By: Matthew A. Argenti (margenti@wsgr.com)
Michael T. Rosato (mrosato@wsgr.com)
Wesley E. Derryberry (wderryberry@wsgr.com)
Tasha M. Thomas (tthomas@wsgr.com)
Joseph M. Baillargeon (jbaillargeon@wsgr.com)
WILSON SONSINI GOODRICH & ROSATI
650 Page Mill Road
Palo Alto, CA 94304

UNITED STATES PATENT AND TRADEMARK OFFICE

————————————————

BEFORE THE PATENT TRIAL AND APPEAL BOARD

————————————————

WIZ, INC.,
Petitioner,

v.

ORCA SECURITY LTD.,
Patent Owner.

————————————————
Case IPR2025-00092
Patent No. 11,516,231
————————————————

PETITION FOR INTER PARTES REVIEW
OF U.S. PATENT NO. 11,516,231

TABLE OF CONTENTS

I. INTRODUCTION
II. MANDATORY NOTICES UNDER 37 C.F.R. §42.8
III. CERTIFICATIONS
IV. IDENTIFICATION OF CHALLENGE; STATEMENT OF PRECISE RELIEF REQUESTED
V. THE ’231 PATENT
    A. Prosecution History
VI. NO BASIS EXISTS FOR DENIAL UNDER 35 U.S.C. §325(D)
VII. LEVEL OF ORDINARY SKILL
VIII. CLAIM CONSTRUCTION
    A. “[Determining/Determine] a Location of a Snapshot”
    B. “[Analyzing/Analyze] the Snapshot”
IX. BACKGROUND
    A. Cloud Computing, Virtualization, and Snapshots
    B. Cyber Security
X. PRIOR ART
    A. Veselov (U.S. Patent No. 11,216,563; EX1007)
    B. Basavapatna (U.S. Pub. No. 2013/0191919, EX1008)
    C. VMware SDK (“Virtual Infrastructure SDK Reference Guide,” EX1109)
    D. Kapoor (US Patent No. 10,498,845, EX1111)
XI. GROUND 1: CLAIMS 1-7, 9-17, AND 19 WERE OBVIOUS OVER VESELOV, BASAVAPATNA, AND VMWARE SDK.
    A. Reasons to Combine Veselov and Basavapatna
    B. Reasons to Combine Veselov, Basavapatna, and VMware SDK
    C. Independent Claims
        1. Preambles
        2. Element 11.i
        3. Elements 1.1, 10.1, and 11.1
        4. Elements 1.2, 10.2, and 11.2
        5. Elements 1.3, 10.3, and 11.3
        6. Elements 1.4, 10.4, and 11.4
        7. Elements 1.5, 10.5, and 11.5
    D. Dependent Claims
        1. Claims 2 and 12
        2. Claims 3 and 13
        3. Claims 4 and 14
        4. Claims 5 and 15
        5. Claims 6 and 16
        6. Claims 7 and 17
        7. Claims 9 and 19
XII. GROUND 2: CLAIMS 8 AND 18 WERE OBVIOUS OVER VESELOV, BASAVAPATNA, VMWARE SDK, AND KAPOOR
    A. Reasons to Combine Veselov, Basavapatna, VMware SDK, and Kapoor.
    B. Claims 8 and 18
XIII. CONCLUSION

LISTING OF CHALLENGED CLAIMS

1. A method for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising:

[1.1] determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment;

[1.2] taking a new snapshot of the protected virtual cloud asset, when an existing snapshot cannot be located;

[1.3] accessing the snapshot of the virtual disk based on the determined location;

[1.4] analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and

[1.5] alerting detected potential cyber threats based on a determined priority.

2. The method of claim 1, further comprising:

[2.1] prioritizing each of the detected potential cyber threats based on their respective risk to the protected virtual cloud asset; and

[2.2] mitigating a potential cyber threat posing a risk to the protected virtual cloud asset.

3. The method of claim 1, wherein determining the location of the snapshot of at least one virtual disk further comprises: determining a virtual disk allocated to the protected virtual cloud asset.

