DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Specification
The use of the trademarks MICROSOFT [paragraphs 0003, 0004, 0030, 0033], AMAZON [paragraphs 0003, 0004, 0030], and GOOGLE [paragraphs 0003, 0004, 0030] have been noted in this application. They should be capitalized wherever they appear and be accompanied by the generic terminology.
Although the use of trademarks is permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as trademarks.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-5, 8-12, and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Badawy et al., (US 20200280564 A1) hereinafter referred to as Badawy in view of Wright et al., (US 20180046796 A1) hereinafter referred to as Wright.
Regarding Claims 1, 8, and 15, Badawy discloses A method comprising: performing graph-based role similarity inspection using a graph neural network (GNN), the graph-based role similarity inspection configured to identify roles, in a graph representation of relationships between identity and access management (IAM) roles of a cloud environment, that are most similar to a target role, [paragraph 0003, this disclosure relates to enhancing computer security in a distributed networked computing environment through the use of role mining in these artificial intelligence based identity management systems, including the use of graph based identity or entitlement peer grouping and analysis in association with such role mining][paragraph 0044, it may be understood that good governance practice in the identity space relies on the ‘social’ principle that identities with strongly similar attributes should be assigned similar, if not identical, access entitlements. In the realm of identity governance and administration, this approach allows for a separation of duties and thus makes it feasible to identify, evaluate, and prioritize risks associated with privileged access. As part of a robust identity management system, it is therefore highly desirable to analyze an enterprise's data to identify potential risks. In principle, strictly enforced pre-existing governance policies should ensure that identities with strongly similar access privileges are strongly similar. It would thus be desirable to group or cluster the identities of an enterprise into peer groups such that the identities in a peer group are similar with respect to the set of entitlements assigned to the identities of that group (e.g., relative to other identities or other groups)]
including: determining a graph structure of the graph representation; [Figure 2, element 220]
identifying the target role; performing a similarly calculation between the target role and other roles in the graph structure to determine similarity scores for the other roles; [paragraph 0115 and Fig. 3A, identity nodes 302 of the identity graph 300 are joined by edges formed by directed relationships 312a, 312b. Directed relationship 312a may represent that the identity of identity node 302a is similar to (represented by the labeled “SIM” relationship 312a) the identity represented by identity node 302b. Similarly, directed relationship 312b may represent that the identity of identity node 302b is similar to (represented by the labeled “SIM” relationship 312b) the identity represented by identity node 302a. Here, relationship 312b has been assigned a similarity weight of 0.79]
identifying a similar role having a same security vulnerability as the target role based on the similarity calculation; [paragraph 0126, The interface, or a portion thereof, may allow the user to navigate around the identity graph and “drill down” to obtain information on a represented node or entitlement. In the depicted example, the user has hovered above a node 510 of the identity graph and information about that identity is presented through the interface to the user. By looking at such an identity graph a user may be able to discern, for example, which identities which may be “highly contagious” or represent other identity management risks or compliance issues. An identity may be “highly contagious” or otherwise represent an identity governance risk]
Badawy does not explicitly teach and correcting the security vulnerability in the similar role based on the identification.
Wright teaches and correcting the security vulnerability in the similar role based on the identification. [paragraph 0053, the presentation of credentials may additionally or alternatively include account access policy, network access policy, and/or account configurations that function to prevent a similar attack against the compromised account and/or accounts having similar characteristics or attributes as the compromised account] [paragraph 0036, the cyber threat mitigation platform to trigger the implementation of cyber threat mitigation protocols that function to perform one or more of modifying access controls to the identified user accounts]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Wright with the disclosure of Badawy. The motivation or suggestion would have been “for identifying compromised credentials and controlling account access.” (paragraph 0002)
Regarding Claims 2, 9, and 16, Badawy discloses further comprising ranking the other roles based on the similarity scores. [paragraph 0111, The relationships represented by the edges of the identity graph may be assigned weights or scores indicating a degree of similarity between the nodes related by a relationship, including, for example, the similarity between two nodes representing an identity or two nodes representing an entitlement, as discussed]
Regarding Claims 3 and 10, Badawy discloses further comprising: determining the graph structure includes computing embeddings for all roles in the graph representation, embeddings including vector representations of nodes in a graph, wherein the nodes represent the roles, wherein computing the embeddings includes: passing node features and graph structure through multiple layers of the GNN to iteratively aggregate information from neighboring nodes. [paragraph 0111, embodiments of the identity management systems as disclosed may create, maintain or utilize identity graphs. These identity graphs may include a graph comprised of nodes and edges, where the nodes may include identity management nodes representing, for example, an identity, entitlement or peer group, and the edges may include relationships between these identity management nodes. The relationships represented by the edges of the identity graph may be assigned weights or scores indicating a degree of similarity between the nodes related by a relationship, including, for example, the similarity between two nodes representing an identity or two nodes representing an entitlement, as discussed. Additionally, the relationships may be directional, such that they may be traversed only in a single direction, or have different weightings depending on the direction in which the relationship is traversed or the nodes related. Embodiments of such an identity graph can thus be searched (or navigated) to determine data associated with one or more nodes. Moreover, the similarity between, for example, the identities or entitlements may be determined using the weights of the relationships in the identity graph]
