Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Response to Arguments
Applicant’s arguments with respect to claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC §103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 6, 8, 13, 15, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Morello (Pub. No. US 2018/0260574) in view of Saffar (Pat. No. US 10,824,726) in view of Wu (Pub. No. US 2018/0210801) 
Claim 1, Morello teaches “A method, comprising: receiving, by an agent running within a virtual machine, information related to an event ([0047] FIG. 4 shows an example host device 310 with a first safe execution environment 400 and a second quarantined execution environment 410. The safe execution environment 400 is configured to host and run the detector container 315 in a virtual machine (VM) 401 over an OS Kernel 402. The quarantined execution environment 410 is instantiated and created by the detector container 315. [0050] In the quarantined execution environment 410, the detector container 315-A is configured to monitor the execution of the APP container 420. This includes intercepting any communications into and out of the APP container 420 and determining, based on the intercepted communications, if any unauthorized action is attempted to be performed by the APP container 420.), wherein: the event comprises a connection request or a file access request ([0052] Upon detection of an unauthorized action by the APP container 420, the detector container 315-A is configured to generate a detection event. In addition, one or more mitigation actions can be performed. Such mitigation actions may include, but are not limited to, terminating the execution of the APP container 420, terminating a specific malicious process executed by the APP container 420 that causes the vulnerability, blocking communications between the APP container 420 and resources external to the APP container 420, sending an alert indicating the detection event (e.g., to the console device 320, FIG. 3), and so on.): the virtual machine comprises a plurality of containers executing thereon ([Fig. 3] 310 VM executing containers); the event is associated with a container of the plurality of containers ([Fig. 3] 310 containers are monitored for events); and the information includes a network address of the container or a name of the container ([0045] Upon detection of an unauthorized action indicating a vulnerability in an APP container 311, the detector container 315 is configured to generate and report a detection event to the console device 320. Such an event may include a container identifier of the APP container 311); determining, by the agent, based on the identifier, whether to block or allow an action related to the event; and causing the action to be blocked in response to determining that the action should be blocked and causing the action to be allowed in response to determining that the action should be allowed ([0052] Upon detection of an unauthorized action by the APP container 420, the detector container 315-A is configured to generate a detection event. In addition, one or more mitigation actions can be performed. Such mitigation actions may include, but are not limited to, terminating the execution of the APP container 420, terminating a specific malicious process executed by the APP container 420 that causes the vulnerability, blocking communications between the APP container 420 and resources external to the APP container 420, sending an alert indicating the detection event (e.g., to the console device 320, FIG. 3), and so on.)”.
However, Morello may not explicitly teach further details regarding matching of patterns to a container.
Safar teaches “accessing, by the agent, container mapping information that comprises mappings of identifiers to container names or network addresses, the accessing being performed in response to the receiving of the information and comprising determining, by the agent an identifier that corresponds to the network address or the name in the container mapping information ([Col. 7, Line 43-65] In one embodiment of the disclosure, the container scanner 260 may be a computer process (or an instance of a computer program) executing on the RMS 200. Specifically, the container scanner 260 may be a computer process dedicated towards the validation of containers. Validation of a container may refer to determining whether the container includes computer readable program code consistent with malicious activity, and/or whether the container exhibits anomalous behavior. Thus, in one embodiment of the disclosure, the container scanner 260 may include functionality to: (i) maintain and update a library of digital signatures (e.g., patterns of data) unique to one or more known cyber threats and/or attacks; (ii) generate container profiles 250, for example, comprising models of the intended behavior (e.g., normal operation) of one or more containers executing on the service platform; (iii) receive scan requests from the RMS kernel 230 specifying container IDs; (iv) in response to receiving scan requests, subject containers to one or more misuse and/or anomaly detection algorithms; (v) based on a matching of at least one known digital signature to at least a portion of a container, determining that the container is contaminated; (vi) based on at least one deviation from a model exhibited by an active container, determining that the container is contaminated; (vii) based on not one match to a known digital signature to at least a portion of a container and based on observing no deviations in behavior exhibited by a container with respect to a model of the container, determining that the container is clean; and (viii) generate and provide scan responses, to the RMS kernel 230, including the results of the validation process (e.g., that a container is clean, or alternatively, that a container is contaminated).)”
