FINAL REJECTION, SECOND DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after December 21, 2021, is being examined under the first inventor to file provisions of the AIA .
Response to Remarks and Arguments
Examiner notes that examination has changed to Examiner Tsai in the instant action.
First, regarding the Specification and Drawing objections, Examiner thanks Applicant for the amendments and corrections. The objections are withdrawn.
Next, regarding, the prior art rejections, Applicant apparently has maintained the claims and argues that the last rejection is improper and should be withdrawn. Specifically, Applicant contends that:
The Office Action asserts that a PHOSITA would combine Fung and Cao by, apparently, replacing Fung's trust score with a cosine similarity between clients. However, as shown above, Fung already calculates a cosine similarity and there is no explanation has to how Fung's aggregation that already uses cosine similarity would be changed. For example, of cosine similarity between clients is the new standard, how are the trust scores and aggregation equations altered? Putting in the cosine similarity of Fung into the current Cao equations will break Fung rendering it "unsatisfactory for its intended purpose." As such, there cannot be a suggestion or motivation to combined.
(Remarks: p. 8). Examiner respectfully disagrees. Initially, Applicant’s contention that the last Office Action requires a replacement of Fung’s trust score with a cosine similarity between clients is a mischaracterization of the combination of Cao and Fung. Instead, the combination was a modification of Cao’s trust score with a risk score, as recited by representative claim 1. Fung describes a risk score which is disclosed as calculated utilizing a cosine similarity. The modification is to Cao and not Fung as Applicant claims and it is to utilize a risk score, rather than a trust score as taught by Cao.
Examiner is therefore not persuaded and maintains the rejection.
The claims stand rejected.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The following are the references relied upon in the rejections below:
Cao et al. “FLTrust: Byzantine-robust Federated Learning via Trust Bootstrapping” (2021)
Fung et al. “Mitigating Sybils in Federated Learning Poisoning” (2020)
Liu et al. “FedEraser: Enabling Efficient Client-Level Data Removal from Federated Learning Models” (2021)
Xie et al. “Zeno++: Robust Fully Asynchronous SGD” (2021)
Claims 1-3, 5-6, 10-12, 13-14, and 16-17, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Cao in view of Fung.
Claim 1:
Regarding claim 1, Cao discloses: An apparatus comprising:
Memory to store instructions; and
one or more processors to execute the instructions to: receive trained model update data from each of a plurality of collaborators, execute an auxiliary machine learning model to the trained model update data to generate a [risk] score for trained model update data associated with each collaborator and apply one or more policies based on the [risk] scores to generate adjusted trained model update data associated with each collaborator.
Cao, pg. 1, Abstract, Paragraph 2 “In this work, we bridge the gap via proposing FLTrust, a new federated learning method in which the service provider itself bootstraps trust. In particular, the service provider itself collects a clean small training dataset (called root dataset) for the learning task and the service provider maintains a model (called server model) based on it to bootstrap trust. In each iteration, the service provider first assigns a trust score to each local model update from the clients, where a local model update has a lower trust score if its direction deviates more from the direction of the server model update. Then, the service provider normalizes the magnitudes of the local model updates such that they lie in the same hyper-sphere as the server model update in the vector space. Our normalization limits the impact of malicious local model updates with large magnitudes…”
It is implicit that federated learning systems necessarily involve processors for training and aggregation processes.
So, the above discloses an apparatus comprising a processor to receive trained model update data from each of a plurality of collaborators (clients), execute an auxiliary machine learning model (server model) to the trained model update data to generate a score (a trust score) for trained model update data associated with each collaborator and apply one or more policies (normalizing/downscaling) based on the risk scores to generate adjusted trained model update data (normalized local model updates) associated with each collaborator.
Thus far, Cao does not explicitly teach that weighted policies are applied based on a risk score (it applies weighted policies based on trust scores)
Fung teaches a risk score
Fung, pg. 4, Column 2, Section 5, Paragraph 3 “FoolsGold uses this assumption to modify the learning rates of each client in each iteration. Our approach aims to maintain the learning rate of clients that provide unique gradient updates, while reducing the learning rate of clients that repeatedly contribute similar-looking gradient updates.”
Fung, pg. 5-6, Column 2, Updates history. “…To better estimate similarity of the overall contributions made by clients, FoolsGold computes the similarity between pairwise aggregated historical updates instead of just the updates from the current iteration.”
Fung, pg. 6, Column 1, Paragraph 3 “We interpret the cosine similarity on the indicative features, a value between -1 and 1, as a representation of how strongly two clients are acting as sybils.”
So, clients/collaborators with high similarity to multiple others are flagged as potential Sybils (poisoning agents). Therefore, the cosine similarity is measure of Sybil/poison risk (a risk score).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the federated learning algorithm taught by Fung with the federated learning system of Cao to specifically teach generating a risk score for the for trained model update data of collaborators in a FL system because a risk score enables a more proactive and defensive handling of updates since the likelihood of harm rather than presumed reliability is quantified. Both systems generate scores (Cao’s trust score, Fung’s risk score) for update integrity that are analogous, and the combination would create a comprehensive detection of poisoned updates/risk-based adjustment.
