Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 1 of 27 PageID
`#: 5689
` Paper 8
`Trials@uspto.gov
`571-272-7822
`
`Date: December 9, 2024
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`WIZ, INC.,
`Petitioner,
`
`v.
`
`ORCA SECURITY LTD.,
`Patent Owner.
`____________
`
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`Before MICHAEL R. ZECHER, GARTH D. BAER, and
`SCOTT RAEVSKY, Administrative Patent Judges.
`
`BAER, Administrative Patent Judge.
`
`
`
`
`
`
`
`____________
`
`
`DECISION
`Granting Institution of Inter Partes Review
`35 U.S.C. § 314
`
`
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 2 of 27 PageID
`#: 5690
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`INTRODUCTION
`I.
`Petitioner, Wiz, Inc., filed a Petition requesting an inter partes review
`(“IPR”) of claims 1–16 of U.S. Patent No. 11,663,031 B2 (Ex. 1001, “the
`’031 patent”). Paper 2 (“Pet.”). Patent Owner, Orca Security Ltd., filed a
`Preliminary Response. Paper 6 (“Prelim. Resp.”). Based on the authority
`delegated to us by the Director under 37 C.F.R. § 42.4(a), we may not
`institute an IPR unless the information presented in the Petition and any
`preliminary response thereto shows “there is a reasonable likelihood that the
`petitioner would prevail with respect to at least 1 of the claims challenged in
`the petition.” 35 U.S.C. § 314(a). Taking into account Patent Owner’s
`Preliminary Response, we conclude that the information presented in the
`Petition establishes that there is a reasonable likelihood that Petitioner would
`prevail in demonstrating at least one of claims 1–16 of the ’031 patent is
`unpatentable. Pursuant to § 314, we hereby institute an IPR as to these
`claims of the ’031 patent.
`
`Real Party in Interest (“RPI”)
`A.
`Petitioner identifies itself as an RPI. Pet. 1. Patent Owner identifies
`itself as an RPI. Paper 3 (Patent Owner’s Mandatory Notices), 1.
`
`Related Matters
`B.
`The parties indicate that the ’031 patent is the subject of a district
`
`court case titled Orca Security Ltd. v. Wiz, Inc., No. 1:23-cv-00758 (D. Del.
`filed July 12, 2023) (“Delaware Action”). Pet. 2; Paper 3, 1.
`
`The ’031 Patent
`C.
`The ’031 patent generally relates to “cyber-security systems and, more
`specifically, to techniques for securing virtual machines.” Ex. 1001, 1:14–
`
`2
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 3 of 27 PageID
`#: 5691
`IPR2024-00863
`Patent 11,663,031 B2
`
`16. According to the ’031 patent, organizations like Amazon, Microsoft,
`and Google “have increasingly adapted their applications to be run from
`multiple cloud computing platforms.” Id. at 1:20–23. “Virtualization plays
`a key role in a cloud computing” by “allowing multiple applications and
`users to share the same cloud computing infrastructure.” Id. at 1:24–26.
`This is accomplished by using “virtual machines [VMs]” that “emulate[] a
`number of ‘computers’ or instances, all within a single physical device.” Id.
`at 1:28–30. The ’031 patent states that “virtual machines running on top of
`virtualization technologies are . . . vulnerable to some cyber threats,” but that
`“[p]rotection of a cloud computing infrastructure, and particularly, of virtual
`machines, can be achieved via inspection of traffic.” Id. at 1:39–46.
`Conventionally, traffic inspection may be accomplished by “a network
`device connected between a client and a server . . . hosting virtual
`machines,” “a network scanner deployed out of path,” “a traffic monitor that
`listens to traffic flows between clients and the server,” or by using
`“vulnerability management and security assessment solutions . . . based on
`agents installed in each server in a cloud computing platform.” Id. at 1:46–
`2:14. The ’031 patent, however, explains how there are certain
`disadvantages associated with each of these conventional ways of traffic
`inspection. Id.