4. The method of claim 2, further comprising: querying a cloud management console of the cloud computing environment to determine the location of the snapshot and the location of the virtual disk.

5. The method of claim 1, wherein analyzing the snapshot of the protected virtual machine further comprises:

[5.1] parsing a copy of the snapshot; and

[5.2] scanning the parsed copy to detect the potential cyber threats,

[5.3] wherein the potential cyber threats include known and unknow vulnerabilities, and

[5.4] wherein the detection is based on a type of vulnerability.

6. The method of claim 5, wherein scanning the parsed copy further comprises any one of:

[6.1] checking configuration files of applications and operating system installed in the protected virtual machine;

[6.2] verifying access times to files by the operating system installed in the operating machine;

[6.3] analyzing system logs to deduce what applications and modules executed in the protected virtual cloud asset; and

[6.4] analyzing machine memory stored in the snapshot to deduce what applications and modules executed in the protected virtual cloud asset.

7. The method of claim 5, further comprising:

[7.1] instantiating a copy of the protected virtual machine from the snapshot; and

[7.2] monitoring all activity performed by the instance of the protected virtual cloud asset.

8. The method of claim 5, wherein scanning the parsed copy further comprises any one of: reading process identification number (PIO) files; and checking if the at least the PIO files access times match against process descriptors.

9. The method of claim 1, wherein the protected virtual cloud asset includes any one of: a virtual machine, a software container, a micro-service.

10. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising:

[10.1] determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment;

[10.2] taking a new snapshot of the protected virtual cloud asset, when an existing snapshot cannot be located;

[10.3] accessing the snapshot of the virtual disk based on the determined location;

[10.4] analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and

[10.5] alerting detected potential cyber threats based on a determined priority.

11. A system for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising:

[11.i] a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to:

[11.1] determine a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment;

[11.2] take a new snapshot of the protected virtual cloud asset, when an existing snapshot cannot be located;

[11.3] access the snapshot of the virtual disk based on the determined location;

[11.4] analyze the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and

[11.5] alert detected potential cyber threats based on a determined priority.

12. The system of claim 11, wherein the system is further configured to:

[12.1] prioritize each detected of potential cyber threats based on their respective risk to the protected virtual cloud asset; and

[12.2] mitigate a potential cyber threat posing a risk to the protected virtual cloud asset.

13. The system of claim 11, wherein determining the location of the snapshot of at least one virtual disk further comprises: determining a virtual disk allocated to the protected virtual cloud asset.

14. The system of claim 12, wherein the system is further configured to: query a cloud management console of the cloud computing platform to determine the location of the snapshot and the location of the virtual disk.

15. The system of claim 11, wherein analyzing the snapshot of the protected virtual machine further comprises:

[15.1] parsing a copy of the snapshot; and

[15.2] scanning the parsed copy to detect the potential cyber threats,

[15.3] wherein the potential cyber threats include known and unknow vulnerabilities, and

[15.4] wherein the detection is based on a type of vulnerability.

16. The system of claim 15, wherein scanning the parsed copy further comprises any one of:

[16.1] checking configuration files of applications and operating system installed in the protected virtual machine;

[16.2] verifying access times to files by the operating system installed in the operating machine;

[16.3] analyzing system logs to deduce what applications and modules executed in the protected virtual cloud asset; and

[16.4] analyzing machine memory stored in the snapshot to deduce what applications and modules executed in the protected virtual cloud asset.

17. The system of claim 15, wherein the system is further configured to:

[17.1] instantiate a copy of the protected virtual machine from the snapshot; and

[17.2] monitor all activity performed by the instance of the protected virtual cloud asset.

18. The system of claim 15, wherein scanning the parsed copy further comprises any one of: reading process identification number (PIO) files; and checking if the at least the PIO files access times match against process descriptors.

19. The system of claim 11, wherein the protected virtual cloud asset includes any one of: a virtual machine, a software container, a micro-service.

I. INTRODUCTION

Petitioner Wiz, Inc. (“Wiz”) respectfully requests review of U.S. Patent No. 11,516,231 (“the ’231 patent”), currently assigned to Orca Security Ltd. (“Orca”). This petition demonstrates claims 1-19 are unpatentable.

