Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
	The amendment filed on 08/24/2022 has been entered. Claims 3-4, 6-7, 11-14, 17-18, and 20 remain pending in the application. Claims 1-2, 5, 8-10, 15-16, 19 have been amended. Applicant’s arguments filed on 8/24 have been fully considered but they are not persuasive. Applicant argues that the prior art does not expressly disclose “for the DP accelerator to sign the watermark extracted from the watermark-enabled Al model”. 
	The examiner respectfully disagrees. The prior art Savagaonkar discloses cryptographic features such as generating CSRs and keys to verify authenticity, see at least (Savagaonkar 39-40). In this example, the PCIe accelerators are able to perform cryptographic operations and it would be obvious to include signing the watermark as part of authentication purposes. Therefore, the examiner maintains their 35 U.S.C. 103 rejection accordingly.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20, are rejected under 35 U.S.C. 103 as being unpatentable over [US-20190370440-A1] (Gu), hereinafter [Gu], in view of [US-20210034788-A1] (Savagaonkar), hereinafter [Savagaonkar].

Regarding claim 1, Gu teaches a method:
Receiving input data from a host device; ([0036] Specifically, a deep neural network (DNN) takes as input the raw training data representation and maps it to an output via a parametric function.)
a watermark-enabled artificial intelligence (AI) model based on the input data, wherein the watermark-enable Al model, when executed, is configured to extract a watermark from the watermark-enabled Al model; ([0045] Advantageously, model verification is the notion of verifying the ownership or provenance of a DNN hosted remotely (e.g., at service t′) through extracting watermarks from that service and evaluating those watermarks, as will be described below.)
and transmitting the watermark of the watermark-enabled Al model to the host device. ([0047]to this end, and assuming the model has been stolen or otherwise wrongfully appropriated by a competitor, e.g., to offer an AI service, the owner or other interested and authorized entity can readily verify this by sending the watermark (more specifically, a data item that includes the watermark) to the service as an input, and then checking the service's output for the presence of the preconfigured label.)
Gu does not appear to teach a data processing (DP) accelerator, however, in an analogous art, Savagaonkar teaches using an accelerator to provide a secure connection and teaches the method further:
a data processing (DP) accelerator ([0004] In one example, the system also includes a circuit board on each of the one or more PCIe accelerators and the microcontroller are arranged. In another example, each of the one or more PCIe accelerators is a tensor processing unit. In another example, each of the one or more PCIe accelerators is a graphical processing unit.)
for the DP accelerator to sign the watermark extracted from the watermark-enabled Al model (“The microcontroller 550 may include unique keying material securely stored in a registry database. The contents of this database may cryptographically protected using keys maintained in an offline quorum-based Certification Authority (CA). The microcontroller 550 can generate Certificate Signing Requests (CSRs) directed at the microcontroller 550's CA, which can verify the authenticity of the CSRs using the information in the registry database before issuing identity certificates.” (39))
Furthermore, it would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “an application that wants to use a PCIe accelerator securely, may runs its application logic as well as the entire or one or more parts of the PCIe accelerator software stack inside an enclave or a set of enclaves [0013].”
 
Regarding claim 2, Gu teaches all of the features with respect to claim 1 as outlined above. Gu further teaches:
receiving the watermark-enabled Al model from the host device. ([64] This subject matter may be implemented as-a-service, e.g., by a third party that performs model verification testing on behalf of owners or other interested entities. The subject matter may be implemented within or in association with a data center that provides cloud-based computing, data storage or related services.)
Gu does not appear to teach a data processing (DP) accelerator, however, in an analogous art, Savagaonkar teaches using an accelerator to provide a secure connection and teaches the method further:
a data processing (DP) accelerator ([0004] In one example, the system also includes a circuit board on each of the one or more PCIe accelerators and the microcontroller are arranged. In another example, each of the one or more PCIe accelerators is a tensor processing unit. In another example, each of the one or more PCIe accelerators is a graphical processing unit.)
Furthermore, it would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “an application that wants to use a PCIe accelerator securely, may runs its application logic as well as the entire or one or more parts of the PCIe accelerator software stack inside an enclave or a set of enclaves [0013].”

Regarding claim 3, the combination of Gu and Savagaonkar, as shown in the rejection above, discloses all of the limitations of claim 1. Gu discloses receiving input data and transmitting the watermark to the host device (see paragraph 45). However, in analogous art, Gu fails to disclose that the receiving and transmitting are performed over a secure link between the host device and the DP accelerator. Savagaonkar discloses receiving and transmitting are performed over a secure link between the host device and the DP accelerator (see paragraph 13). It would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “an application that wants to use a PCIe accelerator securely, may runs its application logic as well as the entire or one or more parts of the PCIe accelerator software stack inside an enclave or a set of enclaves [0013].”

