METADATA PROCESSING TECHNIQUES AND ARCHITECTURES FOR DATA PROTECTION

DETAILED ACTION This Office Action is in response to the application filed on 10/17/2024 having claims 1-20 pending. Claims 1-20 are examined and being considered on the merits. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Oath/Declaration The applicant’s oath/declaration has been reviewed by the examiner and is found to conform to the requirements prescribed in 37 C.F.R. 1.63. Specification The Specification filed on 10/17/2024 is accepted for examination purpose. Drawings The Drawings filed on 10/17/2024 are accepted for examination purpose. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Thrash et al. (US 2016/0164886) hereinafter Thrash in view of Serdy et al. (US 2020/0279004) hereinafter Serdy and further in view of Gukal et al. (US 2017/0214708) hereinafter Gukal. As per Claim 1, Thrash teaches a method comprising: processing input data to determine that the data is associated with a potential threat (Thrash, Parag. [0063-0064]; “FIG. 5 illustrates an example process 500 for analyzing threats, according to an embodiment of the present disclosure. In some embodiments, the threat analysis process 500 may be performed in whole or in part by the threat analysis system 108 described herein. For some embodiments, the process for analyzing data flows may perform more or less operations than what is illustrated in FIG. 5, and may perform the operations illustrated in FIG. 5 in an order different than the order shown. At block 502, bit stream data is received. Depending on the embodiment, the bit stream data may be received from a network device, or some other source of bit stream data. The bit stream data may be received by a threat analysis system described herein, such as the threat analysis system 108.”); interpreting the input data as a predetermined data type (Thrash, Parag. [0064]; “At block 502, bit stream data is received. Depending on the embodiment, the bit stream data may be received from a network device, or some other source of bit stream data. The bit stream data may be received by a threat analysis system described herein, such as the threat analysis system 108.”); [processing the input data using locality sensitive hashing to create a signature for the input data, the processing including processing the input data in groups of bytes with each group of bytes including a predetermined number of bytes]; comparing the signature to a plurality of signatures that are associated with one or more threats (Thrash, Parag. [0029]; “Computer data, such as bit stream data, can be analyzed using signature matching based on the aggregated threat signatures obtained from the plurality of threat signature sources. Sets of threat signatures from different threat signature sources can differ in the number threat signatures, the threats covered, and the threat signatures available for a given threat. In view of this, using the set of aggregated threat signatures to detect threats in computer data can increase the likelihood of detecting a threat over only using a single set of threat signatures from one threat signature source to detect threats.”), the comparing including: [comparing a first band of the signature with a first band of each of the plurality of signatures]; and [comparing a second band of the signature with a second band of each of the plurality of signatures]; [based on the comparing, determining a first matched signature from among the plurality of signatures that is similar to the signature]; identifying first threat data that is associated with the first matched signature (Thrash, Parag. [0003]; “The bit stream data is analyzed, based on the plurality of threat signatures, to detect a first threat in the bit stream data.” … Parag. [0042]; “The threat analysis system 108 may be configured to detect threats in the network traffic by first performing a signature-based threat analysis of the network traffic using the threat signatures aggregated from two or more of the threat signature sources 102.”); [retrieving first metadata for the first threat data, the first metadata indicating at least one of a category of the potential threat, an entity that created the potential threat, an entity that distributed the potential threat, a time when the potential threat was created, a platform targeted by the potential threat, a behavior of the potential threat, or a method used to propagate the potential threat]; and [based on the first metadata, providing information indicating that the input data is associated with the first metadata]. Thrash does not expressly teach: processing the input data using locality sensitive hashing to create a signature for the input data, the processing including processing the input data in groups of bytes with each group of bytes including a predetermined number of bytes; comparing a first band of the signature with a first band of each of the plurality of signatures; comparing a second band of the signature with a second band of each of the plurality of signatures; based on the comparing, determining a first matched signature from among the plurality of signatures that is similar to the signature; retrieving first metadata for the first threat data, the first metadata indicating at least one of a category of the potential threat, an entity that created the potential threat, an entity that distributed the potential threat, a time when the potential threat was created, a platform targeted by the potential threat, a behavior of the potential threat, or a method used to propagate the potential threat; and based on the first metadata, providing information indicating that the input data is associated with the first metadata. However, Serdy teaches: processing the input data using locality sensitive hashing to create a signature for the input data, the processing including processing the input data in groups of bytes with each group of bytes including a predetermined number of bytes (Serdy, Parag. [0016]; “The Minhashing technique provides a mechanism quickly estimate how similar two sets of data are by breaking a document into a collection of substrings known as a shingle (i.e., breaking data into a fixed length; breaking a document into 8-bit chunks, 8-shingles (or bytes) are generated to represent that data), calculate a hash value for every shingle to convert the substring into a number, then storing the minimum value of all the hash values. By repeating this with a set of different hash functions, a signature is built using the minimum hash value from all the hash functions applied to the document.” … Parag. [0025]; “Minhash signatures are then grouped using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc.”); comparing a first band of the signature with a first band of each of the plurality of signatures (Serdy, Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”. The system will then apply a Jaccard Similarity test (see above) to determine how similar the signatures are. Minhash signatures are then grouped using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc. When trying to find similar signatures, instead of applying the Jaccard similarity test to every signature already computed, the first step is to find signatures that have at least one matching set of values in a particular LSH band. When a new document is added, the algorithm looks for existing documents that have at least one band of the signature that matches the new document. If a match is found, the new document signature is compared to the entire signature of the matching document with the Jaccard similarity test. If it is within the threshold, the new document is given the same similarity group as the matching document.” … Parag. [0050]; “If the document is text based, all of the Minhash signatures for the same similarity group are retrieved (503) from the document store (504). The process then computes the Jaccard similarity between the Minhash signature of the requested document and the Minhash signatures of the other documents in the similarity group (506).”); and comparing a second band of the signature with a second band of each of the plurality of signatures (Serdy, Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”. The system will then apply a Jaccard Similarity test (see above) to determine how similar the signatures are. Minhash signatures are then grouped using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc. When trying to find similar signatures, instead of applying the Jaccard similarity test to every signature already computed, the first step is to find signatures that have at least one matching set of values in a particular LSH band. When a new document is added, the algorithm looks for existing documents that have at least one band of the signature that matches the new document. If a match is found, the new document signature is compared to the entire signature of the matching document with the Jaccard similarity test. If it is within the threshold, the new document is given the same similarity group as the matching document.” … Parag. [0050]; “If the document is text based, all of the Minhash signatures for the same similarity group are retrieved (503) from the document store (504). The process then computes the Jaccard similarity between the Minhash signature of the requested document and the Minhash signatures of the other documents in the similarity group (506).”); based on the comparing, determining a first matched signature from among the plurality of signatures that is similar to the signature (Serdy, Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”. The system will then apply a Jaccard Similarity test (see above) to determine how similar the signatures are. Minhash signatures are then grouped using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc. When trying to find similar signatures, instead of applying the Jaccard similarity test to every signature already computed, the first step is to find signatures that have at least one matching set of values in a particular LSH band. When a new document is added, the algorithm looks for existing documents that have at least one band of the signature that matches the new document. If a match is found, the new document signature is compared to the entire signature of the matching document with the Jaccard similarity test. If it is within the threshold, the new document is given the same similarity group as the matching document.” … Parag. [0050]; “If the document is text based, all of the Minhash signatures for the same similarity group are retrieved (503) from the document store (504). The process then computes the Jaccard similarity between the Minhash signature of the requested document and the Minhash signatures of the other documents in the similarity group (506).”); Thrash and Serdy are from similar field of technology. Prior to the instant application’s effective filling date, there was a need for providing a signature-based method to detect potential threats. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Serdy system into Thrash system, with a motivation to provide a method that compares minhash signature bands to identify a similarity between a plurality of signatures (Serdy, Parag. [0025]). The combination of Thrash and Serdy does not expressly teach: retrieving first metadata for the first threat data, the first metadata indicating at least one of a category of the potential threat, an entity that created the potential threat, an entity that distributed the potential threat, a time when the potential threat was created, a platform targeted by the potential threat, a behavior of the potential threat, or a method used to propagate the potential threat; and based on the first metadata, providing information indicating that the input data is associated with the first metadata. However, Gukal teaches: retrieving first metadata for the first threat data, the first metadata indicating at least one of a category of the potential threat, an entity that created the potential threat, an entity that distributed the potential threat, a time when the potential threat was created, a platform targeted by the potential threat, a behavior of the potential threat, or a method used to propagate the potential threat (Gukal, Parag. [0227]; “The attack pattern detector 1206 may monitor and/or analyze the collected data 1204a-1204c (i.e., input data) to determine whether a network abnormality has occurred or is occurring. In many cases, a network abnormality may fall within acceptable network usage. In other cases, the network abnormality may indicate a potential network threat.” … Parag. [0238]; “The process 1306 may receive new alert data 1304 (i.e., metadata). The new alert data 1304 may include information about a network abnormality that may be a threat to the network. The new alert data 1304 may include information such as a possible identity of the source of the threat, what the nature of the threat appears to be, when the threat began or occurred, and/or where the threat occurred in the site network.”); and based on the first metadata, providing information indicating that the input data is associated with the first metadata (Gukal, Parag. [0227]; “The attack pattern detector 1206 may monitor and/or analyze the collected data 1204a-1204c (i.e., input data) to determine whether a network abnormality has occurred or is occurring. In many cases, a network abnormality may fall within acceptable network usage. In other cases, the network abnormality may indicate a potential network threat.” … Parag. [0238]; “The process 1306 may receive new alert data 1304. The new alert data 1304 (i.e., metadata) may include information about a network abnormality that may be a threat to the network. The new alert data 1304 may include information such as a possible identity of the source of the threat, what the nature of the threat appears to be, when the threat began or occurred, and/or where the threat occurred in the site network.”). Thrash, Serdy and Gukal are from similar field of technology. Prior to the instant application’s effective filling date, there was a need for providing a signature-based method to detect potential threats. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gukal system into Thrash-Serdy system, with a motivation to provide information of the detected threat (Gukal, Parag. [0238]). As per claim 2, the combination of Thrash, Serdy and Gukal teach the method of claim 1. Serdy teaches wherein the signature includes a predetermined number of values (Serdy, Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”. The system will then apply a Jaccard Similarity test (see above) to determine how similar the signatures are. Minhash signatures are then grouped using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc. When trying to find similar signatures, instead of applying the Jaccard similarity test to every signature already computed, the first step is to find signatures that have at least one matching set of values in a particular LSH band. When a new document is added, the algorithm looks for existing documents that have at least one band of the signature that matches the new document. If a match is found, the new document signature is compared to the entire signature of the matching document with the Jaccard similarity test. If it is within the threshold, the new document is given the same similarity group as the matching document.”). As per claim 3, the combination of Thrash, Serdy and Gukal teach the method of claim 1. Thrash teaches wherein the input data is binary data (Thrash, Parag. [0064]; “At block 502, bit stream data is received. Depending on the embodiment, the bit stream data may be received from a network device, or some other source of bit stream data. The bit stream data may be received by a threat analysis system described herein, such as the threat analysis system 108.”). As per claim 4, the combination of Thrash, Serdy and Gukal teach the method of claim 1. Serdy teaches further comprising: determining that the first band of the signature does not match the first band of each of the plurality of signatures (Serdy, Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”. The system will then apply a Jaccard Similarity test (see above) to determine how similar the signatures are. Minhash signatures are then grouped using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc. When