Method And System For Anomaly Detection In Identification Management By Human Resource (HR) Using Artificial Intelligence (AI)

Abstract: The invention provides an approach for anomaly detection in identification management by human resource (HR) using Artificial Intelligence (AI). The method and system receive, via one or more hardware processors, an identity management architecture specification and identify, via the one or more hardware processors, a plurality of identity management attributes for the identity management architecture specification. Thereafter, the present invention selects measurement criteria based on a target environment for implementing the identity management architecture, calculates an attribute measurement quotient for the plurality of identified identity management attributes using the selected measurement criteria, and generates instructions to improve performance of the identity management architecture in the target environment based on the calculated attribute measurement quotient.

Patent Information

Application #:
Filing Date: 04 January 2023
Publication Number: 02/2023
Publication Type: INA
Invention Field: COMPUTER SCIENCE
Status:
Email: ssapatents@gmail.com
Parent Application:

Applicants

1. DR. PRK RAJU Prof. & Director (Skill Development)
GIET GROUP OF INSTITUTIONS, RAJAHMUNDRY - 533 296 Email. 7799772599
2. DR. M. VIJAY KUMAR (Prof. & HOD)
MANAGEMENT STUDIES, GODAVARI INSTITUTE OF ENGG. & TECHNOLOGY (A), RAJAHMUNDRY - 533 296 Email. 8978474999
3. DR. V. NARASIMHA RAO (Prof. & Head)
DEPT. OF BUSINESS MANAGEMENT, V.R. SIDDHARTHA ENGINEERING COLLEGE, VIJAYAWADA.A.P. Email. 9849358816
4. DR. KATTAMURI SATISH (Associate Professor)
SCHOOL OF MANAGEMENT, CMR UNIVERSITY, BANGALORE. Email. 8639043159
5. DR. P.V.M. RAJU (Assistant Professor)
DEPT. OF BUSINESS MANAGEMENT STUDIES, SESHADRIRAO GUDLAVALLERU ENGG. COLLEGE, GUDLAVALLERU, KRISHNA DIST. A.P-521 356. Email. 9494669470
6. T. SUMALLIKA M. Tech (Ph.D.) Asst. Prof.
DEPT. OF INFORMATION TECHNOLOGY, SESHADRIRAO GUDLAVALLERU ENGG. COLLEGE, GUDLAVALLERU, KRISHNA DIST. A.P-521 356. Email. 9703721095
7. DR. REPAKA HEPSIBA
AQJ CENTRE FOR PG STUDIES GUDILOVA PROFESSOR IN MANAGEMENT DEPARTMENT ANANDAPURAM, VISAKHAPATNAM -531173 Email: Ph. 9393001082

Inventors

1. DR. PRK RAJU Prof. & Director (Skill Development)
GIET GROUP OF INSTITUTIONS, RAJAHMUNDRY - 533 296 Email. 7799772599
2. DR. M. VIJAY KUMAR (Prof. & HOD)
MANAGEMENT STUDIES, GODAVARI INSTITUTE OF ENGG. & TECHNOLOGY (A), RAJAHMUNDRY - 533 296 Email. 8978474999
3. DR. V. NARASIMHA RAO (Prof. & Head)
DEPT. OF BUSINESS MANAGEMENT, V.R. SIDDHARTHA ENGINEERING COLLEGE, VIJAYAWADA.A.P. Email. 9849358816
4. DR. KATTAMURI SATISH (Associate Professor)
SCHOOL OF MANAGEMENT, CMR UNIVERSITY, BANGALORE. Email. 8639043159
5. DR. P.V.M. RAJU (Assistant Professor)
DEPT. OF BUSINESS MANAGEMENT STUDIES, SESHADRIRAO GUDLAVALLERU ENGG. COLLEGE, GUDLAVALLERU, KRISHNA DIST. A.P-521 356. Email. 9494669470
6. T. SUMALLIKA M. Tech (Ph.D.) Asst. Prof.
DEPT. OF INFORMATION TECHNOLOGY, SESHADRIRAO GUDLAVALLERU ENGG. COLLEGE, GUDLAVALLERU, KRISHNA DIST. A.P-521 356. Email. 9703721095
7. DR. REPAKA HEPSIBA
AQJ CENTRE FOR PG STUDIES GUDILOVA PROFESSOR IN MANAGEMENT DEPARTMENT ANANDAPURAM, VISAKHAPATNAM -531173 Email: Ph. 9393001082

Specification

Description: METHOD AND SYSTEM FOR ANOMALY DETECTION IN IDENTIFICATION MANAGEMENT BY HUMAN RESOURCE (HR) USING ARTIFICIAL INTELLIGENCE (AI)

FIELD OF THE INVENTION
The present invention generally relates to anomaly detection by human resource. More specifically, the present invention relates to anomaly detection in identification management by human resource (HR) using Artificial Intelligence (AI).

BACKGROUND OF THE INVENTION

Acts of fraud, data tampering, privacy breaches, theft of intellectual property, and exposure of trade secrets have become front page news in today's business world. The security access risk posed by insiders—persons who are granted access to information assets—is growing in magnitude, with the power to damage brand reputation, lower profits, and erode market capitalization.
Identity Management (IM), also known as Identity and Access Management (IAM) or Identity Governance (IG), is the field of computer security concerned with the enablement and enforcement of policies and measures which allow and ensure that the right individuals access the right resources at the right times and for the right reasons. It addresses the need to ensure appropriate access to resources across increasingly heterogeneous technology environments and to meet increasingly rigorous compliance requirements. Escalating security and privacy concerns are driving governance, access risk management, and compliance to the forefront of identity management. To effectively meet the requirements and desires imposed upon enterprises for identity management, these enterprises may be required to prove that they have strong and consistent controls over who has access to critical applications and data. And, in response to regulatory requirements and the growing security access risk, most enterprises have implemented some form of user access or identity governance.
Yet many companies still struggle with how to focus compliance efforts to address actual risk in what usually is a complex, distributed networked computing environment. Decisions about which access entitlements are desirable to grant a particular user are typically based on the roles that the user plays within the organization. In large organizations, granting and maintaining user access entitlements is a difficult and complex process, involving decisions regarding whether to grant entitlements to thousands of users and hundreds of different applications and databases. This complexity can be exacerbated by high employee turnover, reorganizations, and reconfigurations of the various accessible systems and resources.
Organizations that are unable to focus their identity compliance efforts on areas of greatest access risk can waste time, labor, and other resources applying compliance monitoring and controls across the board to all users and all applications. Furthermore, with no means to establish a baseline measurement of identity compliance, organizations have no way to quantify improvements over time and demonstrate that their identity controls are working and effectively reducing access risk.
Information Technology (IT) personnel of large organizations often feel that their greatest security risks stem from “insider threats,” as opposed to external attacks. The access risks posed by insiders range from careless negligence to more serious cases of financial fraud, corporate espionage, or malicious sabotage of systems and data. Organizations that fail to proactively manage user access can face regulatory fines, litigation penalties, public relations fees, loss of customer trust, and ultimately lost revenue and lower stock valuation. To minimize the security risk posed by insiders (and outsiders), business entities and institutions alike often establish access or other governance policies that eliminate or at least reduce such access risks and implement proactive oversight and management of user access entitlements to ensure compliance with defined policies and other good practices.
To assist in mitigating these risks, therefore, it is of utmost importance to effectively analyze access or entitlement data in the enterprise environment to determine or assess the efficacy or enforcement of such governance policies and to identify potential risks. Consequently, what is desired are improved ways to quantitatively or qualitatively analyze access data in a distributed networked computing environment and to utilize the results of such analysis to improve identity governance in that environment.

BRIEF DESCRIPTION OF THE FIGURES
FIG. 1 is a block diagram of an identity performance manager system using Artificial Intelligence (AI) in accordance with an embodiment of the present invention.
FIG. 2 is a diagram illustrating an identity performance manager process using AI in accordance with an embodiment of the present invention.
FIG. 3 illustrates an exemplary identity management architecture in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Accordingly, to ameliorate these issues, among other ends, embodiments of the identity management systems disclosed herein may utilize a network graph approach to peer grouping of identities of a distributed networked enterprise computing environment. Specifically, in certain embodiments, data on the identities and the respective entitlements or other artifacts assigned to, or associated with, each identity as utilized in an enterprise computer environment may be obtained by an identity management system. Using the identity and entitlement data, then, a property graph may be constructed, where the nodes of the graph correspond to, and represent, each of the identities or other artifacts. Each edge (or relationship) of the graph may join two nodes of the graph and be associated with a similarity weight representing a degree of similarity between the identities (or other artifacts) of the respective nodes. The property graph may then be pruned to remove weak edges (e.g., those edges whose similarity weight may fall below a pruning threshold). The pruned graph can then be clustered into peer groups of identities or other artifacts (e.g., using a graph based community detection algorithm). These peer groups (e.g., of identities, entitlements, roles, etc.) can then be stored (e.g., separately or in the property graph) and used by the identity management system. For example, a visual representation of the graph may be presented to a user of the identity management system to assist in compliance or certification assessments or evaluation of the identities and entitlements as currently used by the enterprise.
In certain embodiments, the clustering of identities or other artifacts (e.g., such as entitlements or roles) may be optimized based on a peer group assessment metric, such as, for example, graph modularity determined based on the identity graph or the determined peer groups. For instance, in one embodiment if a peer group assessment metric is below (or above) a quality threshold a feedback loop may be instituted whereby the pruning threshold is adjusted by some amount (up or down) and the originally determined identity graph is pruned based on the adjusted pruning threshold (or the previously pruned identity graph may be further pruned). This newly pruned identity graph can then be clustered into new peer groups of identities and a peer group assessment metric determined based on the newly pruned identity graph or the newly determined peer groups. If this new peer assessment metric is now above (or below) the quality threshold the feedback loop may stop and these peer groups of identities can then be stored (e.g., separately or in the identity graph) and used by the identity management system.
Otherwise, the feedback loop may continue by again adjusting the pruning threshold further (e.g., further up or further down relative to the previous iteration of the feedback loop), re-pruning the property graph based on the adjusted pruning threshold, clustering this newly pruned graph, determining another peer group assessment metric and comparing this metric to the quality threshold. In this manner, the feedback loop of adjustment of the pruning threshold, re-pruning the graph, re-clustering the identity graph into peer groups may be repeated until the peer group assessment metric reaches a desired threshold. Moreover, by tailoring the peer group assessment metric and quality threshold to include or reflect domain or enterprise specific criteria, the clustering results (e.g., the peer groups resulting from the clustering) may more accurately reflect particular requirements or the needs of a particular enterprise or be better tailored to a particular use.
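The peer-grouping loop described in the three paragraphs above, as an added sketch that is not code from the patent application. Its assumptions: Jaccard similarity of entitlement sets as the edge weight, connected components standing in for the community detection algorithm, modularity measured against the unpruned graph, and a pruning threshold that is only ever raised; all identity and entitlement names are constructed.

```python
from itertools import combinations

# Constructed sample data (not from the patent): identity -> entitlements.
ENTITLEMENTS = {
    "alice":   {"git", "jira", "ci"},
    "bob":     {"git", "jira", "ci"},
    "carol":   {"git", "jira", "wiki"},
    "dave":    {"ledger", "payroll", "erp"},
    "erin":    {"ledger", "payroll", "erp"},
    "frank":   {"ledger", "payroll", "jira"},
    "mallory": {"git", "ci", "ledger", "payroll"},  # straddles both teams
}


def jaccard(a, b):
    """Similarity weight: shared entitlements over all entitlements."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def build_graph(entitlements):
    """Weighted identity graph as {(u, v): weight} for overlapping pairs."""
    edges = {}
    for u, v in combinations(sorted(entitlements), 2):
        w = jaccard(entitlements[u], entitlements[v])
        if w > 0:
            edges[(u, v)] = w
    return edges


def prune(edges, threshold):
    """Drop weak edges whose similarity falls below the pruning threshold."""
    return {e: w for e, w in edges.items() if w >= threshold}


def cluster(nodes, edges):
    """Peer groups as connected components of the pruned graph (union-find)."""
    parent = {n: n for n in nodes}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for u, v in edges:
        parent[find(u)] = find(v)
    groups = {}
    for n in nodes:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


def modularity(edges, groups):
    """Weighted modularity of a partition: sum of in/m - (deg/2m)^2."""
    m = sum(edges.values())
    if m == 0:
        return 0.0
    group_of = {n: i for i, g in enumerate(groups) for n in g}
    inside = [0.0] * len(groups)
    degree = [0.0] * len(groups)
    for (u, v), w in edges.items():
        degree[group_of[u]] += w
        degree[group_of[v]] += w
        if group_of[u] == group_of[v]:
            inside[group_of[u]] += w
    return sum(i / m - (d / (2 * m)) ** 2 for i, d in zip(inside, degree))


def peer_groups(entitlements, start=0.15, step=0.10, quality=0.20):
    """Feedback loop: raise the pruning threshold until modularity >= quality.

    Returns (groups, threshold, modularity); if the quality threshold is
    never reached, returns the best partition seen.
    """
    full = build_graph(entitlements)
    nodes = sorted(entitlements)
    best = None
    i = 0
    while True:
        threshold = round(start + i * step, 6)  # avoid float drift
        if threshold > 1.0:
            return best
        groups = cluster(nodes, prune(full, threshold))
        q = modularity(full, groups)  # scored against the unpruned graph
        if best is None or q > best[2]:
            best = (groups, threshold, q)
        if q >= quality:
            return best
        i += 1


if __name__ == "__main__":
    groups, threshold, q = peer_groups(ENTITLEMENTS)
    print(f"threshold={threshold} modularity={q:.3f}")
    for g in groups:
        print(g)
```

On this data the loop stops once the weak cross-team edges are pruned; the identity whose entitlements span both teams ends up in a group of its own, which is the kind of result a certification reviewer would look at first.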
The invention and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. Descriptions of well-known starting materials, processing techniques, components and equipment are omitted so as not to unnecessarily obscure the invention in detail. It should be understood, however, that the detailed description and the specific examples, while indicating some embodiments of the invention, are given by way of illustration only and not by way of limitation. Various substitutions, modifications, additions and/or rearrangements within the spirit and/or scope of the underlying inventive concept will become apparent to those skilled in the art from this disclosure.
Before delving into more detail regarding the specific embodiments disclosed herein, some context may be helpful. In response to regulatory requirements and security access risks and concerns, most enterprises have implemented some form of computer security or access controls. To assist in implementing security measures and access controls in an enterprise environment, many of these enterprises have implemented Identity Management in association with their distributed networked computer environments. Identity Management solutions allow the definition of a function or an entity associated with an enterprise. An identity may thus represent almost any physical or virtual entity, place, person or other item that an enterprise would like to define. Identities can therefore represent, for example, functions or capacities (e.g., manager, engineer, team leader, etc.), title (e.g., Chief Technology Officer), groups (development, testing, accounting, etc.), processes (e.g., nightly back-up process), physical locations (e.g., cafeteria, conference room), individual users or humans (e.g., John Locke) or almost any other physical or virtual entity, place, person or other item. Each of these identities may therefore be assigned zero or more entitlements with respect to the distributed networked computer environments. An entitlement may be the ability to perform or access a function within the distributed networked computer environments, including, for example, accessing computing systems, applications, file systems, particular data or data items, networks, subnetworks or network locations, etc.
To facilitate the assignment of these entitlements, enterprises may also be provided with the ability to define roles within the context of their Identity Management solution. A role within the context of Identity Management may be a collection of entitlements. These roles may be assigned a name or identifiers (e.g., manager, engineer, team leader) by an enterprise that designate the type of user or identity that should be assigned such a role. By assigning a role to an identity in the Identity Management context, the identity may be assigned the corresponding collection of entitlements associated with the assigned role. Accordingly, by defining these roles enterprises may define a “gold standard” of what they desire their identity governance to look like.
Thus, by managing the identity or identities to which users within the enterprise computing environment are assigned, the entitlements which a user may be assigned (e.g., the functions or access which a user may be allowed) may be controlled. However, escalating security and privacy concerns are driving governance, access risk management, and compliance to the forefront of Identity Management. Yet many companies still struggle with how to focus compliance efforts to address actual risk in what usually is a complex, distributed networked computing environment. Decisions about which access entitlements are desirable to grant a particular user are typically based on the roles that the user plays within the organization. In large organizations, granting and maintaining user access entitlements is a difficult and complex process, involving decisions regarding whether to grant entitlements to thousands of users and hundreds of different applications and databases. This complexity can be exacerbated by high employee turnover, reorganizations, and reconfigurations of the various accessible systems and resources.
FIG. 1 is a functional block diagram of an exemplary identity performance manager (IPM) system 100 according to some embodiments of the present disclosure. IPM system is illustrated as a series of functional blocks. These blocks may represent hardware structures, software components, or various combinations of hardware and software. For example, the functional blocks may represent application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), processors running software programs, and/or software routines. The functional blocks may be rearranged or combined so long as they provide the disclosed functionality consistent with this disclosure.
System 100 may include IPM 110 to measure the quality of services provided by an IDM product. For example, IPM 110 may monitor, record, and track individualized data for each distinct service provided by an IDM product. IPM 110 may track affected dependencies within and between IDM products. For example, IPM 110 may determine and record the path of actions between services that may be affected by a particular change. By clearly distinguishing affected services and functions, IPM 110 may also minimize the man hours and material cost required by a product change. IPM 110 may measure the quality of each resource by capturing the behavior of the data in a current environment. IPM 110 may compare the results after a change with the best performance results that were achieved prior to implementing any changes. IPM 110 may set baseline expectations based on the best practices of the IDM product or expected process goals.
IPM 110 may have an architecture that operates using Available Environment Workload Traffic (AEWT) principles. In an embodiment, IPM 110 may use real-time system status data to provide performance predictions reflective of current conditions. For example, all measurements used by system 100 may depend on actual resource availability at a particular instant.
System 100 may allow IPM 110 to connect to resources 160 and identity access manager (IDAM) system 170. In an embodiment, IPM 110 may determine real-time system data by connecting to resources 160 and IDAM system 170. IDAM system 170 may be a single system or multiple systems. In an embodiment, IDAM system 170 may be an IDM product deployed in a customer environment. For example, IDAM system 170 may include identity manager, access manager, and access governance products, such as Ping, SUN (now Oracle), IBM TIM, CA, Novell, and Hitachi. Resources 160 may be internal and/or external applications that are integrated with IDAM system 170. In an embodiment, resources 160 may be third party systems used by an organization. For example, resources 160 may include databases, directories, servers, thick and thin applications, and/or repositories. Resources 160 may be implemented on hardware servers or virtualized environments.
System 100 may include identity management attribute (IMA) interface 150. IPM 110 may utilize IMA interface 150 to communicate with IDAM system 170 and resources 160. In an embodiment, a set of pre-defined interfaces and methods are used to create a communication link between IPM 110 with IDAM system 170 and resources 160. IDAM system 170 may invoke predefined methods to establish the connection and execute data transfer.
IPM 110 may include IMA importer 140. In an embodiment, IMA importer 140 may receive data from IDAM system 170 and resources 160. IMA importer 140 may collect data to measure the performance of IDM deployments, such as in IDAM system 170. IMA importer 140 may contain information about the components inside IDAM system 170. The component information may describe the services inside each component in the form of parameters, attributes, and custom or user-defined data.
IMA importer 140 may import and store server parameters 141. For example, server parameters 141 may include real-time server data, such as server connection status information. IMA importer 140 may import and store resource parameters 143 of resources 160. For example, resource parameters 143 may include real-time processing availability, such as available memory storage, current processing bandwidth, and any queued processes. IMA importer 140 may import and store IDM attributes 145. For example, IMA importer 140 may create a data store to indicate the enabled and/or required components data 147. Example IDM components may include an identity manager, access manager, policy manager, directory servers, data stores, switches, routers, and/or network components. Each IDM component may provide an IDM service. IMA importer 140 may store services data 148 to record data related to IDM services of the IDM components. Services may include, for example, user identity creation, revoking a user identity, adding roles to a role identity, and managing privileges. IDM services may utilize specific attributes and/or custom parameters. IMA importer 140 may process and store IDM attributes 145 and custom parameters 149. For example, IMA importer 140 may log the data used by various services. Exemplary IDM attributes 145 may include a user identifier, a privilege code, a role, and/or a screenname.
IMA importer 140 may import the data to IMA engine 130 to process the consolidated data. In an embodiment, IMA engine 130 may perform core processing functions for IPM 110.
IMA importer may include IMA processor 136. In an embodiment, IMA processor 136 may process and cleanse the raw data from IMA importer 140. For example, IMA processor 136 may store the cleansed data in an organized group based on the segregation of identities based on a corresponding IMA Architecture and UPEARL mode. The UPEARL may provide a framework for organizing the mode of operation of the identities in an organization. For example, UPEARL may facilitate the segregation of modes based on the following types:
U—User Identity.
P—Physical & Privilege Identity.
E—Environment & Event Identity.
A—Access Identity.
R—Resource & Role Identity.
L—Logical Identity.
IMA engine 130 may utilize a Deliver & Retain Identity Quality (DRIQ) model to measure the quality and behavior of the product. In an embodiment, IMA engine 130 may include DRIQ processor 131 to implement a model to measure the quality of service provided by the product. For example, DRIQ processor 131 may measure the ratio of success to failure. DRIQ processor 131 may store the optimal proportion of resources to provide uninterrupted services.
In an embodiment, DRIQ processor 131 may perform metrics calculations for individual attributes or for the entire system. For example, DRIQ processor 131 may measure both SIQAM (Single Identity Quotient Attribute Measurement) and MIQAM (Multiple Identity Quotient Attribute Measurement) from the data received from IMA processor 136. In an embodiment, DRIQ processor 131 may include dedicated processors to provide analysis under separate schemes of the DRIQ model. DRIQ processor 131 may include SIQAM 132 and MIQAM 133 to perform the respective calculations.
IMA engine 130 may classify the results provided by DRIQ processor 131. In an embodiment, IMA engine 130 may include QM composer 135 to identify a particular quotient mode for the results. QM composer 135 may receive SIQAM and MIQAM data and classify system performance based on the ratios of various results. For example, QM composer 135 may perform calculations for a high quotient mode (HQM), interim quotient mode (IQM), and poor quotient mode (PQM). HQM may provide a short execution time with expected results. IQM may provide expected results with standard execution time. PQM may provide unexpected results with excessive execution time. For example, PQM may indicate that the service or component failed to provide correct results regardless of how long a run time is used. Such a designation may indicate the use of incorrect logic in the IDM system.
IMA engine 130 may store pre-defined attribute data and identity attribute data. In an embodiment, IMA engine 130 may include specific storage for data using pre-defined attribute table (PAT) 138 and identity attribute table (IAT) 139.
In an embodiment, PAT 138 may store pre-defined attribute data used to measure and maintain the identity attributes. For example, PAT 138 may store mandatory IDM attributes and user-defined IDM attributes. IMA engine 130 may use the attributes to calculate the actual and potential performance of the system.
In an embodiment, IAT 139 may store the real time performance of identity attributes. For example, IAT 139 may record alphanumeric values.
IPM 110 may include IMA exporter 120 to hold processed data. In an embodiment, IMA exporter 120 may store alphanumeric values, reports, and graphs. It contains both Before Execution Result (BER) and After Execution Result (AER) data. The BER and AER data may be used by IPM 110 to determine the optimized performance configuration and update IAT 139 to identify the best fit.
IMA exporter 120 may include separate processors to present data for different modes. In an embodiment, IMA exporter 120 may include HQM 122, IQM 124, and PQM 126. These distinct components may provide data to generate a report recording the changes to optimize performance of an IDM system. In an embodiment, IMA exporter 120 may include report generator 128 to receive data from HQM 122, IQM 124, and/or PQM 126. Report generator 128 may format received data and provide output indicating the various quotients and resulting modes.
FIG. 2 is a flow diagram illustrating an exemplary identity performance manager process 200 in accordance with some embodiments of the present disclosure. Process 200 may be implemented using some or all of system 100. The steps of process 200 may be performed out of order commensurate with the objects of this disclosure.
Process 200 may begin with step 205, where IPM 110 identifies the IMA components and services of a target system. In an embodiment, IPM 110 may identify the IMA components and services by analyzing the IDM architecture. IPM 110 may first analyze the IDM architecture that is implemented in IDAM system 170. IPM 110 may identify the components that are used by the IDM product to perform the IDM operations. Next, IPM 110 may identify the services that are provided by each component. Based on the provided services, system 100 may identify all the attributes that are utilized in the services.
In an embodiment, IPM 110 may analyze the current IDM architecture of IDAM system 170. For example, IPM 110 may connect with IDAM system 170 and resources 160 through IMA interface 150. IPM 110 may analyze the entire IDM architecture of IDAM system 170, including resources 160.
FIG. 3 illustrates an exemplary identity management architecture 300 according to some embodiments of the present disclosure. In an embodiment, IPM 110 may analyze architecture 300 (step 205). IPM 110 may connect to application server 310. For example, IPM 110 may analyze IDM system 312 of application server 310. In an embodiment, IPM 110 may determine which components IDM system 312 interacts with. By crawling the connections of application server 310, IPM 110 may determine that IDM system 312 interacts with human resource management system (HRMS) 380, directories 370, policy store 360, external data store 350, web application 340, thick client 330, and servers 320. IPM 110 may map and store architecture 300.
Returning to FIG. 2, in certain embodiments, IPM 110 may identify the components in step 205. Based on the IDM architecture analysis performed by IMA importer 140, IPM 110 may identify the components that are involved in IDM architecture 300. As each component in the IDM system performs some operation on the resource side, IPM 110 may record the types of identities from each component in architecture 300.
In an embodiment, IMA importer 140 may use the UPEARL model to segregate the identities from IDAM system 170 and resources 160. The UPEARL model may allow IMA importer 140 to separate the organization identities into a list of identities.
Embodiments discussed herein can be implemented in a set of distributed computers communicatively coupled to a network (for example, the Internet). Any suitable programming language can be used to implement the routines, methods or programs of embodiments of the invention described herein, including R, Python, C, C++, Java, JavaScript, HTML, or any other programming or scripting code, etc. Other software/hardware/network architectures may be used. Communications between computers implementing embodiments can be accomplished using any electronic, optical, radio frequency signals, or other suitable methods and tools of communication in compliance with known network protocols.
Although the steps, operations, or computations may be presented in a specific order, this order may be changed in different embodiments. In some embodiments, to the extent multiple steps are shown as sequential in this specification, some combination of such steps in alternative embodiments may be performed at the same time. The sequence of operations described herein can be interrupted, suspended, or otherwise controlled by another process, such as an operating system, kernel, etc. The routines can operate in an operating system environment or as stand-alone routines. Functions, routines, methods, steps and operations described herein can be performed in hardware, software, firmware or any combination thereof.
Embodiments described herein can be implemented in the form of control logic in software or hardware or a combination of both. The control logic may be stored in an information storage medium, such as a computer-readable medium, as a plurality of instructions adapted to direct an information processing device to perform a set of steps disclosed in the various embodiments. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will appreciate other ways and/or methods to implement the invention.
A “computer-readable medium” may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, system or device. The computer readable medium can be, by way of example only but not by limitation, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, system, device, propagation medium, or computer memory. Such computer-readable medium shall generally be machine readable and include software programming or code that can be human readable (e.g., source code) or machine readable (e.g., object code). Examples of non-transitory computer-readable media can include random access memories, read-only memories, hard drives, data cartridges, magnetic tapes, floppy diskettes, flash memory drives, optical data storage devices, compact-disc read-only memories, and other appropriate computer memories and data storage devices.
As used herein, the terms “comprises,” “comprising,” “includes,” “including,” “has,” “having,” or any other variation thereof, are intended to cover a non-exclusive inclusion. For example, a process, product, article, or apparatus that comprises a list of elements is not necessarily limited to only those elements but may include other elements not expressly listed or inherent to such process, product, article, or apparatus.
Furthermore, the term “or” as used herein is generally intended to mean “and/or” unless otherwise indicated. For example, a condition A or B is satisfied by any one of the following: A is true (or present) and B is false (or not present), A is false (or not present) and B is true (or present), and both A and B are true (or present). As used herein, a term preceded by “a” or “an” (and “the” when antecedent basis is “a” or “an”) includes both singular and plural of such term (i.e., that the reference “a” or “an” clearly indicates only the singular or only the plural). Also, as used in the description herein and throughout, the meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise.
Claims:
I/WE CLAIM:
1. A method for anomaly detection in identification management by human resource (HR) using Artificial Intelligence (AI), the method comprising:
receiving, via one or more hardware processors, an identity management architecture specification;
identifying, via the one or more hardware processors, a plurality of identity management attributes for the identity management architecture specification;
selecting, via the one or more hardware processors, measurement criteria based on a target environment for implementing the identity management architecture;
calculating, via the one or more hardware processors, an attribute measurement quotient for the plurality of identified identity management attributes using the selected measurement criteria; and
generating, via the one or more hardware processors, instructions to improve performance of the identity management architecture in the target environment based on the calculated attribute measurement quotient.

2. The method for anomaly detection in identification management by human resource (HR) using Artificial Intelligence (AI), as claimed in Claim 1, wherein determining, via the one or more hardware processors, that the target environment is a standalone environment and that a first resource threshold of the identity management architecture specification is met.

3. The method for anomaly detection in identification management by human resource (HR) using Artificial Intelligence (AI), as claimed in Claim 1, wherein calculating, via the one or more hardware processors, for each of the plurality of identified identity management attributes a single measurement that is a ratio of expected performance to actual performance.

4. The method for anomaly detection in identification management by human resource (HR) using Artificial Intelligence (AI), as claimed in Claim 1, wherein determining, via the one or more hardware processors, that the target environment is a cluster environment, that a second resource threshold of the identity management architecture specification is met, and the identity management architecture operates in active-active and active-passive mode.

5. The method for anomaly detection in identification management by human resource (HR) using Artificial Intelligence (AI), as claimed in Claim 1, wherein calculating, via the one or more hardware processors, a single measurement that is a ratio of the sum of expected performance for the plurality of identified identity management attributes to a sum of actual performance for the plurality of identified identity management attributes.

Documents

Application Documents

# Name Date
1 202341000564-COMPLETE SPECIFICATION [04-01-2023(online)].pdf 2023-01-04
2 202341000564-DRAWINGS [04-01-2023(online)].pdf 2023-01-04
3 202341000564-FORM 1 [04-01-2023(online)].pdf 2023-01-04
4 202341000564-FORM-9 [04-01-2023(online)].pdf 2023-01-04
5 202341000564-POWER OF AUTHORITY [04-01-2023(online)].pdf 2023-01-04
6 202341000564-REQUEST FOR EARLY PUBLICATION(FORM-9) [04-01-2023(online)].pdf 2023-01-04