System and method for peer group detection, visualization and analysis in identity management artificial intelligence systems using cluster based analysis of network identity graphs

US 10,476,952 B1
Filed: 05/21/2019
Issued: 11/12/2019
Est. Priority Date: 11/27/2018
Status: Active Grant

First Claim

Patent Images

1. An identity management system, comprising:

a graph data store;

a processor;

a non-transitory, computer-readable storage medium including computer instructions for;

obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identities and a set of entitlements associated with the set of identities utilized in identity management in the distributed enterprise computing environment;

evaluating the identity management data to determine the set of identities and a set of entitlements associated with the set of identities;

generating a first identity graph from the identity management data by;

creating a node of the first identity graph for each of the determined set of identities,for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity, andgenerating a similarity weight for each edge of the first identity graph between each first node and second node based on the set of entitlements associated with the first identity represented by the first node and the second identity represented by the second node;

storing the first identity graph in the graph data store;

pruning the set of edges of the first identity graph to generate a second identity graph;

storing the second identity graph in the graph data store;

clustering the set of identities represented by the nodes of the second identity graph into a set of peer groups based on the second identity graph, including the nodes of the second identity graph representing the set of identities and the edges of the second identity graph;

associating each of the set of identities with a corresponding peer group; and

generating an interface based on the second identity graph and the association between each of the set of identities and the corresponding peer group.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for graph based artificial intelligence systems for identity management systems are disclosed. Embodiments of the identity management systems disclosed herein may utilize a network graph approach to peer grouping of identities of distributed networked enterprise computing environment. Specifically, in certain embodiments, data on the identities and the respective entitlements assigned to each identity as utilized in an enterprise computer environment may be obtained by an identity management system. A network identity graph may be constructed using the identity and entitlement data. The identity graph can then be clustered into peer groups of identities. The peer groups of identities may be used by the identity management system and users thereof in risk assessment or other identity management tasks.

53 Citations

View as Search Results

21 Claims

1. An identity management system, comprising:
- a graph data store;
  
  a processor;
  
  a non-transitory, computer-readable storage medium including computer instructions for;
  
  obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identities and a set of entitlements associated with the set of identities utilized in identity management in the distributed enterprise computing environment;
  
  evaluating the identity management data to determine the set of identities and a set of entitlements associated with the set of identities;
  
  generating a first identity graph from the identity management data by;
  
  creating a node of the first identity graph for each of the determined set of identities,for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity, andgenerating a similarity weight for each edge of the first identity graph between each first node and second node based on the set of entitlements associated with the first identity represented by the first node and the second identity represented by the second node;
  
  storing the first identity graph in the graph data store;
  
  pruning the set of edges of the first identity graph to generate a second identity graph;
  
  storing the second identity graph in the graph data store;
  
  clustering the set of identities represented by the nodes of the second identity graph into a set of peer groups based on the second identity graph, including the nodes of the second identity graph representing the set of identities and the edges of the second identity graph;
  
  associating each of the set of identities with a corresponding peer group; and
  
  generating an interface based on the second identity graph and the association between each of the set of identities and the corresponding peer group.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein generating the similarity weight for each edge of the first identity graph between each first node and second node based on the set of entitlements is done based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node.
  - 3. The system of claim 1, wherein clustering the second identity graph is accomplished using community-detection.
  - 4. The system of claim 3, wherein clustering the second identity graph is optimized based on a peer group assessment metric.
  - 5. The system of claim 4, wherein the peer group assessment metric is a modularity value resulting from clustering of the set of identities.
  - 6. The system of claim 4, wherein the instructions are further for:
    - determining the peer group assessment metric based on the set of peer groups and comparing the peer group assessment metric to a quality threshold, andwhen the peer group assessment metric is below the quality threshold;
      
      a) adjusting a pruning threshold associated with the pruning of the set of edges of the first identity graph to generate the second identity graph;
      
      b) pruning the set of edges of the first identity graph to generate the second identity graph based on the similarity weight associated with each edge of the first identity graph and the adjusted pruning threshold;
      
      c) clustering the set of identities represented by the nodes of the second identity graph into a set of peer groups based on the second identity graph, including the nodes of the second identity graph representing the set of identities, the edges of the second identity graph and the similarity weights of each of the edges of the second identity graph;
      
      d) determining the peer group assessment metric and comparing the peer group assessment metric to the quality threshold; and
      
      e) repeating steps a-d until the peer group assessment metric exceeds the quality threshold.
  - 7. The system of claim 6, wherein the instructions are further for adjusting the pruning threshold a first amount a first time steps a-d are performed and adjusting the pruning threshold a second amount a second time steps a-d are performed.

8. A method, comprising:
- obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identities and a set of entitlements associated with the set of identities utilized in identity management in the distributed enterprise computing environment;
  
  evaluating the identity management data to determine the set of identities and a set of entitlements associated with the set of identities;
  
  generating a first identity graph from the identity management data by;
  
  creating a node of the first identity graph for each of the determined set of identities,for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity, andgenerating a similarity weight for each edge of the first identity graph between each first node and second node based on the set of entitlements associated with the first identity represented by the first node and the second identity represented by the second node;
  
  storing the first identity graph in a graph data store;
  
  pruning the set of edges of the first identity graph to generate a second identity graph;
  
  storing the second identity graph in the graph data store;
  
  clustering the set of identities represented by the nodes of the second identity graph into a set of peer groups based on the second identity graph, including the nodes of the second identity graph representing the set of identities and the edges of the second identity graph;
  