trying to find similar signatures, instead of applying the Jaccard similarity test to every signature already computed, the first step is to find signatures that have at least one matching set of values in a particular LSH band. When a new document is added, the algorithm looks for existing documents that have at least one band of the signature that matches the new document. If a match is found, the new document signature is compared to the entire signature of the matching document with the Jaccard similarity test. If it is within the threshold, the new document is given the same similarity group as the matching document.”); wherein the comparing the second band of the signature with the second band of each of the plurality of signatures is performed in response to determining that the first band of the signature does not match the first band of each of the plurality of signatures (Serdy, Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”. The system will then apply a Jaccard Similarity test (see above) to determine how similar the signatures are. Minhash signatures are then grouped using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc. When trying to find similar signatures, instead of applying the Jaccard similarity test to every signature already computed, the first step is to find signatures that have at least one matching set of values in a particular LSH band. When a new document is added, the algorithm looks for existing documents that have at least one band of the signature that matches the new document. If a match is found, the new document signature is compared to the entire signature of the matching document with the Jaccard similarity test. If it is within the threshold, the new document is given the same similarity group as the matching document.” Examiner submits that under the Broadest Reasonable Interpretation (BRI), a comparison involves evaluating whether the compared values match or do not match. Thus, examiner interprets the feature, from citation, “at least one matching set of values in a particular LSH band (first or second)” comprises obtaining a not match result and moves to next band until a match is obtained as a result of the comparison.). As per claim 5, the combination of Thrash, Serdy and Gukal teach the method of claim 1. Serdy teaches further comprising: based on the comparing, determining a second matched signature from among the plurality of signatures that is similar to the signature (Serdy, Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”. The system will then apply a Jaccard Similarity test (see above) to determine how similar the signatures are. Minhash signatures are then grouped using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc. When trying to find similar signatures, instead of applying the Jaccard similarity test to every signature already computed, the first step is to find signatures that have at least one matching set of values in a particular LSH band. When a new document is added, the algorithm looks for existing documents that have at least one band of the signature that matches the new document. If a match is found, the new document signature is compared to the entire signature of the matching document with the Jaccard similarity test. If it is within the threshold, the new document is given the same similarity group as the matching document.” Examiner submits that under the Broadest Reasonable Interpretation (BRI), a comparison involves evaluating whether the compared values match or do not match. Thus, examiner interprets the feature, from citation, “at least one matching set of values in a particular LSH band (first or second)” comprises obtaining a not match result and moves to next band until a match is obtained as a result of the comparison.); In addition, Thrash teaches: identifying second threat data that is associated with the second matched signature (Thrash, Abstract; “The threat analysis log data is analyzed to detect a second threat in the bit stream data.” … Parag. [0007]; “In an embodiment, a user is notified regarding the first threat or the second threat when identified.”); and Finally, Gukal teaches: retrieving second metadata for the second threat data (Gukal, Parag. [0008]; “In an embodiment, the first threat and the second threat are similar.” … Parag. [0227]; “The attack pattern detector 1206 may monitor and/or analyze the collected data 1204a-1204c (i.e., input data) to determine whether a network abnormality has occurred or is occurring. In many cases, a network abnormality may fall within acceptable network usage. In other cases, the network abnormality may indicate a potential network threat.” … Parag. [0238]; “The process 1306 may receive new alert data 1304 (i.e., metadata). The new alert data 1304 may include information about a network abnormality that may be a threat to the network. The new alert data 1304 may include information such as a possible identity of the source of the threat, what the nature of the threat appears to be, when the threat began or occurred, and/or where the threat occurred in the site network.” Examiner submits that is an obvious design applying the same method to first or second data.); wherein the information is based on the second metadata (Gukal, Parag. [0008]; “In an embodiment, the first threat and the second threat are similar.” … Parag. [0227]; “The attack pattern detector 1206 may monitor and/or analyze the collected data 1204a-1204c (i.e., input data) to determine whether a network abnormality has occurred or is occurring. In many cases, a network abnormality may fall within acceptable network usage. In other cases, the network abnormality may indicate a potential network threat.” … Parag. [0238]; “The process 1306 may receive new alert data 1304 (i.e., metadata). The new alert data 1304 may include information about a network abnormality that may be a threat to the network. The new alert data 1304 may include information such as a possible identity of the source of the threat, what the nature of the threat appears to be, when the threat began or occurred, and/or where the threat occurred in the site network.”). As per claim 6, the combination of Thrash, Serdy and Gukal teach the method of claim 1, Serdy teaches wherein the first band includes a predetermined number of values in the signature (Serdy, Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”. The system will then apply a Jaccard Similarity test (see above) to determine how similar the signatures are. Minhash signatures are then grouped using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc. When trying to find similar signatures, instead of applying the Jaccard similarity test to every signature already computed, the first step is to find signatures that have at least one matching set of values in a particular LSH band. When a new document is added, the algorithm looks for existing documents that have at least one band of the signature that matches the new document. If a match is found, the new document signature is compared to the entire signature of the matching document with the Jaccard similarity test. If it is within the threshold, the new document is given the same similarity group as the matching document.”). As per claim 7, the combination of Thrash, Serdy and Gukal teach the method of claim 1. Serdy teaches wherein the predetermined data type is a character (Serdy, Parag. [0016]; “The Minhashing technique provides a mechanism quickly estimate how similar two sets of data are by breaking a document into a collection of substrings known as a shingle (i.e., breaking data into a fixed length; breaking a document into 8-bit chunks, 8-shingles (or bytes) are generated to represent that data), calculate a hash value for every shingle to convert the substring into a number, then storing the minimum value of all the hash values. By repeating this with a set of different hash functions, a signature is built using the minimum hash value from all the hash functions applied to the document.” … Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”.”). As per claim 8, the combination of Thrash, Serdy and Gukal teach the method of claim 1. Thrash teaches wherein