Prosecution Insights
Last updated: July 17, 2026
Application No. 17/558,744

MECHANISM FOR POISON DETECTION IN A FEDERATED LEARNING SYSTEM

Final Rejection §103
Filed
Dec 22, 2021
Examiner
TSAI, JAMES T
Art Unit
2100
Tech Center
2100 — Computer Architecture & Software
Assignee
Intel Corporation
OA Round
2 (Final)
63%
Grant Probability
Moderate
3-4
OA Rounds
0m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 63% of resolved cases
63%
Career Allowance Rate
192 granted / 305 resolved
+8.0% vs TC avg
Strong +56% interview lift
Without
With
+56.2%
Interview Lift
resolved cases with interview
Typical timeline
3y 3m
Avg Prosecution
39 currently pending
Career history
331
Total Applications
across all art units

Statute-Specific Performance

§101
1.5%
-38.5% vs TC avg
§103
96.4%
+56.4% vs TC avg
§102
1.0%
-39.0% vs TC avg
§112
0.3%
-39.7% vs TC avg
Black line = Tech Center average estimate • Based on career data from 305 resolved cases

Office Action

§103
FINAL REJECTION, SECOND DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after December 21, 2021, is being examined under the first inventor to file provisions of the AIA . Response to Remarks and Arguments Examiner notes that examination has changed to Examiner Tsai in the instant action. First, regarding the Specification and Drawing objections, Examiner thanks Applicant for the amendments and corrections. The objections are withdrawn. Next, regarding, the prior art rejections, Applicant apparently has maintained the claims and argues that the last rejection is improper and should be withdrawn. Specifically, Applicant contends that: The Office Action asserts that a PHOSITA would combine Fung and Cao by, apparently, replacing Fung's trust score with a cosine similarity between clients. However, as shown above, Fung already calculates a cosine similarity and there is no explanation has to how Fung's aggregation that already uses cosine similarity would be changed. For example, of cosine similarity between clients is the new standard, how are the trust scores and aggregation equations altered? Putting in the cosine similarity of Fung into the current Cao equations will break Fung rendering it "unsatisfactory for its intended purpose." As such, there cannot be a suggestion or motivation to combined. (Remarks: p. 8). Examiner respectfully disagrees. Initially, Applicant’s contention that the last Office Action requires a replacement of Fung’s trust score with a cosine similarity between clients is a mischaracterization of the combination of Cao and Fung. Instead, the combination was a modification of Cao’s trust score with a risk score, as recited by representative claim 1. Fung describes a risk score which is disclosed as calculated utilizing a cosine similarity. The modification is to Cao and not Fung as Applicant claims and it is to utilize a risk score, rather than a trust score as taught by Cao. Examiner is therefore not persuaded and maintains the rejection. The claims stand rejected. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The following are the references relied upon in the rejections below: Cao et al. “FLTrust: Byzantine-robust Federated Learning via Trust Bootstrapping” (2021) Fung et al. “Mitigating Sybils in Federated Learning Poisoning” (2020) Liu et al. “FedEraser: Enabling Efficient Client-Level Data Removal from Federated Learning Models” (2021) Xie et al. “Zeno++: Robust Fully Asynchronous SGD” (2021) Claims 1-3, 5-6, 10-12, 13-14, and 16-17, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Cao in view of Fung. Claim 1: Regarding claim 1, Cao discloses: An apparatus comprising: Memory to store instructions; and one or more processors to execute the instructions to: receive trained model update data from each of a plurality of collaborators, execute an auxiliary machine learning model to the trained model update data to generate a [risk] score for trained model update data associated with each collaborator and apply one or more policies based on the [risk] scores to generate adjusted trained model update data associated with each collaborator. Cao, pg. 1, Abstract, Paragraph 2 “In this work, we bridge the gap via proposing FLTrust, a new federated learning method in which the service provider itself bootstraps trust. In particular, the service provider itself collects a clean small training dataset (called root dataset) for the learning task and the service provider maintains a model (called server model) based on it to bootstrap trust. In each iteration, the service provider first assigns a trust score to each local model update from the clients, where a local model update has a lower trust score if its direction deviates more from the direction of the server model update. Then, the service provider normalizes the magnitudes of the local model updates such that they lie in the same hyper-sphere as the server model update in the vector space. Our normalization limits the impact of malicious local model updates with large magnitudes…” It is implicit that federated learning systems necessarily involve processors for training and aggregation processes. So, the above discloses an apparatus comprising a processor to receive trained model