DETAILED ACTION
This action is in response to the Applicant Response filed 20 July 2022 for application 16/124,657 filed 07 September 2018.
Claims 1, 3-7, 11, 13-17, 20 are currently amended.
Claims 21-23 are new.
Claims 9-10, 19 are cancelled.
Claims 1-8, 11-18, 20-23 are pending.
Claims 1-8, 11-18, 20-22 are rejected.
Claim 23 is objected to.

	
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments regarding the 35 U.S.C 112(b) rejections of claims 7-8, 17-18 have been fully considered and, in light of the amendments to the claims, are persuasive. The previous 35 U.S.C. 112(b) rejections of claims 7-8, 17, 18 have been withdrawn. 

Applicant’s arguments regarding the 35 U.S.C. 103 rejections of claims 1-8, 11-18, 20 have been fully considered and are partially not persuasive and partially moot.
It is noted while the Examiner may appreciate differences between the applied art and features described in the originally filed specification, any such features must be explicitly recited in the claims themselves and/or definitively and comprehensively defined in the specification in order to be considered and impact BRI of the metes and bounds of the claim terms. Applicant is respectfully reminded that during examination, the BRI of the claim terms consistent with the specification applies, and thus, the applicant is encouraged to amend the claims or point to portion(s) of the originally filed specification that prevent the BRI interpretation of the claim terms (MPEP 2173.01) enabling correspondence to the applied art.
Applicant first argues that Costa teaches the entire machine learning system within a trusted environment, not a machine learning split between a trusted and untrusted environment. As noted below, Examiner agrees with applicant. However, applicant fails to address the combination of Costa and Tramer for this argument. The combination of Costa with Tramer teaches performing part of the model [FrontNet] in a trusted environment while teaching another part of the model [BackNet] in an untrusted environment. 
Applicant next argues that while Tramer teaches outsourcing operations to an untrusted environment, the DNN is executed in the trusted environment. Again, Examiner agrees with applicant. However, applicant fails to address the combination of Costa, Tramer and Gupta for this argument. As noted by applicant, Tramer teaches outsourcing computations of a DNN to an untrusted environment. Additionally, Gupta teaches splitting a DNN across two environments, wherein each environment has a plurality of layers, one with the input layer and several intermediate layers and the other with the subsequent intermediate layers and the output layer. Therefore, the combination of Tramer teaching outsourcing a portions of the DNN calculations to an untrusted environment and Gupta teaching dividing layers of a DNN across two environments does, in fact, teach executing a FrontNet portion of a DNN in a trusted environment and a BackNet portion in an untrusted environment.
Next, applicant argues that the combination of Costa and Tramer is not proper. Specifically, applicant argues that because Costa teaches performing the entire model in the trusted environment to preserve privacy, one would not modify this architecture to perform some of those calculations outside of the trusted environment. However, it would be obvious to a person skilled in the art to modify Costa with Tramer in order to perform a DNN in a trusted environment and maintain the privacy of the data while achieving better performance. While not specifically addressed by applicant, The combination of Costa and Tramer with Gupta is also proper. Gupta is also able to maintain data privacy while outsourcing computations to additional environments.
Applicant next argues that the training of the model is computed within the trusted environment and not using an untrusted environment. With respect to applicant’s argument, Examiner respectfully disagrees. First, as noted above, Tramer teaches outsourcing computations, which are part of the training process, to an untrusted environment. Additionally, as noted above, Gupta teaches splitting the model between two environments and training each portion. Therefore, the combination of Costa, Tramer and Gupta does, in fact, teach training the FrontNet and BackNet model portions.
Applicant next argues, with respect to claims 3 and 13, that the cited claims fail to teach 
wherein each of the training datasets provided by the different training dataset providers are used during the training of the FrontNet subnet model and the BackNet subnet model of the deep learning model to generate the trained deep learning model, and wherein the same trained deep learning model is released to each of the different training dataset providers with the FrontNet subnet model encrypted with an encryption key specific to the training dataset provider. (emphasis added by applicant)
Specifically, applicant argues that even if Costa teaches providing the trained model to the dataset providers, Costa does not teach encrypting specifically the FrontNet subnet model with the encryption key of each provider. Examiner respectfully disagrees. Costa teaches using training data from various dataset providers to train the entire model and provides the model to each of the dataset providers using provider specific encryption keys (Costa, ¶¶0029-0030, 0032-0039). The claim language does not provide for such a restriction that only the FrontNet subnet model be encrypted. While the claim language recites encrypting at least the FrontNet model, there is no language restricting encryption of the BackNet model. Therefore, the encryption of the entire model in Costa does, in fact, encrypt the FrontNet subnet model and, therefore, teaches claims 3 and 13. 
Applicant next argues, with respect to claims 6 and 16, that the cited references fail to teach: 
generating, by a fingerprint generation module executing within the trusted execution environment, one or more first fingerprint data structures for the one or more training datasets, wherein each first fingerprint data structure comprises a fingerprint that is a feature embedding of a selected layer of the deep learning model; and 
storing, by the fingerprint generation module, the generated one or more first fingerprint data structures in an evidence storage. (emphasis added by applicant)
