Patent 11722554
Derivative works
Defensive disclosure: derivative variations of each claim designed to render future incremental improvements obvious or non-novel.
Active provider: Google · gemini-2.5-flash
Derivative works
Defensive disclosure: derivative variations of each claim designed to render future incremental improvements obvious or non-novel.
Here are derivative variations and combination prior art scenarios for US Patent 11722554, framed as a Defensive Disclosure.
Defensive Disclosure for US Patent 11722554
Introduction
This document outlines several derivative works and combinations with existing open-source standards related to US Patent 11722554, "System and method for analyzing network objects in a cloud environment." The purpose is to broaden the scope of prior art, potentially rendering future incremental improvements by competitors as obvious or non-novel to a person skilled in the art. The analysis focuses on extending the core claims, particularly Independent Claim 1, across various technical axes.
Derivative Variations
1. Material & Component Substitution: Hardware-Accelerated Graph Processing for Real-time Analysis
Enabling Description: The network graph construction (S220), relationship determination (S230), and graph analysis for insight generation (S240) steps can be significantly accelerated through the deployment of specialized hardware. Specifically, Field-Programmable Gate Arrays (FPGAs) or Application-Specific Integrated Circuits (ASICs) are integrated into the processing circuitry (410) of the cyber-security system (150). These accelerators are configured to perform parallel computations on graph data structures, such as adjacency matrices or lists, for operations like shortest-path algorithms, centrality calculations, and pattern matching for anomaly detection. For instance, an FPGA fabric can be programmed with custom data paths to execute a breadth-first search (BFS) or depth-first search (DFS) across millions of graph nodes and edges in microsecond latency. The data collection (S210) from cloud provider APIs remains software-driven, but the subsequent graph processing pipelines are offloaded to these hardware units, allowing for real-time anomaly detection in large-scale cloud environments. The FPGAs would be reprogrammable to adapt to evolving graph schemas or new anomaly detection algorithms.
Mermaid Diagram:
flowchart TD A[Collect Network Object Data (S210)] --> B{Hardware-Accelerated Graph Construction (S220)} B -- Graph Data Stream --> C{FPGA/ASIC-based Relationship Determination (S230)} C -- Processed Graph Edges --> D[Parallel Graph Analysis for Insights (S240)] D --> E[Tag Network Objects (S250)] subgraph Cyber-Security System 150 (FIG. 4) A B C D E end subgraph Hardware Acceleration Module FPGA[FPGA Array / Custom ASIC] GPU[GPU (optional for ML-based analytics)] end C -. utilizes .-> FPGA D -. utilizes .-> GPU
2. Material & Component Substitution: Quantum-Resistant Cryptographic Modules for Secure Data Ingestion
Enabling Description: To future-proof the secure collection of network object data (S210) from diverse cloud computing platforms (Claim 2) via APIs (Claim 3), the cyber-security system (150) and cloud orchestrators (115) incorporate quantum-resistant cryptographic modules. These modules, implemented as dedicated hardware security modules (HSMs) or software libraries utilizing post-quantum cryptography (PQC) algorithms (e.g., lattice-based cryptography such as CRYSTALS-Kyber for key exchange, or hash-based signatures like XMSS/SPHINCS+ for authentication), encrypt and authenticate API requests and responses. This ensures the confidentiality and integrity of highly sensitive cloud configuration data and network object metadata during transit, safeguarding against potential compromise by future quantum computers. The network interface (440) of the cyber-security system (150) would feature these PQC-enabled communication stacks.
