DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/23/2019 was filed. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6-14, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kesarwani (US PGPUB: 20190362072, Filed Date: May 22, 2018) in view of Lee (US PGPUB: 20190095629, Filed Date: Sep. 25, 2017).
Regarding independent claim 1, Kesarwani teaches: A method, comprising: deploying a machine learning model, wherein the machine learning model is used in responding to queries from users; (Kesarwani − [0033] Fig. 2 At 201 the system may deploy a model for responding to requests received from users. The description of the deployed model as explained in conjunction with 101 is applicable and will not be restated here.)
receiving, at the deployed machine learning model, input from at least one entity; (Kesarwani − [0033] Fig. 2 At 202 input may be received from one or more users. [0027] The machine learning model may include a model that is continuously retrained using input received from users. For example, users may provide feedback to a movie recommendation model regarding the quality of a recommendation provided by the model. The recommendation model is an entity; the user is providing feedback (input) into the deployed system.)
determining that the at least one entity is an adversary attempting to retrain and/or steal the deployed machine learning model; (Kesarwani − [0034] FIG. 2, determines, upon receipt of the user input, whether the input is or may be malicious input at 203. To determine if the input is malicious, the system may use one or a combination of malicious input detection techniques, for example, a temporal detection technique, a label detection technique, a user detection technique, a collusion detection technique, a combination of one or more of these techniques, or the like. [0035] In some poisoning attacks, a person, or group of people, attempts to provide a large volume of feedback or inputs having an extreme nature. An input having an extreme nature includes input that would be considered an outlier or an input that is at one extreme or the other of a scale. An adversary is a person or group of people attempting to do poisoning attacks against the model. The techniques described in paragraph 0034 are how it determines at least one entity is an adversary. These inputs are used to retrain a deployed machine learning model.)
Kesarwani teaches removing the malicious input but does not explicitly teach: and providing, in view of the determining that the at least one entity is an adversary, an altered response, wherein the altered response comprises at least one of: a response from a machine learning model other than the deployed machine learning model and a response from the deployed machine learning model altered with errors.
However, Lee teaches: and providing, in view of the determining that the at least one entity is an adversary, an altered response, (Lee – Fig. 1B, [0056] the perturbation insertion engine 160 is provided as part of the model 130 itself, the perturbation insertion engine 160 may operate as an additional layer of the model 130 just prior to the output layer of the model to thereby introduce perturbations in the probability values generated at the layer of the trained neural network model 130 just prior to the output layer of the model 130. In embodiments where the perturbation insertion engine 160 is external to the model 130, the perturbations may be injected into the output vector 135 of the trained neural network model 130 to thereby modify the original vector output 135 that is generated by the trained neural network model 130 to be a modified vector output 165 prior to generating the labeled data set 140 that is output to the attacker 110.)
wherein the altered response comprises at least one of: a response from a machine learning model other than the deployed machine learning model and a response from the deployed machine learning model altered with errors. (Lee – Fig. 1B, [0056] In embodiments where the perturbation insertion engine 160 is external to the model 130, the perturbations may be injected into the output vector 135 of the trained neural network model 130 to thereby modify the original vector output 135 that is generated by the trained neural network model 130 to be a modified vector output 165 prior to generating the labeled data set 140 that is output to the attacker 110. [0057] The modified vector output 165 provides a modified set of probability values associated with different labels or classes corresponding to vector slots. These modified probability values are noise (errors) being applied to the manipulated labeled data 170 sent to the adversary attacker. The perturbation is a model different than the deployed machine learning model.)
Accordingly, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have combined the teachings of Kesarwani and Lee, as each invention relates to preventing malicious input for stealing and retraining machine learning models. Adding the teaching of Lee provides Kesarwani with an additional model layer for sending outputs with noise, similar to the actual machine learning model outputs, to the adversary sending malicious inputs. This provides the benefit of preventing attacks on deployed machine learning models.
Regarding dependent claim 2, Kesarwani teaches: wherein the determining comprises determining that the at least one entity has provided a predetermined number of inputs to the deployed machine learning model within a predetermined time frame. (Kesarwani − [0035] Therefore, a temporal detection technique may include identifying a time period for receipt of a plurality of inputs. The technique may identify a number of inputs that are received during that time period and may also identify a nature of the inputs, for example, whether the inputs are extreme. If a large number of inputs are received during this time period, for example, over a predetermined threshold, the system may further verify the input.)
Regarding dependent claim 3, Kesarwani teaches: wherein the determining comprises comparing a profile of the at least one entity to profiles of known adversaries. (Kesarwani − [0041] The malicious feedback identifier 308 is responsible for identify if the feedback is malicious using different malicious input detection techniques and sources, for example, information related to user profiles 309)
Regarding dependent claim 6, Kesarwani does not explicitly teach: wherein the machine learning model other than the deployed machine learning model is used for providing responses for a single adversary.
However, Lee teaches: wherein the machine learning model other than the deployed machine learning model is used for providing responses for a single adversary. (Lee – Fig. 1B, [0056] In embodiments where the perturbation insertion engine 160 is external to the model 130, the perturbations may be injected into the output vector 135 of the trained neural network model 130 to thereby modify the original vector output 135 that is generated by the trained neural network model 130 to be a modified vector output 165 prior to generating the labeled data set 140 that is output to the attacker 110. [0057] The modified vector output 165 provides a modified set of probability values associated with different labels or classes corresponding to vector slots. These modified probability values are noise (errors) being applied to the manipulated labeled data 170 sent to the adversary attacker. The perturbation is a model different than the deployed machine learning model.)
Accordingly, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have combined the teachings of Kesarwani and Lee, as each invention relates to preventing malicious input for stealing and retraining machine learning models. Adding the teaching of Lee provides Kesarwani with an additional model layer for sending outputs with noise, similar to the actual machine learning model outputs, to the adversary sending malicious inputs. This provides the benefit of preventing attacks on deployed machine learning models.
Regarding dependent claim 7, Kesarwani teaches: comprising determining that the single adversary attempted to steal the deployed machine learning model, by comparing a model deployed by the single adversary to the machine learning model other than the deployed machine learning model. (Kesarwani – [0036] the system may compare the time period that received a high number of inputs to other sources to determine if some event may have occurred that may have resulted in an abnormal number of genuine inputs. [0041] The malicious feedback identifier 308 is responsible for identify if the feedback is malicious using different malicious input detection techniques and sources, for example, information related to user profiles 309)
Regarding dependent claim 8, Kesarwani does not explicitly teach: wherein the machine learning model other than the deployed machine learning model has different performance characteristics than the deployed machine learning model.
However, Lee teaches: wherein the machine learning model other than the deployed machine learning model has different performance characteristics than the deployed machine learning model. (Lee – Fig. 1B, [0056] In embodiments where the perturbation insertion engine 160 is external to the model 130, the perturbations may be injected into the output vector 135 of the trained neural network model 130 to thereby modify the original vector output 135 that is generated by the trained neural network model 130 to be a modified vector output 165 prior to generating the labeled data set 140 that is output to the attacker 110. [0057] The modified vector output 165 provides a modified set of probability values associated with different labels or classes corresponding to vector slots. These modified probability values are noise (errors) being applied to the manipulated labeled data 170 sent to the adversary attacker. The perturbation is a model different than the deployed machine learning model.)
Accordingly, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have combined the teachings of Kesarwani and Lee, as each invention relates to preventing malicious input for stealing and retraining machine learning models. Adding the teaching of Lee provides Kesarwani with an additional model layer for sending outputs with noise, similar to the actual machine learning model outputs, to the adversary sending malicious inputs. This provides the benefit of preventing attacks on deployed machine learning models.
Regarding dependent claim 9, Kesarwani teaches: comprising wherein the machine learning model comprises a public model. (Kesarwani − [0022] The system may deploy a model, in conjunction with an application, that responds to requests or queries provided by users. The model may include a machine learning model that is trained using input received from users, also referred to as crowdsourcing the training of the machine learning model.)
Regarding dependent claim 10, Kesarwani does not explicitly teach: wherein the deployed machine learning model altered with errors comprises errors that are unique to each entity identified as an adversary.
However, Lee teaches: wherein the deployed machine learning model altered with errors comprises errors that are unique to each entity identified as an adversary. (Lee – Fig. 1B, [0056] In embodiments where the perturbation insertion engine 160 is external to the model 130, the perturbations may be injected into the output vector 135 of the trained neural network model 130 to thereby modify the original vector output 135 that is generated by the trained neural network model 130 to be a modified vector output 165 prior to generating the labeled data set 140 that is output to the attacker 110. [0057] The modified vector output 165 provides a modified set of probability values associated with different labels or classes corresponding to vector slots. These modified probability values are noise (errors) being applied to the manipulated labeled data 170 sent to the adversary attacker. The perturbation is a model different than the deployed machine learning model.)
Accordingly, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have combined the teachings of Kesarwani and Lee, as each invention relates to preventing malicious input for stealing and retraining machine learning models. Adding the teaching of Lee provides Kesarwani with an additional model layer for sending outputs with noise, similar to the actual machine learning model outputs, to the adversary sending malicious inputs. This provides the benefit of preventing attacks on deployed machine learning models.
Regarding independent claim 11, Kesarwani teaches: An apparatus, comprising: at least one processor; (Kesarwani − [0044] As shown in FIG. 4, computer system/server 12’, processor 16′)
and a computer readable storage medium having computer readable program code embodied therewith and executable by the at least one processor, the computer readable program code comprising: (Kesarwani − [0005] Another aspect of the invention provides an apparatus for delaying the effect of malicious attacks on a machine learning model that is continuously retrained using input captured from a plurality of users, comprising: at least one processor; and a computer readable storage medium having computer readable program code embodied therewith and executable by the at least one processor, the computer readable program code comprising: computer readable program code)
computer readable program code configured to deploy a machine learning model, wherein the machine learning model is used in responding to queries from users; (Kesarwani − [0033] Fig. 2 At 201 the system may deploy a model for responding to requests received from users. The description of the deployed model as explained in conjunction with 101 is applicable and will not be restated here.)
computer readable program code configured to receive, at the deployed machine learning model, input from at least one entity; (Kesarwani − [0033] Fig. 2 At 202 input may be received from one or more users. [0027] The machine learning model may include a model that is continuously retrained using input received from users. For example, users may provide feedback to a movie recommendation model regarding the quality of a recommendation provided by the model. The recommendation model is an entity; the user is providing feedback (input) into the deployed system.)
computer readable program code configured to determine that the at least one entity is an adversary attempting to retrain and/or steal the deployed machine learning model; (Kesarwani − [0034] FIG. 2, determines, upon receipt of the user input, whether the input is or may be malicious input at 203. To determine if the input is malicious, the system may use one or a combination of malicious input detection techniques, for example, a temporal detection technique, a label detection technique, a user detection technique, a collusion detection technique, a combination of one or more of these techniques, or the like. [0035] In some poisoning attacks, a person, or group of people, attempts to provide a large volume of feedback or inputs having an extreme nature. An input having an extreme nature includes input that would be considered an outlier or an input that is at one extreme or the other of a scale. An adversary is a person or group of people attempting to do poisoning attacks against the model. The techniques described in paragraph 0034 are how it determines at least one entity is an adversary. These inputs are used to retrain a deployed machine learning model.)
Kesarwani teaches removing the malicious input but does not explicitly teach: and computer readable program code configured to provide, in view of the determining that the at least one entity is an adversary, an altered response, wherein the altered response comprises at least one of: a response from a machine learning model other than the deployed machine learning model and a response from the deployed machine learning model altered with errors.
However, Lee teaches: and computer readable program code configured to provide, in view of the determining that the at least one entity is an adversary, an altered response, (Lee – Fig. 1B, [0056] the perturbation insertion engine 160 is provided as part of the model 130 itself, the perturbation insertion engine 160 may operate as an additional layer of the model 130 just prior to the output layer of the model to thereby introduce perturbations in the probability values generated at the layer of the trained neural network model 130 just prior to the output layer of the model 130. In embodiments where the perturbation insertion engine 160 is external to the model 130, the perturbations may be injected into the output vector 135 of the trained neural network model 130 to thereby modify the original vector output 135 that is generated by the trained neural network model 130 to be a modified vector output 165 prior to generating the labeled data set 140 that is output to the attacker 110.)
wherein the altered response comprises at least one of: a response from a machine learning model other than the deployed machine learning model and a response from the deployed machine learning model altered with errors. (Lee – Fig. 1B, [0056] In embodiments where the perturbation insertion engine 160 is external to the model 130, the perturbations may be injected into the output vector 135 of the trained neural network model 130 to thereby modify the original vector output 135 that is generated by the trained neural network model 130 to be a modified vector output 165 prior to generating the labeled data set 140 that is output to the attacker 110. [0057] The modified vector output 165 provides a modified set of probability values associated with different labels or classes corresponding to vector slots. These modified probability values are noise (errors) being applied to the manipulated labeled data 170 sent to the adversary attacker. The perturbation is a model different than the deployed machine learning model.)
Accordingly, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have combined the teachings of Kesarwani and Lee, as each invention relates to preventing malicious input for stealing and retraining machine learning models. Adding the teaching of Lee provides Kesarwani with an additional model layer for sending outputs with noise, similar to the actual machine learning model outputs, to the adversary sending malicious inputs. This provides the benefit of preventing attacks on deployed machine learning models.
Regarding independent claim 12, Kesarwani teaches: A computer program product, comprising: 
a computer readable storage medium having computer readable program code embodied therewith, the computer readable program code executable by a processor and comprising: (Kesarwani − [0005] Another aspect of the invention provides an apparatus for delaying the effect of malicious attacks on a machine learning model that is continuously retrained using input captured from a plurality of users, comprising: at least one processor; and a computer readable storage medium having computer readable program code embodied therewith and executable by the at least one processor, the computer readable program code comprising: computer readable program code)
computer readable program code configured to deploy a machine learning model, wherein the machine learning model is used in responding to queries from users; (Kesarwani − [0033] Fig. 2 At 201 the system may deploy a model for responding to requests received from users. The description of the deployed model as explained in conjunction with 101 is applicable and will not be restated here.)
computer readable program code configured to receive, at the deployed machine learning model, input from at least one entity; (Kesarwani − [0033] Fig. 2 At 202 input may be received from one or more users. [0027] The machine learning model may include a model that is continuously retrained using input received from users. For example, users may provide feedback to a movie recommendation model regarding the quality of a recommendation provided by the model. The recommendation model is an entity; the user is providing feedback (input) into the deployed system.)
computer readable program code configured to determine that the at least one entity is an adversary attempting to retrain and/or steal the deployed machine learning model; (Kesarwani − [0034] FIG. 2, determines, upon receipt of the user input, whether the input is or may be malicious input at 203. To determine if the input is malicious, the system may use one or a combination of malicious input detection techniques, for example, a temporal detection technique, a label detection technique, a user detection technique, a collusion detection technique, a combination of one or more of these techniques, or the like. [0035] In some poisoning attacks, a person, or group of people, attempts to provide a large volume of feedback or inputs having an extreme nature. An input having an extreme nature includes input that would be considered an outlier or an input that is at one extreme or the other of a scale. An adversary is a person or group of people attempting to do poisoning attacks against the model. The techniques described in paragraph 0034 are how it determines at least one entity is an adversary. These inputs are used to retrain a deployed machine learning model.)
Kesarwani teaches removing the malicious input but does not explicitly teach: and computer readable program code configured to provide, in view of the determining that the at least one entity is an adversary, an altered response, wherein the altered response comprises at least one of: a response from a machine learning model other than the deployed machine learning model and a response from the deployed machine learning model altered with errors.
However, Lee teaches: and computer readable program code configured to provide, in view of the determining that the at least one entity is an adversary, an altered response, (Lee – Fig. 1B, [0056] the perturbation insertion engine 160 is provided as part of the model 130 itself, the perturbation insertion engine 160 may operate as an additional layer of the model 130 just prior to the output layer of the model to thereby introduce perturbations in the probability values generated at the layer of the trained neural network model 130 just prior to the output layer of the model 130. In embodiments where the perturbation insertion engine 160 is external to the model 130, the perturbations may be injected into the output vector 135 of the trained neural network model 130 to thereby modify the original vector output 135 that is generated by the trained neural network model 130 to be a modified vector output 165 prior to generating the labeled data set 140 that is output to the attacker 110.)
wherein the altered response comprises at least one of: a response from a machine learning model other than the deployed machine learning model and a response from the deployed machine learning model altered with errors. (Lee – Fig. 1B, [0056] In embodiments where the perturbation insertion engine 160 is external to the model 130, the perturbations may be injected into the output vector 135 of the trained neural network model 130 to thereby modify the original vector output 135 that is generated by the trained neural network model 130 to be a modified vector output 165 prior to generating the labeled data set 140 that is output to the attacker 110. [0057] The modified vector output 165 provides a modified set of probability values associated with different labels or classes corresponding to vector slots. These modified probability values are noise (errors) being applied to the manipulated labeled data 170 sent to the adversary attacker. The perturbation is a model different than the deployed machine learning model.)
Accordingly, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have combined the teachings of Kesarwani and Lee, as each invention relates to preventing malicious input for stealing and retraining machine learning models. Adding the teaching of Lee provides Kesarwani with an additional model layer for sending outputs with noise, similar to the actual machine learning model outputs, to the adversary sending malicious inputs. This provides the benefit of preventing attacks on deployed machine learning models.
Regarding dependent claim 13, Kesarwani teaches: wherein the determining comprises determining that the at least one entity has provided a predetermined number of inputs to the deployed machine learning model within a predetermined time frame. (Kesarwani − [0035] Therefore, a temporal detection technique may include identifying a time period for receipt of a plurality of inputs. The technique may identify a number of inputs that are received during that time period and may also identify a nature of the inputs, for example, whether the inputs are extreme. If a large number of inputs are received during this time period, for example, over a predetermined threshold, the system may further verify the input.)
Regarding dependent claim 14, Kesarwani teaches: wherein the determining comprises comparing a profile of the at least one entity to profiles of known adversaries. (Kesarwani − [0041] The malicious feedback identifier 308 is responsible for identify if the feedback is malicious using different malicious input detection techniques and sources, for example, information related to user profiles 309)
Regarding dependent claim 17, Kesarwani does not explicitly teach: wherein the machine learning model other than the deployed machine learning model is used for providing responses for a single adversary.
However, Lee teaches: wherein the machine learning model other than the deployed machine learning model is used for providing responses for a single adversary. (Lee – Fig. 1B, [0056] In embodiments where the perturbation insertion engine 160 is external to the model 130, the perturbations may be injected into the output vector 135 of the trained neural network model 130 to thereby modify the original vector output 135 that is generated by the trained neural network model 130 to be a modified vector output 165 prior to generating the labeled data set 140 that is output to the attacker 110. [0057] The modified vector output 165 provides a modified set of probability values associated with different labels or classes corresponding to vector slots. These modified probability values are noise (errors) being applied to the manipulated labeled data 170 sent to the adversary attacker. The perturbation is a model different than the deployed machine learning model.)
Accordingly, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have combined the teachings of Kesarwani and Lee, as each invention relates to preventing malicious input for stealing and retraining machine learning models. Adding the teaching of Lee provides Kesarwani with an additional model layer for sending outputs with noise, similar to the actual machine learning model outputs, to the adversary sending malicious inputs. This provides the benefit of preventing attacks on deployed machine learning models.
Regarding dependent claim 18, Kesarwani teaches: comprising determining that the single adversary attempted to steal the deployed machine learning model, by comparing a model deployed by the single adversary to the machine learning model other than the deployed machine learning model. (Kesarwani – [0036] the system may compare the time period that received a high number of inputs to other sources to determine if some event may have occurred that may have resulted in an abnormal number of genuine inputs. [0041] The malicious feedback identifier 308 is responsible for identify if the feedback is malicious using different malicious input detection techniques and sources, for example, information related to user profiles 309)
Regarding dependent claim 19, Kesarwani does not explicitly teach: wherein the deployed machine learning model altered with errors comprises errors that are unique to each entity identified as an adversary.
However, Lee teaches: wherein the deployed machine learning model altered with errors comprises errors that are unique to each entity identified as an adversary. (Lee – Fig. 1B, [0056] In embodiments where the perturbation insertion engine 160 is external to the model 130, the perturbations may be injected into the output vector 135 of the trained neural network model 130 to thereby modify the original vector output 135 that is generated by the trained neural network model 130 to be a modified vector output 165 prior to generating the labeled data set 140 that is output to the attacker 110. [0057] The modified vector output 165 provides a modified set of probability values associated with different labels or classes corresponding to vector slots. These modified probability values are noise (errors) being applied to the manipulated labeled data 170 sent to the adversary attacker. The perturbation is a model different than the deployed machine learning model.)
Accordingly, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have combined the teachings of Kesarwani and Lee, as each invention relates to preventing malicious input for stealing and retraining machine learning models. Adding the teaching of Lee provides Kesarwani with an additional model layer for sending outputs with noise, similar to the actual machine learning model outputs, to the adversary sending malicious inputs. This provides the benefit of preventing attacks on deployed machine learning models.
Regarding independent claim 20, Kesarwani teaches: A method, comprising: 
employing a machine learning model to respond to queries from one or more entities; (Kesarwani − [0033] Fig. 2 At 201 the system may deploy a model for responding to requests received from users. The description of the deployed model as explained in conjunction with 101 is applicable and will not be restated here.)
determining from a pattern of queries that the one or more entities comprises an adversary attempting to steal the machine learning model; (Kesarwani – [0035] Therefore, a temporal detection technique may include identifying a time period for receipt of a plurality of inputs. The technique may identify a number of inputs that are received during that time period and may also identify a nature of the inputs, for example, whether the inputs are extreme. If a large number of inputs are received during this time period, for example, over a predetermined threshold, the system may further verify the input. In other words, if the system receives a surge of inputs within a predetermined time period, the system may flag the inputs for further review. If, upon further verification or review, the system determines that some or all of these inputs have an extreme nature, the system may mark or classify the received input as possibly being malicious input.)
Kesarwani does not explicitly teach: selecting, from the machine learning model and a variation of the machine learning model, a model to be used to provide responses to the queries, wherein the selecting comprises selecting a variation of the machine learning model if the one or more entities are determined to be an adversary; and providing responses to the queries using the selected model.
However, Lee teaches: selecting, from the machine learning model and a variation of the machine learning model, a model to be used to provide responses to the queries, wherein the selecting comprises selecting a variation of the machine learning model if the one or more entities are determined to be an adversary; (Lee – Fig. 1B, [0056] the perturbation insertion engine 160 is provided as part of the model 130 itself, the perturbation insertion engine 160 may operate as an additional layer of the model 130 just prior to the output layer of the model to thereby introduce perturbations in the probability values generated at the layer of the trained neural network model 130 just prior to the output layer of the model 130. In embodiments where the perturbation insertion engine 160 is external to the model 130, the perturbations may be injected into the output vector 135 of the trained neural network model 130 to thereby modify the original vector output 135 that is generated by the trained neural network model 130 to be a modified vector output 165 prior to generating the labeled data set 140 that is output to the attacker 110.)
and providing responses to the queries using the selected model. (Lee – Fig. 1B, [0056] In embodiments where the perturbation insertion engine 160 is external to the model 130, the perturbations may be injected into the output vector 135 of the trained neural network model 130 to thereby modify the original vector output 135 that is generated by the trained neural network model 130 to be a modified vector output 165 prior to generating the labeled data set 140 that is output to the attacker 110. [0057] The modified vector output 165 provides a modified set of probability values associated with different labels or classes corresponding to vector slots. These modified probability values are noise (errors) being applied to the manipulated labeled data 170 sent to the adversary attacker. The perturbation model is different from the deployed machine learning model.)
Accordingly, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have combined the teachings of Kesarwani and Lee, as each invention relates to preventing malicious input for stealing and retraining machine learning models. Adding the teaching of Lee provides Kesarwani with an additional model layer for sending noisy outputs, similar to the actual machine learning model outputs, to the adversary sending malicious inputs, thereby providing the benefit of preventing attacks on deployed machine learning models.
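The combination relied on above (the surge-plus-extreme-input flagging quoted from Kesarwani [0035] and the output-vector perturbation quoted from Lee [0056]-[0057]) can be sketched as follows. This is an added example, not code from the Office action or from either reference; the thresholds, the per-entity noise seeding, and the toy model are assumptions.

```python
import hashlib
import random
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # assumed "predetermined time period"
SURGE_THRESHOLD = 5     # assumed "predetermined threshold" on inputs per window
EXTREME_FRACTION = 0.5  # assumed share of extreme inputs that confirms the flag

class QueryGate:
    """Serves the real output vector, or a perturbed one to flagged entities."""

    def __init__(self, model, is_extreme):
        self.model = model            # callable: input -> list of class probabilities
        self.is_extreme = is_extreme  # callable: input -> bool
        self.history = defaultdict(deque)  # entity -> deque of (timestamp, extreme)

    def is_adversary(self, entity, now):
        window = self.history[entity]
        while window and now - window[0][0] > WINDOW_SECONDS:
            window.popleft()          # forget inputs outside the time period
        if len(window) <= SURGE_THRESHOLD:
            return False              # no surge, nothing to verify further
        extreme = sum(1 for _, flag in window if flag)
        return extreme / len(window) >= EXTREME_FRACTION

    def perturb(self, entity, x, probs):
        # Noise is seeded by entity and input, so it is unique per entity and
        # repeat queries cannot average it away (an assumption of this sketch).
        seed = hashlib.sha256(f"{entity}|{x!r}".encode()).digest()
        rng = random.Random(seed)
        noisy = [max(p + rng.uniform(-0.2, 0.2), 1e-6) for p in probs]
        total = sum(noisy)
        return [p / total for p in noisy]  # still a valid probability vector

    def respond(self, entity, x, now):
        self.history[entity].append((now, self.is_extreme(x)))
        probs = self.model(x)
        if self.is_adversary(entity, now):
            return self.perturb(entity, x, probs)
        return probs

def toy_model(x):
    """Constructed two-class stand-in for the deployed model."""
    p = min(max(x, 0.0), 1.0)
    return [p, 1.0 - p]

def toy_is_extreme(x):
    """Constructed notion of an 'extreme' input: close to either end of the range."""
    return x < 0.05 or x > 0.95
```

A high-volume client whose inputs are not extreme keeps receiving the unmodified vector, which matches the two-stage check in the quoted paragraph: the surge only triggers further review, and the nature of the inputs decides the classification.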

Claims 4-5 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Kesarwani in view of Lee as applied to claims 1-3, 6-13, and 17-20 above, and further in view of Sadaghiani (US PAT: 10341374, Filed Date: Nov. 20, 2018).
Regarding dependent claim 4, Kesarwani does not explicitly teach: wherein the determining comprises computing a resiliency score for the deployed machine learning model that identifies an attack threshold corresponding to an input pattern that is indicative of the deployed machine learning model being attacked.
However, Sadaghiani teaches: wherein the determining comprises computing a resiliency score for the deployed machine learning model that identifies an attack threshold corresponding to an input pattern that is indicative of the deployed machine learning model being attacked. (Sadaghiani −  [Col. 5 ll. 20-26] The system 100 using the digital threat mitigation platform 130 functions to generate a global digital threat score and one or more specific digital threat scores for one or more digital abuse types that may exist in the collected digital event data. [Col. 5,6 ll. 60-62, 1-5] The ensemble of machine learning models may include hundreds and/or thousands of machine learning models that work together to classify features of digital events data and namely, to classify or detect features that may indicate a possibility of fraud and/or abuse.)
Accordingly, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have combined the teachings of Kesarwani, Lee, and Sadaghiani, as each invention relates to preventing malicious input for stealing and retraining machine learning models. Adding the teaching of Sadaghiani provides Kesarwani and Lee with determining a threat score for malicious inputs, thereby providing the benefit of preventing attacks on deployed machine learning models.
Regarding dependent claim 5, Kesarwani teaches: wherein the determining comprises (i) observing a pattern of input provided by the at least one entity and (ii) determining the at least one entity as an adversary when the pattern of input reaches the attack threshold. (Kesarwani – [0035] Therefore, a temporal detection technique may include identifying a time period for receipt of a plurality of inputs. The technique may identify a number of inputs that are received during that time period and may also identify a nature of the inputs, for example, whether the inputs are extreme. If a large number of inputs are received during this time period, for example, over a predetermined threshold, the system may further verify the input. In other words, if the system receives a surge of inputs within a predetermined time period, the system may flag the inputs for further review. If, upon further verification or review, the system determines that some or all of these inputs have an extreme nature, the system may mark or classify the received input as possibly being malicious input.)
Regarding dependent claim 15, Kesarwani does not explicitly teach: wherein the determining comprises computing a resiliency score for the deployed machine learning model that identifies an attack threshold corresponding to an input pattern that is indicative of the deployed machine learning model being attacked.
However, Sadaghiani teaches: wherein the determining comprises computing a resiliency score for the deployed machine learning model that identifies an attack threshold corresponding to an input pattern that is indicative of the deployed machine learning model being attacked. (Sadaghiani −  [Col. 5 ll. 20-26] The system 100 using the digital threat mitigation platform 130 functions to generate a global digital threat score and one or more specific digital threat scores for one or more digital abuse types that may exist in the collected digital event data. [Col. 5,6 ll. 60-62, 1-5] The ensemble of machine learning models may include hundreds and/or thousands of machine learning models that work together to classify features of digital events data and namely, to classify or detect features that may indicate a possibility of fraud and/or abuse.)
Accordingly, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have combined the teachings of Kesarwani, Lee, and Sadaghiani, as each invention relates to preventing malicious input for stealing and retraining machine learning models. Adding the teaching of Sadaghiani provides Kesarwani and Lee with determining a threat score for malicious inputs, thereby providing the benefit of preventing attacks on deployed machine learning models.
Regarding dependent claim 16, Kesarwani teaches: wherein the determining comprises (i) observing a pattern of input provided by the at least one entity and (ii) determining the at least one entity as an adversary when the pattern of input reaches the attack threshold. (Kesarwani – [0035] Therefore, a temporal detection technique may include identifying a time period for receipt of a plurality of inputs. The technique may identify a number of inputs that are received during that time period and may also identify a nature of the inputs, for example, whether the inputs are extreme. If a large number of inputs are received during this time period, for example, over a predetermined threshold, the system may further verify the input. In other words, if the system receives a surge of inputs within a predetermined time period, the system may flag the inputs for further review. If, upon further verification or review, the system determines that some or all of these inputs have an extreme nature, the system may mark or classify the received input as possibly being malicious input.)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARL E BARNES JR whose telephone number is (571)270-3395. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Cesar Paula can be reached on 571-272-4128. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CARL E BARNES JR/Examiner, Art Unit 2177
/CESAR B PAULA/Supervisory Patent Examiner, Art Unit 2177