The ’231 claims describe well-known techniques for securing a plurality of virtual assets such as virtual machines (“VMs”) in a cloud computing environment. A “snapshot” of each of the assets’ virtual disks is located, accessed, and analyzed to determine potential cyber threats. If a snapshot cannot be located, a new snapshot is taken. Detected cyber threats are then reported based on a determined priority.

This type of snapshot-based analysis was already well known, as demonstrated by the combination of Veselov, Basavapatna, and VMware SDK. Veselov discloses most aspects of the independent claims, though it does not expressly discuss determining a priority or taking a new snapshot if one cannot be located. However, these techniques were well known, as shown for example by Basavapatna and VMware SDK. The dependent claims describe other well-known features.

Accordingly, Wiz respectfully requests institution.

II. MANDATORY NOTICES UNDER 37 C.F.R. §42.8

Real Party-in-Interest (37 C.F.R. §42.8(b)(1)): Petitioner Wiz is the real party-in-interest.

Related Matters (37 C.F.R. §42.8(b)(2)): Wiz is involved in litigation involving patents related to the ’231 patent in Orca Security Ltd. v. Wiz, Inc., No. 1-23-cv-00758 (DDE), filed and served on July 12, 2023. Wiz also recently filed several IPR petitions, including IPR2024-00220 against U.S. Patent No. 11,431,735 (“the ’735 patent”), which is a related patent owned by Patent Owner that contains claims similar to those of the ’231 patent. IPR2024-00220, Paper 2. Like the current petition, the petition in IPR2024-00220 included a Veselov-based ground. In response, Patent Owner disclaimed all challenged claims. IPR2024-00220, Paper 6. Wiz has also filed six petitions against patents that are involved in the abovementioned litigation, each of which is related to the ’231 patent: IPR2024-00863 against U.S. Patent No. 11,663,031, IPR2024-00864 against U.S. Patent No. 11,663,032, IPR2024-00865 against U.S. Patent No. 11,693,685, IPR2024-01109 against U.S. Patent No. 11,726,809, IPR2024-01190 against U.S. Patent No. 11,740,926, and IPR2024-01191 against U.S. Patent No. 11,775,326.

Lead and Back-Up Counsel (37 C.F.R. §42.8(b)(3)):

Lead Counsel: Matthew A. Argenti (Reg. No. 61,836)

Back-Up Counsel: Michael T. Rosato (Reg. No. 52,182); Wesley E. Derryberry (Reg. No. 71,594); Tasha M. Thomas (Reg. No. 73,207); Joseph M. Baillargeon (Reg. No. 79,685).

Service Information–37 C.F.R. §42.8(b)(4): Wiz consents to electronic service. Please direct all correspondence to lead and back-up counsel at the contact information below. A power of attorney accompanies this petition.

E-mail: margenti@wsgr.com; mrosato@wsgr.com; wderryberry@wsgr.com; tthomas@wsgr.com; jbaillargeon@wsgr.com

Post: WILSON SONSINI GOODRICH & ROSATI, 650 Page Mill Road, Palo Alto, CA 94304

Tel.: 650-354-4154

Fax: 650-493-6811

III. CERTIFICATIONS

The ’231 patent is available for IPR, and Wiz is not barred or estopped from requesting IPR on these grounds.

IV. IDENTIFICATION OF CHALLENGE; STATEMENT OF PRECISE RELIEF REQUESTED

Wiz seeks cancellation of the challenged claims for the reasons stated below, which are supported with exhibits, including the Declaration of Dr. Angelos Stavrou (EX1002). See also EX1002, ¶¶2-5 (qualifications); EX1003 (CV). The claims are unpatentable under 35 U.S.C. §311 and AIA §6 based on at least the following grounds:

Ground    Claims               Basis
1         1-7, 9-17, and 19    §103(a): obviousness over Veselov, Basavapatna, and VMware SDK.
2         8 and 18             §103(a): obviousness over Veselov, Basavapatna, VMware SDK, and Kapoor.

