System and method for intelligent agents for decision support in network identity graph based identity management artificial intelligence systems

US 10,523,682 B1
Filed: 02/26/2019
Issued: 12/31/2019
Est. Priority Date: 02/26/2019
Status: Active Grant

First Claim

Patent Images

1. An identity management system, comprising:

a graph data store;

a processor;

a non-transitory, computer-readable storage medium, including computer instructions for;

obtaining historical certification data for an enterprise, the historical certification data comprising a set of historical certification decisions, each historical certification decision comprising a historical access request including an identity and an entitlement, and an approval or denial decision for the historical access request;

enhancing the historical certification data with a value for a feature for each historical access certification decision, the value for the feature determined from an identity graph associated with the enterprise;

training a classifier with the enhanced historical certification data;

receiving an access request including an identity and an entitlement and a request for an approval or denial decision for the access request;

enhancing the received access request with a value for the feature, based on the identity or entitlement of the access request and the identity graph associated with the enterprise;

submitting the enhanced access request to the classifier;

receiving an approval or denial decision for the enhanced access request from the classifier; and

returning the approval or denial decision for the access request to a user of the identity management system, wherein the identity graph associated with the enterprise comprises;

generating a first identity graph from the identity management data by;

creating a node of the first identity graph for each of a set of identities determined from identity management data of the enterprise, the identity management data comprising data on the set of identities and a set of entitlements associated with the set of identities utilized in identity management in the enterprise;

for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity, andgenerating a similarity weight for each edge of the first identity graph between each first node and second node based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for embodiments of a graph based artificial intelligence systems for identity management are disclosed. Embodiments of the identity management systems disclosed herein may utilize a network graph approach to analyzing identities or entitlements of a distributed networked enterprise computing environment. Specifically, in certain embodiments, an artificial intelligence based identity governance systems may include an intelligent decision support agent to provide an approval or denial recommendation for an access request. To provide an approval or denial recommendation, the intelligent agent may utilize a classifier trained on historical certification data. The intelligent agent may utilize features which represent relevant signals to the approval or denial decision including features that may be associated with a network graph of the identities and entitlements of the enterprise computing environment.

Citations

21 Claims

1. An identity management system, comprising:
- a graph data store;
  
  a processor;
  
  a non-transitory, computer-readable storage medium, including computer instructions for;
  
  obtaining historical certification data for an enterprise, the historical certification data comprising a set of historical certification decisions, each historical certification decision comprising a historical access request including an identity and an entitlement, and an approval or denial decision for the historical access request;
  
  enhancing the historical certification data with a value for a feature for each historical access certification decision, the value for the feature determined from an identity graph associated with the enterprise;
  
  training a classifier with the enhanced historical certification data;
  
  receiving an access request including an identity and an entitlement and a request for an approval or denial decision for the access request;
  
  enhancing the received access request with a value for the feature, based on the identity or entitlement of the access request and the identity graph associated with the enterprise;
  
  submitting the enhanced access request to the classifier;
  
  receiving an approval or denial decision for the enhanced access request from the classifier; and
  
  returning the approval or denial decision for the access request to a user of the identity management system, wherein the identity graph associated with the enterprise comprises;
  
  generating a first identity graph from the identity management data by;
  
  creating a node of the first identity graph for each of a set of identities determined from identity management data of the enterprise, the identity management data comprising data on the set of identities and a set of entitlements associated with the set of identities utilized in identity management in the enterprise;
  
  for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity, andgenerating a similarity weight for each edge of the first identity graph between each first node and second node based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the feature is one of a set of features, the set of features comprising a primary feature and a composite feature.
  - 3. The system of claim 2, wherein the feature includes a shortest distance of any path in the identity graph between a node of the identity graph associated with the identity of the access request and a node of the identity graph associated with the entitlement of the access request, or a density of the entitlement of the access request within a peer group of the identity graph associated with the identity of the access request.
  - 4. The system of claim 2, wherein the instructions further comprise instructions for:
    - receiving a request for an interpretation of the approval or denial decision for the access request;
      
      determining a top set of features that resulted in the approval or denial decision based on the classifier; and
      
      returning the top set of features to the user.
  - 5. The system of claim 4, wherein determining the top set of features comprise querying the classifier to build a local model for the access request from the classifier and determining the top set of features from the local model.
  - 6. The system of claim 5, wherein the classifier includes an XGBoost model.
  - 7. The system of claim 1, wherein the instructions further comprise instructions for determining a user approval or denial decision for the access request, and storing the user approval or denial decision and the access request as part of the historical certification data.

