Patent 11929896

Derivative works

Defensive disclosure: derivative variations of each claim designed to render future incremental improvements obvious or non-novel.

Active provider: Google · gemini-2.5-flash

Derivative works

Defensive disclosure: derivative variations of each claim designed to render future incremental improvements obvious or non-novel.

✓ Generated

Defensive Disclosure Document: US Patent 11929896 Derivatives

This document describes various derivative works and technical disclosures related to US Patent 11929896, "System and method for generation of unified graph models for network entities." The purpose of this disclosure is to establish prior art for potential future incremental improvements, thereby rendering them obvious or non-novel, and to enhance the defensive posture against claims of infringement. This document focuses on variations derived from the core method claims of US11929896.

Derivatives based on Independent Method Claim Steps

The core method involves:

  1. Collecting, for at least one network entity, at least one network entity data feature (property).
  2. Genericizing the collected network entity.
  3. Generating a multi-dimensional network graph representing entities and relations.
  4. Storing the generated network graph.

1. Material & Component Substitution

These derivatives explore alternative hardware and software components for performing the collection, genericization, graph generation, and storage steps of the method claimed in US11929896.

Derivative 1.1: Neuromorphic Processing for Graph Generation and Resolution

  • Enabling Description: Instead of traditional CPU/GPU architectures for graph generation and resolution processes (as described in S240 of US11929896), a neuromorphic processing unit (NPU) cluster is employed. Network entity data features (S210) are collected and genericized (S220) as usual. The genericized entities and their initial relational hints are then loaded into the NPU's spiking neural network (SNN) architecture. The NPU is configured with specific synaptic weights and neuron models to represent generic entity types as neuronal populations and potential relationships as synaptic connections. Graph resolution (part of S240) becomes a parallel pattern matching and propagation task within the SNN, where the NPU rapidly identifies complex, multi-hop relationships and emergent properties by simulating neural activity. For example, firewall rules from collected data are translated into inhibitory/excitatory synaptic weights between generic network interface entities, allowing the NPU to infer reachability in parallel. The final graph structure is extracted from the stable state of the SNN's activation patterns. Graph storage (S250) remains in a conventional graph database or is serialized as NPU-specific memory snapshots.
    graph TD
    A[Collect Network Entity Data] --> B{Genericize Entity Data}
    B --> C{Load to Neuromorphic Processor}
    C --> D[NPU: Parallel Graph Resolution via SNN]
    D --> E{Extract Graph from NPU State}
    E --> F[Store Generated Graph]

Derivative 1.2: eBPF-driven Real-time Entity Data Collection

  • Enabling Description: For collecting network entity data features (S210), kernel-level telemetry is utilized via extended Berkeley Packet Filter (eBPF) programs. Rather than relying solely on API calls or orchestrator logs, eBPF probes are dynamically attached to network stack events (e.g., socket creation, packet ingress/egress, connection tracking, firewall rule evaluation) within the operating system kernels of network entities (e.g., VMs, containers, bare-metal servers). These eBPF programs filter, aggregate, and export relevant network entity properties (e.g., active ports, established connections, firewall rule hits, process IDs associated with network traffic) directly from the kernel in real-time. This low-overhead, event-driven collection mechanism augments or replaces traditional scanning/API methods, providing a more granular and up-to-date dataset for genericization (S220) and subsequent graph generation (S240). The collected eBPF maps and perf buffers are consumed by a userspace agent which transforms the raw kernel events into network entity data features.
    graph TD
    A[Network Entity (VM/Container)] --> B(eBPF Program in Kernel)
    B --> C{Filter & Aggregate Network Events}
    C --> D[Userspace eBPF Agent]
    D --> E[Export Network Entity Data Features]
    E --> F{Genericize Entity}
    F --> G[Generate Graph]

Derivative 1.3: Immutable Ledger for Graph Storage and Versioning

  • Enabling Description: The storage of the generated network graph (S250) is implemented using an immutable, append-only ledger database, such as Apache Cassandra with a versioning scheme, or a dedicated distributed ledger technology (DLT) platform. Each modification, update, or new generation of the unified network graph is committed as a new block or transaction record to the ledger. This provides a cryptographically verifiable history of all network states and relationships. When a graph is stored, a hash of the graph structure and its properties is calculated and recorded. Subsequent queries (as mentioned in US11929896, S240-S250) can specify a historical point in time, and the ledger retrieves the corresponding graph state, ensuring data integrity and non-repudiation of network configurations and relationships. This also enables robust auditing and rollback capabilities.
    graph TD
    A[Generate Network Graph] --> B{Calculate Graph Hash}
    B --> C[Commit Graph & Hash to Immutable Ledger]
    C --> D{Ledger Database}
    D -- "Verifiable History" --> E[Query Historical Graph States]

