Filed on behalf of: Wiz, Inc.
`By: Matthew A. Argenti (margenti@wsgr.com)
`
`Michael T. Rosato (mrosato@wsgr.com)
`Wesley E. Derryberry (wderryberry@wsgr.com)
`Tasha M. Thomas (tthomas@wsgr.com)
`Joseph M. Baillargeon (jbaillargeon@wsgr.com)
`WILSON SONSINI GOODRICH & ROSATI
`650 Page Mill Road
`Palo Alto, CA 94304
`
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`————————————————
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`————————————————
`
`WIZ, INC.,
`Petitioner,
`
`v.
`
`ORCA SECURITY LTD.,
`Patent Owner.
`
`————————————————
`Case IPR2024-01191
`Patent No. 11,775,326
`————————————————
`
`PETITION FOR INTER PARTES REVIEW
`OF U.S. PATENT NO. 11,775,326
`
`

`

`TABLE OF CONTENTS
`
`V.
`
`INTRODUCTION ........................................................................................... 1
`I.
`II. MANDATORY NOTICES UNDER 37 C.F.R. §42.8 .................................... 1
`III. CERTIFICATIONS ......................................................................................... 3
`IV.
`IDENTIFICATION OF CHALLENGE; STATEMENT OF PRECISE
`RELIEF REQUESTED ................................................................................... 3
`THE ’326 PATENT ......................................................................................... 4
`A.
`Prosecution History ............................................................................... 5
`VI. NO BASIS EXISTS FOR DISCRETIONARY DENIAL .............................. 5
`A.
`Fintiv...................................................................................................... 5
`B.
`35 U.S.C. §325(d).................................................................................. 6
`VII. LEVEL OF ORDINARY SKILL .................................................................... 8
`VIII. CLAIM CONSTRUCTION ............................................................................ 8
`A. Determining a “Location” of a Snapshot .............................................. 9
`B.
`“Analyzing the Snapshot” ................................................................... 10
`IX. BACKGROUND ........................................................................................... 11
`A.
`Cloud Computing, Virtualization, and Snapshots ............................... 11
`B.
`Cyber Security ..................................................................................... 13
`PRIOR ART ................................................................................................... 15
`A. Veselov (U.S. Patent. No. 11,216,563; EX1007) ............................... 15
`B.
`Basavapatna (U.S. Pub. No. 2013/0191919, EX1008) ....................... 18
`C.
`Czarny (U.S. Patent No. 9,749,349; EX1084) .................................... 19
`D. Giakouminakis (U.S. Patent No. 9,141,805; EX1044) ....................... 20
`XI. GROUND 1: CLAIMS 1-21 AND 28 WERE OBVIOUS OVER
`VESELOV AND BASAVAPATNA ............................................................ 20
`A.
`Reasons to Combine Veselov and Basavapatna.................................. 21
`B.
`Independent Claims 1, 15, and 18 ....................................................... 23
`1.
`Preambles .................................................................................. 24
`
`X.
`
`-i-
`
`

`

`
`
`C.
`
`Element 18.i .............................................................................. 25
`2.
`Elements 1.1, 15.1, and 18.1 ..................................................... 25
`3.
`Elements 1.2, 15.2, and 18.2 ..................................................... 26
`4.
`Elements 1.3, 15.3, and 18.3 ..................................................... 34
`5.
`Elements 1.4, 15.4, and 18.4 ..................................................... 34
`6.
`Dependent Claims ............................................................................... 36
`1.
`Claims 2 and 19......................................................................... 36
`2.
`Claim 3 ...................................................................................... 38
`3.
`Claims 4, 16, and 17 ................................................................. 40
`4.
`Claim 5 ...................................................................................... 43
`5.
`Claim 6 ...................................................................................... 44
`6.
`Claim 7 ...................................................................................... 45
`7.
`Claim 8 ...................................................................................... 45
`8.
`Claim 9 ...................................................................................... 48
`9.
`Claim 10 .................................................................................... 50
`10. Claim 11 .................................................................................... 51
`11. Claim 12 .................................................................................... 52
`12. Claim 13 .................................................................................... 53
`13. Claim 14 .................................................................................... 54
`14. Claim 20 .................................................................................... 57
`15. Claim 21 .................................................................................... 58
`16. Claim 28 .................................................................................... 58
`XII. GROUND 2: CLAIMS 4-5 AND 17 WERE OBVIOUS OVER
`VESELOV, BASAVAPATNA, AND CZARNY ......................................... 60
`A.
`Reasons to Combine Veselov, Basavapatna, and Czarny ................... 60
`B.
`Claims 4 and 17 ................................................................................... 62
`C.
`Claim 5 ................................................................................................ 63
`
`-ii-
`
`

