PTAB

IPR2025-00441

Wiz Inc v. Orca Security Ltd

1. Case Identification

2. Patent Overview

  • Title: Securing Virtual Cloud Assets Against Cyber Threats
  • Brief Description: The ’798 patent discloses methods and systems for securing virtual assets in a cloud computing environment. The claimed technology involves taking a snapshot of a virtual disk, accessing and analyzing the snapshot to detect potential cyber threats, and then alerting on those threats based on a determined risk level.

3. Grounds for Unpatentability

Ground 1: Claims 1-5, 7-15, 17-22, 24-32, and 34 are obvious over Veselov and Basavapatna.

  • Prior Art Relied Upon: Veselov (Patent 11,216,563) and Basavapatna (Application # 2013/0191919).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Veselov teaches all core elements of independent claims 1 and 18, including a method and system for securing virtual assets by taking a snapshot of a virtual disk, accessing it, and analyzing it to detect cyber threats. However, Veselov does not explicitly teach alerting based on risk-based filtering or prioritization. Petitioner asserted that Basavapatna remedies this deficiency by teaching the determination of vulnerability-centric and threat-centric risk metrics for detected threats and using those metrics to filter and prioritize alerts, facilitating user focus on the most critical security issues.
    • Motivation to Combine: A POSITA would combine these references to enhance the snapshot-based security assessment of Veselov with the well-known and predictable benefits of risk-based prioritization taught by Basavapatna. This combination would improve security by providing more robust and accurate risk assessments, allowing for more effective communication of important risks in snapshot-based security assessments of virtual machines.
    • Expectation of Success: A POSITA would have a reasonable expectation of success because the underlying techniques—snapshot-based analysis, threat detection, risk assessment, and risk-based alerting—were all well-known and routinely implemented. The combination presented no significant technical challenges.

Ground 2: Claims 6 and 23 are obvious over Veselov, Basavapatna, and Kapoor.

  • Prior Art Relied Upon: Veselov (Patent 11,216,563), Basavapatna (Application # 2013/0191919), and Kapoor (Patent 10,498,845).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground builds on the combination of Veselov and Basavapatna. Petitioner argued that claims 6 and 23 require scanning a parsed copy of the snapshot by reading process identification number (PID) files to determine running processes. While Veselov and Basavapatna teach analyzing system configuration data to identify running applications generally, Kapoor was introduced to explicitly teach the well-known technique of scanning PID files within a PID directory to determine which processes are currently running on a node, such as a virtual machine.
    • Motivation to Combine: A POSITA, seeking to implement the general teachings of Basavapatna regarding the determination of running applications, would be motivated to incorporate Kapoor's specific method. Kapoor's use of PID files provided a simple, effective, and predictable way to make this determination, representing a routine implementation of Basavapatna's broader security assessment goals.
    • Expectation of Success: The method of reading PID files to identify running processes was a well-understood and routinely practiced technique in system administration and security. A POSITA would expect this technique to be readily accomplished in the context of analyzing a snapshot containing a virtual machine's file system.

Ground 3: Claims 11 and 28 are obvious over Veselov, Basavapatna, and Roth.

  • Prior Art Relied Upon: Veselov (Patent 11,216,563), Basavapatna (Application # 2013/0191919), and Roth (Patent 9,524,389).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground also builds on the core combination of Veselov and Basavapatna. Petitioner contended that claims 11 and 28 add the limitation that taking the snapshot is performed based on the detection of a network event or an abnormal event. Veselov teaches event-triggered assessments generally. Roth was added to provide specific, predictable teachings on taking snapshots for security analysis in response to particular security-relevant events, such as a system intrusion (a network event) or an execution error (an abnormal event).
    • Motivation to Combine: A POSITA would be motivated to apply Roth's teachings to the Veselov-Basavapatna system to efficiently capture snapshots with data most relevant to a security analysis. Triggering snapshots upon detection of specific security events, as taught by Roth, would facilitate a more efficient and targeted analysis of the system's state at times of particular concern, a clear benefit over scheduled or manual snapshots.
    • Expectation of Success: Event detection and snapshot generation were routine and predictable techniques. As Veselov already taught the concept of event-triggered assessments, applying Roth's specific teachings on trigger types would be a straightforward and predictable implementation.
  • Additional Grounds: Petitioner asserted additional obviousness challenges based on the core combination of Veselov and Basavapatna in view of Czarny (for claims 14 and 31, teaching hash-based file comparison) and in view of Chari (for claims 13, 16, 30, and 33, teaching detection of sensitive data like PII and private keys).

4. Key Claim Construction Positions

  • "[Analyzing/Analyze] the Snapshot": Petitioner argued this term should be construed to encompass both direct analysis of the snapshot data (e.g., as a data file) and indirect analysis via a virtual machine instantiated from the snapshot. Petitioner asserted this interpretation is supported by the patent's specification and the Patent Owner's own infringement contentions in related litigation. This construction is central to the obviousness arguments, as the primary reference, Veselov, explicitly discloses both types of analysis.

5. Arguments Regarding Discretionary Denial

  • Petitioner argued that discretionary denial under 35 U.S.C. §325(d) is unwarranted. It was asserted that while the primary reference, Veselov, was disclosed to the USPTO during prosecution, it was never applied in a rejection or substantively discussed in combination with the other asserted references (Basavapatna, Kapoor, etc.), which were not before the Examiner. Petitioner contended that the allowance of the claims constituted a material error because the Examiner never received an art-based rejection and the reasons for allowance failed to identify any specific patentable limitation, instead broadly listing claim language.

6. Relief Requested

  • Petitioner requests institution of an inter partes review and cancellation of claims 1-34 of Patent 11,868,798 as unpatentable.