Derivative 1.4: FPGA-accelerated Genericization Engine

  • Enabling Description: The genericization process (S220), especially for high-throughput or highly complex network environments with diverse and numerous specific entity types, is offloaded to a Field-Programmable Gate Array (FPGA) acceleration card. Pre-defined generic entity schemas and property mapping rules (as described in US11929896, S220) are compiled into custom logic on the FPGA. Incoming streams of raw network entity data features (collected at S210) are processed in parallel by the FPGA, performing rapid pattern matching, property extraction, normalization, and type assignment to convert specific objects into their generic counterparts. This hardware acceleration drastically reduces the latency and increases the throughput of the genericization step, making it suitable for environments requiring near real-time graph updates from large volumes of raw data.
    graph TD
    A[Collected Network Entity Data] --> B{Stream to FPGA Genericization Engine}
    B --> C[FPGA: Parallel Property Extraction & Mapping]
    C --> D[Output: Generic Network Entities]
    D --> E[Generate Network Graph]

Derivative 1.5: Satellite-based Telemetry Collection for Remote/Intermittent Networks

  • Enabling Description: For network entities deployed in geographically remote, intermittently connected, or low-bandwidth environments (e.g., remote IoT deployments, edge networks with satellite uplinks), network entity data features (S210) are collected via asynchronous satellite telemetry. Local data collection agents on edge devices cache network entity properties and changes. Periodically, or when a satellite link is available, these agents transmit compressed, incremental data updates via narrow-band satellite communication. A receiving ground station then reassembles these partial datasets. This approach prioritizes data resilience and intermittent connectivity over real-time updates, ensuring that even disconnected segments eventually contribute to the unified graph. The genericization (S220) and graph generation (S240) processes occur centrally once the data is successfully transmitted and reconstructed.
    graph TD
    subgraph IoT Swarm
        A[Remote Network Entity] --> B[Local Data Agent (Cache)]
        B -- "Compressed Updates" --> C(Satellite Link - Intermittent)
    end
    C --> D[Ground Station Receiver]
    D --> E[Reassemble Data]
    E --> F{Genericize Entity}
    F --> G[Generate Graph]

2. Operational Parameter Expansion

These derivatives expand the operational scales and environments in which the unified graph model generation operates, as claimed in US11929896.

Derivative 2.1: Hyperscale Multi-Cloud Graph Model for Global Infrastructure

  • Enabling Description: The system is applied to generate a unified graph model for a global hyperscale computing infrastructure spanning hundreds of cloud platforms (e.g., AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Infrastructure) across multiple continents, including private cloud deployments and edge computing clusters. This involves collecting network entity data features (S210) from hundreds of millions of entities, genericizing them (S220) using a standardized ontology across all providers, and generating a network graph (S240) comprising trillions of nodes and edges. The graph generation and resolution processes are distributed across a massively parallel compute cluster, employing techniques like sharding the graph into sub-graphs for localized processing and using distributed graph algorithms (e.g., Pregel-like models) for global coherence. Storage (S250) utilizes a distributed, petabyte-scale graph database. The system is designed to handle continuous updates at a rate of millions of entity changes per second.
    graph TD
    A[Global Cloud Infrastructure (100s of Platforms)] --> B(Distributed Data Collection Agents)
    B --> C(Massively Parallel Genericization Service)
    C --> D{Distributed Graph Generation & Resolution Cluster}
    D -- "Trillions of Nodes/Edges" --> E[Petabyte-Scale Graph DB]
    E --> F[Unified Global Graph]

Derivative 2.2: Nanoscale Molecular Network Graph for Biochemical Simulation

  • Enabling Description: The system is adapted to model nanoscale molecular networks, where "network entities" (S210) are individual atoms, molecules, proteins, or cellular organelles. "Network entity data features" include chemical properties (e.g., valence, charge, functional groups), physical properties (e.g., mass, size, position), and conformational states. These features are collected from molecular dynamics simulations or cryogenic electron microscopy data. Genericization (S220) involves categorizing molecules by functional class (e.g., enzyme, substrate, receptor) and standardizing interaction sites. The generated network graph (S240) represents biochemical pathways, protein-protein interaction networks, or drug-target interactions, with edges representing covalent bonds, weak interactions, catalytic reactions, or allosteric modulation. Storage (S250) involves specialized databases optimized for graph-based chemical structures, enabling queries about reaction pathways, binding affinities, or drug discovery. The graph resolution (S240) dynamically infers transient interactions based on proximity and energetic favorability.
    graph TD
    A[Molecular Dynamics Simulation / Cryo-EM Data] --> B{Collect Molecular Entity Data}
    B --> C{Genericize Molecules by Functional Class}
    C --> D[Generate Nanoscale Interaction Graph]
    D -- "Bonds, Interactions, Reactions" --> E[Specialized Chemical Graph DB]
    E --> F[Query Biochemical Pathways]