Specifically, applicant first argues that the “blinding factors” are not fingerprints but are random numbers generated to blind the outsourced computations. Examiner respectfully disagrees. Tramer teaches generating and using blinding factors when passing data between processor (Tramer section 3.3). As noted by applicant, these blinding factors are randomly generated and blind the outsourced computation. While they are randomly generated, the blinding factors still include identification information and information regarding the values of the data in order for each processor to be able use the data, and are therefore, in fact, a fingerprint data structure containing a feature embedding. Applicant next argues that that the blinding factors do not comprise a feature embedding of a selected layer of a deep learning model. As noted above, the blinding factors are, in fact, fingerprint data structures comprising feature embeddings. Moreover, Tramer teaches exchanging the blinding factors (e.g., fingerprint data) between each layer of the model (Tramer, section 3.3). Therefore, the blinding factor, i.e., fingerprint data structure, is a feature embedding of a selected layer.
Applicant’s arguments with respect to the Ohrimenko reference as it applies to claims 1 and 11 have been considered but are moot because the arguments do not rely on any reference applied in the prior or current rejection of record for any teaching or matter specifically challenged in the argument.
Applicant next argues, with respect to claims 4 and 14, that the cited references fail to teach: 
in response to receiving, by the deep learning training service framework, the one or more encrypted training datasets: 
prior to decrypting the one or more encrypted training datasets, authenticating, by the security module, training dataset providers of the one or more training dataset providers; and 
discarding, by the security module, any training datasets from training dataset providers that do not pass the authentication from further use during training of the FrontNet subnet model and BackNet subnet model of the deep learning model.
(emphasis added by applicant)
Specifically, applicant argues that Ohrimenko teaches establishing a secure channel prior to data transmission but does not teach authenticating the training datasets after receipt of the datasets. While Examiner agrees that Ohrimenko teaches establishing a secure channel prior to data transmission, Examiner respectfully disagrees that Ohrimenko does not teach authentication after receiving the training data. After establishing a secure channel, each party securely uploads its private data and uses AES-GCM for integrity protection, i.e., authentication (Ohrimenko, section 5). Similarly, in the instant application, the specification uses GCM to authenticate the training data (¶0051). Therefore, Ohrimenko teaches uploading the data and using GCM to authenticate the data in order to protect the integrity of the uploaded data.
 Applicant’s remaining arguments with respect to the Ohrimenko reference have been considered but are moot because the arguments do not rely on any reference applied in the current rejection of record for any teaching or matter specifically challenged in the argument.
Applicant’s arguments with respect to the Ohrimenko and Fung references as it applies to claims 1 and 11 have been considered but are moot because the arguments do not rely on any reference applied in the prior or current rejection of record for any teaching or matter specifically challenged in the argument.
Applicant next argues, with respect to claims 4 and 14, that the cited references fail to teach: 
in response to receiving, by the deep learning training service framework, the one or more encrypted training datasets: 
verifying, by the security module, the integrity of the one or more training datasets; and 
discarding, by the security module, any training datasets that do not pass the verification from further use during training of the FrontNet subnet model and BackNet subnet model of the deep learning model. (emphasis added by applicant)
Specifically, applicant argues that the cited references do not teach the operations of authentication and verification, let alone the operations being performed by a security module of a trusted execution environment specifically in response to receiving the encrypted datasets. First, as noted above, Ohrimenko teaches securely uploading private data to the enclave (trusted execution environment) and performing GCM for authentication (Ohrimenko, section 5). Moreover, Fung teaches an aggregator (trusted execution environment) receiving the datasets and performing a RONI defense to verify the data by determining whether data is suspicious or not and rejecting the suspicious data (Fung, section II). Both references perform these security algorithms using software on the trusted execution environment, i.e., by the security module, upon receipt of the training datasets. Therefore, the combination of Ohrimenko and Fung teach performing the authentication of claims 4 and 14 and the verification of claims 5 and 15 by the security modules of the trusted execution environment after receiving the training datasets.
Applicant’s arguments with respect to the Tamrakar reference as it applies to claims 1 and 11 have been considered but are moot because the arguments do not rely on any reference applied in the prior or current rejection of record for any teaching or matter specifically challenged in the argument.
Applicant next argues that the Tamrakar reference does not teach the similarity based on a distance function to measure the similarity of the embeddings as recited in claims 7-8 and 17-18. Examiner respectfully disagrees. Tamrakar teaches comparing a dictionary representation [embedding] and a query representation [embedding] to find a match with has a zero distance difference (Tamrakar, sections 5-6). Because a match is represented by a zero distance difference, the similarity between embeddings is found using a similarity distance function. Therefore, Tamrakar does teach similarity based on a distance function to measure the similarity of the embeddings.
Therefore, claims 1 is rejected under 35 U.S.C. 103 as unpatentable over Costa in view of Tramer and further in view of Gupta. Additionally, claims 11, 20 are also rejected as unpatentable over Costa in view of Tramer and further in view of Gupta. Moreover, the rejections of claims 1, 11, 20 apply to all dependent claims which are dependent on claims 1, 11, 20, including claims 1-3, 6, 11-13, 16, 20 which are also unpatentable over Costa in view of Tramer and further in view of Gupta; claims 4-5, 14-15 which are unpatentable over Costa in view of Tramer, further in view of Gupta, further in view of Ohrimenko and further in view of Fung; and claims 7-8, 17-18 which are unpatentable over Costa in view of Tramer, further in view of Gupta and further in view of Tamrakar.

