By: Matthew A. Argenti (margenti@wsgr.com)
Michael T. Rosato (mrosato@wsgr.com)
Wesley E. Derryberry (wderryberry@wsgr.com)
Tasha M. Thomas (tthomas@wsgr.com)
Joseph M. Baillargeon (jbaillargeon@wsgr.com)
WILSON SONSINI GOODRICH & ROSATI
650 Page Mill Road
Palo Alto, CA 94304

UNITED STATES PATENT AND TRADEMARK OFFICE

————————————————

BEFORE THE PATENT TRIAL AND APPEAL BOARD

————————————————

WIZ, INC.,
Petitioner,

v.

ORCA SECURITY LTD.,
Patent Owner.

————————————————
Case IPR2024-01190
Patent No. 11,740,926
————————————————

PETITION FOR INTER PARTES REVIEW
OF U.S. PATENT NO. 11,740,926

TABLE OF CONTENTS

I. INTRODUCTION
II. MANDATORY NOTICES UNDER 37 C.F.R. §42.8
III. CERTIFICATIONS
IV. IDENTIFICATION OF CHALLENGE; STATEMENT OF PRECISE RELIEF REQUESTED
V. THE ’926 PATENT
    A. Prosecution History
VI. NO BASIS EXISTS FOR DISCRETIONARY DENIAL
    A. Fintiv
    B. Discretionary Denial Is Not Warranted under 35 U.S.C. §325(d)
VII. LEVEL OF ORDINARY SKILL
VIII. CLAIM CONSTRUCTION
    A. “Locating” a Snapshot
    B. “[Analyze/Analyzing] the Snapshot”
IX. BACKGROUND
    A. Cloud Computing, Virtualization, and Snapshots
    B. Cyber Security
X. PRIOR ART
    A. Veselov (U.S. Patent No. 11,216,563; EX1007)
    B. Mohanty (U.S. Patent No. 9,692,778; EX1075)
    C. Ranum (U.S. Patent No. 9,088,606; EX1093)
    D. Seo (U.S. Publication No. US 2019/0180028; EX1094)
    E. Hutchins (U.S. Publication No. US 2013/0024940; EX1070)
XI. GROUND 1: CLAIMS 1, 5-10, AND 12-15 WERE OBVIOUS OVER VESELOV AND MOHANTY
    A. Reasons to Combine Veselov and Mohanty
    B. Independent Claims 1, 14, and 15
        1. Preambles
        2. Element 15.i
        3. Elements 1.1, 14.1, and 15.1
        4. Elements 1.2, 14.2, and 15.2
        5. Elements 1.3, 14.3, and 15.3
        6. Elements 1.4, 14.4, and 15.4
        7. Elements 1.5, 14.5, and 15.5
        8. Elements 1.6, 14.6, and 15.6
        9. Elements 1.7, 14.7, and 15.7
    C. Dependent Claims
        1. Claim 5
        2. Claim 6
        3. Claim 7
        4. Claim 8
        5. Claim 9
        6. Claim 10
        7. Claim 12
        8. Claim 13
XII. GROUND 2: CLAIMS 1-10 AND 12-15 WERE OBVIOUS OVER VESELOV, MOHANTY, AND RANUM
    A. Reasons to Combine Veselov, Mohanty, and Ranum
    B. Claims 1, 14, and 15
        1. Elements 1.4, 14.4, and 15.4
        2. Elements 1.7, 14.7, and 15.7
    C. Claim 2
    D. Claim 4
        1. Element 4.1
        2. Element 4.2
XIII. GROUNDS 3-4: CLAIM 3 WAS OBVIOUS OVER VESELOV, MOHANTY, AND SEO (WITH OR WITHOUT RANUM)
    A. Reasons to Combine Veselov, Mohanty, and Seo (with or without Ranum)
    B. Claim 3
XIV. GROUNDS 5-6: CLAIM 11 WAS OBVIOUS OVER VESELOV, MOHANTY, AND HUTCHINS (WITH OR WITHOUT RANUM)
    A. Reasons to Combine Veselov, Mohanty, and Hutchins (with or without Ranum)
    B. Claim 11
XV. CONCLUSION

LISTING OF CHALLENGED CLAIMS

1. A method for securing virtual cloud assets against cyber threats in a cloud computing environment, the method comprising:

[1.1] receiving a request to scan a protected virtual cloud asset in the cloud computing environment;

[1.2] locating, using an API or service provided by the cloud computing environment, a snapshot of at least one virtual disk of the protected virtual cloud asset;