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Safar with the teachings of Morello in order to provide a system that teaches mapping of identifiers. The motivation for applying Safar teaching with Morello teaching is to provide a system that allows determination of unallowable actions. Morello, Safar are analogous art directed towards system monitoring. Together Morello, Safar teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Safar with the teachings of Morello by known methods and gained expected results.
However, the combination may not explicitly teach mappings of process identifiers of containers to container names.
Wu teaches as evidence “mappings of process identifiers of containers to container names ([0082] It should be noted that correspondences between a container running on the physical machine, a process in the container, and a thread in the container, that is, to which process a thread belongs and to which container the process belongs, are known to the operating system, and may be indicated by using the unique identifiers, or indicated in a form of a mapping table or the like. For example, an identifier of a thread in a container may be a container-process-thread triplet.)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Wu with the teachings of Morello, Safar in order to provide a system that teaches details of identifiers. The motivation for applying Wu teaching with Morello, Safar teaching is to provide a system that allows for design choice. Morello, Safar, Wu are analogous art directed towards system monitoring. Together Morello, Safar, Wu teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Wu with the teachings of Morello, Safar by known methods and gained expected results.
Claim 6, the combination teaches the claim, wherein Morello teaches “the method of claim 1, wherein determining, by the agent based on the whether to block or allow the action related to the event comprises: providing, by the to a firewall component; and receiving a block or allow decision from the firewall component ([0052] Upon detection of an unauthorized action by the APP container 420, the detector container 315-A is configured to generate a detection event. In addition, one or more mitigation actions can be performed. Such mitigation actions may include, but are not limited to, terminating the execution of the APP container 420, terminating a specific malicious process executed by the APP container 420 that causes the vulnerability, blocking communications between the APP container 420 and resources external to the APP container 420, sending an alert indicating the detection event (e.g., to the console device 320, FIG. 3), and so on.)”.
Claim 8, “a non-transitory computer readable medium comprising instructions to be executed in a computer system, wherein the instructions when executed in the computer system perform a method, the method comprising: by an agent running within a virtual machine, information related to an event, wherein: the event comprises a connection request or a file access request; the virtual machine comprises a plurality of containers executing thereon; the event is associated with a container of the plurality of containers; and the information includes a network address of the container or a name of the container; accessing, by the agent container mapping information that comprises mappings of process identifiers of containers to container names or network addresses, the accessing being performed in response to the receiving of the information and comprising  determining, by the  identifier that corresponds to the network address or the name in the container mapping information; determining, by the agent based on  identifier, whether to block or allow an action related to the event; and causing the action to be blocked in response to determining that the action should be blocked and causing the action to be allowed in response to determining that the action should be allowed” is similar to claim 1 and therefore rejected with the same references and citations.
Claim 13, “the non-transitory computer readable medium of claim 8, wherein determining, by the agent based on the whether to block or allow the action related to the event comprises: providing, by the  to a firewall component; and receiving a block or allow decision from the firewall component” is similar to claim 6 and therefore rejected with the same references and citations.
Claim 15, “a system comprising one or more processors and a non-transitory computer readable medium comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform a method, the method comprising: by an agent running within a virtual machine, information related to an event, wherein: the event comprises a connection request or a file access request; the virtual machine comprises a plurality of containers executing thereon; the event is associated with a container of the plurality of containers; and the information includes a network address of the container or a name of the container; accessing, by the agent container mapping information that comprises mappings of process identifiers of containers to container names or network addresses, the accessing being performed in response to the receiving of the information and comprising determining, by the identifier that corresponds to the network address or the name in the container mapping information; determining, by the agent based on identifier, whether to block or allow an action related to the event; and causing the action to be blocked in response to determining that the action should be blocked and causing the action to be allowed in response to determining that the action should be allowed” is similar to claim 1 and therefore rejected with the same references and citations.
Claim 20, “the system of claim 15, wherein determining, by the agent based on the  whether to block or allow the action related to the event comprises: providing, by to a firewall component; and receiving a block or allow decision from the firewall component” is similar to claim 6 and therefore rejected with the same references and citations.