Derivative 2.3: Historical Archival Graph for Regulatory Compliance and Forensic Analysis

  • Enabling Description: The unified graph model generation is extended to create a continuously updated, immutable historical archive of network states over a decade or more. Instead of merely storing the current graph (S250), every generated graph (S240) and every intermediate change during genericization (S220) or entity property update (S210) is timestamped and versioned. The "network entity data feature" collection (S210) includes forensic metadata, audit trails, and configuration change logs. The genericization (S220) and graph generation (S240) processes include algorithms to detect and record divergences from baseline configurations. The storage (S250) uses a temporal graph database designed for efficient querying of historical states (e.g., "What was the connectivity between VM 'X' and Database 'Y' on June 15, 2020?"). This enables long-term regulatory compliance audits, post-incident forensic analysis, and trend analysis of network evolution, even for ephemeral cloud resources.
    graph TD
    A[Network Entity Data (incl. Audit Trails)] --> B{Collect & Timestamp Data}
    B --> C{Genericize & Version Entities}
    C --> D[Generate Timestamped Network Graph]
    D --> E[Temporal Graph DB (Immutable History)]
    E -- "Historical Queries" --> F[Regulatory Audit / Forensic Analysis]

Derivative 2.4: Ultra-Low Power, Edge-Optimized Graph for Resource-Constrained IoT Swarms

  • Enabling Description: For very resource-constrained IoT swarms operating on battery power with limited processing capabilities and intermittent connectivity, the graph generation method is optimized for ultra-low power consumption and distributed edge processing. "Network entity data features" (S210) are minimalist (e.g., device ID, battery level, direct neighbors, simple sensor readings). Genericization (S220) uses highly compressed, pre-compiled templates specific to the IoT device type. Graph generation (S240) is performed incrementally and locally by a designated "leader" node within a small cluster of IoT devices, aggregating partial graph views from its neighbors. The resulting small sub-graphs are then transmitted via energy-efficient, short-range wireless protocols (e.g., Bluetooth Low Energy Mesh) to a local gateway. The "storing" step (S250) involves ephemeral caching on the leader node or aggregation at the gateway, with only critical changes or high-level summaries eventually propagated to a central system. This minimizes communication overhead and processing cycles on individual nodes.
    graph TD
    subgraph IoT Swarm
        A[IoT Node 1] --> B[IoT Node 2]
        A -- "Minimal Data" --> C(Leader Node)
        B -- "Minimal Data" --> C
        C -- "Partial Graph Gen" --> D[Local Graph Cache]
        D -- "Aggregated Summary" --> E(BLE Mesh / Low Power Wireless)
    end
    E --> F[Edge Gateway]
    F --> G[Central System (Aggregate)]

Derivative 2.5: Real-time Predictive Graph for Network Anomaly Detection (Sub-millisecond Latency)

  • Enabling Description: To achieve sub-millisecond latency for real-time network anomaly detection, the entire graph generation process (S210-S250) is tightly integrated within a high-speed data plane. Network entity data features (S210) are captured directly from network interfaces using specialized SmartNICs (Network Interface Cards) or programmable switches that perform initial parsing and feature extraction in hardware. Genericization (S220) and graph resolution (S240) are executed on in-memory graph databases residing in high-speed, non-volatile memory (e.g., Intel Optane Persistent Memory) co-located with the SmartNICs. Graph updates are atomic and continuously streamed. A predictive analytics engine, utilizing machine learning models trained on historical graph data, constantly analyzes the evolving graph for deviations from normal patterns. Any detected anomaly triggers an immediate alert and potentially an automated response based on graph traversal. The "storing" step (S250) represents a continuous stream of graph deltas rather than discrete snapshots.
    graph TD
    A[Network Traffic] --> B(SmartNIC / Programmable Switch)
    B -- "Hardware Feature Extraction" --> C[In-Memory Graph DB (P-Memory)]
    C --> D{Real-time Genericization & Graph Resolution}
    D -- "Graph Deltas" --> E[Predictive Analytics Engine]
    E --> F{Anomaly Detected?}
    F -- "Yes" --> G[Automated Alert/Response]
    F -- "No" --> D

3. Cross-Domain Application

These derivatives apply the unified graph modeling principles of US11929896 to unrelated industries.