`

`
`
`B.
`
`XIII. GROUND 3: CLAIMS 22-27 WERE OBVIOUS OVER VESELOV,
`BASAVAPATNA, AND GIAKOUMINAKIS ............................................. 64
`A.
`Reasons to Combine Veselov, Basavapatna, and
`Giakouminakis ..................................................................................... 64
`Claims 22 and 27 ................................................................................. 66
`1.
`Elements 22.1 and 27.1 ............................................................. 66
`2.
`Elements 22.2 and 27.2 ............................................................. 68
`Claim 23 .............................................................................................. 69
`C.
`Claim 24 .............................................................................................. 71
`D.
`Claim 25 .............................................................................................. 72
`E.
`Claim 26 .............................................................................................. 73
`F.
`XIV. CONCLUSION .............................................................................................. 74
`
`
`
`
`
`-iii-
`
`

`

`
`
`LISTING OF CHALLENGED CLAIMS
`
`1. A method for securing virtual cloud assets against cyber vulnerabilities in
`a cloud computing environment, the method comprising:
`
`[1.1] receiving a request to scan a protected virtual cloud asset in the
`cloud computing environment;
`
`[1.2] for each of the requested plurality of protected virtual cloud
`assets in the cloud computing environment:
`
`[1.2.a] determining, using an API or service provided by the
`cloud computing environment, a location of a snapshot of at
`least one virtual disk of a respective protected virtual cloud
`asset,
`
`[1.2.b] accessing, based on the determined location and using
`an API or service provided by the cloud computing
`environment, the snapshot of the at least one virtual disk,
`
`[1.2.c] analyzing the snapshot of the at least one virtual disk to
`determine an existence of potential cyber vulnerabilities, and
`
`[1.2.d] determining a risk associated with each of the
`determined potential cyber vulnerabilities, and
`
`[1.3] for each of the requested plurality of protected virtual cloud
`assets with the determined potential cyber vulnerabilities, determining
`a risk level to the cloud computing environment; and
`
`[1.4] reporting, for each of the requested plurality of protected virtual
`cloud assets with the determined potential cyber vulnerabilities, the
`existence of the potential cyber vulnerabilities, such that the plurality
`of protected virtual cloud assets with the determined potential cyber
`vulnerabilities are prioritized based on associated risk levels.
`
`2. The method of claim 1, wherein determining the location of the snapshot
`of at least one virtual disk further includes: taking a snapshot or requesting
`the taking of the snapshot; and obtaining the location of the snapshot after
`the snapshot is taken.
`
`-iv-
`
`

`

`
`
`3. The method of claim 1, wherein determining the risk associated with each
`of the determined plurality of potential cyber vulnerabilities is based on
`external intelligence on a likelihood of the determined potential cyber
`vulnerability being exploited, the method further comprising, prior to
`reporting, filtering the determined potential cyber vulnerabilities based on
`the associated risk.
`
`4. The method of claim 1, wherein analyzing the snapshot of the at least one
`virtual disk of the respective protected virtual cloud asset includes at least
`one of:
`
`[4.1] matching installed applications with applications on a known list
`of vulnerable applications; or
`
`[4.2] matching application files on the snapshot of the at least one
`virtual disk directly against application files associated with a known list of
`vulnerable applications.
`
`5. The method of claim 4, wherein matching application files on the
`snapshot of the at least one virtual disk includes: computing a cryptographic
`hash against at least one application file to be matched; and matching the
`computed cryptographic hash against a database of files associated with a
`known list of vulnerable applications.
`
`6. The method of claim 3, wherein determining the risk associated with one
`of the plurality of potential cyber vulnerabilities further comprises
`determining whether the one of the potential cyber vulnerabilities
`corresponds to an application that is in use by the respective protected
`virtual cloud asset.
`
`7. The method of claim 3, wherein determining the risk of one of the
`plurality of potential cyber vulnerabilities includes determining whether the
`one of the plurality of potential cyber vulnerabilities corresponds to an
`application that is not in use by the respective protected virtual cloud asset.
`
`8. The method of claim 7, wherein determining whether the matching
`installed applications are used by the respective protected virtual cloud asset
`includes checking configuration files of the matching installed applications
`to determine whether at least one of the matching installed applications is
`not in use, and wherein prioritizing reduces priority of the at least one
`matching installed application not in use.
`-v-
`
`