Mermaid Diagram:
sequenceDiagram participant CSS as Cyber-Security System 150 participant QRCM_CSS as Quantum-Resistant Cryptographic Module (CSS) participant CloudAPI as Cloud Platform API participant QRCM_Cloud as Quantum-Resistant Cryptographic Module (Cloud) participant Orchestrator as Orchestrator 115 CSS->>QRCM_CSS: Initiate Data Collection Request (S210) QRCM_CSS->>CloudAPI: Encrypt & Sign Request (PQC) CloudAPI->>QRCM_Cloud: Forward Encrypted Request QRCM_Cloud->>Orchestrator: Decrypt & Verify Request Orchestrator->>QRCM_Cloud: Generate & Sign Data Response (PQC) QRCM_Cloud->>CloudAPI: Encrypt & Sign Response CloudAPI->>QRCM_CSS: Transmit Encrypted Response QRCM_CSS->>CSS: Decrypt & Verify Response; Deliver Data
3. Operational Parameter Expansion: Ultra-Low Latency, Micro-Segmentation Policy Validation
Enabling Description: This derivative pushes the operational speed and granularity to extremes, focusing on validating micro-segmentation policies within highly dynamic, containerized cloud environments (e.g., Kubernetes deployments mentioned in the description). The network object data collection (S210) would occur at sub-millisecond intervals via eBPF (extended Berkeley Packet Filter) probes deployed directly on host kernels, capturing granular flow data and process-level network calls. The network graph (S220) would be a continuously updated, ephemeral, in-memory graph representing inter-process and inter-container communication flows. Relationship determination (S230) would involve real-time policy evaluation against a predefined micro-segmentation matrix, identifying unauthorized deviations from "least privilege" access in near real-time. Insights (S240) would pinpoint policy violations within 10-50 microseconds of occurrence, facilitating automated enforcement. Tagging (S250) would immediately label offending processes or containers with "policy-violation" or "quarantine" tags. This requires specialized, high-throughput network interfaces (440) and processing circuitry (410) optimized for parallel stream processing.
Mermaid Diagram:
sequenceDiagram participant HostKernel as Host Kernel (eBPF) participant CNOC as Containerized Network Object participant ELDC as Ultra-Low Latency Data Collector (S210) participant IMGDB as In-Memory Graph DB (S220) participant RTPV as Real-Time Policy Validator (S230) participant ULRIG as Ultra-Low Latency Insight Generator (S240) participant ANOMTAG as Anomaly Tagger (S250) participant Enforcer as Automated Policy Enforcer HostKernel->>ELDC: Stream eBPF Flow Data (<10µs) CNOC->>ELDC: Push Config Updates ELDC->>IMGDB: Update Ephemeral Graph (<20µs) IMGDB->>RTPV: Notify Graph Change Event RTPV->>ULRIG: Identify Policy Violation (<50µs) ULRIG->>ANOMTAG: Generate & Apply "Policy_Violation" Tag ANOMTAG->>Enforcer: Trigger Enforcement Action Enforcer->>HostKernel: Apply Network Rule / Quarantine
4. Operational Parameter Expansion: Multi-Temporal Graph Analysis for Predictive Anomaly Detection
Enabling Description: This derivative introduces a temporal dimension to the network graph analysis, operating at multiple time scales to enable predictive anomaly detection. Instead of a single snapshot or a continuously updating current graph, the system (150) maintains a series of historical network graphs (S220) at varying fidelities (e.g., hourly, daily, weekly aggregates). Data collection (S210) includes historical configurations and traffic patterns. Relationship determination (S230) then involves comparing the current network graph state and its relationships against these historical baselines. Machine learning models (e.g., recurrent neural networks or time-series analysis) are applied to these multi-temporal graphs to identify trends, predict future "normal" states, and detect deviations that indicate emerging abnormal configurations or events before they fully materialize. Insights (S240) would include "predicted abnormal connection in T+X hours" or "configuration drift detected, likely leading to exposure." Tagging (S250) would include a "predictive_alert" tag with a confidence score and predicted time horizon. This requires vast storage (430) and computational resources for historical graph processing.