Derivative 3.1: Supply Chain Vulnerability Graph for Global Logistics

  • Enabling Description: The system is applied to model global supply chains. "Network entities" (S210) include raw material suppliers, manufacturers, logistics providers, distribution centers, retail outlets, and transportation assets (ships, trucks, planes). "Network entity data features" include supplier certifications, material origins, production capacities, inventory levels, shipping routes, customs compliance status, and geopolitical risk scores. Genericization (S220) categorizes entities by role (e.g., "Tier 1 Supplier," "Logistics Hub," "Final Assembly Plant") and standardizes attributes like "compliance status" or "transportation mode." The generated network graph (S240) represents the end-to-end supply chain, with edges indicating material flow, contractual relationships, and dependency pathways. Graph resolution identifies critical single points of failure, geopolitical risk exposure, and potential for counterfeit goods. Storage (S250) enables querying of supply chain provenance, resilience, and compliance.
    graph TD
    A[Supply Chain Data (Suppliers, Logistics, etc.)] --> B{Collect Supply Chain Entity Data}
    B --> C{Genericize Entities (Supplier, Manufacturer, Hub)}
    C --> D[Generate Supply Chain Vulnerability Graph]
    D -- "Material Flow, Dependencies" --> E[Supply Chain Graph DB]
    E --> F[Identify Single Points of Failure / Risks]

Derivative 3.2: Precision Agriculture Field-to-Fork Traceability Graph

  • Enabling Description: This system is used in precision agriculture to create a field-to-fork traceability graph. "Network entities" (S210) include individual sensors (soil moisture, nutrient, weather), farm equipment (tractors, drones), specific plant batches, harvest lots, processing facilities, transportation vehicles, and retail points. "Network entity data features" include sensor readings, equipment maintenance logs, pesticide/fertilizer application records, crop yields, harvest dates, storage conditions, processing steps, and retail distribution paths. Genericization (S220) standardizes entities by type (e.g., "Field Sensor," "Crop Batch," "Processing Plant," "Retail Location") and properties like "soil type," "pesticide used," or "temperature zone." The generated network graph (S240) links every stage from cultivation to consumption, providing full provenance for agricultural products. Graph resolution can trace contamination sources or optimize resource allocation. Storage (S250) allows for rapid querying of a product's history for recalls or quality assurance.
    graph TD
    A[Agricultural Data (Sensors, Equipment, Crops)] --> B{Collect Ag Entity Data}
    B --> C{Genericize Entities (Sensor, Crop Batch, Processing Plant)}
    C --> D[Generate Field-to-Fork Traceability Graph]
    D -- "Growth, Harvest, Processing, Distribution" --> E[Agri-Graph DB]
    E --> F[Trace Contamination / Optimize Resources]

Derivative 3.3: Patient Journey & Care Pathway Graph for Healthcare Systems

  • Enabling Description: The system is adapted for healthcare management. "Network entities" (S210) include patients, healthcare providers (doctors, nurses), medical devices, medications, treatment protocols, diagnostic tests, and hospital departments. "Network entity data features" encompass patient demographics, medical history, diagnoses, prescribed treatments, test results, device calibrations, provider specializations, and inter-departmental workflows. Genericization (S220) standardizes entities like "Patient Record," "Diagnosis," "Treatment Event," "Medication," and "Care Provider," abstracting specific medical codes into generic categories. The generated network graph (S240) models individual patient journeys and broader care pathways, with edges representing consultations, referrals, medication administrations, test orders, and physiological dependencies. Graph resolution identifies potential drug interactions, inefficient care pathways, or bottlenecks in patient flow. Storage (S250) enables querying for personalized treatment plans, public health analytics, or resource optimization.
    graph TD
    A[Healthcare Data (EHR, Device Logs, Prescriptions)] --> B{Collect Healthcare Entity Data}
    B --> C{Genericize Entities (Patient, Provider, Medication, Diagnosis)}
    C --> D[Generate Patient Journey & Care Pathway Graph]
    D -- "Consults, Referrals, Treatments" --> E[Healthcare Graph DB]
    E --> F[Optimize Care / Identify Interactions]

Derivative 3.4: Urban Mobility & Infrastructure Resilience Graph for Smart Cities