Regarding claim 4, the combination of Gu and Savagaonkar, as shown in the rejection above, discloses all of the limitations of claims 1 and 3. Gu fails to disclose wherein the secure link comprises a peripheral component interconnect express (PCIe) communication channel. Savagaonkar discloses wherein the secure link comprises a peripheral component interconnect express (PCIe) communication channel (see paragraphs 0004 and 0015). It would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “an application that wants to use a PCIe accelerator securely, may runs its application logic as well as the entire or one or more parts of the PCIe accelerator software stack inside an enclave or a set of enclaves [0013].”

Regarding claim 5, the combination of Gu and Savagaonkar, as shown in the rejection above, discloses all of the limitations of claims 1 and 3. Gu does fails to disclose exchanging, by the DP accelerator and the host device, one or more keys; and performing at least one of: establishing the secure link using at least one of the one or more keys. Savagaonkar discloses: exchanging, by the DP accelerator and host device, one or more keys; and performing at least one of: establishing the secure link using at least one of the one or more keys; (See paragraph [0004]) It would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “The application processor may be configured to manage the keys used by the cryptographic engine and may also be responsible for ensuring semantic integrity of any buffers being decrypted by the cryptographic crypto engine [0016].”

Regarding claim 6, Gu teaches all of the features with respect to claim 1 as outlined above. Gu further teaches:
The method of claim 1, further comprising digitally signing the watermark. ([0039] In a typical embedding process, an embedding algorithm E embeds predefined watermarks W into the carrier data C, which is the data to be protected. After the embedding, the embedded data (e=E(W, C)) are stored or transmitted.)

Regarding claim 7, Gu teaches all of the features with respect to claim 1 as outlined above. Gu further teaches:
The method of claim 1, wherein the input data comprises a query command to return the watermark to the host device. ([0057] According to this disclosure, to verify the ownership of a remote AI service, an owner (or other authorized entity, perhaps on the owner's behalf) sends normal queries to the remote AI service, preferably using the previously-generated watermark dataset D.sub.wm.)
Regarding claim 8, Gu teaches a method:
Receiving input data from a host device; ([0036] Specifically, a deep neural network (DNN) takes as input the raw training data representation and maps it to an output via a parametric function.)
a watermark-enabled artificial intelligence (AI) model based on the input data, wherein the watermark-enable Al model, when executed, is configured to extract a watermark from the watermark-enabled Al model; ([0045] Advantageously, model verification is the notion of verifying the ownership or provenance of a DNN hosted remotely (e.g., at service t′) through extracting watermarks from that service and evaluating those watermarks, as will be described below.)
and transmitting the watermark of the watermark-enabled Al model to the host device. ([0047]to this end, and assuming the model has been stolen or otherwise wrongfully appropriated by a competitor, e.g., to offer an AI service, the owner or other interested and authorized entity can readily verify this by sending the watermark (more specifically, a data item that includes the watermark) to the service as an input, and then checking the service's output for the presence of the preconfigured label.)
Gu does not appear to teach a data processing (DP) accelerator and for the DP accelerator to sign the watermark extracted from the watermark-enabled Al model, however, in an analogous art, Savagaonkar teaches using an accelerator to provide a secure connection and teaches the method further:
a data processing (DP) accelerator ([0004] In one example, the system also includes a circuit board on each of the one or more PCIe accelerators and the microcontroller are arranged. In another example, each of the one or more PCIe accelerators is a tensor processing unit. In another example, each of the one or more PCIe accelerators is a graphical processing unit.)
for the DP accelerator to sign the watermark extracted from the watermark-enabled Al model for the DP accelerator to sign the watermark extracted from the watermark-enabled Al model (“The microcontroller 550 may include unique keying material securely stored in a registry database. The contents of this database may cryptographically protected using keys maintained in an offline quorum-based Certification Authority (CA). The microcontroller 550 can generate Certificate Signing Requests (CSRs) directed at the microcontroller 550's CA, which can verify the authenticity of the CSRs using the information in the registry database before issuing identity certificates.” (39))
Furthermore, it would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “an application that wants to use a PCIe accelerator securely, may runs its application logic as well as the entire or one or more parts of the PCIe accelerator software stack inside an enclave or a set of enclaves [0013].”
 
