Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments, see Remarks pages 7-8, filed 05/17th/2022, with respect to claims 1-20 rejection under 35 USC § 101 have been fully considered and are persuasive. The claims rejection under 35 USC § 101 has been withdrawn.

Applicant’s arguments, see Remarks page 8-9, filed 05/17th/2022, with respect
to claims 1-20 rejection under 35 U.S.C. § 103 have been fully considered and are moot in light of the new rejection shown below.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first
paragraph, as failing to comply with the written description requirement. The claim( s)
contains subject matter which was not described in the specification in such a way as to
reasonably convey to one skilled in the relevant art that the inventor or a joint inventor,
or for applications subject to pre-A IA 35 U.S.C. 112, the inventor(s), at the time the
application was filed, had possession of the claimed invention.
With respect to claims 1, 7, and 14, the instant specification does not describe the type of data in based on a type of data of the training data points, or when or how said type of data would be selected in order to affect the parameters and realistic transformations. Based on a type of data of the training data points is interpreted as incorporating new matter into the claim to which there is no support in the original disclosure.
The remaining claims are rejected with respect to their dependence on the
rejected claims.

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-A IA 35 U.S.C. 112, the applicant), regards as the invention. 
Regarding claims 1, 7, and 14, based on a type of data of the training data points is indefinite. There is no support for based on a type of data of the training data points upon which the parameters and the realistic transformations are dependent. It's not clear what the type of data is or when it is identified. In the interest of further examination the type of data is considered to be images and the parameters are considered to be image altering parameters such as noise and rotation or orientation.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all 
obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-5, 14-15, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Cicek (SaaS: Speed as a Supervisor for Semi-supervised Learning – May 2018).

Regarding claim 1 Fawzi teaches obtaining a set of realistic transformations of the set of training data-points correctly predicted by the DNN model, the set of realistic transformations corresponding to additional data-points within a predetermined mathematical distance from each of a training data-point of the set of training data-points and the set of realistic transformations being transformations to each of multiple parameters of the training data-points that are predicted based on a type of data of the training data points such that the set of realistic transformations simulate situations or circumstances that introduce variations that are likely to occur to data analyzed by the DNN model ([page 56, Fig. 5] (a) The original image. The remaining images are minimally perturbed images (along with the corresponding estimated label) that misclassify the CaffeNet deep neural network. (b) Adversarial perturbation, (c) random noise, (d) semirandom noise with m = 1000, (e) universal perturbation, (f) affine transformation.). The examiner notes that Fawzi teaches in [Figure 5] an original image and multiple transformations of the original image showing minimal perturbations and the corresponding estimated labels. The examiner also notes that the claim does not define what is the type of data upon which the parameters and realistic transformations are dependent. The examiner interprets the type of data, based on the specifications and in particular [0038-0040], [0054], [0056], and [0071], to be image data and the parameters to be image altering parameters such as noise and rotation)
creating a robustness profile corresponding to whether the DNN model accurately predicts an outcome for the additional data-points of the set of realistic transformations ([Page 52, Figure 2] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions
of x1 (i.e., T = {Tr (x1):r ∈ R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Figure 2] a representation of how well a classifier performs against different levels of perturbations.)
generating a robustness evaluation of the DNN model based on the robustness profile. ([Page57, Fig 7] The two-dimensional normal cross sections of the decision boundaries for three different classifiers near randomly chosen samples. The section is spanned by the adversarial perturbation of the data point x (vertical axis) and a random vector in the tangent space to the decision boundary (horizontal axis). The green region is the classification region of x. The decision boundaries with different classes are illustrated in different colors. Note the difference in range between the x and y axes. (a) VGG-F (ImageNet), (b) LeNet (CIFAR), (c) LeNet (MNIST). (Figure used with permission from [18].) The examiner notes that Fawzi teaches in [Fig. 7] a visual evaluation of how well three different models classify perturbed samples.)
retraining, based on the robustness evaluation, the DNN model using the additional data points ([Page 60, Para. 2] Specifically, a minimization-maximization approach is proposed, where the loss is minimized over worst-case examples, rather than only on the original data. That is, the following minimization-maximization training procedure is used to train the network:

