DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is responsive to communication received on 03/16/2026.Claima 1-4,6-11,14-18 and 20-24 are pending of which claims 1, 4, 6-8, 11, 13-15, 18, 20, 21 are amended claims 22-24 new.
The Examiner recommends filing a written authorization for Internet communication in response to the present action. Doing so permits the USPTO to communicate with Applicant using Internet email to schedule interviews or discuss other aspects of the application. Without a written authorization in place, the USPTO cannot respond to Internet correspondence received from Applicant. The preferred method of providing authorization is by filing form PTO/SB/439, available at: https://www.uspto.gov/patent/forms/forms. See MPEP § 502.03 for other methods of providing written authorization.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-4,6-11,14-18 and 20-24 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 10, 862,928, view of Badawy US 2020/0274880. The instant application 18/456,560 independent claims recite obtaining identity data to include identity, role, entitlement and performing a evaluation of identity data to identify unique and common access items. US 10,862,928 teaches the same system performing the obtaining of identity data and performing an evaluation. US 10.862,928 is different in it does not teach determination of a common and/or unique item. Anderson in the same field of endeavor teaches determining of common or unique/outlier permissions. It would have been obvious to a person of ordinary skill in the art at the time of the invention to modify the 18,456,560 with determination common and unique permissions as taught by Anderson. The reason for such a modification would be to detect anomalies, over or under provisioning of access rights where appropriate action can be taken in response.
18/456,560
US 10,862,928
1. An identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium including computer instructions for: obtaining identity management data from one or more source systems in an enterprise computing environment, the identity management data comprising data on a set of identity management access items associated with the enterprise computing environment, the identity management access items comprising a set of identities, a set of entitlements associated with the set of identities, or a set of roles associated with the set of entitlements, wherein the set of identities, set of entitlements or set of roles are utilized in identity management for the enterprise computing environment;
clusterinq job titles associated with the set of identities to determine a plurality of job title clusters;
training a machine learning model to generate a predictive score for each of the identity management access items in the set of identity management access items, wherein the machine learning model is trained based on a popularity of respective entitlements for respective job title clusters;
and determining a common or unique access item based on the generated predictive scores by comparing the predictive scores to a threshold.
querying an interpreter with the determined common or unique access item to build a localized model for the determined common or unique access item; and determining a top set of influential features for the determined common or unique access item based on coefficients of the localized model
1. An identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium, including computer instructions, when executed by the processor, cause the system to perform the steps of: obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment, the identity management data comprising data on a set of roles, a set of entitlements, and a set of identities, wherein the set of roles, set of entitlements and set of identities are utilized in identity management in the distributed enterprise computing environment;
Badawy ¶55
Badawy ¶s166 176
Badawy ¶134(outliers) ¶165(threshold)
Badawy ¶s182-184
Claims 1-4,6-11,14-18 and 20-24 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims of 1-24 U.S. Patent No. 10,681,056 view of Badawy US 2020/0274880. The instant application 18/456,560 independent claims recite obtaining identity data to include identity, role, entitlement and performing a evaluation of identity data to identify unique and common access items. US 10,681,056 teaches the same system performing the obtaining of identity data and performing an evaluation. US 10,681,056 is different in it does not teach obtaining roles data or determination of a common and/or unique item. Anderson in the same field of endeavor teaches obtaining roles (¶42)determining of common or unique/outlier permissions(¶47). It would have been obvious to a person of ordinary skill in the art at the time of the invention to modify the 18,456,560 with determination common and unique permissions as taught by Anderson. The reason for such a modification would be to detect anomalies, over or under provisioning of access rights where appropriate action can be taken in response.