Claim Objections
Claims 7-8, 17-18, 21, 23 are objected to because of the following informalities:
Claim 7, line 11, relatively smallest distance is grammatically incorrect [Suggestions “relative smallest distance” or “smallest distance”]
Claim 17, line 11, relatively smallest distance is grammatically incorrect [Suggestions “relative smallest distance” or “smallest distance”]
Claim 21, line 1, wherein the further comprising should read “further comprising”
Claims 23, line 2, Backnet should read “BackNet”
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3, 6, 11-13, 16, 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Costa et al. (US 2017/0372226 A1 – Privacy-Preserving Machine Learning, hereinafter referred to as “Costa”) in view of Tramèr et al. (Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware, hereinafter referred to as “Tramer”) and further in view of Gupta et al. (US 2017/0372201 A1 – Secure Training of Multi-Party Deep Neural Network, hereinafter referred to as “Gupta”).

Regarding claim 1, Costa teaches a method, in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions that are executed by the at least one processor to configure the at least one processor to implement a deep learning training service framework (Costa, ¶0025 – teaches processors running code stored in a memory to perform privacy preserving machine learning), the method comprising: 
receiving, by the deep learning training service framework, from one or more client computing devices, one or more encrypted training datasets for training a deep learning model (Costa, ¶0029 – teaches data center [deep learning training service framework] receiving encrypted training datasets for machine learning from server A and server B [client computing devices]); 
executing, by the deep learning training service framework, a FrontNet subnet model of the deep learning model in a trusted execution environment of the deep learning training service framework (Costa, ¶0030 – teaches executing the machine learning code on the TEE of the data center [deep learning training service framework]); 
decrypting, by a security module executing within the trusted execution environment, the one or more encrypted training datasets (Costa, ¶¶0038-0039 – teaches the TEE decrypting the training data from the entities); 
training (Costa, ¶¶0038-0039 – teaches processing training data), by training logic of the deep learning training service framework (Costa, ¶¶0038-0039 – teaches processing training data using the machine learning model in the TEE of the data center [deep learning training service framework]), the FrontNet subnet model and BackNet subnet model of the deep learning model based on the decrypted training datasets (Costa, ¶¶0038-0039 – teaches processing decrypted training data using the machine learning model in the TEE of the data center; [While Costa teaches the model in the TEE, Costa teaches training the entire model which, when combined with Tramer below, comprises both subnets of the model]); and 
releasing, by the deep learning training service framework, a trained deep learning model comprising a trained FrontNet subnet model and a trained BackNet subnet model, to the one or more client computing devices (Costa, ¶0032 – teaches data center [deep learning training service framework] outputting a trained machine learning model to server A and server B [client computing devices]; [While Costa teaches the model in the TEE, Costa teaches releasing the entire model which, when combined with Tramer below, comprises both subnets of the model]).
While Costa teaches executing a machine learning model in a trusted execution environment, Cost does not explicitly teach splitting the model into subnets where one subnet is executed/trained in the trusted environment and the other subnet is executed trained in the untrusted environment. Moreover, Costa does not explicitly teach wherein the FrontNet subnet model comprises a first predetermined number of consecutive layers of the deep learning model from an input layer of the deep learning model to an intermediate layer, and wherein the BackNet subnet model comprises a second predetermined number of consecutive layers of the deep learning model from a layer, subsequent to the intermediate layer, to an output layer of the deep learning model.
Tramer teaches
executing, by the deep learning training service framework, a FrontNet subnet model of the deep learning model in a trusted execution environment of the deep learning training service framework (Tramer, section 1 – teaches Slalom [deep learning training service framework] which executes a deep neural network partially on a trusted processor [FrontNet on trusted execution environment] and partially outsources execution to a co-located untrusted processor [BackNet external to the trusted execution environment]; see also Tramer, Figure 1); 
executing, by the deep learning training service framework, a BackNet subnet model of the deep learning model in the deep learning training service framework external to the trusted execution environment (Tramer, section 1 – teaches Slalom [deep learning training service framework] which executes a deep neural network partially on a trusted processor [FrontNet on trusted execution environment] and partially outsources execution to a co-located untrusted processor [BackNet external to the trusted execution environment]; see also Tramer, Figure 1) …; 
