Prosecution Insights
Last updated: July 17, 2026
Application No. 18/497,075

Method for Assessment of the Robustness and Resilience of Machine Learning Models to Model Extraction Attacks on AI-Based Systems

Final Rejection §101§102§103§112
Filed
Oct 30, 2023
Priority
Oct 31, 2022 — IL 297834
Examiner
CHOUAT, ABDERRAHMEN
Art Unit
2451
Tech Center
2400 — Computer Networks
Assignee
Deutsche Telekom AG
OA Round
2 (Final)
73%
Grant Probability
Favorable
3-4
OA Rounds
0m
Est. Remaining
78%
With Interview

Examiner Intelligence

Grants 73% — above average
73%
Career Allowance Rate
201 granted / 275 resolved
+15.1% vs TC avg
Moderate +5% lift
Without
With
+5.4%
Interview Lift
resolved cases with interview
Typical timeline
2y 9m
Avg Prosecution
7 currently pending
Career history
284
Total Applications
across all art units

Statute-Specific Performance

§101
3.6%
-36.4% vs TC avg
§103
87.9%
+47.9% vs TC avg
§102
4.7%
-35.3% vs TC avg
§112
3.0%
-37.0% vs TC avg
Black line = Tech Center average estimate • Based on career data from 275 resolved cases

Office Action

§101 §102 §103 §112
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim Interpretation Examiner notes MPEP section 2111.04: Claim scope is not limited by claim language that suggests or makes optional but does not require steps to be performed, or by claim language that does not limit a claim to a particular structure. However, examples of claim language, although not exhaustive, that may raise a question as to the limiting effect of the language in a claim are: (A) "adapted to" or "adapted for" clauses; (B) "wherein" clauses; and (C) "whereby" clauses. Response to Arguments Regarding applicant arguments directed at the rejection of claim 1 under 35 USC 101: Applicant argues that for at least the reason that it is directed at a “model extraction attack simulation system.” Examiner respectfully disagrees for the following reasons: 1 – The system is a normal generic system. 2 – No simulation as actually being performed. 3 – The model extraction attack is defined in the claims as training, evaluating, and calculating steps and are therefore part of the abstract idea. Examiner respectfully notes that the claims recite steps at a high level generality and lack specificity in implementing a technical solution. 1 – The claims don’t define what robustness is. 2 – The claims don’t show any simulation. 3 – The claims don’t define what evaluations are. 4 – The claims don’t define the system. 5 – The claims don’t define what the models are. 6 – The claims use very broad terminology such as “relative to” or “correspond to.” 7 - The claims don’t use the calculations for improvement of a system or networking operations, and are focused on claiming evaluation and calculation mental steps in as broad of a form as possible without any specificity and therefore the arguments are not persuasive. Regarding applicants arguments directed at the rejection of claim 1 under 35 USC 102: Applicant argues that Rigaki does not teach a simulated model extraction attack. Examiner respectfully disagrees. 1) Rigaki teaches training a set of surrogate models using different learning strategies, and analyze their performance according to metrics indicating agreement and accuracy. [Page 4-6 and 8] 2) Rigaki is directed at analyzing performance against model extraction attacks. [Page 4 Model Extraction] Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-4, 6-10, and 12-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to determining using mental/pen and paper evaluation and comparison without significantly more. The claims are directed to statutory categories, a set of method claims, and a singular system claim. The claims are directed to abstract idea under the judicial exception (mental or pen and paper process) and under the revised guidelines. Regarding claim 1, the claim recites: 1 – obtaining information by a system. Examiner notes transmitting/receiving information for display and displaying the information is insignificant extra-solution activity. Revised Guidance 55, n.31; see also MPEP § 2106.05(g). Data gathering and display elements are merely insignificant extra-solution activity that do not add significantly more to the abstract idea to render the claimed invention patent eligible. See In re Bilski, 545 F.3d 943, 962 (Fed. Cir. 2008) (en bane), aff'd on other grounds, 561 U.S. 593 (2010) ("[T]he involvement of the machine or transformation in the claimed process must not merely be insignificant extra-solution activity"); see also MPEP § 2106.05(g); and see buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355 (Fed. Cir. 2014) (computer receives and sends information over a network). 