`

`
`
`9. The method of claim 1, wherein analyzing the snapshot of the at least one
`virtual disk of the respective protected virtual cloud asset further includes:
`
`[9.1] parsing the snapshot of the at least one virtual disk; and
`
`[9.2] scanning the parsed snapshot of the at least one virtual disk to
`detect the potential cyber vulnerabilities.
`
`10. The method of claim 9, wherein scanning the parsed snapshot further
`includes at least one of:
`
`[10.1] checking configuration files of applications and an operating
`system installed in the respective protected virtual cloud asset;
`
`[10.2] verifying access times to files by the operating system installed
`in the in the respective protected virtual cloud asset; or
`
`[10.3] analyzing system logs to deduce applications and modules
`executed in the respective protected virtual cloud asset.
`
`11. The method of claim 1, further comprising mitigating at least one of the
`potential cyber vulnerabilities.
`
`12. The method of claim 8, wherein mitigating a potential cyber threat
`includes at least one of: blocking traffic from untrusted networks to the
`respective protected virtual cloud asset, halting operation of the respective
`protected virtual cloud asset, or quarantining the respective protected virtual
`cloud asset.
`
`13. The method of claim 1, wherein determining the location of the snapshot
`of the at least one virtual disk of the respective protected virtual cloud asset
`further includes determining a specific virtual disk allocated to the
`respective protected virtual cloud asset.
`
`14. The method of claim 1, wherein determining the location of the snapshot
`of at least one virtual disk further includes querying a cloud management
`console of the cloud computing environment for the location of the snapshot
`and the location of a specific virtual disk of the respective protected virtual
`cloud asset.
`
`-vi-
`
`

`

`
`
`15. A non-transitory computer readable medium containing instructions that
`when executed by at least one processor cause the at least one processor to
`perform operations for securing virtual cloud assets against cyber
`vulnerabilities in a cloud computing environment, the operations
`comprising:
`
`[15.1] receiving a request to scan a plurality of protected virtual cloud
`assets in the cloud computing environment;
`
`[15.2] for each of the requested plurality of protected virtual cloud
`assets in the cloud computing environment:
`
`[15.2.a] determining, using an API or service provided by the
`cloud computing environment, a location of a snapshot of at
`least one virtual disk of a respective protected virtual cloud
`asset,
`
`[15.2.b] accessing, based on the determined location and using
`an API or service provided by the cloud computing
`environment, the snapshot of the at least one virtual disk,
`
`[15.2.c] analyzing the snapshot of the at least one virtual disk to
`determine existence of a plurality of potential cyber
`vulnerabilities, and
`
`[15.2.d] determining a risk associated with each of the
`determined potential cyber vulnerabilities;
`
`[15.3] for each of the requested plurality of protected virtual cloud
`assets with the determined potential cyber vulnerabilities, determining
`a risk level to the cloud computing environment; and
`
`[15.4] reporting, for each of the requested plurality of protected virtual
`cloud assets with the determined potential cyber vulnerabilities, the
`existence of the potential cyber vulnerabilities, such that the plurality
`of protected virtual cloud assets with the determined potential cyber
`vulnerabilities are prioritized based on associated risk levels.
`
`16. The non-transitory computer readable medium of claim 15, wherein
`analyzing the snapshot of the at least one virtual disk of the respective
`
`-vii-
`
`

