Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claims 1-20 are presented for examination in this application (17/868123) filed
2022-07-19.
The Examiner cites particular sections in the references as applied to the claims
below for the convenience of the applicant(s). Although the specified citations are
representative of the teachings in the art and are applied to the specific limitations within
the individual claim, other passages and figures may apply as well. It is respectfully
requested that, in preparing responses, the applicant(s) fully consider the references in
their entirety as potentially teaching all or part of the claimed invention, as well as the
context of the passage as taught by the prior art or disclosed by the Examiner.
Response to Arguments
Applicant’s arguments and remarks filed 2025-10-17 have been fully considered. The arguments and remarks regarding the 35 U.S.C 101 rejections were found to be persuasive. The arguments and remarks regarding the 35 U.S.C 103 rejections were found to be persuasive however the amendments have necessitated a change in the references applied. The 35 U.S.C 103 rejections have been maintained via new ground of rejection.
35 U.S.C 101
Applicant’s response:
Applicant states “The claims do not recite "an abstract idea of a mental process) ... which can be performed by the human mind." On the contrary, the claims relate to sanitization of received neural network model parameters, at a security platform, to ensure removal of any data that may be used to reconstruct malware at a user device within the computer network. These processes (e.g., removal of possible malware-related data) cannot be performed by the human mind. See SRI Int'l, Inc. v. Cisco Systems, Inc., 930 F.3d 1295, 1304 (Fed. Cir. 2019) (declining to identify the claimed collection and analysis of network data as abstract because "the human mind is not equipped to detect suspicious activity by using network monitors and analyzing network packets as recited by the claims")…
Even if the Office considers the claims to recite elements from one of the enumerated groupings of abstract ideas-which Applicant does not concede-the claims are not "directed to" an abstract idea because the claims integrate any alleged abstract idea into "a practical application." MPEP 2106.04(d) explains that "[if] a claim recites a judicial exception in Step 2A Prong One, examiners should evaluate whether the claim as a whole integrates the recited judicial exception into a practical application of the exception in Step 2A Prong Two." MPEP 2106.04(d)(II) further states that "[i]f the claim as a whole integrates the judicial exception into a practical application based upon evaluation of these considerations, the additional limitations impose a meaningful limit on the judicial exception and the claim is eligible at Step 2A."
The claims clearly recite a practical application of the alleged abstract idea. For example, claim 1 recites multiple, specific, detailed, unique steps performed at particular devices that use computer processes for receiving neural network model parameters, iteratively modifying said parameters until it may be ensured that malware-related data is removed from the model parameters, and sending the modified parameters for use to other devices in the network. These features of the claims are necessarily rooted in computer technology and are for integration into a very specific practical application of malware protection in computer networks …
Even if it is assumed that that the above features are insufficient for showing that the alleged judicial exception is integrated into a practical application -which Applicant does not concede - Applicant respectfully submits that the claims recite "significantly more" than the alleged judicial exception. See MPEP § 2106, and MPEP § 2106.05(a) (noting that "it is critical that examiners look at the claim 'as a whole,' in other words, the claim should be evaluated 'as an ordered combination, without ignoring the requirements of the individual steps (emphasis added)".
Examiner’s response:
The examiner finds that the iterative retraining process, deemed an additional element, would be significantly more and serve a practical application when coupled with the actions of sanitizing a neural network to remove possible malware from the model parameters. The 35 U.S.C 101 rejection has thus been overcome.
35 U.S.C 103
Applicant’s response:
Applicant states “The applied references do not disclose or suggest "performing the iterative retraining process comprises modifying the model parameters until the model parameters are sanitized to remove possible malware information from the model parameters," as recited in claim 1. Karam describes "detection of Neural Trojans in different applications of neural networks for different devices and/or systems (e.g., IoT devices, devices using artificial intelligence at the edge, etc.)." See Karam at 4. With respect to Neural Trojans, Karam 3 recites "Neural Trojans can cause stealthy changes to a neural network configuration (i.e., neural network model), thereby infecting systems, such as self-driving vehicles that rely on accurate input classification for proper functionality." Karam 3 further recites Neural Trojan attacks as being "potentially malicious training data [being] injected into the training process" of neural networks. Karam further refers to the use of an updated CNN model to detect such attacks. See, for example, claim 1. However, none of these techniques in Karam for detection of neural network attacks relate to an iterative retraining process for "modifying the model parameters until the model parameters are sanitized to remove possible malware information from the model parameters," as recited in claim 1. The other applied references, Chan and Doan do not overcome these deficiencies of Karam.” The Office concedes that Karam does not disclose or suggest "when a quantity of updated model parameters exceeds or is equal to a threshold value that is based on a total number of model parameters, stopping the iterative retraining process," as recited in claim 1, and relies on Chan. However, Chan does not overcome these deficiencies of Karam.
