Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This office action is in response to the communication filed on 6/8/2022.
Response to Arguments
Applicant's arguments filed 6/8/22 have been fully considered but they are not persuasive.
The applicants essentially argue that “[because] the server [in Shen] is performing a poisoning detection analysis, [the server can’t also receive results of a poison detection analysis]”.  The examiner disagrees.  Whether the server performs any sort of analysis is not relevant to whether or not the server receives results of a poison detection analysis.  In fact, the claims do not limit the receiving to being from outside of the server.  Thus, the server performing a poison detection analysis and generating results thereto would fall within the claimed “receiving results of a poison detection analysis”.  And while the examiner believes this is one manner in which the claims are met, the examiner also believes that Shen meets a more traditional interpretation of the server receiving poison detection analysis results.  
Shen teaches the server prompting the various clients to perform poisoning detection analysis.  This can be seen in Shen, where the server sends the updated model to the clients.  It is at this point that the clients then perform “poisoning detection analysis”.  As shown in section 3.2 of Shen, each user trains its own model based on its training dataset and generates the gradient value for each iteration (of this training).  This is what reads on the poisoning detection analysis.  This gradient information is then masked and sent to the server.  The server updates the global model, generates an updated set of parameters from the updated model and sends the updated parameters to each user.  The users then each use the updated parameters as input to their local model, thus generating different gradient values, which are again masked and provided to the server.  Each time the users generate gradient values, they are performing a function which falls within the scope of the claimed “poisoning detection analysis”.  This is due to two things.  One, the claims do not limit “poisoning detection analysis” to anything more than analysis used during poisoning detection, and this iterative processing performed by the users is part of poisoning detection described by Shen.  As such, Shen does teach that the server receives poisoning detection analysis results.  
Note that the claims do not require the results to be anything more specific than results of some sort of poisoning detection analysis.  The claims do not limit the results to being final results, or any sort of identification of a poisoning.  Rather, the claims only require some sort of results of analysis being performed within the context of poisoning detection.  The gradient values calculated by each user falls within the scope of the claim language.
Regarding the applicants’ assertion that Shen did not teach that the poisoning detection analysis comprises at least one of an analysis of class-specific misclassification rates or an analysis of activation clustering of a current state of the machine learning model, the examiner respectfully disagrees.  This may be due to the applicants misinterpreting the rejection by assuming the examiner was relying upon the server performing the analysis.  However, in this case, as discussed above, with respect to the claims, the examiner is relying upon the results of the analysis performed by each user as reading on the claimed results.  The user receives, in each iteration, the updated parameters, which are based upon clustering of the current state of the model, and then uses the parameters to further train their local model to generate further gradient values.  This falls within the scope of “the poisoning detection analysis comprises at least one of an analysis of class-specific misclassification rates or an analysis of activation clustering of a current state of the machine learning model”.  It does not require that the poison detection analysis perform class specific misclassification rates, or that the poison detection analysis perform activation clustering of a current state of the machine learning model, but rather it requires analysis of at least one of those two things.  Shen teaches that the users perform analysis of the updated parameters, which fall within at least one of those two things.  As such, Shen reads on the claims.
With regards to the class-specific misclassification rates, paragraph 0036 of the instant specification as published appears to show that determining distances between what is expected and actual results falls within the scope of class-specific misclassification rates.  Shen appears, at least in section 2.4 to discuss a similar methodology where various clusters of results are compared to determine the distance between the clusters and if the distance is greater than a certain amount, determining that poisoning has occurred.  Respectfully, the examiner believes that this falls within the scope of the claim language, and as such, has rejected new claim 16 accordingly.
The examiner suggest that the applicants review the claims carefully, and then amend the claims to more accurately reflect what they are trying to claim.  In this case, the claim language is very broad, and based upon the applicants’ arguments the examiner does not believe the claims are specific enough to accurately reflect what the applicants are arguing.
Because the examiner does not find the arguments persuasive, the examiner has maintained the rejections, as shown below.
Regarding the applicants’ request for further clarification regarding the rejection of claims 3-15, the examiner has provided, in each rejection, further detail regarding the rejections below.  Note that because the details of claims 6-10 are required in the alternative, (only one of class-specific miscalculation rates and activation clustering of a current state of the machine learning model are required) these dependent claims do not necessarily require that the prior art being applied meets the details being claimed.  For example, as discussed above, Shen, in at least one embodiment, teach analysis of activation clustering of a current state of the machine learning model.  Thus, in this embodiment of Shen, the details regarding the class-specific misclassification rates, as claimed in claims 6-8, are not required by the claim, as they are recited in the alternative to the activation clustering scope of the claim.
	New claim 16 has been addressed below.
	
	
	All objections and rejections not set forth below have been withdrawn.
Claims 1-16 have been examined.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 16 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 16 recites “the results of the poison detection analysis”, which lacks antecedent basis in the claim.  The claim provides support for “a result” not “a plurality of results”.  