    PNG
    media_image1.png
    63
    277
    media_image1.png
    Greyscale

The examiner notes that Fawzi teaches minimizing the loss function over incorrect examples).
However, though Fawzi teaches A method of evaluating the robustness of a Deep Neural Network (DNN) model, the method comprising: as stated above, Fawzi fails to explicitly teach obtaining a set of training data-points correctly predicted by the DNN model.
On the other hand, Cicek teaches obtaining a set of training data-points correctly predicted by the DNN model. ([Page 1, Fig. 1]
Supervision quality affects learning speed. During training, the loss decreases rapidly when most labels provided are correct, and slows down significantly as the percentage of correct labels decreases. The left plot shows the loss when training a Resnet18 on CIFAR10 for different percentages of corrupted labels. The error bars show mean and standard deviation over 3 runs with random initial weights. The right panel shows the loss as a function of the percentage of incorrect labels for a unit of time corresponding to ten epochs. All the results use a fixed learning rate of 0:1, with no data augmentation or weight decay. The examiner notes that Cicek teaches in [Fig 1] correctly classifying images when labels do not experience corruption. The examiner also notes that Fawzi and Cicek are both considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fawzi’s analysis of deep classifiers’ robustness to perturbation to incorporate A method of evaluating the robustness of a Deep Neural Network (DNN) model, the method comprising: obtaining a set of training data-points correctly predicted by the DNN model as taught by Cicek [Fig 1] to measure the quality of an iterative estimate of the posterior probability of unknown labels [Page 1, Para 1]).

Regarding claim 2 Fawzi teaches The method of claim 1, further comprising: identifying a plurality of robustness holes in the DNN model corresponding to additional data-points where the DNN model is determined as inaccurately predicting the outcome of the additional data-points. ([Page 52, Para. 5] Hence,
despite being zero risk, this classifier is highly unstable to additive perturbation, as it suffices to perturb the bias of the image (i.e., by adding a very small value to all pixels) to cause misclassification).

Regarding claim 4 Fawzi teaches The method of claim 2, wherein the robustness evaluation of the DNN model identifies a particular class of realistic transformations where there are identified robustness holes. ([Page 51, Para. 6] Before going into more detail about robustness, we first define some notations. Let X denote the ambient space where images live. We denote by R the set of admissible perturbations. For example, when considering geometric perturbations, R is set to be the group of geometric (e.g., affine) transformations under study. The examiner notes that Fawzi teaches perturbations that cause affine transformations.)

Regarding claim 5 Fawzi teaches The method of claim 1, wherein the robustness evaluation of the DNN model comprises a graph illustrating the robustness at the additional data-points of the realistic transformations. ([Page 52, Figure 2] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions of x1 (i.e., T = {Tr (x1):r ∈ R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Figure 2] a representation of how well a classifier performs against different levels of perturbations).

Regarding claim 14 Fawzi teaches obtaining a set of realistic transformations of the set of training data-points correctly predicted by the DNN model, the set of realistic transformations corresponding to additional data-points within a predetermined mathematical distance from each of a training data-point of the set of training data-points and the set of realistic transformations being transformations to each of multiple parameters of the training data-points that are predicted based on a type of data of the training data points such that the set of realistic transformations simulate situations or circumstances that introduce variations that are likely to occur to data analyzed by the DNN model ([page 56, Fig. 5] (a) The original image. The remaining images are minimally perturbed images (along with the corresponding estimated label) that misclassify the CaffeNet deep neural network. (b) Adversarial perturbation, (c) random noise, (d) semirandom noise with m = 1000, (e) universal perturbation, (f) affine transformation.). The examiner notes that Fawzi teaches in [Figure 5] an original image and multiple transformations of the original image showing minimal perturbations and the corresponding estimated labels. The examiner also notes that the claim does not define what is the type of data upon which the parameters and realistic transformations are dependent. The examiner interprets the type of data, based on the specifications and in particular [0038-0040], [0054], [0056], and [0071], to be image data and the parameters to be image altering parameters such as noise and rotation)
creating a robustness profile corresponding to whether the DNN model accurately predicts an outcome for the additional data-points of the set of realistic transformations ([Page 52, Figure 2] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions
of x1 (i.e., T = {Tr (x1):r ∈ R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Figure 2] a representation of how well a classifier performs against different levels of perturbations.)
generating a robustness evaluation of the DNN model based on the robustness profile. ([Page57, Fig 7] The two-dimensional normal cross sections of the decision boundaries for three different classifiers near randomly chosen samples. The section is spanned by the adversarial perturbation of the data point x (vertical axis) and a random vector in the tangent space to the decision boundary (horizontal axis). The green region is the classification region of x. The decision boundaries with different classes are illustrated in different colors. Note the difference in range between the x and y axes. (a) VGG-F (ImageNet), (b) LeNet (CIFAR), (c) LeNet (MNIST). (Figure used with permission from [18].) The examiner notes that Fawzi teaches in [Fig. 7] a visual evaluation of how well three different models classify perturbed samples.)
retraining, based on the robustness evaluation, the DNN model using the additional data points ([Page 60, Para. 2] Specifically, a minimization-maximization approach is proposed, where the loss is minimized over worst-case examples, rather than only on the original data. That is, the following minimization-maximization training procedure is used to train the network:

    PNG
    media_image1.png
    63
    277
    media_image1.png
    Greyscale

The examiner notes that Fawzi teaches minimizing the loss function over incorrect examples).
However, Fawzi fails to teach A non-transitory computer-readable storage medium configured to store instructions that, in response to being executed, cause a system to perform operations, the operations comprising: obtaining a set of training data-points correctly predicted by the DNN model.
On the other hand, Cicek teaches A non-transitory computer-readable storage medium configured to store instructions that, in response to being executed, cause a system to perform operations, the operations comprising: obtaining a set of training data-points correctly predicted by the DNN model. ([Page 1, Fig. 1]
Supervision quality affects learning speed. During training, the loss decreases rapidly when most labels provided are correct, and slows down significantly as the percentage of correct labels decreases. The left plot shows the loss when training a Resnet18 on CIFAR10 for different percentages of corrupted labels. The error bars show mean and standard deviation over 3 runs with random initial weights. The right panel shows the loss as a function of the percentage of incorrect labels for a unit of time corresponding to ten epochs. All the results use a fixed learning rate of 0:1, with no data augmentation or weight decay. The examiner notes that Cicek teaches in [Fig 1] correctly classifying images when labels do not experience corruption. The examiner also notes that Fawzi and Cicek are both considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fawzi’s analysis of deep classifiers’ robustness to perturbation to incorporate A non-transitory computer-readable storage medium configured to store instructions that, in response to being executed, cause a system to perform operations, the operations comprising: obtaining a set of training data-points correctly predicted by the DNN model as taught by Cicek [Fig 1] to measure the quality of an iterative estimate of the posterior probability of unknown labels [Page 1, Para 1]).

Regarding claim 15 Fawzi teaches The computer-readable storage medium of claim 14, wherein the operations further comprise: identifying a plurality of robustness holes in the DNN model corresponding to additional data-points where the DNN model is determined as inaccurately predicting the outcome of the additional data-points. ([Page 52, Para. 5] Hence, despite being zero risk, this classifier is highly unstable to additive perturbation, as it suffices to perturb the bias of the image (i.e., by adding a very small value to all pixels) to cause misclassification.)

Regarding claim 18 Fawzi teaches The computer-readable storage medium of claim 14, wherein the robustness evaluation of the DNN model comprises a graph illustrating the robustness at the additional data-points of the realistic transformations. ([Page 52, Figure 2] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions of x1 (i.e., T = {Tr (x1):r ∈ R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Figure 2] a representation of how well a classifier performs against different levels of perturbations).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Cicek (SaaS: Speed as a Supervisor for Semi-supervised Learning – May 2018) further in view of Carlini (Towards Evaluating the Robustness of Neural Networks - 2017)

Regarding claim 3 Fawzi/Cicek teach The method of claim 2. wherein the DNN model is an image classification model. However, Fawzi/Cicek fail to explicitly teach and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space.
On the other hand, Carlini teaches and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space. ([Page 42, para.2] L2 distance measures the standard Euclidean (root-mean-square) distance between x and x’. The L2 distance can remain small when there are many small changes to many pixels. The examiner notes that Fawzi/Cicek and Carlini are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Cicek)’s analysis of deep classifiers’ robustness to perturbation to incorporate and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space as taught by Carlini [Page 42, Para 2] to construct attacks that perform superior to the state-of-the art [Page 42, Para 5]).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Cicek (SaaS: Speed as a Supervisor for Semi-supervised Learning – May 2018) further in view of Krasser (US 10832168B2).