V. THE ’231 PATENT

The ’231 patent issued from U.S. Application No. 17/330,998 (“the ’998 Application”), filed September 27, 2019. EX1001, Face. The ’998 application claims priority to Provisional Application No. 62/797,718, filed January 28, 2019. The ’231 patent thus has an effective filing date no earlier than January 28, 2019, and is subject to AIA §102 and §103. Id.; EX1002, ¶20.

The ’231 patent describes securing virtual assets in a cloud environment. EX1001, Abstract. The specification describes well-known snapshot-based analysis that includes determining the location of a snapshot of a virtual disk(s) for each of a plurality of assets, accessing/analyzing each of the snapshots to identify cyber threats, taking a snapshot if one cannot be located, and reporting the threats based on a determined priority. Id., Abstract, 3:47-4:3, 5:3-13, 5:44-54, 6:13-20, 7:13-8:6, Figs. 1A-B, 2; EX1002, ¶¶71-72.

The ’231 patent includes 19 claims. Claims 1, 10, and 11 are independent. Claims 10 and 11 essentially mirror claim 1, but whereas claim 1 is written as a method claim, independent claim 10 is directed to a computer-readable medium, and independent claim 11 is directed to a system. The dependent claims add other conventional aspects of cybersecurity and cloud computing. EX1002, ¶¶73-74.

A. Prosecution History

The ’998 application (i.e., the patent application that led to the ’231 patent) never received a rejection under §102 or §103. The first office action rejected the claims based on statutory double patenting over the parent application, which is now the ’735 patent. EX1004, 116-17. To secure allowance, the Applicant added the claims 5 and 16 language “taking a new snapshot of the protected virtual cloud asset, when an existing snapshot cannot be located” to each independent claim, cancelled claims 5 and 16, and then filed a terminal disclaimer to secure allowance over the ’735 patent which has now had all but two dependent claims disclaimed. Id., 95-96, 106-09; IPR2024-00220, Paper 7 at 3. In the notice of allowance, the Examiner identified three references as the closest prior art, but only broadly indicated the supposedly lacking teachings by listing most of the independent claim language without explanation. EX1004, 41-43; EX1002, ¶75.

VI. NO BASIS EXISTS FOR DENIAL UNDER 35 U.S.C. §325(D)

Under the two-part Advanced Bionics framework, §325(d) analysis considers several factors to determine:

(1) whether the same or substantially the same art previously was presented to the Office or whether the same or substantially the same arguments previously were presented to the Office; and (2) if either condition of [the] first part of the framework is satisfied, whether the petitioner has demonstrated that the Office erred in a manner material to the patentability of challenged claims.

Advanced Bionics, LLC v. Med-El Elektromedizinische Geräte GmbH, IPR2019-01469, Paper 6 at 8 (precedential); 35 U.S.C. §325(d). The references applied here—Veselov, Basavapatna, VMware SDK, and Kapoor—were not disclosed to the Office or discussed by the Examiner, nor are they cumulative of references considered during prosecution. The Office thus did not consider any of the grounds presented herein. The Office also lacked additional evidence discussed herein, including the declaration provided by Wiz’s expert, Dr. Stavrou.

Allowance of the claims also constituted material error under part two of the Advanced Bionics test. The ’998 application never received an art-based rejection, and no particular limitation was identified as a basis for allowance. Supra, §V.A. The reasons given for allowance simply list the majority of the claim limitations as supposedly not disclosed by the “closest” art. See EX1004, 41-43. By contrast, the present grounds teach all limitations of claims 1-19 as a whole. Infra, §§XI-XII. The claims therefore should not have issued, and they would not have issued if the Examiner had considered the present grounds.

VII. LEVEL OF ORDINARY SKILL

For purposes of this petition, Wiz assumes a priority date of January 28, 2019. A POSA as of January 2019 would have held at least a bachelor’s degree in computer science, computer engineering, electrical engineering, or a related field, and would also have 2-3 years of professional experience working with cyber security analysis and virtualization. Additional experience could compensate for less education and vice versa. Relevant work experience includes, for example, malware analysis, security analysis of cloud computing systems, and security analysis of VMs. EX1002, ¶¶21-22. Dr. Stavrou meets these requirements and is qualified to credibly opine on the state of the art and the POSA’s perspective. Id., ¶¶1-19. Section IX below summarizes the state of the art, including background knowledge that would have informed a POSA’s understanding of the references’ teachings applied herein.