  • Enabling Description: The system is deployed in a smart city context to model urban mobility and infrastructure resilience. "Network entities" (S210) include traffic sensors, public transit vehicles, pedestrian pathways, power grid nodes, water supply pipes, emergency services vehicles, and environmental monitoring stations. "Network entity data features" include real-time traffic flow, transit schedules, energy consumption, water pressure, emergency response times, and air quality data. Genericization (S220) categorizes entities by function (e.g., "Traffic Sensor," "Bus Route," "Power Substation," "Hydrant") and standardizes properties like "operational status" or "capacity." The generated network graph (S240) models the interconnectedness of urban systems, with edges representing physical connections (e.g., power lines), logical dependencies (e.g., traffic lights controlling road segments), or data flows. Graph resolution identifies cascading failure points during disasters, optimizes traffic flow, or predicts infrastructure maintenance needs. Storage (S250) enables real-time city management and predictive analytics.
    graph TD
    A[City Data (Traffic, Transit, Utilities, Sensors)] --> B{Collect Urban Entity Data}
    B --> C{Genericize Entities (Sensor, Transit Line, Power Node)}
    C --> D[Generate Urban Mobility & Resilience Graph]
    D -- "Physical, Logical, Data Connections" --> E[Smart City Graph DB]
    E --> F[Predict Failures / Optimize Traffic]

Derivative 3.5: Geological Fault & Resource Interdependency Graph for Mining Operations

  • Enabling Description: This system is adapted for complex geological and mining operations. "Network entities" (S210) include geological fault lines, ore deposits, mining shafts, ventilation systems, dewatering pumps, power grids, and underground transportation routes. "Network entity data features" comprise seismic activity data, rock mechanics properties, ore grades, ventilation flow rates, pump capacities, power consumption, and geological survey results. Genericization (S220) categorizes entities by type (e.g., "Fault Segment," "Ore Body," "Ventilation Fan," "Power Cable") and standardizes properties like "stability rating" or "resource dependency." The generated network graph (S240) visualizes the intricate interdependencies within a mine, with edges representing geological stresses, resource extraction dependencies, safety system linkages, or operational energy flows. Graph resolution predicts seismic risks, identifies optimal extraction paths, or highlights vulnerabilities in safety systems. Storage (S250) supports real-time mine monitoring and long-term strategic planning.
    graph TD
    A[Geological & Mining Data (Seismic, Ore, Equipment)] --> B{Collect Geo-Mining Entity Data}
    B --> C{Genericize Entities (Fault, Ore Deposit, Ventilation System)}
    C --> D[Generate Geo-Mining Interdependency Graph]
    D -- "Stresses, Dependencies, Flows" --> E[Mining Graph DB]
    E --> F[Predict Seismic Risk / Optimize Extraction]

4. Integration with Emerging Tech

These derivatives integrate the unified graph modeling of US11929896 with cutting-edge technologies.

Derivative 4.1: AI-Driven Graph Optimization for Proactive Network Security

  • Enabling Description: The unified network graph (generated at S240) is continuously fed into an AI-driven optimization engine. The AI component, utilizing deep reinforcement learning or graph neural networks (GNNs), learns from historical graph states, simulated attack scenarios, and observed network events (collected at S210). The AI identifies optimal network security configurations, rule sets, and access controls that minimize attack surfaces and enhance resilience. It proposes changes to the generic entities (S220) and their relationships within the graph, for example, suggesting new firewall rules, optimal subnet segmentation, or least-privilege access policies. These AI-suggested modifications are then applied to the network after human review or automatically if confidence levels are high. The graph serves as the AI's "world model," enabling it to predict the impact of changes and proactively recommend security posture improvements before vulnerabilities are exploited. Graph storage (S250) includes versioning to track AI-driven changes.
    graph TD
    A[Collected Entity Data] --> B{Genericize Entity}
    B --> C[Generate Network Graph]
    C --> D(AI-Driven Optimization Engine)
    D -- "Analyze Vulnerabilities, Predict Impacts" --> E{Propose Security Changes}
    E -- "New Rules, Segmentation, Policies" --> F[Update Network Configuration]
    F --> G[Update Collected Entity Data]

Derivative 4.2: IoT Sensor-Augmented Real-time Operational Graph

  • Enabling Description: The "collecting network entity data features" step (S210) is significantly augmented by direct, real-time telemetry from thousands of IoT sensors embedded throughout the physical and virtual infrastructure. These IoT sensors monitor environmental conditions (temperature, humidity), power consumption, physical access, network device health, and application performance metrics. Each IoT sensor itself is treated as a network entity, and its readings become critical data features. Genericization (S220) includes mapping diverse IoT sensor data formats to a unified schema. The generated network graph (S240) thus provides a living, real-time operational view, blending logical network connectivity with physical environmental factors. Edges in the graph can represent "monitors," "powers," or "is located in" relationships between logical and physical entities. Storage (S250) must handle high-volume, continuous streams of IoT data, potentially using time-series databases for metrics alongside the graph database for relationships.
    graph TD
    subgraph Data Collection
        A[Traditional API/Orchestrator Data]
        B[IoT Sensor Telemetry (Real-time)]
        A & B --> C{Aggregate & Normalize Data Features}
    end
    C --> D{Genericize Entities (Network + IoT)}
    D --> E[Generate Real-time Operational Graph]
    E -- "Logical & Physical Connections" --> F[Graph DB + Time-Series DB]