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-16 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Shen et al. (“Auror: Defending Against Poisoning Attacks in Collaborative Deep Learning Systems”).
Regarding claims 1, 12, and 14, Shen disclosed a system, method, and CRM, for detecting model poisoning attempts in a federated learning system comprising a server orchestrating with clients to train a machine learning model, the method comprising: receiving, by the server, results of a poisoning detection analysis (updated gradients), the poisoning detection analysis comprising at least one of an analysis of class-specific misclassification rates or an analysis of activation clustering of a current state of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claims 2, 13, and 15, Shen disclosed selecting, by the server, a subset of clients from the clients to perform the poisoning detection analysis on the current state of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example); sending, by the server, to the subset of clients, at least the current state of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example); and receiving, by the server from at least one client of the subset of clients, the results of the poisoning detection analysis (Shen Sections 2.3, 2.4, 3.2, and 5, for example receiving the gradient values from each client).
Regarding claim 3, Shen disclosed determining, by the server from the results of the poisoning detection analysis, a number of the subset of clients that have accepted the current state of the machine learning model (users who returned their gradient values) (Shen Sections 2.3, 2.4, 3.2, and 5, for example); and determining, by the server, to update the current state of the model to a new state based upon the number of the subset of clients that have accepted the current state of the machine leaning model to meeting a threshold (Shen Sections 2.3, 2.4, 3.2, and 5, for example the Auror system updates when it receives gradient values.  Even if the threshold is “at least 1”, this meets the claim.).
Regarding claim 4, Shen disclosed selecting, by the server, a new subset of clients from the clients to perform the poisoning detection analysis on the new state of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example sending the updated model and the clients performing iterative retraining); sending, by the server, to the new subset of clients, at least the new state of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example sending the updated model and the clients performing iterative retraining); and receiving, by the server from at least one client of the new subset of clients, the results of the poisoning detection analysis (Shen Sections 2.3, 2.4, 3.2, and 5, for example sending the updated model and the clients performing iterative retraining).
Regarding claim 5, Shen disclosed sending, by the server, a specification of the poisoning detection analysis to the subset of clients, the specification comprising instructions on whether to perform one or both of the analysis of class-specific misclassification rates or the analysis of activation clustering (Shen Sections 2.3, 2.4, 3.2, and 5, for example because the server sends the updated model based on its particular poison detection, this is a specification that the analysis to be performed by the client is with respect to the poison detection performed to update the model).
Regarding claim 6, Shen disclosed performing the analysis of class-specific misclassification rates comprises: applying test data to the current state of the machine learning model to obtain predictions (Shen Sections 2.3, 2.4, 3.2, and 5, for example); comparing the predictions to expected labels to obtain a misclassification distribution (Shen Sections 2.3, 2.4, 3.2, and 5, for example); applying at least one metric to determine one or more aggregation of distances (Shen Sections 2.3, 2.4, 3.2, and 5, for example); and flagging the current state of the model as poisoned based upon the one or more distances exceeding a threshold (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claim 7, Shen disclosed that the at least one metric comprises distances among class-specific error rates for the current state of the machine learning model as compared to a previous state of the machine learning model or pairwise differences in error rates among classes for the current state of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claim 8, Shen disclosed that the aggregation performed corresponds to at least one of sum, absolute, Euclidian, or squared Euclidean norms (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claim 9, Shen disclosed that performing the analysis of activation clustering comprises: applying test data as an input to the current state of the machine learning model to determine activations of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example); extracting the activations from the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example); sorting the activations according to predicted classes into groups (Shen Sections 2.3, 2.4, 3.2, and 5, for example); performing a dimension reduction on each group of the sorted activations (Shen Sections 2.3, 2.4, 3.2, and 5, for example); clustering the reduced activations into clusters (Shen Sections 2.3, 2.4, 3.2, and 5, for example); and applying at least one metric to the clusters to determine whether at least one threshold is exceeded (Shen Sections 2.3, 2.4, 3.2, and 5, for example); and flagging the current state of the model as poisoned based upon exceeding the at least one threshold (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claim 10, Shen disclosed that the at least one metric comprises at least one of a threshold size of the clusters, a threshold centroid distance of the clusters, or a threshold class-wise average silhouette of the clusters (Shen Sections 2.3, 2.4, 3.2, and 5, for example).
Regarding claim 11, Shen disclosed applying, by the server, test data as an input to the current state of the machine learning model in order to determine predictions for use in the analysis of class-specific misclassification rates or to extract activations for use in the analysis of activation clustering (Shen Sections 2, 3.2, and 5, for example).
Regarding claim 16, Shen disclosed that the server receives the results of the poison detection analysis from a plurality of clients (Shen Sections 2.3, 2.4, 3.2, and 5, for example, the analysis is the clients each downloading the updated parameters and then generating updated gradient values), wherein the poisoning detection analysis comprises each of the analysis of the class-specific misclassification rates and the analysis of the activation clustering of the current state of the machine learning model (Shen Sections 2.3, 2.4, 3.2, and 5, for example.  The server generates the new model parameters based upon class specific misclassification rates – e.g. the distances between the gradient clusters.  The server also generates the new model parameters based upon clustering of the current state – e.g. the distance between the clusters.  The clients running the models based on the new parameters falls within the scope of the analysis claimed.).  

Conclusion
Claims 1-16 have been rejected.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
“Mitigating Sybils in Federated Learning Poisoning” taught another system for training multi-party machine learning models including determining Euclidian distance between clusters of gradients from various clients.  
US 11,227,050 taught a system for ranking data instances on federated clients and determining anomaly scores (likelihood of poisoning) based on rations between average distance and largest distance between selected and additional data instances.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW T HENNING whose telephone number is (571)272-3790. The examiner can normally be reached Monday- Thursday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MATTHEW T HENNING/            Primary Examiner, Art Unit 2491