training, by training logic of the deep learning training service framework, the FrontNet subnet model and BackNet subnet model of the deep learning model (Tramer, Appendix F – teaches applying a similar FrontNet/BackNet execution for training the model) ..., wherein the FrontNet subnet model is trained within the trusted execution environment and provides intermediate representations to the BackNet subnet model which is trained external to the trusted execution environment using the intermediate representations (Tramer, section 1 – teaches Slalom [deep learning training service framework] which executes a deep neural network partially on a trusted processor [FrontNet on trusted execution environment] and partially outsources linear layers for execution to a co-located untrusted processor [BackNet external to the trusted execution environment]; see also Tramer, Figure 1).
It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to modify Costa with the teachings of Tramer in order to achieve better performance without compromising security in the field of privacy-preserving machine learning using a trusted environment (Tramer, section 1 – “This paper explores a novel approach to this challenge, wherein a Deep Neural Network (DNN) execution is partially outsourced from a trusted processor to a co-located, untrusted but faster device. In this sense, our work differs from prior systems for evaluating DNNs in TEEs ..., which execute all computations inside the enclave. Our approach outsources CPU intensive steps to a fast untrusted co-processor therefore achieving much better performance than running the entire computation in the enclave, without compromising security.”).
While Costa in view of Tramer teaches splitting a deep network into a FrontNet and a BackNet, Costa in view of Tramer does not explicitly teach wherein the FrontNet subnet model comprises a first predetermined number of consecutive layers of the deep learning model from an input layer of the deep learning model to an intermediate layer, and wherein the BackNet subnet model comprises a second predetermined number of consecutive layers of the deep learning model from a layer, subsequent to the intermediate layer, to an output layer of the deep learning model.
Gupta teaches wherein the FrontNet subnet model comprises a first predetermined number of consecutive layers of the deep learning model from an input layer of the deep learning model to an intermediate layer, and wherein the BackNet subnet model comprises a second predetermined number of consecutive layers of the deep learning model from a layer, subsequent to the intermediate layer, to an output layer of the deep learning model (Gupta, Algorithm 1 – teaches Alice [trusted FrontNet] processes inputs and some predetermined intermediate layers of a DNN and passes intermediate result (encrypted if desired) to Bob [untrusted BackNet] to process a predetermined remainder of layers and output layer of DNN during DNN training).
It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to modify Costa in view of Tramer with the teachings of Gupta in order to preserve privacy of input data while using outside resource to assist in computations in the field of privacy-preserving machine learning using a trusted and untrusted environment (Gupta, Abstract – “A deep neural network may be trained on the data of one or more entities, also known as Alices. An outside computing entity, also known as a Bob, may assist in these computations, without receiving access to Alices' data. Data privacy may be preserved by employing a “split” neural network. The network may comprise an Alice part and a Bob part. The Alice part may comprise at least three neural layers, and the Bob part may comprise at least two neural layers. When training on data of an Alice, that Alice may input her data into the Alice part, perform forward propagation though the Alice part, and then pass output activations for the final layer of the Alice part to Bob. Bob may then forward propagate through the Bob part. Similarly, backpropagation may proceed backwards through the Bob part, and then through the Alice part of the network.”).

Regarding claim 2, Costa in view of Tramer and further in view of Gupta teaches all of the limitations of the method of claim 1 as noted above. Costa further teaches wherein the one or more client computing devices comprises a plurality of computing devices associated with a plurality of different training dataset providers (Costa, ¶0029 – teaches multiple servers [client computing devices] providing a plurality of different data sets; Costa, ¶0032 – teaches each server receiving data from multiple devices; see also Figs. 1-2), and wherein the security module executing within the trusted execution environment prevents training dataset providers from accessing training datasets provided by other training dataset providers (Costa, ¶0025 – teaches access to the trusted execution environment and the data within the TEE is limited to the code running in the TEE).
It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to combine the teachings of Costa, Tramer and Gupta for the same reasons as disclosed in claim 1 above.

