DETAILED ACTION
Applicant’s amendment filed 8/2/2022 has been fully considered. 
Claims 1-20 are pending and have been examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
Applicant's arguments filed 8/2/2022 have been fully considered but they are not persuasive.
Regarding Applicant’s arguments with respect to Balabine, namely a “raw data”, “progressive framework system”, etc., Examiner respectfully points out that while the elements must be arranged as required by the claim, this is not an ipsissimis verbis test, i.e., identity of terminology is not required. In re Bond, 910 F.2d 831, 15 USPQ2d 1566 (Fed. Cir. 1990). Note that, in some circumstances, it is permissible to use multiple references in a 35 U.S.C. 102 rejection. See MPEP § 2131.
Regarding the receiving step, Balabine teaches any type of data, covering both structured and unstructured data. Absent a clear definition of what is raw data, progressive framework system, etc., the entities performing the functions as claimed correspond to the mapping of Balabine. At most, raw data can be interpreted to be unaltered data (spec, par.35); under that understanding, Balabine’s data tracking interactions/user behavior with respect to resources is not altered, i.e. unaltered, meeting the claim limitation (Balabine, par.29-32). The cited portion is reproduced below:
[0029] The anomalous behavioral data includes one or more behavioral factors having one or more current values determined based at least in part on monitoring of user activity on the computer network over a first time period by one or more monitoring agents executing on one or more data stores in the plurality of data stores. For example, each data store in the plurality of data stores can have its own monitoring agent that tracks any user interactions with that data store (such as access requests, read/writes, access times, sensitive data records accessed, sensitive data types accessed, etc.).
[0030] FIG. 2 illustrates an example architecture of a system for determining risk associated with anomalous behavior according to an exemplary embodiment. Users 201A-201D are users of the computer network and access data stores 202A and 202B. The user activity and behavior data is tracked by monitoring agents 203A and 203B on data stores 202A and 202B, respectively. Of course, the number of data stores, users, and monitoring agents can vary. For example, a single monitoring agent connected to all data stores can perform monitoring of activity on all of the data stores. Alternatively, multiple monitoring agents can be used with each monitoring agent monitoring one or more data stores. Monitoring agent can also be located on a client-side user device. Many variations are possible and this example is not intended to be limiting.
[0031] The monitoring agent can be a process executing on a device, such as a data store, which is able to track interactions with one or more data stores, log user information and metadata corresponding to the interactions, and report the collected user behavior and activity data to another process or device that performs an analysis of the collected user behavior and activity data.
[0032] Monitoring agents 203A and 203B can provide the collected activity data to a user behavior analytics component 204. This user behavior analytics component 204 is shown separate from the data stores for clarity only, and it is understood that the user behavior analytics component 204 can itself be stored on a data store, at a centralized location or centralized device, at a client-side device, or anywhere else on the network.
Regarding the monitoring step, Balabine teaches the argued limitation since Balabine monitors the data and user behavior and associates them with particular time periods, based on timestamps of activity; see cited portions below:
[0032] Monitoring agents 203A and 203B can provide the collected activity data to a user behavior analytics component 204. This user behavior analytics component 204 is shown separate from the data stores for clarity only, and it is understood that the user behavior analytics component 204 can itself be stored on a data store, at a centralized location or centralized device, at a client-side device, or anywhere else on the network.
[0033] User behavior analytics component 204 analyzes user activity and behavioral data corresponding to users 201A-201D of the computer network over a predetermined time period that can be set automatically or selected by a user and identifies aspects of the user activity and behavioral data that is anomalous with past user activity and behavioral data. For example, the time period can be an hour, a day, a week, a month, a year, or any other suitable period of time.
[0034] The user behavior analytics component 204 is a process, program, or hardware device that identifies one or more behavioral factors having one or more current values that are anomalous for a particular user and provides the one or more behavioral factors and the one or more current values of those behavioral factors to user risk assessment component 205. The user behavior analytics component 204 can also provide user activity data and behavioral information for non-anomalous activity to the user risk assessment component 205. This non-anomalous activity can be used as part of the risk assessment process, as discussed further below.
[0035] This user risk assessment component 205 is shown separate from the data stores and from the user behavior analytics component 204 for clarity only, and it is understood that the user risk assessment component 205 can itself be stored on a data store, at a centralized location or centralized device, at a client-side device, or anywhere else on the network. For example, the user behavior analytics component 204 and the user risk assessment component 205 can be located on the same device or be different modules within a single program.
[0068] At step 501 at least one user count corresponding to the at least one unique content element is determined, wherein the at least one user count indicates at least one first quantity associated with behavior of the user relative to the at least one unique content element over a first time period. As discussed above, an example of this is the number of accesses by a user to a unique data store within a time period. If there is more than one unique content element (e.g., multiple unique data stores accessed), then a user count can be computed for each of the unique content elements.
[0069] At step 502 at least one total count corresponding to the at least one unique content element is determined, wherein the at least one total count indicates at least one second quantity associated with behavior of a plurality of users relative to the at least one unique content element over the first time period. Using the above-mentioned example, the total count could indicate a total number of accesses by a plurality of users to the unique data store within the time period. If there is more than one unique content element (e.g., multiple unique data stores accessed), then a total count can be computed for each of the unique content elements. The total count information can be received, for example, from a user behavior analytics component 204 such as the one shown in FIG. 2.
[0070] At step 503 at least one probability corresponding to the current value is determined by dividing the at least one total count by the at least one user count. This is in accordance with the probability formula described with respect to step 102 of FIG. 1. If there is more than one unique content element (e.g., multiple unique data stores accessed), then a probability can be computed for each of the unique content elements.
[0071] At step 504 the total surprisal value corresponding to the behavioral factor is determined based on a summation of the self-information corresponding to the at least one probability. This step is reflected by the earlier described formula for total surprisal value:
$I = -\sum_{i=1}^{n} \ln p_i$
[0072] Where I corresponds to the total “surprisal” value of a particular behavioral factor, n corresponds to the total quantity of unique content elements associated with a behavioral factor, ln corresponds to the natural log, i corresponds to a unique content element in a plurality of unique content elements associated with the behavioral factor, $p_i$ corresponds to the probability of an actor accessing the i-th unique content element, and $\ln p_i$ corresponds to the self-information of a particular probability associated with a unique content element. In this case the self-information is computed as a natural log of the probability, but it is understood that other types of logarithms or bases may be used to assess self-information.
[0073] FIG. 6 illustrates an example of the surprisal value determination process according to an exemplary embodiment. Received anomalous behavior data 600 in FIG. 6 includes an access time of day 601 behavioral factor and a data stores count 602 behavioral factor. Since the access time of day 601 behavioral factor is content agnostic, the surprisal value for this behavioral factor is set to 1 at step 603.
[0074] As shown in FIG. 6, the data stores count 602 behavioral factor includes a first user count 604 of accesses of a first data store, data store S17, by a user, as well as a second user count 605 of accesses of a second data store, data store S32, by the user.
[0075] Behavior data for a plurality of users 606 is also received and used to determine the probabilities associated with each unique content element for behavioral factors that are not content agnostic. This behavior data can be received from monitoring agents, such as agents 203A and 203B shown in FIG. 2, and/or from an analytics component, such as component 204 shown in FIG. 2. The behavior data for the plurality of users 606 includes user data that is relevant to the anomalous behavior of the user. In this case, the behavior data 606 includes the number of accesses of data store S17 by the plurality of users 607 and the number of accesses of data store S32 by the plurality of users 608.
[0076] At step 609 the probability of accessing data store S17 is computed based on the number of accesses of data store S17 by the user 604 and the number of accesses of data store S17 by the plurality of users 607. Similarly, at step 610 the probability of accessing data store S32 is computed based on the number of accesses of data store S32 by the user 605 and the number of accesses of data store S32 by the plurality of users 608. Both of these probabilities are then used in step 611 to determine the surprisal value for the “data stores count” behavioral factor. The surprisal value can be determined in accordance with the above-mentioned equation.
[0077] FIG. 7 illustrates a graph 700 showing the relationship between the surprisal value and access probability. As shown in the graph 700, the surprisal value has an inverse relationship with probability, with surprisal increasing as probability decreases.
[0078] Returning to FIG. 1, at step 103 one or more dynamic weights corresponding to the one or more behavioral factors are determined based at least in part on the one or more current values and one or more historically expected values of the one or more behavioral factors for the user. As explained below, the one or more historically expected values are determined based at least in part on monitoring of user activity on the computer network over one or more second time periods prior to the first time period by the one or more monitoring agents executing on the one or more data stores.
Regarding the determining step, Balabine teaches the argued portion since access during a particular time period may be more indicative of malicious activity than the same access during a different time period: access during nighttime hours by an otherwise authorized user may indicate malicious activity, while the same access during regular business hours may not indicate malicious activity. Balabine further teaches that risk associated with certain anomalous behaviors or events can also be tracked over time to provide a risk profile of a user and flag certain users for increased scrutiny; for example, if a user typically accesses 200 sensitive data stores (on average) every month and in the month of February accesses 3,500 sensitive data stores, then that behavior can be flagged as anomalous. See cited portions below:
[0024] The Applicant has discovered a method, apparatus, and computer-readable medium that solve the problem of analyzing anomalous behavior of users in computer network and identifying anomalous behaviors and/or users that pose high levels of risk. The system disclosed herein quantifies perceived risk associated with anomalous events induced by actors in an enterprise environment. This quantified risk can then be used by the system to take remedial or preventative actions and alert security administrators. As discussed further in the following description, risk associated with certain anomalous behaviors or events can also be tracked over time to provide a risk profile of a user and flag certain users for increased scrutiny.
[0025] FIG. 1 illustrates a flowchart for determining risk associated with anomalous behavior of a user on a computer network according to an exemplary embodiment. At step 101 anomalous behavioral data corresponding to an anomalous activity of a user on a computer network comprising a plurality of data stores is received.
[0026] As used herein, a data store can refer to any computing device or electronic device connected to the network, such as a database, a server, a client computing device, a mobile device, a router, a modem, or any other component that forms part of the computer network.
[0027] The anomalous behavior can be activity that is performed by an automated action or program, such as an automatic script that performs a set of tasks. In the situation where the anomalous activity is an automated action, the automated action can be associated with a user based upon information regarding which user authorized, initiated, designed, or had permissions to access the automated action.
[0028] Anomalous behavior can include any actions or usage patterns that are inconsistent with previous actions or usage patterns of a user, unusual for a user, or unexpected for a particular user. Anomalies are a class of unusual or unexpected user activities that do not explicitly break any enterprise policies but that are inconsistent with past user activities. For example, if user John Doe typically accesses 200 sensitive data stores (on average) every month and in the month of February accesses 3,500 sensitive data stores, then that behavior can be flagged as anomalous.
[0046] Count of sensitive data types accessed—the sensitive data types accessed by the user and a count of accesses to the sensitive data types by the user. This can include not only which sensitive data types the user accessed, but also a number of times the user accessed each unique sensitive data type.
[0047] Cross group access—access by the user to one or more components of the computer network associated with different groups than the groups associated with the user.
[0048] Of course, the behavioral factors 302 shown in FIG. 3 are provided as examples only, and the behavioral factors can include any metric that tracks user actions on the computer network or components of the computer network, user engagement with the computer network or components of the computer network, or user activity or inactivity.
[0049] As shown in column 303, each of the behavioral factors 302 has a corresponding factor data type. The factor data types include a continuous data type that is described by a range of values. The factor data types also include an ordinal data type described by an enumerated sequence representing ordered gradation of each factor such as “atypical,” “unusual,” and “highly unusual.”
[0050] If a behavioral factor described by a data type cannot be mapped to a gradation level, which is the case for nominal data types, then a secondary factor of the nominal event factor can be used for establishing a gradation level. For example, relocation of a tangible object such as a computer user can be characterized by the speed of the user's movement which becomes a continuous metric and which therefore enables characterization of the user relocation event.
[0055] For example, when the behavioral factor is the “count of data stores accessed,” then n can correspond to the total quantity of unique data stores accessed, i can correspond to a unique data store accessed, and $p_i$ can correspond to the probability of an actor accessing the i-th unique data store. In this case, the probability can be given by:
[00002] $p_i = \dfrac{\text{the number of actor's accesses to data store } i}{\text{total number of user accesses to data store } i}$
[0056] In another example, when the behavioral factor is the “count of sensitive data types accessed,” then n can correspond to the total quantity of unique sensitive data types accessed, i can correspond to a unique sensitive data type accessed, and $p_i$ can correspond to the probability of an actor accessing the i-th unique sensitive data type. In this case, the probability can be given by:
[00003] $p_i = \dfrac{\text{the number of actor's accesses to sensitive data type } i}{\text{total number of user accesses to sensitive data type } i}$
[0057] When the anomalous behavioral data includes multiple behavioral factors, a surprisal value can be computed for each of the behavioral factors. FIG. 4 illustrates a flowchart for determining surprisal values corresponding to multiple behavioral factors according to an exemplary embodiment.
[0058] At step 401 the current behavioral factor is set to the first behavioral factor in a set of behavioral factors in the anomalous behavior data. The process can begin with the first behavioral factor and iterate through the remaining behavioral factors, as discussed in greater detail below.
[0059] At step 402 it is determined whether the current behavioral factor is content agnostic. A behavioral factor is content agnostic if the value of the behavioral factor is independent of the content or type of content accessed. Examples of content agnostic behavioral factors include the time of day, day of week, and relocation behavioral factors. Whether a behavioral factor is content agnostic can be indicated by a variable, such as a flag, associated with the behavioral factor. The data type of the behavioral factor can also be used to determine if the behavioral factor is content agnostic. For example, as shown in FIG. 3, all of the behavioral factors having a data type of ordinal are content agnostic.
[0060] If the current behavioral factor is content agnostic, then at step 403 the surprisal value corresponding to the current behavioral factor is set to “one.” This indicates that there will be no net information gained from content agnostic behavioral factors.
Regarding the providing step, Balabine teaches the argued limitation since Balabine teaches different probabilities for detecting malicious behavior based on actions/behavior/activities and time parameters, see cited portions below:
[0055] For example, when the behavioral factor is the “count of data stores accessed,” then n can correspond to the total quantity of unique data stores accessed, i can correspond to a unique data store accessed, and $p_i$ can correspond to the probability of an actor accessing the i-th unique data store. In this case, the probability can be given by:
[00002] $p_i = \dfrac{\text{the number of actor's accesses to data store } i}{\text{total number of user accesses to data store } i}$
[0056] In another example, when the behavioral factor is the “count of sensitive data types accessed,” then n can correspond to the total quantity of unique sensitive data types accessed, i can correspond to a unique sensitive data type accessed, and $p_i$ can correspond to the probability of an actor accessing the i-th unique sensitive data type. In this case, the probability can be given by:
[00003] $p_i = \dfrac{\text{the number of actor's accesses to sensitive data type } i}{\text{total number of user accesses to sensitive data type } i}$
[0057] When the anomalous behavioral data includes multiple behavioral factors, a surprisal value can be computed for each of the behavioral factors. FIG. 4 illustrates a flowchart for determining surprisal values corresponding to multiple behavioral factors according to an exemplary embodiment.
[0058] At step 401 the current behavioral factor is set to the first behavioral factor in a set of behavioral factors in the anomalous behavior data. The process can begin with the first behavioral factor and iterate through the remaining behavioral factors, as discussed in greater detail below.
[0059] At step 402 it is determined whether the current behavioral factor is content agnostic. A behavioral factor is content agnostic if the value of the behavioral factor is independent of the content or type of content accessed. Examples of content agnostic behavioral factors include the time of day, day of week, and relocation behavioral factors. Whether a behavioral factor is content agnostic can be indicated by a variable, such as a flag, associated with the behavioral factor. The data type of the behavioral factor can also be used to determine if the behavioral factor is content agnostic. For example, as shown in FIG. 3, all of the behavioral factors having a data type of ordinal are content agnostic.
[0060] If the current behavioral factor is content agnostic, then at step 403 the surprisal value corresponding to the current behavioral factor is set to “one.” This indicates that there will be no net information gained from content agnostic behavioral factors.
[0061] If the current behavioral factor is not content agnostic, then at step 404 the surprisal value corresponding to the behavioral factor is determined as a function of at least one probability corresponding to a current value of the behavioral factor. This probability assessment is described above and explained further with respect to FIGS. 5-6.
[0062] At step 405 a determination is made regarding whether there are any additional behavioral factors in the set of behavioral factors in the anomalous behavior data. If there are additional behavioral factors, then at step 407 the current behavioral factor is set to the next behavioral factor in the set of behavioral factors and steps 402-405 are repeated. Otherwise, if there are no additional behavioral factors, then at step 406 the process of determining surprisal values ends.
[0063] When the behavioral factor is not content agnostic, the current value of the behavioral factor can indicate at least one unique content element. For example, when the behavioral factor is “Count of data stores accessed,” the current values can indicate 2 unique data stores and their corresponding counts, such as:
[0064] (1) Data Store D1—12 accesses;
[0065] (2) Data Store F14—3 accesses;
[0066] The surprisal value for the behavioral factor in this situation can then be determined based upon probabilities associated with each of unique content elements accessed (Data Stores D1 and F14 in the above example).
[0067] FIG. 5 illustrates a flowchart for determining a surprisal value corresponding to the behavioral factor based on at least one probability corresponding to a current value of the behavioral factor according to an exemplary embodiment. The steps shown in FIG. 5 are performed for behavior factors that are not content agnostic and for which the current value of the behavioral factor indicates at least one unique content element.
[0114] Returning to FIG. 11, at step 1104 it is determined whether the attention metric for the user exceeds a predefined attention threshold or whether the risk metric corresponding to the anomalous activity of the user exceeds a predefined risk threshold. At step 1105 one or more security actions relating to the user are performed based at least in part on a determination that the attention metric for the user exceeds the predefined attention threshold or that the risk metric corresponding to the anomalous activity of the user exceeds a predefined risk threshold. As discussed earlier, these security actions can include restricting user access to certain records, types, or data stores, restricting overall user access, reporting the risk metric, the attention metric, or anomalous data to the administrator, sending automated alerts, or performing any other security action to mitigate or resolve a potential threat. The risk metric and attention metric can also be used by the system to prioritize, rank, order and/or implement security measures. For example, security actions can be applied to a ranked list of users or incidents depending on relative risk metrics and attention metrics. Either the risk metric or the attention metric can be used as a measure used to rank users for security actions and/or to provide actionable intelligence to security administrators.
[0115] Abnormal activities in an enterprise environment attributed to an actor (such as a user or process) can be classified as an anomaly or as a violation. Anomalies are a class of unusual or unexpected actor's activities which do not break any enterprise policies and which are discussed at length in the preceding sections.
[0116] Abnormal activities can also include “violations,” which are a class of actor's activities that are non-conformant to the policies set forth in the enterprise. Both violations and anomalies have the potential of indicating undesired consequences, resulting in an implicit risk to the system.
[0117] A violation can be thought of as an independent binary event which potentially may trigger additional binary events while an anomaly manifests fuzzy characteristics dependent on the current state of the observed universe of discourse. For example, an actor's access to an asset to which this actor does not have access rights triggers a violation. Conversely, an anomaly may be reported when an actor accesses a data asset on weekend but, if after some time work during a weekend becomes that actor's habit, anomalous events to that matter are no longer reported.
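An added example, not part of the Office action or of Balabine: a Python sketch of the surprisal determination quoted above (FIG. 4 steps 401-406, the probability of par. [0055], and the summation of par. [0071]). The access counts for data stores D1 and F14 come from par. [0064]-[0065]; the population totals and all class and function names are constructed for illustration, and each total is assumed to include the actor's own accesses.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, Iterable


@dataclass
class BehavioralFactor:
    """One behavioral factor reported for an actor (names are hypothetical)."""
    name: str
    content_agnostic: bool
    # unique content element -> number of accesses by the actor
    user_counts: Dict[str, int] = field(default_factory=dict)


def access_probability(user_count: int, total_count: int) -> float:
    """p_i as written in par. [0055]: actor's accesses / all users' accesses.

    Par. [0070] words the division the other way round (total / user); that
    ratio is >= 1, so -ln of it could never be positive. The [0055] form is
    used here because it is the one that yields a probability in (0, 1].
    """
    if user_count <= 0:
        raise ValueError("an accessed element needs a positive user count")
    if total_count < user_count:
        # Assumption: the total covers the actor too, so it cannot be smaller.
        raise ValueError("total count is smaller than the actor's own count")
    return user_count / total_count


def factor_surprisal(factor: BehavioralFactor,
                     total_counts: Dict[str, int]) -> float:
    """Steps 402-404: fixed value for content-agnostic factors, else -sum(ln p_i)."""
    if factor.content_agnostic:
        return 1.0  # step 403: surprisal is set to "one"
    if not factor.user_counts:
        raise ValueError(f"{factor.name}: no unique content elements reported")
    surprisal = 0.0
    for element, user_count in factor.user_counts.items():
        if element not in total_counts:
            raise KeyError(f"no population count for element {element!r}")
        p_i = access_probability(user_count, total_counts[element])
        surprisal += -math.log(p_i)  # self-information of element i
    return surprisal


def surprisal_values(factors: Iterable[BehavioralFactor],
                     total_counts: Dict[str, int]) -> Dict[str, float]:
    """Steps 401-407: iterate over every factor in the anomalous behavior data."""
    return {f.name: factor_surprisal(f, total_counts) for f in factors}


# Actor counts from par. [0064]-[0065]; the factor list itself is constructed.
SAMPLE_FACTORS = [
    BehavioralFactor("access time of day", content_agnostic=True),
    BehavioralFactor("count of data stores accessed", content_agnostic=False,
                     user_counts={"D1": 12, "F14": 3}),
]
# Constructed population totals (all users, actor included) for the same period.
SAMPLE_TOTALS = {"D1": 48, "F14": 300}

if __name__ == "__main__":
    for name, value in surprisal_values(SAMPLE_FACTORS, SAMPLE_TOTALS).items():
        print(f"{name}: {value:.4f}")
```

With these constructed totals the actor accounts for 25% of the accesses to D1 and 1% of the accesses to F14, so F14 contributes most of the factor's surprisal, matching the inverse relationship described for FIG. 7.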
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections.
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Applicant’s arguments are not persuasive.
Claim Rejections - 35 USC § 102
Claims 1-19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Balabine (20190081967).
Regarding claims 1, 7, and 13, Balabine teaches A computer-implementable method for detecting entity behavior, comprising: / A system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: / A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions configured for (abstract, par.126-134):
receiving structured or unstructured raw data input by a primary analysis engine of a progressive trigger framework system, from various sources related to actions of an entity, wherein the progressive trigger framework system is implemented to perform detecting entity behavior and triggering indicator of behaviors (par.29-32);
monitoring over time by the progressive trigger framework system, the raw data input and associating the actions of the entity to particular time periods (par.32-35, 68-78);
determining by the progressive trigger framework system, a detection probability per each time period as to a triggering an indicator of behavior regarding a malicious activity, wherein the detection probability increases over time (par.24-28, 46-50, 55-60); and
providing by the progressive trigger framework system, a trigger indicator of behavior if the detection probability reaches a threshold value (par. 55-67, 114-117).
Regarding claims 2, 8, and 14, Balabine teaches wherein the receiving is agnostic as to the various sources (par.70-75).
Regarding claims 3, 9, and 15, Balabine teaches performing one or more of: querying the raw data and writing observables, querying the raw data and writing summary data; querying summary data and writing observables; and querying observable, enrichment, and entity state to write detection (par.24-28, 34-36, 114-121).
Regarding claims 4, 10, and 16, Balabine teaches wherein the monitoring further comprises determining entity behavior patterns (par.33-37).
Regarding claims 5, 11, and 17, Balabine teaches determining entity behavior patterns based on phase stacking (par.29-43).
Regarding claims 6, 12, and 18, Balabine teaches wherein the providing a trigger indicator of behavior comprises sending dynamic risk signals as to dynamic actions, dynamic data protection, and dynamic user protection (par.29-43).
Regarding claim 19, Balabine teaches wherein: the computer executable instructions are deployable to a client system from a server system at a remote location (par.26-32, 130-133).
Claim Rejections - 35 USC § 103
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Balabine, and further in view of Bird (9607144).
Regarding claim 20, Balabine teaches providing reports and alerts/notifications (par.24-28, 34-36, 114-121), but does not expressly disclose the following limitation; however, Bird teaches wherein: the computer executable instructions are provided by a service provider to a user on an on-demand basis (col.4, 30-67).
Therefore, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify Balabine to provide on-demand service as taught by Bird.
One of ordinary skill in the art would have been motivated to perform such a modification to provide additional security (Bird, col.1-2).
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to David Garcia Cervetti whose telephone number is (571)272-5861. The examiner can normally be reached Monday-Friday 8AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, HADI ARMOUCHE can be reached on (571)270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/David Garcia Cervetti/
Primary Examiner, Art Unit 2419