`The ’031 patent ostensibly addresses these disadvantages by providing
`a method for “securing virtual cloud assets at rest against cyber threats.” Ex.
`1001, 2:56–57. Figure 1B of the ’031 patent, reproduced below, illustrates a
`network diagram that implements various embodiments. Id. at 3:24–25.
`
`3
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 4 of 27 PageID
`#: 5692
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`
`
`Figure 1B illustrates cloud computing platform 110 that includes client
`environment 130 with storage 117 containing virtual disks 118-1 and 118-2,
`server 115 hosting virtual machines 119-1 and 119-2, and security system
`140. Id. at 3:60–4:50. “[S]ecurity system 140 is configured to detect
`vulnerabilities and other cyber threats related to the execution [of] VM 119.”
`Id. at 5:19–21. More specifically, “security system 140 can scan and detect
`vulnerable software, non-secure configurations, exploitation attempts,
`compromised assets, data leaks, data mining, and so on,” as well as “provide
`security services, such as incident response, anti-ransomware, and cyber
`insurance by accessing the security posture.” Id. at 5:24–30.
`
`D. Challenged Claims
`Of the challenged claims, claims 1, 9, and 16 are independent.
`Independent claim 1 is illustrative of the challenged claims and is
`reproduced below.
`[1.i] A system for inspecting data, the system comprising:
`at least one processor configured to:
`
`4
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 5 of 27 PageID
`#: 5693
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`[1.1] establish an interface between a client environment
`and security components;
`[1.2] using the interface, utilize cloud computing platform
`[application programming interfaces (‘APIs’)] to identify virtual
`disks of a virtual machine in the client environment;
`[1.3] use the computing platform APIs to query a location
`of at least one of the identified virtual disks;
`[1.4] receive an identification of the location of the virtual
`disks of the virtual machine;
`[1.5] perform at least one of: (i) taking at least one
`snapshot, and (ii) requesting taking at least one snapshot of the
`virtual machine at rest, wherein the at least one snapshot
`represents a copy of the virtual disks of the virtual machine at a
`point in time;
`[1.6] analyze the at least one snapshot to detect
`vulnerabilities, wherein during
`the detection of
`the
`vulnerabilities by analyzing the at least one snapshot, the virtual
`machine is inactive; and
`[1.7] report the detected vulnerabilities as alerts.
`Id. at 10:44–64 (Petitioner’s element numbering added).
`
`Asserted Prior Art References
`E.
`Petitioner relies on the prior art references set forth in the tables
`below.
`Name1
`
`Reference
`
`Dates
`
`Exhibit
`No.
`1007
`
`1048
`
`1078
`
`Veselov
`
`US 11,216,563 B1
`
`Price
`
`issued Jan 4. 2022;
`filed May 19, 2017
`US 2013/0247133 A1 published Sept. 19, 2013;
`filed Oct. 13, 2011
`Hufsmith US 2020/0097662 A2 published Mar. 26, 2020;
`filed Sept. 28, 2018
`
`
`1 For clarity and ease of reference, we only list the first named inventor.
`
`5
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 6 of 27 PageID
`#: 5694
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`
`Printed Publication
`Alvin Huseinović & Samir Ribić, “Virtual Machine
`Memory Forensics” 2013 21st Telecommunications
`Forum Telfor2 (“Huseinović”).
`
`Exhibit No.
`1049
`
`
`
`Asserted Grounds of Unpatentability
`F.
`Petitioner challenges claims 1–16 of the ’031 patent based on the
`asserted grounds of unpatentability set forth in the table below. Pet. 3, 22–
`65.
`Claim(s) Challenged 35 U.S.C. § References/Basis
`1, 3–9, 11–16
`1033
`Veselov, Price
`2, 10
`103
`Veselov, Price, Hufsmith
`6, 14
`103
`Veselov, Price, Hufsmith,
`Huseinović
`
`
`2 To support its argument that Huseinović qualifies as a printed publication
`that was available publicly at least as of the ’031 patent’s earliest claimed
`priority date, Petitioner introduces a Declaration of Dr. Angelos Stavrou (Ex.