Mermaid Diagram:
graph TD subgraph Cyber-Security System 150 A[Collect Network Object Data (S210)] B[Build Current Network Graph (S220)] C[Maintain Historical Graph Archive] D[Multi-Temporal Relationship Determiner (S230)] E[Predictive Insight Generator (S240)] F[Temporal Object Tagger (S250)] end A --> B B --> C: Archive Current Graph C --> D: Provide Historical Baselines B --> D: Provide Current Graph D --> E: Detect Anomalous Trends/Predictions E --> F: Tag with Prediction Metadata F -- "Predicted Anomaly Alerts" --> G[Security Operations]
5. Cross-Domain Application: Industrial Control Systems (ICS) and Operational Technology (OT) Networks
Enabling Description: The system and method are adapted for analyzing the complex and often air-gapped or segmented networks found in Industrial Control Systems (ICS) and Operational Technology (OT) environments (e.g., critical infrastructure like power grids, manufacturing plants). Here, "network objects" (105) would include Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Human-Machine Interfaces (HMIs), SCADA servers, and specialized industrial protocols (e.g., Modbus/TCP, OPC UA). The "cloud computing environment" (103) would be a segmented industrial DMZ or a secure on-premise industrial data historian. Data collection (S210) would involve passively sniffing industrial network traffic or querying asset management systems, carefully avoiding active interaction with sensitive control devices. The network graph (S220) would represent logical and physical connections within the OT network. Relationship determination (S230) would focus on identifying deviations from expected command flows, unauthorized peer-to-peer communication between control devices, or attempts to modify PLC logic. Insights (S240) would detect abnormal configurations such as a rogue HMI attempting to issue commands, unexpected device-to-device communication, or changes in industrial protocol parameters, with tagging (S250) categorizing threats as "safety_critical" or "operational_integrity_violation."
Mermaid Diagram:
graph TD subgraph Industrial Control Network (OT) PLC1[PLC 1] -- Modbus/TCP --> HMI[HMI Console] SCADAS[SCADA Server] -- OPC UA --> PLC2[PLC 2] Historian[Data Historian] -- Data Sync --> SCADAS IDS[Industrial IDS (Passive Sensor)] end subgraph Cyber-Security System 150 (OT-Optimized) OT_Collector[OT Data Collector (S210)] OT_Graph[OT Network Graph (S220)] OT_Relations[OT Relationship Determiner (S230)] OT_Insights[OT Insight Generator (S240)] OT_Tagger[OT Object Tagger (S250)] end IDS -- Traffic Mirror --> OT_Collector Historian -- Config/Logs --> OT_Collector OT_Collector --> OT_Graph OT_Graph --> OT_Relations OT_Relations --> OT_Insights OT_Insights --> OT_Tagger OT_Tagger -- "OT Security Alerts" --> ICS_SOC[ICS Security Operations Center]
6. Cross-Domain Application: Healthcare Interoperability and Medical Device Networks
Enabling Description: This invention can be applied to monitoring and securing the complex network of medical devices and healthcare IT systems within a hospital or a regional health network. "Network objects" (105) would include patient monitoring systems, infusion pumps, imaging devices (MRI, CT), Electronic Health Record (EHR) systems, lab equipment, and patient portals. The "cloud computing environment" (103) could be a hospital's private cloud, a hybrid cloud infrastructure for data archiving, or a secure health information exchange (HIE). Data collection (S210) would involve querying device configuration APIs, network access logs, and communication protocols specific to healthcare (e.g., DICOM, HL7). The network graph (S220) would visualize the flow of protected health information (PHI) between devices and systems, the control pathways for medical equipment, and administrative access points. Relationship determination (S230) would identify authorized vs. unauthorized data sharing (e.g., PHI moving to an unapproved endpoint), unusual command patterns to medical devices, or misconfigured access controls on EHR systems. Insights (S240) would flag abnormal configurations such as an infusion pump attempting to communicate with an external IP, an EHR system exposing PHI due to a misconfiguration, or an unauthorized device attempting to join the medical network, with tagging (S250) indicating "PHI_exposure_risk" or "patient_safety_impact."