`

`
`
`protected virtual cloud asset includes matching installed applications with
`applications on a known list of vulnerable applications.
`
`17. The non-transitory computer readable medium of claim 16, wherein
`analyzing the snapshot of the at least one virtual disk further includes
`matching application files on the snapshot of the at least one virtual disk
`directly against application files associated with a known list of vulnerable
`applications.
`
`18. A system for securing virtual cloud assets against cyber vulnerabilities in
`a cloud computing environment, the system comprising:
`
`
`
`[18.i] at least one processor configured to:
`
`[18.1] receive a request to scan a plurality of protected virtual cloud
`assets in the cloud computing environment;
`
`[18.2] for each of the requested plurality of protected virtual cloud
`assets in the cloud computing environment:
`
`[18.2.a] determining, using an API or service provided by the
`cloud computing environment, a location of a snapshot of at
`least one virtual disk of a respective protected virtual cloud
`asset,
`
`[18.2.b] accessing, based on the determined location and using
`an API or service provided by the cloud computing
`environment, the snapshot of the at least one virtual disk,
`
`[18.2.c] analyzing the snapshot of the at least one virtual disk to
`determine existence of a plurality of potential cyber
`vulnerabilities, and
`
`[18.2.d] determining a risk associated with each of the
`determined potential cyber vulnerabilities;
`
`[18.3] for each of the requested plurality of protected virtual cloud
`assets with determined potential cyber vulnerabilities, determine a risk
`level to the cloud computing environment; and
`
`-viii-
`
`

`

`
`
`[18.4] report, for each of the requested plurality of protected virtual
`cloud assets with the determined potential cyber vulnerabilities, the
`existence of potential cyber vulnerabilities, such that the plurality of
`protected virtual cloud assets with the determined potential cyber
`vulnerabilities are prioritized based on associated risk levels.
`
`19. The system of claim 18, wherein determining the location of the
`snapshot of at least one virtual disk further includes taking a snapshot or
`requesting the taking of the snapshot; and obtaining the location of the
`snapshot after the snapshot is taken.
`
`20. The method of claim 7, wherein determining whether one of the plurality
`of potential cyber vulnerabilities corresponds to an application that is not in
`use by one of the respective protected virtual cloud assets lowers the risk
`associated with the potential cyber vulnerability.
`
`21. The method of claim 1, wherein determining the risk level of a protected
`virtual cloud asset is based in part on the determined risks of existing
`potential cyber vulnerabilities on the protected virtual cloud asset.
`
`22. The method of claim 1, wherein determining the risk level associated
`with a particular protected virtual cloud asset further includes
`
`[22.1] analyzing configurations for each of the requested plurality of
`protected virtual cloud assets in the cloud computing environment,
`and
`
`[22.2] weighting a takeover risk of the particular protected virtual
`cloud asset.
`
`23. The method of claim 22, wherein weighting the takeover risk of the
`particular protected virtual cloud asset includes correlating at least one of the
`determined potential cyber vulnerabilities with a network location of the
`particular protected virtual cloud asset.
`
`24. The method of claim 22, wherein weighting the takeover risk of the
`particular protected virtual cloud asset includes determining a criticality of
`the particular protected virtual cloud asset in the cloud computing
`environment based on contents stored from the particular protected virtual
`cloud asset.
`
`-ix-
`
`

`

`
`
`25. The method of claim 22, wherein weighting the takeover risk of the
`particular protected virtual cloud asset includes determining a criticality of
`the particular protected virtual cloud asset in the cloud computing
`environment based on other assets in the cloud computing environment that
`are accessible from the particular protected virtual cloud asset.
`
`26. The method of claim 22, wherein weighting the takeover risk of the
`particular protected virtual cloud asset includes correlating at least one of the
`determined potential cyber vulnerabilities with a network location of the
`particular protected virtual cloud asset, and determining a criticality of the
`particular protected virtual cloud asset in the cloud computing environment
`based on other assets in the cloud computing environment that are accessible
`from the particular protected virtual cloud asset and based on the contents
`stored from the particular protected virtual cloud asset.
`
`27. The method of claim 1, wherein determining the risk level associated
`with a particular protected virtual cloud asset further includes
`
`[27.1] analyzing a configuration for each of the requested plurality of
`protected virtual cloud assets in the cloud computing environment,
`and
`
`[27.2] weighting a takeover risk of the particular protected virtual
`cloud asset.
`
`28. The method of claim 1, wherein reporting potential cyber vulnerabilities
`for a particular protected virtual cloud asset further includes prioritizing the
`reported potential cyber vulnerabilities based on the risk level associated
`with the particular protected virtual cloud asset.
`
`
`
`
`
`
`
`
`
`-x-
`
`

