DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This Office Action is in response to the application filed on 10/09/2020. Claims 1-20 are examined.

Drawings
The drawings are objected to because Fig. 8 “ML Engine Provisioning Server 242” should be labeled “542”.  
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

The drawings are objected to as failing to comply with 37 CFR 1.84(p)(4) because reference character “1002” in Fig. 13 has been used to designate both Step 7 and Provisioning server.  
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Specification
The disclosure is objected to because of the following informalities:
Paragraph 0003 line 6, “to to” should read “to”.
Paragraph 0006 lines 5 and 6 “Invention” should not be capitalized.
Paragraph 0009 line 11 “validated” should have a period after it.
Paragraph 0018 line 2 “Thee” should read “the”.
Paragraph 00119 “(referred to as ‘A’)” does not have a corresponding label on the drawings.
Appropriate correction is required.

Claim Objections
Claims 1 and 10 are objected to because of the following informalities:
“ML applications” in claims 1 and 10 should read “ML application”.  
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claims 1 and 10 recite "the ML model release tool", but it is unclear whether "the ML model release tool" refers to the model release tool recited in claims 1 and 10, a specific machine learning model release tool, or some other model release tool. The limitation has been interpreted as referring to any model release tool.   
Dependent claims are also rejected for inheriting the deficiencies of the independent claims from which they depend.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 4-5, 9, 10, 13-14 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over WU (U.S. 20200250321), in view of Booth (U.S. 20200134230), in view of Moore (U.S. 20190140846) in further view of Avetisov (U.S. 20210044976).

Regarding claim 1,
WU discloses: A method for executing a machine learning (ML) application in a computing environment, the method comprising: receiving, from a TEE of a model release tool, into the TEE of the server, a model encryption key (MEK) bound to the ML application ([Fig. 2-208, 0045] obtaining an encryption key of the ciphertext in the trusted execution environment via a data transmission channel between the trusted execution environment and the data provider [0056], a model such as a machine learning model [0104] the devices for realizing various functions can be even considered as a software module for implementing a method, and also a structure of the hardware component); receiving, from the TEE of a model release tool, into the TEE of the server, an ML model of the ML application, ([Fig. 2-206, 0045] inputting the ciphertext and the one or more model parameters into a trusted execution environment) 
the ML application and a descriptor of the ML application, and executing the ML application using the ML model and the descriptor ([0055] the training of the model parameters of the target model and the obtaining of the sample data may both be executed in the trusted execution environment on the data processing server).
WU does not disclose: the ML model encrypted with the MEK; decrypting using the MEK, by the TEE of the server, the ML model; the descriptor encrypted by a cryptographic key derived from the secret.
However, in the same field of endeavor Booth discloses: the ML model encrypted with the MEK; decrypting using the MEK, by the TEE of the server, the ML model ([0037] The model decryptor 218 is to authenticate and unlock the ML model 275 using a secret key, key 234 of TEE 230. The secret key 234 for decrypting the model 275 is derived from an attestation process with a hardware root of trust), the descriptor encrypted by a cryptographic key derived from the secret ([0047] metadata 435 generated by analytics mechanism 430 is further encrypted and integrity protected; the private key 424 being derived from a secret).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Booth in the secure models of WU by encrypting/decrypting a ML model. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to provide assurance that proprietary algorithms or logic loaded be extracted or stolen (Booth 0028).
WU in view of Booth does not disclose: receiving, from a trusted execution environment (TEE) of a user computing device, into a TEE of a server, a secret, the user computing device being authenticated by an identity and access management (IAM) service, the TEE validating the secret against a time-limited token, receiving, from a TEE of a provisioning server, into the TEE of the server.
However, in the same field of endeavor Moore discloses:
receiving, from a trusted execution environment (TEE) of a user computing device, into a TEE of a server, a secret ([0007] a first trusted execution environment obtains a secret key from a second trusted execution environment, [0069] client-side TEE provision logic 310 and server-side TEE provision logic 312), the user computing device being authenticated by an identity and access management (IAM) service ([0054] It will be recognized that asymmetric and/or symmetric authentication techniques may be used to authenticate the measurements. The measurements include the identification information [0219] the first trusted execution environment is configured to authenticate the second trusted execution environment based at least in part on the self-reported measurements of the second trusted execution environment [0177] Memory 1820 may store a subscriber identifier, such as an International Mobile Subscriber Identity (IMSI), and an equipment identifier, such as an International Mobile Equipment Identifier (IMEI). Such identifiers may be transmitted to a network server to identify users and equipment), 
receiving, from a TEE of a provisioning server, into the TEE of the server ([0040] TEE provisioning system 100 includes a plurality of user systems 102A-102M, a network 104, and a plurality of servers [0044] servers 106A-106N may push information to user devices 102A-102M).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the sending and receiving of secure ML models in WU in view of Booth by sending data from a client TEE to a server TEE. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to provide a chain of trust. A person of ordinary skill could have reasonably concluded that models in WU could be sent from and to TEEs because a person of ordinary skill would have reasonably concluded that such a chain of trust would improve security such that TEEs can be customized with the information without other parties, such as a cloud provider, being able to know or manipulate the information (Moore 0004).
WU in view of Booth and Moore does not disclose validating the secret against a time-limited token.
However, in the same field of endeavor Avetisov discloses:
validating the secret against a time-limited token ([0120] The token may include an associated timestamp or time-stamps that indicate when the token was created or when it expires; the relying party server 145 can determine to grant the client device 135 access if the token presented by the client device matches a valid token in the repository [0293] expire based on a threshold period of time);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Avetisov in the secure models of WU in view of Booth and Moore by using a time-limited token for authentication. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to certify users (Avetisov 0378).

