DETAILED ACTION
Claims 1-9 are presented for examination.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Allowable Subject Matter
Claim 3 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Information Disclosure Statement
The Information Disclosure Statement(s) submitted by applicant on 08/14/2023 and 06/07/2023 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 4-9 are rejected under 35 U.S.C. 103 as being unpatentable over Dezfooli et al. ("Universal Adversarial Perturbations", 2017, IEEE Conference on Computer Vision and Pattern Recognition, vol 2. 2017, pages 1-9, 2017) (hereinafter Dezfooli) in view of “CN 113033822 A” (hereinafter 822’).
As per claim 1, Dezfooli discloses a computer-implemented method for determining an adversarial perturbation for input signals of a machine learning system, the method comprising the following steps (Abstract, discloses: “We propose a systematic algorithm for computing universal perturbations, and show that state-of-the-art deep neural networks are highly vulnerable to such perturbations, albeit being quasi-imperceptible to the human eye.”):
iteratively determining a best perturbation, wherein the best perturbation is provided as adversarial perturbation after a predefined amount of iterations, wherein at least one iteration includes the following steps (Bottom of Page 1769, discloses: “We now examine the effect of fine-tuning the networks with perturbed images. We use the VGG-F architecture, and fine-tune the network based on a modified training set where universal perturbations are added to a fraction of (clean) training samples: for each training point, a universal perturbation is added with probability 0.5, and the original sample is preserved with probability 0.5. To account for the diversity of universal perturbations, we pre-compute a pool of 10 different universal perturbations and add perturbations to the training samples randomly from this pool. The network is fine-tuned by training 5 extra epochs on the modified training set. To assess the effect of fine-tuning on the robustness of the network, we compute a new universal perturbation for the fine-tuned network (with p = ∞ and ξ = 10), and report the fooling rate of the network. After 5 extra epochs, the fooling rate on the validation set is 76.2%, which shows an improvement with respect to the original network (93.7%, see Table 1). Despite this improvement, the fine-tuned network remains largely vulnerable to small universal perturbations. We therefore repeated the above procedure (i.e., computation of a pool of 10 universal perturbations for the fine-tuned network, fine-tuning of the new network based on the modified training set for 5 epochs), and we obtained a new fooling ratio of 80.0%. In general, the repetition of this procedure for a fixed number of times did not yield any improvement over the 76.2% ratio obtained after one step of fine-tuning.
Hence, while fine-tuning the network leads to a mild improvement in the robustness, this simple solution does not fully immune against universal perturbations.” Here, Dezfooli discloses repeating, at least once (“We therefore repeated the above procedure”), the determining the universal adversarial perturbation (“computation of a pool of 10 universal perturbations for the fine-tuned network”), the perturbing the specified subset of the first training input values (“modified training set”), and the training the machine learning system in the second training (“fine-tuning”)):
sampling a perturbation (Dezfooli, Bottom of Page 1769, discloses: “We use the VGG-F architecture, and fine-tune the network based on a modified training set where universal perturbations are added to a fraction of (clean) training samples: for each training point, a universal perturbation is added with probability 0.5, and the original sample is preserved with probability 0.5.”. As shown above, the fraction of the training sample that is perturbed is the specified plurality of the first training input values, and thus by perturbing this fraction, Dezfooli discloses perturbing each of the specified plurality of the first training input values with the universal adversarial perturbation.);
applying the sampled perturbation to an input signal to determine a potential adversarial example (Page 1769: “We use the VGG-F architecture, and fine-tune the network based on a modified training set where universal perturbations are added to a fraction of (clean) training samples: for each training point, a universal perturbation is added with probability 0.5, and the original sample is preserved with probability 0.5.”. Here, Dezfooli recites a “fraction of (clean) training samples”, and Dezfooli has already established the “samples” as “Let $X = \{x_1, \ldots, x_m\}$ be a set of images sampled from the distribution μ. Our proposed algorithm seeks a universal perturbation v, such that $\|v\|_p \leq \xi$, while fooling most images in X. The algorithm proceeds iteratively over the data in X and gradually builds the universal perturbation”. Dezfooli gives no indication that the “fraction of (clean) training samples” are not drawn from the sample X used to calculate the universal adversarial perturbation, as they have not redefined “training samples”.).
