The RF hypergraph models network host relationships by representing individual hosts as nodes and their shared characteristics as hyperedges. This approach integrates traditional network scanning data, such as that provided by Nmap, into a spatial and signal-based visualization framework.
1. Modeling Network Hosts as Nodes
When a network host is discovered, it is added to the hypergraph store as a specialized node. The modeling process involves several key translations:
- Node Identification: Each host is assigned a unique
node_idderived from its IP address (e.g.,net_192_168_1_1). - Pseudo-Geospatial Positioning: For visualization purposes, the system converts IP address octets into coordinates (latitude and longitude) to spread the hosts across a map view.
- RF Metric Analogies: To maintain consistency with the RF model, network attributes are mapped to signal properties:
- Frequency: A “pseudo-frequency” is calculated based on the number of open ports discovered on the host.
- Power: Signal strength is estimated based on network activity levels, also derived from port counts.
- Metadata: Nodes store rich technical details, including hostnames, operating systems, MAC addresses, and lists of active services.
2. Modeling Relationships via Hyperedges
The core of the hypergraph model lies in hyperedges, which connect groups of two or more nodes that share specific network relationships. The system automatically generates these based on two primary criteria:
- Service-Based Relationships (
service_group): The model groups hosts that are running the same network services (e.g., all hosts runninghttporssh). These hyperedges carry metadata describing the relationship as a “shared service” and assign a signal strength value based on the number of nodes in the group. - Subnet-Based Relationships (
subnet_group): The model identifies hosts belonging to the same /24 subnet. It creates hyperedges to link these hosts, representing their topological proximity within the network infrastructure.
3. Integration and Discovery
These relationships are dynamically modeled through the Network Hypergraph Scan process. The server initiates an Nmap scan (e.g., a ping sweep or service discovery) and feeds the resulting structured data into the RFHypergraphStore. Once the hosts are added as nodes, the system executes logic to “create service hyperedges” and “create subnet hyperedges,” instantly forming the relational web of the network for visualization and metrics analysis.
In the RF hypergraph model, subnet and service hyperedges are automatically generated through dedicated methods in the RFHypergraphStore following a network scan. This process organizes discovered network hosts into relational groups based on shared technical characteristics.
1. Generation of Service Hyperedges
The system identifies relationships between hosts running identical network applications through the create_service_hyperedges method.
- Grouping Logic: The system iterates through all nodes in the store, filtering for those labeled as
network_host. It then groups these nodes by the entries in theirserviceslist (e.g., all hosts running “http” or “ssh”). - Edge Creation: A hyperedge of the type
service_groupis created for every identified service that is shared by at least two nodes. - Metrics and Metadata: Each generated edge is assigned a signal strength starting at -60, which increases by 2 for every additional node in the group. The metadata includes a specific description of the relationship, such as “shared_http_service”.
2. Generation of Subnet Hyperedges
Hosts are also grouped based on their topological proximity within the network infrastructure using the create_subnet_hyperedges method.
- Subnet Identification: The system extracts the IP address of each
network_hostand determines its /24 subnet by grouping the first three octets (e.g.,192.168.1.x). - Edge Creation: If two or more hosts belong to the same subnet, a hyperedge of type
subnet_groupis generated to link them. - Metrics and Metadata: These edges receive a signal strength starting at -50, increasing by 3 for every node in the group. The metadata explicitly labels the relationship as “same_subnet” and identifies the specific subnet range (e.g.,
192.168.1.0/24).
3. Automatic Triggering Process
The generation of these hyperedges is typically integrated into the Network Hypergraph Scan workflow:
- Discovery: The server initiates an Nmap scan against a target range.
- Node Creation: Discovered hosts are converted into hypergraph nodes with metadata including their IP, hostname, and active ports/services.
- Relationship Building: Once all nodes are added, the server automatically calls
create_service_hyperedges()andcreate_subnet_hyperedges()to populate the store with relational data before returning the final visualization to the user.
This same automated logic is applied during specialized scans, such as the quick-scan for discovery or the localhost scan for internal services.