Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This is in response to the amendments filed on 8/29/2022. Claims 1-4, 8-11, 15-18, 22, and 24 have been amended. Claims 1-25 are currently pending and have been considered below. 

Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 8, 15, 22, and 24 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-4, 8-11, 15-18, and 22-25 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Pogorelik” (US 2019/0188386) in view of “Dirac” (US 2015/0379072).

Regarding Claim 1:
Pogorelik teaches:
A computer-implemented method for private transfer learning (Fig. 1; Abstract, “… protecting Artificial Intelligence (AI) payloads…”), comprising:
	providing authorized use of a machine learning model by:
encrypting the machine learning model using a predetermined encryption mechanism (Fig. 1, step 1 - “Load Encrypted AI Payload”; ¶0025, “As a part of installation, AI Orchestration Service/Logic 202 will encrypt the Model 210 … and save it in dedicated security store 212…”), wherein the machine learning model comprises a training application programming interface (API), an inferencing API (Fig. 2, element 202 contains “Proxy APIs”; ¶0025, “AI Orchestration Service/Logic 202 - this is a service responsible for installation of the AI components and handling application specific AI queries related to inference and/or training”), …
copying the encrypted machine learning model to a trusted execution environment (Fig. 1, step 2 - “Move to GPU only memory”; ¶0030, “After being provided with App. Key, the initializer 226 copies the encrypted model from the shared memory to the GPU only memory”); and
training the machine learning model by executing the training API in a secure enclave of the trusted execution environment (Fig. 10 details a software stack for the machine learning application/framework, with the stack being executed by an underlying GPU; ¶0069, “The training framework 1104 can hook into an untrained neural network 1106 and enable the untrained neutral net to be trained using the parallel processing resources described herein to generate a trained neural network 1108”).
Pogorelik does not disclose:
wherein the machine learning model comprises … credentials that authenticate a call from an unsecured execution environment;
Dirac teaches:
wherein the machine learning model (¶0041, “… machine learning service (MLS)…”) comprises … credentials that authenticate a call from an unsecured execution environment (Fig. 9, step 904; ¶0086, “The request may next be validated in accordance with various rules or policies of the MLS (element 904) … For example, in accordance with a security policy, the permissions, roles or capabilities granted to the requesting client may be checked to ensure that the client is authorized to have the requested operations performed”; ¶0074, “When requesting a creation of a data source, in some implementations clients may also be required to provide security credentials that can be used by the MLS to access the data records”);
	Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Pogorelik’s secured artificial intelligence system by enhancing Pogorelik’s machine learning system include credentials utilized to verify received requests from external clients, as taught by Dirac, in order to ensure specific clients are only allowed to access specific resources.
	The motivation is to incorporate security policies that validate credentials within a machine learning system such that the security of the system is enhanced by providing services to only verified clients (Dirac, ¶0061).

Regarding Claim 2:
The method of claim 1, wherein Pogorelik in view of Dirac further teaches training the machine learning model comprises authenticating a call to execute the training API from the unsecured execution environment, based on the credentials (Dirac, ¶0086, “The request may next be validated in accordance with various rules or policies of the MLS (element 904) … For example, in accordance with a security policy, the permissions, roles or capabilities granted to the requesting client may be checked to ensure that the client is authorized to have the requested operations performed”; i.e., in order to execute any function of Pogorelik’s machine learning system, a call needs to be verified based on received credentials).
The motivation to reject claim 2 under Dirac is the same motivation applied in rejecting claim 1 above.

Regarding Claim 3:
The method of claim 2, Pogorelik in view of Dirac further comprising generating an inference from the machine learning model by executing the inferencing API in the secure enclave of the trusted execution environment (Pogorelik, ¶0026, “API Proxy Forwarder/Logic 208 - this is the logic block responsible for transferring application initiated queries to the protected service … Proxy Forwarder logic is used for forwarding regular inference calls to either “normal” … or graphic execution unit”; ¶0030, “After placing the model, the GPU TEE Initializer 226 will notify Inference Proxy Forwarder about service availability”; i.e., generate an inference regarding service availability based on an inference API being executed within a trusted execution environment).