`1002 ¶¶ 97–100), a Declaration of Gordon MacPherson, who is the Director
`Board Governance & Policy Development of The Institute of Electrical and
`Electronic Engineers, Inc. (“IEEE”) (Ex. 1060), an IEEE Xplore webpage
`that presents usage metrics for Huseinović (Ex. 1050), and two other
`documents confirming that Huseinović was cited in other pre-2019
`publications (Exs. 1061, 1062).
`3 The Leahy-Smith America Invents Act (“AIA”), Pub. L. No. 112-29, 125
`Stat. 284, 287–88 (2011), amended 35 U.S.C. § 103, effective March 16,
`2013. Because the challenged patent claims the benefit of an application
`filed after this date, the post-AIA version of § 103 applies. Ex. 1001, code
`(60).
`
`6
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 7 of 27 PageID
`#: 5695
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`II. DISCUSSION
`A. Discretionary Denial under § 314(a)
`Patent Owner contends that we should exercise our discretion to deny
`the Petition under § 314(a) because “the overall balance of the Fintiv factors
`shows that ‘efficiency, fairness, and the merits support the exercise of
`authority to deny institution.’” Prelim. Resp. 50 (quoting Apple Inc. v.
`Fintiv, Inc., IPR2020-00019, Paper 11 at 6 (PTAB Mar. 20, 2020) (Order
`Authorizing Supplemental Briefing on Discretionary Denial) (precedential).
`After Patent Owner filed its Preliminary Response, however, Petitioner filed
`a stipulation consistent with the stipulation filed in Sotera Wireless, Inc. v.
`Masimo Corp., IPR2020-01019, Paper 12 (PTAB Dec. 1, 2020) (Decision
`Granting Institution) (precedential as to § II.A) (“Sotera”). Ex. 1083.
`On June 21, 2022, the Director issued interim guidance in the form of
`a memo that further clarifies how we should approach analyzing the Fintiv
`factors. See Interim Procedure for Discretionary Denials in AIA Post-grant
`Proceedings with Parallel District Court Litigation, available at
`https://www.uspto.gov/sites/default/files/documents/interim_proc_discretion
`ary_denials_aia_parallel_district_court_litigation_memo_20220621_.pdf.
`Notably, the Director stated that “the [Patent Trial and Appeal Board
`(‘PTAB’)] will not discretionarily deny institution in view of parallel district
`court litigation where a petitioner presents a stipulation not to pursue in a
`parallel proceeding the same grounds or any ground that could have
`reasonably been raised before the PTAB.” Id. With this interim guidance in
`mind, we decline to exercise our discretion to deny institution of this
`proceeding under Fintiv because Petitioner filed a Sotera stipulation.
`Ex. 1083.
`
`7
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 8 of 27 PageID
`#: 5696
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`Claim Construction
`B.
`Independent claims 1, 9, and 16 each require “analyz[ing] the at least
`one snapshot.” Petitioner proposes we construe this term to encompasses
`two alternative approaches: (1) “direct analysis of the snapshot data”; and
`(2) “analysis of a VM instantiated from the snapshot.” See Pet. 10–11.
`Patent Owner disputes the second approach, but not the former. See Prelim.
`Resp. 12–14. For purposes of institution, we agree with Petitioner’s first
`alternative approach—“analyz[ing] the at least one snapshot” encompasses
`“direct analysis of the snapshot data.” This construction finds support in the
`specification of the ’031 patent. See e.g., Ex. 1001, 6:17–18 (“The snapshot
`is parsed and analyzed by the security system 140 to detect vulnerabilities.”),
`6:23–24 (“[T]he security system 140 may be configured to match the
`application files, either directly using binary comparison or by computing a
`cryptographic hash against [a] database of files in vulnerable applications.”).