Derivative 4.3: Blockchain-Verified Network Provenance Graph

  • Enabling Description: To enhance trust and auditability, the "storing the generated network graph" step (S250) integrates with a private or consortium blockchain. Key network entity properties (S210), such as configuration baselines, ownership, and critical relationships after genericization (S220) and graph generation (S240), are cryptographically hashed and immutably recorded as transactions on the blockchain. The full graph data itself might reside in a conventional graph database (e.g., Neo4j), but its integrity and provenance are verified by referencing the hashes on the blockchain. Any changes to a network entity or relationship (e.g., a firewall rule modification, a new peering connection) result in a new transaction on the blockchain, creating an auditable, tamper-proof log of all network states. This allows for verifiable compliance checks and ensures that the reported graph is indeed the authorized and current representation.
    graph TD
    A[Generate Network Graph] --> B{Extract Critical Properties & Relations}
    B --> C[Calculate Cryptographic Hash]
    C --> D[Record Hash on Blockchain (Immutable Log)]
    D -- "Verification Link" --> E[Conventional Graph DB (Full Graph)]
    E --> F[Query & Verify Graph Provenance]

Derivative 4.4: Digital Twin Integration for Predictive Network Simulation

  • Enabling Description: The unified network graph (S240), after genericization (S220) and collection (S210), serves as the foundational data model for a digital twin of the entire computing environment. This digital twin allows for advanced predictive simulations. Instead of merely storing the graph (S250), the graph is loaded into a simulation engine that can model network traffic, application workloads, and failure scenarios. Users or automated agents can then pose "what-if" questions, for example, "What if Firewall X fails?" or "What if traffic to service Y doubles?". The simulation engine traverses the digital twin graph to predict the impact, identify bottlenecks, or assess resilience, without affecting the live production environment. The results of these simulations, including new inferred relationships or performance metrics, can then be fed back into the graph as additional data features for subsequent analysis and optimization.
    graph TD
    A[Collected Entity Data] --> B{Genericize Entity}
    B --> C[Generate Network Graph]
    C --> D(Digital Twin Simulation Engine)
    D -- "Simulate Scenarios, Predict Impact" --> E{Output: Simulation Results}
    E -- "Inferred Relations, Metrics" --> F[Update Graph Data Features]

Derivative 4.5: Federated Graph Generation with Privacy-Preserving Techniques

  • Enabling Description: For multi-organizational or highly sensitive environments, the system employs federated graph generation using privacy-preserving techniques. Each organization's network entity data (S210) is genericized (S220) locally. Instead of transmitting raw entity data, only anonymized or differentially private representations of generic entities and their connections are exchanged between organizations. A secure multi-party computation (MPC) or homomorphic encryption scheme allows a federated graph generation engine (S240) to build a unified graph of the combined environment without any single party revealing its sensitive internal network structure. For example, edge properties between generic entities from different organizations are only revealed if they meet certain aggregation thresholds or are sufficiently anonymized. Storage (S250) of the federated graph also incorporates access controls to ensure that each organization only views aggregated, non-attributable segments unless explicit permissions are granted.
    graph TD
    subgraph Org A
        A1[Collect A Data] --> A2{Genericize A}
        A2 --> A3[Anonymized A Graph Share]
    end
    subgraph Org B
        B1[Collect B Data] --> B2{Genericize B}
        B2 --> B3[Anonymized B Graph Share]
    end
    A3 & B3 --> C(Federated Graph Generation Engine - MPC/HE)
    C --> D[Privacy-Preserving Unified Graph]
    D --> E[Secure Federated Graph DB]

5. The "Inverse" or Failure Mode

These derivatives explore scenarios where the invention operates under constraints, in a limited capacity, or for an "inverse" purpose, building on the concepts of US11929896.

Derivative 5.1: Graceful Degradation: Critical Path Graph Generation during Network Outage

  • Enabling Description: In a scenario where the network is experiencing a significant outage or resource contention, preventing full-scale network entity data collection (S210) and comprehensive graph generation (S240), the system enters a graceful degradation mode. It prioritizes the collection of data features (S210) for only critical network entities and their direct connections (e.g., core routers, essential load balancers, database clusters) via out-of-band management interfaces or cached configuration data. Genericization (S220) focuses on identifying the most essential properties. The system then generates (S240) a "critical path graph" or a "survival graph"—a simplified, partial network graph highlighting only the operational core and potential recovery paths. This limited graph, though incomplete, provides crucial insights for incident response teams. Storage (S250) might involve ephemeral, local caching for rapid access by recovery tools.
    graph TD
    A[Network Outage Detected] --> B{Prioritize Critical Entity Data Collection (OOB)}
    B --> C{Limited Genericization (Essential Properties)}
    C --> D[Generate Critical Path Graph (Partial)]
    D --> E[Ephemeral Local Storage / Recovery Console]
    E --> F[Incident Response Team]