Mermaid Diagram:
graph LR subgraph Healthcare Cloud Environment 103 PMS[Patient Monitoring System] -- HL7 --> EHR[EHR System] InfusionP[Infusion Pump] -- DICOM --> ImagingD[Imaging Device] LabEq[Lab Equipment] -- Data --> EHR PatientPortal[Patient Portal] -- HTTPS --> EHR end subgraph Cyber-Security System 150 (Healthcare-Optimized) HC_DC[Healthcare Data Collector (S210)] HC_NGB[Healthcare Network Graph (S220)] HC_RD[Healthcare Relationship Determiner (S230)] HC_IG[Healthcare Insight Generator (S240)] HC_OT[Healthcare Object Tagger (S250)] end PMS -- API/Logs --> HC_DC EHR -- API/Logs --> HC_DC InfusionP -- Logs --> HC_DC HC_DC --> HC_NGB HC_NGB --> HC_RD HC_RD --> HC_IG: Detect PHI Misconfigurations / Device Anomalies HC_IG --> HC_OT HC_OT -- "Compliance/Security Alerts" --> HospitalSOC[Hospital Security Operations Center]
7. Integration with Emerging Tech: AI-Driven Contextual Anomaly Detection with Explainable AI (XAI)
Enabling Description: This derivative integrates advanced AI, specifically Explainable AI (XAI), into the insight generation (S240) process. Machine learning models, such as Graph Neural Networks (GNNs) or deep learning autoencoders, are used to analyze the network graph and relationships (S230) to identify subtle, non-obvious patterns indicative of abnormal behavior that might be missed by rule-based systems. However, unlike black-box AI, this derivative incorporates XAI techniques (e.g., SHAP values, LIME, attention mechanisms in GNNs) to provide human-understandable explanations for why a particular connection or configuration is flagged as abnormal. For example, an insight (S240) might state: "VM 'Web-App-Prod-02' is exhibiting anomalous outbound traffic to 'unknown.evil.com' (detected by GNN). The XAI model highlights its unusual port activity (port 22, typically SSH, now used for HTTP) and its atypical connection frequency as the primary contributing factors for this 'abnormal connection' tag." This significantly improves the actionable nature of the generated insights, reducing false positives and accelerating incident response. The processing circuitry (410) would be heavily GPU-accelerated for AI model inference.
Mermaid Diagram:
flowchart TD A[Collect Network Object Data (S210)] --> B[Construct Network Graph (S220)] B --> C{AI-Enhanced Relationship Determination (S230)} C --> D{XAI-Powered Insight Generation (S240)} D --> E[Tag Network Objects with Explanations (S250)] subgraph AI/XAI Components GNN_Model[Graph Neural Network Model] XAI_Engine[Explainable AI Engine] end C -. feeds .-> GNN_Model D -. interprets .-> GNN_Model D -. generates explanations .-> XAI_Engine E -. includes explanations .-> User[Security Analyst]
8. Integration with Emerging Tech: IoT Sensors for Correlated Physical-Cyber Anomaly Detection
Enabling Description: The data collection (S210) is augmented by integrating real-time data from a network of IoT sensors deployed within the physical infrastructure underpinning the cloud environment (103). These sensors would monitor environmental parameters (temperature, humidity, airflow), physical access (door/cabinet open/close, motion detection), and power consumption at the rack, server, and even component levels. The collected network object data (S210) now includes both virtual/logical configurations and physical telemetry. The analysis (S240) correlates logical network abnormalities with physical environmental anomalies. An insight (S240) detecting an "abnormal connection" on a virtual machine could be cross-referenced with "unusual temperature spikes" on its host server or "unauthorized physical access" to the server rack, providing a holistic view of the threat. This allows for the detection of sophisticated attacks that blend cyber and physical components, or physical failures masquerading as cyber incidents. The cyber-security system (150) would include an IoT data ingestion and correlation engine.