Regarding claim 3, Costa in view of Tramer and further in view of Gupta teaches all of the limitations of the method of claim 2 as noted above. Costa further teaches wherein each of the training datasets provided by the different training dataset providers are used during the training of the FrontNet subnet model and the BackNet subnet model of the deep learning model to generate the trained deep learning model (Costa, ¶¶0029-0030 – teaches using training data from multiple providers, which can be shuffled, to train the model), and wherein the same trained deep learning model is released to each of the different training dataset providers (Costa, ¶0032 – teaches outputting the trained model to each of the providers) with the FrontNet subnet model encrypted with an encryption key specific to the training dataset provider (Costa, ¶¶0032-0039 – teaches encrypting the output of the machine learning process [FrontNet model] using data provider specific keys and sending the encrypted output to each of the data providers).
It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to combine the teachings of Costa, Tramer and Gupta for the same reasons as disclosed in claim 1 above.

Regarding claim 6, Costa in view of Tramer and further in view of Gupta teaches all of the limitations of the method of claim 1 as noted above. Tramer further teaches 
generating, by a fingerprint generation module executing within the trusted execution environment, one or more first fingerprint data structures for the one or more training datasets (Tramer, section 3.3 – teaches the trusted processor generating and using blinding factors [fingerprint] for the data when sending the data to the untrusted processor; see also Tramer, section 2.3) wherein each first fingerprint data structure comprises a fingerprint that is a feature embedding of a selected layer of the deep learning model (Tramer, section 3.3 – teaches fingerprint data structures exchanged between each layer [feature embedding of a layer]); and 
storing, by the fingerprint generation module, the generated one or more first fingerprint data structures in an evidence storage (Tramer, section 3.3 – teaches storing the blinding factors in memory).
It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to modify Costa, Tramer and Gupta in order to generate fingerprints for the data to protect user data when sent to the untrusted processor while avoiding costly overhead (Tramer, section 2.3).

Regarding claim 11, it is the computer program product embodiment of claim 1 with similar limitations to claim 1 and is rejected using the same reasoning found in claim 1.

Regarding claim 12, the rejection of claim 11 is incorporated herein. Further, the limitations in this claim are taught by Costa in view of Tramer and further in view of Gupta for the reasons set forth in the rejection of claim 2.

Regarding claim 13, the rejection of claim 12 is incorporated herein. Further, the limitations in this claim are taught by Costa in view of Tramer and further in view of Gupta for the reasons set forth in the rejection of claim 3.
Regarding claim 16, the rejection of claim 11 is incorporated herein. Further, the limitations in this claim are taught by Costa in view of Tramer and further in view of Gupta for the reasons set forth in the rejection of claim 6.

Regarding claim 20, it is the system embodiment of claim 1 with similar limitations to claim 1 and is rejected using the same reasoning found in claim 1.

Regarding claim 21 (New), Costa in view of Tramer and further in view of Gupta teaches all of the limitations of the method of claim 2 as noted above. Gupta further teaches 
negotiating, with one or more of the training dataset providers, a customized partitioning point hyperparameter for the training dataset provider prior to training a corresponding instance of the deep learning model, wherein the customized partitioning point defines one of a last intermediate layer of the FrontNet subnet model or a first layer of the BackNet subnet model (Gupta, ¶¶0037-0038 - teaches each Alice [training dataset provider] creating a split DNN with Bob wherein each Alice has a predetermined number [partitioning point hyperparameter] of layers [FrontNet] and Bob has a predetermined number of layers [BackNet] where each Alice has at least three layers, one of which is hidden, and Bob has two or more layers); and 
configuring, for each instance of the deep learning model corresponding to each of the one or more training dataset providers, the first predetermined number of consecutive layers of the FrontNet subnet model and the second predetermined number of consecutive layers of the BackNet subnet model based on the customized partitioning point hyperparameter for the training dataset provider (Gupta, ¶¶0037-0038 - teaches each Alice [training dataset provider] creating a split DNN with Bob wherein each Alice has a predetermined number [partitioning point hyperparameter] of layers [FrontNet] and Bob has a predetermined number of layers [BackNet] where each Alice has at least three layers, one of which is hidden, and Bob has two or more layers).
It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to modify Costa, Tramer and Gupta in order to distribute model layers to preserve privacy of input data while using outside resource to assist in computations in the field of privacy-preserving machine learning using a trusted and untrusted environment (Gupta, Abstract).

