other security techniques can be added to the training process to obscure any inferable information.” -e.g. see, McMahan: [0033], see also, McMahan: [0030]).

As to claim 39, Costa discloses further configured to run the neural network in the trusted execution environment at most a preconfigured number of times (“If the number of iterations has reached a specified number T (where T is public and is set by a user or preconfigured) the process ends 524 and the clusters are output. Otherwise the process makes another iteration from step 516.” -e.g. see, [0066]; see also, [0062], [0075], [0076], [0077]).

Claim 48 is rejected under 35 U.S.C. 103 as being unpatentable over Costa in view of McLean (US 8,850,211 B2) and further in view of McMahan.

As to claim 48, Costa discloses a non-transitory computer readable medium having stored thereon a set of computer readable instructions that, when executed by at least one processor ([0025], [0168]), cause an apparatus to at least: 
store a computer program (“A multi-party privacy-preserving machine learning system is described which has a trusted execution environment comprising at least one protected memory region. A code loader at the system loads machine learning code, received from at least one of the parties, into the protected memory region. A data uploader uploads confidential data, received from at least one of the parties, to the protected memory region.” -e.g. see, [0005], see also, [0025], [0030], [0034]); 
provide training data to a trusted execution environment of the device (“The data center establishes 304 a secure channel with the entities (such as server A) associated with the data-oblivious machine learning request. The data center then receives secure data uploads 306 over the secure channel(s). The uploaded data comprises training data and/or test data for use with the machine learning code.” -e.g. see, [0038]), the computer program being configured to cause, in the trusted execution environment, a training process to obtain parameters of a neural network, using the training data (“The trusted execution environment decrypts the data 310 using the key(s) it received and executes 312 machine learning training or test phase processes according to the code uploaded by the code-loader. The trusted execution environment executes the machine learning code in a data-oblivious manner either by using oblivious random access memory 316 or by using machine learning processes that have side channel protection 314. The output of the data-oblivious machine learning process is encrypted and output 318 from the data center to one or more of the parties, such as server A in the example of FIG. 1 or end user devices 114 in the example of FIG. 1.” -e.g. see, [0039]; herein, Costa teaches a training process (i.e. machine learning process) configured to obtain parameters (i.e. the output of the data-oblivious machine learning process); Costa further teaches: “In various examples, the trusted execution environment is configured to train one or more neural networks using the data oblivious supervised learning scheme of FIG. 6 above where the training data is securely shuffled.” -e.g. see, [0077]; herein, machine learning model is a neural network); 
cause the parameters of the neural network to be exported from the apparatus (“The output of the data-oblivious machine learning process is encrypted and output 318 from the data center to one or more of the parties, such as server A in the example of FIG. 1 or end user devices 114 in the example of FIG. 1.” -e.g. see, [0039]; herein, Costa discloses the parameters of the neural network (i.e. the output data of the machine learning process) to be exported (i.e. to one or more of the parties); see also, [0075]; herein, the trusted execution environment executes a neural network in an oblivious manner);
Costa may not explicitly disclose obtain a measurement of the computer program; 
verify the measurement is consistent with a measurement value received from a device, and 
responsive to the measurement being consistent with the measurement value …;
cause randomly generated noise to be added to the parameters before exporting them from the apparatus.
However, in an analogous art, McLean discloses obtain a measurement of the computer program (McLean: “Upon unpacking the software and accessing the signature files, step 60, the computing device 28, 30 determines whether the signature 2 file 58 is present, test 62. If the signature 2 file 58 is present in the application file 50 (i.e., test 62="Yes"), the computing device 28, 30 uses the new or modified verification algorithm 58a to generate a verification value that is compared to a signature 2 value, step 64.” -e.g. see, McLean: col. 6, lines 24-30; herein, McLean teaches obtain (i.e. generate) a measurement of the computer program (i.e. a verification value of a software package); see also, McLean: Fig. 3, Fig. 5); 
verify the measurement is consistent with a measurement value received from a device (“… the signing server 26 may provide the requesting computing device 28, 30 with a new verification algorithm and new signature (i.e. the signature 2) in the form of a signature 2 file, step 74. The requesting computing device 28, 30 receives the signature 2 file from the signing server 26, stores the file (such as with the application code and data), and then can use that signature 2 file 58 for verifying the software, step 64.” -e.g. see, McLean: col. 6, lines 53-64; herein, the signing server is equivalent to a device which sends a measurement value (i.e. the signature 2 file); see also, “The generated verification value is then compared to the verification value obtained by decrypting the signature 2 file, step 110. If the two values are equal (i.e., test 112="Yes"), the processor is informed that the software can be trusted and execution will proceed accordingly, step 114.” -e.g. see, McLean: col. 7, lines 66-67 to col 8, lines 1-4; herein, generated verification value is equivalent to obtaining a measurement of the computer code which then verify (i.e. compared) with a measurement value received (i.e. the verification value obtained by decrypting the signature 2 file) which was received from a device (i.e. a server); see also, McLean: Fig. 3, Fig. 5), and 
responsive to the measurement being consistent with the measurement value, provide [execute the code or use the data] to … the device (“If the value generated by applying the new or modified verification algorithm to the application software matches the signature 2 value obtained from the signature 2 file 58, the software is verified and the computing device 28, 30 proceeds to execute the code or use the data, step 66.” -e.g. see, McLean: col. 6, lines 33-38; herein, McLean teaches responsive to the measurement being consistent (i.e. the generated value matches to the value received), software may be executed in or obtain services which would be equivalent to provide training data or any other services to perform after a measurement being consistent with the measurement value that was received, see also McLean: Fig. 3, Fig. 5);
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Costa with the teaching of McLean to “obtain a measurement of the computer program; verify the measurement is consistent with a measurement value received from a device, and responsive to the measurement being consistent with the measurement value …” in order to determine legitimacy of a software package during run time which would prevent malicious action.
Neither Costa nor McLean explicitly disclose cause randomly generated noise to be added to the parameters before exporting them from the apparatus.
However, in an analogous art, McMahan discloses cause randomly generated noise to be added to the parameters before exporting them from the apparatus (“User devices 302 can then be configured to provide the local updates to server 304. As indicated above, training data 308 may be privacy sensitive. In this manner, the local updates can be performed and provided to server 304 without compromising the privacy of training data 308. For instance, in such implementations, training data 308 is not provided to server 304. The local update does not include training data 308. In implementations, wherein a locally updated model is provided to server 304, privacy sensitive data may be able to be derived or inferred from the model parameters. In such implementations, one or more encryption, random noise techniques, and/or other security techniques can be added to the training process to obscure any inferable information.” -e.g. see, McMahan: [0033]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Costa and McLean with the teaching of McMahan to “cause randomly generated noise to be added to the parameters before exporting them from the apparatus” in order to protect privacy sensitive data from being exposed.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

US 2014/0075502 A1: Aissi et al. teaches memory may be shared across multiple execution environment -e.g. see, [0071].

US 2007/0247366 A1: Smith et al. teaches verifying validity of a firmware by comparing a hash prior to running an application -e.g. see, [0145], [0167].

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495    

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495