Claim 11:
Claim 11 discloses a method that recites the same method of claim 1 with substantially the same limitations. Therefore the claim is rejected for the same reasons as stated in the 35 U.S.C. 103 rejection of claim 1 above.
Claim 16:
Claim 16 discloses a computer readable medium that implements the same recited in claim 1 with substantially the same limitations. Therefore, claim 16 is rejected for the same reasons as claim 1. In addition, Fung discloses an algorithm, including pseudocode (pg. 10, Column 2), designed to be deployed on real-world systems, which teaches a computer readable medium as it must be stored.
Claim 2:
Regarding claim 2, Cao discloses: The apparatus of claim 1, wherein the one or more processors is further to aggregate the adjusted trained model update data to generate a unified model.
Cao, pg. 1, Abstract, Paragraph 2 “…Finally, the service provider computes the average of the normalized local model updates weighted by their trust scores as a global model update, which is used to update the global model…”
Claim 3:
Regarding claim 3, Cao/Fung discloses: The apparatus of claim 2, wherein the auxiliary machine learning model is to compare trained model update data associated with a first collaborator [to historical trained model update data associated with the first collaborator].
Cao, pg. 2, Column 1, Paragraph 3 “In our FLTrust, the root trust origins from the direction of the server model update. In particular, if the direction of a local model update is more similar to that of the server model update, then the direction of the local model update may be more “promising”. Formally, we use the cosine similarity, a popular metric to measure the angle between two vectors, to measure the direction similarity between a local model update and the server model update.”
Discloses wherein the auxiliary machine learning model performs a comparison with the trained model update data (local model update) associated with a first collaborator (local modal).
(the data is compared to the server model update computed from the root dataset)
Thus far, Cao does not explicitly teach that the trained model update data associated with a first collaborator is compared to historical trained model update data associated with the first collaborator
Fung teaches comparing first model update data associated with a first collaborator to historical trained model update data associated with the first collaborator
Fung, pg. 5-6, Column 2, Paragraph 4 “FoolsGold maintains a history of updates from each client. It does this by aggregating the updates at each iteration from a single client into a single aggregated client gradient (line 3). To better estimate similarity of the overall contributions made by clients, FoolsGold computes the similarity between pairwise aggregated historical updates instead of just the updates from the current iteration.”
Claim 5:
Regarding claim 5, Fung discloses: The apparatus of claim 3, wherein the auxiliary machine learning model compare trained model is to update data associated with the first collaborator to trained model update data associated with a second collaborator.
Fung, pg. 5, Column 1, Paragraph 2 “We now explain the FoolsGold approach (Algorithm 1). In the federated learning protocol, gradient updates are collected and aggregated in synchronous update rounds. FoolsGold adapts the learning rate αi per client2 based on (1) the update similarity among indicative features in any given iteration, and (2) historical information from past iterations.”
Fung, pg. 5, Column 1, Cosine similarity. “We use cosine similarity to measure the angular distance between updates…”
So, the model updates compares updates across different clients/collaborators (computes cosine similarity between the first collaborator’s update and other collaborator updates (encompassing a second collaborator)) to detect malicious behavior.
Claims 13 and 18:
Claims 13 and 18 recite limitations that are the same or substantially the same as those recited in claims 3 and 5, in combination. Therefore the claim is rejected for the same reasons as stated in the 35 U.S.C. 103 rejection of claims 3 and 5 above.
Claim 6:
Regarding claim 6, Fung discloses: The apparatus of claim 5, wherein to generate adjusted trained model update data comprises to adjust a weight of the trained model update data based on the risk score.
Fung, pg. 4, Column 2, Section 2, Paragraph 3 “…We design, implement, and evaluate a novel defense against sybil-based poisoning attacks for the federated learning setting that uses an adaptive learning rate per client based on inter-client contribution similarity.”
Fung, pg. 2, Column 2, Paragraph 1 “…FoolsGold adapts the learning rate αi per client2 based on (1) the update similarity among indicative features in any given iteration, and (2) historical information
from past iterations…”
So, client updates are weighted via the learning rate according to their similarity to others (the risk score). Therefore, it is disclosed that weights of the trained model update data are adjusted based on a risk score.
Claim 14 and 19:
Claims 14 and 19 recite limitations that are the same or substantially the same as those recited in claim 6. Therefore the claim is rejected for the same reasons as stated in the 35 U.S.C. 103 rejection of claim 6 above.
Claim 10:
Regarding claim 10, Cao discloses: The apparatus of claim 2, wherein the one or more processors further to transmit the unified model to the plurality of collaborators.
Cao, pg. 1, Column 2, Paragraph 1 “…Roughly speaking, FL iteratively performs the following three steps: the server provided by the service provider sends the current global model to the clients or a selected subset of them; each selected client trains a model (called local model) via fine-tuning the global model using its own local training data and sends the local model updates back to the server1; and the server aggregates the local model updates to be a global model update according to an aggregation rule and uses it to update the global model...”