VIII. CLAIM CONSTRUCTION

Claim terms are given their ordinary and customary meaning, consistent with the specification, as a POSA understood them. 37 CFR §42.100(b); Phillips v. AWH Corp., 415 F.3d 1303, 1312-13 (Fed. Cir. 2005) (en banc). Unless otherwise stated, this petition applies the ordinary and customary meaning of the claim terms. See also EX1002, ¶76. The following limitations warrant discussion.

A. “[Determining/Determine] a Location of a Snapshot”

Each independent claim recites determining “a location of a snapshot” of a virtual disk of a protected virtual cloud asset. A POSA reading the claims in light of the specification would have understood that the recited “location” encompasses at least a virtual location and a non-virtual location.

A POSA would have understood that the ordinary and customary meaning of a “location” in this context broadly encompassed a virtual location and a non-virtual location. EX1002, ¶¶77-78; see also id., ¶¶30 (data locations), 38 (snapshot locations).

The specification confirms this understanding. It states that the “management console 150 may be queried, by the security system 140, about as the location (e.g., virtual address) of the virtual disk 118-1 in the storage 117.” EX1001, 4:29-32 (emphasis added). This parenthetical makes it clear that the recited location at least encompasses a virtual address, and the “e.g.” indicates that the location is not limited to a virtual address. EX1002, ¶78. Indeed, snapshots of virtual assets were routinely stored in non-virtual storage and accessed by referencing non-virtual locations. Id. A POSA therefore would have interpreted the term “location” to encompass both virtual and non-virtual locations. Id., ¶¶78-79 (citing EX1009, 242, 246-57; EX1010, 3-4; EX1015, 56; EX1021, 8).

B. “[Analyzing/Analyze] the Snapshot”

Each independent claim recites analyzing “the snapshot.”

The ordinary and customary meaning of this language encompasses direct analysis of the snapshot data (e.g., analyzing the snapshot as a data file without instantiating an assessment VM). EX1002, ¶¶80-81. This understanding is confirmed by the specification. See, e.g., EX1001, 5:20-21 (“The snapshot is parsed and analyzed by the security system 140 to detect vulnerabilities.”), 5:37-40 (direct or hash-based matching of application files); see also id., 6:5-12 (analyzing page file), 6:36-39 (security system computes cryptographic hash of sensitive areas in virtual disk and checks for differences), 6:56-60 (analysis of logs “derived from the snapshot”); EX1002, ¶81. Veselov describes this approach. Infra, §X.A.

In the related litigation (supra, §II), Orca’s infringement allegations treat this limitation as encompassing analysis of a VM instantiated from a snapshot, which Veselov also describes (infra, §X.A). For example, Orca alleges that the accused product satisfies “analyzing the at least one snapshot,” as recited in claim 9 of related U.S. Patent No. 11,693,685 because it “‘analyzes [the] operating system, application layer, and data layer’ of virtual machines.” EX1006, 23, 57-58. For purposes of this IPR, Wiz also applies that interpretation. See also EX1002, ¶82.

Orca has since argued that this limitation does not encompass analyzing a VM instantiated from the snapshot, though Orca still maintains that the limitation encompasses indirect snapshot analysis. See, e.g., IPR2024-00864, Paper 6, 9-11. Orca has not explained the contradiction between its recent statements and its infringement allegations—and, regardless, Veselov teaches that disclosures presented in its discussion of indirect snapshot analysis (i.e., analysis of a duplicate VM instantiated from the snapshot) apply to embodiments involving direct snapshot analysis (EX1002, ¶¶91, 202, 214, 218, 229; EX1007 at, e.g., 4:19-29, 8:52-62, 10:37-41, 16:15-18, 16:56-67, 18:16-18, 18:56-59, 24:54-25:2)—so this petition discusses both of Veselov’s approaches. Infra, §XI.C.6.

Accordingly, the discussion below applies a construction of “[analyzing/analyze] the snapshot” encompassing both direct analysis of the snapshot data and analysis of a VM instantiated from the snapshot. EX1002, ¶83.