[1.3] accessing, using an API or service provided by the cloud computing environment, the snapshot of the at least one virtual disk;

[1.4] analyzing the snapshot of the at least one virtual disk to determine the existence of a plurality of potential cyber threats, each cyber threat based on data stored on the virtual disk, wherein the data includes at least one of: unencrypted sensitive data, unencrypted system credentials, weak passwords, weak encryption schemes, disabled Address Space Layout Randomization, boot record manipulation, suspicious definitions, services to be run on startup, personally identifiable information, data in application logs indicating that the protected virtual cloud asset accessed personally identifiable information, data in application logs indicating that the protected virtual cloud asset accessed a computer containing personally identifiable information, or at least one change in at least one area of the virtual disk, as compared to an earlier point in time;

[1.5] determining a risk associated with each of the determined plurality of potential cyber threats;

[1.6] prioritizing the potential cyber threats associated with the protected virtual cloud asset based on the determined risk associated with each of the plurality of potential cyber threats; and

[1.7] reporting at least some of the determined plurality of potential cyber threats as alerts prioritized according to their associated risks.

2. The method of claim 1, further comprising detecting the data stored on the virtual disk by determining an unexpected change in the data stored on the virtual disk.

3. The method of claim 1, further comprising detecting the data stored on the virtual disk by determining added or changed files on the virtual disk without a corresponding installation process.

4. The method of claim 1, further comprising detecting the data stored on the virtual disk by:

[4.1] computing a cryptographic hash of at least one area of the virtual disk; and

[4.2] comparing the computed cryptographic hash of the at least one area of the virtual disk to an earlier computer cryptographic hash of the at least one area of the virtual disk.

5. The method of claim 1, wherein locating the snapshot of at least one virtual disk further includes taking a snapshot or requesting the taking of the snapshot.

6. The method of claim 1, wherein the determined potential cyber threats are filtered based on a determined risk level of each determined potential cyber threat.

7. The method of claim 6, wherein filtering a determined potential cyber threat is based on external intelligence on the likelihood of the determined potential cyber threat being exploited.

8. The method of claim 1, wherein analyzing the copy of the snapshot of at least one virtual disk further includes:

[8.1] parsing the copy of the snapshot of the at least one virtual disk; and

[8.2] scanning the parsed copy of the snapshot of the at least one virtual disk to detect the potential cyber threats.

9. The method of claim 8, wherein scanning the parsed copy further includes at least one of:

[9.1] checking configuration files of applications and an operating system installed in the respective protected virtual cloud asset;

[9.2] verifying access times to files by the operating system installed in the in the respective protected virtual cloud asset; or

[9.3] analyzing system logs to deduce applications and modules executed in the respective protected virtual cloud asset.

10. The method of claim 1, further comprising mitigating at least one of the plurality of potential cyber threats posing a risk to the respective protected virtual cloud asset.

11. The method of claim 8, wherein mitigating a potential cyber threat includes at least one of: blocking traffic from untrusted networks to the respective protected virtual cloud asset, halting operation of the respective protected virtual cloud asset, or quarantining the respective protected virtual cloud asset.

12. The method of claim 1, wherein locating the snapshot of at least one virtual disk of the respective protected virtual cloud asset further includes determining a virtual disk allocated to the respective protected virtual cloud asset.

13. The method of claim 1, wherein locating the snapshot of at least one virtual disk further includes querying a cloud management console of the cloud computing environment for the location of the snapshot and the location of the virtual disk of the respective protected virtual cloud asset.

14. A non-transitory computer readable medium containing instructions that when executed by at least one processor cause the at least one processor to perform operations for securing virtual cloud assets against cyber threats in a cloud computing environment, the operations comprising:

[14.1] receiving a request to scan a protected virtual cloud asset in the cloud computing environment;

[14.2] locating, using an API or service provided by the cloud computing environment, a snapshot of at least one virtual disk of the protected virtual cloud asset;

[14.3] accessing, using an API or service provided by the cloud computing environment, the snapshot of the at least one virtual disk;

[14.4] analyzing the snapshot of the at least one virtual disk to determine the existence of a plurality of potential cyber threats, each cyber threat based on data stored on the virtual disk, wherein the data includes at least one of: unencrypted sensitive data, unencrypted system credentials, weak passwords, weak encryption schemes, disabled Address Space Layout Randomization, boot record manipulation, suspicious definitions, services to be run on startup, personally identifiable information, data in application logs indicating that the protected virtual cloud asset accessed personally identifiable information, data in application logs indicating that the protected virtual cloud asset accessed a computer containing personally identifiable information, or at least one change in at least one area of the virtual disk, as compared to an earlier point in time;

[14.5] determining a risk associated with each of the determined plurality of potential cyber threats;

[14.6] prioritizing the potential cyber threats associated with the protected virtual cloud asset based on the determined risk associated with each of the plurality of potential cyber threats; and

[14.7] reporting at least some of the determined plurality of potential cyber threats as alerts prioritized according to their associated risks.