Derivative 5.2: Low-Power, Asynchronous Graph Update for Hybrid Edge Environments

  • Enabling Description: For hybrid edge environments where the graph analysis system 150 (as per US11929896, FIG. 1A) might operate on battery-powered edge devices or with highly constrained power budgets, the graph update process is optimized for minimal energy consumption. Instead of continuous real-time collection (S210), data features are collected asynchronously in batches during periods of low activity or when external power is available. Genericization (S220) and graph generation (S240) are triggered on a low-frequency schedule (e.g., hourly, daily) or upon significant detected changes, rather than continuously. The generated graph is initially stored (S250) locally on the edge device in a compressed format (e.g., using a binary graph serialization). Only highly summarized graph deltas or critical alerts (derived from graph analysis) are transmitted to a central cloud system, minimizing power-intensive wireless communication.
    graph TD
    A[Edge Device (Battery Powered)] --> B{Asynchronous/Batched Data Collection}
    B --> C{Low-Frequency Genericization}
    C --> D[Generate Compressed Local Graph]
    D --> E(Central Cloud System)
    D -- "Summarized Deltas (Low Power Tx)" --> E

Derivative 5.3: Deception Graph Generation for Cybersecurity Honeypots

  • Enabling Description: This derivative uses the system to generate "deception graphs" for cybersecurity purposes. Instead of accurately representing the true network, the "genericizing" step (S220) and "generating a network graph" step (S240) are modified to deliberately create a misleading, yet plausible, network topology. This involves fabricating or altering network entity data features (S210) for fictitious "honeypot" entities (e.g., fake databases, vulnerable servers, non-existent network interfaces) and generating (S240) graph edges that lure attackers into controlled, monitored environments. The genericization process (S220) ensures that these fabricated entities and relationships conform to realistic, generic object schemas (e.g., a "generic vulnerable web server") to appear authentic. The "deception graph" is then stored (S250) and presented to potential attackers, while the true network graph remains secure and hidden. Analysis of attacker interactions with the deception graph provides threat intelligence.
    graph TD
    A[True Network Entity Data] --> B{Modify Data: Introduce Honeypot Features}
    B --> C{Genericize Entity (incl. Fabricated)}
    C --> D[Generate Deception Network Graph]
    D --> E[Store Deception Graph (Honeypot View)]
    E --> F(Attacker Interaction Monitoring)
    F --> G[Threat Intelligence]

Derivative 5.4: Anomaly-Triggered Graph Reversion & Root Cause Analysis

  • Enabling Description: The system continuously monitors for network anomalies (e.g., unusual traffic patterns, unauthorized access attempts). Upon detection of a significant anomaly, the "storing the generated at least a network graph" (S250) is leveraged to perform a rapid historical graph reversion. The system queries the immutable historical graph (as in Derivative 2.3) to retrieve the network graph state immediately prior to the anomaly's detection. Concurrently, a "delta graph" is generated, highlighting the specific changes (new entities, modified relationships, altered properties) between the pre-anomaly state and the current anomalous state. This delta graph, along with the reverted historical graph, is presented to operators to accelerate root cause analysis. The genericization (S220) and graph generation (S240) processes are then used to build a "forensic graph" focused on the anomalous elements and their immediate context.
    graph TD
    A[Real-time Anomaly Detection] --> B{Trigger: Anomaly Detected}
    B --> C[Retrieve Pre-Anomaly Graph State (from History)]
    C --> D[Generate Delta Graph (Pre- vs. Post-Anomaly)]
    D & C --> E[Present for Root Cause Analysis]
    B --> F{Generate Forensic Graph (Focus on Anomaly)}
    F --> E

Derivative 5.5: Minimal Viable Graph (MVG) for Initial Deployment & Resource Savings