Claims 2, 9, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Morello in view of Saffar in view of Wu in further view of Shuster (Pub. No. US 2019/0310935)
Claim 2, the combination may not explicitly teach the claim.
Shuster teaches “the method of claim 1, wherein the event comprises the connection request, and wherein the network address comprises a source internet protocol (IP) address of a connection ([Fig. 3] Name of container)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Shuster with the teachings of Morello, Safar, Wu in order to provide a system that teaches an identifier may be an IP address. The motivation for applying Shuster teaching with Morello, Safar teaching is to provide a system that allows for design choice. Morello, Safar, Wu, Shuster are analogous art directed towards system monitoring. Together Morello, Safar, Wu, Shuster teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Shuster with the teachings of Morello, Safar, Wu by known methods and gained expected results.
Claim 9,  “the non-transitory computer readable medium of claim 8, wherein the event comprises the connection request, and wherein the network address comprises a source internet protocol (IP) address of a connection” is similar to claim 2 and therefore rejected with the same references and citations.
Claim 16, “the system of claim 15, wherein the event comprises the connection request, and wherein the network address comprises a source internet protocol (IP) address of a connection” is similar to claim 2 and therefore rejected with the same references and citations.
Claims 3, 10, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Morello in view of Saffar in view of Wu in further view of Zeng
Claim 3, the combination may not explicitly teach the claim.
Zeng teaches “the method of claim 1, wherein the event comprises the file access request, and wherein the information comprises a file path includes the name of the container ([0078] Those syscalls are then sent to Mapper and Parser to generate: the mapping of host file path and container file path and the mapping of container file path and violation. The former is represented in <cid, HostFilePath, ContainerFilePaht> while the latter is represented in <cid, ContainerFilePath, Violation>. Specifically, (1) cid is the unique ID for each container; (2) HostFilePath is the full path for each file (for example /var/123456/usr/bin/ls) in host; (3) ContainerFilePath is the full path for each file (for example /bin/ls) in container; (4) Violation indicates the actions that break file integrity. Finally, Aggregator joins two mappings using the key cid and ContainerFilePath and then generates the output <cid, HostFilePath, Violation> which can be directly used by host FIM.)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Zeng with the teachings of Morello, Safar, Wu in order to provide a system that teaches an identifier may be included in a file path. The motivation for applying Zeng teaching with Morello, Safar, Wu teaching is to provide a system that allows for design choice. Morello, Safar, Wu, Zeng are analogous art directed towards system monitoring. Together Morello, Safar, Wu, Zeng teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Zeng with the teachings of Morello, Safar, Wu by known methods and gained expected results.
Claim 10, “the non-transitory computer readable medium of claim 8, wherein the event comprises the file access request, and wherein the information comprises a file path  includes the name of the container” is similar to claim 3 and therefore rejected with the same references and citations.
Claim 17, “the system of claim 15, wherein the event comprises the file access request, and wherein the information comprises a file path  includes the name of the container” is similar to claim 3 and therefore rejected with the same references and citations.
Claims 4, 11, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Morello in view of Saffar in view of Wu in view of Jeong and Thakkar
Claim 4, the combination may not explicitly teach the limitations.
Jeong teaches “the method of claim 1, wherein the information comprises a file path comprising the name of the container, and wherein the method further determining, by the agent whether a file associated with the event is an executable file by providing the file path to a service of an operating system (OS) of the virtual machine ([0017] Here, the hash table may store the hash value corresponding to a pre-installed executable file, and may further include at least one of identifier information for identifying the executable file or a path of the executable file. [0023] A security device that provides a security service according to an embodiment of the present disclosure includes a hash value manager that, if a hash value corresponding to an executable file is present in a hash table, calculates a hash value of the executable file, and compares the hash value found from the hash table and the calculated hash value, and if the found hash value and the calculated hash value are the same, determines to allow executing the executable file; and a host operating system file protector that, if an execution request for an executable file of a guest operating system or an executable file being executed in the guest operating system is detected, identifies whether the execution is possible through the hash value manager, and allows executing the executable file according to a result of determination.)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Jeong with the teachings of Morello, Safar, Wu in order to provide, as evidence, further queries can be provided to an OS based system for additional information. The motivation for applying Jeong teaching with Morello, Safar, Wu teaching is to provide a system that allows for situational awareness. Morello, Safar, Wu, Jeong are analogous art directed towards monitoring container environments. Together Morello, Safar, Wu, Jeong teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Jeong with the teachings of Morello, Safar, Wu by known methods and gained expected results. 