Regarding claim 6 Fawzi/Cicek teach The method of claim 1 however Fawzi/Cicek fail to explicitly teach wherein the DNN model is a malware detection model, wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code.
On the other hand, Krasser teaches wherein the DNN model is a malware detection model, wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code. ([Col. 3, line 39] While example techniques described herein may refer to analyzing a program that may potentially be malware, it is understood that the techniques may also apply to other non-malicious software that includes code obfuscation or other transformation performed by a generator. The examiner notes that Fawzi/Cicek and Krasser are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Cicek)’s analysis of deep classifiers’ robustness to perturbation to incorporate wherein the DNN model is a malware detection model, wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code as taught by Krasser [Col. 3, Line 39] to make it more difficult to locate security vulnerabilities in the code [Page 3, Line 44]).

Claims 7 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Baluja (The Virtues of Peer Pressure: A Simple Method for Discovering High-Value Mistakes - 2015), further in view of Brajim-Belhouari (Model selection based on robustness criterion with measurement application - 1999).

Regarding claim 7 Fawzi teaches creating a first robustness profile corresponding to whether the first DNN model accurately predicts an outcome for the additional data-points of the set of realistic transformations ([Page 52, Figure 2] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions of x1 (i.e., T ={Tr (x1):r ! R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Fig. 2] a profile representing the robustness of a classifier vs perturbations. The examiner also notes that Fawzi teaches in [Fig. 7] that his analysis was done on multiple classifiers).
creating a second robustness profile corresponding to whether the second DNN model accurately predicts an outcome for the additional data-points of the set of realistic transformations ([Page 52, Figure 2] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions of x1 (i.e., T ={Tr (x1):r ! R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Fig. 2] a profile representing the robustness of a classifier vs perturbations. The examiner also notes that Fawzi teaches in [Fig. 7] that his analysis was done on multiple classifiers).
generating a first robustness evaluation of the first DNN model based on the robustness profile ([Page57, Fig 7] The two-dimensional normal cross sections of the decision boundaries for three different classifiers near randomly chosen samples. The section is spanned by the adversarial perturbation of the data point x (vertical axis) and a random vector in the tangent space to the decision boundary (horizontal axis). The green region is the classification region of x. The decision boundaries with different classes are illustrated in different colors. Note the difference in range between the x and y axes. (a) VGG-F (ImageNet), (b) LeNet (CIFAR), (c) LeNet (MNIST). (Figure used with permission from [18].) The examiner notes that Fawzi teaches in [Fig. 7] a visual evaluation of how well three different models classify perturbed samples.)
generating a second robustness evaluation of the second DNN model based on the robustness profile ([Page57, Fig 7] The two-dimensional normal cross sections of the decision boundaries for three different classifiers near randomly chosen samples. The section is spanned by the adversarial perturbation of the data point x (vertical axis) and a random vector in the tangent space to the decision boundary (horizontal axis). The green region is the classification region of x. The decision boundaries with different classes are illustrated in different colors. Note the difference in range between the x and y axes. (a) VGG-F (ImageNet), (b) LeNet (CIFAR), (c) LeNet (MNIST). (Figure used with permission from [18].) The examiner notes that Fawzi teaches in [Fig. 7] a visual evaluation of how well three different models classify perturbed samples.)
However, Fawzi fails to explicitly teach, the method comprising: obtaining a set of training data-points correctly predicted by both the first DNN model and the second DNN model. Furthermore, Fawzi fails to explicitly teach obtaining a set of realistic transformations of the set of training data-points correctly predicted by both the first DNN model and second DNN model, the set of realistic transformations corresponding to additional data-points within a predetermined mathematical distance from each of a training data-point of the set of training data-points and the set of realistic transformations being transformations to each of multiple parameters of the training data-points that are predicted based on a type of data of the training data points such that the set of realistic transformations simulate situations or circumstances that introduce variations that are likely to occur to data analyzed by the first DNN model and the second DNN model. Furthermore, Fawzi fails to explicitly teach identifying whether the first DNN model or the second DNN model has greater robustness based on the first robustness evaluation and the second robustness evaluation. Furthermore, Fawzi fails to explicitly teach in response to the first DNN model having greater robustness than the second DNN model, selecting the first DNN model over the second DNN model to analyze data.