`

`I.
`
`INTRODUCTION
`
`Petitioner Wiz, Inc. (“Wiz”) respectfully requests review of U.S. Patent No.
`
`11,775,326 (“the ’326 patent”), currently assigned to Orca Security Ltd. (“Orca”).
`
`This petition demonstrates claims 1-28 are unpatentable.
`
`The ’326 claims describe well-known techniques for securing a plurality of
`
`virtual assets such as virtual machines (“VMs”) in a cloud computing environment.
`
`A “snapshot” of each the assets’ virtual disks is located, accessed, and analyzed to
`
`determine potential cyber vulnerabilities. A risk is determined for each cyber
`
`vulnerability and then a risk level to the cloud computing environment is
`
`determined for each asset. Vulnerabilities are reported, and assets are prioritized
`
`based on their associated risk level.
`
`This type of snapshot-based analysis was already well known, as
`
`demonstrated by the combination of Veselov and Basavapatna. Veselov discloses
`
`most aspects of the independent claims, though it does not expressly discuss
`
`determining risk levels or prioritizing assets. However, these techniques were well
`
`known, as shown for example by Basavapatna. The dependent claims describe
`
`other well-known features.
`
`Accordingly, Wiz respectfully requests institution.
`
`II. MANDATORY NOTICES UNDER 37 C.F.R. §42.8
`
`Real Party-in-Interest (37 C.F.R. §42.8(b)(1)): Petitioner Wiz is the real
`
`-1-
`
`

`

`
`
`party-in-interest.
`
`Related Matters (37 C.F.R. §42.8(b)(2)): Wiz is involved in litigation
`
`involving the ’326 patent in Orca Security Ltd. v. Wiz, Inc., No. 1-23-cv-00758
`
`(DDE), filed and served on July 12, 2023. Wiz also recently filed several IPR
`
`petitions, including IPR2024-00220 against U.S. Patent No. 11,431,735, which is a
`
`related patent owned by Patent Owner that contains claims similar to those of the
`
`’326 patent. IPR2024-00220, Paper 2. Like the current petition, the petition in
`
`IPR2024-00220 included a Veselov-based ground. In response, Patent Owner
`
`disclaimed all challenged claims. IPR2024-00220, Paper 6. Wiz has also filed
`
`five petitions against other patents that are involved in the abovementioned
`
`litigation: IPR2024-00863 against U.S. Patent No. 11,663,031, IPR2024-00864
`
`against U.S. Patent No. 11,663,032, IPR2024-00865 against U.S. Patent No.
`
`11,693,685, IPR2024-01109 against U.S. Patent No. 11,726,809, and IPR2024-
`
`01190 against U.S. Patent No. 11,740,926.
`
`Lead and Back-Up Counsel (37 C.F.R. §42.8(b)(3)):
`
`Lead Counsel: Matthew A. Argenti (Reg. No. 61,836)
`
`Back-Up Counsel: Michael T. Rosato (Reg. No. 52,182); Wesley E.
`
`Derryberry (Reg. No. 71,594); Tasha M. Thomas (Reg. No. 73,207); Joseph M.
`
`Baillargeon (Reg. No. 79,685)
`
`-2-
`
`

`

`
`
`Service Information – 37 C.F.R. §42.8(b)(4): Wiz consents to electronic
`
`service. Please direct all correspondence to lead and back-up counsel at the
`
`contact information below. A power of attorney accompanies this petition.
`
`E-mail: margenti@wsgr.com; mrosato@wsgr.com; wderryberry@wsgr.com;
`
`tthomas@wsgr.com; jbaillargeon@wsgr.com
`
`Post: WILSON SONSINI GOODRICH & ROSATI, 650 Page Mill Road,
`
`Palo Alto, CA 94304
`
`Tel.: 650-354-4154
`
`
`
`Fax: 650-493-6811
`
`III. CERTIFICATIONS
`
`The ’326 patent is available for IPR, and Wiz is not barred or estopped from
`
`requesting IPR on these grounds.
`
`IV.
`
`IDENTIFICATION OF CHALLENGE; STATEMENT OF PRECISE RELIEF
`REQUESTED
`
`Wiz seeks cancellation of the challenged claims for the reasons stated below,
`
`which are supported with exhibits, including the Declaration of Dr. Angelos
`
`Stavrou (EX1002). The claims are unpatentable under 35 U.S.C. §311 and AIA §6
`
`based on at least the following grounds:
`
`Ground
`
`Claims
`
`1
`
`1-21 and 28
`
`Basis
`§103(a): obviousness over Veselov and
`Basavapatna.
`
`-3-
`
`

