DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1. Claims 1 – 20 are currently pending in this application.
Claims 1, 3-5, 11, 13-15, and 20 are amended as filed on 10/23/2025.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
More specifically, claims 1, 11, and 20 contain the limitation “notifying, by at least one of the first client and the clients in the subset of clients, the server that the particular client may be subject to a client isolation attack based on the comparison”. It is unclear how the first client would come to the determination that the different particular client may be under attack. Do the clients transmit their scores and the server makes a determination based on said scores? Do the clients transmit a message stating that the system is at risk?. For examination purposes, the limitation will be treated as if the scores are being transmitted. However, appropriate correction is required. Claims 2-10 and 12-19 are rejected, at least, based on their respective dependencies on claims 1 and 11.
Claims 5-6 and 15-16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. More specifically, the claims contain the limitation that “the first client notifies the server of the federated learning system that the particular client may be subject to the client isolation attack”. It is unclear how the first client would come to the determination that the different particular client may be under attack. Do the clients transmit their scores and the server makes a determination based on said scores? Do the clients transmit a message stating that the system is at risk?. For examination purposes, the limitation will be treated as if the scores are being transmitted. However, appropriate correction is required. Claims 6 and 16 are rejected, at least, based on their respective dependencies on claims 5 and 15.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-3, 7-8, 11-13, 17-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Takasaki et al. (Patent No. US 12,288,145, B2), hereinafter Takasaki, in view of Zhou et al. (Pre-Grant Publication No. US 2024/0012942 A1), hereinafter Zhou.
2. With respect to claims 1 and 11, Takasaki taught a method comprising: requesting, by a first client, overfitting scores from each client in a subset of clients in a federated learning system (1:46-58, where the federated learning system can be seen in 4:14-20); receiving the overfitting scores from the clients in the subset of clients at the first client and building a distribution for each of the overfitting scores received from the subset of clients (13:13-32, where the distribution can be seen in figures 5a & 5b); determining, by the first client or one of the clients in the subset of clients, that the overfitting scores of a particular client are of interest based on a comparison of overfitting scores by the first client or one of the clients in the subset of clients (13:13-32. Further, the client submitting the scores can be seen in 5:30-31, where the local device is a client in accordance with 11:56-62 & figure 8).
However, Takasaki did not explicitly state that the determined particular client was considered suspicious and initiating a security protocol and notifying, by at least one of the first client and the clients in the subset of clients, the server that the particular client may be subject to a client isolation attack based on the comparison. On the other hand, Zhou did teach that the determined particular client was considered suspicious and initiating a security protocol (0006, where the excluded party was the suspicious party) and notifying, by at least one of the first client and the clients in the subset of clients, the server that the particular client may be subject to a client isolation attack based on the comparison (0006, where the this teaches transmitting the score for comparison and the client submitting a score is shown by Takasaki: 5:30-31, where the local device is a client in accordance with 11:56-62 & figure 8, and wherein the leader transmits the scores in accordance with 13:13-32). Both of the systems of Takasaki and Zhou are directed towards federated learning and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention to modify the teachings of Takasaki, to perform identifying suspicious parties, as taught by Zhou, in order to better maintain the integrity of the model.
3. As for claims 2 and 12, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Zhou taught wherein the overfitting scores are based on learning curve plots, wherein the overfitting scores of the particular client are determined as suspicious when accuracy with regard to a training dataset increases while accuracy with regard to a validation dataset decreases (0034-0035).
4. As for claims 3 and 13, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Takasaki taught determining that the overfitting scores of the particular client are suspicious when the overfitting scores of the particular client have a sufficiently dissimilar distribution to the distribution of the overfitting scores from the other clients (figs 5a & 5b. See also Zhou: 0034-0035).
5. As for claims 7 and 17, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Zhou taught wherein the particular client is the first client, further comprising initiating the security protocol at the first client (0006).
6. As for claims 8 and 18, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Zhou taught performing training rounds iteratively (0030).
