DETAILED ACTION
This Office Action is in response to the application 16/715,643 filed on December 16th, 2019.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are pending and herein considered.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 09/03/2020, is in compliance with the provisions of 37 CRR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Kruthiveti et al. (Kruthiveti), U.S. Pub. Number 2021/0157912.
Regarding claim 1; Kruthiveti discloses a computer-implemented method for training a machine learning system to detect an adversarial attack, the method comprising:
obtaining a collection of sequences, the collection of sequences including at least a first sequence and a second sequence (pars. 0044 & 0047; figs. 4 & 5; receives sensor data in the form of an adversarial image depicting a traffic sign indicating an 80 miles per hour (mph) speed limit that has been modified such that the ML model misrecognizes the sign as indicating a 30 mph speed limit; receives data to be input into the ML model; any suitable data such as images, sound, text, etc., may be input into the model depending on the application, and the input data may be represented by a one-or higher-dimensional set of numbers; for instance, in the context of autonomous vehicles, the input data could include images captured by sensors mounted on an autonomous vehicle; other examples of input data include microphone recordings, thermal camera images, LIDAR data, RADAR data, etc.);
classifying the first sequence as belonging to a first class indicative of a nominal sequence based on a first prediction that the first sequence includes an unperturbed version of sensor data (par. 0048; fig. 5; the feasible ML model such as a deep learning model, boosted tree, random forest, logistic regression model, linear regression model, etc., may be used to produce an output; the ML model may output any suitable prediction; ML model may be agnostic  to and unaffected by the adversarial detection being performed; returning to the example of autonomous vehicles, a deep learning model may be used to, e.g., classify objects such as traffic signs and pedestrians captured in an image.);
classifying the second sequence as belonging to a second class indicative of an adversarial sequence based on a second prediction that the second sequence includes a perturbed version of the sensor data (pars. 0049 & 0053; figs. 5 & 6; the adversarial detection module processes the input-output pair associated with the ML model using the detection model to determine an adversarial score; the adversarial detection module perturbs the input data using predefined random perturbations; for instance, in the case of an image.);
generating combined loss data based on (i) a first average loss involving incorrect classifications of the first class with respect to a first set of sequences from the collection of sequences in which each sequence within the first set of sequences is the nominal sequence and (ii) a second average loss involving incorrect classifications of the second class with respect to a second set of sequences from the collection of sequences in which each sequence within the second set of sequences is the adversarial sequence (par. 0053 & 0060; fig. 6; the ML system could generate multiple perturbations of the image by making predefined random changes to pixel values within the image for each of the perturbations such as adding small numbers to the pixel values at random locations within the image; the adversarial detection module includes a detection model that generates a score indicative of whether the input is adversarial using a neural fingerprinting technique or a comparison of features extracted by a surrogate ML model to an expected feature distribution for the output of the ML model.); and
updating parameters of the machine learning system based on the combined loss data (par. 0061; the plug-in nature of the adversarial detection module allows such a module to be deployed to defend a variety of learning-based ML models, while being developed and updated independently of those ML models.).
Regarding claim 2; Kruthiveti discloses the computer-implemented. method of claim 1, wherein the step of updating parameters includes: determining the parameters of a discriminative model of the machine learning system that minimize the combined loss data of a weighted function involving the first average loss and the second average loss (par. 0050; fig. 5; determines whether the adversarial score output by the adversarial detection module satisfies a predetermined threshold for raising an adversarial flag.).
Regarding claim 3; Kruthiveti discloses the computer-implemented method of claim 1, wherein the machine learning system comprises a deep neural network with an architecture that processes temporal sequences (par. 0071; the ML model comprises one of a deep learning model, a support vector machine, a boosted tree, a random forest, a logistic regression model, or a linear regression model.).
Regarding claim 4; Kruthiveti discloses the computer-implemented method of claim 1, wherein the machine learning system includes a recursive neural network, a long short-term memory network, or a gated recursive unit (par. 0054; a neural fingerprinting ML model.).
Regarding claim 5; Kruthiveti discloses the computer-implemented method of claim 1, wherein: the first sequence is generated such that another machine learning system generates first class data for the first sequence; the second sequence is a perturbed version of the first sequence such that the another machine learning system generates second class data for the second sequence; and the first class data is different from the second class data (par. 0063; inputting the perturbed data into a neural fingerprinting model included in the adversarial detection module which generates output perturbations and determining a difference between the output perturbations and a set of expected output perturbations.).
Regarding claim 6; Kruthiveti discloses the computer-implemented method of claim 5, wherein: the first sequence is extracted from a stream of sensor data; the first sequence includes a plurality of frames of sensor data; and the second sequence includes a subsequence, the subsequence includes iterative perturbed versions of a selected frame of the first sequence in which one of the perturbed versions of the selected frame causes the another machine learning system to generate the second class data for the second sequence (par. 0054; the adversarial score output by the model that includes a neural fingerprinting ML model is indicative of whether the input perturbations and outputs of the neural fingerprinting ML model matches the fingerprints for a class predicted by the ML model based on a measure of distance such as Euclidean distance or L1 distance.).
Regarding claim 7; Kruthiveti discloses the computer-implemented method of claim 5, wherein: the first sequence is extracted from a stream of sensor data; the first sequence includes a plurality of frames of sensor data; and each frame of the second sequence is perturbed by a respective perturbation such that the second sequence causes the another machine learning system to generate the second class data for the second sequence (par. 0075; processing the data input into the ML model and the output data via the adversarial detection module comprises perturbing the data input into the ML model using a set of predefined random perturbations, inputting the perturbed data into a neural fingerprinting model include in the adversarial detection module which generates output perturbations, and determining a difference between the output perturbations and a set of expected output perturbations.).
Regarding claims 8-14; Claims 8-14 are directed to non-transitory computer readable medium which have similar scope as claims 1-7. Therefore, claims 8-14 remain un-patentable for the same reasons.
Regarding claims 15-20; Claims 15-20 are directed to computer-implemented method which have similar scope as claims 1-7. Therefore, claims 15-20 remain un-patentable for the same reasons.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHOI V LE whose telephone number is (571)270-5087. The examiner can normally be reached 9:00 AM - 5:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/KHOI V LE/
Primary Examiner, Art Unit 2436