`

`
`
`2
`
`3
`
`4-5 and 17
`
`22-27
`
`§103(a): obviousness over Veselov,
`Basavapatna, and Czarny.
`§103(a): obviousness over Veselov,
`Basavapatna, and Giakouminakis.
`
`V. THE ’326 PATENT
`
`The ’326 patent issued from U.S. Application No. 18/055,181 (“the ’181
`
`application”), filed November 14, 2022. EX1001, Face. The ’181 application
`
`claims priority to Provisional Application No. 62/797,718, filed January 28, 2019.
`
`The ’326 patent thus has an effective filing date no earlier than January 28, 2019,
`
`and is subject to AIA §102 and §103. Id.; EX1002, ¶20.
`
`The ’326 patent describes securing virtual assets in a cloud environment.
`
`EX1001, Abstract. The specification describes well-known snapshot-based
`
`analysis that includes determining the location of a snapshot of a virtual disk(s) for
`
`each of a plurality of assets, accessing/analyzing each of the snapshots to identify
`
`cyber vulnerabilities, determining a risk of the cyber vulnerabilities, determining a
`
`risk level to the cloud computing environment of each asset, and reporting the
`
`assets prioritized by their associated risk level along with the cyber vulnerabilities.
`
`Id., 7:13-8:6, Fig. 2; EX1002, ¶¶71-72.
`
`The ’326 patent includes 28 claims. Claims 1, 15, and 18 are independent.
`
`Claims 15 and 18 essentially mirror claim 1, but whereas claim 1 is written as a
`
`method claim, independent claim 15 is directed to a computer-readable medium,
`-4-
`
`

`

`
`
`and independent claim 18 is directed to a system. The dependent claims add other
`
`conventional aspects of cybersecurity and cloud computing. EX1002, ¶¶73-74.
`
`A.
`
`Prosecution History
`
`The ’181 application never received a rejection under §102 or §103. The
`
`first office action rejected the claims based on statutory double patenting over
`
`parent applications but indicated that the claims were otherwise allowable.
`
`EX1004, 97-101. The Applicant then filed terminal disclaimers to secure
`
`allowance. Id., 85-86, 89-90. As to the basis of allowance, the Examiner simply
`
`identified three references as the closest art and indicated that they did not teach
`
`most of the independent claim elements as a whole. Id., 21-23; EX1002, ¶75.
`
`VI. NO BASIS EXISTS FOR DISCRETIONARY DENIAL
`A. Fintiv
`
`This petition does not implicate the Board’s discretion according to Fintiv.
`
`Apple Inc., v. Fintiv, Inc., IPR2020-00019, Paper 11. See generally Memorandum
`
`on Interim Procedure for Discretionary Denials in AIA Post-Grant Proceedings
`
`with Parallel District Court Litigation (June 21, 2022) (Fintiv Memo). Orca filed
`
`its complaint in the District of Delaware on July 12, 2023, then filed two amended
`
`complaints on September 15, 2023, and October 10, 2023 (the first complaint that
`
`alleged infringement of the ’326 patent), respectively. This petition is filed over
`
`two months before the one-year bar date, under three months after receiving Orca’s
`
`-5-
`
`

`

`
`
`initial infringement contentions identifying the asserted claims, and just one month
`
`after becoming IPR eligible.
`
`The district court litigation is also at an early stage, and the final written
`
`decision in this IPR should issue well before the district court trial. For example,
`
`under the current amended schedule, the claim construction hearing will not occur
`
`until December 27, 2024, and expert discovery will not close until August 5, 2025.
`
`EX1083, 3; see also EX1005, 15-16 (previous schedule). Trial is not scheduled to
`
`begin until March 2, 2026, which is over 1.5 years from the filing of this petition
`
`and after a projected final written decision. EX1083, 4. Moreover, this district’s
`
`average time to trial is 38 months—which would put the trial in September 2026
`
`based on the filing of the original complaint—so the actual trial date is reasonably
`
`expected to be well after issuance of a final written decision here. EX1082, 14; see
`
`also Fintiv Memo (Fintiv factor two weighs against denial “if the median time-to-
`
`trial is around the same time or after the projected statutory deadline for the
`
`PTAB’s final written decision.”).
`
`B.
`
`35 U.S.C. §325(d)
`
`Under the two-part Advanced Bionics framework, §325(d) analysis considers
`
`several factors to determine:
`
`(1) whether the same or substantially the same art previously was
`presented to the Office or whether the same or substantially the same
`arguments previously were presented to the Office; and (2) if either
`-6-
`
`