Regarding claim 9, Gu teaches all of the features with respect to claim 8 as outlined above. Gu further teaches:
receiving the Al model from the host device. ([64] This subject matter may be implemented as-a-service, e.g., by a third party that performs model verification testing on behalf of owners or other interested entities. The subject matter may be implemented within or in association with a data center that provides cloud-based computing, data storage or related services.)
Gu does not appear to teach a data processing (DP) accelerator, however, in an analogous art, Savagaonkar teaches using an accelerator to provide a secure connection and teaches the method further:
a data processing (DP) accelerator ([0004] In one example, the system also includes a circuit board on each of the one or more PCIe accelerators and the microcontroller are arranged. In another example, each of the one or more PCIe accelerators is a tensor processing unit. In another example, each of the one or more PCIe accelerators is a graphical processing unit.)
Furthermore, it would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “an application that wants to use a PCIe accelerator securely, may runs its application logic as well as the entire or one or more parts of the PCIe accelerator software stack inside an enclave or a set of enclaves [0013].”

Regarding claim 10, the combination of Gu and Savagaonkar, as shown in the rejection above, discloses all of the limitations of claim 1. Gu discloses wherein the input data and the watermark are received (see paragraph 45). However, in analogous art, Gu fails to disclose that the receiving and transmitting are performed over a secure link between the host device and the DP accelerator. Savagaonkar discloses receiving and transmitting are performed over a secure link between the host device and the DP accelerator (see paragraph 13). It would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “an application that wants to use a PCIe accelerator securely, may runs its application logic as well as the entire or one or more parts of the PCIe accelerator software stack inside an enclave or a set of enclaves [0013].”

Regarding claim 11, the combination of Gu and Savagaonkar, as shown in the rejection above, discloses all of the limitations of claims 8 and 10. Gu fails to disclose wherein the secure link comprises a peripheral component interconnect express (PCIe) communication channel. Savagaonkar discloses wherein the secure link comprises a peripheral component interconnect express (PCIe) communication channel (see paragraphs 0004 and 0015). It would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “an application that wants to use a PCIe accelerator securely, may runs its application logic as well as the entire or one or more parts of the PCIe accelerator software stack inside an enclave or a set of enclaves [0013].”


Regarding claim 12, the combination of Gu and Savagaonkar, as shown in the rejection above, discloses all of the limitations of claims 8 and 12. Gu does fails to disclose exchanging, by the DP accelerator and host device, one or more keys; and performing at least one of: establishing the secure link using at least one of the one or more keys. Savagaonkar discloses: exchanging, by the DP accelerator and host device, one or more keys; and performing at least one of: establishing the secure link using at least one of the one or more keys; (See paragraph [0004]) It would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “The application processor may be configured to manage the keys used by the cryptographic engine and may also be responsible for ensuring semantic integrity of any buffers being decrypted by the cryptographic crypto engine [0016].”

Regarding claim 13, Gu teaches all of the features with respect to claim 8 as outlined above. Gu further teaches:
The method of claim 1, further comprising digitally signing the watermark. ([0039] In a typical embedding process, an embedding algorithm E embeds predefined watermarks W into the carrier data C, which is the data to be protected. After the embedding, the embedded data (e=E(W, C)) are stored or transmitted.)

Regarding claim 14, Gu teaches all of the features with respect to claim 8 as outlined above. Gu further teaches:
The method of claim 1, wherein the input data comprises a query command to return the watermark to the host device. ([0057] According to this disclosure, to verify the ownership of a remote AI service, an owner (or other authorized entity, perhaps on the owner's behalf) sends normal queries to the remote AI service, preferably using the previously-generated watermark dataset D.sub.wm.)
Regarding claim 15, Gu teaches a method:
Receiving input data from a host device; ([0036] Specifically, a deep neural network (DNN) takes as input the raw training data representation and maps it to an output via a parametric function.)
a watermark-enabled artificial intelligence (AI) model based on the input data, wherein the watermark-enable Al model, when executed, is configured to extract a watermark from the watermark-enabled Al model; ([0045] Advantageously, model verification is the notion of verifying the ownership or provenance of a DNN hosted remotely (e.g., at service t′) through extracting watermarks from that service and evaluating those watermarks, as will be described below.)
and transmitting the watermark of the watermark-enabled Al model to the host device. ([0047]to this end, and assuming the model has been stolen or otherwise wrongfully appropriated by a competitor, e.g., to offer an AI service, the owner or other interested and authorized entity can readily verify this by sending the watermark (more specifically, a data item that includes the watermark) to the service as an input, and then checking the service's output for the presence of the preconfigured label.)
Gu does not appear to teach a data processing (DP) accelerator and for the DP accelerator to sign the watermark extracted from the watermark-enabled Al model, however, in an analogous art, Savagaonkar teaches using an accelerator to provide a secure connection and teaches the method further:
a data processing (DP) accelerator ([0004] In one example, the system also includes a circuit board on each of the one or more PCIe accelerators and the microcontroller are arranged. In another example, each of the one or more PCIe accelerators is a tensor processing unit. In another example, each of the one or more PCIe accelerators is a graphical processing unit.)
for the DP accelerator to sign the watermark extracted from the watermark-enabled Al model for the DP accelerator to sign the watermark extracted from the watermark-enabled Al model (“The microcontroller 550 may include unique keying material securely stored in a registry database. The contents of this database may cryptographically protected using keys maintained in an offline quorum-based Certification Authority (CA). The microcontroller 550 can generate Certificate Signing Requests (CSRs) directed at the microcontroller 550's CA, which can verify the authenticity of the CSRs using the information in the registry database before issuing identity certificates.” (39))
Furthermore, it would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “an application that wants to use a PCIe accelerator securely, may runs its application logic as well as the entire or one or more parts of the PCIe accelerator software stack inside an enclave or a set of enclaves [0013].”
 