Regarding claim 4,
WU in view of Moore, Booth and Avetisov discloses: The method of claim 1 wherein 
Avetisov further discloses: the time-limited token is bound to a cryptographic key of the user computing device ([0293] signed by a private key corresponding to a public key (e.g., public ID key)).  

Regarding claim 5,
WU in view of Moore, Booth and Avetisov discloses: The method of claim 1 further comprising: 
Avetisov further discloses: sending, by the user computing device, an attestation quote request to the server, the attestation quote request including the time-limited token (20210044976 Avetisov [0293] expire based on a threshold period of time); receiving, by the user computing device, an attestation quote from the server, the attestation quote based on the TEE of the server; sending, by the user computing device, an attestation report request for an attestation report to an attestation service ([0293] criteria by which the relying party authenticated the user), the attestation report request including the attestation quote and the access token ([0293] timestamps corresponding to the transaction Tx 415B or transaction Tx 415A (e.g., time of publication), signature of token, or other credentials); receiving, by the user computing device, the attestation report, the user computing device validating the attestation report ([0293] In some embodiments, the transaction 415C may include a new token, like token C, generated by the smart contract having determined the authentication results).

Regarding claim 9,
WU in view of Moore, Booth and Avetisov discloses: The method of claim 1,
WU further discloses: wherein the ML application includes an ML engine and non-confidential data, the ML application being executed on the ML engine using the non-confidential data ([0014] decrypting, in the trusted execution environment, the ciphertext using the encryption key to obtain the target data; processing, in the trusted execution environment, the obtained target data using the model with the one or more parameters to obtain a result).

