System and method for outlier and anomaly detection in identity management artificial intelligence systems using cluster based analysis of network identity graphs

US 10,681,056 B1
Filed: 11/22/2019
Issued: 06/09/2020
Est. Priority Date: 11/27/2018
Status: Active Grant

First Claim

Patent Images

1. An identity management system of using property graphs for risk detection, comprising:

a memory;

a hardware processor;

a non-transitory, computer-readable storage medium including computer instructions executable by the hardware processor for;

obtaining first identity management data, at a first time, which is obtained from one or more identity management systems in a distributed enterprise computing environment;

evaluating the obtained first identity management data to determine a first set of identities and a first set of entitlements associated with the first set of identities, wherein the first set of identities and the associated first set of entitlements utilized in identity management of the distributed enterprise computing environment;

generating a first property graph from the first identity management data by;

creating a node of the first property graph for each of the determined first set of identities,for each first identity and second identity, from the determined first set of identities, that share at least one entitlement of the determined first set of entitlements, creating an edge of the first property graph between a first node and a second node representing respectively the first identity and the second identity of the first property graph, andgenerating a similarity weight for each of the created edges of the first property graph based on the at least one shared entitlement between the first identity and the second identity;

pruning a set of edges of the first property graph based on the set of similarity weights of the set of edges to generate a second property graph;

storing the second property graph in a data store;

analyzing the second property graph to identify an outlier node of the graph; and

identifying an identity management artifact associated with the outlier node as a high risk identity management artifact.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for artificial intelligence systems for identity management systems are disclosed. Embodiments may perform outlier detection and risk assessment based on identity management data, including one or more property graphs or peer groups determined from those property graphs, to determine identity management artifacts with ‘abnormal’ patterns when compared to other related identity management artifacts.

Citations

24 Claims

1. An identity management system of using property graphs for risk detection, comprising:
- a memory;
  
  a hardware processor;
  
  a non-transitory, computer-readable storage medium including computer instructions executable by the hardware processor for;
  
  obtaining first identity management data, at a first time, which is obtained from one or more identity management systems in a distributed enterprise computing environment;
  
  evaluating the obtained first identity management data to determine a first set of identities and a first set of entitlements associated with the first set of identities, wherein the first set of identities and the associated first set of entitlements utilized in identity management of the distributed enterprise computing environment;
  
  generating a first property graph from the first identity management data by;
  
  creating a node of the first property graph for each of the determined first set of identities,for each first identity and second identity, from the determined first set of identities, that share at least one entitlement of the determined first set of entitlements, creating an edge of the first property graph between a first node and a second node representing respectively the first identity and the second identity of the first property graph, andgenerating a similarity weight for each of the created edges of the first property graph based on the at least one shared entitlement between the first identity and the second identity;
  
  pruning a set of edges of the first property graph based on the set of similarity weights of the set of edges to generate a second property graph;
  
  storing the second property graph in a data store;
  
  analyzing the second property graph to identify an outlier node of the graph; and
  
  identifying an identity management artifact associated with the outlier node as a high risk identity management artifact.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the instructions are further for:
    - obtaining second identity management data obtained from the one or more identity management systems in the distributed enterprise computing environment at a second time;
      
      evaluating the second identity management data to determine a second set of identities and a second set of entitlements associated with the second set of identities, the second set of identities and the second set of entitlements utilized in identity management of the distributed enterprise computing environment; and
      
      generating a third property graph based on the second set of identities, wherein the identity management artifact associated with the outlier node is identified by comparing a first node in the first property graph associated with the identity management artifact with a second node in the second property graph associated with the identity management artifact.
  - 3. The system of claim 1, wherein analyzing the second property graph to identify an outlier node of the graph comprises determining a centrality measure for the outlier node, wherein the centrality measure is over a threshold.
  - 4. The system of claim 1, wherein the centrality measure is one or more of a betweenness centrality measure or a degree centrality measure.
  - 5. The system of claim 1, wherein the identity management artifact is an identity with a number of associated entitlements over an upper entitlement threshold or the number of associated entitlements below a lower entitlement threshold.
  - 6. The system of claim 1, wherein the outlier node is a singleton node where any weights for any edges associated with the outlier node fall below a pruning threshold used to prune the set of edges of the first property graph to generate a second property graph.
  - 7. The system of claim 1, wherein the identity management artifact associated with the outlier node is an identity without an assigned role.
  - 8. The system of claim 1, wherein the instructions are for:
    - presenting the identity management artifact associated with the outlier node to the user as the high risk identity management artifact in association with a risk amelioration recommendation.

9. A method of using property graphs for risk detection, comprising:
- obtaining first identity management data, at a first time, which is obtained from one or more identity management systems in a distributed enterprise computing environment;
  
  evaluating the obtained first identity management data to determine a first set of identities and a first set of entitlements associated with the first set of identities, wherein the first set of identities and the associated first set of entitlements utilized in identity management of the distributed enterprise computing environment;
  
  generating a first property graph from the first identity management data by;
  
  creating a node of the first property graph for each of the determined first set of identities,for each first identity and second identity, from the determined first set of identities, that share at least one entitlement of the determined first set of entitlements, creating an edge of the first property graph between a first node and a second node representing respectively the first identity and the second identity of the first property graph, andgenerating a similarity weight for each of the created edges of the first property graph based on the at least one shared entitlement between the first identity and the second identity;
  