2- performing a simulated model extraction attack. Examiner notes this is part of the abstract idea because it is defined using steps constituting the abstract idea. Training models (see analysis below) evaluating performance of each substitute model; Examiner notes that evaluating using evaluations methods lack any specificity as claimed is an abstract idea, i.e., "an observation, evaluation, judgment, opinion" which could be performed as a mental process. See MPEP § 2106.04(a)(2)(III)(A). calculating, the robustness of each substitute model. Calculations of robustness can be agreement and accuracy, which are pre-established calculations and with a single model can be performed by pen and paper and therefore part of the abstract idea. The following limitations constitute extra solution activity: The claim recites steps for training models. Examiner notes training models includes inputting of data which is an extra solution activity and receiving an output. Transmitting and receiving information for processing is an insignificant extra-solution activity. Revised Guidance 55, n.31; see also MPEP § 2106.05(g). Data gathering and display elements are merely insignificant extra-solution activity that do not add significantly more to the abstract idea to render the claimed invention patent eligible. See In re Bilski, 545 F.3d 943, 962 (Fed. Cir. 2008) (en bane), aff'd on other grounds, 561 U.S. 593 (2010) ("[T]he involvement of the machine or transformation in the claimed process must not merely be insignificant extra-solution activity"); see also MPEP § 2106.05(g); and see buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355 (Fed. Cir. 2014) ( computer receives and sends information over a network). Regarding claims 2-3, the claims again recite a mental determination rule, the closer in performance the better a substitute, and is logical and mental determination and therefore part of the abstract idea. Regarding claim 4, the claim recites an if[Wingdings font/0xE0]then mental evaluation and is therefore part of the abstract idea. Regarding claims 6, 8, the claim recites mathematical input to be provided, again examiner notes that data gather and transmitting as input is considered to be routine and conventional/generic extra solution activity. Regarding claim 7 again recites a calculation and therefore part of the mental determination. Regarding claim 9 discusses data gathering (see analysis above). Regarding claim 10, the claim recites a weighted average calculation, which again the examiner notes was around prior to computers, and consensus is that it was invented in 1712, and therefore part of the abstract idea. Regarding claim 12, the claim provides a definition of robustness of the original model to correspond to another model. Examiner notes (1) this is a mental correlation or determination and therefore part of the abstract idea. This judicial exception is not integrated into a practical application because: 1) The claims are recited at a high level of abstractness and focuses of purely mental/pen and paper evaluations. 2) The claims lack specificity in a solution to a specific technical problem. Instead the claims attempt to swallow evaluation and calculation (mental determinations) for models. The claims are silent to how many of the steps are performed, furthermore the claims do not do anything with all of these determinations (mental steps) they merely attempt to swallow up the determinations with as broad extra solution activity as possible. For example the claims don’t define what robustness is, nor how its calculated. The claims recite evaluations at a high level. The claims do not use the mental evaluation of robustness. The claims are focused on claiming robustness calculation, without providing any form of Therefore the claims are deemed to not provide a specific technical solution and improvement to evaluation of models but are deemed to cover any means for evaluating performance of models and comparing them. In Data Engine Technologies LLC v. Google LLC (Fed. Cir 2018) The courts determined Claim 12 of the ‘259 patent to be patent eligible because it provided limitations directed at the specific technical solution and concluded that the invention therein was "directed to a specific method for navigating through three-dimensional electronic spreadsheets" rather than an abstract idea. The courts further determined that a broad version of the claim, Claim 1 of the ‘551 patent was patent ineligible and was struck down under 35 U.S.C. 101 as the court determined the claim "generically recites associating each of the cell matrices with a user-settable page identifier and does not recite the specific implementation of a notebook tab interface." And further stated "not limited to the specific technical solution and improvement in electronic spreadsheet functionality that rendered