DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
Acknowledgment is made of priority based on Patent Application EP 21212249.3, filed on December 3, 2021.
Information Disclosure Statement
Acknowledgment is made of the information disclosure statements filed on May 29, 2024. The U.S. patents and foreign patent documents cited therein have been considered.
Drawings
The drawings submitted on May 29, 2024, have been considered and are accepted.
Claim Objections
Claims 1 and 8-9 are objected to because of the following informalities:
In claims 1, 8, and 9 (line 11, line 13, and line 4, respectively), a comma is missing before "and."
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(B) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1-13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites the terms “specifying and reading” in “specifying and reading in an item of masking information …” It is unclear what is being specified and read.
Claims 1-4 and 6-7 recite the term “tolerable” in “tolerable in terms of controlling the machine,” which is a relative term that renders the claims indefinite. The term “tolerable” is not defined by the claims, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.
Claim 1 recites the limitation “the thus-modified” in line 12; there is insufficient antecedent basis for this limitation in the claim.
Claim 8 recites “storing the test input signal is fed into the first machine learning ...” The language of this limitation is unclear because it is incomplete, omitting essential cooperative relationships of the recited elements.
Claims 2-7 and 10-13 are rejected under 35 U.S.C. 112(b) as they depend from rejected claim 1.
Claim 9 is rejected under 35 U.S.C. 112(b) as it depends from rejected claim 8.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-13 are rejected under 35 U.S.C. 103 as being unpatentable over Rouhani et al. (Pub. No. US 2021/0019605), hereinafter Rouhani, in view of Kumar et al. (Pub. No. US 2023/0325497), hereinafter Kumar.
Claim 1. Rouhani discloses a computer-implemented method for recognizing theft of a trained machine learning module (See Parag. [0043]; track the machine learning model in the event a misuse of the machine learning model is detected), wherein
a) providing a first machine learning module, which is trained to output on the basis of an input signal an output signal for controlling a machine (See Parag. [0044]; a machine learning model 100 may be trained to perform a classification task in which the machine learning model 100 processes an input sample and outputs a probability vector that includes a probability of the input sample being a member of each of a plurality of classes),
b) specifying and reading in an item of masking information by which a part of the output signal that is tolerable in terms of controlling the machine (See Parag. [0083]; at 502, the detection engine 330 may identify, based at least on an activation map associated with a hidden layer of a first machine learning model, a plurality of input samples that causes the activation functions applied by a plurality of neurons forming the hidden layer to output values occupying one or more low probabilistic regions of the activation map. For instance, the activation map associated with a hidden layer of the machine learning model 100 may enumerate the different output values of the activation functions applied by the neurons forming that layer of the machine learning model 100),
c) expanding the first machine learning module by adding an additional output layer (See Parag. [0083]; at 502, the detection engine 330 may identify, based at least on an activation map associated with a hidden layer of a first machine learning model, a plurality of input samples that causes the activation functions applied by a plurality of neurons forming the hidden layer to output values occupying one or more low probabilistic regions of the activation map. For instance, the activation map associated with a hidden layer of the machine learning model 100 may enumerate the different output values of the activation functions applied by the neurons forming that layer of the machine learning model 100),
- into which the output signal is fed (See Parag. [0083]; at 502, the detection engine 330 may identify, based at least on an activation map associated with a hidden layer of a first machine learning model, a plurality of input samples that causes the activation functions applied by a plurality of neurons forming the hidden layer to output values occupying one or more low probabilistic regions of the activation map),
- which on the basis of the masking information inserts a digital watermark into the tolerable part of the output signal (See Parag. [0084]; at 504, the detection engine 330 may embed, in the hidden layer of the first machine learning model, a first digital watermark corresponding to the plurality of input samples by at least training, based on training data that includes the plurality of input samples, the first machine learning model. For example, a digital watermark may be embedded in the machine learning model 100 by at least training the machine learning model 100 based on training data that includes one or more input samples configured to alter the low probabilistic regions of the activation map) and
- which outputs the thus-modified output signal (See Parag. [0084]; at 504, the detection engine 330 may embed, in the hidden layer of the first machine learning model, a first digital watermark corresponding to the plurality of input samples by at least training, based on training data that includes the plurality of input samples, the first machine learning model. For example, a digital watermark may be embedded in the machine learning model 100 by at least training the machine learning model 100 based on training data that includes one or more input samples configured to alter the low probabilistic regions of the activation map. The one or more input samples altering the low probabilistic regions of the activation map of the machine learning model 100 may correspond to watermarking keys for subsequently extracting the digital watermark),
d) transferring the expanded first machine learning module to a user (See Parag. [0094]; at 602, the detection engine 330 may embed a first digital watermark in a first copy of the machine learning model 100 distributed to the first client 352a and a second digital watermark in a second copy of the machine learning model 100 distributed to the second client 352b. For example, the detection engine 330 may embed the first digital watermark in a hidden layer or an output layer of the first copy of the machine learning model 100. The detection engine 330 may further embed the second digital watermark in a hidden layer or an output layer of the second copy of the machine learning model 100),
e) receiving a second machine learning module (See Parag. [0085]; at 506, the detection engine 330 may extract, from a second machine learning model, a second digital watermark by at least processing, with the second machine learning model, the plurality of input samples corresponding to the first digital watermark. See also Parag. [0090]),
f) checking on the basis of the masking information whether the tolerable part of an output signal of the second machine learning module contains the digital watermark (See Parag. [0086]; at 508, the detection engine 330 may determine that the second machine learning model is a duplicate of the first machine learning model based at least on a comparison of the first digital watermark embedded in the first machine learning model and the second digital watermark extracted from the second machine learning model. For example, the third party machine learning model 320 may be tested for misuse by at least extracting, from the hidden layers of the third party machine learning model 320, the digital watermark embedded in the hidden layers of the machine learning model 100. See also Parag. [0091-0092]).
Rouhani does not explicitly disclose g) outputting, dependent on the result of the check, an alarm signal.
However, Kumar discloses g) outputting, dependent on the result of the check, an alarm signal (See Parag. [0137]; when the correlation determination 510 results in a match of the first watermark and the second watermark, an alert notification 520 can be generated. In some embodiments, the match includes a match of a value of each of the first watermark and the second watermark that is within a range of the threshold. The alert notification can be provided to an operator console. See also Parag. [0120]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Rouhani to include outputting, dependent on the result of the check, an alarm signal, as taught by Kumar. Doing so would help protect an AI model from tampering (Kumar, Parag. [0004]).
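For illustration only, the following is a minimal Python sketch of the mapped steps f) and g): reading watermark bits out of the masked, tolerable part of a suspect module's output, comparing them against the embedded mark by bit error rate (cf. Rouhani, Parag. [0086]), and raising an alarm on a match (cf. Kumar, Parag. [0137]). All names, the bit-extraction rule, and the threshold are hypothetical assumptions, not either reference's implementation.

```python
import numpy as np

WATERMARK_BITS = np.array([1, 0, 1, 1, 0, 0, 1, 0])  # bits embedded at distribution time
MASK = np.arange(8)        # indices of output components deemed tolerable to perturb
BER_THRESHOLD = 0.2        # maximum bit error rate still counted as a match

def extract_bits(outputs: np.ndarray, mask: np.ndarray) -> np.ndarray:
    """Read one watermark bit from the sign of each masked output component."""
    return (outputs[mask] > 0).astype(int)

def check_for_theft(suspect_outputs: np.ndarray) -> bool:
    """Step f): compare extracted bits against the embedded mark via bit error rate."""
    extracted = extract_bits(suspect_outputs, MASK)
    ber = float(np.mean(extracted != WATERMARK_BITS))
    return ber <= BER_THRESHOLD  # low BER -> likely a duplicate module

# Step g): output an alarm signal dependent on the result of the check.
if check_for_theft(np.random.randn(16)):
    print("ALARM: watermark detected in suspect module outputs")
```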
Claim 2. Rouhani in view of Kumar discloses the method as claimed in claim 1,
Rouhani further discloses wherein output signals output by the additional output layer are counted by a counter (See Parag. [0086]; the detection engine 330 may compute a bit error rate (BER) between the digital watermark embedded in the machine learning model 100 and the digital watermark extracted from the third party machine learning model 320. The digital watermark embedded in the machine learning model 100 may not be present in the third party machine learning model 320 if the bit error rate (BER) between the digital watermark embedded in the machine learning model 100 and the digital watermark extracted from the third party machine learning model 320 exceeds a threshold value. By contrast, if the bit rate error does not exceed the threshold value, then the third party machine learning model 320 may be a duplicate of the machine learning model 100 and/or trained using the same proprietary training data as the machine learning model 100), and
- in that the digital watermark is inserted into the tolerable part of a respective output signal dependent on a counter reading of the counter (See Parag. [0086]; the detection engine 330 may compute a bit error rate (BER) between the digital watermark embedded in the machine learning model 100 and the digital watermark extracted from the third party machine learning model 320. The digital watermark embedded in the machine learning model 100 may not be present in the third party machine learning model 320 if the bit error rate (BER) between the digital watermark embedded in the machine learning model 100 and the digital watermark extracted from the third party machine learning model 320 exceeds a threshold value. By contrast, if the bit rate error does not exceed the threshold value, then the third party machine learning model 320 may be a duplicate of the machine learning model 100 and/or trained using the same proprietary training data as the machine learning model 100).
Claim 3. Rouhani in view of Kumar discloses the method as claimed in claim 2,
Rouhani further discloses wherein different parts of the digital watermark are selected and inserted into the tolerable part of a respective output signal dependent on the counter reading (See Parag. [0064]; a digital watermark may be extracted from the third party machine learning model 320 by processing, with the third party machine learning model 320, input samples corresponding to the trigger keys X.sup.key. Whether the third party machine learning model 320 is a duplicate of the machine learning model 100 may be determined based on whether a bit error rate (BER) between the digital watermark embedded in the machine learning model 100 and the digital watermark extracted from the third party machine learning model 320 is below a threshold value. For instance, if the third party machine learning model 320 is a duplicate of the machine learning model 100, the input samples corresponding to the trigger keys X.sup.key may trigger the same or similar changes to the low probabilistic regions of the activation maps associated with the hidden layers of the third party machine learning model 320 and may therefore result in a lower bit rate error (BER) value).
Claim 4. Rouhani in view of Kumar discloses the method as claimed in claim 1,
Rouhani further discloses wherein the digital watermark is inserted into the tolerable part of a respective output signal dependent on a random process (See Parag. [0071-0073]; embedding the digital watermark in the output layer 130 of the machine learning model 100 may include identifying a set of K unique and random input samples from the rarely explored regions of the machine learning model 100. Each the K quantity of random input sample may be passed through the pre-trained machine learning model 100 to verify that its intermediate activation lies within the rarely explored regions of the machine learning model 100…).
Claim 5. Rouhani in view of Kumar discloses the method as claimed in claim 1,
Rouhani further discloses wherein an interface between the first machine learning module and the additional output layer is protected against external access (See Parag. [0081] and Table 4; Robustness Embedded watermark shall be resilient against model modifications such as pruning, fine- tuning, or WM overwriting. Integrity Watermark extraction shall yield minimal false alarms (a.k.a., false positives); the watermarked model should be uniquely identified using the pertinent keys. Capacity Watermarking methodology shall be capable of embedding a large amount of information in the target DNN. Efficiency Communication and computational overhead of watermark embedding and extraction shall be negligible. Security The watermark shall be secure against brute- force attacks and leave no tangible footprints in the target neural network; thus, an unauthorized party cannot detect/remove the presence of a watermark).
Claim 6. Rouhani in view of Kumar discloses the method as claimed in claim 1,
Rouhani further discloses wherein the second machine learning module is used for controlling the machine, in that the signal is output if the tolerable part of the output signal of the second machine learning module does not contain the digital watermark (See Parag. [0086]; the detection engine 330 may compute a bit error rate (BER) between the digital watermark embedded in the machine learning model 100 and the digital watermark extracted from the third party machine learning model 320. The digital watermark embedded in the machine learning model 100 may not be present in the third party machine learning model 320 if the bit error rate (BER) between the digital watermark embedded in the machine learning model 100 and the digital watermark extracted from the third party machine learning model 320 exceeds a threshold value. By contrast, if the bit rate error does not exceed the threshold value, then the third party machine learning model 320 may be a duplicate of the machine learning model 100 and/or trained using the same proprietary training data as the machine learning model 100).
Kumar further discloses that the output signal is the alarm signal (See Parag. [0137]; when the correlation determination 510 results in a match of the first watermark and the second watermark, an alert notification 520 can be generated. In some embodiments, the match includes a match of a value of each of the first watermark and the second watermark that is within a range of the threshold. The alert notification can be provided to an operator console. See also Parag. [0120]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Rouhani to include outputting, dependent on the result of the check, an alarm signal, as taught by Kumar. Doing so would help protect an AI model from tampering (Kumar, Parag. [0004]).
Claim 7. Rouhani in view of Kumar discloses the method as claimed in claim 1,
Rouhani further discloses wherein the second machine learning module is installed and run in an edge computing environment, in that it is checked whether the tolerable part of the output signal of the second machine learning module contains the digital watermark, and in that, dependent on the result of the check, the second machine learning module is used for controlling the machine (See Parag. [0086]; at 508, the detection engine 330 may determine that the second machine learning model is a duplicate of the first machine learning model based at least on a comparison of the first digital watermark embedded in the first machine learning model and the second digital watermark extracted from the second machine learning model. See Parag. [0097-0102] and Fig. 7; the computing system 700 may be used to implement the machine learning model 100, the target machine learning model 320, the detection engine 330, and/or any components therein… See Fig. 3).
Claim 8. Rouhani discloses a method for recognizing theft of a trained machine learning module (See Parag. [0043]; track the machine learning model in the event a misuse of the machine learning model is detected), wherein
providing a first machine learning module, which is trained to output on the basis of an input signal an output signal for controlling a machine (See Parag. [0044]; a machine learning model 100 may be trained to perform a classification task in which the machine learning model 100 processes an input sample and outputs a probability vector that includes a probability of the input sample being a member of each of a plurality of classes),
determining a test input signal that does not occur in the control of the machine (See Parag. [0088]; at 552, the detection engine 330 may identify a plurality of input samples originating from one or more rarely explored regions of a first machine learning model occupied by input samples rarely encountered by the first machine learning model),
storing the test input signal is fed into the first machine learning module and a resulting output signal of the first machine learning module as the digital watermark (See Parag. [0089]; at 554, the detection engine 330 may embed, in the output layer of the first machine learning model, a digital watermark corresponding to the plurality of input samples by at least fine-tuning, based at least on the plurality of input samples, the trained first machine learning model to classify, with an above-threshold certainty, each of the plurality of input samples. The digital watermark may be embedded in the output layer 130 of the machine learning model 100 after the machine learning model 100 has completed training and one or more digital watermarks have already been embedded in the hidden layers (e.g., the input layer 110, the first intermediate layer 120a, and the second intermediate layer 120b) of the machine learning model 100),
transferring the first machine learning module to a user (See Parag. [0094]; at 602, the detection engine 330 may embed a first digital watermark in a first copy of the machine learning model 100 distributed to the first client 352a and a second digital watermark in a second copy of the machine learning model 100 distributed to the second client 352b. For example, the detection engine 330 may embed the first digital watermark in a hidden layer or an output layer of the first copy of the machine learning model 100. The detection engine 330 may further embed the second digital watermark in a hidden layer or an output layer of the second copy of the machine learning model 100),
receiving a second machine learning module (See Parag. [0085]; at 506, the detection engine 330 may extract, from a second machine learning model, a second digital watermark by at least processing, with the second machine learning model, the plurality of input samples corresponding to the first digital watermark. See also Parag. [0090]),
feeding the test input signal into the second machine learning module and checking whether the resulting output signal matches the stored digital watermark (See Parag. [0086]; at 508, the detection engine 330 may determine that the second machine learning model is a duplicate of the first machine learning model based at least on a comparison of the first digital watermark embedded in the first machine learning model and the second digital watermark extracted from the second machine learning model. For example, the third party machine learning model 320 may be tested for misuse by at least extracting, from the hidden layers of the third party machine learning model 320, the digital watermark embedded in the hidden layers of the machine learning model 100. See also Parag. [0091-0092]).
Rouhani does not explicitly disclose g) outputting, dependent on the result of the check, an alarm signal.
However, Kumar discloses outputting, dependent on the result of the check, an alarm signal (See Parag. [0137]; when the correlation determination 510 results in a match of the first watermark and the second watermark, an alert notification 520 can be generated. In some embodiments, the match includes a match of a value of each of the first watermark and the second watermark that is within a range of the threshold. The alert notification can be provided to an operator console. See also Parag. [0120]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Rouhani to include outputting, dependent on the result of the check, an alarm signal, as taught by Kumar. Doing so would help protect an AI model from tampering (Kumar, Parag. [0004]).
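For illustration only, a minimal sketch of the claim 8 flow as mapped above: the test input signal and the first module's resulting output are stored as the digital watermark, the test input is later replayed against a received second module, and a close match triggers the alarm. The callables and the tolerance are hypothetical.

```python
import numpy as np

def make_watermark(module, test_input: np.ndarray):
    """Store the test input and the first module's resulting output as the watermark."""
    return test_input, module(test_input)

def check_second_module(module, watermark, tol=1e-2) -> bool:
    """Replay the test input into the second module; a close match suggests a copy."""
    test_input, expected = watermark
    return bool(np.allclose(module(test_input), expected, atol=tol))

first_module = lambda x: np.tanh(x.sum(keepdims=True))        # stand-in trained module
wm = make_watermark(first_module, np.array([3.7, -2.1, 9.9]))  # input not seen in control
if check_second_module(first_module, wm):                      # here: checking a known copy
    print("ALARM: second module reproduces the stored watermark output")
```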
Claim 9. Rouhani in view of Kumar discloses the method as claimed in claim 8,
Rouhani further discloses wherein the first machine learning module is expanded by adding an additional input layer (See Parag. [0083]; at 502, the detection engine 330 may identify, based at least on an activation map associated with a hidden layer of a first machine learning model, a plurality of input samples that causes the activation functions applied by a plurality of neurons forming the hidden layer to output values occupying one or more low probabilistic regions of the activation map. For instance, the activation map associated with a hidden layer of the machine learning model 100 may enumerate the different output values of the activation functions applied by the neurons forming that layer of the machine learning model 100), which
- checks an incoming input signal for whether it matches the test input signal (See Parag. [0088]; the detection engine 330 may identify a plurality of input samples originating from one or more rarely explored regions of a first machine learning model occupied by input samples rarely encountered by the first machine learning model) and
- given a positive result of the check, makes the first machine learning module output an output signal by which characteristic properties of the first machine learning module are specified (See Parag. [0092]; the detection engine 330 may determine that the second machine learning model is a duplicate of the first machine learning model based at least on the digital watermark being determined to be present in the second machine learning model. In some example embodiments, the digital watermark embedded in the machine learning model 100 may be present in the third party machine learning model 320 if the probability of the machine learning model 320 correctly classifying the K quantity of random input samples exceeds the threshold value p. When that is the case, the third party machine learning model 320 may be identified as being a duplicate of the machine learning model 100 and/or as having been trained using the same proprietary training data as the machine learning model 100).
Claim 10. Rouhani in view of Kumar discloses the method as claimed in claim 1,
Rouhani further discloses wherein an output signal comprising the digital watermark is output via a different output channel than an output signal not comprising the digital watermark (See Parag. [0076]; the outputs of the third party machine learning model 320 in response to the each of the K quantity of random input samples corresponding to the watermarking keys may be used to determine whether the digital watermark embedded in the output layer 130 of the machine learning model 100 is present in the output layer of the third party machine learning model 320. For example, the presence of the digital watermark in the third party machine learning model 320 may be determined based on the quantity of mismatches between the outputs from the third party machine learning model 320 and the ground-truth labels assigned to each of the K quantity of random input samples).
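For illustration only, a sketch of the mismatch count described in Rouhani (Parag. [0076]): the suspect model's predictions on the K watermarking keys are compared against their assigned ground-truth labels, and a low mismatch count indicates the watermark is present. The keys, labels, and threshold are hypothetical.

```python
import numpy as np

def watermark_present(suspect_predict, keys, labels, max_mismatches=1) -> bool:
    """Count mismatches between suspect predictions and the keys' assigned labels."""
    mismatches = sum(suspect_predict(k) != y for k, y in zip(keys, labels))
    return mismatches <= max_mismatches  # few mismatches -> watermark present

keys = [np.array([0.1, 9.0]), np.array([-7.2, 0.3])]  # hypothetical watermarking keys
labels = [3, 1]                              # ground-truth labels assigned when embedding
suspect = lambda x: 3 if x[1] > x[0] else 1  # stand-in third-party model
print(watermark_present(suspect, keys, labels))
```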
Claim 11. Rouhani in view of Kumar discloses a theft reporting system for trained machine learning modules, set up for performing a method as claimed in claim 1 (See Parag. [0043]; different digital watermarks may be embedded in the machine learning model distributed to different parties in order to track the machine learning model in the event a misuse of the machine learning model is detected).
Claim 12. Rouhani in view of Kumar discloses a computer program product, comprising a computer readable hardware storage device having computer readable program code stored therein, said program code executable by a processor of a computer system to implement a method as claimed in claim 1 (See Fig. 7 and Parag. [0098-0099]; the computing system 700 can include a processor 710, a memory 720, a storage device 730, and input/output devices 740… The memory 720 is a computer readable medium such as volatile or non-volatile that stores information within the computing system 700).
Claim 13. Rouhani in view of Kumar discloses a computer-readable storage medium with a computer program product as claimed in claim 12 (See Fig. 7 and Parag. [0098-0099]; the computing system 700 can include a processor 710, a memory 720, a storage device 730, and input/output devices 740… The memory 720 is a computer readable medium such as volatile or non-volatile that stores information within the computing system 700).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see form PTO-892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to recognizing theft of trained machine learning modules.
Charette et al. (Pub. No. US 2022/0300842) - “System and Method for AI Model Watermarking;”
Teaches watermarking prediction outputs generated by a first AI model to enable detection of a target AI model that has been distilled from the prediction outputs. Includes receiving, at the first AI model, a set of input data samples from a requesting device; storing at least a subset of the input data samples to maintain a record of the input data samples; predicting, using the first AI model, a respective set of prediction outputs that each include a probability value, the AI model using a watermark function to insert a periodic watermark signal in the probability values of the prediction outputs; and outputting, from the first AI model, the prediction outputs including the periodic watermark signal. (See Abstract).
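For illustration only, a sketch in the spirit of Charette's abstract: a small periodic signal, indexed by query count, is added to the probability values of a model's prediction outputs. The amplitude, period, and renormalization step are illustrative assumptions, not Charette's implementation.

```python
import numpy as np

def watermark_probs(probs: np.ndarray, query_index: int,
                    amplitude: float = 0.01, period: int = 8) -> np.ndarray:
    """Add a small sinusoid, indexed by query count, to the top-class probability."""
    out = probs.copy()
    out[int(np.argmax(out))] += amplitude * np.sin(2 * np.pi * query_index / period)
    out = np.clip(out, 0.0, None)
    return out / out.sum()  # keep a valid probability vector

p = np.array([0.7, 0.2, 0.1])
print([watermark_probs(p, i).round(3) for i in range(3)])  # periodic signal over queries
```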
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHIZLANE MAAZOUZ, whose telephone number is (571) 272-8118. The examiner can normally be reached Monday-Friday, 7:30 AM-5:00 PM (telework).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip J Chea can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GHIZLANE MAAZOUZ/Examiner, Art Unit 2499
/PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499