`Because, as we explain below, Petitioner’s obviousness analysis is sufficient
`under this first approach, we take no position on Petitioner’s second
`alternative approach, which Patent Owner disputes. See Nidec Motor Corp.
`v. Zhongshan Broad Ocean Motor Co., 868 F.3d 1013, 1017 (Fed. Cir.
`2017) (noting that “we need only construe terms ‘that are in controversy, and
`only to the extent necessary to resolve the controversy’” (quoting Vivid
`Techs., Inc. v. Am. Sci. & Eng’g, Inc., 200 F.3d 795, 803 (Fed. Cir. 1999))).
`Although the parties submit additional terms for construction, see Pet.
`9–10; Prelim. Resp. 14–16, we do not need to further construe the claims to
`determine whether to institute IPR. See Nidec Motor Corp. 868 F.3d at
`1017.
`
`8
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 9 of 27 PageID
`#: 5697
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`Level of Skill in the Art
`C.
`Relying on the testimony of Dr. Stavrou, Petitioner argues the
`following:
`[a person of ordinary skill in the art] as of January 2019 would
`have held at least a bachelor’s degree in computer science,
`computer engineering, electrical engineering, or a related field,
`and would also have 2-3 years of professional experience
`working with cyber security analysis and virtualization.
`Additional experience could compensate for less education and
`vice versa. Relevant work experience includes, for example,
`malware analysis, security analysis of cloud computing systems,
`and security analysis of virtual machines.
`Pet. 8–9 (citing Ex. 1002 ¶¶ 21, 22).
`Patent Owner offers essentially the same assessment of the level of
`skill in the art as Petitioner, arguing the following:
`[a person of ordinary skill in the art] as of the ’031 patent’s
`earliest priority date (January 28, 2019), would have had at least
`a Bachelor’s degree in computer science, computer engineering,
`or a related field, and two years of industry experience or
`academic
`research experience
`in cyber security and
`virtualization,
`including cloud computing cybersecurity.
`Additional education can compensate for less experience and
`vice-versa.
`Prelim. Resp. 11–12 (citing Ex. 2001 ¶¶ 1–12, 19–26).
`We do not discern a material difference between the assessments of
`the level of skill in the art advanced by either party, nor does either party
`premise its arguments exclusively on its own assessment. For purposes of
`institution, we adopt Petitioner’s assessment, except that we delete the
`qualifier “at least” to eliminate vagueness as to the appropriate level of
`education. The qualifier expands the range without an upper bound (i.e.,
`encompassing a Ph.D. degree and beyond), and does not meaningfully
`
`9
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 10 of 27 PageID
`#: 5698
`IPR2024-00863
`Patent 11,663,031 B2
`
`indicate the level of skill in the art. Petitioner’s assessment—without the
`qualifier—is supported by the testimony of Dr. Stavrou and it is consistent
`with the ’031 patent and the asserted prior art. We note, however, that our
`obviousness analysis would be the same under each party’s assessment.
`
`D. Description of Primary Prior Art References
`1. Veselov (Ex. 1007)
`Veselov generally relates to “a scanning system and associated
`method for performing security assessments on virtualized reproductions of
`the computing resource(s) that is/are the target of the security assessment.”
`Ex. 1007, 3:20–23. According to Veselov, “the scanning system obtains, or
`obtains access to, a state of the resource at a point in time (e.g., a ‘snapshot’)
`prior to, or in conjunction with, initiating the security assessment.” Id. at
`3:23–27. “The snapshot may” include “a copy of the state of memory, the
`state of any device (virtual or physical) allocated to the resource, block-level
`image of the entire logical volume; or . . . an image of only a portion of the
`logical volume containing the data required to embody an exact copy of the
`virtual machine instance; or . . . a copy of certain files of the target
`computing resource.” Id. at 3:32–40.