representative claim 12 of the '259 patent eligible . . . [i]nstead, claim 1 . . . covers any means for identifying electronic spreadsheet pages.". For the same reasoning and rationale the examiner is of the opinion that the claim is directed at an abstract idea. 3) In its analysis, the Federal Circuit enquired whether "the claims are directed to a specific improvement in the capabilities of computing devices, or, instead, 'a process that qualifies as an "abstract idea" for which computers are invoked merely as a tool."' Core Wireless Licensing S.A.R.L. v. LG Electronics, Inc., 880 F.3d 1356, 1361-62 (Fed. Cir. 2018) (quoting Enfish, LLC v. Microsoft Corp., 822 F.3d 1327, 1336 (Fed. Cir. 2016). The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because: The claims do not add a specific limitation beyond the judicial exception that is not "well-understood, routine, conventional" in the field; Furthermore, the claims simply appends well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception. Additional elements such as algorithms, datasets, training etc are recited at a high level of generality such that it amounts to no more than indicating a field of use or technological environment in which to apply the judicial exception. Claim 12-13 inherit the same rejection as claim 1 above for reciting similar limitations. Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims 1-4, 6-10, and 12-14 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Regarding claim 1, the claim recites “a model extraction attack simulation system”, examiner has reviewed the specification and is unable to find a system referred to as “model extraction attack simulation system.” Examiner respectfully requests the applicant use language consistent with the specification. A review of [0052-0066] do not recite simulation system, or performing a simulation. Examiner also notes sections [0052] and is directed at determining resilience and not at robustness. Robustness can be an “optional” parameter but the focus of that section is directed at resilience. Examiner respectfully asks that the applicant be consistent with the embodiment being described in the specification. Regarding claim 1, the claim recites “performing … a simulated model extraction attack”, examiner has reviewed the specification and is unable to find a recitation of performing a “simulated model extraction attack” Examiner respectfully requests the applicant use language consistent with the specification. Claims 2-4, 6-10, and 12-14 inherit the same rejection as claim 1 above for reciting similar limitations or depending from claims reciting similar limitations. The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 1-4, 6-10, and 12-14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Regarding claim 1, the claim recites the term “robustness” which is a relative term which renders the claim indefinite. The term robustness is not defined by the claim, and furthermore the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonable apprised of the scope of the invention. For example “The Toyota Landcruiser is a robust off-roader” understanding that it is not a robust submersible. Claims 2-4, 6-10, and 12-14 inherit the same rejection as claim 1 above for reciting similar limitations or depending from claims reciting similar limitations. Regarding claim 4, the claim recites “the determined robustness of the original ML model” examiner respectfully notes claim 1 does not “determine the robustness of the original ML mode.” Regarding claim 12, the claim inherits the same rejection as claim 4 for reciting similar limitations. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claim(s) 1-4, 6 and 9-10 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Rigaki et al. “Stealing Malware Classifiers and AVs at Low False Positive Conditions” hereinafter Rigaki. Regarding claim 1 Rigaki further teaches A method for performing an assessment of the robustness and resilience of an examined original machine learning (ML) model (Page 5; Section 5 ¶ 1; Ember2018, Sorel-FCNN. Sorel-LGB) against model extraction attacks, comprising: (Page 1 – Right Col, ¶ 3-5 showing research steps equivalent to a method; Page 6, Section 8, ¶1 The first goal of our experiments is to test the agreement of surrogates with their respective target models at low FPR levels.) obtaining, by a model extraction attack simulation system (Page 6-Right Col – Section 8.1; Experimental setup) having at least one processor (Mapping above: Examiner notes experimental setup running on computer inherently include a processor) access to the original ML model, (Rigaki teaches obtaining black-box query access to the target ML Models, where querying the model is equivalent to access to the original ML model; Page 3 – Right Col - ¶2; The adversary can query the models or the Avs during the inference phase; Page 4 – Left Col - ¶ 4; An essential part of the methodology is the query budget, which is a limit on the number of queries that are allowed on the target model, given the cost of the queries and potential security limitations.) an external dataset, (Page 4 – Left Col - ¶ 2-3, 5; The Active Learning approach schema is shown in Figure 2. It uses two datasets, the thief dataset that is used to query the target model and the test dataset that is used for attack evaluation; Page 5 – Left and Right Col – Section 6 Datasets: discusses both internal and external datasets, therefore there are portions of the received and not internally generated) a list of candidate learning algorithms, (Page 1 – Right Col - ¶ 3; The first part studies and compares four active learning sampling strategies to create surrogate models. The strategies used for the attack are random sampling, entropy, entropy+kmedoids, and Monte Carlo Dropout+entropy. Examiner points to Points to page 8 -table 2, which shows the active learning strategies applied to the surrogate models) PNG media_image1.png 200 400 media_image1.png Greyscale and an attacker query budget; (Rigaki explicitly defines and uses a query budget constraining the number of queries to the target model) Page 6 – Right Col - ¶ 2; The total query budget was set to 25,000 queries. The total number of query rounds was set to 10, allowing 1,750 new samples to be used per query round. The model was trained from scratch at each training round using all data in the labeled pool. The FCNN and dualFCNN models were trained for up to 100 epochs. The LGB model settings were 500 boosting rounds, 2, 048 leaves, and max_depth set to 15. The validation set was used for training model selection: the early stopping rounds for the LGB were set to 60, while the patience parameter for the neural networks was set to 30. All neural networks were trained using model checkpoints where the best model, based on validation accuracy, was saved and used for testing; Page 4 – Left Col - ¶ 4; An essential part of the methodology is the query budget, which is a limit on the number of queries that are allowed on the target model, given the cost of the queries and potential security limitations. We use and separate 20% of the query budget for the validation samples and 10% for the seed samples. The rest of the budget is split equally for all the rounds for the query samples.) and performing, by the model extraction attack simulation system (mapping above), a simulated model extraction attack (see mapping below also see Page 4; Section 4.1 model extraction attack methodology; and Page 3 Sections 3-4 on threat model extraction attacks and methodology) on the original ML model (target model) to determine the robustness (accuracy and agreement) of the original ML model (mapping above), (Mapping above about experimental setup + Page 4 – Left Col - ¶ 1; We extract the functionality of target models by creating surrogate models that closely resemble the performance of the target models. The goal of a surrogate model is not to have good detection performance but to have a performance that is close to the target model, using the agreement metric to evaluate the attack.) wherein performing the simulated model extraction attack comprises: training, multiple candidate substitute models (training the surrogate models) with the external dataset (mapping above) for each of the candidate learning algorithms (Each learning strategy) in the list of candidate learning algorithms, (see mapping above for active learning strategies) (Page 3 – Left Col ¶ 3-4 teachings the training of different surrogate models using datasets; Page 4 – Left Col - ¶ 2-3 Surrogate models are trained using an active learning approach using data sets; Figure 2 shows that the first step of the attack is to randomly select validation samples from the thief dataset, and to randomly select a seed (1), which are done only once. The validation samples are given to the target model to predict their labels and the samples with their labels are stored in the validation set (2). In the first round the seed data labels are retrieved from the target model and are added to the Labeled Pool of samples (3). Then the complete Labeled Pool is used to train the surrogate model (4), and during training, the validation set is used in each round to select the best-trained model (5). Then we test the model using the test dataset to obtain metrics (6). Then we take the remaining samples in the thief dataset (7), and ask the surrogate model to provide a confidence vector, which are sent to the sampling strategy (8). The sampling strategy chooses a subsample to send to the target model (9) to label. The