`By: Matthew A. Argenti (margenti@wsgr.com)
`
`Michael T. Rosato (mrosato@wsgr.com)
`Wesley E. Derryberry (wderryberry@wsgr.com)
`Tasha M. Thomas (tthomas@wsgr.com)
`Joseph M. Baillargeon (jbaillargeon@wsgr.com)
`WILSON SONSINI GOODRICH & ROSATI
`650 Page Mill Road
`Palo Alto, CA 94304
`
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`————————————————
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`————————————————
`
`WIZ, INC.,
`Petitioner,
`
`v.
`
`ORCA SECURITY LTD.,
`Patent Owner.
`
`————————————————
`Case IPR2025-00095
`Patent No. 11,637,855
`————————————————
`
`PETITION FOR INTER PARTES REVIEW
`OF U.S. PATENT NO. 11,637,855
`
`
`
TABLE OF CONTENTS

I.    INTRODUCTION ... 1
II.   MANDATORY NOTICES UNDER 37 C.F.R. §42.8 ... 2
III.  CERTIFICATIONS ... 3
IV.   IDENTIFICATION OF CHALLENGE; STATEMENT OF PRECISE RELIEF REQUESTED ... 3
V.    THE ’855 PATENT ... 4
      A. Prosecution History ... 5
VI.   NO BASIS EXISTS FOR DENIAL UNDER 35 U.S.C. §325(D) ... 7
VII.  LEVEL OF ORDINARY SKILL ... 8
VIII. CLAIM CONSTRUCTION ... 9
IX.   BACKGROUND ... 9
      A. Virtualization and Cloud Computing ... 9
      B. Cyber Security ... 10
X.    PRIOR ART ... 15
      A. Elder (U.S. Pub. No. 2014/0189873, EX1005) ... 15
      B. Kim (U.S. Pub. No. 2016/0092679, EX1006) ... 16
      C. Hufsmith (U.S. Pub. No. 2020/0097662, EX1007) ... 17
XI.   GROUND 1: CLAIMS 1-6, 8-9, AND 11-18 WERE OBVIOUS OVER ELDER AND KIM ... 19
      A. Reasons to Combine Elder and Kim ... 20
      B. Independent Claims ... 27
         1. Preambles ... 27
         2. Element 1.i ... 28
         3. Elements 1.1, 12.1, and 18.1 ... 29
         4. Elements 1.2, 12.2, and 18.2 ... 32
         5. Elements 1.3, 12.3, and 18.3 ... 33
         6. Elements 1.4, 12.4, and 18.4 ... 36
         7. Elements 1.5 and 12.5 ... 37
         8. Elements 1.6, 12.6, and 18.5 ... 38
      C. Dependent Claims ... 45
         1. Claims 2-3 and 13-14 ... 45
         2. Claims 4 and 15 ... 46
         3. Claims 5 and 16 ... 49
         4. Claims 6 and 17 ... 50
         5. Claim 8 ... 51
         6. Claim 9 ... 52
         7. Claim 11 ... 52
XII.  GROUND 2: CLAIMS 1-18 WERE OBVIOUS OVER ELDER, KIM, AND HUFSMITH ... 53
      A. Reasons to Combine Elder, Kim, and Hufsmith ... 53
      B. Claims 1, 12, and 18 ... 59
      C. Claims 4 and 5 ... 60
      D. Claim 7 ... 62
      E. Claim 10 ... 63
XIII. CONCLUSION ... 65
`
`
`
`
`
`LISTING OF CHALLENGED CLAIMS
`
`1. A cyber security system for a cloud environment, the system comprising:
`
`[1.i] at least one processor configured to:
`
`[1.1] using a cloud provider API, access a block storage volume of a
`workload maintained in a cloud storage environment;
`
`[1.2] identify an installed software application in the accessed block
`storage volume;
`
`[1.3] analyze the identified installed software application to determine
`an associated software version;
`
`[1.4] access a data structure of known software vulnerabilities for a
`plurality of versions of software applications;
`
`[1.5] perform a lookup of the identified installed software version in
`the data structure to identify known vulnerabilities; and
`
`[1.6] use network accessibility information and at least one port to
`identify one or more of the known and identified vulnerabilities
`susceptible to attack from outside the workload, wherein the network
`accessibility information includes at least one of: data from an
`external data source, cloud provider information, or at least one
`network capture log.
`
`2. The system of claim 1, wherein the at least one processor is further
`configured to implement a remedial action in response to the identified one
`or more vulnerabilities.
`
`3. The system of claim 2, wherein the remedial action includes transmitting
`an alert to a device associated with an administrator.
`
`4. The system of claim 1, wherein the at least one processor is further
`configured to:
`
`query the cloud provider API to determine network accessibility
`information related to the workload further comprises examining data
`sources associated with the workload; and
`
`determine the network accessibility information based on the
`examined data sources.
`
`5. The system of claim 1, wherein to identify the installed software
`application, the at least one processor is configured to:
`
`extract data from at least one of operating system packages, libraries,
`or program language libraries; and
`
`identify the installed software application based on the extracted data.
`
`6. The system of claim 1, wherein the at least one processor is further
`configured to identify a version of the installed software application.
`
`7. The system of claim 1, wherein the identified installed software
`application includes one or more scripts.
`
`8. The system of claim 1, wherein the data structure includes aggregated
`vulnerability data.
`
`9. The system of claim 8, wherein the aggregated vulnerability data includes
`data from one or more third-party vendors.
`
`10. The system of claim 8, wherein the aggregated vulnerability data
`includes data collected by a scanner.
`
`11. The system of claim 8, wherein the aggregated vulnerability data
`includes at least one of an advisory, an exploit, a security announcement, or
`a known bug.
`
`12. A method, comprising:
`
`[12.1] using a cloud provider API, accessing a block storage volume
`of a workload maintained in a cloud storage environment;
`
`[12.2] identifying an installed software application in the accessed
`block storage volume;
`
`[12.3] analyzing the identified installed software application to
`determine an associated software version;
`
`[12.4] accessing a data structure of known software vulnerabilities for
`a plurality of versions of software applications;
`
`[12.5] performing a lookup of the identified installed software version
`in the data structure to identify known vulnerabilities; and
`
`[12.6] use network accessibility information and at least one port to
`identify one or more of the known and identified vulnerabilities
`susceptible to attack from outside the workload, wherein the network
`accessibility information includes at least one of: data from an
`external data source, cloud provider information, or at least one
`network capture log.
`
`13. The method of claim 12, further comprising implementing a remedial
`action in response to the identified one or more vulnerabilities.
`
`14. The method of claim 13, wherein the remedial action includes
`transmitting an alert to a device associated with an administrator.
`
`15. The method of claim 12, wherein the method further comprises query the
`cloud provider API to determine network accessibility information related to
`the workload, by
`
`examining data sources associated with the workload; and
`
`determining the network accessibility information based on the
`examined data sources.
`
`16. The method of claim 12, wherein identify the installed software
`application comprises:
`
`extracting data from at least one of OS packages, libraries, or program
`language libraries; and
`
`identifying the installed software application based on the extracted
`data.
`
`17. The method of claim 16, wherein the at least one processor is further
`configured to identify a version of the installed software application.
`
`18. A non-transitory computer-readable medium storing instructions that,
`when executed by at least one processor, are configured to cause the at least
`one processor to perform operations comprising:
`
`[18.1] using a cloud provider API, accessing a block storage volume
`of a workload maintained in a cloud storage environment;
`
`[18.2] identifying an installed software application in the accessed
`block storage volume;
`
`[18.3] analyzing the identified installed software application to
`determine an associated software version;
`
`[18.4] accessing a data structure of known software vulnerabilities for
`a plurality of versions of software applications; and
`
`[18.5] use network accessibility information and at least one port to
`identify one or more of the known and identified vulnerabilities
`susceptible to attack from outside the workload, wherein the network
`accessibility information includes at least one of: data from an
`external data source, cloud provider information, or at least one
`network capture log.
`
`
`
I. INTRODUCTION
`
Petitioner Wiz, Inc. (“Wiz”) respectfully requests review of U.S. Patent No. 11,637,855 (“the ’855 patent”), currently assigned to Orca Security Ltd. (“Orca”). This petition demonstrates claims 1-18 are unpatentable.

The ’855 claims describe well-known techniques for identifying software-specific vulnerabilities present on a workload in a cloud environment and analyzing the risk that the identified vulnerabilities are susceptible to attack from outside the workload. The techniques involve using a cloud provider API to access a block storage volume of a workload to identify software applications that are installed on the workload, analyzing those applications to determine an associated software version, and accessing a data structure of known software vulnerabilities to perform a lookup of the identified installed software version in the data structure to identify known vulnerabilities applicable to the workload. Network accessibility information and at least one port are then used to identify the known and identified vulnerabilities that are susceptible to attack from outside the workload.

This type of software-matching vulnerability identification and subsequent attack risk analysis was already well known prior to the ’855 patent’s priority date, as demonstrated by the combination of Elder and Kim. Elder discloses most aspects of the independent claims, though it does not expressly discuss using cloud provider APIs for its approach or using at least one port to identify vulnerabilities that are susceptible to outside attack. However, these techniques were well known, as shown by Kim, which builds on Elder by referring to it as a background reference. A third reference, Hufsmith, further demonstrates that the techniques described by the ’855 patent claims were routine in the art by disclosing the use of additional types of network accessibility information in an analysis assessing the attack risk of identified software vulnerabilities. Furthermore, the dependent claims describe other well-known features, as demonstrated below.

Accordingly, Wiz respectfully requests institution.
`
`II. MANDATORY NOTICES UNDER 37 C.F.R. §42.8
`
Real Party-in-Interest (37 C.F.R. §42.8(b)(1)): Petitioner Wiz is the real party-in-interest.

Related Matters (37 C.F.R. §42.8(b)(2)): Wiz is involved in litigation involving Orca patents from a different patent family than those of the ’855 patent in Orca Security Ltd. v. Wiz, Inc., No. 1-23-cv-00758 (DDE), filed and served on July 12, 2023. Wiz has also filed the following IPR petitions challenging Orca patents unrelated to the ’855 patent: IPR2024-00220, IPR2024-00863, IPR2024-00864, IPR2024-00865, IPR2024-01109, IPR2024-01191, IPR2024-01190.

Lead and Back-Up Counsel (37 C.F.R. §42.8(b)(3)):

Lead Counsel: Matthew A. Argenti (Reg. No. 61,836)

Back-Up Counsel: Michael T. Rosato (Reg. No. 52,182); Wesley E. Derryberry (Reg. No. 71,594); Tasha M. Thomas (Reg. No. 73,207); Joseph M. Baillargeon (Reg. No. 79,685).

Service Information (37 C.F.R. §42.8(b)(4)): Wiz consents to electronic service. Please direct all correspondence to lead and back-up counsel at the contact information below. A power of attorney accompanies this petition.

E-mail: margenti@wsgr.com; mrosato@wsgr.com; wderryberry@wsgr.com; tthomas@wsgr.com; jbaillargeon@wsgr.com

Post: WILSON SONSINI GOODRICH & ROSATI, 650 Page Mill Road, Palo Alto, CA 94304

Tel.: 650-354-4154

Fax: 650-493-6811
`
`III. CERTIFICATIONS
`
The ’855 patent is available for IPR, and Wiz is not barred or estopped from requesting IPR on these grounds.

IV. IDENTIFICATION OF CHALLENGE; STATEMENT OF PRECISE RELIEF REQUESTED

Wiz seeks cancellation of the challenged claims for the reasons stated below, which are supported with exhibits, including the Declaration of Dr. Angelos Stavrou (EX1002). The claims are unpatentable under 35 U.S.C. §311 and AIA §6 based on at least the following grounds:

Ground   Claims                  Basis
1        1-6, 8-9, and 11-18     §103(a): obviousness over Elder and Kim.
2        1-18                    §103(a): obviousness over Elder, Kim, and Hufsmith.
`
`V. THE ’855 PATENT
`
The ’855 patent issued from U.S. Application No. 17/657,972 (“the ’972 Application”), filed April 5, 2022. EX1001, Face. The ’972 Application claims priority to Provisional Application No. 63/180,048, filed April 26, 2021. The ’855 patent thus has an effective filing date no earlier than April 26, 2021, and is subject to AIA §102 and §103. Id.; EX1002, ¶20.

The ’855 patent describes techniques for securing a cloud infrastructure, including “a method of operating a cybersecurity system performing a side scanning function to protect against potential vulnerabilities.” EX1001, 1:15-18, 22:31-33, Fig. 5; EX1002, ¶46. The specification describes well-known software-matching techniques in which software installed on a workload, along with the installed software’s version, is identified and the information is then compared against a list of known software vulnerabilities. EX1001, 22:55-60, 23:56-24:18; EX1002, ¶¶40, 47. The specification also describes the well-known concept of determining the risk that a vulnerability can be exploited by explaining that network accessibility information and at least one port may be used to identify one or more vulnerabilities “susceptible to attack from outside the workload.” Id., 32:12-26; see also id., 22:60-67 (determining “an avenue for potential vulnerability 513 to access and infiltrate” the workload), 24:19-35, 24:47-62; EX1002, ¶¶42-45, 47.

The ’855 patent includes 18 claims. Claims 1, 12, and 18 are independent. Claims 12 and 18 essentially mirror claim 1, but whereas claim 1 is written as a system claim, independent claim 12 is directed to a method, and independent claim 18 is directed to a computer-readable medium. The dependent claims add other conventional aspects of cybersecurity and cloud computing. EX1002, ¶¶48-49.

A. Prosecution History

During prosecution, the claims of the ’972 Application faced rejections under §§102 and 103. The last limitation of the independent claims originally recited that at least one of three actions was performed as part of the claimed cybersecurity analysis: (1) “query the cloud provider API to determine network accessibility information related to the workload”; (2) “identify at least one port on which the vulnerable application is accessible”; or (3) “use network accessibility information and at least one port to identify one or more vulnerabilities susceptible to attack from outside the workload.” EX1004, 770-71, 1234; EX1002, ¶50.

In an Office Action, the Examiner rejected the claims as anticipated by Dye (U.S. Pub. No. 2020/0389482), asserting that Dye disclosed the first of the three recited actions (i.e., “query the cloud provider API to determine network accessibility information related to the workload”). EX1004, 580-82, 1030-31; EX1002, ¶50. The applicant amended the claims to remove recitation of the first action, but the Examiner responded, in an Advisory Action, that Stopel (U.S. Pub. No. 2019/0116199) taught the second recited action (i.e., “identify at least one port through which an application is accessible”). EX1004, 548, 563 (claim amendment).

The applicant then removed the second recited action from the claims, resulting in only the third action—which recited “network accessibility information” rather than “network accessibility information related to the workload” recited in the first action—remaining in the claims. Id., 461-62. The applicant also amended the third action to further recite “use network accessibility information and at least one port to identify one or more of the known and identified vulnerabilities susceptible to attack from outside the workload, wherein the network accessibility information includes at least one of: data from an external data source, cloud provider information, or at least one network capture log.” Id. The applicant distinguished Stopel by arguing “Stopel teaches a host device using an at least one port to attempt to access an application to determine whether a vulnerability exists based on an application’s misconfiguration, … rather than identifying ‘one or more of the known and identified vulnerabilities’ from a ‘data structure of known software vulnerabilities.’” Id., 468. The Examiner subsequently allowed the claims. Id., 16-25; EX1002, ¶51.
`
`VI. NO BASIS EXISTS FOR DENIAL UNDER 35 U.S.C. §325(D)
`
Under the two-part Advanced Bionics framework, §325(d) analysis considers several factors to determine:

    (1) whether the same or substantially the same art previously was presented to the Office or whether the same or substantially the same arguments previously were presented to the Office; and (2) if either condition of [the] first part of the framework is satisfied, whether the petitioner has demonstrated that the Office erred in a manner material to the patentability of challenged claims.

Advanced Bionics, LLC v. Med-El Elektromedizinische Geräte GmbH, IPR2019-01469, Paper 6 at 8 (precedential); 35 U.S.C. §325(d).

Elder and Kim were not presented to the Office, and Hufsmith, while disclosed by the applicant in an IDS, was not discussed by the Examiner. See EX1001, (56); EX1004, 618. The references are also not cumulative of references considered during prosecution. The Office thus did not consider any of the grounds presented herein. The Office also lacked additional evidence discussed herein, including the declaration provided by Wiz’s expert, Dr. Stavrou.

Allowance of the claims also constituted material error under part two of the Advanced Bionics test. The Examiner allowed the claims of the ’855 patent because the applicant distinguished a reference as not disclosing identifying network-accessible vulnerabilities that first were identified from a data structure of known software vulnerabilities. See EX1004, 468; supra, §V.A. However, as discussed in more detail below, Elder teaches first identifying software vulnerabilities present on a workload using a data structure of known vulnerabilities and then assessing each of those vulnerabilities for susceptibility to outside attack by using network accessibility information related to the vulnerability. Infra, §XI. Moreover, Kim and Hufsmith describe the well-known practices of also using port status information and workload-specific network accessibility information as part of a security risk analysis. Infra, §§XI, XII. The claims therefore should not have issued, and they would not have issued if the Examiner had considered the present grounds.
`
`VII. LEVEL OF ORDINARY SKILL
`
For purposes of this petition, Wiz assumes a priority date of April 26, 2021. A POSA as of April 2021 would have held at least a bachelor’s degree in computer science, computer engineering, electrical engineering, or a related field, and would also have 2-3 years of professional experience working with cyber security analysis and virtualization. Additional experience could compensate for less education and vice versa. Relevant work experience includes, for example, malware analysis, security analysis of cloud computing systems, and security analysis of VMs. EX1002, ¶¶21-22. Dr. Stavrou meets these requirements and is qualified to credibly opine on the state of the art and the POSA’s perspective. Id., ¶¶1-19; see also id., ¶¶2-5 (qualifications); EX1003 (Stavrou CV). Section IX below summarizes the state of the art, including background knowledge that would have informed a POSA’s understanding of the references’ teachings applied herein.
`
`VIII. CLAIM CONSTRUCTION
`
Claim terms are given their ordinary and customary meaning, consistent with the specification, as a POSA understood them. 37 C.F.R. §42.100(b); Phillips v. AWH Corp., 415 F.3d 1303, 1312-13 (Fed. Cir. 2005) (en banc). This petition applies the ordinary and customary meaning of the claim terms. See also EX1002, ¶52.
`
`IX. BACKGROUND
`A. Virtualization and Cloud Computing
`
Cloud computing and virtualization technology were well known long before 2021. EX1002, ¶¶23-24; EX1008, 1; EX1009, xxiii; EX1010, 2; EX1011, 35. The physical infrastructure for cloud computing was often provided by data centers that included large collections of physical resources. EX1002, ¶29; EX1008, 19; EX1016, 229.

Cloud systems typically used a “virtualization” layer that abstracts the underlying resources to efficiently manage the operation of multiple applications across multiple physical servers. EX1002, ¶¶25-29. Each physical server could emulate multiple physical computers, each called a “virtual machine” (VM) and each running its own operating system and applications. EX1002, ¶25; EX1009, xxiii; EX1010, 2. Software containers were another form of virtualization known and widely used at the time. EX1002, ¶25; EX1012, ii; EX1013, 1:16-35. Desktop, server, cloud, and datacenter providers routinely used many different virtualization solutions and products. EX1002, ¶25; see also id., ¶¶26-29 (detailing the three-layered framework of cloud computing) (citing EX1008, 18-19, 94-95; EX1014, 29; EX1015, 55-58, 62-66, 118, 138, 164-66; EX1016, 229).

Off-the-shelf virtualization tools (e.g., VMWare® VirtualCenter) routinely used APIs to query information about a cloud-based resource, such as a VM. EX1002, ¶30. These tools allowed users to select a particular VM to obtain more detailed information about the VM based on API calls. Id.; EX1017, 445-46; EX1018, ¶¶21, 42. Moreover, common cloud/virtualization platforms included APIs that were routinely used for querying information about virtual resources and used as building blocks for more complex tasks, such as performing scans of the virtual disks of a target VM. EX1002, ¶31; EX1019, 13, 23, 32-33, 53-56, 68-69; EX1017, 445-46.
`
`B. Cyber Security
`
Traditional security systems sought to improve security by identifying security risks, including vulnerabilities present on the resource. EX1002, ¶¶32-33, 37. Security scans commonly searched for known risks—e.g., those in published lists such as the Common Vulnerabilities and Exposures (“CVEs”)—and unknown risks that might be indicated, for example, by behavioral abnormalities. EX1002, ¶¶33-34; EX1020, 1-3; EX1021, 1; EX1022, 12; EX1023, 9. Virtual machines were known to be subject to at least the same security risks as nonvirtualized machines. EX1002, ¶¶35-36; EX1024, ES-2, 3-1, 4-1, 4-3; EX1025, 8; EX1026, 171-72; EX1008, 45-46; EX1027, 321.

A POSA would have been familiar with a variety of scanning techniques. EX1002, ¶37; EX1028, 116; EX1029, 22; EX1030, ¶¶27, 43; EX1033, 2; EX1032, ¶43. Both agent-based techniques—in which a security application, or agent, scans the same computer on which it has been installed—and agentless techniques were well known and commonly used. EX1002, ¶¶38-39; EX1034, 5643; EX1033, 1; EX1032, ¶¶5-6. For example, virtual machine introspection (“VMI”) is an agentless technique that was commonly used in virtualized environments and known to have several advantages (e.g., increasing efficiency and keeping the security software isolated from the potentially compromised guest VM). EX1002, ¶39; EX1033, 1; EX1034, 5643-44; EX1035, 389; EX1036, 3:56-65; EX1024, 3-3; EX1037, 10:9-10; EX1038, 133-34.

Security systems typically evaluated the computer system to identify different types of vulnerabilities, such as checking the configuration files of operating systems and installed applications to identify out-of-date software that needed to be patched. EX1002, ¶40; EX1039, 3:50-54, 5:28-32; EX1040, 31-36. Matching system data against public repositories of known vulnerabilities was a common way to detect security issues such as applications (or versions of applications) known to be vulnerable or files infected with malware, and various types of matching techniques were well known and routinely used. EX1002, ¶40; EX1041, 2:24-67; EX1042, 2:45-51; EX1059, ¶¶41-51, 56; EX1047, 1-5, 7; EX1043, 14:58-15:18; EX1044, 3:56-4:24, 11:27-47.

Security systems also commonly identified and prioritized risks based on multiple factors, including factors based on the network accessibility of a vulnerability present on an asset. EX1002, ¶41; EX1039, 6:9-18; EX1045, 1:5-42, 4:24-6:44, Figs. 2-4; EX1046, ¶¶48, 75-77. For example, it was known that vulnerabilities often existed in software applications installed on an asset, and identifying such vulnerabilities was important due to the risk that the vulnerability could be exploited by an outside attacker, resulting in unauthorized access into the asset. EX1002, ¶42; EX1048, ¶¶3, 37, 44, 53, 60, 79-80; EX1039, 1:18-31, 3:50-57. Thus, well before 2021, POSAs appreciated that identifying ways in which an attacker could exploit an existing software vulnerability over a network allowed administrators to understand the most at-risk vulnerabilities and assets, which would help guide remediation efforts. EX1002, ¶42; EX1048, ¶¶21, 29; EX1045, 3:28-42.

Information known to be useful in providing insight into the risk that an existing software vulnerability was susceptible to outside attack was the type of network accessibility needed to exploit a known vulnerability. EX1002, ¶43. For example, risk analysis systems often used the Common Vulnerability Scoring System (“CVSS”), which was “an open framework for communicating the characteristics and severity of software vulnerabilities.” EX1049, 3; see also EX1002, ¶43; EX1048, ¶55; EX1045, 4:36-50; EX1045, 3:50-54; EX1007, ¶¶116-17; EX1056, 2. Each known software vulnerability (identified by a given CVE identifier) was associated with a CVSS score that included a numerical score and a vector string used to derive the numerical score, the vector string being composed of a number of metrics regarding the exploitability characteristics of the associated vulnerability. EX1002, ¶43; EX1049, 3-5, Fig. 1; EX1031, 1; EX1050, 7. For example, the base metrics of a CVSS score provided information as to the network conditions needed to exploit a vulnerability, such as the type of network access required to exploit the vulnerability (e.g., whether an attacker needed local access or could exploit the vulnerability remotely), the types of access conditions needed, and the privileges required to successfully exploit the vulnerability. EX1002, ¶43; EX1049, 6-7, Tables 1-3; EX1050, 7-9; EX1007, ¶117.

Another type of information known to be useful in assessing the risk of a successful attack was the network port settings for the asset having the vulnerability. EX1002, ¶44; EX1048, ¶37; EX1006, ¶15; EX1056, 2. For instance, it was known that software applications commonly communicated through open ports to receive data, but open ports represented a point of entry for an outside attacker to exploit vulnerable applications communicating through those ports. EX1002, ¶44; EX1051, ¶¶5-8; EX1052, ¶6; EX1057, ¶¶39, 57; EX1058, 4:10-36, Fig. 4; EX1048, ¶22. Thus, it was appreciated that the status of a port (e.g., open or closed) on an asset provided information relevant to assessing whether a software vulnerability was susceptible to outside attack. EX1002, ¶44.

It was also commonplace for security systems to use additional environment-specific information in determining whether a vulnerable application could be attacked, such as the location and accessibility in the network environment of the asset containing the vulnerable software. EX1002, ¶45; EX1048, ¶¶15, 22, 55-56; EX1045, 3:43-47, 5:16-6:1. For example, whether the asset has Web connectivity or the asset’s placement relative to other resources in the network were considerations known to provide additional contextual information on the risk that a particular software vulnerability was susceptible to attack. EX1002, ¶45; EX1045, 4:41-46, 8:47-50; EX1048, ¶59; EX1039, 5:4-22, 8:46-9:3; EX1007, ¶¶92, 140-41; EX1059, ¶¶76-81.
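The pipeline recited in claims 1, 12 and 18 (inventory the installed software from the accessed volume, resolve each version, look it up in a data structure of known vulnerabilities, then use network accessibility information and at least one port to keep only the findings attackable from outside the workload) and the background discussion above of CVSS attack-vector metrics, port status and cloud-side reachability can be exercised end to end in a short script. The following is an added example written for this page; it is not code from the ’855 patent, from Orca, from Wiz, from Dr. Stavrou's declaration, or from any cited reference. Every input is constructed: the dpkg status excerpt stands in for data read from a mounted volume snapshot, the advisory identifiers are placeholders rather than real CVEs, and the security-group rules, public address and VPC-flow-log lines are invented. The version ordering is a simplification of dpkg's and is flagged as such in the code.

```python
"""Side-scanning style vulnerability check over constructed inputs.
Added example for this page; not code from the patent or any party."""
import ipaddress
import re

# Constructed excerpt of dpkg's /var/lib/dpkg/status, standing in for the
# package database read from a block-storage volume mounted read-only.
DPKG_STATUS = """\
Package: openssh-server
Status: install ok installed
Version: 1:8.2p1-4ubuntu0.5

Package: nginx
Status: install ok installed
Version: 1.18.0-0ubuntu1

Package: libxml2
Status: deinstall ok config-files
Version: 2.9.10+dfsg-5
"""

# Constructed vulnerability table (versions older than "fixed" are affected).
# IDs are placeholders, not real CVEs; "ports" are the component's assumed service ports.
VULN_DB = {
    "openssh-server": [
        {"id": "ADV-0001", "fixed": "1:8.2p1-4ubuntu0.7", "ports": [22],
         "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    ],
    "nginx": [
        {"id": "ADV-0002", "fixed": "1.18.0-0ubuntu1.3", "ports": [80, 443],
         "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
        {"id": "ADV-0003", "fixed": "1.18.0-0ubuntu1.3", "ports": [80, 443],
         "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
    ],
}

# Constructed cloud provider information: public IP and security-group ingress (from, to, cidr).
WORKLOAD = {
    "public_ip": "203.0.113.10",
    "ingress": [(22, 22, "10.0.0.0/8"), (80, 80, "0.0.0.0/0"), (443, 443, "0.0.0.0/0")],
}

# Constructed network capture log in AWS VPC flow log version 2 field order.
FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51234 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51235 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.9 10.0.1.5 40000 22 6 20 2600 1700000000 1700000060 ACCEPT OK
"""

PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
_TOKEN = re.compile(r"\d+|[^\d]+")


def parse_dpkg_status(text):
    """Map package -> version for stanzas whose Status ends in 'installed'."""
    installed = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(ln.split(": ", 1) for ln in stanza.splitlines() if ": " in ln)
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed

def version_key(version):
    """Simplified dpkg ordering (digit runs as integers, other runs as text).
    Assumption: adequate here; real scanners should use dpkg --compare-versions."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in _TOKEN.findall(version)]

def is_public(address_or_cidr):
    """True unless the address/CIDR lies entirely inside a private range."""
    net = ipaddress.ip_network(address_or_cidr, strict=False)
    return not any(net.subnet_of(p) for p in PRIVATE_RANGES)

def internet_open_ports(workload):
    """Ports that some security-group rule admits from a non-private source."""
    return {p for lo, hi, cidr in workload["ingress"] if is_public(cidr)
            for p in range(lo, hi + 1)}

def ports_with_external_accepts(flow_log):
    """Destination ports with ACCEPTed packets from a non-private source address."""
    recs = (r.split() for r in flow_log.splitlines())
    return {int(f[6]) for f in recs if len(f) >= 13 and f[12] == "ACCEPT" and is_public(f[3])}

def attack_vector(cvss_vector):
    """CVSS v3 Attack Vector value (N, A, L or P) from the vector string."""
    return re.search(r"/AV:([NALP])(?:/|$)", cvss_vector).group(1)

def externally_exposed_findings(status_text, vuln_db, workload, flow_log):
    """Inventory, version lookup, then reachability filter, in claim order."""
    installed = parse_dpkg_status(status_text)
    open_ports = internet_open_ports(workload)
    observed = ports_with_external_accepts(flow_log)
    findings = []
    for pkg, version in installed.items():
        for adv in vuln_db.get(pkg, []):
            if version_key(version) >= version_key(adv["fixed"]):
                continue  # installed build already carries the fix
            reachable = sorted(set(adv["ports"]) & open_ports)
            exposed = (workload["public_ip"] is not None
                       and attack_vector(adv["cvss"]) == "N" and bool(reachable))
            findings.append({"package": pkg, "version": version, "id": adv["id"],
                             "exposed": exposed, "ports": reachable,
                             "traffic_seen": bool(set(reachable) & observed)})
    return findings
```

On these inputs the ssh advisory is present but not exposed (its port is admitted only from a private range), the first nginx advisory is exposed on ports 80 and 443 with accepted external traffic already visible on 443, and the second nginx advisory is not exposed despite the open ports because its attack vector is local. Two caveats a practitioner would add: an installed package is not necessarily a listening service, so an exposed finding should be confirmed against the service configuration on the volume or, as here, against captured traffic; and a CVSS AV:N value says only that the flaw is reachable over a network in principle, so the cloud-side reachability check, not the vector string, decides exposure.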
`
`-14-
`
`
`
`
`
X. PRIOR ART
A. Elder (U.S. Pub. No. 2014/0189873, EX1005)
`
Elder was filed May 21, 2010, and published July 3, 2014. It is therefore prior art under 35 U.S.C. §§102(a)(1)-(2).

Elder describes systems and methods for automated risk analysis that identifies and prioritizes vulnerabilities found in host devices located in a network environment, which can be a cloud computing environment. EX1005, Abstract, ¶¶5-6, 27, Fig. 1. As summarized in Kim, Elder “discloses technology related to an automation system which collects the configuration information of a host, analyzes the collected information based on information stored in a vulnerability database (DB), and calculates vulnerability scores.” EX1006, ¶10; EX1002, ¶53.

Elder’s risk analysis system first accesses host configuration information of a host, which includes “configuration details regarding hardware, operating system, patches, hotfixes, applications, and associated versions of each.” EX1005, ¶¶7, 28, 33-34, 37-38, Fig. 3. Using the host configuration information, the system then queries a vulnerability d