Regarding claim 10,
WU discloses: A system for executing a machine learning (ML) application in a computing environment, the system comprising a plurality of computing devices, each of the computing devices including a processor and a non-transient memory for storing instructions which when executed by the processor cause the system to: receive, from a TEE of a model release tool, into the TEE of the server, a model encryption key (MEK) bound to the ML application ([Fig. 2-208, 0045] obtaining an encryption key of the ciphertext in the trusted execution environment via a data transmission channel between the trusted execution environment and the data provider [0056], a model such as a machine learning model [0104] the devices for realizing various functions can be even considered as a software module for implementing a method, and also a structure of the hardware component); receive, from the TEE of a model release tool, into the TEE of the server, an ML model of the application, ([Fig. 2-206, 0045] inputting the ciphertext and the one or more model parameters into a trusted execution environment). 
the application and a descriptor of the ML application, and execute the ML application using the ML model and the descriptor ([0055] the training of the model parameters of the target model and the obtaining of the sample data may both be executed in the trusted execution environment on the data processing server).
WU does not disclose: the ML model encrypted with the MEK; decrypt using the MEK, by the TEE of the server, the ML model; the descriptor encrypted by a cryptographic key derived from the secret.
However, in the same field of endeavor Booth discloses: the ML model encrypted with the MEK; decrypt using the MEK, by the TEE of the server, the ML model ([0037] The model decryptor 218 is to authenticate and unlock the ML model 275 using a secret key, key 234 of TEE 230. The secret key 234 for decrypting the model 275 is derived from an attestation process with a hardware root of trust). The descriptor encrypted by a cryptographic key derived from the secret ([0047] metadata 435 generated by analytics mechanism 430 is further encrypted and integrity protected; the private key 424 being derived from a secret).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Booth in the secure models of WU by encrypting/decrypting a ML model. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to provide assurance that proprietary algorithms or logic loaded be extracted or stolen (Booth 0028).
WU in view of Booth does not disclose: receive, from a trusted execution environment (TEE) of a user computing device, into a TEE of a server, a secret, the user computing device being authenticated by an identity and access management (IAM) service, the TEE validating the secret against a time-limited token, receiving, from a TEE of a provisioning server, into the TEE of the server.
However, in the same field of endeavor Moore discloses:
receive, from a trusted execution environment (TEE) of a user computing device, into a TEE of a server, a secret ([0007] a first trusted execution environment obtains a secret key from a second trusted execution environment, [0069] client-side TEE provision logic 310 and server-side TEE provision logic 312), the user computing device being authenticated by an identity and access management (IAM) service ([0054] It will be recognized that asymmetric and/or symmetric authentication techniques may be used to authenticate the measurements. The measurements include the identification information [0219] the first trusted execution environment is configured to authenticate the second trusted execution environment based at least in part on the self-reported measurements of the second trusted execution environment [0177] Memory 1820 may store a subscriber identifier, such as an International Mobile Subscriber Identity (IMSI), and an equipment identifier, such as an International Mobile Equipment Identifier (IMEI). Such identifiers may be transmitted to a network server to identify users and equipment), 
receive, from a TEE of a provisioning server ([0040] TEE provisioning system 100 includes a plurality of user systems 102A-102M, a network 104, and a plurality of servers), into the TEE of the server ([0044] servers 106A-106N may push information to user devices 102A-102M).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the sending and receiving of secure ML models in WU in view of Booth by sending data from a client TEE to a server TEE. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to provide a chain of trust. A person of ordinary skill could have reasonably concluded that models in WU could be sent from and to TEEs because a person of ordinary skill would have reasonably concluded that such a chain of trust would improve security such that TEEs can be customized with the information without other parties, such as a cloud provider, being able to know or manipulate the information (Moore 0004).
WU in view of Moore and Booth does not disclose validating the secret against a time-limited token.
However, in the same field of endeavor Avetisov discloses:
validating the secret against a time-limited token ([0120] The token may include an associated timestamp or time-stamps that indicate when the token was created or when it expires; the relying party server 145 can determine to grant the client device 135 access if the token presented by the client device matches a valid token in the repository [0293] expire based on a threshold period of time);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Avetisov in the secure models of WU in view of Moore and Booth by using a time-limited token for authentication. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to certify users (Avetisov 0378).

Regarding claim 13,
WU in view of Moore, Booth and Avetisov discloses: The system of claim 10 wherein 
Avetisov further discloses: the time-limited token is bound to a cryptographic key of the user computing device ([0293] signed by a private key corresponding to a public key (e.g., public ID key)).  

Regarding claim 14,
WU in view of Moore, Booth and Avetisov discloses: The system of claim 10 wherein the system further caused to: 
Avetisov further discloses: send, by the user computing device, an attestation quote request to the server, the attestation quote request including the time-limited token (20210044976 Avetisov [0293] expire based on a threshold period of time); receive, by the user computing device, an attestation quote from the server, the attestation quote based on the TEE of the server; sending, by the user computing device, an attestation report request for an attestation report to an attestation service ([0293] criteria by which the relying party authenticated the user), the attestation report request including the attestation quote and the access token ([0293] timestamps corresponding to the transaction Tx 415B or transaction Tx 415A (e.g., time of publication), signature of token, or other credentials); receive, by the user computing device, the attestation report, the user computing device validating the attestation report ([0293] In some embodiments, the transaction 415C may include a new token, like token C, generated by the smart contract having determined the authentication results).

Regarding claim 18,
WU in view of Moore, Booth and Avetisov discloses: The system of claim 10,
WU further discloses: wherein the ML application includes an ML engine and non-confidential data, the ML application being executed on the ML engine using the non-confidential data ([0014] decrypting, in the trusted execution environment, the ciphertext using the encryption key to obtain the target data; processing, in the trusted execution environment, the obtained target data using the model with the one or more parameters to obtain a result).

Claims 2-3, 7, 11-12 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over WU (U.S. 20200250321), in view of Booth (U.S. 20200134230) in view of Moore (U.S. 20190140846), and in view of Avetisov (U.S. 20210044976), in further view of Kumar Addepalli (U.S. 20200265493).

Regarding claim 2,
WU in view of Moore, Booth and Avetisov discloses: The method of claim 1 wherein 
WU in view of Moore, Booth and Avetisov does not disclose: the ML model is contained within an ML volume, the ML model encrypted with the MEK.  
However, in the same field of endeavor Kumar Addepalli discloses: the ML model is contained within an ML volume, the ML model encrypted with the MEK ([0043] all of the AI models may be stored in the AI-TMN).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kumar Addepalli in the secure models of WU in view of Moore, Booth and Avetisov by storing encrypted ML models together. This would have been obvious because the person having ordinary skill in the art would have been motivated to push and pull models in a secure manner (Kumar Addepalli 042).

