DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
1.The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

                                              Claim Rejections - 35 USC §101

2.    35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

3. Claims 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter.

As for claim 15. the preamble of independent claim 15 indicates that it is drawn to a computer program-product embodied in a computer-readable medium. The broadest reasonable interpretation of a claim drawn to a computer readable medium typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customary meaning of the term “computer readable medium”, particularly when the specification is silent. See MPEP 2111.01. The Applicant’s Specification at paragraph [0079] fails to explicitly exclude non-transitory embodiments from the term “computer readable medium” and instead, explicitly includes them as alternate embodiments. In paragraph [0086] the computer readable medium is taught as including computer-readable signals. A claim drawn to such a computer readable medium that covers both transitory and non-transitory embodiments may be amended to narrow the claim to cover only statutory embodiments to avoid rejection under 35 U.S.C. § 101 by adding the limitation "non-transitory" to the claim.
4. Claims 16-20 are dependent on claim 15 and do not cure its deficiency.


Claim Rejections - 35 USC § 103
5.The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

6. Claim(s) 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Rouhani (US Pub.No.2020/0167471) in view of Christiansen (US Pub.No.2021/0125104).

7.  Regarding claims 1,8 and 15 Rouhani teaches a method, a system and a computer program product for inline detection and prevention of adversarial attacks, the method comprising:
generating, by a processor, an enforcement point, wherein the enforcement point includes one or more adversarial detection models; receiving user input data; analyzing, at the enforcement point, the user input data (abstract and Para:0028 teaches detecting and preventing an adversarial attack against a target machine learning model. The method includes a defender machine learning model will be deployed at an input layer of a target machine learning model. A defender machine learning model deployed at the input layer of a target machine learning model will be configured to determine, prior to any processing by the target machine learning model, whether an input sample is a malicious input sample or a legitimate input sample. Alternatively, and/or additionally, a defender machine learning model will be deployed at one or more intermediate layers of the target machine learning model. A defender machine learning model deployed at an intermediate layer of the target machine learning model will be configured to determine, based at least on a latent response observed at the intermediate layer, whether an input sample triggering the latent response is a malicious input sample or a legitimate input sample);

determining, from the analyzing, whether there is an adversarial attack in the user input data (Para:0030 teaches a defender machine learning model will be trained to learn a probability density function (PDF) associated with the legitimate input samples of a target machine learning model. For example, a defender machine learning model deployed at an input layer of the target machine learning model will be trained to learn a probability density function of legitimate input samples whereas a defender machine learning model deployed at an intermediate layer of the target machine learning model will be trained to learn a probability density function of a latent response triggered by the legitimate input samples. The probability density function associated with legitimate input samples will correspond to an explored subspace of the target machine learning model, which will be occupied by subsets of data frequently encountered by the target machine learning model, for example, during a training of the target machine learning model. By contrast, malicious input samples will typically originate from the unexplored subspace of the target machine learning model, which will be occupied by subsets of data infrequently encountered by the target machine learning model. For instance, a malicious input sample will be generated by manipulating the noncritical (e.g., nuisance) features of input samples occupying the unexplored subspace of the target machine learning model. Accordingly, the defender machine learning model will be configured to determine, based at least on the probability density function, a probability of an input sample and/or a latent response to the input sample. The defender machine learning model will be further configured to identify the input sample as a malicious input sample if the probability of the input sample and/or the corresponding latent response fails to exceed a threshold value).
Para:0045-0046 teaches in some example embodiments, each of the N quantity of defender machine learning models will be associated with a security parameter P. sub. n corresponding to a threshold probability for an input sample to be recognized as a legitimate input sample. For example, the first defender machine learning model 340A may identify an input sample as a malicious input sample if the probability associated with the input sample does not exceed a corresponding security parameter. Alternatively, and/or additionally, the second defender machine learning model 340B will identify an input sample as a malicious input sample if the probability of the latent response triggered by the input sample does not exceed a corresponding security parameter. Each of N quantity of defender machine learning models will generate an output indicative of whether an input sample is a malicious input sample or a legitimate input sample. For instance, each of the N quantity of defender machine learning models will generate a binary output d. sub. k∈{0,1} in which the value 1 may denote a malicious input sample and the value 0 may denote a legitimate input sample). 

Rouhani  teaches all the above claimed limitations but does not expressly teach generating an alert based on determining there is an adversarial attack.

Christiansen teaches generating an alert based on determining there is an adversarial attack (Para:0083 teaches the adversarial defense module can send an alert  to indicate that an adversarial attack has occurred if an anomaly is detected). 

Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the invention was filed to modify Rouhanto include generating an alert based on determining there is an adversarial attack, as taught by Christiansen teaches such a setup would notify the user/human operator if an anomaly is detected.

8. Regarding claims 2, 9 and 16 Rouhani teaches all the above claimed limitations but does not expressly teach the method, the system and the computer program product, wherein the enforcement point is in communication with a machine learning framework, and wherein the machine learning framework includes updated information on identified adversarial attacks based on machine learning models.

Christiansen teaches the method, the system and the computer program product wherein the enforcement point is in communication with a machine learning framework, and wherein the machine learning framework includes updated information on identified adversarial attacks based on machine learning models (Para:0018-0019 teaches updating data on identified adversarial attacks based on machine learning models).
   