  associating each of the set of identities with a corresponding peer group; and
  
  generating an interface based on the second identity graph and the association between each of the set of identities and the corresponding peer group.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein generating the similarity weight for each edge of the first identity graph between each first node and second node based on the set of entitlements is done based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node.
  - 10. The method of claim 8, wherein clustering the second identity graph is accomplished using community-detection.
  - 11. The method of claim 10, wherein clustering the second identity graph is optimized based on a peer group assessment metric.
  - 12. The method of claim 11, wherein the peer group assessment metric is a modularity value resulting from clustering of the set of identities.
  - 13. The method of claim 11, further comprising:
    - determining the peer group assessment metric based on the set of peer groups and comparing the peer group assessment metric to a quality threshold, andwhen the peer group assessment metric is below the quality threshold;
      
      a) adjusting a pruning threshold associated with the pruning of the set of edges of the first identity graph to generate the second identity graph;
      
      b) pruning the set of edges of the first identity graph to generate the second identity graph based on the similarity weight associated with each edge of the first identity graph and the adjusted pruning threshold;
      
      c) clustering the set of identities represented by the nodes of the second identity graph into a set of peer groups based on the second identity graph, including the nodes of the second identity graph representing the set of identities, the edges of the second identity graph and the similarity weights of each of the edges of the second identity graph;
      
      d) determining the peer group assessment metric and comparing the peer group assessment metric to the quality threshold; and
      
      e) repeating steps a-d until the peer group assessment metric exceeds the quality threshold.
  - 14. The method of claim 13, further comprising adjusting the pruning threshold a first amount a first time steps a-d are performed and adjusting the pruning threshold a second amount a second time steps a-d are performed.

15. A non-transitory computer readable medium, comprising instructions for:
- obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identities and a set of entitlements associated with the set of identities utilized in identity management in the distributed enterprise computing environment;
  
  evaluating the identity management data to determine the set of identities and a set of entitlements associated with the set of identities;
  
  generating a first identity graph from the identity management data by;
  
  creating a node of the first identity graph for each of the determined set of identities,for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity, andgenerating a similarity weight for each edge of the first identity graph between each first node and second node based on the set of entitlements associated with the first identity represented by the first node and the second identity represented by the second node;
  
  storing the first identity graph in a graph data store;
  
  pruning the set of edges of the first identity graph to generate a second identity graph;
  
  storing the second identity graph in the graph data store;
  
  clustering the set of identities represented by the nodes of the second identity graph into a set of peer groups based on the second identity graph, including the nodes of the second identity graph representing the set of identities and the edges of the second identity graph;
  
  associating each of the set of identities with a corresponding peer group; and
  
  generating an interface based on the second identity graph and the association between each of the set of identities and the corresponding peer group.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer readable medium of claim 15, wherein generating the similarity weight for each edge of the first identity graph between each first node and second node based on the set of entitlements is done based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node.
  - 17. The non-transitory computer readable medium of claim 15, wherein clustering the second identity graph is accomplished using community-detection.
  - 18. The non-transitory computer readable medium of claim 17, wherein clustering the second identity graph is optimized based on a peer group assessment metric.
  - 19. The non-transitory computer readable medium of claim 18, wherein the peer group assessment metric is a modularity value resulting from clustering of the set of identities.
  - 20. The non-transitory computer readable medium of claim 18, further comprising instructions for:
    - determining the peer group assessment metric based on the set of peer groups and comparing the peer group assessment metric to a quality threshold, andwhen the peer group assessment metric is below the quality threshold;
      
      a) adjusting a pruning threshold associated with the pruning of the set of edges of the first identity graph to generate the second identity graph;
      
      b) pruning the set of edges of the first identity graph to generate the second identity graph based on the similarity weight associated with each edge of the first identity graph and the adjusted pruning threshold;
      
      c) clustering the set of identities represented by the nodes of the second identity graph into a set of peer groups based on the second identity graph, including the nodes of the second identity graph representing the set of identities, the edges of the second identity graph and the similarity weights of each of the edges of the second identity graph;
      
      d) determining the peer group assessment metric and comparing the peer group assessment metric to the quality threshold; and
      
      e) repeating steps a-d until the peer group assessment metric exceeds the quality threshold.
  - 21. The non-transitory computer readable medium of claim 20, further comprising instructions for adjusting the pruning threshold a first amount a first time steps a-d are performed and adjusting the pruning threshold a second amount a second time steps a-d are performed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SailPoint Technologies, Inc. (SailPoint Technologies Holdings, Inc.)
Original Assignee
SailPoint Technologies, Inc. (SailPoint Technologies Holdings, Inc.)
Inventors
Badawy, Mohamed M., Ho, Jostine Fei
Primary Examiner(s)
Higa, Brendan Y

Application Number

US16/417,803
Time in Patent Office

175 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/345   Summarisation for human users

G06F 16/355   Class or cluster creation o...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 16/906   Clustering; Classification

G06F 21/45   Structures or tools for the...

G06F 21/57   Certifying or maintaining t...

G06N 20/00   Machine learning

G06N 5/01   Dynamic search techniques; ...

H04L 41/22   comprising specially adapte...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/1044   Group management mechanisms...

H04L 67/1074   for supporting data block t...

System and method for peer group detection, visualization and analysis in identity management artificial intelligence systems using cluster based analysis of network identity graphs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for peer group detection, visualization and analysis in identity management artificial intelligence systems using cluster based analysis of network identity graphs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links