18/456,560
US 10,681,056
1. An identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium including computer instructions for: obtaining identity management data from one or more source systems in an enterprise computing environment, the identity management data comprising data on a set of identity management access items associated with the enterprise computing environment, the identity management access items comprising a set of identities, a set of entitlements associated with the set of identities, or a set of roles associated with the set of entitlements, wherein the set of identities, set of entitlements or set of roles are utilized in identity management for the enterprise computing environment;
clusterinq job titles associated with the set of identities to determine a plurality of job title clusters;
training a machine learning model to generate a predictive score for each of the identity management access items in the set of identity management access items, wherein the machine learning model is trained based on a popularity of respective entitlements for respective job title clusters;
and determining a common or unique access item based on the generated predictive scores by comparing the predictive scores to a threshold.
querying an interpreter with the determined common or unique access item to build a localized model for the determined common or unique access item; and determining a top set of influential features for the determined common or unique access item based on coefficients of the localized model
1. An identity management system of using property graphs for risk detection, comprising: a memory; a hardware processor; a non-transitory, computer-readable storage medium including computer instructions executable by the hardware processor for: obtaining first identity management data, at a first time, which is obtained from one or more identity management systems in a distributed enterprise computing environment;
(ANDERSON ROLES ¶42)
Badawy ¶55
Badawy ¶s166 176
Badawy ¶134(outliers) ¶165(threshold)
Badawy ¶s182-184ment artifact.
Claims 1-4,6-11,14-18 and 20-24 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims of 1-21 U.S. Patent No. 10,554,665 view of Badawy US 2020/0274880. The instant application 18/456,560 independent claims recite obtaining identity data to include identity, role, entitlement and performing a evaluation of identity data to identify unique and common access items. US 10,554,665 teaches the same system performing the obtaining of identity data and performing an evaluation. US 10,554,665 is different in it does not teach determination of a common and/or unique item. Anderson in the same field of endeavor teaches determining of common or unique/outlier permissions(¶47). It would have been obvious to a person of ordinary skill in the art at the time of the invention to modify the 18,456,560 with determination common and unique permissions as taught by Anderson. The reason for such a modification would be to detect anomalies, over or under provisioning of access rights where appropriate action can be taken in response.
18/456,560
US 10,554,665
1. An identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium including computer instructions for: obtaining identity management data from one or more source systems in an enterprise computing environment, the identity management data comprising data on a set of identity management access items associated with the enterprise computing environment, the identity management access items comprising a set of identities, a set of entitlements associated with the set of identities, or a set of roles associated with the set of entitlements, wherein the set of identities, set of entitlements or set of roles are utilized in identity management for the enterprise computing environment;
clusterinq job titles associated with the set of identities to determine a plurality of job title clusters;
training a machine learning model to generate a predictive score for each of the identity management access items in the set of identity management access items, wherein the machine learning model is trained based on a popularity of respective entitlements for respective job title clusters;
and determining a common or unique access item based on the generated predictive scores by comparing the predictive scores to a threshold.
querying an interpreter with the determined common or unique access item to build a localized model for the determined common or unique access item; and determining a top set of influential features for the determined common or unique access item based on coefficients of the localized model
1. An identity management system, comprising: a graph data store; a processor; a non-transitory, computer-readable storage medium, including computer instructions for: obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identities and a set of entitlements associated with the set of identities utilized in identity management in the distributed enterprise computing environment;
Badawy ¶55
Badawy ¶s166 176
Badawy ¶134(outliers) ¶165(threshold)
Badawy ¶s182-184
Claims 1-4,6-11,14-18 and 20-24 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims of 1-21 U.S. Patent No. 10,938,828 view of Badawy US 2020/0274880. The instant application 18/456,560 independent claims recite obtaining identity data to include identity, role, entitlement and performing a evaluation of identity data to identify unique and common access items. US 10,938,828 teaches the same system performing the obtaining of identity data and performing an evaluation. US 10,938,828 is different in it does not teach determination of a common and/or unique item. Anderson in the same field of endeavor teaches determining of common or unique/outlier permissions(¶47). It would have been obvious to a person of ordinary skill in the art at the time of the invention to modify the 18,456,560 with determination common and unique permissions as taught by Anderson. The reason for such a modification would be to detect anomalies, over or under provisioning of access rights where appropriate action can be taken in response.