`Figure 2 of Veselov, reproduced below, illustrates “a flow diagram of
`an example method for executing the security assessment of one or more
`virtual machines in [a] virtual computing environment.” Ex. 1007, 1:61–63;
`see also id. at 2:64–67 (stating that an example of “a distributed computing
`environment” is “a ‘cloud’ computing environment”).
`
`10
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 11 of 27 PageID
`#: 5699
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`
`Figure 2 illustrates process 200 that begins at step 202 where “the scanning
`service may receive a signal to execute a security assessment of the target
`resource.” Id. at 8:62–64. “At step 204, the scanning service may optionally
`obtain scan data describing the parameters of the security assessment to be
`performed.” Id. at 9:9–11. “At step 206, the scanning service may obtain
`snapshot data representing the state of the target resource at the time the
`snapshot was captured.” Id. at 9:14–16. “At step 208, the scanning service
`may generate a scannable volume, or cause a scannable volume to be
`generated, based at least in part on the snapshot data.” Id. at 10:1–3.
`One example of generating a scannable volume includes “launching a
`duplicate virtual machine instance in an allocated logical volume.” Id. at
`
`11
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 12 of 27 PageID
`#: 5700
`IPR2024-00863
`Patent 11,663,031 B2
`
`10:9–16. “At step 210, the scanning service may perform the security
`assessment on the scannable volume.” Id. at 10:17–18. “At step 212, the
`scanning service may associate the assessment results with the target
`resource . . . and then may take various actions on the assessment results,”
`including “if vulnerabilities are identified in the assessment results,
`comparing the assessment results to a remediation framework to identify one
`or more actions the user can take to address the vulnerabilities.” Id. at
`10:24–36.
`
`2. Price (Ex. 1048)
`Price generally relates to “computer security and, more particularly, to
`performing security tasks on virtual machines.” Ex. 1048 ¶ 1. Price
`discloses a feature directed to collecting “[r]esult data . . . from the security
`assessment of . . . offline virtual machines.” Id. ¶ 14. Price accomplishes
`this collection of data using computer system 100 that is “configured to scan
`offline virtual appliances, including those virtual appliances which had
`already been powered down, for vulnerabilities and policy compliance
`violations.” Id. ¶ 29, Fig. 1.
`
`III. OBVIOUSNESS ANALYSIS
`A. Ground 1: Obviousness based on Veselov and Price
`Petitioner contends that claims 1, 3–9, and 11–16 are unpatentable
`under 35 U.S.C. § 103 as obvious over Veselov and Price. Pet. 22–54.
`Based on the present record and for the reasons explained below, we
`determine that Petitioner has demonstrated a reasonable likelihood of
`success in demonstrating that claims 1, 3–9, and 11–16 would have been
`obvious over Veselov and Price.
`
`12
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 13 of 27 PageID
`#: 5701
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`1. Petitioner’s Proposed Combination of Veselov and Price
`Petitioner relies on Veselov for the bulk of the independent claim
`elements. Petitioner maps Veselov’s network communication channels that
`facilitate a scanning service for a target resource (as depicted in Veselov’s
`Figure 1) to the claimed client-security interface and cloud computing API
`that identifies and queries a VMs’ virtual disks. Pet. 25–36. Petitioner
`further relies on Veselov’s service that “obtain[s] and analyze[s] snapshot
`data 146” for teaching taking and analyzing snapshots of the virtual disks to
`detect and report vulnerabilities, as the independent claims require. Id. at 37
`(quoting Ex. 1007, 6:25–30); see id. at 36–45. Petitioner further explains
`that Veselov teaches the claimed reporting-vulnerabilities step because
`Veselov’s assessment results describe security vulnerabilities. Id. at 45.