Regarding Claim 4:
The method of claim 3, wherein Pogorelik in view of Dirac further teaches:
	the machine learning model comprises a deep neural network (DNN) model (Pogorelik, ¶0066, “The exemplary neural networks described above can be used to perform deep learning. Deep learning is machine learning using deep neural networks”);
	the DNN model is trained to perform a generic task (Pogorelik, ¶0071, “Unsupervised learning is a learning method in which the network attempts to train itself using unlabeled data. Thus, for unsupervised learning the training dataset 1102 will include input data without any associated output data. The untrained neural network 1106 can learn groupings within the unlabeled input and can determine how individual inputs are related to the overall dataset. Unsupervised training can be used to generate a self-organizing map, which is a type of trained neural network 1107 capable of performing operations useful in reducing the dimensionality of data. Unsupervised training can also be used to perform anomaly detection, which allows the identification of data points in an input dataset that deviate from the normal patterns of the data”; Here, the examiner interprets unsupervised training using unlabeled inputs as a “generic” training); and
	the training API trains the DNN model to perform a task that refines the generic task to a more specific task than the generic task  (Pogorelik, ¶0068, “Once the neural network is structured, a learning model can be applied to the network to train the network to perform specific tasks”; ¶0069, “The training framework 1104 can hook into an untrained neural network 1106 and enable the untrained neural net to be trained using the parallel processing resources described herein to generate a trained neural network 1108”).

Regarding Claims 8-11 and 15-18:
Computer program product claims 8-11 and system claims 15-18 correspond to respective method claims 1-4 and contain no further limitations. Thus, claims 8-11 and 15-18 are each rejected by applying the same rationale used to reject claims 1-4, respectively.

Regarding Claim 22:
Pogorelik teaches:
A system (Fig. 1 & Fig. 2) comprising:
	a computer processing circuit (Fig. 1 - “Main CPU”);
	a graphical processing circuit (GPU) (Fig. 1 - “Graphics Processor”); and
	a computer-readable storage medium storing instructions, which, when executed by the computer processing circuit, are configured to cause the computer processing circuit to perform a method comprising:
	providing authorized use of a machine learning model by:
		encrypting the machine learning model (Fig. 1, step 1 - “Load Encrypted AI Payload”; ¶0025, “As a part of installation, AI Orchestration Service/Logic 202 will encrypt the Model 210 … and save it in dedicated security store 212…”), wherein the machine learning model comprises a training application programming interface (API), an inferencing API (Fig. 2, element 202 contains “Proxy APIs”; ¶0025, “AI Orchestration Service/Logic 202 - this is a service responsible for installation of the AI components and handling application specific AI queries related to inference and/or training”), …;
		copying the encrypted machine learning model to a trusted execution environment (Fig. 1, step 2 - “Move to GPU only memory”; ¶0030, “After being provided with App. Key, the initializer 226 copies the encrypted model from the shared memory to the GPU only memory”); and
		training the machine learning model by executing the training API in a secure enclave of the trusted execution environment (Fig. 10 details a software stack for the machine learning application/framework, with the stack being executed by an underlying GPU; ¶0069, “The training framework 1104 can hook into an untrained neural network 1106 and enable the untrained neutral net to be trained using the parallel processing resources described herein to generate a trained neural network 1108”), …
Pogorelik does not disclose:
wherein the machine learning model comprises … credentials that authenticate a call from an unsecured execution environment;
wherein training the machine learning model comprises authenticating, based on the credentials, a call to execute the training API from the unsecured execution environment.
Dirac teaches:
wherein the machine learning model (¶0041, “… machine learning service (MLS)…”) comprises … credentials that authenticate a call from an unsecured execution environment (Fig. 9, step 904; ¶0086, “The request may next be validated in accordance with various rules or policies of the MLS (element 904) … For example, in accordance with a security policy, the permissions, roles or capabilities granted to the requesting client may be checked to ensure that the client is authorized to have the requested operations performed”; ¶0074, “When requesting a creation of a data source, in some implementations clients may also be required to provide security credentials that can be used by the MLS to access the data records”);
wherein training the machine learning model comprises authenticating, based on the credentials, a call to execute the training API from the unsecured execution environment (Dirac, ¶0086, “The request may next be validated in accordance with various rules or policies of the MLS (element 904) … For example, in accordance with a security policy, the permissions, roles or capabilities granted to the requesting client may be checked to ensure that the client is authorized to have the requested operations performed”; i.e., in order to execute any function of Pogorelik’s machine learning system, a call needs to be verified based on received credentials).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Pogorelik’s secured artificial intelligence system by enhancing Pogorelik’s machine learning system include credentials utilized to verify received requests from external clients, as taught by Dirac, in order to ensure specific clients are only allowed to access specific resources.
	The motivation is to incorporate security policies that validate credentials within a machine learning system such that the security of the system is enhanced by providing services to only verified clients (Dirac, ¶0061).