Dezfooli does not explicitly disclose determining an output signal from the machine learning system for the potential adversarial example; determining a loss value characterizing a deviation of the output signal to a desired output signal, wherein the desired output signal corresponds to the input signal;
based on the loss value being larger than a previous loss value, setting the best perturbation to the sampled perturbation.
However, 822’ discloses determining an output signal from the machine learning system for the potential adversarial example (abstract, learning model until the loss function converges, and the trained machine learning model is loss obtained. model; if the loss function converges, the result is output directly. The invention generates loss confrontation samples through confrontation attacks, which can achieve a higher attack success rate under the same disturbance constraints, and can be used to evaluate the performance of the machine learning model and the effectiveness of the confrontation defense method; the generated confrontation samples are implemented on the machine learning model. Adversarial training can effectively resist various adversarial attacks and improve the robustness of the model);
determining a loss value characterizing a deviation of the output signal (abstract, learning model until the loss function converges, and the trained machine learning model is loss obtained. model; if the loss function converges, the result is output directly. ) to a desired output signal, wherein the desired output signal corresponds to the input signal (page 10, The gradient-based counter attack algorithm has lower calculation cost and better performance and is one of the most popular counter attack methods at present. The gradient-based counter attack determines the added perturbation by computing the gradient of a loss function to the input samples, where the loss function is typically loss determined by a deep neural network model for the predicted and true labels of the input samples. The objective of the counterattack is to add the perturbation to the original sample, so that the predicted label of the counter sample obtained after adding the perturbation is not equal to the true label, and the core of the counterattack is to maximize the value of the loss function between the predicted label and the true label of the model for the input sample. The counterattack can mislead the normally loss trained machine learning model and attack various defense models. On the other hand, the defects of the machine learning model can be found for the counter attack research, and the counterattack training of the counterattack samples generated by the counterattack method on the deep neural network model can be used as a defense method, so that the robustness of the model can be effectively improved, and various counterattacks can be resisted.
Although the existing gradient-based counterattack method achieves a good effect, a certain error may exist in the generated counterattack sample with the optimal distance from the counterattack sample. This is mainly due to two reasons, the first is that the loss value of the generated challenge sample does not necessarily change loss strictly along the gradient direction after adding the perturbation due to the complexity and nonlinearity of the deep neural network; the second reason is that the step size of each iteration determines the amplitude of the added disturbance, but in practice, neither a fixed step size nor an adaptive step size can guarantee the optimal disturbance amplitude, so that the generated countermeasure samples have the largest loss value. Therefore, the existing technology cannot accurately evaluate the loss robustness of the machine learning model and the effectiveness of the defense countermeasure method.);
based on the loss value being larger than a previous loss value, setting the best perturbation to the sampled perturbation (page 10, The gradient-based counter attack algorithm has lower calculation cost and better performance and is one of the most popular counter attack methods at present. The gradient-based counter attack determines the added perturbation by computing the gradient of a loss function to the input samples, where the loss function is typically loss determined by a deep neural network model for the predicted and true labels of the input samples. The objective of the counterattack is to add the perturbation to the original sample, so that the predicted label of the counter sample obtained after adding the perturbation is not equal to the true label, and the core of the counterattack is to maximize the value of the loss function between the predicted label and the true label of the model for the input sample. The counterattack can mislead the normally loss trained machine learning model and attack various defense models. On the other hand, the defects of the machine learning model can be found for the counter attack research, and the counterattack training of the counterattack samples generated by the counterattack method on the deep neural network model can be used as a defense method, so that the robustness of the model can be effectively improved, and various counterattacks can be resisted.