`Because Veselov “does not expressly describe the state of the VM at
`the time the snapshot is captured,” Petitioner relies on Price for teaching the
`independent claims’ requirement that the VM be at rest and inactive. Id. at
`38–39. Price does so, Petitioner explains, by “determining whether VMs are
`online or offline and, for each offline VM, obtaining and scanning the VM’s
`image data to identify/report security issues.” Id. at 38 (citing Ex. 1048
`¶¶ 14, 21, 29, 42, 44–45, Fig. 6). Citing relevant support from Price and its
`declarant, Dr. Stavrou, Petitioner contends that a skilled artisan would have
`been motivated to combine Price’s inactive/at rest security assessments with
`Veselov’s virtual computing security assessment system “to provide the
`well-known security benefit of preventing further damage that might
`otherwise be caused if a potentially compromised VM actively runs (e.g., a
`vulnerability could be exploited, or suspected malware could contaminate
`other resources).” Id. at 24 (citing Ex. 1048 ¶ 14; Ex. 1002 ¶ 105).
`
`13
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 14 of 27 PageID
`#: 5702
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`Beyond the independent claims, Petitioner asserts that Veselov also
`teaches the limitations in dependent claims 3–8 and 11–15 including
`implementing a remedial action (claims 3 and 11), identifying a virtual
`disk’s address (claims 4 and 12), a change log to restore the virtual machine
`to a particular point in time (claims 5 and 13), a page file of memory to
`deduct running applications (claims 6 and 14), generating a plurality of
`snapshots according to a predetermined schedule (claims 7 and 15), and
`generating a snapshot in response to a predetermined trigger event (claim 8).
`Pet. 46–54.
`Patent Owner challenges several aspects of Petitioner’s obviousness
`challenge. We address those issues below.
`
`2. Petitioner’s Rationale for Combining Veselov and Price
`Patent Owner asserts that Petitioner’s rationale for combining Veselov
`and Price is flawed because “Veselov discloses taking or obtaining
`snapshots only of active VMs and assessing active VM instances, because its
`systems are designed to address the particular problem that security
`assessments can reduce an active target computing device’s capabilities.”
`Prelim. Resp. 25. Further, Patent Owner asserts, “[persons of ordinary skill
`in the art] reading Veselov would not have sought out or searched for, much
`less combined the teachings of, systems and methods directed to assessing
`the security of offline or inactive VMs.” Id. at 26. Lastly, Patent Owner
`asserts Petitioner does not meet its burden of demonstrating that there is a
`reasonable expectation of success in combining the teachings of Veselov and
`Price because nothing in Veselov discloses or suggests taking snapshots of
`inactive or at rest VMs. Id. at 31. We preliminarily disagree.
`
`14
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 15 of 27 PageID
`#: 5703
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`As noted above, Petitioner explains that a skilled artisan would have
`been motivated to combine Veselov’s virtual computing security assessment
`system with Price’s inactive/at rest security assessments “to provide the
`well-known security benefit of preventing further damage that might
`otherwise be caused if a potentially compromised VM actively runs (e.g., a
`vulnerability could be exploited, or suspected malware could contaminate
`other resources).” Pet. 24 (citing Ex. 1048 ¶ 14; Ex. 1002 ¶ 105). With this
`rationale, Petitioner has articulated sufficient reasoning with rational
`underpinning to support the legal conclusion that its proffered combination
`would have been obvious to one skilled in the art. See KSR Int’l Co. v.
`Teleflex Inc., 550 U.S. 398, 418 (2007). Patent Owner’s argument
`highlighting mere differences between Veselov and Price—i.e., Veselov’s
`active VMs versus Price’s inactive ones—does not undermine Petitioner’s
`proffered rationale and does not suggest that Price’s inactive security
`assessments are incompatible with Veselov’s general security-assessment
`structure.
`In addition, Petitioner presents sufficient arguments and evidence for
`purposes of institution that a skilled artisan would have a reasonable
`expectation of success in making the proposed combination. Specifically,
`Petitioner explains, with relevant support from its declarant, Dr. Stavrou,
`and the prior art, that “[o]ffline snapshotting and offline analysis were
`routine and predictable.” Pet. 25 (citing Exs. 1002, 1073, 1081).