  • Enabling Description: For initial deployments, proof-of-concept evaluations, or cost-sensitive environments, the system generates a "Minimal Viable Graph" (MVG). In the "collecting network entity data features" step (S210), only a pre-defined subset of essential data features is collected (e.g., basic connectivity, IP addresses, critical services, ignoring verbose configurations). Genericization (S220) applies only a foundational set of generic entity types and properties, stripping away non-critical metadata. The "generating a network graph" step (S240) focuses on establishing core connectivity and hierarchy, omitting fine-grained relationships or imputed entities unless explicitly required. The resulting MVG is stored (S250) in a highly optimized, compact format, reducing storage costs and processing overhead. The MVG can then be incrementally enriched with more data features and relationships as requirements evolve, essentially starting with a bare-bones graph and progressively adding complexity.
    graph TD
    A[Network Entity Data (Full)] --> B{Filter: Collect Essential Data Features}
    B --> C{Apply Foundational Genericization Rules}
    C --> D[Generate Minimal Viable Graph (Core Only)]
    D --> E[Store Compact MVG]
    E --> F{Incremental Enrichment (Add Detail)}

Combination Prior Art Scenarios

These scenarios combine the teachings of US11929896 with existing open-source standards to establish prior art for integrated solutions.

1. Combination with Apache TinkerPop for Graph Traversal and Querying

  • Scenario: The system of US11929896 collects network entity data (S210), genericizes it (S220), and generates a multi-dimensional network graph (S240). This generated graph, instead of being stored in a proprietary format, is explicitly mapped and ingested into an Apache TinkerPop-compliant graph database (e.g., JanusGraph, Neo4j with TinkerPop integration). The genericized network entities become TinkerPop vertices, and their relations become TinkerPop edges, labeled according to the genericization schema (e.g., "Generic_VM" vertex, "connects_to" edge). The "querying of the graph using a simplified and unified set of queries" (as mentioned in US11929896, S250) is then performed using TinkerPop's Gremlin graph traversal language. This combination leverages the robust, standardized graph model and traversal capabilities of TinkerPop directly on the unified and genericized network representation.
    graph TD
    A[Collect Network Entity Data] --> B{Genericize Entity}
    B --> C[Generate Network Graph]
    C --> D(Map to Apache TinkerPop Graph Schema)
    D --> E[Store in TinkerPop-Compliant Graph DB]
    E --> F[Query using Gremlin Traversal Language]

2. Combination with Prometheus and Grafana for Unified Network Monitoring and Visualization

  • Scenario: The network entity data collection (S210) from US11929896 is augmented to include Prometheus-compatible metrics endpoints on each genericized network entity (S220). For example, a "Generic_VM" entity exposes CPU utilization, memory usage, and network I/O through a /metrics endpoint. Prometheus scrapes these endpoints, collecting operational metrics. Concurrently, the unified network graph (S240) is generated and stored (S250). Grafana, an open-source visualization tool, is then integrated to display both the network graph (using a graph visualization plugin) and the corresponding Prometheus metrics. The genericized entities and their relationships within the graph are used to automatically generate Grafana dashboards, allowing users to drill down from a graph node (representing a generic entity) to its real-time operational metrics in Prometheus.
    graph TD
    subgraph US11929896 System
        A[Collect Network Entity Data] --> B{Genericize Entity}
        B --> C[Generate Network Graph]
        C --> D[Store Graph]
    end
    B -- "Expose Prometheus Metrics" --> E(Prometheus Scraper)
    E --> F[Prometheus Time-Series DB]
    D & F --> G(Grafana Dashboard: Graph + Metrics)
    G --> H[Unified Network Monitoring]

3. Combination with Open-source Cloud Orchestration APIs (e.g., Kubernetes API) for Dynamic Graph Updates

  • Scenario: The system of US11929896 actively uses open-source cloud orchestration APIs, specifically the Kubernetes API, for its "collecting network entity data features" (S210) and for "genericizing the collected at least one network entity" (S220). The system subscribes to Kubernetes API events (e.g., Pod creation, Service deployment, NetworkPolicy changes) to receive real-time updates on containerized network entities. These Kubernetes resources (Pods, Deployments, Services, Ingresses, NetworkPolicies) are directly ingested, genericized into corresponding generic entities (e.g., "Generic_Container_Workload," "Generic_Network_Rule"), and their relationships (e.g., Pod belongs_to Deployment, Service exposes Pods) are inferred. The generated network graph (S240) then seamlessly integrates both Kubernetes-native entities and traditional cloud infrastructure entities (e.g., AWS EC2, Azure VMs), all unified under generic schemas. This allows for a comprehensive graph model that spans Kubernetes clusters and underlying cloud infrastructure, with dynamic updates driven by the Kubernetes control plane.
    graph TD
    A[Kubernetes API Events] --> B{Collect K8s Entity Data (Real-time)}
    C[Traditional Cloud APIs] --> D{Collect Cloud Entity Data}
    B & D --> E{Aggregate & Genericize Entities (K8s & Cloud)}
    E --> F[Generate Unified Network Graph]
    F --> G[Store Graph]
    G --> H[Unified K8s & Cloud Visibility]

Generated 5/16/2026, 12:50:17 PM