target model labels the subsamples, which are added to the Labeled Pool again (3). The process is repeated for several rounds.; Page 6 – Right Col – Section 8.2; The unlabeled part of the Ember 2018 dataset was used as the thief dataset, and the Ember 2018 test set was used for evaluating the attack performance against the Ember2018 target model. The different metrics were measured at an FPR equal to 0.01. The threshold of the target model was set to 0.8336 to achieve this FPR level. Each experiment was run five times to randomize the initial seed and validation data selection. Each surrogate was trained with all the strategies, totaling 11 combinations, as shown in Table 2. To show their performance in Figure 4a we picked the best sampling strategy per surrogate in terms of agreement with the Ember2018 target in the test set at the 0.01 FPR. The Figure shows that our dualFCNN architecture outperforms both the LGB and FCNN architectures and reaches the highest agreement level with as few as 13,000 queries. The ROC curves depicted in Figure 5a show that the dualFCNN)(Examiner points to active learning strategies (equivalent to candidate learning algorithms) in the first column, they run all the active learning strategies this is equivalent to “each of the candidate learning algorithms”) where each candidate substitute model is trained on a subset of the external dataset (mapping above) corresponding to an ith query limit of the query budget; (limited by the query limit) (Mapping above + Page 4 – Left Col - ¶ 4; An essential part of the methodology is the query budget, which is a limit on the number of queries that are allowed on the target model, given the cost of the queries and potential security limitations. We use and separate 20% of the query budget for the validation samples and 10% for the seed samples. The rest of the budget is split equally for all the rounds for the query samples; Page 4 – Right Col – Fig 2: Figure 2: Schema of the Active Learning approach to create surrogate models 𝑓ˆ by querying target models 𝑓 with a subset selection of the thief dataset. All labeled samples are added to the Labeled pool that is used to train the surrogate. The main loop is 3,4,5,6,7,8,9; actions 1 and 2 (in red) are performed once. See also Page 4 – Left Col - ¶ 6 [Wingdings font/0xE0] Page 4 – Right Col - ¶ 2 discussing different subsets used in training; Page 5 – Section 6.1; Ember 2018 training data set; Section 6.2 Sorel20m Training Dataset;) evaluating, (calculating) performance (agreement and accuracy) of each candidate substitute model (surrogate models) according to different evaluation methods; (agreement and accuracy) (Page 1 – Right Col - ¶ 3; The surrogates are compared by their performance agreement with the target models and their accuracy, measured at fixed low FPR levels of 0.01 or lower. In order to achieve better surrogate performance, we propose a new neural network architecture (dualFCNN) for creating surrogate models, that outperforms the existing fully connected neural networks (FCNN) for malware detection that have been previously proposed in the literature. Page 1 – Left Col – Abstract; The surrogates were evaluated on their agreement with the targeted models. Good surrogates of the stand-alone classifiers were created with up to 99% agreement with the target models, using less than 4% of the original training dataset size. Good AV surrogates were also possible to train, but with a lower agreement; Page 1 – Right Col - ¶ 4; Results showed that the surrogate models can achieve an agreement of up to 99% and are within 1% of the accuracy of the target models, while for the antivirus surrogates, the agreement levels varied from 90-98%.) and calculating, (calculating) robustness (agreement and accuracy) of each candidate substitute model (surrogate model) with respect to similarity of performance relative to the original ML model, (Examiner respectfully notes that robustness is defined as the quality or state of being strong, interpreted alongside “with respect to similarity of performance” is interpreted to be the quality or state of being similar in performance; See 4.3 metrics below and table 2; highest agreement and accuracy by definition mean mimic the behavior of the original especially with the numbers of 99%+ for agreement and 99% for accuracy calculated for some of the surrogate models - Pg 8 Table 2 shoes the different surrogate models and the target model showing the highest level of agreement and accuracy along with a threshold.) PNG media_image2.png 200 400 media_image2.png Greyscale PNG media_image3.png 200 400 media_image3.png Greyscale Regarding claim 2, Rigaki teaches the method according to claim 1, and is disclosed above, wherein the robustness of the original ML model corresponds