8. A method, comprising:
- obtaining historical certification data for an enterprise, the historical certification data comprising a set of historical certification decisions, each historical certification decision comprising a historical access request including an identity and an entitlement, and an approval or denial decision for the historical access request;
  
  enhancing the historical certification data with a value for a feature for each historical access certification decision, the value for the feature determined from an identity graph associated with the enterprise;
  
  training a classifier with the enhanced historical certification data;
  
  receiving an access request including an identity and an entitlement and a request for an approval or denial decision for the access request;
  
  enhancing the received access request with a value for the feature, based on the identity or entitlement of the access request and the identity graph associated with the enterprise;
  
  submitting the enhanced access request to the classifier;
  
  receiving an approval or denial decision for the enhanced access request from the classifier; and
  
  returning the approval or denial decision for the access request to a user of the identity management system, wherein the identity graph associated with the enterprise comprises;
  
  generating a first identity graph from the identity management data by;
  
  creating a node of the first identity graph for each of a set of identities determined from identity management data of the enterprise, the identity management data comprising data on the set of identities and a set of entitlements associated with the set of identities utilized in identity management in the enterprise;
  
  for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity, andgenerating a similarity weight for each edge of the first identity graph between each first node and second node based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the feature is one of a set of features, the set of features comprising a primary feature and a composite feature.
  - 10. The method of claim 9, wherein the feature includes a shortest distance of any path in the identity graph between a node of the identity graph associated with the identity of the access request and a node of the identity graph associated with the entitlement of the access request, or a density of the entitlement of the access request within a peer group of the identity graph associated with the identity of the access request.
  - 11. The method of claim 9, wherein the instructions further comprising:
    - receiving a request for an interpretation of the approval or denial decision for the access request;
      
      determining a top set of features that resulted in the approval or denial decision based on the classifier; and
      
      returning the top set of features to the user.
  - 12. The method of claim 11, wherein determining the top set of features comprise querying the classifier to build a local model for the access request from the classifier and determining the top set of features from the local model.
  - 13. The method of claim 12, wherein the classifier includes an XGBoost model.
  - 14. The method of claim 8, further comprising determining a user approval or denial decision for the access request, and storing the user approval or denial decision and the access request as part of the historical certification data.

15. A non-transitory computer readable medium, comprising instruction for:
- obtaining historical certification data for an enterprise, the historical certification data comprising a set of historical certification decisions, each historical certification decision comprising a historical access request including an identity and an entitlement, and an approval or denial decision for the historical access request;
  
  enhancing the historical certification data with a value for a feature for each historical access certification decision, the value for the feature determined from an identity graph associated with the enterprise;
  
  training a classifier with the enhanced historical certification data;
  
  receiving an access request including an identity and an entitlement and a request for an approval or denial decision for the access request;
  
  enhancing the received access request with a value for the feature, based on the identity or entitlement of the access request and the identity graph associated with the enterprise;
  
  submitting the enhanced access request to the classifier;
  
  receiving an approval or denial decision for the enhanced access request from the classifier; and
  
  returning the approval or denial decision for the access request to a user of the identity management system, wherein the identity graph associated with the enterprise comprises;
  
  generating a first identity graph from the identity management data by;
  
  creating a node of the first identity graph for each of a set of identities determined from identity management data of the enterprise, the identity management data comprising data on the set of identities and a set of entitlements associated with the set of identities utilized in identity management in the enterprise;
  
  for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity, andgenerating a similarity weight for each edge of the first identity graph between each first node and second node based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer readable medium of claim 15, wherein the feature is one of a set of features, the set of features comprising a primary feature and a composite feature.
  - 17. The non-transitory computer readable medium of claim 16, wherein the feature includes a shortest distance of any path in the identity graph between a node of the identity graph associated with the identity of the access request and a node of the identity graph associated with the entitlement of the access request, or a density of the entitlement of the access request within a peer group of the identity graph associated with the identity of the access request.
  - 18. The non-transitory computer readable medium of claim 16, wherein the instructions further comprise instructions for:
    - receiving a request for an interpretation of the approval or denial decision for the access request;
      
      determining a top set of features that resulted in the approval or denial decision based on the classifier; and
      
      returning the top set of features to the user.
  - 19. The non-transitory computer readable medium of claim 18, wherein determining the top set of features comprise querying the classifier to build a local model for the access request from the classifier and determining the top set of features from the local model.
  - 20. The non-transitory computer readable medium of claim 19, wherein the classifier includes an XGBoost model.
  - 21. The non-transitory computer readable medium of claim 15, wherein the instructions further comprise instructions for determining a user approval or denial decision for the access request, and storing the user approval or denial decision and the access request as part of the historical certification data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SailPoint Technologies, Inc. (SailPoint Technologies Holdings, Inc.)
Original Assignee
SailPoint Technologies, Inc. (SailPoint Technologies Holdings, Inc.)
Inventors
Badawy, Mohamed M., Ho, Jostine Fei, Kabra, Rajat
Primary Examiner(s)
Parsons, Theodore C

Application Number

US16/286,289
Time in Patent Office

308 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/45   Structures or tools for the...

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

G06N 20/00   Machine learning

G06N 3/006   based on simulated virtual ...

G06N 5/025   Extracting rules from data

H04L 41/16   using machine learning or a...

H04L 41/22   comprising specially adapte...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/1408   by monitoring network traff...

System and method for intelligent agents for decision support in network identity graph based identity management artificial intelligence systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for intelligent agents for decision support in network identity graph based identity management artificial intelligence systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links