`“Moreover,” Petitioner explains, “most of Veselov’s snapshot-generation
`and analysis techniques require no interaction with the original VM and, as a
`result, the state of the original VM can be inactive or at rest when the
`snapshot is taken and while the snapshot analysis is being performed.” Id.
`
`15
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 16 of 27 PageID
`#: 5704
`IPR2024-00863
`Patent 11,663,031 B2
`
`(citing Exs. 1002, 1007). Patent Owner’s arguments that “[n]othing in
`Veselov discloses or suggests” either no-interaction snapshots or that the
`original VM can be inactive when the snapshot is taken, see Prelim. Resp.
`31, does not undermine that one skilled in the art would have a reasonable
`expectation of success in taking and analyzing snapshots of inactive VMs.
`
`3. Element [1.2]
`Claim 1 requires “utilize[ing] cloud computing platform APIs to
`identify virtual disks of virtual machine.” Ex. 1001, 10:48–49. Independent
`claims 9 and 16 include parallel limitations. Id. at 11:26–27, 12:27–28.
`Petitioner contends that Veselov teaches this feature in at least two ways.
`Pet. 29. First, Veselov discloses that “[u]sers can request a security
`assessment by identifying a target VM hosted in a virtual computer
`environment . . . and that VM can have multiple virtual disks.” Pet. 29
`(citing Ex. 1007, 3:20–40, 6:30–43, 9:55–62, 11:31–32, 11:37–46, 16:21–
`23, Figs. 3A, 3B, 5A 5B). Petitioner asserts that Veselov’s “scanning
`service would first identify the virtual disks that will be part of the snapshot,
`particularly since the user may simply provide the scanning service with an
`identifier of the VM.” Id. at 30 (citing Ex. 1007, 6:30–43, Ex. 1002 ¶ 124).
`Second, Veselov also teaches this limitation because it discloses “an API-
`based UI [user interface] [that] can be used to select assessment targets and
`other assessment parameters,” and that through this UI, the user can
`“perform general management of ‘virtual resource allocations.’” Id. at 32
`(citing Ex. 1007, 4:19–48, 5:1–8, 14:37–15:29). According to Petitioner,
`Veselov teaches or suggests the claimed “utiliz[ing] cloud computing
`platform APIs” to identify the virtual disks because Veselov teaches that the
`“[t]he scanning service communicates with the target resource’s
`
`16
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 17 of 27 PageID
`#: 5705
`IPR2024-00863
`Patent 11,663,031 B2
`
`environment via API calls” and “that the target environment can be part of a
`cloud computing platform.” Id. at 30 (citing Ex. 1007, 2:22–67, 5:1–5,
`5:59–60); see id. at 32–33.
`Patent Owner contends that Veselov does not teach this element
`because Veselov “only uses the word ‘cloud’ once, where it provides that ‘a
`“cloud” computing environment’ is a type of ‘distributed computing
`environment.’” Prelim. Resp. 34 (quoting Ex. 1007, 2:64–67). Patent
`Owner further argues that Veselov only discloses identifying a VM
`generally—“not the identification of virtual disks of a VM made using cloud
`computing platform APIs.” Id. Patent Owner asserts that Veselov’s
`disclosure of simply identifying a VM generally is not, by itself, a sufficient
`disclosure to support Petitioner’s positions of identifying any components
`thereof, including virtual disks of the VM. Id.; see also id. at 37 (further
`arguing that tertiary references not asserted in Petitioner’s obviousness
`ground based on Veselov and Price fail to motivate a person of ordinary skill
`in the art to modify Veselov to do anything more than identify a “VM
`generally”). In addition, Patent Owner contends that Petitioner relies on
`different embodiments in Veselov as illustrated in Figures 3A, 3B, 5A, and
`5B, but Petitioner fails to appreciate “those embodiments’ distinctions and
`fail[s] to explain why the embodiments are interchangeable.” Id. at 35–36
`(citing Pet. 27, 28, 30; Ex. 1007, 10:37–41, 14:37–41, Figs. 3A, 3B, 5A,
`5B).
