Wiz, Inc. v. Orca Security Ltd.

1. Case Identification

• Case #: IPR2024-01190
• Patent #: 11,740,926
• Filed: July 31, 2024
• Petitioner(s): Wiz, Inc.
• Patent Owner(s): Orca Security LTD.
• Challenged Claims: 1-15

2. Patent Overview

• Title: Securing Virtual Cloud Assets Against Cyber Threats
• Brief Description: The ’926 patent relates to a system and method for securing virtual assets in a cloud computing environment. The technology involves receiving a scan request, locating and accessing a snapshot of a virtual disk using a cloud provider API, analyzing the snapshot for various potential cyber threats, determining an associated risk for each threat, and reporting the threats as prioritized alerts.

3. Grounds for Unpatentability

Ground 1: Obviousness over Veselov and Mohanty - Claims 1, 5-10, and 12-15 are obvious over Veselov in view of Mohanty.

• Prior Art Relied Upon: Veselov (Patent 11,216,563) and Mohanty (Patent 9,692,778).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Veselov taught the core method of the independent claims, including using a scanning service in a cloud environment to locate, access, and analyze a snapshot of a virtual asset to identify security risks like vulnerabilities and bad configurations. However, Petitioner contended Veselov did not explicitly teach determining a risk for each threat and then prioritizing/reporting alerts based on that risk. Mohanty was argued to supply these missing elements by teaching a context-sensitive system that calculates threat scores to quantify the impact of vulnerabilities, prioritizes threats based on these scores, and reports them as prioritized alerts.
  • Motivation to Combine: A Person of Ordinary Skill in the Art (POSITA) would combine Veselov and Mohanty to enhance Veselov’s snapshot-based security assessment with Mohanty’s more sophisticated risk characterization and prioritization techniques. This combination would predictably result in a more comprehensive and effective security system by enabling better focus on the most critical threats, a known goal in the field of cybersecurity.
  • Expectation of Success: A POSITA would have a reasonable expectation of success because applying Mohanty's known risk analysis and prioritization logic to the security data identified by Veselov's snapshot analysis represented a combination of known elements for a predictable result.

Ground 2: Obviousness over Veselov, Mohanty, and Ranum - Claims 1-2, 4-10, and 12-15 are obvious over Veselov and Mohanty in view of Ranum.

• Prior Art Relied Upon: Veselov (Patent 11,216,563), Mohanty (Patent 9,692,778), and Ranum (Patent 9,088,606).
• Core Argument for this Ground:
  • Prior Art Mapping: This ground built upon Ground 1, adding Ranum to teach specific limitations of dependent claims 2 and 4. Petitioner argued Ranum taught detecting threats by identifying "at least one change in at least one area of the virtual disk, as compared to an earlier point in time." Specifically, Ranum disclosed computing cryptographic hashes of files on a host and comparing them to a baseline (an earlier scan) to identify new or changed files, which could indicate malware.
  • Motivation to Combine: A POSITA would be motivated to incorporate Ranum's hash-based comparison technique into the Veselov/Mohanty system to provide a more robust and efficient method for detecting unexpected changes and malware. This well-known technique would address gaps in other detection methods and improve the overall accuracy of the security assessment.

Ground 3: Obviousness over Veselov, Mohanty, and Seo - Claim 3 is obvious over Veselov and Mohanty in view of Seo.

• Prior Art Relied Upon: Veselov (Patent 11,216,563), Mohanty (Patent 9,692,778), and Seo (Application # US 2019/0180028).

• Core Argument for this Ground:

  • Prior Art Mapping: This ground added Seo to the base combination to address dependent claim 3, which required detecting data by "determining added or changed files on the virtual disk without a corresponding installation process." Petitioner asserted Seo taught this precise technique, describing a method to identify potentially malicious applications by determining if they lack a legitimate installation history record.
  • Motivation to Combine: A POSITA would be motivated to add Seo's teachings as an additional security measure to the Veselov/Mohanty system. Analyzing installation history provides another layer of security analysis to identify illegitimate files that might be missed by other vulnerability checks, thereby improving the snapshot-based assessment.

• Additional Grounds: Petitioner asserted additional obviousness challenges, including combining Veselov, Mohanty, Ranum, and Seo for claim 3, and combining Veselov, Mohanty, and Hutchins (with or without Ranum) for claim 11, which recites mitigating threats by quarantining the virtual asset.

4. Key Claim Construction Positions

• "Locating" a Snapshot: Petitioner argued that a POSITA would understand this term to broadly encompass both virtual locations (e.g., a virtual address) and non-virtual locations (e.g., a path in non-virtual storage). This construction was based on the specification's use of "e.g., virtual address" and the common knowledge that snapshots were often stored in non-virtual storage.
• "[Analyze/Analyzing] the Snapshot": Petitioner contended this term covers both direct analysis of the snapshot data as a file and the analysis of a virtual machine (VM) that has been instantiated from that snapshot. Petitioner noted it was adopting this broad interpretation, which it alleged the Patent Owner used in related district court litigation.

5. Arguments Regarding Discretionary Denial

• Fintiv Factors: Petitioner argued that discretionary denial under Fintiv was not warranted. It asserted that the parallel district court litigation was in a very early stage, with a claim construction hearing not scheduled until late 2024 and a trial date set for March 2026, well after the statutory deadline for a Final Written Decision (FWD) in this inter partes review (IPR).
• §325(d) Factors: Petitioner argued denial under §325(d) would be inappropriate because the petition raised new invalidity grounds not previously considered by the USPTO. While Veselov was before the Examiner, it was never applied in a rejection or combined with Mohanty, Ranum, Seo, or Hutchins. Petitioner contended the Examiner's reasons for allowance were conclusory and constituted a material error that would have been avoided had the present grounds and expert declaration been considered.

6. Relief Requested

• Petitioner requested institution of an IPR and cancellation of claims 1-15 of Patent 11,740,926 as unpatentable.