Examiner’s response:
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not reply on references applied in the prior rejection of record for any teaching or matter specifically challenged in the arguments. Applicant’s arguments have necessitated a change in the references applied. The 35 U.S.C 103 rejections have thus been maintained via new grounds of rejection.
Specification
The specification is objected to because of the following informalities:
There appears to be a typo at [12] on page 3 of the specification. [12] recites “…threshold, retaining an original value” and should read “…threshold, retraining an original value”.
Appropriate corrections should be made to resolve these objections.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-5, 7, 9-13, 15, 17-20 are rejected under 35 U.S.C 103 as being unpatentable over Karam et al. (US20220303286 hereinafter referred to as Karam) in view Zhang et al. (“Adversarial Feature Selection Against Evasion Attacks” hereinafter referred to as Zhang.
Regarding claim 1 (currently amended):
Karam teaches a system comprising: a user computing device (see [0091]: “ The processor 1352 can provide, for example, for coordination of the other components of the mobile computing device 1350, such as control of user interfaces, applications run by the mobile computing device 1350, and wireless communication by the mobile computing device 1350.”)
and a security platform comprising:
a processor (see ([0104]: “The attacker system 104 can include processor(s) 1402, a model data modifier 1404, a Trojan injection module 1406, and a communication interface 1408. The processor(s) 1402 can be configured to perform or execute any one or more of the operations of the attacker system 104. The model data modifier 1404 can receive or extract a training dataset or other data that is used by a network model of the target system 106A. The modifier 1404 can then maliciously change or update that data. The Trojan injection module 1406 can then inject the maliciously updated data back into the target system 106A. The module 1406 can also attempt to inject the maliciously updated data into other similar or same systems as the target system 106A in an ecosystem or environment, as described throughout this disclosure.”)
and memory storing computer-readable instructions that, when executed by the processor, cause the security platform (see [0085]: “The computing device 1300 includes a processor 1302, a memory 1304, a storage device 1306, a high-speed interface 1308 connecting to the memory 1304 and multiple high-speed expansion ports 1310, and a low-speed interface 1312 connecting to a low-speed expansion port 1314 and the storage device 1306”) to
receive, from the user computing device, model parameters of a neural network (see [0008]: “The attack identification computing system is configured to: receive, from the target computing system, the CNN model and parameters associated with the CNN model; ”)
providing an input to a plurality of input nodes of the neural network (see [0009]: “. Generating the update file for the received CNN model can include retraining the received CNN model with the updated weights;”)
generating, from one or more output nodes, an output based on the input (see [0008]: “generate, based on the received CNN model and the parameters, an ecosystem of CNN models, wherein generating the ecosystem comprises modifying original weights of the parameters associated with the CNN model)
determining an error value based on the output, an expected output, the input, and a loss function (see [0071]: “FIGS. 10A-C depict distribution of accuracy across each ecosystem using the techniques described herein. FIG. 10A depicts a graph for distribution of the entire ecosystem for each threshold percentage at 32-bit precision. FIG. 10B depicts a graph for distribution of the entire ecosystem for each threshold percentage at 16-bit precision. FIG. 10C depicts a graph of average trial accuracy of the ecosystem at each threshold level. The cutoff (99%) can be the base accuracy that the model started with, and the optimum (5%) can be the largest value for tp before the accuracy can degrade from the original model. Anything under the cutoff value can be an undesirable result. ”)
based on the error value, updating one or more parameters; (see [0009]: “Updating the received CNN model can include transmitting, to the target computing system, deltas of the updated weights.”); and
send, to the user computing device, the updated model parameters of the neural network (see [0009]: “Updating the received CNN model can include transmitting, to the target computing system, deltas of the updated weights.”. Also see [0114]: “The computer system 102 can also generate an update file in 1516. This can include retraining the received network model with the updated weights (1518). This can also include determining matrices of weights before and after the retraining (1520). In so doing, the computer system 102 can XOR the weights in an update file (1522). The update file can then be used to update the network model for the target system and also other similar or same systems in the same environment or ecosystem.”).