However, the combination may not explicitly teach the remaining limitations.
Thakkar teaches “determining, by the agent whether to check a white list for the file based on whether the file is an executable file ([0048] The computer 102 (container engine 110) may monitor execution of the (second) computer-readable program code in the isolated container 112 in any of a number of different manners. In some examples, the container engine may monitor known rules of code execution, acting in a fashion similar to malware analysis used by authors of some anti-malware. The container engine may therefore be aware of execution patterns that diverge from normal and well-known functions of an executable file (computer file) or an app reading a non -executable file (computer file). For example, an executable file is typically not known to capture central processing unit (CPU) interrupt service routines, become memory resident on termination, or overwrite portions of its virtual storage device. The container engine may maintain known normal behaviors of code executing on the computer. In various examples, this may be done by a brute force list, or an evolving data model trained with machine learning on known behaviors. [0057] If the container engine 110 finds a discrepancy with the normal known patterns (i.e. white list), it may flag the executable file as malicious software, and terminate the isolated container 112. The container engine may retain the potentially-infected, isolated container for further evaluation such as by vendor, developer or author of the anti-malware 118. The container engine may also alert the anti-malware 118 that a potentially suspect behavior was detected. In response, the anti-malware may take an appropriate remedial action. For example, the anti-malware may warn the user, quarantine the executable file and/or perform one or more other custom or configured remedial actions. The container engine may further delete or erase the isolated container after execution of the executable file in the isolated container.)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Thakkar with the teachings of Morello, Safar, Wu, Jeong in order to provide, as evidence, utilizing a whitelist. The motivation for applying Thakkar teaching with Morello, Safar, Wu, Jeong teaching is to provide a system that allows for situational awareness. Morello, Safar, Wu, Jeong, Thakkar are analogous art directed towards monitoring container environments. Together Morello, Safar, Wu, Jeong, Thakkar teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Thakkar with the teachings of Morello, Safar, Wu, Jeong by known methods and gained expected results. 
Claim 11, “the non-transitory computer readable medium of claim 8, wherein the information comprises a file path comprising the name of the container, and wherein the method further comprises: determining, by the agent whether a file associated with the event is an executable file by providing the file path to a service of an operating system (OS) of the virtual machine; and determining, by the agent whether to check a white list for the file based on whether the file is an executable file” is similar to claim 4 and therefore rejected with the same references and citations.
Claim 18, “the system of claim 15, wherein the information comprises a file path comprising the name of the container, and wherein the method further comprises: determining, by the agent whether a file associated with the event is an executable file by providing the  file path to a service of an operating system (OS) of the virtual machine; and determining, by the agent whether to check a white list for the file based on whether the file is an executable file” is similar to claim 4 and therefore rejected with the same references and citations.
Claims 5, 12, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Morello in view of Saffar in view of Wu in view of Liang and Goel
Claim 5, the combination may not explicitly teach the limitations.
Liang teaches “the method of claim 1, wherein determining the comprises acquiring, by a user identifier related to the container from the container mapping information based on the address ([Col. 70, Lines 32-44] “In the illustrated embodiment, the data intake and query system 108 generates field-value pairs for at least the container ID and name, namespace ID and name, pod ID and name, based on the characteristics obtained by the data adapter 1802. Furthermore, in some embodiments, the data intake and query system 108 generate field-value pairs for the host, source, and sourcetype based on the characteristics obtained by the data adapter 1802. For example, as shown in FIGS. 19 and 20A, the source, sourcetype, pod name, namespace name, container name, and container ID can all be derived from the path 1908. Using the above-identified field value pairs a user can filter or analyze events to identify related events more easily.” [Col. 60, Lines 1- 9] “In certain embodiments, the data adapter 1802 (i.e. detector of Morello) can extract the data from the chunks of data or determine the relevant information about the isolated execution environment 1806 associated with the chunks of data using one or more rules, regex rules, transformers, etc. For example, different isolated execution environment managers 1804 can generate and store chunks of data differently or in various formats or structures. Accordingly, the data adapter 1802 can identify and use different regex rules to parse chunks of data based on the format or structure of the chunks of data, based on an identifier or characteristic of the isolated execution environment manager 1804 that generated or is associated with the chunk of data.”)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Liang with the teachings of Morello, Safar, Wu in order to provide, as evidence, further queries can be provided including user ID. The motivation for applying Liang teaching with Morello, Safar, Wu teaching is to provide a system that allows for design choice. Morello, Safar, Wu, Liang are analogous art directed towards monitoring container environments. Together Morello, Safar, Wu, Liang teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Liang with the teachings of Morello, Safar, Wu by known methods and gained expected results. 
