Orca Security Ltd v. Wiz Inc

1. Case Identification

• Case #: IPR2025-01083
• Patent #: 11,722,554
• Filed: June 4, 2025
• Petitioner(s): Orca Security Ltd
• Patent Owner(s): Wiz, Inc.
• Challenged Claims: 1-5, 7-16, 18-21

2. Patent Overview

• Title: Determining Abnormal Configuration of Network Objects Deployed in a Cloud Computing Environment
• Brief Description: The ’554 patent is directed to analyzing a network within a cloud computing environment to determine abnormal configurations of network objects. The patent proposes using graphical solutions to overcome the challenges of time-consuming manual monitoring and resource-intensive agent-based monitoring.

3. Grounds for Unpatentability

Ground 1: Claims 1, 4, 7-12, 15, and 18-21 are obvious over Shivamoggi

• Prior Art Relied Upon: Shivamoggi (Patent 11,770,387).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Shivamoggi, which was not cited during prosecution, teaches every limitation of the independent claims. Shivamoggi discloses a cyberattack detection system that monitors a computer network, including virtual machines hosted on cloud platforms like AWS and Microsoft Azure, for anomalous connections indicative of lateral movement. Petitioner asserted this system meets the claim limitations by: (a) collecting network data from nodes (network objects) in the cloud environment; (b) constructing a visual “connection graph” based on the collected data; (c) determining relationships by showing connections, protocols, and durations between nodes; (d) analyzing the graph to identify and rank suspected attack paths, which constitute “insights” including a list of abnormal connections; and (e) tagging objects by allowing a user to select elements (nodes, links) in the graph’s GUI to view detailed information (insights) about them.
  • Motivation to Combine (for §103 grounds): Not applicable (single reference).
  • Expectation of Success (for §103 grounds): Not applicable (single reference).

Ground 2: Claims 2, 3, 13, and 14 are obvious over Shivamoggi in view of Zhong

• Prior Art Relied Upon: Shivamoggi (Patent 11,770,387) and Zhong (Patent 10,693,743).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that while Shivamoggi teaches the base system for analyzing a cloud environment, it does not explicitly disclose an environment with a plurality of different cloud computing platforms or the use of an Application Programming Interface (API) to collect data from them, as required by the challenged dependent claims. Zhong was argued to supply these missing elements. Zhong teaches a cloud computing management application that collects and manages data from "any number of separate cloud computing services," including AWS, Microsoft Azure, and Google Cloud. Furthermore, Zhong expressly teaches using APIs provided by these cloud services to retrieve data, such as log files, for analysis.
  • Motivation to Combine (for §103 grounds): A POSITA would combine Shivamoggi with Zhong to improve the system’s efficiency and provide a more holistic view of a multi-cloud environment. Zhong provides an express motivation, noting that conventional single-platform consoles present challenges in obtaining broader information, and that a unified system provides significant benefits. This was a known desirable goal in the art.
  • Expectation of Success (for §103 grounds): A POSITA would have a reasonable expectation of success because the proposed modification is straightforward. Shivamoggi already contemplates using the same cloud services taught by Zhong (AWS, Azure), and integrating data sources via APIs is a well-known and ubiquitous technique for connecting different systems.

Ground 3: Claims 5 and 16 are obvious over Shivamoggi in view of Woolward

• Prior Art Relied Upon: Shivamoggi (Patent 11,770,387) and Woolward (Application # 2020/0382560).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued this combination renders obvious claims requiring the further step of "determining impermissible relationships between the network objects." While Shivamoggi’s system detects abnormal behavior, Woolward was asserted to teach a specific method for determining impermissibility. Woolward discloses a method for validating security policies in a cloud environment by representing network workloads as nodes in a graph database and comparing the relationships (edges) between them against a repository of pre-defined rules (a security policy). This policy pre-tags relationships as permissible ("action permit") or impermissible ("action deny"), and the system generates a list of violations.
  • Motivation to Combine (for §103 grounds): A POSITA would combine these references to improve the accuracy and efficiency of Shivamoggi’s cyberattack detection system. Shivamoggi notes that "human analysis to verify detected attack signals" is labor-intensive and error-prone. Incorporating Woolward’s automated method of using a security policy would directly address this problem by providing a more robust and automated way to identify undesirable connections, thereby improving the detection of lateral movement attacks.
  • Expectation of Success (for §103 grounds): A high expectation of success would exist because both references describe systems operating in the same cloud environments (e.g., AWS, Azure). Combining known network management methods to improve the efficiency of detecting abnormal configurations was a predictable result.

4. Relief Requested

• Petitioner requests institution of an inter partes review and cancellation of claims 1-5, 7-16, and 18-21 of Patent 11,722,554 as unpatentable.