By: Matthew A. Argenti (margenti@wsgr.com)
Michael T. Rosato (mrosato@wsgr.com)
Wesley E. Derryberry (wderryberry@wsgr.com)
Joseph M. Baillargeon (jbaillargeon@wsgr.com)
WILSON SONSINI GOODRICH & ROSATI
650 Page Mill Road
Palo Alto, CA 94304

UNITED STATES PATENT AND TRADEMARK OFFICE

————————————————

BEFORE THE PATENT TRIAL AND APPEAL BOARD

————————————————

WIZ, INC.,
Petitioner,

v.

ORCA SECURITY LTD.,
Patent Owner.

————————————————
Case IPR2024-01109
Patent No. 11,726,809
————————————————

PETITION FOR INTER PARTES REVIEW
OF U.S. PATENT NO. 11,726,809

TABLE OF CONTENTS

I. INTRODUCTION
II. MANDATORY NOTICES UNDER 37 C.F.R. §42.8
III. CERTIFICATIONS
IV. IDENTIFICATION OF CHALLENGE; STATEMENT OF PRECISE RELIEF REQUESTED
V. THE ’809 PATENT
    A. Prosecution History
VI. NO BASIS EXISTS FOR DISCRETIONARY DENIAL
    A. Discretionary Denial Is Not Warranted under Fintiv
    B. Discretionary Denial Is Not Warranted under 35 U.S.C. §325(d)
VII. LEVEL OF ORDINARY SKILL
VIII. CLAIM CONSTRUCTION
    A. Determining/Determine a “Location” of a Snapshot
    B. “[Analyze/Analyzing] the Snapshot”
IX. BACKGROUND
    A. Cloud Computing, Virtualization, and Snapshots
    B. Cyber Security
X. PRIOR ART
    A. Veselov (U.S. Patent No. 11,216,563; EX1007)
    B. Mohanty (U.S. Patent No. 9,692,778; EX1075)
    C. Czarny (U.S. Patent No. 9,749,349; EX1084)
    D. Hutchins (U.S. Publication No. US 2013/0024940; EX1070)
XI. GROUND 1: CLAIMS 1-10 AND 12-23 WERE OBVIOUS OVER VESELOV AND MOHANTY
    A. Reasons to Combine Veselov and Mohanty
    B. Independent Claims 1, 16, and 19
        1. Preambles
        2. Element 19.i
        3. Elements 1.1, 16.1, and 19.1
        4. Elements 1.2, 16.2, and 19.2
        5. Elements 1.3, 16.3, and 19.3
        6. Elements 1.4, 16.4, and 19.4
        7. Elements 1.5, 16.5, and 19.5
        8. Elements 1.6, 16.6, and 19.6
        9. Elements 1.7, 16.7, and 19.7
        10. Elements 1.8, 16.8, and 19.8
    C. Dependent Claims
        1. Claim 2
        2. Claim 3
        3. Claim 4
        4. Claim 5
        5. Claims 6 and 17
        6. Claims 7 and 18
        7. Claim 8
        8. Claim 9
        9. Claim 10
        10. Claim 12
        11. Claims 13 and 20
        12. Claims 14 and 21
        13. Claims 15 and 22
        14. Claim 23
XII. GROUND 2: CLAIMS 1-10 AND 12-23 WERE OBVIOUS OVER VESELOV, MOHANTY, AND CZARNY
    A. Reasons to Combine Veselov, Mohanty, and Czarny
    B. Claims 1, 16, and 19
    C. Claims 6 and 17
    D. Claims 7 and 18
XIII. GROUNDS 3-4: CLAIM 11 WAS OBVIOUS OVER VESELOV, MOHANTY, AND HUTCHINS (WITH OR WITHOUT CZARNY)
    A. Reasons to Combine Veselov, Mohanty, and Hutchins (with or without Czarny)
    B. Claim 11
XIV. CONCLUSION

LISTING OF CHALLENGED CLAIMS

1. A method for securing virtual cloud assets against cyber vulnerabilities in a cloud computing environment, the method comprising:

[1.1] determining, using an API or service provided by the cloud computing environment, a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the protected virtual cloud asset is instantiated in the cloud computing environment;

[1.2] accessing, based on the determined location and using an API or service provided by the cloud computing environment, the snapshot of the virtual disk;

[1.3] analyzing the snapshot of the at least one virtual disk by matching installed applications with applications on a known list of vulnerable applications;

[1.4] determining, based on the matching, an existence of a plurality of potential cyber vulnerabilities;

[1.5] correlating the determined potential cyber vulnerabilities with a network location of the protected virtual cloud asset;

[1.6] using the determined plurality of potential cyber vulnerabilities and the network location of the protected virtual cloud asset to determine a risk of the protected virtual cloud asset to the cloud computing environment;

[1.7] prioritizing, by the determined risk, the plurality of potential cyber vulnerabilities; and

[1.8] reporting the determined plurality of potential cyber vulnerabilities as alerts prioritized according to the determined risk

2. The method of claim 1, wherein reporting the determined potential cyber vulnerabilities includes communicating the prioritized alerts to a user console or a security information and event management (SIEM) system.

3. The method of claim 2, further comprising filtering the determined potential cyber vulnerabilities based on a determined risk level associated with each determined potential cyber vulnerability, such that a number of the prioritized alerts reported to a user console or a SIEM system is less than a total number of determined potential cyber vulnerabilities.

4. The method of claim 3, wherein determining the risk of the protected virtual cloud asset to the cloud computing environment is based on external intelligence on the likelihood of the determined potential cyber vulnerabilities being exploited.

5. The method of claim 4, wherein determining a risk of the protected virtual cloud asset to the cloud computing environment includes analyzing a configuration of the protected virtual cloud asset, and wherein the method further comprises: weighting a takeover risk of the protected virtual cloud asset.

6. The method of claim 1, wherein analyzing the snapshot of the at least one virtual disk includes matching application files on the snapshot of the at least one virtual disk directly against application files associated with a known list of vulnerable applications.

7. The method of claim 1, wherein analyzing the snapshot of the at least one virtual disk includes matching application files on the snapshot of the at least one virtual disk by: computing a cryptographic hash against at least one application file to be matched; and matching the computed cryptographic hash against a database of files associated with a known list of vulnerable applications.

8. The method of claim 1, wherein analyzing the snapshot of the at least one virtual disk includes:

[8.1] parsing the snapshot of the at least one virtual disk; and

[8.2] scanning the parsed snapshot of the at least one virtual disk to detect the potential cyber vulnerabilities.

9. The method of claim 8, wherein scanning the parsed snapshot further includes at least one of:

[9.1] checking configuration files of applications and an operating system installed in the protected virtual cloud asset;

[9.2] verifying access times to files by the operating system installed in the protected virtual cloud asset; or

[9.3] analyzing system logs to deduce applications and modules executed in the protected virtual cloud asset.

10. The method of claim 1, further comprising mitigating a potential cyber vulnerability posing a risk to the protected virtual cloud asset.

11. The method of claim 10, wherein mitigating a potential cyber vulnerability includes at least one of: blocking traffic from untrusted networks to the protected virtual cloud asset, halting operation of the protected virtual cloud asset, or quarantining the protected virtual cloud asset.

12. The method of claim 1, wherein determining the location of the snapshot of at least one virtual disk further includes determining a virtual disk allocated to the protected virtual cloud asset.

13. The method of claim 1, wherein determining the location of the snapshot of at least one virtual disk further includes: using an API or service provided by the cloud computing environment for taking the snapshot or requesting the taking of the snapshot.

14. The method of claim 13, wherein determining the location of the snapshot of at least one virtual disk further includes obtaining the location of the snapshot after the snapshot is taken.

15. The method of claim 1, wherein determining the location of the snapshot of at least one virtual disk further includes querying a cloud management console of the cloud computing environment for the location of the snapshot and the location of the virtual disk.

16. A non-transitory computer readable medium containing instructions that when executed by at least one processor cause the at least one processor to perform operations for securing virtual cloud assets against cyber vulnerabilities in a cloud computing environment, the operations comprising:

[16.1] determining, using an API or service provided by the cloud computing environment, a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the protected virtual cloud asset is instantiated in the cloud computing environment;

[16.2] accessing, based on the determined location and using an API or service provided by the cloud computing environment, the snapshot of the virtual disk;

[16.3] analyzing the snapshot of the at least one virtual disk by matching installed applications with applications on a known list of vulnerable applications;

[16.4] determining, based on the matching, an existence of a plurality of potential cyber vulnerabilities;

[16.5] correlating the determined potential cyber vulnerabilities with a network location of the protected virtual cloud asset;

[16.6] using the determined plurality of potential cyber vulnerabilities and the network location of the protected virtual cloud asset to determine a risk of the protected virtual cloud asset to the cloud computing environment;

[16.7] prioritizing, by the determined risk, the plurality of potential cyber vulnerabilities; and

[16.8] reporting, the determined plurality of potential cyber vulnerabilities as alerts prioritized according to the determined risk.

17. The non-transitory computer readable medium of claim 16, wherein analyzing the snapshot of the at least one virtual disk further includes matching application files on the snapshot of the at least one virtual disk directly against application files associated with a known list of vulnerable applications.

18. The non-transitory computer readable medium of claim 16, wherein analyzing the snapshot of the at least one virtual disk further includes matching application files on the snapshot of the at least one virtual disk by: computing a cryptographic hash against at least one application file to be matched; and matching the computed cryptographic hash against a database of files associated with a known list of vulnerable applications.

19. A system for securing virtual cloud assets against cyber vulnerabilities in a cloud computing environment, the system comprising:

[19.i] at least one processor configured to:

[19.1] determine, using an API or service provided by the cloud computing environment, a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the protected virtual cloud asset is instantiated in the cloud computing environment;

[19.2] access, based on the determined location and using an API or service provided by the cloud computing environment, the snapshot of the virtual disk;

[19.3] analyze the snapshot of the at least one virtual disk by matching installed applications with applications on a known list of vulnerable applications;

[19.4] determine, based on the matching, an existence of a plurality of potential cyber vulnerabilities;

[19.5] correlate the determined potential cyber vulnerabilities with a network location of the protected virtual cloud asset;

[19.6] use the determined plurality of potential cyber vulnerabilities network location of the protected virtual cloud asset to determine a risk of the protected virtual cloud asset to the cloud computing environment;

[19.7] prioritize, by the determined risk, the plurality of potential cyber vulnerabilities; and

[19.8] report the determined plurality of potential cyber vulnerabilities as alerts prioritized according to the determined risk.

20. The system of claim 19, wherein determining the location of the snapshot of at least one virtual disk further includes: using an API or service provided by the cloud computing environment for taking the snapshot or requesting the taking of the snapshot.

21. The system of claim 20, wherein determining the location of the snapshot of at least one virtual disk further includes obtaining the location of the snapshot that is taken.

22. The system of claim 19, wherein determining the location of the snapshot of at least one virtual disk further includes querying a cloud management console of the cloud computing environment for the location of the snapshot and the location of the virtual disk.

23. The method of claim 1, further comprising copying the snapshot of the at least one virtual disk; and further wherein analyzing the snapshot of the at least one virtual disk comprises analyzing the copy of the snapshot.

I. INTRODUCTION

Petitioner Wiz, Inc. (“Wiz”) respectfully requests review of U.S. Patent No. 11,726,809 (“the ’809 patent”), currently assigned to Orca Security Ltd. (“Orca”). This petition demonstrates that claims 1-23 are unpatentable.

The ’809 claims describe well-known techniques for securing virtual cloud assets such as virtual machines (“VMs”). A “snapshot” of the asset’s virtual disk is located, accessed, and analyzed to determine vulnerabilities by matching installed applications with a known list of vulnerable applications. A risk is determined based on the determined vulnerabilities and correlating the determined vulnerabilities with a network location. The vulnerabilities are then prioritized and reported as prioritized alerts based on the determined risk.
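
Added illustration, not part of the petition, the ’809 patent, the cited references, or any party's product: the analysis steps summarized above (hash-based matching of files, correlation with a network location, risk scoring, and filtered, prioritized alerts) written out in Python. It assumes the snapshot is already mounted read-only at a directory; the hash database, placeholder vulnerability IDs, severity scores, exposure weights, and asset names are all constructed for the example.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed sample bytes standing in for application files on a virtual disk.
VULN_LIB = b"libexample 1.0.2 (constructed sample)"
VULN_SRV = b"exampled 2.4.1 (constructed sample)"
CLEAN_BIN = b"tool 9.9 (constructed sample)"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical known-vulnerable database keyed by file hash.
# IDs are placeholders and severities (0-10) are constructed values.
KNOWN_VULNERABLE = {
    _sha256(VULN_LIB): ("libexample 1.0.2", "VULN-PLACEHOLDER-1", 9.8),
    _sha256(VULN_SRV): ("exampled 2.4.1", "VULN-PLACEHOLDER-2", 5.3),
}

# Assumed exposure weight for each network location label.
EXPOSURE = {"internet-facing": 1.0, "internal": 0.4, "isolated": 0.1}


@dataclass
class Finding:
    asset: str
    path: str
    app: str
    vuln_id: str
    severity: float
    network_location: str = "unknown"
    risk: float = 0.0


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def analyze_snapshot(asset, mount_root):
    """Walk a mounted snapshot and match file hashes against the database."""
    findings = []
    for dirpath, _dirs, files in os.walk(mount_root):  # does not follow dir links
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # never follow links that may point outside the snapshot
            hit = KNOWN_VULNERABLE.get(hash_file(full))
            if hit:
                app, vuln_id, severity = hit
                rel = os.path.relpath(full, mount_root)
                findings.append(Finding(asset, rel, app, vuln_id, severity))
    return findings


def correlate_and_score(findings, network_locations):
    """Attach each asset's network location and derive a risk score from it."""
    for f in findings:
        f.network_location = network_locations.get(f.asset, "unknown")
        # An asset with unknown placement is scored as fully exposed (fail closed).
        f.risk = round(f.severity * EXPOSURE.get(f.network_location, 1.0), 2)
    return findings


def prioritized_alerts(findings, min_risk=0.0):
    """Drop findings below the threshold, then order the rest by risk."""
    kept = [f for f in findings if f.risk >= min_risk]
    return sorted(kept, key=lambda f: (-f.risk, f.asset, f.path))


def demo():
    """Build two constructed 'snapshots' on disk and run the whole pipeline."""
    layout = {
        "vm-web": {
            "usr/lib/libexample.so": VULN_LIB,
            "usr/sbin/exampled": VULN_SRV,
            "usr/bin/tool": CLEAN_BIN,
        },
        "vm-batch": {"opt/app/libexample.so": VULN_LIB},
    }
    locations = {"vm-web": "internet-facing", "vm-batch": "internal"}
    findings = []
    with tempfile.TemporaryDirectory() as tmp:
        for asset, files in layout.items():
            root = os.path.join(tmp, asset)
            for rel, data in files.items():
                target = os.path.join(root, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(data)
            findings += analyze_snapshot(asset, root)
    correlate_and_score(findings, locations)
    return findings, prioritized_alerts(findings, min_risk=4.0)


if __name__ == "__main__":
    all_findings, alerts = demo()
    for a in alerts:
        print(f"{a.risk:>5} {a.asset} {a.vuln_id} {a.app} ({a.network_location})")
    print(f"{len(alerts)} alerts reported out of {len(all_findings)} findings")
```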

This type of snapshot-based analysis was already well known, as demonstrated by the combination of Veselov and Mohanty. Veselov discloses most aspects of the independent claims, though it does not expressly discuss correlating the detected vulnerabilities with a network location, determining a risk based on the network location and the detected vulnerabilities, and then prioritizing/reporting based on that risk. However, this type of network-location-based prioritization was well known, as shown for example by Mohanty. The dependent claims describe other well-known features.

Accordingly, Wiz respectfully requests institution of inter partes review.

II. MANDATORY NOTICES UNDER 37 C.F.R. §42.8

Real Party-in-Interest (37 C.F.R. §42.8(b)(1)): Petitioner Wiz is the real party-in-interest.

Related Matters (37 C.F.R. §42.8(b)(2)): Wiz is involved in litigation involving the ’809 patent in Orca Security Ltd. v. Wiz, Inc., No. 1-23-cv-00758 (DDE), filed and served on July 12, 2023. Wiz also recently filed several IPR petitions, including IPR2024-00220 against U.S. Patent No. 11,431,735, which is a related patent owned by Patent Owner that contains claims similar to those of the ’809 patent. IPR2024-00220, Paper 2. Like the current petition, the petition in IPR2024-00220 included a Veselov-based ground. In response, Patent Owner disclaimed all challenged claims. IPR2024-00220, Paper 6. Wiz has also filed three petitions against other patents that are involved in the abovementioned litigation: IPR2024-00863 against U.S. Patent No. 11,663,031, IPR2024-00864 against U.S. Patent No. 11,663,032, and IPR2024-00865 against U.S. Patent No. 11,693,685.

Lead and Back-Up Counsel (37 C.F.R. §42.8(b)(3)):

Lead Counsel: Matthew A. Argenti (Reg. No. 61,836)

Back-Up Counsel: Michael T. Rosato (Reg. No. 52,182); Wesley E. Derryberry (Reg. No. 71,594); Joseph M. Baillargeon (Reg. No. 79,685)

Service Information – 37 C.F.R. §42.8(b)(4): Wiz consents to electronic service. Please direct all correspondence to lead and back-up counsel at the contact information below. A power of attorney accompanies this petition.

E-mail: margenti@wsgr.com; mrosato@wsgr.com; wderryberry@wsgr.com; jbaillargeon@wsgr.com

Post: WILSON SONSINI GOODRICH & ROSATI, 650 Page Mill Road, Palo Alto, CA 94304

Tel.: 650-354-4154

Fax: 650-493-6811

III. CERTIFICATIONS

The ’809 patent is available for IPR, and Wiz is not barred or estopped from requesting IPR on these grounds.

IV. IDENTIFICATION OF CHALLENGE; STATEMENT OF PRECISE RELIEF REQUESTED

Wiz seeks cancellation of the challenged claims for the reasons stated below, which are supported with exhibits, including the Declaration of Dr. Angelos Stavrou (EX1002). The claims are unpatentable under 35 U.S.C. §311 and AIA §6 based on at least the following grounds:

Ground   Claims        Basis
1        1-10, 12-23   §103(a): obviousness over Veselov and Mohanty.
2        1-10, 12-23   §103(a): obviousness over Veselov, Mohanty, and Czarny.
3        11            §103(a): obviousness over Veselov, Mohanty, and Hutchins.
4        11            §103(a): obviousness over Veselov, Mohanty, Czarny, and Hutchins.

V. THE ’809 PATENT

The ’809 patent issued from U.S. Application No. 18/055,201 (“the ’201 application”), filed November 14, 2022. EX1001, Face. The ’201 application claims priority to Provisional Application No. 62/797,718, filed January 28, 2019. The ’809 patent thus has an effective filing date no earlier than January 28, 2019, and is subject to AIA §102 and §103. Id.; EX1002, ¶20.

The ’809 patent describes securing virtual assets in a cloud environment. EX1001, Abstract. The specification describes well-known snapshot-based analysis that includes determining the location of a snapshot of an asset’s virtual disk, accessing/analyzing the snapshot to identify vulnerabilities, and issuing prioritized alerts. Id., Abstract, 3:48-54, 3:67-4:3, 4:38-42, 5:33-40, 6:40-43, 7:53-67; EX1002, ¶¶71-72.

The ’809 patent includes 23 claims. Claims 1, 16, and 19 are independent. Claims 16 and 19 essentially mirror claim 1, but whereas claim 1 is written as a method claim, independent claim 16 is directed to a computer-readable medium, and independent claim 19 is directed to a system. The dependent claims add other conventional aspects of cybersecurity and cloud computing. EX1002, ¶¶73-74.

A. Prosecution History

The ’201 application underwent a brief examination and never received a rejection under §102 or §103. The first office action rejected the claims based on statutory double patenting but indicated that the claims were otherwise allowable. EX1004, 109-14. The Applicant then filed terminal disclaimers to secure allowance. Id., 91-93, 98-100, 104. As to the basis of allowance, the Examiner simply identified three references as the closest art and indicated that they did not teach most of the independent claim elements as a whole. Id., 26-29; see also EX1002, ¶75.

VI. NO BASIS EXISTS FOR DISCRETIONARY DENIAL

A. Discretionary Denial Is Not Warranted under Fintiv

This petition does not implicate the Board’s discretion according to Fintiv. Apple Inc. v. Fintiv, Inc., IPR2020-00019, Paper 11. See generally Memorandum on Interim Procedure for Discretionary Denials in AIA Post-Grant Proceedings with Parallel District Court Litigation (June 21, 2022) (Fintiv Memo). Patent Owner filed its complaint in the District of Delaware on July 12, 2023, then filed two amended complaints on September 15, 2023 (the first complaint that alleged infringement of the ’809 patent), and October 10, 2023, respectively. This petition is filed two-and-a-half months before the one-year bar date and less than two months after receiving Patent Owner’s initial infringement contentions identifying the asserted claims.

The district court litigation is also at an early stage, and the final written decision in this IPR should issue well before the district court trial. For example, under the current amended schedule, the claim construction hearing will not occur until December 27, 2024, and expert discovery will not close until August 5, 2025. EX1083, 3; see also EX1005, 15-16 (previous schedule). The trial is not scheduled to begin until March 2, 2026, which is over 1.5 years from the filing of this petition and a projected two months after a final written decision. EX1083, 4. Moreover, this district’s average time to trial is 38 months—which would put the trial in September 2026 based on the filing of the original complaint—so the actual trial date is reasonably expected to be well after issuance of a final written decision here. EX1082, 14; see also Fintiv Memo (Fintiv factor two weighs against denial “if the median time-to-trial is around the same time or after the projected statutory deadline for the PTAB’s final written decision.”).

B. Discretionary Denial Is Not Warranted under 35 U.S.C. §325(d)

Under the two-part Advanced Bionics framework, §325(d) analysis considers several factors to determine:

(1) whether the same or substantially the same art previously was presented to the Office or whether the same or substantially the same arguments previously were presented to the Office; and (2) if either condition of [the] first part of the framework is satisfied, whether the petitioner has demonstrated that the Office erred in a manner material to the patentability of challenged claims.

Advanced Bionics, LLC v. Med-El Elektromedizinische Geräte GmbH, IPR2019-01469, Paper 6 at 8 (precedential); 35 U.S.C. §325(d). While Veselov was disclosed as one of many references across multiple information disclosure statements, it was never applied in a rejection or substantively discussed. EX1004, 73, 107-15, 156-57, 181-82. Veselov was also never considered in combination with Mohanty, Czarny, or Hutchins since these references were not disclosed. The Office also lacked additional evidence discussed herein, including the declaration provided by Wiz’s expert, Dr. Stavrou.

Allowance of the claims also constituted material error under part two of the Advanced Bionics test. The ’201 application never received an art-based rejection, and no particular limitation was identified as a basis for allowance. Supra, §V.A. The notice of allowance simply lists the majority of the claim limitations as supposedly not disclosed by the “closest” art. EX1004, 26-29. By contrast, the present grounds teach all limitations of claims 1-23 as a whole. Infra, §§XI-XIII. The claims therefore should not have issued, and they would not have issued if the Examiner had considered the present grounds.

VII. LEVEL OF ORDINARY SKILL

For purposes of this petition, Wiz assumes a priority date of January 28, 2019. A POSA as of January 2019 would have held at least a bachelor’s degree in computer science, computer engineering, electrical engineering, or a related field, and would also have 2-3 years of professional experience working with cyber security analysis and virtualization. Additional experience could compensate for less education and vice versa. Relevant work experience includes, for example, malware analysis, security analysis of cloud computing systems, and security analysis of virtual machines. EX1002, ¶¶21-22. Dr. Stavrou meets these requirements and is qualified to credibly opine on the state of the art and the POSA’s perspective. Id., ¶¶1-19. Section IX below summarizes the state of the art, including background knowledge that would have informed a POSA’s understanding of the references’ teachings applied herein.

VIII. CLAIM CONSTRUCTION

Claim terms are given their ordinary and customary meaning, consistent with the specification, as a POSA understood them. 37 CFR §42.100(b); Phillips v. AWH Corp., 415 F.3d 1303, 1312-13 (Fed. Cir. 2005) (en banc). Unless otherwise stated, this petition applies the ordinary and customary meaning of the claim terms. See also EX1002, ¶76. The following limitations warrant discussion.

A. Determining/Determine a “Location” of a Snapshot

Each independent claim recites determining (or a system configured to determine) “a location of a snapshot” of a virtual disk of a protected virtual cloud asset. A POSA reading the claims in light of the specification would have understood that the recited “location” encompasses at least a virtual location and a non-virtual location.

A POSA would have understood that the ordinary and customary meaning of a “location” in this context broadly encompassed a virtual location and a non-virtual location. EX1002, ¶¶77-78; see also id., ¶¶30 (data locations), 38 (snapshot locations).

The specification confirms this understanding. It states that the “management console 150 may be queried, by the security system 140, about as the location (e.g., virtual address) of the virtual disk 118-1 in the storage 117.” EX1001, 4:29-32 (emphasis added). This parenthetical makes it clear that the recited location at least encompasses a virtual address, and the “e.g.” indicates that the location is not limited to a virtual address. EX1002, ¶78. Indeed, snapshots of virtual assets were routinely stored in non-virtual storage and accessed by referencing non-virtual locations. Id. A POSA therefore would have interpreted the term “location” to encompass both virtual and non-virtual locations. Id., ¶¶78-79 (citing EX1009, 242, 246-57; EX1010, 3-4; EX1015, 56; EX1021, 8).

B. “[Analyze/Analyzing] the Snapshot”

Each independent claim recites “analyzing the snapshot” (or a system configured to “analyze the snapshot”).

The ordinary and customary meaning of this language encompasses direct analysis of the snapshot data (e.g., analyzing the snapshot as a data file without instantiating an assessment VM). EX1002, ¶¶80-81. This understanding is confirmed by the specification. See, e.g., EX1001, 5:20-21 (“The snapshot is parsed and analyzed by the security system 140 to detect vulnerabilities.”), 5:37-40 (direct or hash-based matching of application files); see also id., 6:5-12 (analyzing page file), 6:36-39 (security system computes cryptographic hash of sensitive areas in virtual disk and checks for differences), 6:56-60 (analysis of logs “derived from the snapshot”); EX1002, ¶81.

In the related litigation (supra, §II), Orca appears to treat this limitation as also encompassing analysis of a VM instantiated from a snapshot. For example, Orca alleges that the accused product satisfies “analyzing the at least one snapshot,” as recited in claim 9 of related U.S. Patent No. 11,693,685 because it “‘analyzes [the] operating system, application layer, and data layer’ of virtual machines to provide full visibility into vulnerabilities across the cloud computing environment.” EX1006, 23, 57-58. For purposes of this IPR, Wiz also applies Orca’s interpretation. See also EX1002, ¶82.

Accordingly, the discussion below applies a construction of “[analyze/analyzing] the snapshot” encompassing both direct analysis of the snapshot data and analysis of a VM instantiated from the snapshot. EX1002, ¶83. Veselov describes both of these approaches. Infra, §XI.B.5.

IX. BACKGROUND

A. Cloud Computing, Virtualization, and Snapshots

Cloud computing was well known long before 2019. EX1002, ¶¶23, 40-42; EX1021, 1, 18-19. The physical infrastructure was often provided by data centers that included large collections of physical resources. EX1002, ¶44; EX1013, 229; EX1021, 18-19.

Cloud systems typically used a “virtualization” layer that abstracts the underlying resources to efficiently manage the operation of multiple applications across multiple physical servers. EX1002, ¶43; EX1010, 2; EX1011, 35; EX1021, 19. Each physical server could emulate multiple virtualized computer systems (e.g., VMs), running their own operating system/applications:

EX1009, 505 (Fig. A-5); see also EX1002, ¶¶24-25; EX1010, 2; EX1013, 229.

Virtual machines were commonly managed by a virtual machine manager (“VMM”)—sometimes called a hypervisor or virtual machine monitor. EX1002, ¶¶26-29; EX1009, xxiv, 22, 505; EX1012, 9:9-25; EX1015, 55-58, 62-66, 118, 138, 163; EX1016, ii; EX1021, 94-95; EX1022, 29; EX1048, ¶31. Virtualized resources—including VMs themselves, allocated virtual disks, and particular data—were commonly referenced via various types of virtual or non-virtual locations, including more general locations (e.g., the resource’s computing environment, storage service, or directory) and more specific locations (e.g., an address or file path). EX1002, ¶¶29-31; EX1009, 2,