Claims 4-5, 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Costa in view of Tramer, further in view of Gupta, further in view of Ohrimenko et al. (Oblivious Multi-Party Machine Learning on Trusted Processors, hereinafter referred to as “Ohrimenko”), and further in view of Fung et al. (Mitigation Sybils in Federated Learning Poisoning, hereinafter referred to as “Fung”).

Regarding claim 4, Costa in view of Tramer and further in view of Gupta teaches all of the limitations of the method of claim 1 as noted above. However, Costa in view of Tramer and further in view of Gupta does not explicitly teach in response to receiving, by the deep learning training service framework, the one or more encrypted training datasets: prior to decrypting the one or more encrypted training datasets, authenticating, by the security module, training dataset providers of the one or more training dataset providers; and discarding, by the security module, any training datasets from training dataset providers that do not pass the authentication from further use during training of the FrontNet subnet model and BackNet subnet model of the deep learning model.
Ohrimenko teaches in response to receiving, by the deep learning training service framework, the one or more encrypted training datasets (Ohrimenko, section 5 – teaches receiving by the enclave [deep learning training service framework] locally generated key and datasets from each data provider):
prior to decrypting the one or more encrypted training datasets, authenticating, by the security module, training dataset providers of the one or more training dataset providers (Ohrimenko, section 5 – teaches the enclave receiving keys and encrypted data and using AES-GCM for integrity protection [authentication – see Specification ¶0051]); and 
discarding, by the security module, any training datasets from training dataset providers that do not pass the authentication from further use during training of the FrontNet subnet model and BackNet subnet model of the deep learning model (Ohrimenko, section 5 – teaches the enclave receiving keys and encrypted data and using AES-GCM for integrity protection [Authentication for data integrity means only using authenticated data]).
It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to modify Costa in view of Tramer and further in view of Gupta with the teachings of Ohrimenko in order to allow multiple parties to perform collaborative data analytics while guaranteeing the privacy of the individual datasets in the field of privacy-preserving machine learning using a trusted environment (Ohrimenko, Abstract – “Privacy-preserving multi-party machine learning allows multiple organizations to perform collaborative data analytics while guaranteeing the privacy of their individual datasets. Using trusted SGX-processors for this task yields high performance, but requires a careful selection, adaptation, and implementation of machine-learning algorithms to provably prevent the exploitation of any side channels induced by data-dependent access patterns.”).
While Costa in view of Tramer, further in view of Gupta and further in view of Ohrimenko teaches authenticating data and data providers for integrity protection, Costa in view of Tramer, further in view of Gupta and further in view of Ohrimenko does not explicitly teach discarding non-authenticated datasets.
Fung teaches discarding, by the security module, any training datasets from training dataset providers that do not pass the authentication from further use during training of the FrontNet subnet model and BackNet subnet model of the deep learning model (Fung, section II – teaches discarding any data that does not pass verification to avoid poisoning attacks).
It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to modify Costa in view of Tramer, further in view of Gupta and further in view of Ohrimenko with the teachings of Fung in order to avoid poisoning attacks which could degrade accuracy of the model and/or incorrectly modify the probability for a particular result in the field of distributed machine learning using global model training (Fung, section II – “In a poisoning attack ..., an adversary meticulously creates adversarial training examples and inserts them into the training data set of an attacked model. This may be done to degrade the accuracy of the shared model (a random attack), or to increase/decrease the probability of a targeted example being predicted to be a targeted class with the trained model (a targeted attack) ... For example, such an attack could be mounted to avoid fraud detection or to evade email spam filtering...”).

Regarding claim 5, Costa in view of Tramer, further in view of Gupta, further in view of Ohrimenko and further in view of Fung teaches all of the limitations of the method of claim 4 as noted above. Fung further teaches in response to receiving, by the deep learning training service framework, the one or more encrypted training datasets (Fung, section II – teaches using a RONI defense to verify training samples by global server to avoid poisoning attacks):
verifying, by the security module, the integrity of the one or more training datasets (Fung, section II – teaches using a RONI defense to verify training samples); and 
discarding, by the security module, any training datasets that do not pass the verification from further use during training of the FrontNet subnet model and BackNet subnet model of the deep learning model (Fung, section II – teaches discarding any data that does not pass verification to avoid poisoning attacks).
It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to combine the teachings of Costa, Tramer, Gupta, Ohrimenko and Fung to verify the integrity of training data in order to avoid poisoning attacks which could degrade accuracy of the model and/or incorrectly modify the probability for a particular result (Fung, section II).

Regarding claim 14, the rejection of claim 11 is incorporated herein. Further, the limitations in this claim are taught by Costa in view of Tramer, further in view of Gupta, further in view of Ohrimenko and further in view of Fung for the reasons set forth in the rejection of claim 4.