the input data is initially formatted as a non-character data type (Thrash, Parag. [0064]; “At block 502, bit stream data is received. Depending on the embodiment, the bit stream data may be received from a network device, or some other source of bit stream data. The bit stream data may be received by a threat analysis system described herein, such as the threat analysis system 108.” Examiner submits that under the broadest reasonable interpretation (BRI), a bit stream data could represent audio and/or video files. That is, the examiner interprets a bit stream data as non-character data type.). As per claim 9, Thrash teaches a system (Thrash, Parag. [0035]; “FIG. 1 illustrates an example environment 100 for a threat analysis system, according to an embodiment of the present disclosure.”) comprising: one or more processors (Thrash, Parag. [0068]; “Computing module 600 might include, for example, one or more processors, controllers, control modules, or other processing devices, such as a processor 604.”); and memory communicatively coupled to the one or more processors and storing executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations (Thrash, Parag. [0069]; “Computing module 600 might also include one or more memory modules, simply referred to herein as main memory 608. For example, preferably random access memory (RAM) or other dynamic memory, might be used for storing information and instructions to be executed by processor 604. Main memory 608 might also be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 604. Computing module 600 might likewise include a read only memory (“ROM) or other static storage device coupled to bus 602 for storing static information and instructions for processor 604.”) comprising: identifying data that is associated with a potential issue (Thrash, Parag. [0027]; “According to some embodiments, signatures that facilitate identification of computer security threats in computer data are aggregated (e.g., ingested) from two or more threat signature sources (e.g., computer security vendors), which may be organizations that are separate and independent from one another.” … Parag. [0063-0064]; “FIG. 5 illustrates an example process 500 for analyzing threats, according to an embodiment of the present disclosure. In some embodiments, the threat analysis process 500 may be performed in whole or in part by the threat analysis system 108 described herein. For some embodiments, the process for analyzing data flows may perform more or less operations than what is illustrated in FIG. 5, and may perform the operations illustrated in FIG. 5 in an order different than the order shown. At block 502, bit stream data is received. Depending on the embodiment, the bit stream data may be received from a network device, or some other source of bit stream data. The bit stream data may be received by a threat analysis system described herein, such as the threat analysis system 108. … At block 514, a user is notified regarding one or more threats identified by analysis of the bit stream data at block 506, or identified by heuristic analysis of the threat analysis log data at block 510.”); [processing the data using a hash-based technique to create a signature for the data, the processing including processing the data in groups of bytes with each group of bytes including a predetermined number of bytes]; comparing the signature to a signature for data that is labeled as being associated with an issue (Thrash, Parag. [0029]; “Computer data, such as bit stream data, can be analyzed using signature matching based on the aggregated threat signatures obtained from the plurality of threat signature sources. Sets of threat signatures from different threat signature sources can differ in the number threat signatures, the threats covered, and the threat signatures available for a given threat. In view of this, using the set of aggregated threat signatures to detect threats in computer data can increase the likelihood of detecting a threat over only using a single set of threat signatures from one threat signature source to detect threats.”); [determining a matched signature based on the comparing; retrieving metadata for the signature for the data that is labeled as being associated with the issue, the metadata indicating a characteristic of the issue; and providing analysis data indicating that the data is associated with the characteristic]. Thrash does not expressly teach: processing the data using a hash-based technique to create a signature for the data, the processing including processing the data in groups of bytes with each group of bytes including a predetermined number of bytes; determining a matched signature based on the comparing; retrieving metadata for the signature for the data that is labeled as being associated with the issue, the metadata indicating a characteristic of the issue; and providing analysis data indicating that the data is associated with the characteristic. However, Serdy teaches: processing the data using a hash-based technique to create a signature for the data, the processing including processing the data in groups of bytes with each group of bytes including a predetermined number of bytes (Serdy, Parag. [0016]; “The Minhashing technique provides a mechanism quickly estimate how similar two sets of data are by breaking a document into a collection of substrings known as a shingle (i.e., breaking data into a fixed length; breaking a document into 8-bit chunks, 8-shingles (or bytes) are generated to represent that data), calculate a hash value for every shingle to convert the substring into a number, then storing the minimum value of all the hash values. By repeating this with a set of different hash functions, a signature is built using the minimum hash value from all the hash functions applied to the document.” … Parag. [0025]; “Minhash signatures are then grouped using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc.”); determining a matched signature based on the comparing (Serdy, Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”. The system will then apply a Jaccard Similarity test (see above) to determine how similar the signatures are. Minhash signatures are then grouped using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc. When trying to find similar signatures, instead of applying the Jaccard similarity test to every signature already computed, the first step is to find signatures that have at least one matching set of values in a particular LSH band. When a new document is added, the algorithm looks for existing documents that have at least one band of the signature that matches the new document. If a match is found, the new document signature is compared to the entire signature of the matching document with the Jaccard similarity test. If it is within the threshold, the new document is given the same similarity group as the matching document.” … Parag. [0050]; “If the document is text based, all of the Minhash signatures for the same similarity group are retrieved (503) from the document store (504). The process then computes the Jaccard similarity between the Minhash signature of the requested document and the Minhash signatures of the other documents in the similarity group (506).”); Thrash and Serdy are from similar field of technology. Prior to the instant application’s effective filling date, there was a need for providing a signature-based method to detect potential issues/threats. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Serdy system into Thrash system, with a motivation to provide a method that compares minhash signature bands to identify a similarity between a plurality of signatures (Serdy, Parag. [0025]). The combination of Thrash and Serdy does not expressly teach: retrieving metadata for the signature for the data that is labeled as being associated with the issue, the metadata indicating a characteristic of the issue; and providing analysis data indicating that the data is associated with the characteristic. However, Gukal teaches: retrieving metadata for the signature for the data that is labeled as being associated with the issue, the metadata indicating a characteristic of the issue (Gukal, Parag. [0227]; “The attack pattern detector 1206 may monitor and/or analyze the collected data 1204a-1204c (i.e., input data) to determine whether a network abnormality has occurred or is occurring. In many cases, a network abnormality may fall within acceptable network usage. In other cases, the network abnormality may indicate a potential network threat.” … Parag. [0238]; “The process 1306 may receive new alert data 1304 (i.e., metadata). The new alert data 1304 may include information about a network abnormality that may be a threat to the network. The new alert data 1304 may include information such as a possible identity of the source of the threat, what the nature of the threat appears to be, when the threat began or occurred, and/or where the threat occurred in the site network.”); providing analysis data indicating that the data is associated with the characteristic (Gukal, Parag. [0227]; “The attack pattern detector 1206 may monitor and/or analyze the collected data 1204a-1204c (i.e., input data) to determine whether a network abnormality has occurred or is occurring. In many cases, a network abnormality may fall within acceptable network usage. In other cases, the network abnormality may indicate a potential network threat.” … Parag. [0238]; “The process 1306 may receive new alert data 1304. The new alert data 1304 (i.e., metadata) may include information about a network abnormality that may be a threat to the network. The new alert data 1304 may include information such as a possible identity of the source of the threat, what the nature of the threat appears to be, when the threat began or occurred, and/or where the threat occurred in the site network.”). Thrash, Serdy and Gukal are from similar field of technology. Prior to the instant application’s effective filling date, there was a need for providing a signature-based method to detect potential threats. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gukal system into Thrash-Serdy system, with a motivation to provide information of the detected issue/threat (Gukal, Parag. [0238]). As per claim 10, the combination of Thrash, Serdy and Gukal teach the system of claim 9. Serdy teaches wherein the comparing includes comparing a predetermined number of bands of the signature with a predetermined number of bands of the signature (Serdy, Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”. The system will then apply a Jaccard Similarity test (see above) to determine how similar the signatures are. Minhash signatures are then grouped using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc. When trying to find similar signatures, instead of applying the Jaccard similarity test to every signature already computed, the first step is to find signatures that have at least one matching set of values in a particular LSH band. When a new document is added, the algorithm looks for existing documents that have at least one band of the signature that matches the new document. If a match is found, the new document signature is compared to the entire signature of the matching document with the Jaccard similarity test. If it is within the threshold, the new document is given the same similarity group as the matching document.” … Parag. [0050]; “If the document is text based, all of the Minhash signatures for the same similarity group are retrieved (503) from the document store (504). The process then computes the Jaccard similarity between the Minhash signature of the requested document and the Minhash signatures of the other documents in the similarity group (506).”) In addition, Thrash teaches: … data that is labeled as being associated with the issue (Thrash, Parag. [0027]; “According to some embodiments, signatures that facilitate identification of computer security threats in computer data are aggregated (e.g., ingested) from two or more threat signature sources (e.g., computer security vendors), which may be organizations that are separate and independent from one another.” … Parag. [0063-0064]; “FIG. 5 illustrates an example process 500 for analyzing threats, according to an embodiment of the present disclosure. In some embodiments, the threat analysis process 500 may be performed in whole or in part by the threat analysis system 108 described herein. For some embodiments, the process for analyzing data flows may perform more or less operations than what is illustrated in FIG. 5, and may perform the operations illustrated in FIG. 5 in an order different than the order shown. At block 502, bit stream data is received. Depending on the embodiment, the bit stream data may be received from a network device, or some other source of bit stream data. The bit stream data may be received by a threat analysis system described herein, such as the threat analysis system 108. … At block 514, a user is notified regarding one or more threats identified by analysis of the bit stream data at block 506, or identified by heuristic analysis of the threat analysis log data at block 510.”). As per claim 11, the rejection of claim 10 is included. In addition is a system of claim that recites similar features as presented on claim 2. Therefore, claim 11 is rejected using the same rationale applied to claim 2. As per claim 12, the combination of Thrash, Serdy and Gukal teach the system of claim 9. Thrash teaches wherein the processing the data includes processing the data as a predetermined data type (Thrash, Parag. [0064]; “At block 502, bit stream data is received. Depending on the embodiment, the bit stream data may be received from a network device, or some other source of bit stream data. The bit stream data may be received by a threat analysis system described herein, such as the threat analysis system 108.”). As per claim 13, the rejection of claim 12 is included. In addition is a system of claim that recites similar features as presented on claim 7. Therefore, claim 13 is rejected using the same rationale applied to claim 7. As per claim 14, the rejection of claim 13 is included. In addition is a system of claim that recites similar features as presented on claim 8. Therefore, claim 14 is rejected using the same rationale applied to claim 8. As per claim 15, Thrash teaches a system (Thrash, Parag. [0035]; “FIG. 1 illustrates an example environment 100 for a threat analysis system, according to an embodiment of the present disclosure.”) comprising: one or more processors (Thrash, Parag. [0068]; “Computing module 600 might include, for example, one or more processors, controllers, control modules, or other processing devices, such as a processor 604.”); and memory communicatively coupled to the one or more processors and storing executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations (Thrash, Parag. [0069]; “Computing module 600 might also include one or more memory modules, simply referred to herein as main memory 608. For example, preferably random access memory (RAM) or other dynamic memory, might be used for storing information and instructions to be executed by processor 604. Main memory 608 might also be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 604. Computing module 600 might likewise include a read only memory (“ROM) or other static storage device coupled to bus 602 for storing static information and instructions for processor 604.”) comprising: processing input data to determine that the data is associated with a potential issue (Thrash, Parag. [0063-0064]; “FIG. 5 illustrates an example process 500 for analyzing threats, according to an embodiment of the present disclosure. In some embodiments, the threat analysis process 500 may be performed in whole or in part by the threat analysis system 108 described herein. For some embodiments, the process for analyzing data flows may perform more or less operations than what is illustrated in FIG. 5, and may perform the operations illustrated in FIG. 5 in an order different than the order shown. At block 502, bit stream data is received. Depending on the embodiment, the bit stream data may be received from a network device, or some other source of bit stream data. The bit stream data may be received by a threat analysis system described herein, such as the threat