Regarding claim 3,
WU in view of Moore, Booth and Avetisov discloses: The method of claim 2 wherein 
Avetisov further discloses: a hash is used to verify the integrity of ([0208] include cryptographic hashes operable to… verify information).
WU in view of Moore, Booth and Avetisov does not disclose: the MEK is tied to a user ID of an owner of the ML model and the ML volume.
However, in the same field of endeavor Kumar Addepalli discloses: the MEK is tied to a user ID of an owner of the ML model and the ML volume (Kumar Addepalli [0043] Each AI model is encrypted and integrity protected and used by the subscribing/licensing user with a uniquely generated time-bound/fully licensed key).  
A person of ordinary skill in the art before the effective filing date of the claimed invention would have had a similar motivation to combine as the motivation in claim 2.

Regarding claim 7,
WU in view of Moore, Booth and Avetisov discloses: The method of claim 1 further comprising: 
WU in view of Moore, Booth and Avetisov does not disclose: storing, by the server, the ML model in a model registry, the ML model being sealed in the model registry; receiving, by an ML-TEE, the ML model from the model registry, and unsealing the ML model.  
However, in the same field of endeavor Kumar Addepalli discloses: storing, by the server, the ML model in a model registry, the ML model being sealed in the model registry; receiving, by an ML-TEE, the ML model from the model registry, and unsealing the ML model ([0043] Moreover, all of the AI models may be stored in the AI-TMN in a trusted and secured manner and not stored anywhere else. AI models are dynamically pushed and pulled to/from the AI-TMN. Each AI model is encrypted and integrity protected and used by the subscribing/licensing user with a uniquely generated time-bound/fully licensed key).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have had a similar motivation to combine as the motivation in claim 2.

Regarding claim 11,
WU in view of Moore, Booth and Avetisov discloses: The system of claim 10 wherein 
WU in view of Moore, Booth and Avetisov does not disclose: the ML model is contained within an ML volume, the ML model encrypted with the MEK.  
However, in the same field of endeavor Kumar Addepalli discloses: the ML model is contained within an ML volume, the ML model encrypted with the MEK ([0043] all of the AI models may be stored in the AI-TMN).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kumar Addepalli in the secure models of WU in view of Moore, Booth and Avetisov by storing encrypted ML models together. This would have been obvious because the person having ordinary skill in the art would have been motivated to push and pull models in a secure manner (Kumar Addepalli 042).

Regarding claim 12,
WU in view of Moore, Booth and Avetisov discloses: The system of claim 11 wherein 
Avetisov further discloses: a hash is used to verify the integrity of ([0208] include cryptographic hashes operable to… verify information).
WU in view of Moore, Booth and Avetisov does not disclose: the MEK is tied to a user ID of an owner of the ML model and the ML volume.
However, in the same field of endeavor Kumar Addepalli discloses: the MEK is tied to a user ID of an owner of the ML model and the ML volume (Kumar Addepalli [0043] Each AI model is encrypted and integrity protected and used by the subscribing/licensing user with a uniquely generated time-bound/fully licensed key).  
A person of ordinary skill in the art before the effective filing date of the claimed invention would have had a similar motivation to combine as the motivation in claim 2.

Regarding claim 16,
WU in view of Moore, Booth and Avetisov discloses: The system of claim 10 wherein the system further caused to:
WU in view of Moore, Booth and Avetisov does not disclose: store, by the server, the ML model in a model registry, the ML model being sealed in the model registry; receive, by an ML-TEE, the ML model from the model registry, and unsealing the ML model.  
However, in the same field of endeavor Kumar Addepalli discloses: store, by the server, the ML model in a model registry, the ML model being sealed in the model registry; receive, by an ML-TEE, the ML model from the model registry, and unsealing the ML model ([0043] Moreover, all of the AI models may be stored in the AI-TMN in a trusted and secured manner and not stored anywhere else. AI models are dynamically pushed and pulled to/from the AI-TMN. Each AI model is encrypted and integrity protected and used by the subscribing/licensing user with a uniquely generated time-bound/fully licensed key).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have had a similar motivation to combine as the motivation in claim 2.


Claims 6 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over WU (U.S. 20200250321), in view of Booth (U.S. 20200134230), in view of Moore (U.S. 20190140846), in view of Avetisov (U.S. 20210044976), and in further view of Barnes (U.S. 20220067574).