Regarding Claims 4, 12, and 18, Badawy discloses further comprising: determining the graph structure via an automated process, wherein the GNN includes an unsupervised GNN model which does not utilize manually labeled data. [Abstract, graph based artificial intelligence systems for identity management are disclosed. Embodiments of the identity management systems disclosed herein may utilize a network graph approach to analyzing identities or entitlements of a distributed networked enterprise computing environment. Specifically, in certain embodiments, an artificial intelligence based identity management systems may utilize the peer grouping of an identity graph (or peer grouping of portions or subgraphs thereof) to identify roles from peer groups or the like]
Regarding Claims 5 and 11, Badawy discloses further comprising: performing the similarity calculation based on a first embedding of the target role and embeddings of the other roles in the graph representation. [paragraph 0111, embodiments of the identity management systems as disclosed may create, maintain or utilize identity graphs. These identity graphs may include a graph comprised of nodes and edges, where the nodes may include identity management nodes representing, for example, an identity, entitlement or peer group, and the edges may include relationships between these identity management nodes. The relationships represented by the edges of the identity graph may be assigned weights or scores indicating a degree of similarity between the nodes related by a relationship, including, for example, the similarity between two nodes representing an identity or two nodes representing an entitlement, as discussed. Additionally, the relationships may be directional, such that they may be traversed only in a single direction, or have different weightings depending on the direction in which the relationship is traversed or the nodes related. Embodiments of such an identity graph can thus be searched (or navigated) to determine data associated with one or more nodes. Moreover, the similarity between, for example, the identities or entitlements may be determined using the weights of the relationships in the identity graph]
Regarding Claim 17, Badawy discloses storing instructions that, when executed, cause the processor to perform the method further comprising: determining the graph structure includes computing embeddings for all roles in the graph representation, embeddings including vector representations of nodes in a graph, wherein the nodes represent the roles, wherein computing the embeddings includes: passing node features and graph structure through multiple layers of the GNN to iteratively aggregate information from neighboring nodes; and performing the similarity calculation based on a first embedding of the target role and embeddings of the other roles in the graph representation.[paragraph 0111, embodiments of the identity management systems as disclosed may create, maintain or utilize identity graphs. These identity graphs may include a graph comprised of nodes and edges, where the nodes may include identity management nodes representing, for example, an identity, entitlement or peer group, and the edges may include relationships between these identity management nodes. The relationships represented by the edges of the identity graph may be assigned weights or scores indicating a degree of similarity between the nodes related by a relationship, including, for example, the similarity between two nodes representing an identity or two nodes representing an entitlement, as discussed. Additionally, the relationships may be directional, such that they may be traversed only in a single direction, or have different weightings depending on the direction in which the relationship is traversed or the nodes related. Embodiments of such an identity graph can thus be searched (or navigated) to determine data associated with one or more nodes. Moreover, the similarity between, for example, the identities or entitlements may be determined using the weights of the relationships in the identity graph]
Claims 6-7, 13-14, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Badawy in view of Wright, as applied to Claims 1, 8, and 15, respectively, above, and further in view of Cella et al., (WO 2024233674 A2) hereinafter referred to as Cella.
Regarding Claims 6, 13, and 19, the combination of Badawy and Wright does not explicitly teach further comprising: performing the similarity calculation based on cosine similarity, wherein node similarity scores closer to 1.0 indicates more similarity to the target role.
Cella teaches further comprising: performing the similarity calculation based on cosine similarity, wherein node similarity scores closer to 1.0 indicates more similarity to the target role. [paragraph 1891, The input sequence is processed by a position encoder that determines, for each token, an encoding of the position. In some embodiments, the position encoding may include an ordinal numerical value that indices the ordinal position of each token in the sequence, such as an index beginning at zero or one. In some embodiments, the position encoding may include a relative numerical value that indicates a position of each token in the sequence relative to a fixed position, such as a current word (encoded position 0), an immediately preceding word (encoded position -1), or an immediately following word (encoded position 1). In some embodiments, the position encoding may include non-integer values and/or multiple values, such as a first index indicating a sine calculation (with a given frequency) of the position of each token and a second index indicating a cosine calculation (with a same or different frequency) of the position of each token]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Cella with the disclosures of Badawy and Wright. The motivation or suggestion would have been “to automatically adapt a set of supply chain application control signals,” (paragraph 0418)
Regarding Claims 7, 14, and 20, the combination of Badawy and Wright does not explicitly teach further comprising: determining the graph structure via a graph auto-encoder (GAE) function, including: utilizing an encoder to compute a latent space representation of the graph structure; and utilizing a decoder to reconstruct an adjacency matrix.
Cella teaches further comprising: determining the graph structure via a graph auto-encoder (GAE) function, including: utilizing an encoder to compute a latent space representation of the graph structure; [paragraph 1892, The embedding model determines, for each token in the input sequence, a mapping of the token into a latent space representation of the input (e.g., a latent space representation of a language). The latent space may position each token along a plurality of n dimensions, wherein each dimension represents a distinct type of relationship among the elements of the language]
and utilizing a decoder to reconstruct an adjacency matrix. [paragraph 1914, The transformer model of FIG. 103 is based on an encoder-decoder architecture in which an encoder processes an input sequence and a decoder processes an output sequence to generate output probabilities]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Cella with the disclosures of Badawy and Wright. The motivation or suggestion would have been “to automatically adapt a set of supply chain application control signals,” (paragraph 0418)
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW J STEINLE whose telephone number is (571)272-9923. The examiner can normally be reached M-F 10am-6pm CT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ANDREW J STEINLE/Primary Examiner, Art Unit 2497