    On the other hand, Baluja teaches A method of evaluating a first Deep Neural Network (DNN) as compared to a second DNN in terms of robustness, the method comprising: obtaining a set of training data-points correctly predicted by both the first DNN model and the second DNN model ([Page 99, Para 3] With both of these approaches, we use the consistent classification of the peer networks as a filter to select images. The examiner notes that Fawzi and Baluja are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fawzi’s analysis of deep classifiers’ robustness to perturbation to incorporate A method of evaluating a first Deep Neural Network (DNN) as compared to a second DNN in terms of robustness, the method comprising: obtaining a set of training data-points correctly predicted by both the first DNN model and the second DNN model as taught by Baluja [Page 99, Para 3] to efficiently and intuitively discover input instances that are misclassified by well-trained neural networks [Page 96, Para 1]).
Furthermore, Baluja teaches obtaining a set of realistic transformations of the set of training data-points correctly predicted by both the first DNN model and second DNN model, the set of realistic transformations corresponding to additional data-points within a predetermined mathematical distance from each of a training data-point of the set of training data-points and the set of realistic transformations being transformations to each of multiple parameters of the training data-points that are predicted based on a type of data of the training data points such that the set of realistic transformations simulate situations or circumstances that introduce variations that are likely to occur to data analyzed by the DNN model ([page 100, para 1] Illustrating using the MNIST example, we start by randomly selecting a digit image from the training set (seed). We also randomly generate a small affine transformation (e.g., small rotation, translation, stretch). The examiner notes that Baluja teaches in [Page 99-100] the correct classification of images by multiple networks and then applying affine transformations to some of those images. The examiner also notes that the claim does not define what is the type of data upon which the parameters and realistic transformations are dependent. The examiner interprets the type of data, based on the specifications and in particular [0038-0040], [0054], [0056], and [0071], to be image data and the parameters to be image altering parameters such as noise and rotation The examiner also notes that Fawzi and Baluja are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fawzi’s analysis of deep classifiers’ robustness to perturbation to incorporate obtaining a set of realistic transformations of the set of training data-points correctly predicted by both the first DNN model and second DNN model, the set of realistic transformations corresponding to additional data-points within a predetermined mathematical distance from each of a training data-point of the set of training data-points and the set of realistic transformations being transformations to each of multiple parameters of the training data-points that are predicted based on a type of data of the training data points such that the set of realistic transformations simulate situations or circumstances that introduce variations that are likely to occur to data analyzed by the DNN model as taught by Baluja [page 100, para 1] to efficiently and intuitively discover input instances that are misclassified by well-trained neural networks [Page 96, Para 1]).
Furthermore, Brajim-Belhouari teaches identifying whether the first DNN model or the second DNN model has greater robustness based on the first robustness evaluation and the second robustness evaluation. ([Page 202. Para.1] The problem of nonlinear model selection has been considered for a measurement dedicated approach. A simple selection procedure, based on robustness to deviations of the distribution laws from the assumed ones, has been proposed. The examiner notes that Fawzi/Baluja and Brajim-Belhouari are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Baluja)’s analysis of deep classifiers’ robustness to perturbation to incorporate identifying whether the first DNN model or the second DNN model has greater robustness based on the first robustness evaluation and the second robustness evaluation as taught by Brajim-Belhouari [Page 202. Para.1] to estimate parameters efficiently without exact knowledge of noise distribution [Page 202. Para.1]).
Furthermore, Brajim-Belhouari teaches in response to the first DNN model having greater robustness than the second DNN model, selecting the first DNN model over the second DNN model to analyze data ([Page 199, Para. 4] In the presence of contaminated data, we compute the performance deviation of each candidate model structure:

    PNG
    media_image2.png
    71
    917
    media_image2.png
    Greyscale

According to this selection criterion, the less sensitive model is chosen:

    PNG
    media_image3.png
    73
    901
    media_image3.png
    Greyscale


The examiner notes that Brajim-Belhouari teaches the selection of the model that is less sensitive (more robust). The examiner also notes that Fawzi/Baluja and Brajim-Belhouari are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Baluja)’s analysis of deep classifiers’ robustness to perturbation to incorporate in response to the first DNN model having greater robustness than the second DNN model, selecting the first DNN model over the second DNN model to analyze data as taught by Brajim-Belhouari [Page 199. Para.4] to estimate parameters efficiently without exact knowledge of noise distribution [Page 202. Para.1]).