15. A system for securing virtual cloud assets against cyber threats in a cloud computing environment, the system comprising:

[15.i] at least one processor configured to:

[15.1] receive a request to scan a protected virtual cloud asset in the cloud computing environment;

[15.2] locating, using an API or service provided by the cloud computing environment, a snapshot of at least one virtual disk of the protected virtual cloud asset,

[15.3] access, using an API or service provided by the cloud computing environment, the snapshot of the at least one virtual disk,

[15.4] analyze the snapshot of the at least one virtual disk to determine the existence of a plurality of potential cyber threats, each cyber threat based on data stored on the virtual disk, wherein the data includes at least one of: unencrypted sensitive data, unencrypted system credentials, weak passwords, weak encryption schemes, disabled Address Space Layout Randomization, boot record manipulation, suspicious definitions, services to be run on startup, personally identifiable information, data in application logs indicating that the protected virtual cloud asset accessed personally identifiable information, data in application logs indicating that the protected virtual cloud asset accessed a computer containing personally identifiable information, or at least one change in at least one area of the virtual disk, as compared to an earlier point in time;

[15.5] determine a risk associated with each of the determined plurality of potential cyber threats;

[15.6] prioritize the potential cyber threats associated with the protected virtual cloud asset based on the determined risk associated with each of the plurality of potential cyber threats; and

[15.7] report at least some of the determined plurality of potential cyber threats as alerts prioritized according to their associated risks.

I. INTRODUCTION

Petitioner Wiz, Inc. (“Wiz”) respectfully requests review of U.S. Patent No. 11,740,926 (“the ’926 patent”), assigned to Orca Security Ltd. (“Orca”). This petition demonstrates claims 1-15 are unpatentable.

The ’926 claims describe well-known techniques for securing virtual cloud assets such as virtual machines (“VMs”). A “snapshot” of the asset’s virtual disk is located, accessed, and analyzed to determine potential cyber threats based on data stored on the virtual disk. A risk is determined for each cyber threat and the cyber threats are prioritized based on that risk. Finally, the cyber threats are reported as prioritized alerts based on their associated risk.

This type of snapshot-based analysis was already known, as demonstrated by the combination of Veselov and Mohanty. Veselov discloses most aspects of the independent claims, though it does not expressly discuss determining a risk for each of the determined cyber threats, and then prioritizing/reporting the cyber threats based on their associated risk. However, determining cyber threats and prioritizing those threats were well known, as shown for example by Mohanty. The dependent claims describe other well-known features.

Accordingly, Wiz respectfully requests institution.

II. MANDATORY NOTICES UNDER 37 C.F.R. §42.8

Real Party-in-Interest (37 C.F.R. §42.8(b)(1)): Petitioner Wiz is the real party-in-interest.

Related Matters (37 C.F.R. §42.8(b)(2)): Wiz is involved in litigation involving the ’926 patent in Orca Security Ltd. v. Wiz, Inc., No. 1-23-cv-00758 (DDE), filed and served on July 12, 2023. Wiz also recently filed several IPR petitions, including IPR2024-00220 against U.S. Patent No. 11,431,735, which is a related patent owned by Patent Owner that contains claims similar to those of the ’926 patent. IPR2024-00220, Paper 2. Like the current petition, the petition in IPR2024-00220 included a Veselov-based ground. In response, Patent Owner disclaimed all challenged claims. IPR2024-00220, Paper 6. Wiz has also filed four petitions against other patents that are involved in the abovementioned litigation: IPR2024-00863 against U.S. Patent No. 11,663,031, IPR2024-00864 against U.S. Patent No. 11,663,032, IPR2024-00865 against U.S. Patent No. 11,693,685, and IPR2024-01109 against U.S. Patent No. 11,726,809.

