System and method for peer group detection, visualization and analysis in identity management artificial intelligence systems using cluster based analysis of network identity graphs

US 10,476,953 B1
Filed: 07/01/2019
Issued: 11/12/2019
Est. Priority Date: 11/27/2018
Status: Active Grant

First Claim

Patent Images

1. An identity management system, comprising:

a memory;

a processor;

a non-transitory, computer-readable storage medium including computer instructions for;

obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment;

evaluating the identity management data to determine a set of identities and a set of entitlements associated with the set of identities, the set of identities and the set of entitlements utilized in identity management of the distributed enterprise computing environment;

generating a first identity graph from the identity management data by;

creating a node of the first identity graph for each of the determined set of identities,for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity, andgenerating a weight for each edge of the first identity graph between each first node and second node based on the at least one entitlement shared between the first identity represented by the first node and the second identity represented by the second node;

storing the first identity graph in the graph data store;

pruning the set of edges of the first identity graph to generate a second identity graph;

storing the second identity graph in the graph data store;

clustering the set of identities or set of entitlements represented by the second identity graph into a set of peer groups based on the second identity graph, including the nodes of the second identity graph representing the set of identities and the edges of the second identity graph; and

storing the set of peer groups, including an identification of the set of identities or set of entitlements.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for graph based artificial intelligence systems for identity management systems are disclosed. Embodiments of the identity management systems disclosed herein may utilize a network graph approach to peer grouping of identities of distributed networked enterprise computing environment. Specifically, in certain embodiments, data on the identities and the respective entitlements assigned to each identity as utilized in an enterprise computer environment may be obtained by an identity management system. A network identity graph may be constructed using the identity and entitlement data. The identity graph can then be clustered into peer groups of identities. The peer groups of identities may be used by the identity management system and users thereof in risk assessment or other identity management tasks.

Citations

21 Claims

1. An identity management system, comprising:
- a memory;
  
  a processor;
  
  a non-transitory, computer-readable storage medium including computer instructions for;
  
  obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment;
  
  evaluating the identity management data to determine a set of identities and a set of entitlements associated with the set of identities, the set of identities and the set of entitlements utilized in identity management of the distributed enterprise computing environment;
  
  generating a first identity graph from the identity management data by;
  
  creating a node of the first identity graph for each of the determined set of identities,for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity, andgenerating a weight for each edge of the first identity graph between each first node and second node based on the at least one entitlement shared between the first identity represented by the first node and the second identity represented by the second node;
  
  storing the first identity graph in the graph data store;
  
  pruning the set of edges of the first identity graph to generate a second identity graph;
  
  storing the second identity graph in the graph data store;
  
  clustering the set of identities or set of entitlements represented by the second identity graph into a set of peer groups based on the second identity graph, including the nodes of the second identity graph representing the set of identities and the edges of the second identity graph; and
  
  storing the set of peer groups, including an identification of the set of identities or set of entitlements.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the weight generated for each edge of the first identity graph between each first node and second node is a similarity weight.
  - 3. The system of claim 2, wherein the similarity weight is an approximate weight based on the at least one entitlement shared between the first identity represented by the first node and the second identity represented by the second node.
  - 4. The system of claim 2, wherein the similarity weight is an actual weight calculated based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node.
  - 5. The system of claim 3, wherein the pruning of the set of edges of the first identity graph to generate a second identity graph is based on these similarity weights.
  - 6. The system of claim 1, wherein the memory is a SQL data store.
  - 7. The system of claim 1, wherein storing the set of peer groups comprises representing the set of peer groups as nodes in the second identity graph.

