Wiz Inc v. Orca Security Ltd

1. Case Identification

• Case #: IPR2024-01190
• Patent #: 11,740,926
• Filed: July 31, 2024
• Petitioner(s): Wiz, Inc.
• Patent Owner(s): Orca Security Ltd.
• Challenged Claims: 1-15

2. Patent Overview

• Title: Securing Virtual Cloud Assets Against Cyber Threats
• Brief Description: The ’926 patent relates to methods and systems for securing virtual assets in a cloud computing environment. The technology involves locating and analyzing a snapshot of a virtual disk to identify potential cyber threats, determining an associated risk for each threat, prioritizing the threats based on risk, and reporting them as prioritized alerts.

3. Grounds for Unpatentability

Ground 1: Obviousness over Veselov and Mohanty - Claims 1, 5-10, and 12-15 are obvious over Veselov in view of Mohanty.

• Prior Art Relied Upon: Veselov (Patent 11,216,563) and Mohanty (Patent 9,692,778).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Veselov discloses most limitations of the independent claims, including the core process of locating, accessing, and analyzing a virtual machine snapshot in a cloud environment to identify security issues and report the results. However, Petitioner contended Veselov does not explicitly teach determining a specific risk for each threat and then prioritizing and reporting those threats based on the determined risk. Mohanty was argued to supply these missing elements by teaching a context-sensitive system for calculating threat scores, prioritizing security vulnerabilities based on those scores, and reporting prioritized alerts.
  • Motivation to Combine: A POSITA would combine these analogous arts to improve upon Veselov's snapshot-based security assessment by integrating Mohanty's more sophisticated risk characterization and prioritization methods. This combination would predictably result in more comprehensive and actionable security alerts, a well-known objective in the cybersecurity field.
  • Expectation of Success: Petitioner asserted a POSITA would have had a clear expectation of success, as applying Mohanty's known risk analysis and prioritization logic to the security data obtained via Veselov's snapshot analysis was a straightforward application of established techniques to achieve predictable improvements in threat reporting.

Ground 2: Obviousness over Veselov, Mohanty, and Ranum - Claims 1-2, 4-10, and 12-15 are obvious over Veselov and Mohanty in view of Ranum.

• Prior Art Relied Upon: Veselov (Patent 11,216,563), Mohanty (Patent 9,692,778), and Ranum (Patent 9,088,606).

• Core Argument for this Ground:

  • Prior Art Mapping: This ground builds on Ground 1 by adding Ranum. Petitioner argued Ranum teaches specific methods for detecting cyber threats by identifying changes in stored data, particularly the use of cryptographic hash comparisons against a baseline to find unexpected or suspicious file changes. This teaching was mapped to the limitations of dependent claims 2 (detecting an unexpected change) and 4 (computing and comparing cryptographic hashes), which are not explicitly detailed in Veselov or Mohanty.
  • Motivation to Combine: A POSITA would be motivated to incorporate Ranum's hash-based change detection into the Veselov/Mohanty system to provide a more robust and efficient method for identifying malware or unauthorized file modifications. This addition would further the known goal of creating a more thorough and accurate threat detection system.
  • Expectation of Success: Petitioner claimed success would be expected, as applying Ranum's well-understood hash comparison techniques to a snapshot-based analysis was a predictable and common practice in virtual machine security forensics.

• Additional Grounds: Petitioner asserted additional obviousness challenges for claim 3 based on combinations including Seo (Application # US 2019/0180028) for its teachings on identifying illegitimate files without a corresponding installation process, and for claim 11 based on combinations including Hutchins (Application # US 2013/0024940) for its teachings on quarantining virtual machines as a mitigation step.

4. Key Claim Construction Positions

• “Locating” a Snapshot: Petitioner argued this term should be construed to encompass both virtual (e.g., a virtual address) and non-virtual locations. This construction was based on the specification's language and the common technical practice of storing virtual machine snapshots in non-virtual storage locations.
• “[Analyze/Analyzing] the Snapshot”: Petitioner asserted this term encompasses both the direct analysis of snapshot data as a static data file and the analysis of a virtual machine instantiated from that snapshot. This position was supported by the specification and the Patent Owner's alleged interpretation in related district court litigation.

5. Arguments Regarding Discretionary Denial

• Discretionary Denial under Fintiv: Petitioner argued denial is unwarranted because the parallel district court litigation is in a very early stage. Key milestones, such as claim construction and expert discovery, are scheduled far in the future, and the trial is not set to begin until March 2026, well after the projected Final Written Decision in this inter partes review (IPR).
• Discretionary Denial under §325(d): Petitioner contended that denial is inappropriate because the primary prior art combinations and arguments were never considered by the USPTO. Although Veselov was cited during prosecution, it was never applied in a rejection or substantively discussed. The key secondary references, including Mohanty, Ranum, Seo, and Hutchins, were never presented to or considered by the Examiner, constituting a material difference from the prior prosecution record.

6. Relief Requested

• Petitioner requests institution of an IPR and cancellation of claims 1-15 of Patent 11,740,926 as unpatentable.