Regarding claim 6, 
WU in view of Moore, Booth and Avetisov discloses: The method of claim 1 wherein 
WU in view of Moore, Booth and Avetisov does not disclose: the MEK is bound to the ML application
However, in the same field of endeavor Barnes discloses: the MEK is bound to the ML application ([0044] the model key).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Barnes in the secure models of WU in view of Moore, Booth and Avetisov by binding keys to ML applications. This would have been obvious because the person having ordinary skill in the art would have been motivated to prevent unauthorized parties from accessing private data of users (Barnes 0001).

Regarding claim 15, 
WU in view of Moore, Booth and Avetisov discloses: The system of claim 10 wherein 
WU in view of Moore, Booth and Avetisov does not disclose: the MEK is bound to the ML application
However, in the same field of endeavor Barnes discloses: the MEK is bound to the ML application ([0044] the model key).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Barnes in the secure models of WU in view of Moore, Booth and Avetisov by binding keys to ML applications. This would have been obvious because the person having ordinary skill in the art would have been motivated to prevent unauthorized parties from accessing private data of users (Barnes 0001).

Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over WU (U.S. 20200250321), in view of Booth (U.S. 20200134230), in view of Moore (U.S. 20190140846), in view of Avetisov (U.S. 20210044976), and in further view of Nandakumar (U.S. 20200252198).

Regarding claim 8,
WU in view of Moore, Booth and Avetisov discloses: The method of claim 1 further comprising: 
Moore further discloses: The server sending, over a secure channel between TEE of a provisioning server and the TEE of the server ([0069] service 314 may transfer machine-readable file formats, such as Extensible Markup Language (XML) and JavaScript Object Notation (JSON), between client-side TEE provision logic 310 and server-side TEE provision logic 312), the TEE of the server independently deriving the cryptographic key derived from the secret stored therein ([0134] hash used to verify).
Booth further discloses: The server sealing the ML application descriptor using a cryptographic key derived from the secret ([0037] The model decryptor 218 is to authenticate and unlock the ML model 275 using a secret key, key 234 of TEE 230. The secret key 234 for decrypting the model 275 is derived from an attestation process with a hardware root of trust [0047] metadata 435 generated by analytics mechanism 430 is further encrypted and integrity protected; the private key 424 being derived from a secret).
WU in view of Moore, Booth and Avetisov does not disclose: sending a ML application descriptor 
However, in the same field of endeavor Nandakumar discloses sending a ML application descriptor ([0113] encrypts a data/label pair and passes the encrypted data).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Nandakumar in the secure models of WU in view of Moore, Booth and Avetisov. This would have been obvious because the person having ordinary skill in the art would have been motivated to perform machine learning for more than one user (Nandakumar 0001).

Regarding claim 17,
WU in view of Moore and Avetisov discloses: The system of claim 10 further comprising: 
Moore further discloses: The server sending, over a secure channel between TEE of a provisioning server and the TEE of the server ([0069] service 314 may transfer machine-readable file formats, such as Extensible Markup Language (XML) and JavaScript Object Notation (JSON), between client-side TEE provision logic 310 and server-side TEE provision logic 312), the TEE of the server independently deriving the cryptographic key derived from the secret stored therein ([0134] hash used to verify).
Booth further discloses: The server sealing the ML application descriptor using a cryptographic key derived from the secret ([0037] The model decryptor 218 is to authenticate and unlock the ML model 275 using a secret key, key 234 of TEE 230. The secret key 234 for decrypting the model 275 is derived from an attestation process with a hardware root of trust; [0047] metadata 435 generated by analytics mechanism 430 is further encrypted and integrity protected; the private key 424 being derived from a secret).
WU in view of Moore, Booth and Avetisov does not disclose: sending a ML application descriptor 
However, in the same field of endeavor Nandakumar discloses sending a ML application descriptor ([0113] encrypts a data/label pair and passes the encrypted data).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Nandakumar in the secure models of WU in view of Moore and Avetisov. This would have been obvious because the person having ordinary skill in the art would have been motivated to perform machine learning for more than one user (Nandakumar 0001).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Srinivasan 3/24/2020 (US 20210133577) Protecting machine learning models.
Wang 5/2/2019 (US 20200327250) teaches securing personal data.
Ortiz 5/28/2019 (US 20190362083) teaches use of TEEs.
Pearson 3/25/2015 (US 20160285638) teaches authentication related to using TEEs.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A CARNES whose telephone number is (571)272-4378. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/T.A.C./
Examiner, Art Unit 2436
/AMIE C. LIN/ Primary Examiner, Art Unit 2436