Topology Learning From Operations
by Nick Clark | Published April 25, 2026
Real cascade-relevant relationships in a deployed mesh are rarely fully knowable at design time. The disclosed architecture admits new edges into the credentialed topology graph through observation rather than pre-declaration: a learning event proposes a candidate edge supported by witness-signed evidence, and the candidate is promoted to a credentialed edge once corroboration thresholds are met. This produces a topology that evolves with operational reality while preserving the governance, lineage, and admissibility guarantees of the underlying credentialed-graph primitive.
Mechanism
Topology learning is initiated by a learning event, a structured record carrying: the candidate edge specification (source node, destination node, proposed dependency class, proposed coupling parameters), the observation evidence (a vector of telemetry samples, refusal correlations, latency-coupling measurements, or cascade-co-occurrence statistics), the learning algorithm identifier (an enumerated reference to a registered inference procedure such as Granger-causality estimation, mutual-information thresholding, or Pearl-style intervention analysis), the observation interval, and one or more witness signatures from authorities with observational jurisdiction over the affected nodes.
A learning event entering the architecture does not directly mutate the credentialed topology graph. Instead it enters a candidate-edge buffer maintained by the topology authority. Candidate edges accumulate corroborating witness signatures from independent observers; promotion to a credentialed edge requires that the cumulative witness set satisfy the dependency-class-specific witness-multiplicity threshold defined by the governing topology policy. Upon promotion, the candidate edge is admitted into the graph through the standard credentialed-mutation pathway, with the learning event itself recorded in the graph's mutation lineage as the originating cause of the new edge. Subsequent cascade traversals admit the new edge under the same admissibility predicate as any other credentialed edge.
Negative learning is symmetric. When operational evidence indicates that a previously credentialed edge no longer reflects observable coupling (for example, a control relationship has been physically removed, or a data dependency has been replaced by a redundant alternate path), a witness-signed retirement event is admitted to the candidate buffer; upon corroboration, the edge is credentially revoked rather than deleted, preserving its presence in the lineage log while removing it from active cascade traversal. The architecture thus supports both expansion and contraction of the topology graph through symmetric, governance-bounded learning operations.
The buffer itself is structured as an append-only log keyed by candidate-edge identity hash, with each subsequent witness submission appended as a corroboration record rather than overwriting prior evidence. This append-only construction allows the topology authority to compute promotion eligibility incrementally as new witnesses arrive, without re-evaluating the full evidence set, and it allows post-hoc auditors to reconstruct the order and provenance of corroboration. When promotion fires, the authority emits a promotion event referencing the buffer's current evidence hash; that hash binds the admitted credentialed edge to the precise evidence set that justified its admission, so any subsequent retroactive challenge can reference an immutable evidence pointer rather than a reconstructed set.
Edge mutation is gated by a two-phase predicate. The first phase verifies that each witness signature resolves to an authority currently empowered for the affected nodes' jurisdiction; expired or revoked witness credentials are rejected even if their signatures remain cryptographically valid. The second phase verifies that the registered learning algorithm referenced in the event is itself currently credentialed and has not been deprecated by a governance action. Only when both phases succeed and the witness-multiplicity threshold is met does the candidate transition to a credentialed edge, ensuring that no edge enters the graph through an obsolete authority chain or a retired inference procedure.
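The append-only buffer and the two-phase gate described above can be sketched as follows. This is an added example, not code from the disclosure; the record fields, the registry shapes, the hash-chaining scheme and the names TopologyAuthority, submit and try_promote are assumptions, and signature verification is assumed to have succeeded before submit is called.

```python
import hashlib
import json
from functools import reduce

GENESIS = "0" * 64  # assumed seed for the running evidence hash

def edge_id(src, dst, dep_class):
    """Candidate-edge identity hash used as the buffer key."""
    return hashlib.sha256(json.dumps([src, dst, dep_class]).encode()).hexdigest()

def chain(prev_hash, record):
    """Fold one corroboration record into the running evidence hash."""
    blob = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(bytes.fromhex(prev_hash) + blob).hexdigest()

def replay_hash(records):
    """Auditor's check: recompute the evidence hash from the ordered log."""
    return reduce(chain, records, GENESIS)

class TopologyAuthority:
    def __init__(self, witnesses, algorithms):
        self.witnesses = witnesses    # assumed shape: id -> {"nodes", "expires", "revoked"}
        self.algorithms = algorithms  # assumed shape: id -> "credentialed" or "deprecated"
        self.buffer = {}              # edge id -> {"records": [...], "hash": str}

    def submit(self, src, dst, dep_class, witness, algorithm, digest, now):
        log = self.buffer.setdefault(edge_id(src, dst, dep_class),
                                     {"records": [], "hash": GENESIS})
        record = {"witness": witness, "algorithm": algorithm, "evidence": digest, "t": now}
        log["records"].append(record)             # append-only: nothing is overwritten
        log["hash"] = chain(log["hash"], record)  # incremental, no full re-scan

    def try_promote(self, src, dst, dep_class, threshold, now):
        """Return a promotion event, or None while the gate is not satisfied."""
        key = edge_id(src, dst, dep_class)
        log = self.buffer.get(key, {"records": [], "hash": GENESIS})
        counted = set()  # distinct witnesses whose records pass both phases
        for r in log["records"]:
            w = self.witnesses.get(r["witness"])
            # Phase 1: witness credential is live and covers both endpoints.
            phase1 = (w is not None and not w["revoked"]
                      and w["expires"] > now and {src, dst} <= w["nodes"])
            # Phase 2: the referenced learning algorithm is still credentialed.
            phase2 = self.algorithms.get(r["algorithm"]) == "credentialed"
            if phase1 and phase2:
                counted.add(r["witness"])
        if len(counted) < threshold:
            return None
        return {"edge": key, "evidence_hash": log["hash"], "witnesses": sorted(counted)}
```

Because phase one is evaluated at promotion time, a record from a witness whose credential has since expired or been revoked stays in the log for audit but stops counting toward the threshold.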
Operating Parameters
Witness-multiplicity thresholds are configured per dependency class. Representative values place the safety-critical hard-control class at three or more independent witnesses with at least two distinct authority domains; soft-control and data classes typically require two witnesses; logical and timing classes may admit on a single witness when the witness is a designated topology-learning authority. The architecture exposes the witness-multiplicity policy as a credentialed configuration document, so threshold changes themselves are subject to governance oversight and lineage tracking.
Observation intervals are bounded by a minimum dwell time during which evidence accumulates before promotion is considered (typically 60 seconds for tactical meshes, 1 hour for civilian critical-infrastructure meshes) and a maximum staleness time after which uncorroborated candidate edges are discarded from the buffer (typically one to seven days). Coupling-parameter estimates from observation evidence are accompanied by confidence intervals; promotion is blocked when the lower confidence bound on the coupling coefficient falls below the dependency-class-specific minimum, preventing weakly supported edges from entering cascade evaluation.
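The per-class thresholds and the interval checks from the two preceding paragraphs can be combined into a single promotion decision, as in the following added example, which is not part of the disclosure. The minimum lower-bound values, the seven-day staleness setting, the two-witness fallback for logical and timing classes without a designated authority, and all names are assumptions.

```python
from dataclasses import dataclass

DWELL_S = {"tactical": 60, "civilian": 3600}  # minimum dwell times given in the text
MAX_STALENESS_S = 7 * 86400                   # upper end of the one-to-seven-day range
# class -> (min witnesses, min authority domains, designated single witness allowed)
POLICY = {
    "hard-control": (3, 2, False),
    "soft-control": (2, 1, False),
    "data":         (2, 1, False),
    "logical":      (2, 1, True),  # assumed fallback of 2 without a designated authority
    "timing":       (2, 1, True),  # same assumption
}
# Constructed per-class minimums for the lower confidence bound (not from the text).
MIN_LOWER_BOUND = {"hard-control": 0.6, "soft-control": 0.4, "data": 0.4,
                   "logical": 0.3, "timing": 0.3}

@dataclass(frozen=True)
class Witness:
    wid: str
    domain: str
    designated: bool = False  # designated topology-learning authority

def corroborated(dep_class, witnesses):
    """Apply the class-specific witness-multiplicity rule to distinct witnesses."""
    need, need_domains, single_ok = POLICY[dep_class]
    distinct = list({w.wid: w for w in witnesses}.values())  # repeats count once
    if single_ok and any(w.designated for w in distinct):
        return True
    return len(distinct) >= need and len({w.domain for w in distinct}) >= need_domains

def evaluate(dep_class, mesh, first_seen, now, witnesses, coupling_ci):
    """Return (decision, reason) for one candidate edge at time `now`."""
    age = now - first_seen
    if not corroborated(dep_class, witnesses):
        # Only uncorroborated candidates age out of the buffer.
        return ("discard", "stale") if age > MAX_STALENESS_S else ("hold", "witnesses")
    if age < DWELL_S[mesh]:
        return ("hold", "dwell")
    if coupling_ci[0] < MIN_LOWER_BOUND[dep_class]:
        return ("hold", "confidence")  # lower bound too weak for this class
    return ("promote", "ok")
```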
Evidence-package size is bounded to control admission cost: a typical learning event carries 4 KB to 32 KB of telemetry summary statistics rather than raw sample streams, with raw samples retained at the witness for post-hoc dispute support. The architecture supports an evidence-pointer mode in which the learning event references a content-addressed evidence blob held by the witness, allowing dispute participants to retrieve the raw evidence under credentialed access while keeping the on-graph mutation log compact. Promotion latency from first observation to credentialed-edge admission is dominated by witness-multiplicity accumulation; representative single-domain deployments observe median promotion latencies of 90 to 600 seconds for tactical configurations and 30 to 90 minutes for civilian configurations.
Learning-algorithm registration is itself credentialed. Each registered algorithm carries a specification document, a reference implementation hash, and an authority signature attesting that the algorithm meets the topology-learning policy's soundness requirements. Implementations may not introduce candidate edges via unregistered algorithms, ensuring that the inference procedures admitting evidence into the graph are themselves auditable and replaceable through governance procedures rather than through ad-hoc code change.
Throughput parameters bound the rate at which the topology authority will admit new candidate edges, preventing evidence floods from monopolizing graph mutation bandwidth. A representative configuration caps candidate intake at 1,000 events per minute per witness, with per-domain aggregate caps of 10,000 events per minute; events arriving above the cap are deferred to a back-pressure queue that drains at the configured rate. Promotion-rate caps are configured separately, typically at 100 promotions per minute per dependency class, ensuring that even a coordinated burst of corroborated evidence cannot inject topology changes faster than downstream cascade-evaluation logic can re-plan against the updated graph.
Alternative Embodiments
In a first alternative embodiment, the candidate-edge buffer is realized as a distributed gossip-replicated structure across the witness ensemble, with promotion triggered by a quorum-signed assertion that the witness-multiplicity threshold has been met. In a second alternative embodiment, learning operates in two tiers: a local tier in which individual nodes propose candidate edges based on their own telemetry, and a global tier in which a topology-learning authority aggregates local proposals and applies cross-domain corroboration before promotion.
A third alternative embodiment integrates active probing with passive observation: when passive evidence is insufficient for promotion, the architecture issues a credentialed active probe (subject to the governed-active-probe primitive's admissibility checks) to disambiguate candidate dependency classes. A fourth embodiment composes learning with adversarial-action differentiation, in which proposed edges whose observation evidence correlates with hostile probing patterns are flagged for human review rather than automatic promotion. A fifth embodiment supports federated learning across mesh domains, in which candidate edges from one domain may be advertised to peer domains for cross-domain corroboration, enabling discovery of cross-domain cascade couplings without requiring either domain to expose its full telemetry stream.
A sixth alternative embodiment performs counterfactual learning by deliberately perturbing one node while observing downstream response correlations elsewhere in the mesh; perturbation-driven evidence is admitted under the same witness-multiplicity rules as observational evidence but is annotated with the perturbation specification so that downstream cascade evaluation can distinguish dependencies established under deliberate intervention from those established under passive observation. A seventh alternative embodiment supports privacy-preserving learning across organizational boundaries through secure multi-party computation: candidate edges spanning two organizations are corroborated using cryptographic protocols that produce a witness signature without revealing either organization's underlying telemetry to the other, with the resulting credentialed edge nonetheless carrying full lineage suitable for joint audit.
Composition With Other Primitives
Topology learning composes directly with the credentialed-topology-graph primitive: it is the principal mechanism by which that graph evolves beyond its initial declared state. It composes with the witness primitive, drawing observation evidence from witness-signed telemetry; with the credential primitive, since promotion produces standard credentialed edges; and with the lineage primitive, since the originating learning event is preserved in the graph's mutation log.
Learning composes with cascade-propagation evaluation by feeding back observed cascade patterns as evidence for new or revised dependency-class assignments, producing a closed-loop refinement in which the topology graph becomes a more accurate predictor of future cascades over operational lifetime. It composes with the dispute primitive: a disputed promotion can be challenged by a counter-witness submitting contradictory evidence, freezing the candidate edge pending resolution. It composes with the audit primitive by exposing the full chain from raw observation through learning algorithm to admitted credentialed edge, allowing post-hoc reconstruction of why any given edge entered the graph.
Distinction From Prior Art
Topology learning is structurally distinct from automated network discovery protocols such as LLDP, CDP, OSPF neighbor discovery, and SNMP topology mapping. Those protocols learn physical adjacencies through unauthenticated or weakly authenticated link-layer exchanges and admit any observed adjacency without governance review; they have no notion of dependency class, no witness-multiplicity threshold, and no credentialed mutation lineage. The disclosed mechanism does not learn physical reachability — it learns governance-attested cascade-relevant relationships.
It is distinct from machine-learning approaches to network anomaly detection and causal-inference research applied to time-series telemetry, which produce probabilistic models of system behavior but do not produce credentialed graph mutations bound to a governance authority, do not require multi-witness corroboration, and do not preserve a tamper-evident lineage tying inferred relationships to the algorithms and observations that produced them. It is distinct from service-mesh service-discovery mechanisms (Consul, etcd-based registries, Kubernetes endpoint discovery), which register declared service identities rather than inferred dependency relationships and which lack the witness-corroboration structure disclosed here.
The combination of registered-algorithm-bounded inference, multi-witness corroboration, candidate-buffer staging, governance-credentialed promotion, and symmetric retirement semantics — all integrated with an underlying credentialed topology graph — is not found in any prior art known to the inventor.
The disclosed mechanism is further distinct from configuration-management databases (CMDBs) and IT-service-management dependency repositories such as ServiceNow, BMC Atrium, and Device42. Those systems maintain manually authored or scripted dependency catalogs and treat dependency assertions as administrative records rather than as governance-credentialed graph mutations; they offer no witness-multiplicity discipline, no registered-algorithm constraint on inference, and no cryptographic lineage suitable for cross-organizational audit. The disclosed primitive replaces the administrative-record model with a credentialed-mutation model in which every edge entering the graph is bound to attested evidence and an attested inference procedure.
Disclosure Scope
This disclosure encompasses any mesh architecture in which new cascade-relevant edges enter a credentialed topology graph via witness-signed observation evidence corroborated through a configured multiplicity threshold and admitted through a credentialed mutation pathway, and in which retirement of stale edges proceeds through a symmetric witness-corroborated revocation pathway. The scope is intended to cover implementations across inference algorithm families (statistical causal inference, information-theoretic coupling estimation, Bayesian network learning, neural-network-based dependency inference), witness organizational models (homogeneous, federated, hierarchical), and application domains (defense mesh resilience, civilian critical-infrastructure resilience, industrial supervisory control, multi-tenant cloud dependency mapping). Specific algorithms, witness models, and domains are recited as illustrative embodiments and do not limit the claims.