Therefore it would have been obvious to one of the ordinary skill in the art before the effective filing date of the invention was filed to modify Rouhanto include the machine learning framework includes updated information on identified adversarial attacks based on machine learning models, as taught by Christiansen teaches such a setup would remove the need for human intervention to update the machine learning model, and also reduces serious performance drops by automatically identifying changes in performance.

9. Regarding claims 3, 10 and 17 Rouhani  teaches all the above claimed limitations but does not expressly teach the method, the system and the computer program product, further comprising: updating information at the enforcement point in regard to the updated information on identified adversarial attacks; and forwarding the updated information to one or more machine learning applications.

Christiansen teaches the method, the system and the computer program product further comprising: updating information at the enforcement point in regard to the updated information on identified adversarial attacks; and forwarding the updated information to one or more machine learning applications (para:0018-0019 teaches updating data on identified adversarial attacks).

Therefore it would have been obvious to one of the ordinary skill in the art before the effective filing date of the invention was filed to modify Rouhanto include updating information at the enforcement point in regard to the updated information on identified adversarial attacks as taught by Christiansen teaches such a setup would remove the need for human intervention to update the machine learning model, and also reduces serious performance drops by automatically identifying changes in performance.

10. Regarding claims 4,11 and 18 Rouhani  teaches all the above claimed limitations but does not expressly teach the method, the system and the computer program product, wherein analyzing the user input data includes: analyzing the user input data in regard to the updated information on identified adversarial attacks.

Christiansen teaches the method, the system and the computer program product wherein analyzing the user input data includes: analyzing the user input data in regard to the updated information on identified adversarial attacks (para:0018-0019 and para:0086 teaches analyzing the input data in regard to the updated information).

Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the invention was filed to modify Rouhanto include analyzing the user input data in regard to the updated information on identified adversarial attacks as taught by Christiansen teaches such a setup would remove the need for human intervention to update the machine learning model, and also reduces serious performance drops by automatically identifying changes in performance.

11. Regarding claims 5,12 and 19 Rouhani teaches the method, the system and the computer program product  wherein determining whether there is an adversarial attack in the user input data (para:0028, para:0030), but does not expressly teach, the determination further includes: identifying, from the updated information on identified adversarial attacks, there is no adversary; and forwarding the user input data to one or more machine learning applications, wherein the forwarding of the user input data includes metadata that indicates a level of confidence in regard to the adversary.

Christiansen teaches the method, the system and the computer program product wherein determining whether there is an adversarial attack in the user input data further includes: identifying, from the updated information on identified adversarial attacks, there is no adversary; and forwarding the user input data to one or more machine learning applications, wherein the forwarding of the user input data includes metadata that indicates a level of confidence in regard to the adversary (para:0018 and para:0046-0047 teaches the confidence module 200 is configured to perform the following steps: receiving data pertaining to the sample data, wherein the sample data is the data to be processed by the machine learning model (step 210); analyzing the data pertaining to the sample data using a mathematical operation and/or a machine learning algorithm (step 220); determining a confidence score for the machine learning model based on the analysis (step 230); and, only if the confidence score is below a predetermined confidence threshold (step 240), triggering retraining of the machine learning model (step 250). If the confidence score is above the predetermined confidence threshold (step 240), then the machine learning model 120 output may be confirmed at decision point 130. In this way, the machine learning inference system 100 is able to provide a confidence bound on the predictability of the machine learning model 120 that can be used to maintain performance, and trigger retraining of the machine learning model 120 should the confidence be lower than is acceptable. More specifically, in step 210, confidence module 200 receives data pertaining to the sample data. Here “data pertaining to the sample data” a reference to data that relates to the sample data. Data pertaining to the sample data comprises one or more of: the sample data itself, remapped sample data, metadata of the sample data etc).

Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the invention was filed to modify Rouhanto include forwarding of the user input data includes metadata that indicates a level of confidence in regard to the adversary
as taught by Christiansen such a setup would defense against adversarial attacks by evaluating sample data  and the sample data with imperceptible adversarial distortions will be detected.

12. Regarding claims 6, 13 and 20 Rouhani teaches the method, the system and the computer program product wherein determining whether there is an adversarial attack in the user input data (para:0028, Para:0030), but does not expressly teach the determination further includes: identifying, from the updated information on identified adversarial attacks, a confirmed adversary; and stopping the forwarding of the user input data to one or more machine learning applications

 Christiansen teaches the method, the system and the computer program product wherein identifying, from the updated information on identified adversarial attacks, a confirmed adversary  (para:0018-0019 and Para:0046); and stopping the forwarding of the user input data to one or more machine learning applications (para:0016 teaches stopping the forwarding of the input data to machine learning model).

Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the invention was filed to modify Rouhanto include stopping the forwarding of the user input data to one or more machine learning applications as taught by Christiansen such a setup would reduce the causing of false output, if there is a chance of the adversarial attack propagating through the machine learning model.

13. Regarding claims 7 and 14 Rouhani teaches the method and the system, further comprising: forwarding the user input data to the machine learning framework  (para:0028-0030).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571)270-0506. The examiner can normally be reached Mon-Fri : 7:30 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DEREENA T CATTUNGAL/Primary Examiner, Art Unit 2431