Mermaid Diagram:
graph TD subgraph Cloud Environment 103 CPL[Cloud Platform Logical Layer] CPH[Cloud Platform Hardware Layer] IoTS[IoT Sensors (Physical Environment, Access, Power)] end subgraph Cyber-Security System 150 API_DC[API Data Collector (S210)] IoT_DC[IoT Data Collector (S210)] Fusion_Engine[Data Fusion Engine] NGB[Network Graph Builder (S220)] Corr_IG[Correlated Insight Generator (S240)] Tag_Corr[Tag with Physical Context (S250)] end CPL -- Logical Configs --> API_DC CPH -- Physical Status --> IoTS IoTS -- Telemetry Stream --> IoT_DC API_DC --> Fusion_Engine IoT_DC --> Fusion_Engine Fusion_Engine --> NGB NGB --> Corr_IG Corr_IG --> Tag_Corr Tag_Corr -- "Integrated Cyber-Physical Alerts" --> SOC[Security Operations Center]
9. The "Inverse" or Failure Mode: Stealthy Threat Emulation and "Dark Network" Probing
Enabling Description: This derivative implements the "inverse" of anomaly detection: actively generating and analyzing "abnormal connections" in a controlled, isolated "dark network" or sandbox environment to emulate advanced persistent threats (APTs) and test the resilience of detection mechanisms. The "cloud computing environment" (103) here is a dedicated threat emulation sandbox. Data collection (S210) focuses on logging all actions of emulated threats and their impact on honeypot "network objects" (e.g., intentionally vulnerable virtual machines, containers). The network graph (S220) maps the attack kill chain, showing how an emulated threat establishes "abnormal relationships" (e.g., lateral movement, command and control communication). Relationship determination (S230) actively seeks to identify successful exploitations and lateral movement paths. Insights (S240) document the adversary tactics, techniques, and procedures (TTPs) used to create these "abnormal connections," providing threat intelligence that informs the defense of production environments. Tagging (S250) categorizes these simulated abnormal connections by attack type, severity, and mitigation strategy. This represents an "inverse" application where the system is designed to facilitate and learn from generated "failures" (successful attacks).
Mermaid Diagram:
stateDiagram-v2 state "Threat Emulation Sandbox" as Sandbox state "Emulated Adversary Activity" as ThreatActivity state "Monitoring & Data Collection" as Monitoring state "Network Graph Generation" as GraphGen state "Attack Chain Analysis" as AttackAnalysis state "Threat Intelligence Generation" as ThreatIntel [*] --> Sandbox: Initialize Sandbox Environment Sandbox --> ThreatActivity: Deploy Emulated Threat ThreatActivity --> Monitoring: Execute Attack Steps (generate "abnormal" connections) Monitoring --> GraphGen: Collect Object & Connection Data (S210, S220) GraphGen --> AttackAnalysis: Determine Attack Relationships (S230) AttackAnalysis --> ThreatIntel: Generate TTP Insights (S240) ThreatIntel --> ThreatIntel: Tag Attack Patterns (S250) ThreatIntel --> [*]: Output Threat Intelligence
10. The "Inverse" or Failure Mode: Secure Decommissioning and "Zero-Configuration" Verification
Enabling Description: This derivative applies the patent's methodology in an "inverse" context: to verify the secure decommissioning of network objects and to ensure a "zero-configuration" state for non-operational components. When a network object (e.g., a virtual machine, a container) is intended to be decommissioned or isolated, the system (150) performs data collection (S210) to confirm all network object data indicates a complete shutdown or removal. A network graph (S220) is constructed for the decommissioned component's intended state. Relationship determination (S230) actively looks for the absence of any relationships or connections, or the presence of only explicit "isolation" relationships. Insights (S240) are generated for "abnormal connections" if any unexpected relationships are detected (e.g., a "decommissioned" VM still has an active network interface or a connection to a storage bucket). The goal is to detect the "failure" to achieve a fully isolated or removed state, preventing resource leaks or security vulnerabilities from lingering components. Tagging (S250) would indicate "decommissioning_failed," "residual_connection," or "zero_config_violation."