Claims 12 and 17:
Claims 12 and 17 recite limitations that are the same or substantially the same as those recited in claims 2 and 10, in combination. Therefore the claim is rejected for the same reasons as stated in the 35 U.S.C. 103 rejection of claims 2 and 10 above.
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Cao and Fung in view of Liu.
Claim 4:
Regarding claim 4, Cao/Fung discloses: The apparatus of claim 3, wherein the auxiliary machine learning model is to receive the historical trained model update data [from a first database].
Cao, pg. 1, Abstract, Paragraph 2 “…the service provider itself collects a clean small training dataset (called root dataset) for the learning task and the service provider maintains a model (called server model) based on it to bootstrap trust. In each iteration, the service provider first assigns a trust score to each local model update from the clients…”
Fung, pg. 5-6, Column 2, Paragraph 4 “FoolsGold maintains a history of updates from each client. It does this by aggregating the updates at each iteration from a single client into a single aggregated client gradient (line 3)...”
The combination of Cao/Fung discloses wherein an auxiliary machine learning model receives historical trained model update data.
Thus far, the combination of Cao/Fung does not explicitly teach that the historical trained model update data comes from a first database
Liu teaches historical trained model update data from a first database
Liu, pg. 1, Abstract “…The basic idea of FedEraser is to trade the central server’s storage for unlearned model’s construction time, where FedEraser reconstructs the unlearned model by leveraging the historical parameter updates of federated clients that have been retained at the central server during the training process of FL…”
So, the central server retains historical trained model update data for later use, and explicitly discloses a “central server’s storage” which encompasses a database.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the historical client update data taught by Liu with the federated learning system of Cao/Fung to specifically teach historical trained model update data from a first database because maintaining an accessible record of past clients updates helps enables detection of malicious activity (See Liu, pg. 1, Column 2, Paragraph 2 “Considering in FL some training data are polluted or manipulated by data poisoning attacks [8], [9], [10], or outdated over time, or even identified to be mistakes after training. The ability to completely forget such data and its lineage can greatly improve the security, responsiveness and reliability of the FL systems.”).
Claims 7-9, 15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Cao and Fung in view of Xie.
Claim 7:
Regarding claim 7, the combination of Cao/Fung does not explicitly disclose: The apparatus of claim 6, wherein a policy is associated with a predetermined risk score range.
Xie discloses a policy is associated with a predetermined risk score range
Xie, pg. 1, Abstract “We propose Zeno++, a new robust asynchronous Stochastic Gradient Descent (SGD) procedure, intended to tolerate Byzantine failures of workers…”
Xie, pg. 3-4, Column 2, Section 4.1, Remark 1, Paragraph 1 “Inspired by Zeno (Xie et al., 2019b), we compute a score for each candidate gradient estimator by using the stochastic zero-order oracle. However, in contrast to the existing synchronous SGD with majority-based aggregation methods, we need a hard threshold to decide whether a gradient is accepted, as sorting is not meaningful in asynchronous
settings. This descent score is described next.”
So, each update is assigned a descent score, then a policy threshold is defined that fall below the threshold (fall within a certain range) are associated with a specific policy (accepted or rejected).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the policy associated with a predetermined risk score range as taught by Xie with the federated learning system of Cao/Fung because it would in more robust filtering in the weighting of client updates. The combination allows the FL system to act not only on the magnitude of a score but also to enforce hard boundaries, which is a well understood practice in adversarial machine learning.
Claim 15 and 20:
Claims 15 and 20 recite limitations that are the same or substantially the same as those recited in claim 7. Therefore the claim is rejected for the same reasons as stated in the 35 U.S.C. 103 rejection of claim 7 above.
Claim 8:
Regarding claim 8, Xie discloses: The apparatus of claim 7, wherein a first policy indicates that the weight of the trained model update data to be adjusted a first percentage upon a determination the risk is within a first predetermined risk score range.
PNG
media_image1.png
744
642
media_image1.png
Greyscale
(See Xie, Algorithm 1 above, lines outlined in red)
If an update’s score is high enough (when it is determined the descent score is within a first predetermined range) the server incorporates the full update into the model and adjusted a first percentage (the weight of the update data is adjusted with 100% contribution).
Claim 9:
Regarding claim 9, Xie discloses: The apparatus of claim 8, wherein a second policy indicates that the weight of the trained model update data to be adjusted a second percentage upon a determination the risk is within a second predetermined risk score range.
Xie, pg. 4, Column 1, Paragraph 1 “Using the stochastic descent score, we can set a hard threshold parameterized by ∈ to filter out candidate gradients with relatively small scores. The detailed algorithm is outlined in Algorithm 1.”
Discloses wherein a second policy (filter out) indicates that the weight of the trained model update data is adjusted a second percentage (adjusted with 0% contribution) upon a determination the risk is within a second predetermined score range (small score).
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES T TSAI whose telephone number is (571)270-3916. The examiner can normally be reached M-F 8-5 Eastern.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Viker Lamardo can be reached at 571-270-5871. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JAMES T TSAI/ Primary Examiner, Art Unit 2147