IX. BACKGROUND

A. Cloud Computing, Virtualization, and Snapshots

Cloud computing was well known long before 2019. EX1002, ¶¶23, 40-42; EX1015, 55-58, 62-66, 164-66, 118, 138, Figs. 8-2, 9-1; EX1021, 1, 18-19, 94-95; EX1022, 29. The physical infrastructure was often provided by data centers that included large collections of physical resources. EX1002, ¶44; EX1013, 229; EX1021, 19.

Cloud systems typically used a “virtualization” layer that abstracts the underlying resources to efficiently manage the operation of multiple applications across multiple physical servers. EX1002, ¶¶24, 43; EX1009, xxiii; EX1010, 2; EX1011, 35; EX1021, 19. Each physical server could emulate multiple virtualized computer systems (e.g., VMs), running their own operating system/applications:

EX1009, 505 (Fig. A-5); see also EX1002, ¶¶25-27; EX1009, xxiii, 5, 505; EX1010, 2; EX1013, 229. Virtualized resources were commonly referenced via various types of virtual or non-virtual locations, including more general locations (e.g., the resource’s computing environment, storage service, or directory) and more specific locations (e.g., an address or file path). EX1002, ¶¶28-31; EX1009, xxiv, 2, 22, 242, 246-57, 505, 514-15, Fig. A-5; EX1010, 3-4; EX1012, 9:9-25; EX1013, 229; EX1014, 22, Fig. 2.1; EX1015, 56, 124; EX1016, ii; EX1017, 1:16-35; EX1021, 8; EX1031, 1; EX1048, ¶¶21, 31; EX1054, 1:31-42; EX1074, 12; EX1080, 5:34-42.

As early as 2005, virtualized systems employed backup techniques involving “snapshots,” which often saved data from the VM’s memory and disks, including sensitive data and any system/application vulnerabilities, to allow reversion to a previous state. EX1002, ¶¶32-37; EX1009, 257; EX1015, 164; EX1018, 2-6; EX1019, Abstract; EX1020, Abstract, 21:42-22:58; EX1049, 940-41; EX1051, 77, 119, 297; EX1052, 203; EX1069, 18:23-32; EX1064, ¶¶23, 31. Snapshot generation routinely involved determining a location to store the snapshot files for later access. EX1002, ¶¶38-39; EX1009, 32, 221, 257-60; EX1015, 56, 164-66; EX1071, 6:35-39; EX1072, 4:1-13. Furthermore, snapshot generation routinely involved preliminary steps such as identifying/locating virtual disks that would be part of the snapshot. EX1002, ¶¶45-47; EX1048, ¶¶21, 42; EX1051, 47, 119, 125; EX1052, 445-46; EX1053, ¶¶36, 87-92, Fig. 7; EX1020, 21:9-22:18, Fig. 4; EX1055, 13, 23, 32-33, 53-56, 68-69.

B. Cyber Security

Traditional security systems sought to improve security by identifying security risks including vulnerabilities and potential exposure of sensitive data. EX1002, ¶¶48-49, 51, 55, 58; EX1023, 1-2; EX1024, 1; EX1036, 12:36-45; EX1044, 3:50-54; EX1056, ¶¶38-39, 60-62, 64-67; EX1057, 1-2; EX1058, 1-4; EX1059, 1-3; EX1075, 3:43-67, 5:16-58; EX1079, 31-36. Security scans commonly searched for known risks—e.g., those in published lists such as the Common Vulnerabilities and Exposures (“CVEs”)—and unknown risks that might be indicated, for example, by behavioral abnormalities. EX1002, ¶¶50, 59-60; EX1023, 1-3; EX1025, 12, 21, 29; EX1026, 9, 24-25; EX1044, 5:28-32; EX1047, 1-5, 7; EX1068, 14:58-15:18; EX1076, 2:24-67; EX1077, 2:45-51, 8:1-30; EX1084, 56-4:24, 11:27-47. VMs were known to be subject to at least the same security risks as nonvirtualized machines. EX1002, ¶¶52-53; EX1018, 3-1, ES-2, 4-1, 4-3; EX1021, 45-46; EX1027, 8, 24-26; EX1028, 6-7, 171-72; EX1029, 1, 321.

