DETAILED ACTION
Office Action Summary
The instant application was filed 9/10/2019.
Claims 1-20 are pending in the instant application.
Claims 1-20 are rejected under 35 USC § 102.
Applicants’ arguments filed 4/21/2022 have been considered but are not persuasive. Applicant argues that the cited prior art cannot be used and recites a portion of the 102(b)(2) claim language, but leaves out the initial line, which states “(1) DISCLOSURES MADE 1 YEAR OR LESS BEFORE THE EFFECTIVE FILING DATE OF THE CLAIMED INVENTION.—A disclosure made 1 year or less before the effective filing date of a claimed invention shall not be prior art to the claimed invention under subsection (a)(1) if …”. Since the prior art relied upon was published more than one year before the effective filing date of the instant application, it is valid prior art.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by MARIA-IRINA NICOLAE ET AL: "Adversarial Robustness Toolbox v0.3.0", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 3 July 2018 (2018-07-03), XP081261736. (ART furnished in IDS 9/10/2019)

As per claim 1, D1 teaches A method for securing machine learning models in a computing environment by one or more processors (D1, abstract: "deploying practical defenses of real-world AI problems") comprising: providing one or more hardened machine learning models secured against adversarial attacks (D1, page 4, 1.1 "model hardening") by applying one or more of a plurality of combinations (D1, page 3, 1.6 "The architecture of ART makes it easy to combine various defenses") of selected preprocessing operations from one or more machine learning models (D1, page 4, 1.3-4 "input data preprocessing"), a data set used for hardening the one or more machine learning models (D1, page 4, 1.2-3 "augment the training data of the classifier, e.g. by adversarial examples (so-called adversarial training[17, 30]) or other augmentation methods"), a list of preprocessors, and a selected number of learners. (D1, page 4, 1.3-4 "input data preprocessing")

As per claim 2, D1 teaches The method of claim 1, further including receiving the one or more machine learning models, the data set used for hardening the one or more machine learning models, the list of preprocessors, and the selected number of learners. (D1, page 4, 1.1 "model hardening" and 1.3-4 "input data preprocessing", and page 3, 1.6 "The architecture of ART makes it easy to combine various defenses"; the total number of devices is the number of learners)

As per claim 3, D1 teaches The method of claim 1, further including learning a degree of adversarial robustness of each of the plurality of combinations of selected preprocessing operations. (D1, page 4, 1.9 "robustness metrics")

As per claim 4, D1 teaches The method of claim 1, further including: receiving one or more data instances from the data set; and transforming the one or more data instances by applying one or more transformation operations by one or more of the plurality of combinations of selected preprocessing operations. (D1, page 4, 1.3-6 "input data preprocessing, often using non-differentiable or randomized transformation [19], transformations reducing the dimensionality of the inputs [43], or transformations aiming to project inputs onto the "true" data manifold").

As per claim 5, D1 teaches The method of claim 1, further including preprocessing incoming data using one or more of the plurality of combinations of selected preprocessing operations prior to being consumed by the one or more machine learning models. (D1, page 4, 1.3-4 "input data preprocessing")

As per claim 6, D1 teaches The method of claim 1, further including determining a security score for the one or more hardened machine learning models indicating a level of security from the adversarial attacks. (D1, page 14, first paragraph teaches using a score and section 10.3 page 29)

As per claim 7, D1 teaches The method of claim 1, further including: learning one or more parameters for each of the selected number of learners; and learning each of the plurality of combinations of selected preprocessing operations that harden the one or more machine learning models. (D1, page 4, 1.1 "model hardening" and 1.3-4 "input data preprocessing", and page 3, 1.6 "The architecture of ART makes it easy to combine various defenses"; the total number of devices is the number of learners)

Claims 8-14 recite system claims that correspond to method claims 1-7 and are rejected using the same rationale.
Claims 15-20 recite computer program product claims that correspond to method claims 1-7 and are rejected using the same rationale.

Other Arts of Record
Lee et al. (10,657,259) teaches “The mechanisms of the illustrative embodiments are specific to a technological environment involving one or more data processing systems and/or computing devices that are specifically configured to implement the additional logic of the present invention thereby resulting in a non-generic technological environment comprising one or more non-generic data processing systems and/or computing devices. Moreover, the illustrative embodiments are specifically directed to solving the technological problem of hardening neural networks, cognitive models, or machine learning models against adversarial attacks by introducing deceiving gradients via specific training of specialized computing devices or systems having neural network models, machine learning models, deep learning models, or other such cognitive or artificial intelligence for performing a cognitive operation.”
Carvalho et al. (11,132,444) teaches “The mechanisms of the illustrative embodiments are specific to a technological environment involving one or more data processing systems and/or computing devices that are specifically configured to implement the additional logic of the present invention thereby resulting in a non-generic technological environment comprising one or more non-generic data processing systems and/or computing devices. Moreover, the illustrative embodiments are specifically directed to solving the technological problem of hardening neural networks, cognitive models, or machine learning models against adversarial attacks by introducing deceiving gradients via specific training of specialized computing devices or systems having neural network models, machine learning models, deep learning models, or other such cognitive or artificial intelligence for performing a cognitive operation.”
Sharad et al. (2019/0325163) teaches “Embodiments of the present invention provide methods for hardening machine learning systems against adversarial attacks through input randomization and quantization (i.e., a defensive mechanism employed to protect machine learning models). For example, a hardening operation can introduce random perturbations followed by quantizing to a machine learning model input before the input is passed to a prediction step (e.g., a machine learning classification step). This hardening operation makes the results of perturbations introduced by an adversary unpredictable, thus defeating their attacks.”
Joye et al. (2020/0143045) teaches “A method is provided for protecting a trained machine learning model that provides prediction results with confidence levels. The confidence level is a measure of the likelihood that a prediction is correct. The method includes determining if a query input to the model is an attempted attack on the model. If the query is determined to be an attempted attack, a first prediction result having a highest confidence level is swapped with a second prediction result having a relatively lower confidence level so that the first and second prediction results and confidence levels are re-paired. Then, the second prediction result is output from the model with the highest confidence level. By swapping the confidence levels and outputting the prediction results with the swapped confidence levels, the machine learning model is more difficult for an attacker to extract.”

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIMON P KANAAN whose telephone number is (571)270-3906.  The examiner can normally be reached on M-F (7AM-4PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SIMON P KANAAN/Primary Examiner, Art Unit 2492