Karam does not teach to perform an iterative retraining process for the neural network to modify the neural network to modify the model parameters, wherein the performing the iterative retraining process comprises modifying the model parameters until the model parameters are sanitized to remove possible malware information from the model parameters and when a quantity of updated model parameters exceeds or is equal to a threshold value that is based on a total number of model parameter, stopping the iterative retraining process.
Zhang, however, analogously teaches to perform an iterative retraining process for the neural network to modify the neural network to modify the model parameters (see pg. 769 section III. A. : “The implementation of the proposed adversarial feature selection approach is given in Algorithm 1. It is a simple variant of the popular forward selection and backward elimination wrapping algorithms, which iteratively add or delete a feature from the current candidate set, starting, respectively, from an empty feature set and from the full feature set [38], [44], [58].”).
wherein the performing the iterative retraining process comprises modifying the model parameters until the model parameters are sanitized to remove possible malware information from the model parameters (see pg. 766 section I. : “ The proposed model is implemented as a wrapper-based feature selection approach, suitable for linear and nonlinear classifiers (with differentiable discriminant functions), and for discrete- and real-valued feature spaces. We exploit the well-known forward selection and backward elimination algorithms to implement the proposed approach. Its effectiveness against attacks that assume different levels of knowledge of the attacked system (discussed in Section IV) is experimentally evaluated on different application examples, including spam and PDF malware detection (Section V). We finally discuss the conclusion in Section VI..”) and
when a quantity of updated model parameters exceeds or is equal to a threshold value that is based on a total number of model parameters, stopping the iterative retraining process (see pg. 769 line 11:
PNG
media_image1.png
386
408
media_image1.png
Greyscale
).
Before the effective filing date of the claimed invention, it would have been
obvious to one of ordinary skill in the art, having the teachings of Karam and Zhang before him or her, to modify the system of claim 1 to include attributes of performing an iterative retraining process for the neural network to modify the neural network to modify the model parameters, wherein the performing the iterative retraining process comprises modifying the model parameters until the model parameters are sanitized to remove possible malware information from the model parameters and when a quantity of updated model parameters exceeds or is equal to a threshold value that is based on a total number of model parameter, stopping the iterative retraining process in order to optimize a model (see pg. 767 section I. introduction: We model classifier security as a regularization term to be optimized together with the estimated classifier’s generalization capability during the feature selection process. The proposed model is implemented as a wrapper-based feature selection approach, suitable for linear and nonlinear classifiers (with differentiable discriminant functions), and for discrete- and real-valued feature spaces. We exploit the well-known forward selection and backward elimination algorithms to implement the proposed approach. Its effectiveness against attacks that assume different levels of knowledge of the attacked system (discussed in Section IV) is experimentally evaluated on different application examples, including spam and PDF malware detection (Section V).”.
Regarding claim 2 (currently amended):
Karam in view of Zhang teaches the system of 1.
Karam does not teach wherein the stopping the iterative retraining process is further based on determining that a change of each values of the updated model parameters exceeds of a threshold percentage.
Zhang, however, analogously further teaches wherein the stopping the iterative retraining process is further based on determining that a change of each values of the updated model parameters exceeds of a threshold percentage (see pg. 769 line 11:
PNG
media_image1.png
386
408
media_image1.png
Greyscale
).
Before the effective filing date of the claimed invention, it would have been
obvious to one of ordinary skill in the art, having the teachings of Karam and Zhang before him or her, to modify the system of claim 2 to include attributes of stopping the retraining process is further based on determining that a change of each values of the updated model parameters exceeds of a threshold percentage in order to in order to optimize a model (see pg. 767 section I. introduction: We model classifier security as a regularization term to be optimized together with the estimated classifier’s generalization capability during the feature selection process. The proposed model is implemented as a wrapper-based feature selection approach, suitable for linear and nonlinear classifiers (with differentiable discriminant functions), and for discrete- and real-valued feature spaces. We exploit the well-known forward selection and backward elimination algorithms to implement the proposed approach. Its effectiveness against attacks that assume different levels of knowledge of the attacked system (discussed in Section IV) is experimentally evaluated on different application examples, including spam and PDF malware detection (Section V).”.)
Regarding claims 10 and 18
Claims 10 and 18 recite analogous limitations to claim 2 and are therefore rejected on the same grounds as claim 2.