Regarding claim 13 Fawzi/Baluja/Brajim-Belhouari teaches The method of claim 7, the method further comprising recommending either the first or second DNN model for a particular application based which of the first DNN model or the second DNN model is identified as having greater robustness. ([Page 196, Para. 4 on Brajim-Belhouari] we compute the performance deviation of each candidate model structure. By the means of the proposed selection criterion the less sensitive model is chosen (Section 4)).

Claims 8, 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Baluja (The Virtues of Peer Pressure: A Simple Method for Discovering High-Value Mistakes - 2015), further in view of Brajim-Belhouari (Model selection based on robustness criterion with measurement application - 1999), further in view of Rozsa (Adversarial Diversity and Hard Positive Generation - 2016).

Regarding claim 8, Fawzi/Baluja/Brajim-Belhouari teach The method of claim 7 but fail to explicitly teach further comprising: identifying a plurality of robustness holes in each of the first and second DNN models corresponding to additional data-points where each of the respective first and second DNN models are determined as inaccurately predicting the outcome of the additional data-points.
On the other hand, Rozsa teaches further comprising: identifying a plurality of robustness holes in each of the first and second DNN models corresponding to additional data-points where each of the respective first and second DNN models are determined as inaccurately predicting the outcome of the additional data-points. ([Page 7, Table 1] Error rates of various adversarial and hard positive trained networks on both MNIST and adversarial test sets. Increasing adversarial diversity clearly improves results. The examiner notes that Rozsa teaches in [Table 1] a list of classifiers and the percentage of their misclassification of input data. The examiner notes that Fawzi/Baluja/Brajim-Belhouari and Rozsa are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Baluja/Brajim-Belhouari)’s analysis of deep classifiers’ robustness to perturbation to incorporate further comprising: identifying a plurality of robustness holes in each of the first and second DNN models corresponding to additional data-points where each of the respective first and second DNN models are determined as inaccurately predicting the outcome of the additional data-points as taught by Rozsa [Page 7. Table 1] to generate perturbations that correspond to semantically meaningful image structures [Page 1, Para 1]).

Regarding claim 11, Fawzi/Baluja/Brajim-Belhouari/Rozsa teaches The method of claim 8, wherein the robustness evaluation of each of the first and second DNN models comprises a graph illustrating the robustness at the additional data-points of the realistic transformations. ([Page 52, Figure 2 on Fawzi] Here, B denotes the decision boundary of the classifier between classes 1 and 2, and T denotes the set of perturbed versions of x1 (i.e., T = {Tr (x1):r ∈ R}), where we recall that R denotes the set of admissible perturbations. The pointwise robustness at x1 is defined as the smallest perturbation in R that causes x1 to change class. The examiner notes that Fawzi teaches in [Figure 2] a representation of how well a classifier performs against different levels of perturbations. The examiner also notes that Fawzi teaches in [Fig 7] that his analysis is done on multiple classifiers).

Regarding claim 12, Fawzi/Baluja/Brajim-Belhouari/Rozsa teaches The method of claim 8, wherein the robustness evaluation of each of the DNN models identify a particular class of an initial image classification where there are identified robustness holes. ([Page 7, Table 1 on Rozsa] Error rates of various adversarial and hard positive trained networks on both MNIST and adversarial test sets. Increasing adversarial diversity clearly improves results. The examiner notes that Rozsa teaches in [Table 1] a list of classifiers and the rate of their misclassification of input data.)

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Baluja (The Virtues of Peer Pressure: A Simple Method for Discovering High-Value Mistakes - 2015), further in view of Brajim-Belhouari (Model selection based on robustness criterion with measurement application - 1999), further in view of Rozsa (Adversarial Diversity and Hard Positive Generation - 2016), further in view of Carlini (Towards Evaluating the Robustness of Neural Networks - 2017).