Although the existing gradient-based counterattack method achieves a good effect, a certain error may exist in the generated counterattack sample with the optimal distance from the counterattack sample. This is mainly due to two reasons, the first is that the loss value of the generated challenge sample does not necessarily change loss strictly along the gradient direction after adding the perturbation due to the complexity and nonlinearity of the deep neural network; the second reason is that the step size of each iteration determines the amplitude of the added disturbance, but in practice, neither a fixed step size nor an adaptive step size can guarantee the optimal disturbance amplitude, so that the generated countermeasure samples have the largest loss value. Therefore, the existing technology cannot accurately evaluate the loss robustness of the machine learning model and the effectiveness of the defense countermeasure method.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Dezfooli and 822’. The motivation would have been to build the network that provides endpoint security solutions (both hardware and software based). The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims.
As per claim 2, claim is rejected for the same reasons and motivations as claim 1, above. In addition, 822’ discloses wherein the input signals are sensor signals or features of sensor signals (page 17, Substituting the input signal as a machine learning model f, and calculating the gradient corresponding to the loss function J between the prediction label and the real loss label y).
As per claim 4, claim is rejected for the same reasons and motivations as claim 1, above. In addition, 822’ discloses wherein at least one element of the input signal characterizes an integer and the sampled perturbation includes a corresponding element characterizing an integer (page 19, S37, randomly generating a matrix P consisting of numbers between 0 and 1 with the same dimension as the original sample).
As per claim 5, claim is rejected for the same reasons and motivations as claim 1, above. In addition, 822’ discloses wherein the adversarial perturbation is sampled by sampling a random perturbation for each input signal of a dataset and combining the sampled random perturbations (page 19, S37, randomly generating a matrix P consisting of numbers between 0 and 1 with the same dimension as the original sample. Respectively adopting a fixed step length a and a random step length b as amplitude on-confrontation samples of the added disturbance).
As per claim 6, claim is rejected for the same reasons and motivations as claim 1, above. In addition, 822’ discloses wherein the output signal characterizes a classification and/or regression result and/or a density value and/or a probability value, based on the input signal (page 19, S37, randomly generating a matrix P consisting of numbers between 0 and 1 with the same dimension as the original sample. Respectively adopting a fixed step length a and a random step length b as amplitude on-confrontation samples of the added disturbance).
As per claim 7, claim is rejected for the same reasons and motivations as claim 1, above. In addition, 822’ discloses training the machine learning system including:
applying the adversarial perturbation to the training input signal to determining an adversarial example and training the machine learning system to predict a desired output signal corresponding to the training input signal for the adversarial example (page 10, The gradient-based counter attack algorithm has lower calculation cost and better performance and is one of the most popular counter attack methods at present. The gradient-based counter attack determines the added perturbation by computing the gradient of a loss function to the input samples, where the loss function is typically loss determined by a deep neural network model for the predicted and true labels of the input samples. The objective of the counterattack is to add the perturbation to the original sample, so that the predicted label of the counter sample obtained after adding the perturbation is not equal to the true label, and the core of the counterattack is to maximize the value of the loss function between the predicted label and the true label of the model for the input sample. The counterattack can mislead the normally loss trained machine learning model and attack various defense models. On the other hand, the defects of the machine learning model can be found for the counter attack research, and the counterattack training of the counterattack samples generated by the counterattack method on the deep neural network model can be used as a defense method, so that the robustness of the model can be effectively improved, and various counterattacks can be resisted.).
As per claim 8, claim is rejected for the same reasons and motivations as claim 7, above.
As per claim 9, claim is rejected for the same reasons and motivations as claim 1, above.
Conclusion
Please see the attached PTO-892 for the prior art made of record and not relied upon that is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD A SIDDIQI whose telephone number is (571)272-3976. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOHAMMAD A SIDDIQI/ Primary Examiner, Art Unit 2493