PTAB

IPR2024-00865

Wiz Inc v. Orca Security Ltd


1. Case Identification

2. Patent Overview

  • Title: Securing Virtual Assets in a Cloud Environment
  • Brief Description: The ’685 patent discloses a system and method for inspecting data in a cloud environment. The process involves using cloud computing platform APIs to identify and locate virtual disks of a virtual machine (VM), generating a snapshot of the disks, and analyzing the snapshot to detect vulnerabilities and sensitive data without interacting with the live VM.

3. Grounds for Unpatentability

Ground 1: Obviousness over Veselov and Hufsmith - Claims 1-22 are obvious over Veselov in view of Hufsmith.

  • Prior Art Relied Upon: Veselov (Patent 11,216,563) and Hufsmith (Patent 8,595,845).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Veselov, as the primary reference, taught the core elements of the challenged claims, including a system that establishes an interface to a client environment, uses APIs to identify virtual disks, generates snapshots, and analyzes them for security vulnerabilities without interacting with the target VM. Petitioner contended that Hufsmith supplied the remaining limitations not expressly taught by Veselov: detecting sensitive data, determining a risk level for the VM, and filtering and prioritizing the resulting alerts based on that risk level.
    • Motivation to Combine: A Person of Ordinary Skill in the Art (POSITA) would combine Veselov’s security assessment framework with Hufsmith's advanced risk analysis and alert prioritization techniques. The combination would predictably improve Veselov's system by providing a more comprehensive security assessment and addressing the well-known problem of "alert fatigue" by focusing on the most critical risks, including the exposure of sensitive data.
    • Expectation of Success: Petitioner asserted a reasonable expectation of success because the combination involved applying well-understood and predictable techniques (sensitive data detection, risk-level determination) to analogous systems in their conventional manner, presenting no meaningful technical challenges.

Ground 2: Obviousness over Veselov, Hufsmith, and Chari - Claims 1-22 are obvious over Veselov and Hufsmith in view of Chari.

  • Prior Art Relied Upon: Veselov (Patent 11,216,563), Hufsmith (Patent 8,595,845), and Chari (Application # 2015/0033221).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground built upon Ground 1, with Petitioner arguing that Chari provided an explicit and detailed teaching for detecting and remediating sensitive data, including specific types like encryption keys and passwords, within VM images and snapshots. This reinforced the argument that adding sensitive data detection to the Veselov system was obvious. Chari also taught implementing remedial actions, such as sanitizing the detected sensitive data, relevant to dependent claims 6 and 18.
    • Motivation to Combine: A POSITA would have been motivated to incorporate Chari's specific methods for sensitive data detection into the Veselov/Hufsmith system to address the critical security concern of residual sensitive data in cloud environments—a risk explicitly highlighted by Chari. This would provide a more complete security solution.
    • Expectation of Success: Applying Chari's specific teachings on sensitive data analysis to the VM snapshots in Veselov was a straightforward application of a known technique to a known problem, with predictable results and a high likelihood of success.

Ground 3: Obviousness over Veselov, Hufsmith, Chari, Price, and Huseinović - Claims 2-3 and 14-15 are obvious over Veselov, Hufsmith, and Chari in view of Price and Huseinović.

  • Prior Art Relied Upon: Veselov (Patent 11,216,563), Hufsmith (Patent 8,595,845), Chari (Application # 2015/0033221), Price (Application # 2013/0247133), and Huseinović ("Virtual Machine Memory Forensics" conference publication).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground targeted specific dependent claims requiring the VM to be inactive during analysis and the snapshot to include a page file for deducing running applications. Price was cited for teaching the analysis of a VM image while the VM is inactive (offline) to avoid risks associated with scanning a live system. Huseinović was cited for teaching that a snapshot of a suspended VM includes a page file containing memory state, which can be analyzed to deduce a list of then-running applications.
    • Motivation to Combine: A POSITA would combine these references to enhance security and efficiency. Price's offline analysis was a known method to avoid damaging a potentially compromised live VM. Huseinović's technique of analyzing page files provided valuable application-usage data, which could be used for more accurate risk assessments as taught by Hufsmith.
    • Expectation of Success: Performing analysis on an inactive VM (Price) and analyzing a page file from a snapshot to identify running applications (Huseinović) were well-understood practices in VM forensics and security, ensuring a high expectation of success.

4. Key Claim Construction Positions

  • "location" of a Virtual Disk: Petitioner argued this term should be construed to encompass both virtual (e.g., virtual address) and non-virtual locations. This broad construction is asserted to be consistent with the specification and allows prior art disclosing either type of location to meet the claim limitation.
  • "analyze the at least one snapshot": Petitioner contended this phrase encompasses both the direct analysis of snapshot data as a file and the analysis of a new VM instantiated from that snapshot. This interpretation allows prior art references like Veselov, which describe both approaches, to satisfy the limitation.

5. Arguments Regarding Discretionary Denial

  • §314(a) / Fintiv Factors: Petitioner argued that discretionary denial under Fintiv is not warranted because the parallel district court litigation is at an early stage. The trial is not scheduled until December 8, 2025, which is well after the statutory deadline for a Final Written Decision in this IPR.
  • §325(d): Petitioner asserted that the grounds presented are new and were not considered during prosecution. While Veselov was listed in an Information Disclosure Statement, it was never substantively applied in a rejection. The other key references—Hufsmith, Chari, Price, and Huseinović—were never before the U.S. Patent and Trademark Office at all.

6. Relief Requested

  • Petitioner requests institution of an inter partes review and cancellation of claims 1-22 of Patent 11,693,685 as unpatentable.