Regarding claim 9 Fawzi/Baluja/Brajim-Belhouari/Rozsa teach The method of claim 8, but fail to explicitly teach wherein each of the first and second DNN models are image classification models and the predetermined mathematical distance is a LP- norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space.
However, Carlini teaches wherein each of the first and second DNN models are image classification models and the predetermined mathematical distance is a LP- norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space ([Page 42, para.2] L2 distance measures the standard Euclidean (root-mean-square) distance between x and x’. The L2 distance can remain small when there are many small changes to many pixels. The examiner notes that Fawzi/Rozsa/Brajim-Belhouari/Rozsa and Carlini are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Rozsa/Brajim-Belhouari/Rozsa)’s analysis of deep classifiers’ robustness to perturbation to incorporate wherein each of the first and second DNN models are image classification models and the predetermined mathematical distance is a LP- norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space as taught by Carlini [Page 42, para.2] to construct attacks that perform superior to the state-of-the art [Page 42, Para 5]).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Baluja (The Virtues of Peer Pressure: A Simple Method for Discovering High-Value Mistakes - 2015), further in view of Brajim-Belhouari (Model selection based on robustness criterion with measurement application - 1999), further in view of Rozsa (Adversarial Diversity and Hard Positive Generation - 2016), further in view of Krasser (US 10832168B2).

Regarding claim 10 Fawzi/Baluja/Brajim-Belhouari/Rozsa teach The method of claim 8 but fail to explicitly teach wherein each of the first and second DNN models are malware detection models, and fail to explicitly teach wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code.
However, Krasser teaches wherein each of the first and second DNN models are malware detection models. ([Col 18, line 57] In some examples, at operation 402, the operation module 228 operates a second computational model 404 based at least in part on the trial feature vector 322 to determine whether the trial data stream 116 is associated with malware. For example, the second computational model 404 can operate on the trial feature vector 322 to provide a classification 120 indicating whether trial data stream 116 is associated with malware, or is associated with a specific type of malware. The examiner notes that Krasser teaches in [Fig. 8] the use of two models. The examiner also notes that Fawzi/Baluja/Brajim-Belhouari/Rozsa and Krasser are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Rozsa/Brajim-Belhouari/Rozsa)’s analysis of deep classifiers’ robustness to perturbation to incorporate wherein each of the first and second DNN models are malware detection models as taught by Krasser [Col 18, line 57] to determine
whether the trial data stream is associated with malware [Col 18, Line 59]).
Furthermore, Krasser teaches wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code ([Col. 3, line 39] While example techniques described herein may refer to analyzing a program that may potentially be malware, it is understood that the techniques may also apply to other non-malicious software that includes code obfuscation or other transformation performed by a generator. The examiner notes that Fawzi/Rozsa/Brajim-Belhouari/Rozsa and Krasser are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Rozsa/Brajim-Belhouari/Rozsa)’s analysis of deep classifiers’ robustness to perturbation to incorporate wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code as taught by Krasser [Col. 3, Line 39] to make it more difficult to locate security vulnerabilities in the code [Page 3, Line 44])

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Cicek (SaaS: Speed as a Supervisor for Semi-supervised Learning – May 2018), further in view of Carlini (Towards Evaluating the Robustness of Neural Networks - 2017).

Regarding claim 16, Fawzi/Cicek teach The computer-readable storage medium of claim 15 but fails to explicitly teach wherein the DNN model is an image classification model and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space.
However, Carlini teaches wherein the DNN model is an image classification model and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space  ([Page 42, Para 2] L2 distance measures the standard Euclidean (root-mean-square) distance between x and x’. The L2 distance can remain small when there are many small pixels. The examiner notes that Fawzi/Cicek and Carlini are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Cicek)’s analysis of deep classifiers’ robustness to perturbation to incorporate wherein the DNN model is an image classification model and the predetermined mathematical distance is a L-norm used to measure a distance between two images by measuring the difference between two vectors in a given vector space as taught by Carlini [Page 42, Para 2] to construct attacks that perform superior to the state-of-the art [Page 42, Para 5]).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Cicek (SaaS: Speed as a Supervisor for Semi-supervised Learning – May 2018), further in view of Krasser (US 10832168B2).