Regarding claim 16, Gu teaches all of the features with respect to claim 1 as outlined above. Gu further teaches:
receiving the watermark-enabled Al model from the host device. ([64] This subject matter may be implemented as-a-service, e.g., by a third party that performs model verification testing on behalf of owners or other interested entities. The subject matter may be implemented within or in association with a data center that provides cloud-based computing, data storage or related services.)
Gu does not appear to teach a data processing (DP) accelerator, however, in an analogous art, Savagaonkar teaches using an accelerator to provide a secure connection and teaches the method further:
a data processing (DP) accelerator ([0004] In one example, the system also includes a circuit board on each of the one or more PCIe accelerators and the microcontroller are arranged. In another example, each of the one or more PCIe accelerators is a tensor processing unit. In another example, each of the one or more PCIe accelerators is a graphical processing unit.)
Furthermore, it would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “an application that wants to use a PCIe accelerator securely, may runs its application logic as well as the entire or one or more parts of the PCIe accelerator software stack inside an enclave or a set of enclaves [0013].”

Regarding claim 17, the combination of Gu and Savagaonkar, as shown in the rejection above, discloses all of the limitations of claim 15. Gu discloses wherein the receiving input data and transmitting the watermark (see paragraph 45). However, in analogous art, Gu fails to disclose that the receiving and transmitting are performed over a secure link between the host device and the DP accelerator. Savagaonkar discloses receiving and transmitting are performed over a secure link between the host device and the DP accelerator (see paragraph 13). It would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “an application that wants to use a PCIe accelerator securely, may runs its application logic as well as the entire or one or more parts of the PCIe accelerator software stack inside an enclave or a set of enclaves [0013].”

Regarding claim 18, the combination of Gu and Savagaonkar, as shown in the rejection above, discloses all of the limitations of claims 15 and 17. Gu fails to disclose wherein the secure link comprises a peripheral component interconnect express (PCIe) communication channel. Savagaonkar discloses wherein the secure link comprises a peripheral component interconnect express (PCIe) communication channel (see paragraphs 0004 and 0015). It would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “an application that wants to use a PCIe accelerator securely, may runs its application logic as well as the entire or one or more parts of the PCIe accelerator software stack inside an enclave or a set of enclaves [0013].”

Regarding claim 19, the combination of Gu and Savagaonkar, as shown in the rejection above, discloses all of the limitations of claims 15 and 17. Gu does fails to disclose exchanging, by the DP accelerator and the host device, one or more keys; and performing at least one of: establishing the secure link using at least one of the one or more keys. Savagaonkar discloses: exchanging, by the DP accelerator and the host device, one or more keys; and performing at least one of: establishing the secure link using at least one of the one or more keys; (See paragraph [0004]) It would have been obvious to one skilled in the art, before the effectively filing date, to modify the deep learning model verification framework with the enclave and PCIe accelerator collaboration of Savagaonkar. One would have been motivated to do so as it allows “The application processor may be configured to manage the keys used by the cryptographic engine and may also be responsible for ensuring semantic integrity of any buffers being decrypted by the cryptographic crypto engine [0016].”

Regarding claim 20, Gu teaches all of the features with respect to claim 15 as outlined above. Gu further teaches:
The method of claim 1, further comprising digitally signing the watermark. ([0039] In a typical embedding process, an embedding algorithm E embeds predefined watermarks W into the carrier data C, which is the data to be protected. After the embedding, the embedded data (e=E(W, C)) are stored or transmitted.)

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 






Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUSTIN W COLLIER whose telephone number is (571)272-0066. The examiner can normally be reached Mon-Fri.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Phlip Chea can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AUSTIN W COLLIER/Examiner, Art Unit 2499                                                                                                                                                                                                        /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499