PTAB
IPR2024-00863
Wiz Inc v. Orca Security Ltd
1. Case Identification
- Case #: IPR2024-00863
- Patent #: 11,663,031
- Filed: May 24, 2024
- Petitioner(s): Wiz, Inc.
- Patent Owner(s): Orca Security LTD.
- Challenged Claims: 1-16
2. Patent Overview
- Title: Techniques for Securing Virtual Assets at Rest
- Brief Description: The ’031 patent describes techniques for securing virtual cloud assets, such as virtual machines (VMs). The claimed system establishes an interface with a cloud environment, uses APIs to identify and locate virtual disks, takes or requests a snapshot of the disks, analyzes the snapshot for vulnerabilities while the VM is inactive, and reports the findings as alerts.
3. Grounds for Unpatentability
Ground 1: Obviousness over Veselov and Price - Claims 1, 3-9, and 11-16 are obvious over Veselov in view of Price.
- Prior Art Relied Upon: Veselov (Patent 11,216,563) and Price (Application # 2013/0247133).
- Core Argument for this Ground:
  - Prior Art Mapping: Petitioner argued that Veselov teaches all elements of the independent claims except for taking a snapshot while the VM is "at rest" and analyzing the snapshot while the VM is "inactive." Veselov discloses a security assessment system that uses APIs to communicate with a target environment, obtains snapshots of a target resource (like a VM with virtual disks), analyzes the snapshot to detect security risks, and provides assessment results. Price was asserted to supply the missing elements by expressly teaching security assessments performed on images of offline VMs, noting that many VMs in cloud environments are not actively running when scans are requested.
  - Motivation to Combine: A POSITA would combine Price’s offline analysis with Veselov’s system to achieve predictable benefits. First, it provides the security advantage of analyzing a potentially compromised VM while it is inactive, preventing the vulnerability from being exploited or malware from spreading. Second, it offers cost and efficiency benefits, as many VMs are already at rest, and analyzing them in that state avoids the delay and cost of starting them up.
  - Expectation of Success: Petitioner asserted success was expected because offline snapshotting and analysis were routine and predictable techniques. Veselov's analysis is based on the snapshot, not the live VM, making its operational state irrelevant to the analysis itself. The combination was presented as a straightforward implementation of known techniques.
Ground 2: Obviousness over Veselov, Price, and Hufsmith - Claims 2 and 10 are obvious over Veselov, Price, and Hufsmith.
- Prior Art Relied Upon: Veselov (Patent 11,216,563), Price (Application # 2013/0247133), and Hufsmith (Application # 2020/0097662).
- Core Argument for this Ground:
  - Prior Art Mapping: This ground builds on the combination of Veselov and Price and adds Hufsmith to teach the limitations of dependent claims 2 and 10, which require reporting detected vulnerabilities with associated priority levels. Petitioner argued Hufsmith explicitly teaches security assessments that detect, prioritize, and filter security risks. Hufsmith describes assigning weights (priorities) to detected risks (e.g., malware/CVEs) and sending prioritized alerts to the user.
  - Motivation to Combine: A POSITA would combine Hufsmith’s prioritization teachings with the system of Veselov and Price to gain the known benefits of prioritized alerts. Hufsmith’s methods were described as a natural fit for Veselov's security assessment system, allowing users to rapidly identify the most dangerous threats and at-risk assets, thereby overcoming the problem of overwhelming, non-prioritized vulnerability reports.
  - Expectation of Success: Success was expected as alert prioritization was a well-understood and predictable technique. The technical contexts of all three references are similar (analyzing VM images for vulnerabilities), so integrating Hufsmith's reporting features would not present meaningful technical challenges.
Ground 3: Obviousness over Veselov, Price, Hufsmith, and Huseinović - Claims 6 and 14 are obvious over Veselov, Price, Hufsmith, and Huseinović.
- Prior Art Relied Upon: Veselov (Patent 11,216,563), Price (Application # 2013/0247133), Hufsmith (Application # 2020/0097662), and Huseinović ("Virtual Machine Memory Forensics," a 2013 conference publication).
- Core Argument for this Ground:
  - Prior Art Mapping: This ground builds on the previous combination and adds Huseinović to teach the limitations of dependent claims 6 and 14. These claims require the snapshot to include a page file of memory configured to allow the deduction of running applications. Petitioner contended that Huseinović expressly teaches analyzing a VM's page file from a snapshot to determine which applications are running, noting that this is achieved using standard, built-in virtualization options.
  - Motivation to Combine: A POSITA would be motivated to apply Huseinović’s teachings to obtain useful information for the security assessment. Hufsmith teaches adjusting risk levels based on application usage, and Huseinović provides a known, straightforward way to determine that usage from snapshot data. This allows for more nuanced and accurate risk prioritization.
  - Expectation of Success: Success was expected because the snapshot analysis in Huseinović was well-understood and predictable. Petitioner argued that the snapshots described by Veselov would often already contain the necessary machine memory for this analysis, and the page files could be readily interpreted with standard forensic tools.
4. Key Claim Construction Positions
- "location" of a Virtual Disk: Petitioner argued that a POSITA would understand this term to broadly encompass both virtual locations (e.g., a virtual network address) and non-virtual locations, as supported by the specification’s use of "e.g., virtual address."
- "analyze/analyzing the at least one snapshot": Petitioner adopted Patent Owner's apparent litigation position, arguing this term encompasses both direct analysis of snapshot data (e.g., as a data file) and analysis of a VM instantiated from the snapshot.
5. Arguments Regarding Discretionary Denial
- Petitioner argued against discretionary denial under Fintiv, stating that the parallel district court litigation was in a very early stage. The petition was filed over 1.5 months before the one-year bar, the court’s claim construction hearing is not scheduled until October 2024, and the trial is not scheduled until December 2025, well after the Final Written Decision (FWD) in this inter partes review (IPR) would issue.
- Petitioner also argued against denial under §325(d), contending that the prior art references (Veselov, Price, Hufsmith, Huseinović) and arguments presented were not the same or substantially the same as those considered during prosecution. Petitioner asserted the examiner’s allowance was based on a material error regarding the novelty of analyzing a snapshot while the VM is inactive.
6. Relief Requested
- Petitioner requests institution of IPR and cancellation of claims 1-16 of the ’031 patent as unpatentable.