18/456,560
US 10,938,828
1. An identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium including computer instructions for: obtaining identity management data from one or more source systems in an enterprise computing environment, the identity management data comprising data on a set of identity management access items associated with the enterprise computing environment, the identity management access items comprising a set of identities, a set of entitlements associated with the set of identities, or a set of roles associated with the set of entitlements, wherein the set of identities, set of entitlements or set of roles are utilized in identity management for the enterprise computing environment;
clusterinq job titles associated with the set of identities to determine a plurality of job title clusters;
training a machine learning model to generate a predictive score for each of the identity management access items in the set of identity management access items, wherein the machine learning model is trained based on a popularity of respective entitlements for respective job title clusters;
and determining a common or unique access item based on the generated predictive scores by comparing the predictive scores to a threshold.
querying an interpreter with the determined common or unique access item to build a localized model for the determined common or unique access item; and determining a top set of influential features for the determined common or unique access item based on coefficients of the localized model
1. An identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium, including computer instructions for: obtaining identity management data from one or more source systems in a distributed enterprise computing environment of an enterprise, the identity management data comprising data on a set of roles, a set of entitlements, and a set of identities, the set of roles, set of entitlements and set of identities utilized in identity management in the distributed enterprise computing environment;
Badawy ¶55
Badawy ¶s166 176
Badawy ¶134(outliers) ¶165(threshold)
Badawy ¶s182-184
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4,6-11,14-18 and 20-24 are rejected under 35 U.S.C. 103 as being unpatentable over Anderson US 2020/0059476,further in view of Rice US 2019/0230088 and Badawy US 2020/0274880.
Regarding claims 1, 8 and 15, Anderson teaches a method and non-transitory CRM and an identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium including computer instructions for: obtaining identity management data from one or more source systems in an enterprise computing environment, the identity management data comprising data on a set of identity management access items associated with the enterprise computing environment(enterprise access data is obtained from database and analyzed such data includes access privilege data, ¶42),
[0042] The memory 108 may include a data analysis and transformation unit 120 and a business role identification unit 122. The data analysis and transformation unit 120 may receive and/or obtain access privileges data of an enterprise (via processor 104 and/or database(s) 112) and transform said data into data sets as will be further described below. The business role identification unit 122 may identify one or more business roles based on common patterns of the access privileges data. The business role identification unit 122 may include a function role factorization unit 124 for factoring out function roles associated with the access privileges common to at least two employees, and a business role generation unit 126 for generating business roles based on the function roles. The function role factorization unit 124 and business role generation unit 126 will be further described below.
the identity management access items comprising a set of identities, a set of entitlements associated with the set of identities, or a set of roles associated with the set of entitlements, wherein the set of identities, set of entitlements or set of roles are utilized in identity management for the enterprise computing environment; and(capture information include user identifier/logins, roles of the user and permission/entitlements of an business organization , ¶40,42,43)
[0040] The platform 100 can be operable to register and authenticate users (using a login, unique identifier, and password for example) prior to providing access to applications, a local network, network resources, other networks and network security devices. The platform 100 can connect to different machines or entities.
[0042] The memory 108 may include a data analysis and transformation unit 120 and a business role identification unit 122. The data analysis and transformation unit 120 may receive and/or obtain access privileges data of an enterprise (via processor 104 and/or database(s) 112) and transform said data into data sets as will be further described below. The business role identification unit 122 may identify one or more business roles based on common patterns of the access privileges data. The business role identification unit 122 may include a function role factorization unit 124 for factoring out function roles associated with the access privileges common to at least two employees, and a business role generation unit 126 for generating business roles based on the function roles. The function role factorization unit 124 and business role generation unit 126 will be further described below.