Regarding claim 3 (currently amended):
Karam in view of Zhang teaches the system of 1.
Karam does not teach wherein the computer-readable instructions, when executed by the processor, cause the security platform to iteratively perform the retraining process until the quantity of the updated model parameters exceeds the threshold value
Zhang, however, analogously teaches wherein the computer-readable instructions, when executed by the processor, cause the security platform to iteratively perform the retraining process until the quantity of the updated model parameters exceeds the threshold value (see pg. 769 line 11:
PNG
media_image1.png
386
408
media_image1.png
Greyscale
).
Before the effective filing date of the claimed invention, it would have been
obvious to one of ordinary skill in the art, having the teachings of Karam and Zhang before him or her, to modify the system of claim 3 to include attributes of security platform to iteratively perform the retraining process until the quantity of the updated model parameters exceeds the threshold value to in order to optimize a model (see pg. 767 section I. introduction: We model classifier security as a regularization term to be optimized together with the estimated classifier’s generalization capability during the feature selection process. The proposed model is implemented as a wrapper-based feature selection approach, suitable for linear and nonlinear classifiers (with differentiable discriminant functions), and for discrete- and real-valued feature spaces. We exploit the well-known forward selection and backward elimination algorithms to implement the proposed approach. Its effectiveness against attacks that assume different levels of knowledge of the attacked system (discussed in Section IV) is experimentally evaluated on different application examples, including spam and PDF malware detection (Section V).”.)
Regarding claims 11 and 19:
Claims 11 and 19 recite analogous limitations to claim 3 and are therefore rejected on the same grounds as claim 2.
Regarding claim 4 (currently amended):
Karam in view of Zhang teaches the system of 1.
Karam does not teach wherein the updating the one or more model parameters is based on the error value being greater than a threshold error value, wherein the threshold error value is based on the expected output.
Zhang, however, analogously further teaches wherein the updating the one or more model parameters is based on the error value being greater than a threshold error value, wherein the threshold error value is based on the expected output (see pg. 769 line 11:
PNG
media_image1.png
386
408
media_image1.png
Greyscale
).
Before the effective filing date of the claimed invention, it would have been
obvious to one of ordinary skill in the art, having the teachings of Karam and Zhang before him or her, to modify the system of claim 4 to include attributes updating the one or more model parameters is based on the error value being greater than a threshold error value, wherein the threshold error value is based on the expected output in order to optimize a model (see pg. 767 section I. introduction: We model classifier security as a regularization term to be optimized together with the estimated classifier’s generalization capability during the feature selection process. The proposed model is implemented as a wrapper-based feature selection approach, suitable for linear and nonlinear classifiers (with differentiable discriminant functions), and for discrete- and real-valued feature spaces. We exploit the well-known forward selection and backward elimination algorithms to implement the proposed approach. Its effectiveness against attacks that assume different levels of knowledge of the attacked system (discussed in Section IV) is experimentally evaluated on different application examples, including spam and PDF malware detection (Section V).”.)
Regarding claims 12 and 20:
Claims 12 and 20 recite analogous limitations to claim 4 and are therefore rejected on the same grounds as claim 4.
Regarding claim 5:
Karam in view of Zhang teaches the system of 1.
Karam further teaches wherein the model parameters comprise biases and weights for the neural network (see [0051]: “FIG. 3 is an algorithm for diversifying a convolutional neural network (CNN) model. CNNs can require a large number of trainable parameters (e.g., weights, activations, bias terms, etc.)”.
Regarding claim 13:
Claim 13 recites analogous limitations to claim 5 and is therefore rejected on the same grounds as claim 5.
Regarding claim 7 (currently amended):
Karam in view of Zhang teaches the system of 1.
Karam further teaches further comprising a database storing, for the retraining process, a plurality of inputs and corresponding expected outputs (see [0056]: “As shown, the final network M can be trained. Stochastic parameter mutation can be applied to the weights to derive n copies of the model M. These weights can then be stored in a secure database for future deployment. Thus, the ecosystem can be derived from M and the weights for each network in the ecosystem can be stored.” Also see [0061]: “Next, each model can be mapped from the new ecosystem to each model in the old ecosystem by XOR'ing their parameters. This can derive an update for each model that can be deployed to the ecosystem. The new parameters can overwrite what currently exists in the database or data store described herein.”).