Regarding claim 15, the rejection of claim 14 is incorporated herein. Further, the limitations in this claim are taught by Costa in view of Tramer, further in view of Gupta, further in view of Ohrimenko and further in view of Fung for the reasons set forth in the rejection of claim 5.

Claims 7-8, 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Costa in view of Tramer, further in view of Gupta and further in view of Tamrakar et al. (The Circle Game: Scalable Private Membership Test Using Trusted Hardware, hereinafter referred to as “Tamrakar”).

Regarding claim 7, Costa in view of Tramer and further in view of Gupta teaches all of the limitations of the method of claim 6 as noted above. However, Costa in view of Tramer and further in view of Gupta does not explicitly teach processing, by the trained deep learning model, new input data to generate an output result and a second fingerprint data structure corresponding to the new input data; receiving, from a client device of the one or more client devices, a query comprising the second fingerprint data structure; searching, by a query module executing in the deep learning training service framework, the evidence storage for a first fingerprint data structure similar to the second fingerprint data structure based on a distance function that measures a similarity between embeddings of the fingerprint data structures in the evidence storage and the second fingerprint data structure, and identifying the first fingerprint data structure as a fingerprint data structure in the evidence storage having a relatively smallest distance; and identifying, by the query module, a training dataset, of the one or more training datasets, and a corresponding training dataset provider based on an entry in the evidence storage having a first fingerprint data structure similar to the second fingerprint data structure.
Tamrakar teaches 
processing, by the trained deep learning model, new input data (Tamrakar, section 5 - teaches processing input query by the trusted app [deep learning model]) to generate an output result (Tamrakar, section 3.1 - teaches generating a result value for the input) and a second fingerprint data structure (Tamrakar, section 5 - teaches generating a data representation [fingerprint] for the input query) corresponding to the new input data (Tamrakar, section 3.1 - teaches generating a result value for the input; Tamrakar, section 5 - teaches generating a data representation [fingerprint] for the input query; see also Tamrakar, Figs. 1-2); 
receiving, from a client device of the one or more client devices, a query comprising the second fingerprint data structure (Tamrakar, section 5 - teaches receiving query from user which has data represented by the query representation; see also Tamrakar, Figs. 1-2); 
searching, by a query module executing in the deep learning training service framework, the evidence storage for a first fingerprint data structure similar to the second fingerprint data structure (Tamrakar, section 5- teaches searching, by the trusted app [deep learning training service framework], a dictionary [evidence storage] for a data representation [first fingerprint] which is similar to the newly generated representation for the input query [second fingerprint]; see also Tamrakar, Figs. 1-2) based on a distance function that measures a similarity between embeddings of the fingerprint data structures in the evidence storage and the second fingerprint data structure, and identifying the first fingerprint data structure as a fingerprint data structure in the evidence storage having a relatively smallest distance (Tamrakar, sections 5-6 – teaches comparing [distance measure of similarity between embeddings] dictionary representations [embeddings of fingerprint data structures in evidence storage] and query representations [embeddings of second fingerprint data structures] to identify a match [first fingerprint data structure] in the dictionary have a zero distance); and 
identifying, by the query module, a training dataset, of the one or more training datasets, and a corresponding training dataset provider based on an entry in the evidence storage corresponding to the first fingerprint data structure (Tamrakar, section 5 - teaches identifying malware [data and data provider] based on identifying a data representation [first fingerprint] in the dictionary [evidence storage] which matches the data representation for query input data [second fingerprint]; see also Tamrakar, Figs. 1-2).
It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to modify Costa in view of Tramer and further in view of Gupta with the teachings of Tamrakar in order to develop efficient privacy preserving mechanisms for verifying trusted data using untrusted processes in the field of privacy-preserving trusted environments (Tamrakar, section 5 – “To meet the requirements defined in the preceding section, TA needs a mechanism for accessing the dictionary (X) without leaking any information about the users’ queries (Requirement R1). The naive approach of accessing specific elements of X in the REE violates this requirement because the adversary can observe which dictionary items are being checked. Canonically, this type of problem could be solved using ORAM where TA is the ORAM processor and REE stores the encrypted shuffled database. However, as an alternative approach, we propose a new carousel design pattern in which a representation of the dictionary is continuously circled through TA. As we demonstrate in Section 7, the fundamental advantage of our carousel approach is that it supports efficient processing of batches of queries in a single carousel cycle. Namely, whereas using ORAM to answer a batch of m queries requires accessing O(m log n) dictionary items, these m queries can be answered by a single cycle that reads n dictionary items. When the size of the batch increases, the latter approach becomes more efficient.”).