`
`17
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 18 of 27 PageID
`#: 5706
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`Based on the preliminary record, we agree with Petitioner that
`Veselov teaches “using the interface, utilize cloud computing platform APIs
`to identify virtual disks of a virtual machine in the client environment.”
`Pet. 29–33. As an initial matter, Veselov provides security assessments of a
`service or distributed application using a distributed computing environment,
`such as “a ‘cloud’ computing environment.” Ex. 1007, 2:64–67. Figure 1 of
`Veselov illustrates that computing environment 100 includes scanning
`service 110 that targets computing resources via API 120 or another API.
`Id. at 5:1–5. In our view, these APIs may constitute “cloud computing
`platform APIs” because, as we explain above, Veselov explicitly
`contemplates that its computing environment 110 may be “a ‘cloud’
`computing environment.” Id. at 2:64–67.
`Veselov further discloses that “[t]he ‘state’ of the target resource
`represented by snapshot data may include any properties of the target
`resource,” including “properties of logical volume(s) containing the target
`resource.” Ex. 1007, 9:55–60. Veselov discloses that one example of these
`logical volumes is a “virtual disk drive” of a VM (e.g., logical volume 306
`of VM 312 illustrated in Figures 3A and 3B). Id. at 11:28–33; see also id. at
`11:5–9 (“[V]irtual machine 312 may be executed on a server and use a
`logical volume 306, which is composed of a fixed or variable allocation of
`physical data storage resources, such as data storage blocks selected from
`one or more hard disk drives of one or more server computers.”). With this
`in mind, there is sufficient evidence at this stage to support Petitioner’s
`argument that these APIs are used to “identify virtual disks of a virtual
`machine in client environment,” as the challenged claims require.
`
`18
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 218-1 Filed 12/12/24 Page 19 of 27 PageID
`#: 5707
`IPR2024-00863
`Patent 11,663,031 B2
`
`
`In addition, at this stage in the proceeding, we are not persuaded by
`Patent Owner’s argument that Petitioner relies on different embodiments in
`Veselov as illustrated in Figures 3A, 3B, 5A, and 5B, but fails to appreciate
`“those embodiments’ distinctions and fail[s] to explain why the
`embodiments are interchangeable.” Prelim. Resp. 36 (citing Pet. 27, 28, 30).
`Instead, it appears that Petitioner relies upon common features across
`different exemplary systems illustrated in Veselov’s Figures 3A, 3B, 5A,
`and 5B. See, e.g., Pet. 29 (relying on logical volume 306 of VM 312
`illustrated in Figures 3A and 3B, as well as logical volume 506 of VM 512
`illustrated in Figures 5A and 5B). That is, Veselov discloses exemplary
`systems, each of which executes a security assessment of a virtual machine.
`Ex. 1007, 1:64–2:13, Figs. 3A, 3B, 5A, 5B. These exemplary systems all
`have common features, such as user devices 302 and 502, scanning services
`310 and 510, virtual machines 312 and 512, and logical volumes 306 and
`506. Id. at Figs. 3A, 3B, 5A, 5B. We do not fault Petitioner for relying on
`those features, even though they appear in multiple figures.
`
`4. Element [1.3]
`Claim 1 requires “us[ing] the computer platform APIs to query a
`location of at least one of the identified virtual disks.” Ex. 1001, 10:51–52.
`Independent claims 9 and 16 include parallel limitations. Id. at 11:29–30,
`12:30–31. Petitioner contends that Veselov teaches this limitation because a
`person of ordinary skill in the art would have understood that “Veselov’s
`scanning service . . . queries the location of the identified virtual disks so
`that it can locate them when generating a snapshot that includes those disks.”
`Pet. 33 (citing Ex. 1007, 9:25–28; Ex. 1002 ¶ 134). According to Petitioner,
`these “disk-location q