Regarding claim 15:
Claim 15 recites analogous limitations to claim 7 and is therefore rejected on the same grounds as claim 7.
Regarding claim 8:
Karam in view of Zhang teaches the system of 1.
Karam does not teach wherein the updating the one or more model parameters is based on a gradient descent algorithm.
Zhang, however, teaches in analogous wherein the updating the one or more model parameters is based on a gradient descent algorithm (see pg. 771 section III. B.: “This basically amounts to exploiting the available gradient as a search heuristic, and to selecting the feasible point that best aligns with the current gradient. An example of the descent paths explored in discrete spaces by our evasion attack algorithm is given in Fig. 1 (rightmost plot).”).
Before the effective filing date of the claimed invention, it would have been
obvious to one of ordinary skill in the art, having the teachings of Karam and Zhang before him or her, to modify the system of claim 8 to include attributes of the gradient descent algorithm in order to decrease the objective function (see pg. 771 section III. B.: “For classifiers with a differentiable discriminant function, the number of queries can be reduced by perturbing only a number of features which correspond to the maximum absolute values of the gradient, one at a time, in the correct direction, and eventually retaining the sample that maximally decreases the objective function.”).
Regarding claim 16:
Claim 16 recites analogous limitations to claim 8 and is therefore rejected on the same grounds as claim 8.
Regarding 9:
Karam teaches a method comprising receiving, from a user computing device, model parameters of a neural network (see [0008]: “The attack identification computing system is configured to: receive, from the target computing system, the CNN model and parameters associated with the CNN model; ”);
performing a retraining process for the neural network, wherein the retraining process comprises: providing an input to a plurality of input nodes of the neural network (see [0009]: “. Generating the update file for the received CNN model can include retraining the received CNN model with the updated weights;”);
generating, from one or more output nodes, an output based on the input (see [0008]: “generate, based on the received CNN model and the parameters, an ecosystem of CNN models, wherein generating the ecosystem comprises modifying original weights of the parameters associated with the CNN model);
determining an error value based on the output, an expected output, the input, and a loss function (see [0071]: “FIGS. 10A-C depict distribution of accuracy across each ecosystem using the techniques described herein. FIG. 10A depicts a graph for distribution of the entire ecosystem for each threshold percentage at 32-bit precision. FIG. 10B depicts a graph for distribution of the entire ecosystem for each threshold percentage at 16-bit precision. FIG. 10C depicts a graph of average trial accuracy of the ecosystem at each threshold level. The cutoff (99%) can be the base accuracy that the model started with, and the optimum (5%) can be the largest value for tp before the accuracy can degrade from the original model. Anything under the cutoff value can be an undesirable result. ”)
and based on the error value, updating one or more parameters (see [0009]: “Updating the received CNN model can include transmitting, to the target computing system, deltas of the updated weights.”); and
send, to the user computing device, the updated model parameters of the neural network (see [0009]: “Updating the received CNN model can include transmitting, to the target computing system, deltas of the updated weights.”. Also see [0114]: “The computer system 102 can also generate an update file in 1516. This can include retraining the received network model with the updated weights (1518). This can also include determining matrices of weights before and after the retraining (1520). In so doing, the computer system 102 can XOR the weights in an update file (1522). The update file can then be used to update the network model for the target system and also other similar or same systems in the same environment or ecosystem.”).
Karam does not teach when a quantity of updated model parameters exceeds a threshold that is based on a total number of model parameters, stopping the retraining process.
Zhang, however, analogously teaches to perform an iterative retraining process for the neural network to modify the neural network to modify the model parameters (see pg. 769 section III. A. : “The implementation of the proposed adversarial feature selection approach is given in Algorithm 1. It is a simple variant of the popular forward selection and backward elimination wrapping algorithms, which iteratively add or delete a feature from the current candidate set, starting, respectively, from an empty feature set and from the full feature set [38], [44], [58].”).
wherein the performing the iterative retraining process comprises modifying the model parameters until the model parameters are sanitized to remove possible malware information from the model parameters (see pg. 766 section I. : “ The proposed model is implemented as a wrapper-based feature selection approach, suitable for linear and nonlinear classifiers (with differentiable discriminant functions), and for discrete- and real-valued feature spaces. We exploit the well-known forward selection and backward elimination algorithms to implement the proposed approach. Its effectiveness against attacks that assume different levels of knowledge of the attacked system (discussed in Section IV) is experimentally evaluated on different application examples, including spam and PDF malware detection (Section V). We finally discuss the conclusion in Section VI..”) and
when a quantity of updated model parameters exceeds or is equal to a threshold value that is based on a total number of model parameters, stopping the iterative retraining process (see pg. 769 line 11:
PNG
media_image1.png
386
408
media_image1.png
Greyscale
).