[0043] In one embodiment, the scope of the business role mining project is focused on capital markets where permissions fall under one of four main categories: application roles, trade book entitlements, database entitlements and infrastructure entitlements. Access data is spread across: applications, trading books, databases and infrastructure, herein referred to as access points. Depending on the nature of the business, employees are granted unique permissions to either of the access points. These are referred to as additional entitlements and are used to represent unique permissions.
clusterinq job titles associated with the set of identities to determine a plurality of job title clusterander(Anderson teaches grouping employee into clusters having the same business role i.e. job tittle, ¶70);
[0070] Table 4 shows an example of the feature vector for a clustering algorithm. The first few columns correspond to HR data and the last 10 columns correspond to function roles generated from the first step of the approach. The motivation behind concatenating these columns together is to include access patterns of each of the employees and also the effect of other attributes like transit and city which are currently being used in the enterprise to mine these roles manually. The algorithm groups employees with similar features or attributes as clusters 908. These clusters correspond to business roles. While the algorithm produces an index of clusters, domain expertise of business users may be leveraged to name the function roles.
training a machine learning mode to generate a similarity score( a machine learning model can be received or trained to detect outliers, using a similarity score ¶34)
[0034] The platform 100 may include at least one processor 104 (herein referred to as “the processor 104”) and a memory 108 storing machine executable instructions to configure the processor 104 to receive a neural network (from e.g., data sources 160). The processor 104 can receive a trained neural network and/or can train a neural network using training engine 124. The platform 100 can include an I/O Unit 102, communication interface 106, and data storage 110. The processor 104 can execute instructions in memory 108 to implement aspects of processes described herein.
Anderson does no teach generate a predictive score for each of the identity management access items in the set of identity management access items
wherein the machine learning model is trained based on a popularity of respective entitlements for respective job title clusters;
and determining a common or unique access item based on the generated predictive scores by comparing the predictive scores to a threshold.
Rice in the same field of endeavor as the invention teaches a system for identifying users with outlier access permission for the purpose of authorizing or not authorizing such permissions.
Rice teaches generate a predictive score for each of the identity management access items in the set of identity management access items( generate an outlier ratio which is predictive of how many other users have the same outlier permission as the user versus all users with that role,m ¶6)
[0006] The system may, in some embodiments, compare current authorized access permissions of the user to the set of access permissions associated with the job role of the user. The system can then identify an outlier access permission of the user that is not in the set of access permissions associated with the job role of the user and identify one or more other users that are associated with the job role of the user. The system may next identify an outlier ratio of a number of the one or more other users that are authorized for the outlier access permission of the user versus a total number of the one or more other users that are associated with the job role of the user. The system can then determine whether the outlier ratio is greater than a predetermined threshold ratio and either authorize the user for the outlier access permission in response to determining that the outlier ratio is greater than the predetermined threshold ratio, or not authorize the user for the outlier access permission in response to determining that the outlier ratio is not greater than the predetermined threshold ratio.
wherein the machine learning model is trained based on a popularity of respective entitlements for respective job title clusters(outlier ratio is a ratio of users with a job role with an outlier permission as compared to all users that have that role…. Outlier ratio is a measure of how popular the outlier access permission with respect to the all users in the role, ¶6) ;
[0006] The system may, in some embodiments, compare current authorized access permissions of the user to the set of access permissions associated with the job role of the user. The system can then identify an outlier access permission of the user that is not in the set of access permissions associated with the job role of the user and identify one or more other users that are associated with the job role of the user. The system may next identify an outlier ratio of a number of the one or more other users that are authorized for the outlier access permission of the user versus a total number of the one or more other users that are associated with the job role of the user. The system can then determine whether the outlier ratio is greater than a predetermined threshold ratio and either authorize the user for the outlier access permission in response to determining that the outlier ratio is greater than the predetermined threshold ratio, or not authorize the user for the outlier access permission in response to determining that the outlier ratio is not greater than the predetermined threshold ratio.
and determining a common or unique access item based on the generated predictive scores by comparing the predictive scores to a threshold(identify outlier access permission to no be granted if below a predetermined threshold, ¶6).