Lead and Back-Up Counsel (37 C.F.R. §42.8(b)(3)):

Lead Counsel: Matthew A. Argenti (Reg. No. 61,836)

Back-Up Counsel: Michael T. Rosato (Reg. No. 52,182); Wesley E. Derryberry (Reg. No. 71,594); Tasha M. Thomas (Reg. No. 73,207); Joseph M. Baillargeon (Reg. No. 79,685)

Service Information – 37 C.F.R. §42.8(b)(4): Wiz consents to electronic service. Please direct all correspondence to lead and back-up counsel at the contact information below. A power of attorney accompanies this petition.

E-mail: margenti@wsgr.com; mrosato@wsgr.com; wderryberry@wsgr.com; tthomas@wsgr.com; jbaillargeon@wsgr.com

Post: WILSON SONSINI GOODRICH & ROSATI, 650 Page Mill Road, Palo Alto, CA 94304

Tel.: 650-354-4154

Fax: 650-493-6811

III. CERTIFICATIONS

The ’926 patent is available for IPR, and Wiz is not barred or estopped from requesting IPR on these grounds.

IV. IDENTIFICATION OF CHALLENGE; STATEMENT OF PRECISE RELIEF REQUESTED

Wiz seeks cancellation of the challenged claims for the reasons below, which are supported with exhibits, including the Declaration of Dr. Angelos Stavrou (EX1002). The claims are unpatentable under 35 U.S.C. §311 and AIA §6 based on at least the following grounds:

Ground   Claims             Basis
1        1, 5-10, 12-15     §103(a): obviousness over Veselov and Mohanty.
2        1-2, 4-10, 12-15   §103(a): obviousness over Veselov, Mohanty, and Ranum.
3        3                  §103(a): obviousness over Veselov, Mohanty, and Seo.
4        3                  §103(a): obviousness over Veselov, Mohanty, Ranum, and Seo.
5        11                 §103(a): obviousness over Veselov, Mohanty, and Hutchins.
6        11                 §103(a): obviousness over Veselov, Mohanty, Ranum, and Hutchins.

V. THE ’926 PATENT

The ’926 patent issued from U.S. Application No. 18/055,220 (“the ’220 application”), filed November 14, 2022. EX1001, Face. The ’220 application claims priority to Provisional Application No. 62/797,718, filed January 28, 2019. The ’926 patent thus has an effective filing date no earlier than January 28, 2019, and is subject to AIA §102 and §103. Id.; EX1002, ¶20.

The ’926 patent describes securing virtual assets in a cloud environment. EX1001, Abstract. The specification describes well-known snapshot-based analysis that includes determining the location of a snapshot of an instantiated asset’s virtual disk, accessing/analyzing the snapshot to identify cyber threats, determining a risk of the cyber threats, prioritizing the cyber threats based on their risk, and issuing prioritized alerts. Id., 7:13-8:6, Fig. 2; EX1002, ¶¶70-71.

The ’926 patent includes 15 claims. Claims 1, 14, and 15 are independent. Claims 14 and 15 essentially mirror claim 1, but whereas claim 1 is a method claim, claim 14 is directed to a computer-readable medium, and claim 15 is directed to a system. The dependent claims add other conventional aspects of cybersecurity and cloud computing. EX1002, ¶¶72-73.

A. Prosecution History

The ’926 application never received a rejection under §102 or §103. The first office action rejected the claims based only on statutory double-patenting. EX1004, 101-02. In allowing the claims, the Examiner identified three references as the closest prior art and broadly indicated their deficiencies by copying and pasting most of the claim language without explanation. Id., 6, 102-05; EX1002, ¶74.

VI. NO BASIS EXISTS FOR DISCRETIONARY DENIAL

A. Fintiv

This petition does not implicate the Board’s discretion according to Fintiv. Apple Inc., v. Fintiv, Inc., IPR2020-00019, Paper 11. See generally Memorandum on Interim Procedure for Discretionary Denials in AIA Post-Grant Proceedings with Parallel District Court Litigation (June 21, 2022) (Fintiv Memo). Orca filed its complaint on July 12, 2023, then filed two amended complaints on September 15, 2023 (the first complaint that alleged infringement of the ’926 patent), and October 10, 2023, respectively. This petition is filed over six weeks before the one-year bar date and less than three months after receiving Orca’s initial infringement contentions identifying the asserted claims.