Before the effective filing date of the claimed invention, it would have been
obvious to one of ordinary skill in the art, having the teachings of Karam and Zhang before him or her, to modify the system of claim 1 to include attributes of performing an iterative retraining process for the neural network to modify the neural network to modify the model parameters, wherein the performing the iterative retraining process comprises modifying the model parameters until the model parameters are sanitized to remove possible malware information from the model parameters and when a quantity of updated model parameters exceeds or is equal to a threshold value that is based on a total number of model parameter, stopping the iterative retraining process in order to optimize a model (see pg. 767 section I. introduction: We model classifier security as a regularization term to be optimized together with the estimated classifier’s generalization capability during the feature selection process. The proposed model is implemented as a wrapper-based feature selection approach, suitable for linear and nonlinear classifiers (with differentiable discriminant functions), and for discrete- and real-valued feature spaces. We exploit the well-known forward selection and backward elimination algorithms to implement the proposed approach. Its effectiveness against attacks that assume different levels of knowledge of the attacked system (discussed in Section IV) is experimentally evaluated on different application examples, including spam and PDF malware detection (Section V).”.
Regarding claim 17 (currently amended):
Karam teaches a non-transitory computer readable medium storing computer executable instructions (see fig 13. Also see [0094]: “The memory can include, for example, flash memory and/or NVRAM memory (non-volatile random access memory), as discussed below.”)
a security platform to receive model parameters of a neural network (see [0008]: “The attack identification computing system is configured to: receive, from the target computing system, the CNN model and parameters associated with the CNN model; ”);
perform a retraining process for the neural network, wherein the retraining process comprises: providing an input to a plurality of input nodes of the neural network (see [0009]: “. Generating the update file for the received CNN model can include retraining the received CNN model with the updated weights;”);
generating, from one or more output nodes, an output based on the input (see [0008]: “generate, based on the received CNN model and the parameters, an ecosystem of CNN models, wherein generating the ecosystem comprises modifying original weights of the parameters associated with the CNN model);
determining an error value based on the output, an expected output, the input, and a loss function (see [0071]: “FIGS. 10A-C depict distribution of accuracy across each ecosystem using the techniques described herein. FIG. 10A depicts a graph for distribution of the entire ecosystem for each threshold percentage at 32-bit precision. FIG. 10B depicts a graph for distribution of the entire ecosystem for each threshold percentage at 16-bit precision. FIG. 10C depicts a graph of average trial accuracy of the ecosystem at each threshold level. The cutoff (99%) can be the base accuracy that the model started with, and the optimum (5%) can be the largest value for tp before the accuracy can degrade from the original model. Anything under the cutoff value can be an undesirable result. ”);
and based on the error value, updating one or more parameters (see [0009]: “Updating the received CNN model can include transmitting, to the target computing system, deltas of the updated weights.”); and
send, to the user computing device, the updated model parameters of the neural network (see [0009]: “Updating the received CNN model can include transmitting, to the target computing system, deltas of the updated weights.”. Also see [0114]: “The computer system 102 can also generate an update file in 1516. This can include retraining the received network model with the updated weights (1518). This can also include determining matrices of weights before and after the retraining (1520). In so doing, the computer system 102 can XOR the weights in an update file (1522). The update file can then be used to update the network model for the target system and also other similar or same systems in the same environment or ecosystem.”).
Karam does not teach when a quantity of updated model parameters exceeds a threshold that is based on a total number of model parameters, stopping the retraining process.