Mermaid Diagram:
graph TD subgraph Decommissioning Process DO[Decommission Object] --> Verify[Verify Decommissioned State] end subgraph Cyber-Security System 150 (Decom-Mode) DC[Data Collector (S210)] NGC[Network Graph Constructor (S220)] RD[Relationship Determiner (S230)] IG[Insight Generator (S240)] OT[Object Tagger (S250)] end Verify -- Query Decommissioned Object(s) --> DC DC --> NGC: Construct Graph of Decom State NGC --> RD: Determine *Existing* Relationships RD --> IG: Generate Insight: "Abnormal (Undesired) Connections" IG --> OT: Tag with "Decommission_Failure" OT -- Report --> Auditor[Auditor/Compliance Team]
Combination Prior Art Scenarios with Open-Source Standards
US11722554 + Open-Source Graph Databases (e.g., Apache TinkerPop with JanusGraph or Neo4j Community Edition):
The patent's methodology of constructing a network graph (S220) and determining relationships (S230) for cloud objects is directly implementable using existing open-source graph database technologies. For instance, Apache TinkerPop provides a graph computing framework (Gremlin API) that can be used for graph traversal and analysis. When combined with a graph database implementation like JanusGraph (which can use Apache Cassandra or Apache HBase for storage) or Neo4j Community Edition, the collection of network object data (S210) can be ingested and modeled as nodes and edges. The relationship determination (S230) would then involve executing Gremlin queries or Cypher queries to discover connections and dependencies. The analysis (S240) for insights could use standard graph algorithms available in these platforms to identify abnormal patterns (e.g., detecting isolated nodes, unexpected hub-and-spoke patterns). The visual representation (S220) could be achieved via integration with open-source graph visualization libraries (e.g., D3.js). This combination renders the fundamental graph-based analysis as obvious to one skilled in the art.US11722554 + Cloud Native Computing Foundation (CNCF) Kubernetes API and Prometheus Monitoring:
Claim 3 describes collecting network object data via an API, including platform-specific APIs for cloud platforms. The Kubernetes API, a widely adopted CNCF standard, provides comprehensive programmatic access to the state and configuration of containerized network objects (pods, services, deployments, network policies) within a Kubernetes cluster (a specific type of cloud platform 104 or container orchestration system mentioned in the patent description). Combining the data collection (S210) with the Kubernetes API to gather real-time configuration data is an obvious application. Furthermore, for relationship determination (S230) using observational methods (Claim 7) and detecting "spikes of network activity" (Claim 4), integrating with Prometheus (another CNCF project and open-source monitoring solution) to collect metrics on network traffic, connection counts, and resource utilization from Kubernetes-managed objects makes the monitoring aspect straightforward. The patent's insight generation (S240) then becomes the application of anomaly detection logic to this readily available data.US11722554 + Open Policy Agent (OPA) with Rego Policy Language:
The patent mentions determining "impermissible relationships" (Claim 5) and generating insights about "unauthorized connections" (Claim 4). Open Policy Agent (OPA), an open-source, general-purpose policy engine, allows for defining policies as code using its Rego language. When combined with US11722554, the determined relationships (S230) between network objects can be fed into OPA as input. OPA then evaluates these relationships against predefined security and compliance policies written in Rego (e.g., "no public access to database VMs," "only specific subnets can communicate with specific services"). The output of OPA (policy violations) directly informs the "abnormal connections" insights generated at S240, effectively automating the "permissibility analysis" described in the patent. This external, standardized policy engine makes the logic for identifying unauthorized or impermissible connections readily apparent to those in the cloud security domain.
Generated 5/16/2026, 12:49:41 PM