DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
The present office action is responsive to the communication filed on 11/26/2025. Claims 1, 8, and 15 have been amended. Claims 2, 9, and 16 have previously been cancelled. Claims 1, 3, 5, 7, 8, 10-15, and 17-20 are currently pending.
Applicant’s arguments filed on 11/26/2025, with respect to the rejections of claims 1-5, 8-12, and 15-19 under 35 USC 103 over Singh et al. (US PGPub No. 20200278948-A1) in view of Kim et al. (US PGPub No. 20230156018-A1), Godowski et al. (US PGPub No. 20180365418-A1), and Bivans et al. (US PGPub No. 20230351010-A1) with the amended limitations, as seen in pages 9-13 of the Remarks, have been fully considered and are persuasive. Therefore, the rejections have been withdrawn. However, upon further consideration, a new ground of rejection is made in view of Degioanni et al. (US PGPub No. 20160373327-A1) and Onoue et al. (US PGPub No. 20230133971-A1).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1, 3, 4, 5, 8, 10, 11, 12, 15, 17, 18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US PGPub No. 20200278948-A1) in view of Degioanni et al. (US PGPub No. 20160373327-A1), Kim et al. (US PGPub No. 20230156018-A1), Onoue et al. (US PGPub No. 20230133971-A1), and Bivans et al. (US PGPub No. 20230351010-A1).
With respect to claim 1, Singh teaches a method comprising: (¶0081: The one or more programs may be configured to implement the various processes, algorithms, methods, techniques, etc. described herein.).
acquiring, at a first time using one or more programs executing in a kernel space of an operating system, (¶0012: The host can be a user device having an agent operating thereon to perform the determining. The host can be any of a server, virtual machine, and a container. The cloud service can include microsegmentation of the host. The cloud service can be configured to match a unique identifier of the host of host with the fingerprint for the enrollment and management. The plurality of hardware parameters can be obtained through any of assembly code and operating system. ¶0249: The agent, residing partially in the kernel, hooks into attempts to send and read from the network. The agent can send related information to the cloud-based system, so we can understand what’s happening on the network; also, after policies have started being enforced, the agent receives those policies and then can prevent other apps from sending and receiving from certain other hosts, as the policies direct.).
first fingerprinting data (¶0246: In an embodiment, the network can include cryptographic identity of workloads for identifying communications, authorizing communications, etc. The cryptographic identity is used to verify software and / or machine identity, i.e., the identity of the application and the identity of the devices, hosts. The cryptographic identity can be referred to as a device or application fingerprint. Importantly, the cryptographic identity is based on multiple characteristics to ensure unique identification and prevent spoofing. As seen in Table 11 (below ¶0246), the cryptographic identity can be based on process identifiers.) associated with a target application process in a user space of the operating system responsive to detecting an execution of the target application process, (¶0247: Also, the cryptographic identity can include values based on Software Reputation, Behavioral Scoring, Capabilities, and the like. Figure 25 is the block diagram of two systems communicating with one another and their example cryptographic identities, i.e., fingerprints);
sharing, by a processing device (¶0077: As seen in Figure 2, the data inspection engines 116, processing node manager 118, authority node manager 128, user interface manager 132, logging node manager 148, and authority agent 180 may be realized by instructions that upon execution cause one or more processing devices to carry out the processes and functions described above.) using the one or more programs, the first fingerprinting data with a user space monitoring application executing in the user space of the operating system; (¶0251: In this manner, the various fingerprinting techniques described herein can be used to uniquely identify a host on which the agent (application 600 as seen in Figure 6) is operating on, and this unique fingerprint can be used by cloud-shared by the cloud-based system 100 (sharing) , as seen in Figure 1, to manage the device, assign policy, and the like).
Singh does not disclose:
the first fingerprinting data comprising mount namespace information associated with the target application process with a first mount namespace;
However, Degioanni teaches:
the first fingerprinting data comprising mount namespace information associated with the target application process with a first mount namespace; (¶0053-0054: As seen in Figure 1, first namespace(s) 102 constrains first application process 104. Example namespaces include process identifier (PID) namespaces, network namespaces, and mount namespaces. First programmatic container 100 includes first namespace(s) 102. Thus, if first namespace(s) 102 includes a PID namespace and first programmatic container 100 is migrated, then first application program process 104 continues to be referenced as PID 1).
It would have been obvious, before the effective filing date, to modify Singh’s fingerprinting method to substitute and/or augment Singh’s fingerprint fields (e.g., process identifiers and other fingerprint attributes) with Degioanni’s mount namespace identifier, such that the first fingerprinting data includes mount namespace information associating the target application process with a first mount namespace, because both process identifiers and namespace identifiers were known in the art as process-context identifiers and a person of ordinary skill would have recognized that using a mount namespace identifier in the fingerprint is a predictable variation that improves the precision and efficiency of monitoring containerized applications and their execution environments (Degioanni ¶0007).
Singh in view of Degioanni does not disclose:
acquiring, by the user space monitoring application, second fingerprinting data associated with the target application process at a second time;
determining, using the user space monitoring application, a validity of the hash value based on the fingerprinting data by comparing the first fingerprint data with the second fingerprint data,
However, Kim teaches:
acquiring, by the user space monitoring application, second fingerprinting data associated with the target application process at a second time; (¶0083: The derived electronic file generation apparatus 300 may generate a second identifier for a device together with a derived electronic fingerprint of a derived electronic file, and transmit the second identifier together with the derived electronic fingerprint to the electronic fingerprint management apparatus 100. The electronic fingerprint management apparatus 100 may receive the derived electronic fingerprint and the second identifier, and store the derived electronic fingerprint and the second identifier in the memory unit RM to be mapped to each other.).
determining, using the user space monitoring application, a validity of the hash value based on the fingerprinting data by comparing the first fingerprint data with the second fingerprint data, (¶0095: For example, when the electronic file linked to the electronic fingerprint management apparatus 100 is an electronic file of a contract image, whether the authenticity of the contract image of the linked electronic file may be quickly verified by generating a hash value of the contract image and comparing the hash value with that stored in the electronic fingerprint management apparatus 100.).
It would have been obvious, before the effective filing date, to modify Singh in view of Degioanni such that the user-space monitoring application acquires second fingerprinting data associated with the same target application at a later time and determines a validity of a hash value by comparing the first and second fingerprinting data, as taught by Kim, to yield the predictable result of verifying the authenticity and integrity of the monitored application file using a known re-fingerprinting and comparison technique applied to the application files monitored in the Singh–Degioanni system.
Singh in view of Degioanni and Kim does not disclose:
generating a hash value of a target application file associated with the target application process by switching the user space monitoring application to the first mount namespace based on the mount namespace information and accessing the target application file in the first mount namespace; and
Onoue teaches:
generating a hash value of a target application file associated with the target application process by switching the user space monitoring application to the first mount namespace based on the mount namespace information and accessing the target application file in the first mount namespace; and (¶0061-0073: Figure 9 demonstrates that when the script 1-1 is executed and attempts to access the file F2, the FUSE driver 5a captures (hooks) this access (S11) and notifies the control program 7 of capture information such as the name of the script that performed the access, the file name of the access target, and the like (S12). When the acquired execution path name is registered in the policy 7b (S109: Yes), the control program 7 reads the file of the execution path name and calculates the hash value of the corresponding program (S110).);
It would have been obvious to a person having ordinary skill in the art, before the effective filing date, to modify the combined teaching of Singh in view of Degioanni and Kim by further configuring the user-space monitoring application to, upon identifying the target application and its associated mount namespace from the fingerprinting data, access the corresponding target application file and generate a hash value for that file as taught by Onoue’s control program that intercepts file access and calculates a hash of the accessed program, thereby applying a known hashing-on-access technique to the monitored application files in the Singh–Degioanni–Kim system according to known methods to yield the predictable result of generating a file hash for the identified application file in its mount-namespace context for integrity verification.
Singh in view of Degioanni, Kim, and Onoue does not disclose:
wherein the validity of the hash value indicates whether the hash value is a correct representation of instructions executing in the target application process.
However, Bivans teaches:
wherein the validity of the hash value indicates whether the hash value is a correct representation of instructions executing in the target application process. (¶0152: Additionally or alternatively, the security agent can access a configuration profile defining a security policy defining a periodic verification of an application—based on other validation information, such as a cryptographic hash value, associated with a valid set of instructions representing the application—at the predefined time interval (or another time interval) during runtime execution of the application. The security agent can: periodically calculate a value based on a cryptographic hash of the application; and execute the action in response to detecting a difference between the value and the cryptographic hash value.)
It would have been obvious to a person having ordinary skill in the art, before the effective filing date, to modify the combined teaching of Singh in view of Degioanni, Kim, and Onoue by further configuring the user-space monitoring application to interpret the result of the comparison between the first and second fingerprinting data (including the generated hash value) as an indication of whether the hash value corresponds to a valid set of instructions for the monitored application, as taught by Bivans’ use of a cryptographic hash associated with a valid set of application instructions for runtime verification, thereby applying a known hash-based code-validation technique to the monitored application in the Singh–Degioanni–Kim–Onoue system according to known methods to yield the predictable result of detecting when the executing application’s instructions deviate from the expected valid instructions so as to prevent access violations and mitigate security vulnerabilities.
With respect to claim 3, the combination of Singh in view of Degioanni, Kim, Onoue, and Bivans teaches the method of claim 1 (see rejection of claim 1 above), wherein determining the validity of the hash value is based on a comparison of elements of the first fingerprinting data acquired at the first time with corresponding elements of the second fingerprinting data acquired at the second time. (Kim: ¶0013: Here, the original electronic fingerprint may include a first original electronic fingerprint generated by the original electronic file generation apparatus during the generation of the original electronic file, and a second original electronic fingerprint generated when the original electronic file generated by the original electronic file generation apparatus is changed or deleted. As further demonstrated in ¶0131 and Figure 5, when receiving the image copy authenticity verification request (S690), the electronic fingerprint managing apparatus generates an image hash value and image meta information regarding the image copy received from the court server and searches for the presence of the same image on the basis of the image hash value and image meta information stored in a database (S700, S710). The electronic fingerprint managing apparatus determines the authenticity of the image on the basis of whether the same image hash value as the image copy exists and transmits a result thereof to the court server (S720).).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Kim with regard to the validity of the hash value in the method of Singh in view of Degioanni, Onoue, and Bivans in order to ensure confidence in verification of the authenticity and integrity of data and effectively prevent illegal alteration and use of data, thereby ensuring objectivity and transparency of confidential information (Kim ¶0023).
With respect to claim 4, the combination of Singh in view of Degioanni, Kim, Onoue, and Bivans teaches the method of claim 1 (see rejection of claim 1 above), wherein the first fingerprinting data comprises at least one of: a file change time indicating when file contents of the target application file are changed; a device identifier (Singh: ¶0066: Such instances may include, for example, whether a given file has been virus scanned, whether content at a given URL has been scanned for inappropriate (e.g., pornographic) content, whether a given fingerprint matches any of a set of stored documents, and whether a checksum corresponds to any of a set of stored documents. ¶0129: The mobile admin (agent management cloud 606) performs inventory lookup with device fingerprints at the MDM server to authorize the user and the device 604 (step 806) as seen in Figure 16. Singh: ¶0246: The cryptographic identity is used to verify software and/or machine identity, i.e., the identity of the applications and the identity of the devices, hosts.) indicating a storage location of the target application file; a file inode number of the target application file; or a device mount count indicating a number of times a storage device with the device identifier was changed. (Kim ¶0127-0129: As seen in Figure 5, the image information processor generates and stores one or more image files (S620). When an image file is generated by the image information processor, an image hash value and additional information, including but not limited to, an image storing path, device identification information (IP address, MAC address, model name, installation apparatus, installation purpose) and image meta information (hash value generation date and time, and generation date and time, name, type, size, and generation coordinates of the image file) are generated together (S630). The image hash value may be transmitted together with at least one from the group consisting of an image storing path, device identification information, and image meta information.).
Although Singh mentions the fingerprinting data being correlated to the device identifier indicating an inventory and target application (implied by the use in ¶0066 and ¶0129), Singh does not explicitly disclose that the device identifier indicates a storage location of the target application file. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Kim with regard to second fingerprinting data in the method of Degioanni, Onoue, and Bivans in order to maintain protection while verifying the authenticity and integrity of newly introduced data (Kim ¶0002).
With respect to claim 5, the combination of Singh in view of Degioanni, Kim, Onoue, and Bivans teaches the method of claim 4 (see rejection of claim 4 above), further comprising: executing a second program of the one or more programs in the kernel space of the operating system (Singh: ¶0139-0141: Specifically, FIG. 19 illustrates activity between the client applications 864, the TUN interface 852, a UDP listening socket 862, a VPN listening socket 864, and the VPN/broker server 860. First, the client application 854 sends a DNS query for an internal domain (step 902). The TUN interface 852 receives the IP packet corresponding to the DNS request and changes the packet's destination to the UDP listening socket 862 and writes the packet back (step 904).) to maintain the device mount count indicating the number of times the storage device with the device identifier was changed. (Singh: ¶0146-0147: The client application listens for security critical events such as Operating System (OS) upgrades, abrupt geolocation changes, device information deviation, and changes in the installed application list, and updates the cloud-based security system. The cloud-based security system evaluates the changes and computes a new risk index for the device. Specifically, the cloud-based security system creates a device fingerprint and a risk index for the mobile device based on the nature of applications installed on the system, operating system vulnerabilities, anti-virus status, patch level, device configuration, and the like (maintain the device mount count indicating the number of times the storage device with the device identifier was changed). As seen in Figure 21, the multidimensional risk profiling process 1000 includes threat data management where the cloud-based security system collects information related to threats (step 1010)).
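The following is an added illustration of the method recited in claims 1, 3, 4 and 5 on a Linux host; it is not code from this office action or from any of the cited references (Singh, Degioanni, Kim, Onoue, Bivans). It assumes Linux procfs and setns(2): the kernel-space programs of claim 1 are approximated by reads of /proc/<pid>/ns/mnt and /proc/<pid>/exe, the device mount count of claim 5 is supplied by the caller rather than maintained by a kernel program, and the namespace switch requires CAP_SYS_ADMIN, so the offline walk-through in demo() exercises the fingerprint comparison and hashing without it. The Fingerprint fields follow claim 4 (change time, device identifier, inode number, mount count); the hash is SHA-256, which is a choice made here and not a value taken from the claims.

```python
"""Added illustration of claims 1, 3, 4 and 5 (not from the office action or the
cited references). Kernel-space programs are stood in for by procfs reads."""
from __future__ import annotations

import ctypes
import hashlib
import os
import tempfile
from dataclasses import dataclass, asdict

CLONE_NEWNS = 0x00020000  # setns(2) flag selecting a mount namespace (Linux uapi value)


@dataclass(frozen=True)
class Fingerprint:
    """Elements modelled on claim 4, plus the mount namespace and path from claim 1."""
    mnt_ns: str       # target of the /proc/<pid>/ns/mnt link, e.g. "mnt:[4026531841]"
    exe_path: str     # executable path as seen inside that mount namespace
    ctime_ns: int     # st_ctime_ns: when the file's contents or metadata last changed
    dev: int          # st_dev: device holding the file (storage location)
    inode: int        # st_ino: inode number of the file on that device
    mount_count: int  # times the device was (re)mounted; supplied by the caller here


def take_fingerprint(pid: int, mount_count: int) -> Fingerprint:
    """First/second acquisition of fingerprint data for a live process (Linux only)."""
    proc = f"/proc/{pid}"
    st = os.stat(f"{proc}/exe")  # stat follows the link to the real executable
    return Fingerprint(os.readlink(f"{proc}/ns/mnt"), os.readlink(f"{proc}/exe"),
                       st.st_ctime_ns, st.st_dev, st.st_ino, mount_count)


def sha256_file(path: str) -> str:
    """Hash value of the target application file, streamed in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_in_mount_namespace(pid: int, exe_path: str) -> str:
    """Switch into the target's mount namespace (setns(2); needs CAP_SYS_ADMIN and a
    single-threaded caller), hash exe_path as it resolves there, then switch back.
    Without the switch, exe_path would resolve against the monitor's own mounts."""
    libc = ctypes.CDLL(None, use_errno=True)
    own_fd = os.open("/proc/self/ns/mnt", os.O_RDONLY)
    target_fd = os.open(f"/proc/{pid}/ns/mnt", os.O_RDONLY)
    try:
        if libc.setns(target_fd, CLONE_NEWNS) != 0:
            raise OSError(ctypes.get_errno(), "setns into target mount namespace failed")
        try:
            return sha256_file(exe_path)
        finally:
            libc.setns(own_fd, CLONE_NEWNS)  # return to the monitor's own namespace
    finally:
        os.close(target_fd)
        os.close(own_fd)


def hash_validity(first: Fingerprint, second: Fingerprint) -> tuple[bool, list[str]]:
    """Claim 3: compare each element of the first fingerprint with the corresponding
    element of the second. The hash taken at the first time is treated as a valid
    representation of the running program only if no element changed in between."""
    a, b = asdict(first), asdict(second)
    changed = [k for k in a if a[k] != b[k]]
    return (not changed), changed


def demo() -> dict:
    """Offline walk-through on a constructed file: fingerprint and hash it, then
    swap a different file in under the same path (new inode) and re-fingerprint."""
    ns = "mnt:[constructed]"  # placeholder namespace id; no setns in the demo
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "target.bin")
        with open(path, "wb") as f:
            f.write(b"hello")  # constructed stand-in for the application file
        st = os.stat(path)
        first = Fingerprint(ns, path, st.st_ctime_ns, st.st_dev, st.st_ino, 1)
        first_hash = sha256_file(path)
        st = os.stat(path)  # second acquisition with nothing changed
        second = Fingerprint(ns, path, st.st_ctime_ns, st.st_dev, st.st_ino, 1)
        still_valid, _ = hash_validity(first, second)
        staged = os.path.join(d, "staged.bin")
        with open(staged, "wb") as f:
            f.write(b"hello, replaced")
        os.replace(staged, path)  # same path now resolves to a different inode
        st = os.stat(path)
        third = Fingerprint(ns, path, st.st_ctime_ns, st.st_dev, st.st_ino, 1)
        valid_after_swap, changed = hash_validity(first, third)
        return {"first_hash": first_hash, "still_valid": still_valid,
                "valid_after_swap": valid_after_swap, "changed": changed,
                "hash_after_swap": sha256_file(path)}


if __name__ == "__main__":
    print(demo())
```

The inode comparison is what catches the swap in demo(): a file renamed over the monitored path keeps its own inode, so the first fingerprint no longer matches even if the hash was never recomputed, which is the point of comparing fingerprint elements rather than re-reading the file alone. In a real deployment take_fingerprint() and hash_in_mount_namespace() would be called with the target's PID, and the mount count would come from the kernel-side program described in claim 5.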
With respect to claim 8, Singh teaches a system comprising: (¶0012-0013: In various embodiments, the present disclosure relates to systems and methods for fingerprinting to identify devices and applications for use in management and policy in the cloud.) memory; and a processing device, operatively coupled to the memory, to: (¶0017-0018: In another embodiment, a cloud node in a cloud-based security system, configured to provide network access control of a mobile device based on multidimensional risk profiling includes a network interface, a data store, and a processor communicatively coupled to one another; and memory storing computer executable instructions, and in response to execution by the processor, the computer-executable instructions cause the processor to receive posture data from the mobile device;).
acquire, at a first time using one or more programs executing in a kernel space of an operating system, (¶0012: The host can be a user device having an agent operating thereon to perform the determining. The host can be any of a server, virtual machine, and a container. The cloud service can include microsegmentation of the host. The cloud service can be configured to match a unique identifier of the host of host with the fingerprint for the enrollment and management. The plurality of hardware parameters can be obtained through any of assembly code and operating system. ¶0249: The agent, residing partially in the kernel, hooks into attempts to send and read from the network. The agent can send related information to the cloud-based system, so we can understand what’s happening on the network; also, after policies have started being enforced, the agent receives those policies and then can prevent other apps from sending and receiving from certain other hosts, as the policies direct.).
first fingerprinting data (¶0246: In an embodiment, the network can include cryptographic identity of workloads for identifying communications, authorizing communications, etc. The cryptographic identity is used to verify software and / or machine identity, i.e., the identity of the application and the identity of the devices, hosts. The cryptographic identity can be referred to as a device or application fingerprint. Importantly, the cryptographic identity is based on multiple characteristics to ensure unique identification and prevent spoofing. As seen in Table 11 (below ¶0246), the cryptographic identity can be based on process identifiers.) associated with a target application process in a user space of the operating system responsive to detecting an execution of the target application process, (¶0247: Also, the cryptographic identity can include values based on Software Reputation, Behavioral Scoring, Capabilities, and the like. Figure 25 is the block diagram of two systems communicating with one another and their example cryptographic identities, i.e., fingerprints).
share, using the one or more programs, (¶0077: As seen in Figure 2, the data inspection engines 116, processing node manager 118, authority node manager 128, user interface manager 132, logging node manager 148, and authority agent 180 may be realized by instructions that upon execution cause one or more processing devices to carry out the processes and functions described above.) the first fingerprinting data with a user space monitoring application executing in the user space of the operating system; (¶0251: In this manner, the various fingerprinting techniques described herein can be used to uniquely identify a host on which the agent (application 600 as seen in Figure 6) is operating on, and this unique fingerprint can be used by cloud-shared by the cloud-based system 100 (sharing) , as seen in Figure 1, to manage the device, assign policy, and the like).
Singh does not disclose:
the first fingerprinting data comprising mount namespace information associating the target application process with a first mount namespace;
However, Degioanni teaches:
the first fingerprinting data comprising mount namespace information associated with the target application process with a first mount namespace; (¶0053-0054: As seen in Figure 1, first namespace(s) 102 constrains first application process 104. Example namespaces include process identifier (PID) namespaces, network namespaces, and mount namespaces. First programmatic container 100 includes first namespace(s) 102. Thus, if first namespace(s) 102 includes a PID namespace and first programmatic container 100 is migrated, then first application program process 104 continues to be referenced as PID 1);
It would have been obvious, before the effective filing date, to modify Singh’s fingerprinting method to substitute and/or augment Singh’s fingerprint fields (e.g., process identifiers and other fingerprint attributes) with Degioanni’s mount namespace identifier, such that the first fingerprinting data includes mount namespace information associating the target application process with a first mount namespace, because both process identifiers and namespace identifiers were known in the art as process-context identifiers and a person of ordinary skill would have recognized that using a mount namespace identifier in the fingerprint is a predictable variation that improves the precision and efficiency of monitoring containerized applications and their execution environments (Degioanni ¶0007).
Singh in view of Degioanni does not disclose:
acquire, by the user space monitoring application, second fingerprinting data associated with the target application process at a second time; and
determine, using the user space monitoring application, a validity of the hash value based on the fingerprinting data by comparing the first fingerprint data with the second fingerprint data,
However, Kim teaches:
acquire, by the user space monitoring application, second fingerprinting data associated with the target application process at a second time; (¶0083: The derived electronic file generation apparatus 300 may generate a second identifier for a device together with a derived electronic fingerprint of a derived electronic file, and transmit the second identifier together with the derived electronic fingerprint to the electronic fingerprint management apparatus 100. The electronic fingerprint management apparatus 100 may receive the derived electronic fingerprint and the second identifier, and store the derived electronic fingerprint and the second identifier in the memory unit RM to be mapped to each other.).
and determine, using the user space monitoring application, a validity of the hash value based on the fingerprinting data by comparing the first fingerprint data with the second fingerprint data, (¶0095: For example, when the electronic file linked to the electronic fingerprint management apparatus 100 is an electronic file of a contract image, whether the authenticity of the contract image of the linked electronic file may be quickly verified by generating a hash value of the contract image and comparing the hash value with that stored in the electronic fingerprint management apparatus 100.).
It would have been obvious, before the effective filing date, to modify Singh in view of Degioanni such that the user-space monitoring application acquires second fingerprinting data associated with the same target application at a later time and determines a validity of a hash value by comparing the first and second fingerprinting data, as taught by Kim, to yield the predictable result of verifying the authenticity and integrity of the monitored application file using a known re-fingerprinting and comparison technique applied to the application files monitored in the Singh–Degioanni system.
Singh in view of Degioanni and Kim does not disclose:
generate a hash value of a target application file associated with the target application process by switching the user space monitoring application to the first mount namespace based on the mount namespace information and accessing the target application file in the first mount namespace;
However, Onoue teaches:
generate a hash value of a target application file associated with the target application process by switching the user space monitoring application to the first mount namespace based on the mount namespace information and accessing the target application file in the first mount namespace; (¶0061-0073: Figure 9 demonstrates that when the script 1-1 is executed and attempts to access the file F2, the FUSE driver 5a captures (hooks) this access (S11) and notifies the control program 7 of capture information such as the name of the script that performed the access, the file name of the access target, and the like (S12). When the acquired execution path name is registered in the policy 7b (S109: Yes), the control program 7 reads the file of the execution path name and calculates the hash value of the corresponding program (S110).);
It would have been obvious to a person having ordinary skill in the art, before the effective filing date, to modify the combined teaching of Singh in view of Degioanni and Kim by further configuring the user-space monitoring application to, upon identifying the target application and its associated mount namespace from the fingerprinting data, access the corresponding target application file and generate a hash value for that file as taught by Onoue’s control program that intercepts file access and calculates a hash of the accessed program, thereby applying a known hashing-on-access technique to the monitored application files in the Singh–Degioanni–Kim system according to known methods to yield the predictable result of generating a file hash for the identified application file in its mount-namespace context for integrity verification.
Singh in view of Degioanni, Kim, and Onoue does not disclose:
wherein the validity of the hash value indicates whether the hash value is a correct representation of instructions executing in the target application process.
However, Bivans teaches:
wherein the validity of the hash value indicates whether the hash value is a correct representation of instructions executing in the target application process. (¶0152: Additionally or alternatively, the security agent can access a configuration profile defining a security policy defining a periodic verification of an application—based on other validation information, such as a cryptographic hash value, associated with a valid set of instructions representing the application—at the predefined time interval (or another time interval) during runtime execution of the application. The security agent can: periodically calculate a value based on a cryptographic hash of the application; and execute the action in response to detecting a difference between the value and the cryptographic hash value.)
It would have been obvious to a person having ordinary skill in the art, before the effective filing date, to modify the combined teaching of Singh in view of Degioanni, Kim, and Onoue by further configuring the user-space monitoring application to interpret the result of the comparison between the first and second fingerprinting data (including the generated hash value) as an indication of whether the hash value corresponds to a valid set of instructions for the monitored application, as taught by Bivans’ use of a cryptographic hash associated with a valid set of application instructions for runtime verification, thereby applying a known hash-based code-validation technique to the monitored application in the Singh–Degioanni–Kim–Onoue system according to known methods to yield the predictable result of detecting when the executing application’s instructions deviate from the expected valid instructions so as to prevent access violations and mitigate security vulnerabilities.
With respect to claim 10, the combination of Singh in view of Degioanni, Kim, Onoue, and Bivans teaches the system of claim 8 (see rejection of claim 8 above), wherein to determine the validity of the hash value, the processing device is to compare elements of the first fingerprinting data acquired at the first time with corresponding elements of the second fingerprinting data acquired at the second time. (Kim: ¶0013: Here, the original electronic fingerprint may include a first original electronic fingerprint generated by the original electronic file generation apparatus during the generation of the original electronic file, and a second original electronic fingerprint generated when the original electronic file generated by the original electronic file generation apparatus is changed or deleted. And as further demonstrated in ¶0131 and Figure 5, when receiving the image copy authenticity verification request (S690), the electronic fingerprint managing apparatus generates an image hash value and image meta information regarding the image copy received from the court server and searches for the presence of the same image on the basis of the image hash value and image meta information stored in a database (S700, S710). The electronic fingerprint managing apparatus determines the authenticity of the image on the basis of whether the same image hash value as the image copy exists and transmits a result thereof to the court server (S720).).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Kim with regards to the validity of the hash value in the method of Singh in view of Degioanni, Onoue, and Bivans in order to ensure confidence in verification of the authenticity and integrity of data and effectively prevent illegal alteration and use of data, thereby ensuring the objectivity and transparency of confidential information (Kim ¶0023).
With respect to claim 11, the combination of Singh in view of Kim, Godowski, and Bivans teaches the system of claim 8 (see rejection of claim 8 above), wherein the first fingerprinting data comprises at least one of: a file change time indicating when file contents of the target application file are changed; a device identifier (Singh: ¶0066: Such instances may include, for example, whether a given file has been virus scanned, whether content at a given URL has been scanned for inappropriate (e.g., pornographic) content, whether a given fingerprint matches any of a set of stored documents, and whether a checksum corresponds to any of a set of stored documents. ¶0129: The mobile admin (agent management cloud 606) performs inventory lookup with device fingerprints at the MDM server to authorize the user and the device 604 (step 806) as seen in Figure 16. Singh: ¶0246: The cryptographic identity is used to verify software and/or machine identity, i.e., the identity of the applications and the identity of the devices, hosts.) indicating a storage location of the target application file; a file inode number of the target application file; or a device mount count indicating a number of times a storage device with the device identifier was changed. (Kim ¶0127-0129: As seen in Figure 5, the image information processor generates and stores one or more image files (S620). When an image file is generated by the image information processor, an image hash value and additional information, including but not limited to, an image storing path, device identification information (IP address, MAC address, model name, installation apparatus, installation purpose) and image meta information (hash value generation date and time, and generation date and time, name, type, size, and generation coordinates of the image file) are generated together (S630). 
The image hash value may be transmitted together with at least one from the group consisting of an image storing path, device identification information, and image meta information.).
Although Singh does mention the fingerprinting data being correlated to the device identifier indicating an inventory and target application (the implication of use in ¶0066 and ¶0129), Singh does not explicitly disclose that the device identifier indicates a storage location of the target application file. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Kim with regards to the second fingerprinting data in the method of Singh in view of Degioanni, Onoue, and Bivans in order to maintain protection while verifying the authenticity and integrity of newly introduced data (Kim ¶0002).
With respect to claim 12, the combination of Singh in view of Degioanni, Kim, Onoue, and Bivans teaches the system of claim 11 (see rejection of claim 11 above) but does not disclose wherein the processing device is further to: execute a second program of the one or more programs in the kernel space of the operating system (Singh: ¶0139-0141: Specifically, FIG. 19 illustrates activity between the client applications 864, the TUN interface 852, a UDP listening socket 862, a VPN listening socket 864, and the VPN/broker server 860. First, the client application 854 sends a DNS query for an internal domain (step 902). The TUN interface 852 receives the IP packet corresponding to the DNS request and changes the packet's destination to the UDP listening socket 862 and writes the packet back (step 904).) to maintain the device mount count indicating the number of times the storage device with the device identifier was changed. (Singh: ¶0146-0147: The client application listens for security critical events such as Operating System (OS) upgrades, abrupt geolocation changes, device information deviation, and changes in the installed application list, and updates the cloud-based security system. The cloud-based security system evaluates the changes and computes a new risk index for the device. Specifically, the cloud-based security system creates a device fingerprint and a risk index for the mobile device based on the nature of applications installed on the system, operating system vulnerabilities, anti-virus status, patch level, device configuration, and the like (maintain the device mount count indicating the number of times the storage device with the device identifier was changed). As seen in Figure 21, the multidimensional risk profiling process 1000 includes threat data management where the cloud-based security system collects information related to threats (step 1010)).
With respect to claim 15, Singh teaches a non-transitory computer-readable storage medium including instructions that, when executed by a processing device, cause the processing device to: (¶0253-0254: Moreover, some embodiments may include a non-transitory computer-readable storage medium having computer readable code stored thereon for programming a computer, server, appliance, device, processor, circuit, etc. each of which may include a processor to perform functions as described and claimed herein. When stored in the non-transitory computer readable medium, software can include instructions executable by a processor or device (e.g., any type of programmable circuitry or logic) that, in response to such execution, cause a processor or the device to perform a set of operations, steps, methods, processes, algorithms, functions, techniques, etc. as described herein for the various embodiments.).
acquire, at a first time using one or more programs executing in a kernel space of an operating system, (¶0012: The host can be a user device having an agent operating thereon to perform the determining. The host can be any of a server, virtual machine, and a container. The cloud service can include microsegmentation of the host. The cloud service can be configured to match a unique identifier of the host of host with the fingerprint for the enrollment and management. The plurality of hardware parameters can be obtained through any of assembly code and operating system. ¶0249: The agent, residing partially in the kernel, hooks into attempts to send and read from the network. The agent can send related information to the cloud-based system, so we can understand what’s happening on the network; also, after policies have started being enforced, the agent receives those policies and then can prevent other apps from sending and receiving from certain other hosts, as the policies direct.) first fingerprinting data (¶0246: In an embodiment the network can include cryptographic identity of workloads for identifying communications, authorizing communications, etc. The cryptographic identity is used to verify software and / or machine identity, i.e., the identity of the application and the identity of the devices, hosts. The cryptographic identity can be referred to as a device or application fingerprint. Importantly, the cryptographic identity is based on multiple characteristics to ensure unique identification and prevent spoofing. As seen in Table 11 (below ¶0246), the cryptographic identity can be based on process identifiers.) associated with a target application process in a user space of the operating system responsive to detecting an execution of the target application process, (¶0247: Also, the cryptographic identity can include values based on Software Reputation, Behavioral Scoring, Capabilities, and the like. 
Figure 25 is the block diagram of two systems communicating with one another and their example cryptographic identities, i.e., fingerprints).
share, by the processing device (¶0077: As seen in Figure 2, the data inspection engines 116, processing node manager 118, authority node manager 128, user interface manager 132, logging node manager 148, and authority agent 180 may be realized by instructions that upon execution cause one or more processing devices to carry out the processes and functions described above.) using the one or more programs, the first fingerprinting data with a user space monitoring application executing in the user space of the operating system; (¶0251: In this manner, the various fingerprinting techniques described herein can be used to uniquely identify a host on which the agent (application 600 as seen in Figure 6) is operating on, and this unique fingerprint can be used by cloud-shared by the cloud-based system 100 (sharing) , as seen in Figure 1, to manage the device, assign policy, and the like).
Singh does not disclose:
the first fingerprinting data comprising mount namespace information associating the target application process with a first mount namespace;
However, Degioanni teaches:
the first fingerprinting data comprising mount namespace information associating the target application process with a first mount namespace; (¶0053-0054: As seen in Figure 1, first namespace(s) 102 constrains first application process 104. Example namespaces include process identifier (PID) namespaces, network namespaces, and mount namespaces. First programmatic container 100 includes first namespace(s) 102. Thus, if first namespace(s) 102 includes a PID namespace and first programmatic container 100 is migrated, then first application program process 104 continues to be referenced as PID 1);
It would have been obvious, before the effective filing date, to modify Singh’s fingerprinting method to substitute and/or augment Singh’s fingerprint fields (e.g., process identifiers and other fingerprint attributes) with Degioanni’s mount namespace identifier, such that the first fingerprinting data includes mount namespace information associating the target application process with a first mount namespace, because both process identifiers and namespace identifiers were known in the art as process-context identifiers and a person of ordinary skill would have recognized that using a mount namespace identifier in the fingerprint is a predictable variation that improves the precision and efficiency of monitoring containerized applications and their execution environments (Degioanni ¶0007).
Singh in view of Degioanni does not disclose:
acquire, by the user space monitoring application, second fingerprinting data associated with the target application process at a second time;
determine, using the user space monitoring application, a validity of the hash value based on the fingerprinting data by comparing the first fingerprint data with the second fingerprint data,
However, Kim teaches:
acquire, by the user space monitoring application, second fingerprinting data associated with the target application process at a second time; (¶0083: The derived electronic file generation apparatus 300 may generate a second identifier for a device together with a derived electronic fingerprint of a derived electronic file, and transmit the second identifier together with the derived electronic fingerprint to the electronic fingerprint management apparatus 100. The electronic fingerprint management apparatus 100 may receive the derived electronic fingerprint and the second identifier, and store the derived electronic fingerprint and the second identifier in the memory unit RM to be mapped to each other.).
determine, using the user space monitoring application, a validity of the hash value based on the fingerprinting data by comparing the first fingerprint data with the second fingerprint data, (¶0095: For example, when the electronic file linked to the electronic fingerprint management apparatus 100 is an electronic file of a contract image, whether the authenticity of the contract image of the linked electronic file may be quickly verified by generating a hash value of the contract image and comparing the hash value with that stored in the electronic fingerprint management apparatus 100.).
It would have been obvious, before the effective filing date, to modify Singh in view of Degioanni such that the user-space monitoring application acquires second fingerprinting data associated with the same target application at a later time and determines a validity of a hash value by comparing the first and second fingerprinting data, as taught by Kim, to yield the predictable result of verifying the authenticity and integrity of the monitored application file using a known re-fingerprinting and comparison technique applied to the application files monitored in the Singh–Degioanni system.
Singh in view of Degioanni and Kim does not disclose:
generate a hash value of a target application file associated with the target application process by switching the user space monitoring application to the first mount namespace based on the mount namespace information and accessing the target application file in the first mount namespace; and
However, Onoue teaches:
generate a hash value of a target application file associated with the target application process by switching the user space monitoring application to the first mount namespace based on the mount namespace information and accessing the target application file in the first mount namespace; and (¶0061-0073: Figure 9 demonstrates that, when the script 1-1 is executed and attempts to access the file F2, the FUSE driver 5a captures (hooks) this access (S11) and notifies the control program 7 of capture information of the name script that has performed the access, the file name of the access target, and the like (S12). When the acquired execution path name is registered in the policy 7b (S109: Yes), the control program 7 reads the file of the execution path name and calculates the hash value of the corresponding program (S110).);
It would have been obvious to a person having ordinary skill in the art, before the effective filing date, to modify the combined teaching of Singh in view of Degioanni and Kim by further configuring the user-space monitoring application to, upon identifying the target application and its associated mount namespace from the fingerprinting data, access the corresponding target application file and generate a hash value for that file as taught by Onoue’s control program that intercepts file access and calculates a hash of the accessed program, thereby applying a known hashing-on-access technique to the monitored application files in the Singh–Degioanni–Kim system according to known methods to yield the predictable result of generating a file hash for the identified application file in its mount-namespace context for integrity verification.
Singh in view of Degioanni, Kim, and Onoue does not disclose:
wherein the validity of the hash value indicates whether the hash value is a correct representation of instructions executing in the target application process.
However, Bivans teaches:
wherein the validity of the hash value indicates whether the hash value is a correct representation of instructions executing in the target application process. (¶0152: Additionally or alternatively, the security agent can access a configuration profile defining a security policy defining a periodic verification of an application—based on other validation information, such as a cryptographic hash value, associated with a valid set of instructions representing the application—at the predefined time interval (or another time interval) during runtime execution of the application. The security agent can: periodically calculate a value based on a cryptographic hash of the application; and execute the action in response to detecting a difference between the value and the cryptographic hash value.)
It would have been obvious to a person having ordinary skill in the art, before the effective filing date, to modify the combined teaching of Singh in view of Degioanni, Kim, and Onoue by further configuring the user-space monitoring application to interpret the result of the comparison between the first and second fingerprinting data (including the generated hash value) as an indication of whether the hash value corresponds to a valid set of instructions for the monitored application, as taught by Bivans’ use of a cryptographic hash associated with a valid set of application instructions for runtime verification, thereby applying a known hash-based code-validation technique to the monitored application in the Singh–Degioanni–Kim–Onoue system according to known methods to yield the predictable result of detecting when the executing application’s instructions deviate from the expected valid instructions so as to prevent access violations and mitigate security vulnerabilities.
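The following Python sketch is an added illustration of the monitoring flow the claim 15 limitations describe; it is not code from the application or from any of the cited references. It assumes the fingerprint elements listed in claims 11 and 18 (file change time, device identifier, inode), reads the mount namespace identifier from /proc/<pid>/ns/mnt, and, instead of calling setns(2) to switch namespaces, reads the target file through /proc/<pid>/root, which Linux exposes as the root of the target's mount namespace (an assumption made so the sketch runs without elevated privileges). The kernel-maintained device mount count is left out. `demo()` builds a constructed scenario in a temporary directory: the file is fingerprinted and hashed, re-fingerprinted unchanged, then replaced by a different file, which invalidates the earlier hash.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fingerprint:
    """Fingerprinting data for a target application file: the elements named
    in claims 11/18 (change time, device identifier, inode) plus the mount
    namespace identifier that associates the process with its namespace."""
    ctime_ns: int            # st_ctime: when the file's contents/metadata last changed
    device_id: int           # st_dev: the storage device holding the file
    inode: int               # st_ino: inode number of the file
    mount_ns: Optional[str]  # e.g. "mnt:[4026531841]"; None when procfs is unavailable


def mount_namespace_of(pid: int) -> Optional[str]:
    """Mount-namespace identifier of a process, read from /proc/<pid>/ns/mnt
    (Linux only; None elsewhere or when the process cannot be inspected)."""
    try:
        return os.readlink(f"/proc/{pid}/ns/mnt")
    except OSError:
        return None


def path_in_mount_namespace(pid: int, path: str) -> str:
    """Assumption: rather than calling setns(2) on /proc/<pid>/ns/mnt, the
    monitor reads the file through /proc/<pid>/root, the root of the target's
    mount namespace as the kernel exposes it to an inspecting process."""
    return f"/proc/{pid}/root{path}"


def acquire_fingerprint(path: str, pid: Optional[int] = None) -> Fingerprint:
    """Acquire fingerprinting data for `path`; `pid` is the target process."""
    st = os.stat(path)
    ns = mount_namespace_of(pid) if pid is not None else None
    return Fingerprint(st.st_ctime_ns, st.st_dev, st.st_ino, ns)


def hash_file(path: str) -> str:
    """SHA-256 of the file contents, streamed so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def changed_elements(first: Fingerprint, second: Fingerprint) -> List[str]:
    """Compare each element of the first fingerprint with the corresponding
    element of the second; the result names the elements that differ."""
    return [name for name in ("ctime_ns", "device_id", "inode", "mount_ns")
            if getattr(first, name) != getattr(second, name)]


def hash_is_valid(first: Fingerprint, second: Fingerprint,
                  hash_value: str, path: str) -> bool:
    """Validity of the hash value generated at the first time: it still
    represents the file the process is executing only if no fingerprint
    element changed between the two acquisitions and the file still hashes
    to that value (a replaced or rewritten file fails both checks)."""
    if changed_elements(first, second):
        return False
    return hash_file(path) == hash_value


def demo() -> Dict[str, object]:
    """Constructed scenario: a target file that is fingerprinted, hashed,
    re-fingerprinted unchanged, then replaced by a different file."""
    pid = os.getpid()  # stands in for the target application process
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "app.bin")
    with open(target, "wb") as f:
        f.write(b"original program bytes")  # constructed sample content
    # Read through the target's mount-namespace root when procfs allows it.
    ns_path = path_in_mount_namespace(pid, target)
    try:
        os.stat(ns_path)
    except OSError:
        ns_path = target
    first = acquire_fingerprint(target, pid)
    hash_value = hash_file(ns_path)
    second = acquire_fingerprint(target, pid)
    unchanged_valid = hash_is_valid(first, second, hash_value, ns_path)
    # Replace the file (new inode, new contents) as a tampering stand-in.
    replacement = os.path.join(workdir, "app.new")
    with open(replacement, "wb") as f:
        f.write(b"modified program bytes")
    os.replace(replacement, target)
    third = acquire_fingerprint(target, pid)
    return {
        "unchanged_valid": unchanged_valid,
        "changed_after_replace": changed_elements(first, third),
        "replaced_valid": hash_is_valid(first, third, hash_value, ns_path),
        "hash_changed": hash_file(ns_path) != hash_value,
    }


if __name__ == "__main__":
    print(demo())
```

Reading through /proc/<pid>/root rather than switching namespaces keeps the monitor's own mount table untouched, which matters when the monitor inspects many containers in turn; a real implementation that uses setns(2) as the claim recites needs CAP_SYS_ADMIN and must switch back after hashing.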
With respect to claim 17, the combination of Singh in view of Degioanni, Kim, Onoue, and Bivans teaches a non-transitory computer-readable storage medium of claim 15 (see rejection of claim 15 above), wherein to determine the validity of the hash value, the processing device is to compare elements of the first fingerprinting data acquired at the first time with corresponding elements of the second fingerprinting data acquired at the second time. (Kim: ¶0013: Here, the original electronic fingerprint may include a first original electronic fingerprint generated by the original electronic file generation apparatus during the generation of the original electronic file, and a second original electronic fingerprint generated when the original electronic file generated by the original electronic file generation apparatus is changed or deleted. And as further demonstrated in ¶0131 and Figure 5, when receiving the image copy authenticity verification request (S690), the electronic fingerprint managing apparatus generates an image hash value and image meta information regarding the image copy received from the court server and searches for the presence of the same image on the basis of the image hash value and image meta information stored in a database (S700, S710). The electronic fingerprint managing apparatus determines the authenticity of the image on the basis of whether the same image hash value as the image copy exists and transmits a result thereof to the court server (S720).).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Kim with regards to the validity of the hash value in the method of Singh in view of Degioanni, Onoue, and Bivans in order to ensure confidence in verification of the authenticity and integrity of data and effectively prevent illegal alteration and use of data, thereby ensuring the objectivity and transparency of confidential information (Kim ¶0023).
With respect to claim 18, the combination of Singh in view of Degioanni, Kim, Onoue, and Bivans teaches a non-transitory computer-readable storage medium of claim 15 (see rejection of claim 15 above), wherein the first fingerprinting data comprises at least one of: a file change time indicating when file contents of the target application file are changed; a device identifier (Singh: ¶0066: Such instances may include, for example, whether a given file has been virus scanned, whether content at a given URL has been scanned for inappropriate (e.g., pornographic) content, whether a given fingerprint matches any of a set of stored documents, and whether a checksum corresponds to any of a set of stored documents. ¶0129: The mobile admin (agent management cloud 606) performs inventory lookup with device fingerprints at the MDM server to authorize the user and the device 604 (step 806) as seen in Figure 16. Singh: ¶0246: The cryptographic identity is used to verify software and/or machine identity, i.e., the identity of the applications and the identity of the devices, hosts.) indicating a storage location of the target application file; a file inode number of the target application file; or a device mount count indicating a number of times a storage device with the device identifier was changed. (Kim ¶0127-0129: As seen in Figure 5, the image information processor generates and stores one or more image files (S620). When an image file is generated by the image information processor, an image hash value and additional information, including but not limited to, an image storing path, device identification information (IP address, MAC address, model name, installation apparatus, installation purpose) and image meta information (hash value generation date and time, and generation date and time, name, type, size, and generation coordinates of the image file) are generated together (S630). 
The image hash value may be transmitted together with at least one from the group consisting of an image storing path, device identification information, and image meta information.).
Although Singh does mention the fingerprinting data being correlated to the device identifier indicating an inventory and target application (the implication of use in ¶0066 and ¶0129), Singh does not explicitly disclose that the device identifier indicates a storage location of the target application file. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Kim with regards to the second fingerprinting data in the method of Singh in view of Degioanni, Onoue, and Bivans in order to maintain protection while verifying the authenticity and integrity of newly introduced data (Kim ¶0002).
With respect to claim 19, the combination of Singh in view of Degioanni, Kim, Onoue, and Bivans teaches a non-transitory computer-readable storage medium of claim 18 (see rejection of claim 18 above) but does not disclose wherein the processing device is further to: execute a second program of the one or more programs in the kernel space of the operating system (Singh: ¶0139-0141: Specifically, FIG. 19 illustrates activity between the client applications 864, the TUN interface 852, a UDP listening socket 862, a VPN listening socket 864, and the VPN/broker server 860. First, the client application 854 sends a DNS query for an internal domain (step 902). The TUN interface 852 receives the IP packet corresponding to the DNS request and changes the packet's destination to the UDP listening socket 862 and writes the packet back (step 904).) to maintain the device mount count indicating the number of times the storage device with the device identifier was changed. (Singh: ¶0146-0147: The client application listens for security critical events such as Operating System (OS) upgrades, abrupt geolocation changes, device information deviation, and changes in the installed application list, and updates the cloud-based security system. The cloud-based security system evaluates the changes and computes a new risk index for the device. Specifically, the cloud-based security system creates a device fingerprint and a risk index for the mobile device based on the nature of applications installed on the system, operating system vulnerabilities, anti-virus status, patch level, device configuration, and the like (maintain the device mount count indicating the number of times the storage device with the device identifier was changed). As seen in Figure 21, the multidimensional risk profiling process 1000 includes threat data management where the cloud-based security system collects information related to threats (step 1010)).
Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US PGPub No. 20200278948-A1) in view of Degioanni et al. (US PGPub No. 20160373327-A1), Kim et al. (US PGPub No. 20230156018-A1), Onoue et al. (US PGPub No. 20230133971-A1), Bivans et al. (US PGPub No. 20230351010-A1), and Gopalakrishnan et al. (US PGPub No. 20230156018-A1).
With respect to claim 6, the combination of Singh in view of Degioanni, Kim, Onoue, and Bivans teaches the method of claim 1 (see rejection of claim 1 above), but does not disclose wherein sharing, by the processing device using the one or more programs, the first fingerprinting data with the user space monitoring application comprises transmitting a notification message to the user space monitoring application utilizing a notification channel.
However, Gopalakrishnan teaches wherein sharing, by the processing device using the one or more programs, the first fingerprinting data with the user space monitoring application comprises transmitting a notification message to the user space monitoring application utilizing a notification channel. (¶0099-0101: As seen in Figure 4, which illustrates a process for collecting attributes and distributing context-based service rules and/or mapping records defined for data messages associated with confidential information, in some embodiments. The process starts by receiving (at 410) notification of a file event from a GI agent executing on a machine on the host computer. As described above for the process 300, the notification, in some embodiments, is an event identifier associated with a set of attributes pertaining to the file event. The process collects (at 420) contextual attributes for the file event. As described above, the context engine, in some embodiments, directs the GI agent (i.e., the GI agent from which the original event notification was received) to collect from the OS modules additional process parameters that are associated with the process identifier (ID) that it received with the network event.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Gopalakrishnan with regards to the sharing of fingerprinting data in the method of Singh in view of Degioanni, Kim, Onoue, and Bivans in order to improve intrusion detection while maintaining the prevention of data loss (Gopalakrishnan ¶0001).
With respect to claim 13, the combination of Singh in view of Degioanni, Kim, Onoue, and Bivans teaches the system of claim 8 (see rejection of claim 8 above), but does not disclose wherein, to share, using the one or more programs, the first fingerprinting data with the user space monitoring application, the processing device is to transmit a notification message to the user space monitoring application utilizing a notification channel.
However, Gopalakrishnan teaches wherein, to share, using the one or more programs, the first fingerprinting data with the user space monitoring application, the processing device is to transmit a notification message to the user space monitoring application utilizing a notification channel. (¶0099-0101: As seen in Figure 4, which illustrates a process for collecting attributes and distributing context-based service rules and/or mapping records defined for data messages associated with confidential information, in some embodiments. The process starts by receiving (at 410) notification of a file event from a GI agent executing on a machine on the host computer. As described above for the process 300, the notification, in some embodiments, is an event identifier associated with a set of attributes pertaining to the file event. The process collects (at 420) contextual attributes for the file event. As described above, the context engine, in some embodiments, directs the GI agent (i.e., the GI agent from which the original event notification was received) to collect from the OS modules additional process parameters that are associated with the process identifier (ID) that it received with the network event.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Gopalakrishnan with regards to the sharing of fingerprinting data in the method of Singh in view of Degioanni, Kim, Onoue, and Bivans in order to improve intrusion detection while maintaining the prevention of data loss (Gopalakrishnan ¶0001).
With respect to claim 20, the combination of Singh in view of Degioanni, Kim, Onoue, and Bivans teaches a non-transitory computer-readable storage medium of claim 15 (see rejection of claim 15 above), but does not disclose wherein, to share, using the one or more programs, the first fingerprinting data with the user space monitoring application, the processing device is to transmit a notification message to the user space monitoring application utilizing a notification channel.
However, Gopalakrishnan teaches wherein, to share, using the one or more programs, the first fingerprinting data with the user space monitoring application, the processing device is to transmit a notification message to the user space monitoring application utilizing a notification channel. (¶0099-0101: As seen in Figure 4, which illustrates a process for collecting attributes and distributing context-based service rules and/or mapping records defined for data messages associated with confidential information, in some embodiments. The process starts by receiving (at 410) notification of a file event from a GI agent executing on a machine on the host computer. As described above for the process 300, the notification, in some embodiments, is an event identifier associated with a set of attributes pertaining to the file event. The process collects (at 420) contextual attributes for the file event. As described above, the context engine, in some embodiments, directs the GI agent (i.e., the GI agent from which the original event notification was received) to collect from the OS modules additional process parameters that are associated with the process identifier (ID) that it received with the network event.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Gopalakrishnan with regards to the sharing of fingerprinting data in the method of Singh in view of Degioanni, Kim, Onoue, and Bivans in order to improve intrusion detection while maintaining the prevention of data loss (Gopalakrishnan ¶0001).
Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US PGPub No. 20200278948-A1) in view of Degioanni et al. (US PGPub No. 20160373327-A1), Kim et al. (US PGPub No. 20230156018-A1), Onoue et al. (US PGPub No. 20230133971-A1), Bivans et al. (US PGPub No. 20230351010-A1), and Du et al. (US PGPub No. 20230095870-A1 ).
With respect to claim 7, the combination of Singh in view of Degioanni, Kim, Onoue, and Bivans teaches the method of claim 1 (see rejection of claim 1 above) but does not disclose wherein the one or more programs executing in the kernel space of the operating system execute within an extended Berkeley Packet Filter (eBPF) infrastructure.
However, Du teaches wherein the one or more programs executing in the kernel space of the operating system execute within an extended Berkeley Packet Filter (eBPF) infrastructure. (¶0121: Illustrated in Figure 7, as incoming packets arrive (710), they can be made available by the kernel for capture (e.g., via the Berkeley Packet Filter (BPF)). IoT server 134 performs a variety of tasks in conjunction with ring buffer 702.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Du with regard to the extended Berkeley Packet Filter (eBPF) infrastructure in the method of Singh in view of Degioanni, Kim, Onoue, and Bivans in order to preserve traffic corresponding to the most interesting flows and (e.g., if an alert triggers) to provide packets (e.g., as contextual information) for permanent storage and subsequent analysis (Du ¶0121).
With respect to claim 14, the combination of Singh in view of Degioanni, Kim, Onoue, and Bivans teaches the system of claim 8 (see rejection of claim 8 above), but does not disclose wherein the one or more programs executing in the kernel space of the operating system execute within an extended Berkeley Packet Filter (eBPF) infrastructure.
However, Du teaches wherein the one or more programs executing in the kernel space of the operating system execute within an extended Berkeley Packet Filter (eBPF) infrastructure. (¶0121: Illustrated in Figure 7, as incoming packets arrive (710), they can be made available by the kernel for capture (e.g., via the Berkeley Packet Filter (BPF)). IoT server 134 performs a variety of tasks in conjunction with ring buffer 702.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Du with regard to the extended Berkeley Packet Filter (eBPF) infrastructure in the system of Singh in view of Degioanni, Kim, Onoue, and Bivans in order to preserve traffic corresponding to the most interesting flows and (e.g., if an alert triggers) to provide packets (e.g., as contextual information) for permanent storage and subsequent analysis (Du ¶0121).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAYLOR P VU whose telephone number is (703)756-1218. The examiner can normally be reached MON - FRI (7:30 - 5:00).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Alexander Lagor, can be reached at (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/T.P.V./ Examiner, Art Unit 2437
/ALEXANDER LAGOR/ Supervisory Patent Examiner, Art Unit 2437