Zhang, however, analogously teaches to perform an iterative retraining process for the neural network to modify the neural network to modify the model parameters (see pg. 769 section III. A. : “The implementation of the proposed adversarial feature selection approach is given in Algorithm 1. It is a simple variant of the popular forward selection and backward elimination wrapping algorithms, which iteratively add or delete a feature from the current candidate set, starting, respectively, from an empty feature set and from the full feature set [38], [44], [58].”).
wherein the performing the iterative retraining process comprises modifying the model parameters until the model parameters are sanitized to remove possible malware information from the model parameters (see pg. 766 section I. : “ The proposed model is implemented as a wrapper-based feature selection approach, suitable for linear and nonlinear classifiers (with differentiable discriminant functions), and for discrete- and real-valued feature spaces. We exploit the well-known forward selection and backward elimination algorithms to implement the proposed approach. Its effectiveness against attacks that assume different levels of knowledge of the attacked system (discussed in Section IV) is experimentally evaluated on different application examples, including spam and PDF malware detection (Section V). We finally discuss the conclusion in Section VI..”) and
when a quantity of updated model parameters exceeds or is equal to a threshold value that is based on a total number of model parameters, stopping the iterative retraining process (see pg. 769 line 11:
PNG
media_image1.png
386
408
media_image1.png
Greyscale
).
Before the effective filing date of the claimed invention, it would have been
obvious to one of ordinary skill in the art, having the teachings of Karam and Zhang before him or her, to modify the non-transitory computer readable medium of claim 17 to include attributes of performing an iterative retraining process for the neural network to modify the neural network to modify the model parameters, wherein the performing the iterative retraining process comprises modifying the model parameters until the model parameters are sanitized to remove possible malware information from the model parameters and when a quantity of updated model parameters exceeds or is equal to a threshold value that is based on a total number of model parameter, stopping the iterative retraining process in order to optimize a model (see pg. 767 section I. introduction: We model classifier security as a regularization term to be optimized together with the estimated classifier’s generalization capability during the feature selection process. The proposed model is implemented as a wrapper-based feature selection approach, suitable for linear and nonlinear classifiers (with differentiable discriminant functions), and for discrete- and real-valued feature spaces. We exploit the well-known forward selection and backward elimination algorithms to implement the proposed approach. Its effectiveness against attacks that assume different levels of knowledge of the attacked system (discussed in Section IV) is experimentally evaluated on different application examples, including spam and PDF malware detection (Section V).”.
Claims 6 and 14 are rejected under 35 U.S.C 103 as being unpatentable over Karam et al. (US20220303286 hereinafter referred to as Karam) in view Zhang et al. (“Adversarial Feature Selection Against Evasion Attacks” hereinafter referred to as Zhang) in further view of Doan et al. (“Februus: Input Purificiation Defense Against Trojan Attacks on Deep Neural Network Systems” hereinafter referred to as Doan).
Regarding claim 6 (currently amended):
Karam in view of Zhang teaches the system of 1.
Karam in view of Zhang does not teach wherein the loss function is one of: a mean squared error loss function, a binary cross-entropy loss function; or a categorical cross-entry loss function.
Doan, however, teaches in analogous wherein the loss function is one of: a mean squared error loss function, a binary cross-entropy loss function, or a categorical cross-entry loss function (see pg. 10 VII B: “An attacker can augment the original objective (binary cross entropy loss) used for classification with a new objective to minimize the score of GradCAM for Trojaned inputs.”).
Before the effective filing date of the claimed invention, it would have been
obvious to one of ordinary skill in the art, having the teachings of Karam, Zhang and Doan before him or her, to modify the system of claim 6 to include attributes of a loss function being one of a mean squared error loss function, a binary cross-entropy loss function, or a categorical cross-entry loss function in order to minimize the score (see section 7.2 ‘Attacks Targeting Trojan Removal’ subsection ‘Adaptive Trojan Training Attack’: “An attacker can augment the original objective (binary cross entropy loss) used for classification with a new objective to minimize the score of GradCAM for Trojaned inputs. Intuitively, this discourages the network from focusing on the trojaned area”.).
Regarding claim 14:
Claim 14 recites analogous limitations to claim 6 and is therefore rejected on the same grounds as claim 6.
Pertinent Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure:
US20230063489 — discloses malware detection with the use of neural networks
US20240054233A1 — discloses pruning data that is considered malicious with the use of neural networks and security platforms
US11562244B2 — discloses pruning data that is considered an adversarial attack with the use of neural networks
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Andrew A Bracero whose telephone number is (571)270-0592. The examiner can normally be reached Monday - Thursday 7:30a.m. - 5:00 p.m. ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, David Yi can be reached at (571) 270-7519 on Monday – Friday 9:00 a.m. – 5:00 p.m. E.T. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ANDREW BRACERO/Examiner, Art Unit 2126 /VAN C MANG/Primary Examiner, Art Unit 2126