7. With respect to claim 20, Takasaki taught a method comprising: requesting, by a first client, overfitting scores from each client in a subset of clients in a federated learning system (4:14-20), receiving the overfitting scores from the clients in the subset of clients at the first client (4:14-20); determining that the overfitting scores of a particular client are of interest based on a comparison of overfitting scores of the first client and the overfitting scores received from the subset of clients (4:14-20).
However, Takasaki did not explicitly state that the determined particular client was considered suspicious and initiating a security protocol, wherein the overfitting scores relate to changes in a loss related to a training dataset changes in a loss related to a validation dataset, wherein the overfitting scores of the particular client are of interest when the loss related to the training dataset is improving while the loss related to the training dataset is worsening, and informing a server of the federated learning system, by at least one of the first client and the clients in the subset of clients, the particular client may be subject to a client isolation attack. On the other hand, Zhou did teach that the determined particular client was considered suspicious and initiating a security protocol (0006, where the excluded party was the suspicious party), wherein the overfitting scores relate to changes in a loss related to a training dataset changes in a loss related to a validation dataset (0034-0035), wherein the overfitting scores of the particular client are of interest when the loss related to the training dataset is improving while the loss related to the training dataset is worsening (0034-0035), and informing a server of the federated learning system, by at least one of the first client and the clients in the subset of clients, the particular client may be subject to a client isolation attack (0006, where the this teaches transmitting the score for comparison and the client submitting a score is shown by Takasaki: 5:30-31, where the local device is a client in accordance with 11:56-62 & figure 8, and wherein the leader transmits the scores in accordance with 13:13-32). . Both of the systems of Takasaki and Zhou are directed towards federated learning and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention to modify the teachings of Takasaki, to perform identifying suspicious parties, as taught by Zhou, in order to better maintain the integrity of the model.
Claim(s) 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Takasaki, in view of Zhou, and in further view of Djuhera et al. (Pre-Grant Publication No. US 2025/0192913 A1), hereinafter Djuhera.
8. As for claims 4 and 14, they are rejected on the same basis as claims 1 and 11 (respectively). However, Takasaki did not explicitly state comparing the overfitting scores of the first client and of the other clients using a two sample KS test. On the other hand, Djuhera did teach comparing the overfitting scores of the first client and the other clients using a two sample KS test (0061). Both of the systems of Takasaki and Djuhera are directed towards federated learning and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention to modify the teachings of Takasaki, to perform specific tests, as taught by Djuhera, in order to better maintain the integrity of the model.
Claim(s) 5-6, 9, 15-16, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Takasaki, in view of Zhou, and in further view of Zaccak et al. (Pre-Grant Publication No. US 2021/0360010 A1), hereinafter Zac.
9. As for claims 5 and 15, they are rejected on the same basis as claims 1 and 11 (respectively). However, Takasaki did not explicitly state wherein the particular client is not the first client and wherein the first client notifies the server of the federated learning system that the particular client may be subject to the client isolation attack. On the other hand, Zac did teach wherein the particular client is not the first client and wherein the first client notifies the server of the federated learning system that the particular client may be subject to the client isolation attack (0070, where model inversion attacks perform the data corruption features of a client isolation attack and are thus, equivalent. Accordingly, the model receives the training data sets from the different clients of figure 1a). Both of the systems of Takasaki and Zac are directed towards federated learning and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention to modify the teachings of Takasaki, to identify specific attack types, as taught by Zac, in order to better maintain the integrity of the model.
10. As for claims 6 and 16, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Zhou taught wherein the security protocol includes removing the particular client from the federated learning system (0006).
11. As for claims 9 and 19, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Zhou taught wherein at least some of the clients in each of the training rounds perform the joint overfitting protocol to determine whether any of the clients are suspicious (0034-0035, where paragraph 0021, of the applicant’s specification indicates that joint overfitting is utilizing the data from the plurality of client to make a determination).