Regarding claim 17 Fawzi/Cicek teach wherein the robustness evaluation of the DNN model identifies a particular class of realistic transformations where there are identified robustness holes ([Page 51, Para. 6 on Fawzi] Before going into more detail about robustness, we first define some notations. Let X denote the ambient space where images live. We denote by R the set of admissible perturbations. For example, when considering geometric perturbations, R is set to be the group of geometric (e.g., affine) transformations under study. The examiner notes that Fawzi teaches perturbations that cause affine transformations).
 However, even though Fawzi/Cicek teach The computer-readable storage medium of claim 14, Fawzi/Cicek fail to explicitly teach wherein the DNN model is a malware detection model.
On the other hand, Krasser teaches wherein the DNN model is a malware detection model. ([Col 18, line 57] In some examples, at operation 402, the operation module 228 operates a second computational model 404 based at least in part on the trial feature vector 322 to determine whether the trial data stream 116 is associated with malware. For example, the second computational model 404 can operate on the trial feature vector 322 to provide a classification 120 indicating whether trial data stream 116 is associated with malware, or is associated with a specific type of malware. The examiner notes that Fawzi/Cicek and Krasser are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Cicek)’s analysis of deep classifiers’ robustness to perturbation to incorporate wherein the DNN model is a malware detection model as taught by Krasser [Col 18, line 57] to determine whether the trial data stream is associated with malware [Col 18, Line 59]).

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Fawzi (The Robustness of Deep Networks A Geometrical Perspective - 2017), in view of Cicek (SaaS: Speed as a Supervisor for Semi-supervised Learning – May 2018), further in view of Krasser (US 10832168B2).

Regarding claim 19 Fawzi/Cicek teach The computer-readable storage medium of claim 14. However, Fawzi/Cicek fail to explicitly teach wherein the DNN model is a malware detection model, and Fawzi/Cicek fail to explicitly teach wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code.
On the other hand, Krasser teaches wherein the DNN model is a malware detection model. ([Col 18, line 57] In some examples, at operation 402, the operation module 228 operates a second computational model 404 based at least in part on the trial feature vector 322 to determine whether the trial data stream 116 is associated with malware. For example, the second computational model 404 can operate on the trial feature vector 322 to provide a classification 120 indicating whether trial data stream 116 is associated with malware, or is associated with a specific type of malware. The examiner notes that Fawzi/Cicek and Krasser are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Cicek)’s analysis of deep classifiers’ robustness to perturbation to incorporate wherein the DNN model is a malware detection model as taught by Krasser [Col 18, line 57] to determine whether the trial data stream is associated with malware [Col 18, Line 59]).
Furthermore, Krasser teaches wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code ([Col. 3, line 39] While example techniques described herein may refer to analyzing a program that may potentially be malware, it is understood that the techniques may also apply to other non-malicious software that includes code obfuscation or other transformation performed by a generator. The examiner notes that Fawzi/Cicek and Krasser are considered analogous because they are in the same field of computational neural networks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified (Fawzi/Cicek)’s analysis of deep classifiers’ robustness to perturbation to incorporate wherein the set of realistic transformations correspond to source code obfuscation transforms and the mathematical distance corresponds to a distance between a training-data point source code and additional data-points corresponding to potential malware code as taught by Krasser [Col. 3, Line 39] to make it more difficult to locate security vulnerabilities in the code [Page 3, Line 44]).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Karam - US20190303720A1
“Karam teaches generative deep learning for sensing and feature regeneration”
Hara - US20170228639A1
“Hara teaches an efficient method to optimize the learning settings of neural networks”
Papernot-The Limitations of Deep Learning in Adversarial Settings 2016
“Papernot teaches a novel class of algorithms to craft adversarial samples based on a precise understanding of the mapping between inputs and outputs of DNNs”
Fawzi-Analysis of classifiers’ robustness to adversarial perturbations 2016
“Fawzi analyzes deep neural networks instability to adversarial perturbations”

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAMCY ALGHAZZY whose telephone number is (571)272-8824. The examiner can normally be reached Monday-Friday 7:30am-4:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, OMAR FERNANDEZ RIVAS can be reached on (571) 272-2589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/SHAMCY ALGHAZZY/Examiner, Art Unit 2128     

/OMAR F FERNANDEZ RIVAS/Supervisory Patent Examiner, Art Unit 2128