A POSA would have been familiar with a variety of scanning techniques. Both agent-based techniques—in which a security application, or agent, scans the same computer in which it has been installed—and agentless techniques were well-known and commonly used. EX1002, ¶¶54, 56-57; EX1030, 116; EX1031, 22; EX1032, ¶¶27, 43; EX1033, 1-2; EX1034, 5643; EX1037, 10:5; EX1038, 133-34; EX1040, Abstract (passive monitoring of virtual server “without utilizing agents executing within the virtual server”), ¶43; EX1095, ¶¶5-6, 43. For example, virtual machine introspection (“VMI”) is an agentless technique that was commonly used in virtualized environments and known to have several advantages (e.g., increasing efficiency and keeping the security software isolated from the potentially compromised guest VM). EX1002, ¶57; EX1018, 3-3; EX1033, 1; EX1034, 5643-44; EX1035, 389; EX1036, 3:56-65; EX1037, 10:9-10; EX1038, 133-34.

For virtualized systems, security scans were often performed on a snapshot of the protected resource rather than directly on the resource itself. EX1002, ¶57; EX1014, 25, 55; EX1038, 134-35; EX1039, 9; EX1040, Abstract, ¶43. Another common technique involved “parsing” snapshots or other data (e.g., reformatting the data) before scanning it. EX1002, ¶¶58, 62-63; EX1007, 15:60-16:3; EX1035, 389; EX1039, 14; EX1041, 3:1-9; EX1042, 10:45-55, 12:54-60; EX1043, 12:10; EX1048, Abstract, ¶¶14, 29, 32, 42, 45, Figs. 3A-C, 4, 6, claim 17; EX1065, 2:29-33; EX1066, 2; EX1067, 390; EX1073, 1; EX1081, ¶79.

Security systems typically alerted users of the identified risks. EX1002, ¶64; EX1025, 21. Given the number of risks typically identified and their varying importance, alerts were commonly prioritized. EX1002, ¶¶61, 65-68; EX1008, Abstract; EX1025, 32; EX1042, 2:10-27; EX1044, 6:9-18, 11:51-67; EX1045, ¶7; EX1046, 11:52-12:14; EX1048, ¶43, Fig. 5; EX1063, ¶¶80, 100-113; EX1075, 1:5-22, 1:23-42, 3:9-42, 4:24-5:15, 5:16-58, 5:59-9:26, Figs. 2-4; EX1085, ¶¶48, 75-77. Cybersecurity systems also routinely provided remedial actions to mitigate identified risks (e.g., software patches or asset quarantining). EX1002, ¶¶69-70; EX1025, 21, 24; EX1032, ¶33; EX1046, 12:15-53; EX1095, ¶¶54-55; EX1067, 390; EX1070, Abstract, ¶53, claim 2; EX1048, ¶14, claim 17; EX1081, ¶79.

X. PRIOR ART

A. Veselov (U.S. Patent No. 11,216,563; EX1007)

Veselov was filed May 19, 2017, and is therefore prior art under 35 U.S.C. §102(a)(2).

Veselov describes scanning techniques mirroring those of the ’231 patent. EX1007, Abstract; EX1002, ¶84. A scanning service generates/requests a snapshot (or obtains/accesses an existing snapshot), accesses/analyzes the snapshot, and reports assessment results. EX1007, Abstract, 2:35-41, 3:20-4:18, 5:9-22, 8:16-51, 9:9-10:36, 11:5-33, 16:47-53; EX1002, ¶85. An exemplary process is depicted below:

EX1007, Fig. 2; see also id., 8:52-10:36 (describing Fig. 2), 16:15-17:9 (describing Fig. 4), 18:16-56 (describing Fig. 6), Figs. 4, 6. Veselov indicates that teachings discussed for certain embodiments broadly apply to other embodiments. EX1002, ¶91.

The scanning service can directly analyze the snapshot and/or analyze an assessment VM instantiated from the snapshot. EX1007, Figs. 3A-B (assess