Regarding claim 8, Costa in view of Tramer, further in view of Gupta and further in view of Tamrakar teaches all of the limitations of the method of claim 7 as noted above. Tamrakar further teaches performing at least one of a debugging operation or a root cause analysis on the trained deep learning model based on the identified training dataset and identified corresponding training dataset provider (Tamrakar, section 3.1 - teaches malware detection [debugging] based on the identified matched data representation [corresponding to data and data provider of malware]).
It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to modify Costa, Tramer, Gupta and Tamrakar in order to use the fingerprinting for debugging to protect user data when sent to the untrusted processor for malware checking (Tamrakar, section 3.1).

Regarding claim 17, the rejection of claim 16 is incorporated herein. Further, the limitations in this claim are taught by Costa in view of Tramer, further in view of Gupta and further in view of Tamrakar for the reasons set forth in the rejection of claim 7.

Regarding claim 18, the rejection of claim 17 is incorporated herein. Further, the limitations in this claim are taught by Costa in view of Tramer, further in view of Gupta and further in view of Tamrakar for the reasons set forth in the rejection of claim 8.

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Costa in view of Tramer, further in view of Gupta and further in view of Mahaffey et al. (US 2014/0189808 A1 – Multi-Factor Authentication and Comprehensive Login System for Client Server Networks, hereinafter referred to as “Mahaffey”).

Regarding claim 22 (New), Costa in view of Tramer and further in view of Gupta teaches all of the limitations of the method of claim 6 as noted above. However, Costa in view of Tramer and further in view of Gupta does not explicitly teach wherein generating one or more first fingerprint data structures for the one or more training datasets comprises generating, for each training data instance in the one or more training datasets, a first fingerprint data structure comprising a tuple data structure that specifies a fingerprint, a class label of the training data instance used to train the deep learning model, a data source identifier, and a hash digest of the training data instance.
Mahaffey teaches wherein generating one or more first fingerprint data structures for the one or more training datasets comprises generating, for each training data instance in the one or more training datasets, a first fingerprint data structure comprising a tuple data structure that specifies a fingerprint, a class label of the training data instance used to train the deep learning model, a data source identifier, and a hash digest of the training data instance (Mahaffey, 0041 - teaches that the fingerprint data structure for each transferred data instance comprises at least a URL [data source identifier], package name of hosting application [class label], signing certificate of hosting application [fingerprint], class name or other identifier of current UI dialog [class label], UUID [data source identifier], a hash of the application or site code [hash digest], and/or digital signature or HMAC provided by the application [fingerprint and/or hash digest]).
It would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to modify Costa in view of Tramer and further in view of Gupta with the teachings of Mahaffey in order to prevent unauthorized or unlimited use of a resource and to protect the security of the resource and the network while providing a simple and centralized method of user authentication and login for a wide variety of applications and networks and that utilizes an authentication device that is readily available for most users in the field of encrypted data transfer between devices (Mahaffey, ¶¶0004-0007 – “... Servers provide access to these resources in response to requests initiated by clients, and often require some sort of authentication before allowing a client to access or use the requested resource in order to prevent unauthorized or unlimited use of a resource and to protect the security of the resource and the network. Such authorization is typically based on a login or sign-in process that requires the client user to provide credentials or otherwise verify their right to obtain access to the resource or restricted area. The login process thus allows the server to control access to the resource by identifying and authenticating the user through the credentials presented by the user. In general, a credential is an object that is verified when presented to the verifier in an authentication transaction. Credentials may be bound in some way to the individual to whom they were issued, such as for identification, or they may be bearer credentials, which may be acceptable for general authorization... a simple and centralized method of user authentication and login for a wide variety of applications and networks and that utilizes an authentication device that is readily available for most users.”).

Allowable Subject Matter
Claim 23 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims, as well as amending the claim to correct the objections noted above.



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communication from the examiner should be directed to MARSHALL WERNER whose telephone number is (469) 295-9143. The examiner can normally be reached on Monday – Thursday 7:30 AM – 4:30 PM ET.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamran Afshar, can be reached at (571) 272-7796. The fax number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of unpublished applications may be obtained from the Private Patent Application Information Retrieval (Private PAIR) system. Information regarding the status of published applications may be obtained from the Patent Center. For more information about the PAIR system, see http://pair-direct.uspto.gov. To file and manage patent submissions in the Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about the Patent Center. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (USA or Canada) or 571-272-1000.

/MARSHALL L WERNER/               Examiner, Art Unit 2125                                                                                                                                                                              
	

	
	/KAMRAN AFSHAR/               Supervisory Patent Examiner, Art Unit 2125