The district court litigation is also at an early stage, and the final written decision in this IPR should issue well before the district court trial. For example, under the current amended schedule, the claim construction hearing will not occur until December 27, 2024, and expert discovery will not close until August 5, 2025. EX1083, 3; see also EX1005, 15-16 (previous schedule). Trial is not scheduled to begin until March 2, 2026, which is over 1.5 years from the filing of this petition and a month after a projected final written decision. EX1083, 4. Moreover, this district’s average time to trial is 38 months—which would put the trial in September 2026 based on the filing of the original complaint—so the actual trial date is reasonably expected to be well after issuance of a final written decision here. EX1082, 14; see also Fintiv Memo (Fintiv factor two weighs against denial “if the median time-to-trial is around the same time or after the projected statutory deadline for the PTAB’s final written decision.”).

B. Discretionary Denial Is Not Warranted under 35 U.S.C. §325(d)

Under the two-part Advanced Bionics framework, §325(d) analysis considers several factors to determine:

    (1) whether the same or substantially the same art previously was presented to the Office or whether the same or substantially the same arguments previously were presented to the Office; and (2) if either condition of [the] first part of the framework is satisfied, whether the petitioner has demonstrated that the Office erred in a manner material to the patentability of challenged claims.

Advanced Bionics, LLC v. Med-El Elektromedizinische Geräte GmbH, IPR2019-01469, Paper 6 at 8 (precedential); 35 U.S.C. §325(d). While Veselov was disclosed during prosecution, it was never applied in a rejection or substantively discussed. EX1004, 11, 63, 98-107, 142-43, 170-71. Veselov was also never considered in combination with Mohanty, Ranum, Seo, or Hutchins, since these references were not disclosed. The Office thus did not consider any of the grounds presented herein. The Office also lacked additional evidence discussed herein, including the declaration provided by Wiz’s expert, Dr. Stavrou.

Allowance of the claims also constituted material error under part two of the Advanced Bionics test. The ’220 application never received an art-based rejection. Supra, §V.A. The reasons given for allowance simply list the majority of the claim limitations as supposedly not disclosed by the “closest” art. See EX1004, 102-05. By contrast, the present grounds teach all limitations of claims 1-15 as a whole. Infra, §§XI-XIV. The claims therefore should not have issued, and they would not have issued if the Examiner had considered the present grounds.

VII. LEVEL OF ORDINARY SKILL

For purposes of this petition, Wiz assumes a priority date of January 28, 2019. A POSA as of January 2019 would have held at least a bachelor’s degree in computer science, computer engineering, electrical engineering, or a related field, and would also have 2-3 years of professional experience working with cyber security analysis and virtualization. Additional experience could compensate for less education and vice versa. Relevant work experience includes, for example, malware analysis, security analysis of cloud computing systems, and security analysis of virtual machines. EX1002, ¶¶21-22. Dr. Stavrou meets these requirements and is qualified to credibly opine on the state of the art and the POSA’s perspective. Id., ¶22. Section IX below summarizes the state of the art, including background knowledge that would have informed a POSA’s understanding of the applied references’ teachings.

VIII. CLAIM CONSTRUCTION

Claim terms are given their ordinary and customary meaning, consistent with the specification, as a POSA understood them. 37 CFR §42.100(b); Phillips v. AWH Corp., 415 F.3d 1303, 1312-13 (Fed. Cir. 2005) (en banc). Unless otherwise stated, this petition applies the ordinary and customary meaning of the claim terms. See also EX1002, ¶75. The following limitations warrant discussion.

A. “Locating” a Snapshot

Each independent claim recites “locating” a snapshot of a virtual disk of a protected virtual cloud asset. A POSA reading the claims in light of the specification would have understood the recited “locating” encompasses at least a virtual location and a non-virtual location.

A POSA would have understood that the ordinary and customary meaning of “locating” in this context broadly encompassed a virtual location and a non-virtual location. EX1002, ¶¶76-77; see also id., ¶¶30 (data locations), 38 (snapshot locations).

The specification confirms this, stating the “management console 150 may be queried, by the security system 140, about as the location (e.g., virtual address) of the virtual disk 118-1 in the storage 117.” EX1001, 4:29-32 (emphasis added). This parenthetical makes it clear that the recited locating at least encompasses locating a virtual address, and the “e.g.” indicates that locating is not limited to locating a virtual address. EX1002, ¶77. Indeed, snapshots of virtual assets were routinely stored in non-virtual storage and accessed by referencing non-virtual locations. Id. A POSA therefore would have interpreted the term “locating” to encompass both virtual and non-virtual locations. Id., ¶¶77-78 (citing EX1009, 242, 246-57; EX1010, 3-4; EX1015, 56; EX1021, 8).