Regarding Claim 23:
The system of claim 22, wherein Pogorelik in view of Dirac further teaches: 
the machine learning model comprises a deep neural network (DNN) model (Pogorelik, ¶0066, “The exemplary neural networks described above can be used to perform deep learning. Deep learning is machine learning using deep neural networks”); 
the DNN model is trained to perform a generic task (Pogorelik, ¶0071, “Unsupervised learning is a learning method in which the network attempts to train itself using unlabeled data. Thus, for unsupervised learning the training dataset 1102 will include input data without any associated output data. The untrained neural network 1106 can learn groupings within the unlabeled input and can determine how individual inputs are related to the overall dataset. Unsupervised training can be used to generate a self-organizing map, which is a type of trained neural network 1107 capable of performing operations useful in reducing the dimensionality of data. Unsupervised training can also be used to perform anomaly detection, which allows the identification of data points in an input dataset that deviate from the normal patterns of the data”; Here, the examiner interprets unsupervised training using unlabeled inputs as a “generic” training); and 
the training API trains the DNN model to perform a task that refines the generic task to a more specific task than the generic task  (Pogorelik, ¶0068, “Once the neural network is structured, a learning model can be applied to the network to train the network to perform specific tasks”; ¶0069, “The training framework 1104 can hook into an untrained neural network 1106 and enable the untrained neural net to be trained using the parallel processing resources described herein to generate a trained neural network 1108”).

Regarding Claims 24 and 25:
Method claims 24 and 25 correspond to respective system claims 22 and 23 and contain no further limitations. Therefore claims 24 and 25 are rejected by applying the same rationale used to reject claims 22 and 23 above, respectively.

Claims 5-7, 12-14, and 19-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Pogorelik” (US 2019/0188386) in view of “Dirac” (US 2015/0379072) in further view of “Sarkar” (WO 2020/136663).

Regarding Claim 5:
Pogorelik in view of Dirac teaches:
The method of claim 1, …
Pogorelik in view of Dirac does not disclose:
… further comprising generating a combination of a body of the machine learning model with a head of an additional machine learning model in the trusted execution environment. 
Sarkar teaches:
… further comprising generating a combination of a body of the machine learning model with a head of an additional machine learning model in the trusted execution environment (Figure 4 details merging two deep neural network models, a pre-existing model 111 and a pre-existing model 112, into a single model Y (see Figure 5, elements 204/205), where the merging includes merging of a head layer X and body layers X1 and Z1 of each model). 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Pogorelik in view of Dirac’s secure artificial intelligence processing system by enhancing Pogorelik in view of Dirac’s data model to incorporate a combination of models using various layers from each model, as taught by Sakar, in order to build a model that is better indicative of a targeted data group.
	The motivation is to effectively create a data model that represents a targeted data group, which may be new in view of an artificial intelligence processing system, by merging models of adequate pre-existing data with models having new data (Sakar, Page 22, “Certain embodiments may provide one or more of the following technical advantage(s). Embodiments herein enable to build prediction models of a behavior, such as e.g., churn, when the available data is limited”).

Regarding Claim 6:
The method of claim 5, Pogorelik in view of Dirac in further view of Sakar further comprising performing the inferencing API for the combination (Pogorelik, Fig. 2, element 202 is the main interface that establishes an inference API for any existing model stored within AI Secure Store 212, and thus would be necessitated for any additional models; ¶0025, “AI Orchestration Service/Logic 202—this is a service responsible for installation of the AI components and handling application specific AI queries related to inference and/or training”).

Regarding Claim 7:
The method of claim 5, Pogorelik in view of Dirac in further view of Sakar further comprising performing the training API for the combination (Pogorelik, Fig. 2, element 202 is the main interface that establishes a training API for any existing model stored within AI Secure Store 212, and thus would be necessitated for any additional models; ¶0025, “AI Orchestration Service/Logic 202—this is a service responsible for installation of the AI components and handling application specific AI queries related to inference and/or training”).

Regarding Claims 12-14 and 19-21:
Computer program product claims 12-14 and system claims 19-21 correspond to respective method claims 5-7 and contain no further limitations. Therefore claims 12-14 and 19-21 are each rejected by applying the same rationale used to reject claims 5-7 above, respectively.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL B POTRATZ whose telephone number is (571)270-5329.  The examiner can normally be reached on M-F 10 A.M. - 6 P.M. CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491