[0006] The system may, in some embodiments, compare current authorized access permissions of the user to the set of access permissions associated with the job role of the user. The system can then identify an outlier access permission of the user that is not in the set of access permissions associated with the job role of the user and identify one or more other users that are associated with the job role of the user. The system may next identify an outlier ratio of a number of the one or more other users that are authorized for the outlier access permission of the user versus a total number of the one or more other users that are associated with the job role of the user. The system can then determine whether the outlier ratio is greater than a predetermined threshold ratio and either authorize the user for the outlier access permission in response to determining that the outlier ratio is greater than the predetermined threshold ratio, or not authorize the user for the outlier access permission in response to determining that the outlier ratio is not greater than the predetermined threshold ratio.
It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify Anderson training of a machine learning model with method identifying outlier permissions with using a ratio(i.e. popularity) of the permission in relation to all users in a role as taught by Rice. The reason for this modification would be to implement a simple substitution of the similarity score of Anderson with outlier ratio as alternate metric for identifying users with outlier permissions.
Anderson/Rice do not teach querying an interpreter with the determined common or unique access item to build a localized model for the determined common or unique access item; and determining a top set of influential features for the determined common or unique access item based on coefficients of the localized model. Badawy in the same field of endeavor as the invention teaches identity graph based artificial intelligence decision systems. Badawy teaches querying an interpreter with the determined common or unique access item to build a localized model for the determined common or unique access item;
[0182] In some embodiments when the user requests such interpretations for one or more access requests, these access requests may be submitted to the intelligent agent 880 through the intelligent agent interface 882 in a request for an interpretation for those access requests. To determine an interpretation for these access requests, intelligent agent may include interpreter 830. In some embodiments, interpreter 830 may utilize a principle referred to as ‘Interpretability of Models’ whereby the interpreter 830 may be utilized as an independent process from the classifier's 878 training. This interpreter 830 can be queried to provide explanations in terms of how much and what type (positive or negative) of influence did the features have over the classifier modules 870 decision.
[0183] The access requests for which an interpretation is desired can be submitted to the interpreter 830 by the intelligent agent 880 through the interpreter interface 832. For each of these access requests (e.g., identity and entitlement pair), the local model builder 834 may build a localized model for that access request by querying the classifier 878 (e.g., through classifier interface 872) in a “neighborhood” of that access request to build a local generalized linear model for that access request out of what may be a highly non-linear classifier 878. This querying may be accomplished by determining values for a set of features associated with the access request (e.g., one or more of the same features used to train the classifier) and varying one or more of these values within a tolerance for a plurality of requests to the classifier module 870 to determine approval or denial recommendations for values for the set of features that are close, but not the same as, the values for those features associated with the access request itself.
and determining a top set of influential features for the determined common or unique access item based on coefficients of the localized model
[0184] In one embodiment, the local builder 834 may be, for example, based on Local Interpretable Model-Agnostic Explanations (LIME). Embodiments of such a localized model may, for example, be a logistic regression model or the like with a set of coefficients for a corresponding set of features. While such an approximation may be valid within a small neighborhood of the access request, the coefficients of the approximate (e.g., linear) model may be utilized to provide the most influential features. A feature corresponding to a coefficient of the localized model with a large magnitude may indicates a strong influence, while the sign of the coefficient will indicate whether the effect of the corresponding feature was in the positive (approval) or negative (denial). Based on the magnitude or signs of the coefficients associated with each feature of the localized model for the access request a top number (e.g., top 2, top 5, etc.) of influential features (e.g., positive or negative) may be determined.
It would have been obvious to a person of ordinary skill in the art before the effective filing of the invention to modify Anderson/Rice with application of interpreters to contextualize outliers in a machine learning model. The reason for this modification would be to apply known methods for handling outliers and abnormal output to machine learning based pattern analysis systems.