However, the combination may not explicitly teach the remaining limitations.
Goel teaches “wherein the user identifier is used in determining whether to block or allow the action related to the event ([0005] In one embodiment, a method for running applications on a multi-tenant container platform may include (1) receiving, at a host administrator service on a container host computing device and via a host administrator service socket handle, a request for a privileged operation from an application running in a non-privileged container, (2) performing, based on a user identifier of the application, a security check of a user associated with the application, (3) comparing, when the security check results in approval, a process identifier of the requested privileged operation against a whitelist of permitted operations to determine the requested privileged operation is permissible, and (4) initiating running, when the requested privileged operation is permissible, the requested privileged operation.)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Goel with the teachings of Morello, Safar, Wu, Liang in order to provide, as evidence, events of Morello may be further compared against user privileges. The motivation for applying Goel teaching with Morello, Safar, Wu, Liang, teaching is to provide a system that allows for permitting certain events. Morello, Safar, Wu, Liang, Goel are analogous art directed towards monitoring container environments. Together Morello, Safar, Wu, Liang, Goel teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Goel with the teachings of Morello, Safar, Wu, Liang by known methods and gained expected results. 
Claim 12, “the non-transitory computer readable medium of claim 8, wherein determining the comprises acquiring, by the agent a user identifier related to the container from the container mapping information based on the address, wherein the user identifier is used in determining whether to block or allow the action related to the event” is similar to claim 5 and therefore rejected with the same references and citations.
Claim 19, “the system of claim 15, wherein determining the  comprises acquiring, by the a user identifier related to the container from the container mapping information based on the address, wherein the user identifier is used in determining whether to block or allow the action related to the event” is similar to claim 5 and therefore rejected with the same references and citations.
Claims 7, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Morello in view of Saffar in view of Wu in view of Goel
Claim 7, Goel  teaches “the method of claim 1, wherein determining, by the agent based on the whether to block or allow the action related to the event comprises: determining, by the whether a process related to the event is present in a white list; if the process is present in the white list, determining to allow the action; and if the process is not present in the white list, determining to block the action ([0047] As illustrated in FIG. 3, at step 314 one or more of the systems described herein may compare, when security checks results in approvals, process identifiers of requested privileged operations against whitelists of permitted operations to determine requested privileged operations are permissible. The systems described herein may perform step 314 in a variety of ways. For example, comparing module 108 may, as part of server 206 in FIG. 2, compare, when the security check results in approval, a PID of a requested privileged operation in request 127 against whitelist 128 of permitted operations to determine the requested privileged operation in request 127 is permissible. In embodiments, comparing module 108 declines request 127 if a requested privileged operation in request 127 is not on whitelist 128, and otherwise proceeds. Further, target containers may be identified using PIDs.)”.
Rationale of claim 5 is applied here.
Claim 14, “the non-transitory computer readable medium of claim 8, wherein determining, by the agent based on the whether to block or allow the action related to the event comprises: determining, by the whether a process related to the event is present in a white list; if the process is present in the white list, determining to allow the action; and if the process is not present in the white list, determining to block the action” is similar to claim 7 and therefore rejected with the same references and citations.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WYNUEL S AQUINO whose telephone number is (571)272-7478. The examiner can normally be reached 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on 571-272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/WYNUEL S AQUINO/Primary Examiner, Art Unit 2199