analysis system 108.”); interpreting the input data as a predetermined data type (Thrash, Parag. [0064]; “At block 502, bit stream data is received. Depending on the embodiment, the bit stream data may be received from a network device, or some other source of bit stream data. The bit stream data may be received by a threat analysis system described herein, such as the threat analysis system 108.”); [processing the input data using locality sensitive hashing to create a signature for the input data, the processing including processing the input data in groups of bytes with each group of bytes including a predetermined number of bytes]; [comparing the signature to at least one signature associated with each cluster from among a plurality of clusters, each of the plurality of clusters being associated with a threat that shares at least one attribute]; [based on the comparing, determining a first cluster, from among the plurality of clusters, to which the signature matches]; [retrieving first metadata for the first cluster, the first metadata indicating at least one of a category of the threat, an entity that created the threat, an entity that distributed the threat, a time when the threat was created, a platform targeted by the threat, a behavior of the threat, or a method used to propagate the threat]; and [based on the first metadata, providing information indicating that the input data is associated with the first metadata]. Thrash does not expressly teach: processing the input data using locality sensitive hashing to create a signature for the input data, the processing including processing the input data in groups of bytes with each group of bytes including a predetermined number of bytes; comparing the signature to at least one signature associated with each cluster from among a plurality of clusters, each of the plurality of clusters being associated with a threat that shares at least one attribute; based on the comparing, determining a first cluster, from among the plurality of clusters, to which the signature matches; retrieving first metadata for the first cluster, the first metadata indicating at least one of a category of the threat, an entity that created the threat, an entity that distributed the threat, a time when the threat was created, a platform targeted by the threat, a behavior of the threat, or a method used to propagate the threat; and based on the first metadata, providing information indicating that the input data is associated with the first metadata. However, Serdy teaches: processing the input data using locality sensitive hashing to create a signature for the input data, the processing including processing the input data in groups of bytes with each group of bytes including a predetermined number of bytes (Serdy, Parag. [0016]; “The Minhashing technique provides a mechanism quickly estimate how similar two sets of data are by breaking a document into a collection of substrings known as a shingle (i.e., breaking data into a fixed length; breaking a document into 8-bit chunks, 8-shingles (or bytes) are generated to represent that data), calculate a hash value for every shingle to convert the substring into a number, then storing the minimum value of all the hash values. By repeating this with a set of different hash functions, a signature is built using the minimum hash value from all the hash functions applied to the document.” … Parag. [0025]; “Minhash signatures are then grouped using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc.”); comparing the signature to at least one signature associated with each cluster from among a plurality of clusters, each of the plurality of clusters being associated with a threat that shares at least one attribute (Serdy, Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”. The system will then apply a Jaccard Similarity test (see above) to determine how similar the signatures are. Minhash signatures are then grouped (i.e., clustered) using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc. When trying to find similar signatures, instead of applying the Jaccard similarity test to every signature already computed, the first step is to find signatures that have at least one matching set of values in a particular LSH band. When a new document is added, the algorithm looks for existing documents that have at least one band of the signature that matches the new document. If a match is found, the new document signature is compared to the entire signature of the matching document with the Jaccard similarity test. If it is within the threshold, the new document is given the same similarity group (i.e., cluster) as the matching document.” … Parag. [0026]; “Each such text-based similarity group has a single minhash signature. This single signature is called the “exemplar ” and is selected from among all the document signatures in the similarity group. The exemplar minhash signature for a similarity group is the signature that has the lowest average Jacquard Similarity to all other members of the similarity group. This is also called the “k-medoid” of the group. As new documents are added to a similarity group, the exemplar for the similarity group may change.” … Parag. [0050]; “If the document is text based, all of the Minhash signatures for the same similarity group are retrieved (503) from the document store (504). The process then computes the Jaccard similarity between the Minhash signature of the requested document and the Minhash signatures of the other documents in the similarity group (506).”); based on the comparing, determining a first cluster, from among the plurality of clusters, to which the signature matches (Serdy, Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”. The system will then apply a Jaccard Similarity test (see above) to determine how similar the signatures are. Minhash signatures are then grouped (i.e., clustered) using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc. When trying to find similar signatures, instead of applying the Jaccard similarity test to every signature already computed, the first step is to find signatures that have at least one matching set of values in a particular LSH band. When a new document is added, the algorithm looks for existing documents that have at least one band of the signature that matches the new document. If a match is found, the new document signature is compared to the entire signature of the matching document with the Jaccard similarity test. If it is within the threshold, the new document is given the same similarity group (i.e., cluster) as the matching document.” … Parag. [0026]; “Each such text-based similarity group has a single minhash signature. This single signature is called the “exemplar ” and is selected from among all the document signatures in the similarity group. The exemplar minhash signature for a similarity group is the signature that has the lowest average Jacquard Similarity to all other members of the similarity group. This is also called the “k-medoid” of the group. As new documents are added to a similarity group, the exemplar for the similarity group may change.” … Parag. [0050]; “If the document is text based, all of the Minhash signatures for the same similarity group are retrieved (503) from the document store (504). The process then computes the Jaccard similarity between the Minhash signature of the requested document and the Minhash signatures of the other documents in the similarity group (506).”); Thrash and Serdy are from similar field of technology. Prior to the instant application’s effective filling date, there was a need for providing a signature-based method to detect potential issues/threats. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Serdy system into Thrash system, with a motivation to provide a method that compares signatures to identify a similarity between a plurality of signatures in a cluster/group (Serdy, Parag. [0025]). The combination of Thrash and Serdy does not expressly teach: retrieving first metadata for the first cluster, the first metadata indicating at least one of a category of the threat, an entity that created the threat, an entity that distributed the threat, a time when the threat was created, a platform targeted by the threat, a behavior of the threat, or a method used to propagate the threat; and based on the first metadata, providing information indicating that the input data is associated with the first metadata. However, Gukal teaches: retrieving first metadata for the first cluster, the first metadata indicating at least one of a category of the threat, an entity that created the threat, an entity that distributed the threat, a time when the threat was created, a platform targeted by the threat, a behavior of the threat, or a method used to propagate the threat (Gukal, Parag. [0227]; “The attack pattern detector 1206 may monitor and/or analyze the collected data 1204a-1204c (i.e., input data) to determine whether a network abnormality has occurred or is occurring. In many cases, a network abnormality may fall within acceptable network usage. In other cases, the network abnormality may indicate a potential network threat.” … Parag. [0238]; “The process 1306 may receive new alert data 1304 (i.e., metadata). The new alert data 1304 may include information about a network abnormality that may be a threat to the network. The new alert data 1304 may include information such as a possible identity of the source of the threat, what the nature of the threat appears to be, when the threat began or occurred, and/or where the threat occurred in the site network.” … Parag. [0311]; “The clustering engine 1907 a may use clustering techniques to categorize patterns of network behavior according to similarity. For example, when network behavior affects a particular group of network systems and/or deception mechanism, clustering engine 1907 a can identify features network systems or deception mechanisms in the group. Features can include, for example, the type of the network system or being emulated by the deception mechanism (e.g., desktop computer laptop computer, tablet computer, etc.), identification information associated with the network system or deception mechanism (e.g., an IP address, a MAC address, a computer name, etc.), a hardware con figuration of the network system or being emulated by the deception mechanism (e.g., a number of processors, a amount of memory, a number of storage devices, the type and capabilities of attached peripheral devices, etc.), and/or a software configuration of the network system or being emulated by the deception mechanism (e.g., an operating system type and/or version, operating system patches, installed drivers, types and identities of user applications, etc.). The clustering engine 1907a can further use clustering techniques to identify similar features among the group of affected network systems and/or deception mechanisms. For example, the clustering engine 1907a can determine that each affected network system and/or deception mechanism have the same operating type and version. Similarities Such as these can be used as part of developing an attack pattern 1908.”); based on the first metadata, providing information indicating that the input data is associated with the first metadata (Gukal, Parag. [0227]; “The attack pattern detector 1206 may monitor and/or analyze the collected data 1204a-1204c (i.e., input data) to determine whether a network abnormality has occurred or is occurring. In many cases, a network abnormality may fall within acceptable network usage. In other cases, the network abnormality may indicate a potential network threat.” … Parag. [0238]; “The process 1306 may receive new alert data 1304 (i.e., metadata). The new alert data 1304 may include information about a network abnormality that may be a threat to the network. The new alert data 1304 may include information such as a possible identity of the source of the threat, what the nature of the threat appears to be, when the threat began or occurred, and/or where the threat occurred in the site network.” … Parag. [0311]; “The clustering engine 1907 a may use clustering techniques to categorize patterns of network behavior according to similarity. For example, when network behavior affects a particular group of network systems and/or deception mechanism, clustering engine 1907 a can identify features network systems or deception mechanisms in the group. Features can include, for example, the type of the network system or being emulated by the deception mechanism (e.g., desktop computer laptop computer, tablet computer, etc.), identification information associated with the network system or deception mechanism (e.g., an IP address, a MAC address, a computer name, etc.), a hardware con figuration of the network system or being emulated by the deception mechanism (e.g., a number of processors, a amount of memory, a number of storage devices, the type and capabilities of attached peripheral devices, etc.), and/or a software configuration of the network system or being emulated by the deception mechanism (e.g., an operating system type and/or version, operating system patches, installed drivers, types and identities of user applications, etc.). The clustering engine 1907a can further use clustering techniques to identify similar features among the group of affected network systems and/or deception mechanisms. For example, the clustering engine 1907a can determine that each affected network system and/or deception mechanism have the same operating type and version. Similarities Such as these can be used as part of developing an attack pattern 1908.”). Thrash, Serdy and Gukal are from similar field of technology. Prior to the instant application’s effective filling date, there was a need for providing a signature-based method to detect potential threats. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gukal system into Thrash-Serdy system, with a motivation to provide information of the detected issue/threat (Gukal, Parag. [0238]). As per claim 16, the rejection of claim 14 is included. In addition, is a system claim that recites similar features as presented on claim 14. Therefore, claim 16 is rejected using the same rationale applied to claim 14. As per claim 17, the rejection of claim 15 is included. In addition, is a system claim that recites similar features as presented on claim 13. Therefore, claim 17 is rejected using the same rationale applied to claim 13. As per claim 18, the combination of Thrash, Serdy and Gukal teach the system of claim 15. Serdy teaches wherein the operations further comprise: using a clustering technique to group one or more data items into the first cluster (Serdy, Parag. [0025]; “For documents whose content is primarily text, content analysis can be performed to look for similarity. One way to do this is to use a technique called Minhashing (see above) to compute a set of hash values for each document, sometimes called the document’s “minhash signature”. The system will then apply a Jaccard Similarity test (see above) to determine how similar the signatures are. Minhash signatures are then grouped (i.e., clustered) using Locality-Sensitive Hashing (LSH) (see above) to optimize finding similar minhash signatures without having to compare against every existing minhash signature in the database. This technique also comes from Stanford and is described in the same document referenced above. The LSH technique starts by grouping the minhash values for a signature into bands, i.e. minhash values 0-5 could be band 1, 6-10 band 2, etc. When trying to find similar signatures, instead of applying the Jaccard similarity test to every signature already computed, the first step is to find signatures that have at least one matching set of values in a particular LSH band. When a new document is added, the algorithm looks for existing documents that have at least one band of the signature that matches the new document. If a match is found, the new document signature is compared to the entire signature of the matching document with the Jaccard similarity test. If it is within the threshold, the new document is given the same similarity group (i.e., cluster) as the matching document.” … Parag. [0026]; “Each such text-based similarity group has a single minhash signature. This single signature is called the “exemplar ” and is selected from