Regarding claims 2, 9 and 16, Anderson teaches wherein determining the common or unique access item comprises: determining concurrency of the set of identity management access items(access data of user over a period of time(concurrency , ¶s 47, 85)
[0047] FIG. 5A illustrates, in a component diagram, an example of a visualization 300 of the steps of outlier identification 220 (in some embodiments performed by the data analysis and transformation unit 120) and function role factorization 230 for an enterprise (in some embodiments performed by the function role factorization unit 124), in accordance with some embodiments. In this example, employees 302, application roles 304, books 306 and additional entitlements 308 are shown as nodes in graphs. A current access cluster 310 shows 733 lines of access for 11 employees. After outlier identification 220, 658 common permissions (cluster 320) and 75 unique permissions (cluster 325) were located. After function role factorization 230, a function role access cluster 330 shows the 658 common permissions reduced to 90 lines of access. The function role access cluster 330 graph shows employees 302, function roles 334 and additional entitlements 308 as nodes. Thus, in this example, the original 733 lines of access for has been reduced to 165 total lines of access.
[0085] In some embodiments, existing bundles of roles and their respective access rights may be read and analysed by the model to find access changes that occurred in the past time period (e.g., past year). Such changes may then be applied to other employees that have similar roles.
determining a distribution of the set of identity management access items based on the concurrency; and( clustering of user access data is analyzed to determine a pattern(i.e. distribution) of the user access, ¶s27,45)
[0027] Embodiments described herein relate to machine learning which is a field of computer science that configures computing devices to process data using programming rules and code that can dynamically update over time. Machine learning involves programming rules and code that can detect patterns and generate output data that represents predictions or forecasting. Role mining is the process of using machine learning techniques to find and extract patterns in existing access data in pursuit of minimizing effort required for access management, and to minimize risk associated with access. By clustering permissions into common patterns that can be packaged into business roles, managers may review and approve a single business role for an employee, rather than reviewing every granular instance of access that that employee requires to do their job.
[0045] In some embodiments, another step employs various techniques from machine learning, data mining visualization clustering and matrix factorization, and principles from graph theory to identify common patterns of access. These patterns are used to establish business roles, which are packages of common accesses that can be assigned to enterprise employees. These business roles are then stored in an internal database to be interoperable with an array of existing systems across the access control ecosystem.
determining the common or unique access item based on the distribution of the set of identity management access items(identifying common patterns and outliers with respect to such common patterns, ¶47)
[0047] FIG. 5A illustrates, in a component diagram, an example of a visualization 300 of the steps of outlier identification 220 (in some embodiments performed by the data analysis and transformation unit 120) and function role factorization 230 for an enterprise (in some embodiments performed by the function role factorization unit 124), in accordance with some embodiments. In this example, employees 302, application roles 304, books 306 and additional entitlements 308 are shown as nodes in graphs. A current access cluster 310 shows 733 lines of access for 11 employees. After outlier identification 220, 658 common permissions (cluster 320) and 75 unique permissions (cluster 325) were located. After function role factorization 230, a function role access cluster 330 shows the 658 common permissions reduced to 90 lines of access. The function role access cluster 330 graph shows employees 302, function roles 334 and additional entitlements 308 as nodes. Thus, in this example, the original 733 lines of access for has been reduced to 165 total lines of access.
Regarding claims 3, 10 and 17, Anderson teaches wherein the instructions further comprise instructions for: generating a network identity graph from the identity management data, wherein the concurrency of the set of identity management access items is based on the network identity graph(user access pattern represented as a user access /entitlement graph, ¶53 fig. 5B)
[0053] FIG. 5B illustrates, in a graph, an example of an access graph 400 showing access privileges, in accordance with some embodiments. The access privilege cluster graph 400 comprises nodes for employees 302, application role 304, book 306, and additional entitlements 308. Each edge is an instance of access to which a manager is to attested. FIG. 5B represents a visualization of a current access of an employee. Each edge comprises an instance of access that is to be attested.
Regarding claims 4, 11 and 18, Badawy teaches wherein the localized model is a generalized linear model or a logistic regression model.