8. A method, comprising:
- obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment;
  
  evaluating the identity management data to determine a set of identities and a set of entitlements associated with the set of identities, the set of identities and the set of entitlements utilized in identity management of the distributed enterprise computing environment;
  
  generating a first identity graph from the identity management data by;
  
  creating a node of the first identity graph for each of the determined set of identities,for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity, andgenerating a weight for each edge of the first identity graph between each first node and second node based on the at least one entitlement shared between the first identity represented by the first node and the second identity represented by the second node;
  
  storing the first identity graph in the graph data store;
  
  pruning the set of edges of the first identity graph to generate a second identity graph;
  
  storing the second identity graph in the graph data store;
  
  clustering the set of identities or set of entitlements represented by the second identity graph into a set of peer groups based on the second identity graph, including the nodes of the second identity graph representing the set of identities and the edges of the second identity graph; and
  
  storing the set of peer groups, including an identification of the set of identities or set of entitlements.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the weight generated for each edge of the first identity graph between each first node and second node is a similarity weight.
  - 10. The method of claim 9, wherein the similarity weight is an approximate weight based on the at least one entitlement shared between the first identity represented by the first node and the second identity represented by the second node.
  - 11. The method of claim 9, wherein the similarity weight is an actual weight calculated based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node.
  - 12. The method of claim 10, wherein the pruning of the set of edges of the first identity graph to generate a second identity graph is based on these similarity weights.
  - 13. The method of claim 8, wherein the memory is a SQL data store.
  - 14. The method of claim 8, wherein storing the set of peer groups comprises representing the set of peer groups as nodes in the second identity graph.

15. A non-transitory computer readable medium, comprising instructions for:
- obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment;
  
  evaluating the identity management data to determine a set of identities and a set of entitlements associated with the set of identities, the set of identities and the set of entitlements utilized in identity management of the distributed enterprise computing environment;
  
  generating a first identity graph from the identity management data by;
  
  creating a node of the first identity graph for each of the determined set of identities,for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity, andgenerating a weight for each edge of the first identity graph between each first node and second node based on the at least one entitlement shared between the first identity represented by the first node and the second identity represented by the second node;
  
  storing the first identity graph in the graph data store;
  
  pruning the set of edges of the first identity graph to generate a second identity graph;
  
  storing the second identity graph in the graph data store;
  
  clustering the set of identities or set of entitlements represented by the second identity graph into a set of peer groups based on the second identity graph, including the nodes of the second identity graph representing the set of identities and the edges of the second identity graph; and
  
  storing the set of peer groups, including an identification of the set of identities or set of entitlements.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer readable medium of claim 15, wherein the weight generated for each edge of the first identity graph between each first node and second node is a similarity weight.
  - 17. The non-transitory computer readable medium of claim 16, wherein the similarity weight is an approximate weight based on the at least one entitlement shared between the first identity represented by the first node and the second identity represented by the second node.
  - 18. The non-transitory computer readable medium of claim 16, wherein the similarity weight is an actual weight calculated based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node.
  - 19. The non-transitory computer readable medium of claim 17, wherein the pruning of the set of edges of the first identity graph to generate a second identity graph is based on these similarity weights.
  - 20. The non-transitory computer readable medium of claim 15, wherein the memory is a SQL data store.
  - 21. The non-transitory computer readable medium of claim 15, wherein storing the set of peer groups comprises representing the set of peer groups as nodes in the second identity graph.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SailPoint Technologies, Inc. (SailPoint Technologies Holdings, Inc.)
Original Assignee
SailPoint Technologies, Inc. (SailPoint Technologies Holdings, Inc.)
Inventors
Badawy, Mohamed M., Ho, Jostine Fei
Primary Examiner(s)
Higa, Brendan Y

Application Number

US16/459,104
Time in Patent Office

134 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/345   Summarisation for human users

G06F 16/355   Class or cluster creation o...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 16/906   Clustering; Classification

G06F 21/45   Structures or tools for the...

G06F 21/57   Certifying or maintaining t...

G06N 20/00   Machine learning

G06N 5/01   Dynamic search techniques; ...

H04L 41/22   comprising specially adapte...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/1044   Group management mechanisms...

H04L 67/1074   for supporting data block t...

System and method for peer group detection, visualization and analysis in identity management artificial intelligence systems using cluster based analysis of network identity graphs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for peer group detection, visualization and analysis in identity management artificial intelligence systems using cluster based analysis of network identity graphs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links