`

`
`
`condition of [the] first part of the framework is satisfied, whether the
`petitioner has demonstrated that the Office erred in a manner material
`to the patentability of challenged claims.
`
`Advanced Bionics, LLC v. Med-El Elektromedizinische Geräte GmbH, IPR2019-
`
`01469, Paper 6 at 8 (precedential); 35 U.S.C. §325(d). While Veselov was
`
`disclosed as one of many references across multiple information disclosure
`
`statements, it was never applied in a rejection or substantively discussed. EX1004,
`
`95-102, 138-39, 168-69. Veselov was also never considered in combination with
`
`Basavapatna, or Giakouminakis, since these references were not disclosed. The
`
`Office thus did not consider any of the grounds presented herein. The Office also
`
`lacked additional evidence discussed herein, including the declaration provided by
`
`Wiz’s expert, Dr. Stavrou.
`
`Allowance of the claims also constituted material error under part two of the
`
`Advanced Bionics test. The ’181 application never received an art-based rejection,
`
`and no particular limitation was identified as a basis for allowance. Supra, §V.A.
`
`The reasons given for allowance simply list the majority of the claim limitations as
`
`supposedly not disclosed by the “closest” art. See EX1004, 21-23. By contrast,
`
`the present grounds teach all limitations of claims 1-28 as a whole. Infra, §§XI-
`
`XIII. The claims therefore should not have issued, and they would not have issued
`
`if the Examiner had considered the present grounds.
`
`-7-
`
`

`

`
`
`VII. LEVEL OF ORDINARY SKILL
`
`For purposes of this petition, Wiz assumes a priority date of January 28,
`
`2019. A POSA as of January 2019 would have held at least a bachelor’s degree in
`
`computer science, computer engineering, electrical engineering, or a related field,
`
`and would also have 2-3 years of professional experience working with cyber
`
`security analysis and virtualization. Additional experience could compensate for
`
`less education and vice versa. Relevant work experience includes, for example,
`
`malware analysis, security analysis of cloud computing systems, and security
`
`analysis of virtual machines. EX1002, ¶¶21-22. Dr. Stavrou meets these
`
`requirements and is qualified to credibly opine on the state of the art and the
`
`POSA’s perspective. Id., ¶1-19. Section IX below summarizes the state of the art,
`
`including background knowledge that would have informed a POSA’s
`
`understanding of the references’ teachings applied herein.
`
`VIII. CLAIM CONSTRUCTION
`
`Claim terms are given their ordinary and customary meaning, consistent with
`
`the specification, as a POSA understood them. 37 CFR §42.100(b); Phillips v. AWH
`
`Corp., 415 F.3d 1303, 1312-13 (Fed. Cir. 2005) (en banc). Unless otherwise stated,
`
`this petition applies the ordinary and customary meaning of the claim terms. See also
`
`EX1002, ¶76. The following limitations warrant discussion.
`
`-8-
`
`

`

`
`
`A. Determining a “Location” of a Snapshot
`
`Each independent claim recites determining “a location of a snapshot” of a
`
`virtual disk of a protected virtual cloud asset. A POSA reading the claims in light of
`
`the specification would have understood that the recited “location” encompasses at
`
`least a virtual location and a non-virtual location.
`
`A POSA would have understood that the ordinary and customary meaning of a
`
`“location” in this context broadly encompassed a virtual location and a non-virtual
`
`location. EX1002, ¶¶77-78; see also id., ¶¶30 (data locations), 38 (snapshot
`
`locations).
`
`The specification confirms this understanding. It states that the “management
`
`console 150 may be queried, by the security system 140, about as the location (e.g.,
`
`virtual address) of the virtual disk 118-1 in the storage 117.” EX1001, 4:28-31
`
`(emphasis added). This parenthetical makes it clear that the recited location at least
`
`encompasses a virtual address, and the “e.g.” indicates that the location is not limited
`
`to a virtual address. EX1002, ¶78. Indeed, snapshots of virtual assets were routinely
`
`stored in non-virtual storage and ac