update data from each of a plurality of collaborators (clients), execute an auxiliary machine learning model (server model) to the trained model update data to generate a score (a trust score) for trained model update data associated with each collaborator and apply one or more policies (normalizing/downscaling) based on the risk scores to generate adjusted trained model update data (normalized local model updates) associated with each collaborator. Thus far, Cao does not explicitly teach that weighted policies are applied based on a risk score (it applies weighted policies based on trust scores) Fung teaches a risk score Fung, pg. 4, Column 2, Section 5, Paragraph 3 “FoolsGold uses this assumption to modify the learning rates of each client in each iteration. Our approach aims to maintain the learning rate of clients that provide unique gradient updates, while reducing the learning rate of clients that repeatedly contribute similar-looking gradient updates.” Fung, pg. 5-6, Column 2, Updates history. “…To better estimate similarity of the overall contributions made by clients, FoolsGold computes the similarity between pairwise aggregated historical updates instead of just the updates from the current iteration.” Fung, pg. 6, Column 1, Paragraph 3 “We interpret the cosine similarity on the indicative features, a value between -1 and 1, as a representation of how strongly two clients are acting as sybils.” So, clients/collaborators with high similarity to multiple others are flagged as potential Sybils (poisoning agents). Therefore, the cosine similarity is measure of Sybil/poison risk (a risk score). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the federated learning algorithm taught by Fung with the federated learning system of Cao to specifically teach generating a risk score for the for trained model update data of collaborators in a FL system because a risk score enables a more proactive and defensive handling of updates since the likelihood of harm rather than presumed reliability is quantified. Both systems generate scores (Cao’s trust score, Fung’s risk score) for update integrity that are analogous, and the combination would create a comprehensive detection of poisoned updates/risk-based adjustment. Claim 11: Claim 11 discloses a method that recites the same method of claim 1 with substantially the same limitations. Therefore the claim is rejected for the same reasons as stated in the 35 U.S.C. 103 rejection of claim 1 above. Claim 16: Claim 16 discloses a computer readable medium that implements the same recited in claim 1 with substantially the same limitations. Therefore, claim 16 is rejected for the same reasons as claim 1. In addition, Fung discloses an algorithm, including pseudocode (pg. 10, Column 2), designed to be deployed on real-world systems, which teaches a computer readable medium as it must be stored. Claim 2: Regarding claim 2, Cao discloses: The apparatus of claim 1, wherein the one or more processors is further to aggregate the adjusted trained model update data to generate a unified model. Cao, pg. 1, Abstract, Paragraph 2 “…Finally, the service provider computes the average of the normalized local model updates weighted by their trust scores as a global model update, which is used to update the global model…” Claim 3: Regarding claim 3, Cao/Fung discloses: The apparatus of claim 2, wherein the auxiliary machine learning model is to compare trained model update data associated with a first collaborator [to historical trained model update data associated with the first collaborator]. Cao, pg. 2, Column 1, Paragraph 3 “In our FLTrust, the root trust origins from the direction of the server model update. In particular, if the direction of a local model update is more similar to that of the server model update, then the direction of the local model update may be more “promising”. Formally, we use the cosine similarity, a popular metric to measure the angle between two vectors, to measure the direction similarity between a local model update and the server model update.” Discloses wherein the auxiliary machine learning model performs a comparison with the trained model update data (local model update) associated with a first collaborator (local modal). (the data is compared to the server model update computed from the root dataset) Thus far, Cao does not explicitly teach that the trained model update data associated with a first collaborator is compared to historical trained model update data associated with the first collaborator Fung teaches comparing first model update data associated with a first collaborator to historical trained model update data associated with the first collaborator Fung, pg. 5-6, Column 2, Paragraph 4 “FoolsGold maintains a history of updates from each client. It does this by aggregating the updates at each iteration from a single client into a single aggregated client gradient (line 3). To better estimate similarity of the overall contributions made by clients, FoolsGold computes the similarity between pairwise aggregated historical updates instead of just the updates from the current iteration.” Claim 5: Regarding claim 5, Fung discloses: The apparatus of claim 