B. “[Analyze/Analyzing] the Snapshot”

Each independent claim recites “analyzing the snapshot” (or a system configured to “analyze the snapshot”).

The ordinary and customary meaning of this language encompasses direct analysis of the snapshot data (e.g., analyzing the snapshot as a data file without instantiating an assessment VM). EX1002, ¶¶79-80. This understanding is confirmed by the specification. See, e.g., EX1001, 5:20-21 (“The snapshot is parsed and analyzed by the security system 140 to detect vulnerabilities.”), 5:37-40 (direct or hash-based matching of application files), 6:5-12 (analyzing page file), 6:36-39 (security system computes cryptographic hash of sensitive areas in virtual disk and checks for differences), 6:56-60 (analysis of logs “derived from the snapshot”); EX1002, ¶80.

In the related litigation (supra, §II), Orca appears to treat this limitation as also encompassing analysis of a VM instantiated from a snapshot. For example, Orca alleges that the accused product satisfies “analyzing the at least one snapshot,” as recited in claim 9 of related U.S. Patent No. 11,693,685, because it “‘analyzes [the] operating system, application layer, and data layer’ of virtual machines to provide full visibility into vulnerabilities across the cloud computing environment.” EX1006, 23, 57-58. For purposes of this IPR, Wiz also applies Orca’s interpretation. See also EX1002, ¶81.

Accordingly, the discussion below applies a construction of “[analyze/analyzing] the snapshot” encompassing both direct analysis of the snapshot data and analysis of a VM instantiated from the snapshot. EX1002, ¶82. Veselov describes both approaches. Infra, §XI.B.6.

IX. BACKGROUND

A. Cloud Computing, Virtualization, and Snapshots

Cloud computing was well known long before 2019. EX1002, ¶¶23, 40-42; EX1015, 55-58, 62-66, 164-66, 118, 138, Figs. 8-2, 9-1; EX1021, 1, 18-19, 94-95; EX1022, 29. The physical infrastructure was often provided by data centers that included large collections of physical resources. EX1002, ¶44; EX1013, 229; EX1021, 19.

Cloud systems typically used a “virtualization” layer that abstracts the underlying resources to efficiently manage the operation of multiple applications across multiple physical servers. EX1002, ¶¶24, 43; EX1009, xxiii; EX1010, 2; EX1011, 35; EX1021, 19. Each physical server could emulate multiple virtualized computer systems (e.g., VMs), running their own operating system/applications:

EX1009, 505 (Fig. A-5); see also EX1002, ¶¶25-27; EX1009, xxiii, 5, 505; EX1010, 2; EX1013, 229. Virtualized resources were commonly referenced via various types of virtual or non-virtual locations, including more general locations (e.g., the resource’s computing environment, storage service, or directory) and more specific locations (e.g., an address or file path). EX1002, ¶¶28-31; EX1009, xxiv, 2, 22, 242, 246-57, 505, 514-15, Fig. A-5; EX1010, 3-4; EX1012, 9:9-25; EX1013, 229; EX1014, 22, Fig. 2.1; EX1015, 56, 124; EX1016, ii; EX1017, 1:16-35; EX1021, 8; EX1031, 1; EX1048, ¶¶21, 31; EX1054, 1:31-42; EX1074, 12; EX1080, 5:34-42.

As early as 2005, virtualized systems employed backup techniques involving “snapshots,” which often saved data from the VM’s memory and disks, including sensitive data and any system/application vulnerabilities, to allow reversion to a previous state. EX1002, ¶¶32-37; EX1009, 257; EX1015, 164; EX1018, 2-6; EX1019, Abstract; EX1020, Abstract, 21:42-22:58; EX1049, 940-41; EX1051, 77, 119, 297; EX1052, 203; EX1069, 18:23-32; EX1064, ¶¶23, 31. Snapshot generation routinely involved determining a location to store the snapshot files for later access. EX1002, ¶¶38-39; EX1009, 32, 221, 257-60; EX1015, 56, 164-66; EX1071, 6:35-39; EX1072, 4:1-13. Furthermore, snapshot generation routinely involved preliminary steps such as identifying/locating virtual disks that would be part of the snapshot. EX1002, ¶¶45-47; EX1048, ¶¶21, 42; EX1051, 47, 119, 125; EX1052, 445-46; EX1053, ¶¶36, 87-92, Fig. 7; EX1020, 21:9-22:18, Fig. 4; EX1055, 13, 23, 32-33, 53-56, 68-69.

B. Cyber Security

Traditional security systems sought to improve security by identifying security risks i