  pruning a set of edges of the first property graph based on the set of similarity weights of the set of edges to generate a second property graph;
  
  storing the second property graph in a data store;
  
  analyzing the second property graph to identify an outlier node of the graph; and
  
  identifying an identity management artifact associated with the outlier node as a high risk identity management artifact.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, further comprising:
    - obtaining second identity management data obtained from the one or more identity management systems in the distributed enterprise computing environment at a second time;
      
      evaluating the second identity management data to determine a second set of identities and a second set of entitlements associated with the second set of identities, the second set of identities and the second set of entitlements utilized in identity management of the distributed enterprise computing environment; and
      
      generating a third property graph based on the second set of identities, wherein the identity management artifact associated with the outlier node is identified by comparing a first node in the first property graph associated with the identity management artifact with a second node in the second property graph associated with the identity management artifact.
  - 11. The method of claim 9, wherein analyzing the second property graph to identify an outlier node of the graph comprises determining a centrality measure for the outlier node, wherein the centrality measure is over a threshold.
  - 12. The method of claim 9, wherein the centrality measure is one or more of a betweenness centrality measure or a degree centrality measure.
  - 13. The method of claim 9, wherein the identity management artifact is an identity with a number of associated entitlements over an upper entitlement threshold or the number of associated entitlements below a lower entitlement threshold.
  - 14. The method of claim 9, wherein the outlier node is a singleton node where any weights for any edges associated with the outlier node fall below a pruning threshold used to prune the set of edges of the first property graph to generate a second property graph.
  - 15. The method of claim 9, wherein the identity management artifact associated with the outlier node is an identity without an assigned role.
  - 16. The method of claim 9, further comprising:
    - presenting the identity management artifact associated with the outlier node to the user as the high risk identity management artifact in association with a risk amelioration recommendation.

17. A non-transitory computer readable storage medium of using property graphs for risk detection, comprising instructions executable by the hardware processor for:
- obtaining first identity management data, at a first time, which is obtained from one or more identity management systems in a distributed enterprise computing environment;
  
  evaluating the obtained first identity management data to determine a first set of identities and a first set of entitlements associated with the first set of identities, wherein the first set of identities and the associated first set of entitlements utilized in identity management of the distributed enterprise computing environment;
  
  generating a first property graph from the first identity management data by;
  
  creating a node of the first property graph for each of the determined first set of identities,for each first identity and second identity, from the determined first set of identities, that share at least one entitlement of the determined first set of entitlements, creating an edge of the first property graph between a first node and a second node representing respectively the first identity and the second identity of the first property graph, andgenerating a similarity weight for each of the created edges of the first property graph based on the at least one shared entitlement between the first identity and the second identity;
  
  pruning a set of edges of the first property graph based on the set of similarity weights of the set of edges to generate a second property graph;
  
  storing the second property graph in a data store;
  
  analyzing the second property graph to identify an outlier node of the graph; and
  
  identifying an identity management artifact associated with the outlier node as a high risk identity management artifact.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory computer readable medium of claim 17, further comprising instructions for:
    - obtaining second identity management data obtained from the one or more identity management systems in the distributed enterprise computing environment at a second time;
      
      evaluating the second identity management data to determine a second set of identities and a second set of entitlements associated with the second set of identities, the second set of identities and the second set of entitlements utilized in identity management of the distributed enterprise computing environment; and
      
      generating a third property graph based on the second set of identities, wherein the identity management artifact associated with the outlier node is identified by comparing a first node in the first property graph associated with the identity management artifact with a second node in the second property graph associated with the identity management artifact.
  - 19. The non-transitory computer readable medium of claim 17, wherein analyzing the second property graph to identify an outlier node of the graph comprises determining a centrality measure for the outlier node, wherein the centrality measure is over a threshold.
  - 20. The non-transitory computer readable medium of claim 17, wherein the centrality measure is one or more of a betweenness centrality measure or a degree centrality measure.
  - 21. The non-transitory computer readable medium of claim 17, wherein the identity management artifact is an identity with a number of associated entitlements over an upper entitlement threshold or the number of associated entitlements below a lower entitlement threshold.
  - 22. The non-transitory computer readable medium of claim 17, wherein the outlier node is a singleton node where any weights for any edges associated with the outlier node fall below a pruning threshold used to prune the set of edges of the first property graph to generate a second property graph.
  - 23. The non-transitory computer readable medium of claim 17, wherein the identity management artifact associated with the outlier node is an identity without an assigned role.
  - 24. The non-transitory computer readable medium of claim 17, further comprising instructions for:
    - presenting the identity management artifact associated with the outlier node to the user as the high risk identity management artifact in association with a risk amelioration recommendation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SailPoint Technologies, Inc. (SailPoint Technologies Holdings, Inc.)
Original Assignee
SailPoint Technologies, Inc. (SailPoint Technologies Holdings, Inc.)
Inventors
Badawy, Mohamed M., Ho, Jostine Fei
Primary Examiner(s)
Chai, Longbit

Application Number

US16/691,998
Publication Number

US 20200169565A1
Time in Patent Office

200 Days
Field of Search

726 2- 8
US Class Current
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 21/316   by observing the pattern of...

G06F 21/45   Structures or tools for the...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06Q 10/00   Administration; Management

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for outlier and anomaly detection in identity management artificial intelligence systems using cluster based analysis of network identity graphs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for outlier and anomaly detection in identity management artificial intelligence systems using cluster based analysis of network identity graphs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links