among all the document signatures in the similarity group. The exemplar minhash signature for a similarity group is the signature that has the lowest average Jacquard Similarity to all other members of the similarity group. This is also called the “k-medoid” of the group. As new documents are added to a similarity group, the exemplar for the similarity group may change.” … Parag. [0050]; “If the document is text based, all of the Minhash signatures for the same similarity group are retrieved (503) from the document store (504). The process then computes the Jaccard similarity between the Minhash signature of the requested document and the Minhash signatures of the other documents in the similarity group (506).”), In addition, Gukal teaches the one or more data items being associated with the at least one attribute (Gukal, Parag. [0227]; “The attack pattern detector 1206 may monitor and/or analyze the collected data 1204a-1204c (i.e., input data) to determine whether a network abnormality has occurred or is occurring. In many cases, a network abnormality may fall within acceptable network usage. In other cases, the network abnormality may indicate a potential network threat.” … Parag. [0238]; “The process 1306 may receive new alert data 1304 (i.e., metadata). The new alert data 1304 may include information about a network abnormality that may be a threat to the network. The new alert data 1304 may include information such as a possible identity of the source of the threat, what the nature of the threat appears to be, when the threat began or occurred, and/or where the threat occurred in the site network.” … Parag. [0311]; “The clustering engine 1907 a may use clustering techniques to categorize patterns of network behavior according to similarity. For example, when network behavior affects a particular group of network systems and/or deception mechanism, clustering engine 1907 a can identify features network systems or deception mechanisms in the group. Features can include, for example, the type of the network system or being emulated by the deception mechanism (e.g., desktop computer laptop computer, tablet computer, etc.), identification information associated with the network system or deception mechanism (e.g., an IP address, a MAC address, a computer name, etc.), a hardware con figuration of the network system or being emulated by the deception mechanism (e.g., a number of processors, a amount of memory, a number of storage devices, the type and capabilities of attached peripheral devices, etc.), and/or a software configuration of the network system or being emulated by the deception mechanism (e.g., an operating system type and/or version, operating system patches, installed drivers, types and identities of user applications, etc.). The clustering engine 1907a can further use clustering techniques to identify similar features (i.e., attributes) among the group of affected network systems and/or deception mechanisms. For example, the clustering engine 1907a can determine that each affected network system and/or deception mechanism have the same operating type and version. Similarities such as these can be used as part of developing an attack pattern 1908.”). As per claim 19, the combination of Thrash, Serdy and Gukal teach the system of claim 15. Serdy teaches wherein the at least one signature associated with the first cluster is a signature for a data item located at a center region of the first cluster (Serdy, Parag. [0026]; “Each such text-based similarity group has a single minhash signature. This single signature is called the “exemplar” and is selected from among all the document signatures in the similarity group. The exemplar minhash signature for a similarity group is the signature that has the lowest average Jacquard Similarity to all other members of the similarity group. This is also called the “k-medoid” (i.e., data representing the most centrical point of the cluster) of the group. As new documents are added to a similarity group, the exemplar for the similarity group may change.” … Parag. [0050]; “If the document is text based, all of the Minhash signatures for the same similarity group are retrieved (503) from the document store (504). The process then computes the Jaccard similarity between the Minhash signature of the requested document and the Minhash signatures of the other documents in the similarity group (506).”). As per claim 20, the combination of Thrash, Serdy and Gukal teach the system of claim 15, wherein the first metadata is associated with each data item of the first cluster (Gukal, Parag. [0311]; “The clustering engine 1907 a may use clustering techniques to categorize patterns of network behavior according to similarity. For example, when network behavior affects a particular group of network systems and/or deception mechanism, clustering engine 1907 a can identify features network systems or deception mechanisms in the group. Features can include, for example, the type of the network system or being emulated by the deception mechanism (e.g., desktop computer laptop computer, tablet computer, etc.), identification information associated with the network system or deception mechanism (e.g., an IP address, a MAC address, a computer name, etc.), a hardware con figuration of the network system or being emulated by the deception mechanism (e.g., a number of processors, a amount of memory, a number of storage devices, the type and capabilities of attached peripheral devices, etc.), and/or a software configuration of the network system or being emulated by the deception mechanism (e.g., an operating system type and/or version, operating system patches, installed drivers, types and identities of user applications, etc.). The clustering engine 1907a can further use clustering techniques to identify similar features among the group of affected network systems and/or deception mechanisms. For example, the clustering engine 1907a can determine that each affected network system and/or deception mechanism have the same operating type and version. Similarities Such as these can be used as part of developing an attack pattern 1908.” … Parag. [0319]; “the machine learning engine 2011b can implement clustering techniques to categorize or group data according to similarity.”). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Hernaki (US 7,908,657) relates to detecting a variant of a known threat. A portion of network traffic is matched with at least a portion of a signature associated with the known threat. If the portion of network traffic being matched with the signature does not exactly match the signature, the extent of match between the portion of network traffic and the signature is determined. If the extent of match satisfies a threshold, a security response is triggered based upon the extent of match. Li et al. (US 10,437,996) relates to a method that includes preparing a representation of data associated with a plurality of software modules, the representation comprising similarity-based hashing of signatures constructed from a first subset of features of the plurality of software modules. The method also includes performing a similarity-based query utilizing the similarity-based hashing of signatures to identify one or more of the plurality of software modules as candidate software modules matching a received seed software module. The method further includes computing distances between the candidate software modules and the seed software module utilizing a second subset of features of the plurality of software modules, classifying one or more of the candidate software modules as a designated type based on the computed distances, generating a notification comprising a list of the classified candidate software modules, and controlling access by one or more client devices associated with an enterprise to the candidate software modules in the list. Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEX D CARRASQUILLO whose telephone number is (571)270-5045. The examiner can normally be reached Monday - Friday 9:00 am - 6:00 pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /A.D.C./Examiner, Art Unit 2498 /JOHN B KING/Primary Examiner, Art Unit 2498