[0184] In one embodiment, the local builder 834 may be, for example, based on Local Interpretable Model-Agnostic Explanations (LIME). Embodiments of such a localized model may, for example, be a logistic regression model or the like with a set of coefficients for a corresponding set of features. While such an approximation may be valid within a small neighborhood of the access request, the coefficients of the approximate (e.g., linear) model may be utilized to provide the most influential features. A feature corresponding to a coefficient of the localized model with a large magnitude may indicates a strong influence, while the sign of the coefficient will indicate whether the effect of the corresponding feature was in the positive (approval) or negative (denial). Based on the magnitude or signs of the coefficients associated with each feature of the localized model for the access request a top number (e.g., top 2, top 5, etc.) of influential features (e.g., positive or negative) may be determined.
Regarding claims 6, 13 and 20, Rice teaches wherein the threshold is determined based on the predictive scores for each of the set of identity management access items(.predetermined threshold is different for each outlier access permission, ¶85)
[0085] The system then determines whether the outlier ratio is greater than a predetermined threshold ratio. The predetermined threshold ratio may be different for each access permission, each type of business component associated with the access permissions (e.g., a database storing client information may have a very high predetermined threshold ratio while a read-only database with published marketing images may have a low predetermined threshold ratio), and the like. In some embodiments, an outlier access permission may require manual approval from a manager or executive, and therefore could not be approved through this process.
Regarding claims 7, 14 and 21, Anderson teaches wherein the interpreter is based on Local Interpretable Model-Agnostic Explanations (LIME) or Shapley Additive exPlanations (SHAP) (LIME interpreter ¶184).
[0184] In one embodiment, the local builder 834 may be, for example, based on Local Interpretable Model-Agnostic Explanations (LIME). Embodiments of such a localized model may, for example, be a logistic regression model or the like with a set of coefficients for a corresponding set of features. While such an approximation may be valid within a small neighborhood of the access request, the coefficients of the approximate (e.g., linear) model may be utilized to provide the most influential features. A feature corresponding to a coefficient of the localized model with a large magnitude may indicates a strong influence, while the sign of the coefficient will indicate whether the effect of the corresponding feature was in the positive (approval) or negative (denial). Based on the magnitude or signs of the coefficients associated with each feature of the localized model for the access request a top number (e.g., top 2, top 5, etc.) of influential features (e.g., positive or negative) may be determined.
Claims 22-24 are rejected under 35 U.S.C. 103 as being unpatentable over Anderson/Rice/Badawy as applied to claim 1, 8 and 15 above, and further in view of Branson US 2021/0304853.
Regarding claims 22-24, Badawy/Rice/Anderson does not teach wherein the machine learning model is an isolation forest model. Branson being reasonably pertinent to the problem of outlier handing in machine learning based pattern analysis. Branson teaches wherein the machine learning model is an isolation forest model.
[0060] For example, to assess the overall validity of the interpretability model, the relationship between the first and second deltas can be measured. Such a measurement can be by the coefficient of determination (R2) or Pearson correlation coefficient between the deltas, where a larger R2 or Pearson correlation means an interpretability model of greater validity. Models with high overall validity can still have low validity for specific transformations, however. Problematic transformations can be identified using outlier detection methods, including but not limited to: local outlier factor, isolation forest, and others known to those skilled in the art. Scientists can then make decisions to exclude such outlier transformations from any analysis using the interpretability model.
It would have been obvious to a person of ordinary skill in the art before the effective filing of the invention to modify Anderson/Rice/Badawy with use of isolation forests for outlier detection as taught by Branson. The reason for this modification would be to provide a way to detect and handle outliers in machine learning based pattern analysis. Applying a random forest technique is a simple substitution of a method known in the art that leads to predictable results.
Applicant Remarks
Applicant’s arguments with respect to claims 1-4,6-11,14-18 and 20-24 have been considered but are moot because the new ground of rejection does not rely on the references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Tom Y. Chang whose telephone number is 571-270-5938. The examiner can normally be reached on Monday-Friday from 9am to 5pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise , can be reached on (571)272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center. Status information for published applications may be obtained from Patent Center. Status information for unpublished applications is available through Patent Center for authorized users only. Should you have questions about access to Patent Center, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated- interview-request-air-form.
/TOM Y CHANG/
Primary Examiner, Art Unit 2455