to a respective candidate substitute model having the closest performance to that of the original target model. (See mapping above claim 1 showing the definitions of robustness as defined in claim 1, and the table showing agreement and accuracy scores, and where the one with the highest agreement and accuracy is by definition the one having the closest performance to that of the original target model) Regarding claim 3, Rigaki teaches the method according to claim 1, and is disclosed above, Rigaki further teaches wherein the robustness (accuracy see Table mapped in claim 1) of the original ML model (target model accuracy score see table in claim 1) corresponds to a candidate substitute model having the smallest difference (the closest in accuracy and agreement score) with respect to tested evaluation metrics (accuracy and agreement). (See mapping above claim 1 showing the definitions of robustness as defined in claim 1, and the table showing agreement and accuracy scores, and where the one with the highest agreement and accuracy is by definition the one having the closest performance to that of the original target model) Regarding claim 4, Rigaki teaches the method according to claim 1, and is disclosed above, Rigaki further teaches wherein a query limit L is provided, and the determined robustness of the original ML model corresponds to the query limit-L (Mapping claim 1 definition of robustness, and mapping claims 2 and 3 as well. Examiner notes that Claims 1-3 all show Rigaki teaches a query limit, furthermore examiner respectfully points to 112 rejection above indicating that the robustness of the original ML model has not been returned. Examiner respectfully notes in Claim 1 that robustness (agreement + similarity) was determined based on similarity to the original model this similarity (agreement and accuracy), equivalent to robustness, is determined based on a query limit L and therefore corresponds to the query limit) Regarding claim 6, Rigaki teaches the method according to claim 4, and is disclosed above, wherein performing the simulated model extraction attack on the original ML model further comprises: querying the original ML model according to the query budget; (Pg 4 Left Col ¶3-4; querying by the attacker the target model (original model) in accordance to a query budget; An essential part of the methodology is the query budget, which is a limit on the number of queries that are allowed on the target model,) and receiving a prediction vector from the original ML model.(Page 2 – Section 2.1; Depending on the target model 𝑓 , the adversary may query this model 𝑓 with data 𝑋 from what is called a thief datasetD𝑡ℎ𝑖𝑒 𝑓 , and retrieve classification labels or confidence vectors 𝑌𝑡𝑎𝑟𝑔𝑒𝑡 from the target model; examiner respectfully notes that a confidence vector is also known as a probability vector which is in itself a prediction; See below where the target model is queried and returns predictions See also Page 4 Section 4) PNG media_image4.png 3418 4680 media_image4.png Greyscale Regarding claim 9, Rigaki teaches the method according to claim 1, and is disclosed above, Rigaki further teaches wherein the external dataset D is taken from the same distribution as the original test set. (Pg 8 Left Col ¶ 1; where the datasets have roughly identical distribution; Sometimes, an attacker may have data from a different distribution (meaning sometimes they do) than the one used to train the target or may not even know the training data distribution. In the previous sections, we used thief and test datasets not previously seen by the targets, but we can assume they were roughly from identical distributions.) Regarding claim 10, Rigaki teaches the method according to claim 1, and is disclosed above, Rigaki further teaches wherein an evaluation method is to calculate the performance gap and setting weights, (predicted vectors) to calculate a weighted average.(entropy sampling on the vector averages) (Pg 4 Left Col 4.1.2; (2) Entropy sampling selects the top 𝑛 samples with the highest Shannon entropy calculated over the predictions. First, we use MC dropout with 20 neural network forward passes to retrieve prediction vectors for the thief dataset. Then we perform entropy sampling on the vector averages. MC dropout has not been used before for model stealing attacks, and it is tested for the first time in this paper. Pg 9 Right Col ¶ 2; This is also apparent in nthe ROC curves in Figure 7. The best results in terms of agreement and surrogate model accuracy are against AV2, which was the AV with the smallest gap in performance between the thief and test datasets (Table 4).) Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claim(s) 13-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Rigaki et al. “Stealing Malware Classifiers and AVs at Low False Positive Conditions” hereinafter Rigaki in view of Sinn et al. (US 20220100867 A1). Regarding claim 13, the claim inherits the same rejection as claim 1 above for reciting similar limitations in the form of system claim. Rigaki does not explicitly teach comprising: at least one processor; and at least one memory having processor-executable instructions stored thereon; wherein the at least one processor is configured to execute the processor-executable instructions In an analogous art Sinn teaches at least one processor; and at least one memory having processor-executable instructions stored thereon; wherein the at least one processor is configured to execute the processor-executable instructions ([0006] An embodiment includes a computer system. The computer system includes a processor, a computer-readable memory, and a computer-readable storage device, and program instructions stored on the storage device for execution by the processor via the memory.) It would have been obvious to one of ordinary skill in the art prior to the effective filing of the application to modify the teachings of [Rigaki] to include [a system in evaluation machine learning models] as is taught by [Sinn]. The suggestion/motivation for doing so is to [improve automated evaluation of robustness of machine learning models [0001]]. Regarding claim 14, the claim inherits the same rejection as claim 1 above for reciting similar limitations in the form of a non-transitory computer-readable medium. Rigaki does not explicitly teach comprising: at least one processor; and at least one memory having processor-executable instructions stored thereon; wherein the at least one processor is configured to execute the processor-executable instructions In an analogous art Sinn teaches a non-transitory computer-readable medium having processor-executable instructions stored thereon ([0127] The functionality may be implemented as a method (e.g., a computer-implemented method) executed as instructions on a machine, where the instructions are included on at least one computer readable medium or one non-transitory machine-readable storage medium.) It would have been obvious to one of ordinary skill in the art prior to the effective filing of the application to modify the teachings of [Rigaki] to include [a non-transitory computer-readable medium having processor-executable instructions] as is taught by [Sinn]. The suggestion/motivation for doing so is to [improve automated evaluation of robustness of machine learning models [0001]]. Conclusion Claims 7-8, and 12 are not rejected under prior art rejections. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDERRAHMEN H CHOUAT whose telephone number is (571)431-0695. The examiner can normally be reached on Mon-Fri from 9AM to 5PM PST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christopher Parry, can be reached at telephone number 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from Patent Center. Status information for published applications may be obtained from Patent Center. Status information for unpublished applications is available through Patent Center to authorized users only. Should you have questions about access to the USPTO patent electronic filing system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). Examiner interviews are available via a variety of formats. See MPEP § 713.01. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/InterviewPractice. Abderrahmen Chouat Examiner Art Unit 2451 /Chris Parry/Supervisory Patent Examiner, Art Unit 2451
Read full office action

Prosecution Timeline

Oct 30, 2023
Application Filed
Oct 01, 2025
Non-Final Rejection mailed — §101, §102, §103
Feb 25, 2026
Response Filed
Jun 02, 2026
Final Rejection mailed — §101, §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12652173
SYSTEM AND METHOD FOR GENERATING BLOCKCHAIN TOKEN SUPPORT FROM A SET OF DECLARATIONS
1y 8m to grant Granted Jun 09, 2026
Patent 12632521
SECURED INTELLIGENT IDENTITY VERIFICATION THROUGH BLOCKCHAIN
2y 4m to grant Granted May 19, 2026
Patent 12634156
COMPUTER TECHNOLOGY TO ENSURE AN ELECTRONIC DESIGN AUTOMATION (EDA) IMPLEMENTATION FOR ELECTRONIC CIRCUITRY IS TRACEABLE, AUDITABLE, AND REPRODUCIBLE
1y 5m to grant Granted May 19, 2026
Patent 12625951
System and Method for Preventing Attacks on a Machine Learning Model Based on an Internal Sate of the Model
2y 2m to grant Granted May 12, 2026
Patent 12619804
ARTIFICIAL AGING OF DIGITAL TWIN TO PREDICT USAGE OVER TIME OF INFRASTRUCTURE
3y 1m to grant Granted May 05, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
73%
Grant Probability
78%
With Interview (+5.4%)
2y 9m (~0m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 275 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month