3, wherein the auxiliary machine learning model compare trained model is to update data associated with the first collaborator to trained model update data associated with a second collaborator. Fung, pg. 5, Column 1, Paragraph 2 “We now explain the FoolsGold approach (Algorithm 1). In the federated learning protocol, gradient updates are collected and aggregated in synchronous update rounds. FoolsGold adapts the learning rate αi per client2 based on (1) the update similarity among indicative features in any given iteration, and (2) historical information from past iterations.” Fung, pg. 5, Column 1, Cosine similarity. “We use cosine similarity to measure the angular distance between updates…” So, the model updates compares updates across different clients/collaborators (computes cosine similarity between the first collaborator’s update and other collaborator updates (encompassing a second collaborator)) to detect malicious behavior. Claims 13 and 18: Claims 13 and 18 recite limitations that are the same or substantially the same as those recited in claims 3 and 5, in combination. Therefore the claim is rejected for the same reasons as stated in the 35 U.S.C. 103 rejection of claims 3 and 5 above. Claim 6: Regarding claim 6, Fung discloses: The apparatus of claim 5, wherein to generate adjusted trained model update data comprises to adjust a weight of the trained model update data based on the risk score. Fung, pg. 4, Column 2, Section 2, Paragraph 3 “…We design, implement, and evaluate a novel defense against sybil-based poisoning attacks for the federated learning setting that uses an adaptive learning rate per client based on inter-client contribution similarity.” Fung, pg. 2, Column 2, Paragraph 1 “…FoolsGold adapts the learning rate αi per client2 based on (1) the update similarity among indicative features in any given iteration, and (2) historical information from past iterations…” So, client updates are weighted via the learning rate according to their similarity to others (the risk score). Therefore, it is disclosed that weights of the trained model update data are adjusted based on a risk score. Claim 14 and 19: Claims 14 and 19 recite limitations that are the same or substantially the same as those recited in claim 6. Therefore the claim is rejected for the same reasons as stated in the 35 U.S.C. 103 rejection of claim 6 above. Claim 10: Regarding claim 10, Cao discloses: The apparatus of claim 2, wherein the one or more processors further to transmit the unified model to the plurality of collaborators. Cao, pg. 1, Column 2, Paragraph 1 “…Roughly speaking, FL iteratively performs the following three steps: the server provided by the service provider sends the current global model to the clients or a selected subset of them; each selected client trains a model (called local model) via fine-tuning the global model using its own local training data and sends the local model updates back to the server1; and the server aggregates the local model updates to be a global model update according to an aggregation rule and uses it to update the global model...” Claims 12 and 17: Claims 12 and 17 recite limitations that are the same or substantially the same as those recited in claims 2 and 10, in combination. Therefore the claim is rejected for the same reasons as stated in the 35 U.S.C. 103 rejection of claims 2 and 10 above. Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Cao and Fung in view of Liu. Claim 4: Regarding claim 4, Cao/Fung discloses: The apparatus of claim 3, wherein the auxiliary machine learning model is to receive the historical trained model update data [from a first database]. Cao, pg. 1, Abstract, Paragraph 2 “…the service provider itself collects a clean small training dataset (called root dataset) for the learning task and the service provider maintains a model (called server model) based on it to bootstrap trust. In each iteration, the service provider first assigns a trust score to each local model update from the clients…” Fung, pg. 5-6, Column 2, Paragraph 4 “FoolsGold maintains a history of updates from each client. It does this by aggregating the updates at each iteration from a single client into a single aggregated client gradient (line 3)...” The combination of Cao/Fung discloses wherein an auxiliary machine learning model receives historical trained model update data. Thus far, the combination of Cao/Fung does not explicitly teach that the historical trained model update data comes from a first database Liu teaches historical trained model update data from a first database Liu, pg. 1, Abstract “…The basic idea of FedEraser is to trade the central server’s storage for unlearned model’s construction time, where FedEraser reconstructs the unlearned model by leveraging the historical parameter updates of federated clients that have been retained at the central server during the training process of FL…” So, the central server retains historical trained model update data for later use, and explicitly discloses a “central server’s storage” which encompasses a database. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the historical client update data taught by Liu with the federated learning system of Cao/Fung to specifically teach historical trained model update data from a first database because maintaining an accessible record of past clients updates helps enables detection of malicious activity (See Liu, pg. 1, Column 2, Paragraph 2 “Considering in FL some training data are polluted or manipulated by data poisoning attacks [8], [9], [10], or outdated over time, or even identified to be mistakes after training. The ability to completely forget such data and its lineage can greatly improve the security, responsiveness and reliability of the FL systems.”). Claims 7-9, 15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Cao and Fung in view of Xie. Claim 7: Regarding claim 7, the combination of Cao/Fung does not explicitly disclose: The apparatus of claim 6, wherein a policy is associated with a predetermined risk score range. Xie discloses a policy is associated with a predetermined risk score range Xie, pg. 1, Abstract “We propose Zeno++, a new robust asynchronous Stochastic Gradient Descent (SGD) procedure, intended to tolerate Byzantine failures of workers…” Xie, pg. 3-4, Column 2, Section 4.1, Remark 1, Paragraph 1 “Inspired by Zeno (Xie et al., 2019b), we compute a score for each candidate gradient estimator by using the stochastic zero-order oracle. However, in contrast to the existing synchronous SGD with majority-based aggregation methods, we need a hard threshold to decide whether a gradient is accepted, as sorting is not meaningful in asynchronous settings. This descent score is described next.” So, each update is assigned a descent score, then a policy threshold is defined that fall below the threshold (fall within a certain range) are associated with a specific policy (accepted or rejected). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the policy associated with a predetermined risk score range as taught by Xie with the federated learning system of Cao/Fung because it would in more robust filtering in the weighting of client updates. The combination allows the FL system to act not only on the magnitude of a score but also to enforce hard boundaries, which is a well understood practice in adversarial machine learning. Claim 15 and 20: Claims 15 and 20 recite limitations that are the same or substantially the same as those recited in claim 7. Therefore the claim is rejected for the same reasons as stated in the 35 U.S.C. 103 rejection of claim 7 above. Claim 8: Regarding claim 8, Xie discloses: The apparatus of claim 7, wherein a first policy indicates that the weight of the trained model update data to be adjusted a first percentage upon a determination the risk is within a first predetermined risk score range. PNG media_image1.png 744 642 media_image1.png Greyscale (See Xie, Algorithm 1 above, lines outlined in red) If an update’s score is high enough (when it is determined the descent score is within a first predetermined range) the server incorporates the full update into the model and adjusted a first percentage (the weight of the update data is adjusted with 100% contribution). Claim 9: Regarding claim 9, Xie discloses: The apparatus of claim 8, wherein a second policy indicates that the weight of the trained model update data to be adjusted a second percentage upon a determination the risk is within a second predetermined risk score range. Xie, pg. 4, Column 1, Paragraph 1 “Using the stochastic descent score, we can set a hard threshold parameterized by ∈ to filter out candidate gradients with relatively small scores. The detailed algorithm is outlined in Algorithm 1.” Discloses wherein a second policy (filter out) indicates that the weight of the trained model update data is adjusted a second percentage (adjusted with 0% contribution) upon a determination the risk is within a second predetermined score range (small score). Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES T TSAI whose telephone number is (571)270-3916. The examiner can normally be reached M-F 8-5 Eastern. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Viker Lamardo can be reached at 571-270-5871. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JAMES T TSAI/ Primary Examiner, Art Unit 2147
Read full office action

Prosecution Timeline

Dec 22, 2021
Application Filed
Apr 10, 2025
Non-Final Rejection mailed — §103
Aug 11, 2025
Response Filed
Jun 24, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12682206
QUANTIZED NEURAL NETWORK TRAINING AND INFERENCE
4y 5m to grant Granted Jul 14, 2026
Patent 12682207
ENHANCING SILENT FEATURES WITH ADVERSARIAL NETWORKS FOR IMPROVED MODEL VERSIONS
3y 9m to grant Granted Jul 14, 2026
Patent 12675718
AHEAD-OF-TIME GATE-FUSION TRANSPILATION FOR SIMULATION
4y 6m to grant Granted Jul 07, 2026
Patent 12670365
METHOD AND SYSTEM FOR MULTI-SENSOR FUSION IN THE PRESENCE OF MISSING AND NOISY LABELS
3y 0m to grant Granted Jun 30, 2026
Patent 12650754
THREE-DIMENSIONAL INTERFACE CONTROL METHOD AND TERMINAL
3y 5m to grant Granted Jun 09, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
63%
Grant Probability
99%
With Interview (+56.2%)
3y 3m (~0m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 305 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month