However, Zhou did not explicitly state that they were suspicious due to being subject to a client isolation attack. On the other hand, Zac did teach that they were suspicious due to being subject to a client isolation attack (0070, where model inversion attacks perform the data corruption features of a client isolation attack and are thus, equivalent. Accordingly, the model receives the training data sets from the different clients of figure 1a). Both of the systems of Takasaki and Zac are directed towards federated learning and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention to modify the teachings of Takasaki, to identify specific attack types, as taught by Zac, in order to better maintain the integrity of the model.
Claim(s) 10 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Takasaki, in view of Zhou, and in further view of Rose (Patent No. US 10,873,578 B1).
12. As for claim 10, it is rejected on the same basis as claims 1. However, Takasaki did not explicitly state taught wherein the overfitting scores are shared using cryptography such that each sending client encrypts the corresponding overfitting scores using a private key, wherein receiving clients decrypt the overfitting scores using corresponding public keys. On the other hand, Rose did teach wherein the overfitting scores are shared using cryptography such that each sending client encrypts the corresponding overfitting scores using a private key, wherein receiving clients decrypt the overfitting scores using corresponding public keys (3:19-25). Both of the systems of Takasaki and Rose are directed towards federated learning and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention to modify the teachings of Takasaki, to utilize private/public keys for encrypting/decrypting, as taught by Rose, in order to better maintain the integrity of the model.
13. As for claim 18, it is rejected on the same basis as claim 11. In addition, Zhou taught performing training rounds iteratively (0030). However, Takasaki did not explicitly state taught wherein the overfitting scores are shared using cryptography such that each sending client encrypts the corresponding overfitting scores using a private key, wherein receiving clients decrypt the overfitting scores using corresponding public keys. On the other hand, Rose did teach wherein the overfitting scores are shared using cryptography such that each sending client encrypts the corresponding overfitting scores using a private key, wherein receiving clients decrypt the overfitting scores using corresponding public keys (3:19-25). Both of the systems of Takasaki and Rose are directed towards federated learning and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention to modify the teachings of Takasaki, to utilize private/public keys for encrypting/decrypting, as taught by Rose, in order to better maintain the integrity of the model.
Response to Arguments
Applicant's arguments filed 10/23/2025 have been fully considered but they are not persuasive.
14. The applicant argues on page 8 that the “determination of whether an overfitting score is suspicious is performed by each of the clients. Thus, any of the clients can notify the server. Paragraph 32 of the specification states that multiple clients may perform a joint verification protocol and any of the clients may be able to determine which of the other clients may be under attack. Further, as noted in Figure 3 at element 334 (the method 300 may be performed individually by multiple clients), the server is informed by a client that a particular client may be under attack.”
While the applicants arguments may present support to indicate a means for informing the applicant, it still stands that said means is unclear. In particular, paragraph 0032 states that “each node or client may initiate the joint verification protocol. In another example, each node or client that suspects a client isolation attack may initiate the protocol.” Furthermore, figure 3 indicates that a client (item 334) can “Inform Server and Perform Security Protocol”. Neither of the cited sections (from the specification) explicitly state informing the federated learning system that the particular client maybe subject to the client isolation attack. It is understood (from figure 3 & paragraph 0053) that a client may transmit a score to the security server which is believed, by the examiner, to be the applicant’s intention behind the informing limitation. However, what (specifically) is being conducted should be explicitly stated in order to overcome the rejection and make said limitations clear and unambiguous. For example: limitations could indicate that the informing comprises transmitting the computed scores to the server.
15. The applicant argues on page 9 that “claim 1 is amended to clarify that the client receives the overfitting scores and the clients are the ones that identify the suspicious client - not the server or aggregator. Even if the server initiates the security protocol, the server is first informed by one of the clients.” However, Takasaki does teach that the client us submitting the scores to the server and can be seen in 5:30-31, where the local device is a client in accordance with 11:56-62 & figure 8, and wherein the leader transmits the scores in accordance with 13:13-32.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSEPH L GREENE whose telephone number is (571)270-3730. The examiner can normally be reached Monday - Thursday, 10:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R. Taylor can be reached at 571 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JOSEPH L GREENE/Primary Examiner, Art Unit 2443