<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>A Multi-Agent System for Addressing Cybersecurity Issues in Social Networks</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Antonella C. Garcia</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
          <xref ref-type="aff" rid="aff3">3</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Maria Vanina Martinez</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Cristhian A. D. Deagustini</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff3">3</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Gerardo I. Simari</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
          <xref ref-type="aff" rid="aff4">4</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Artificial Intelligence Research Institute (IIIA-CSIC)</institution>
          ,
          <addr-line>Bellaterra</addr-line>
          ,
          <country country="ES">Spain</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>Departamento de Ciencias e Ingeniería de la Computación, Universidad Nacional del Sur (UNS) &amp; Instituto de Ciencias e Ingeniería de la Computación (UNS-CONICET)</institution>
          ,
          <country country="AR">Argentina</country>
        </aff>
        <aff id="aff3">
          <label>3</label>
          <institution>Fac. de Cs. de la Administración, Universidad Nacional de Entre Ríos (UNER) and Departamento de Ciencias e Ingeniería de la Computación, Universidad Nacional del Sur (UNS)</institution>
          ,
          <country country="AR">Argentina</country>
        </aff>
        <aff id="aff4">
          <label>4</label>
          <institution>School of Computing and Augmented Intelligence, Arizona State University</institution>
          ,
          <addr-line>Tempe, AZ 85281</addr-line>
          ,
          <country country="US">USA</country>
        </aff>
      </contrib-group>
      <fpage>43</fpage>
      <lpage>54</lpage>
      <abstract>
        <p>The constant interaction of individuals on social networks and its implications in their lives, which affects decision-making and can even impact their mental and physical health, sparks interest in studying these environments from different perspectives. Of particular interest is the case of cyberattacks on these platforms, which includes not only low-level hacking activity but also other events like cyberbullying, grooming, and hate speech, among others. In this paper, we investigate the design and implementation challenges faced in the deployment of a multi-agent system that operates in social network platforms to prevent or mitigate cyberattacks through the processing of streaming information using belief revision operations. We instantiate the multi-agent system using the recently-proposed HEIST application framework, which guides the implementation of hybrid socio-technical systems with a focus on explainability, and discuss the main challenges in this process. We propose two possible approaches to building new knowledge dynamics operators: a cautious operator and a credulous operator, and evaluate the implications and challenges in each case. In this preliminary work, we adopt a non-technical approach, focusing on building a roadmap of the problems that need to be solved in order to develop a concrete solution, which is outside the scope of this paper. We conclude by suggesting the first steps towards achieving the objective.</p>
      </abstract>
      <kwd-group>
        <kwd>Belief Revision</kwd>
        <kwd>Stream Reasoning</kwd>
        <kwd>Cybersecurity</kwd>
        <kwd>Social Platforms</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <sec id="sec-1-1">
        <p>Currently, people base their daily activities on continuous direct or indirect interaction with information and news from the internet. This interaction generates large volumes of data, which are used for various purposes.</p>
        <p>Within these purposes, those with malicious intent deserve special attention, since they can cause harm in various areas, affecting the decision-making processes of many people worldwide. This motivates research and development closely related to efforts in cybersecurity, understanding this area according to the general conception<sup>1</sup> that includes not only low-level information security issues, but also human-centered factors such as cyberbullying, hate speech, and attacks against mechanisms that make online trust possible [<xref ref-type="bibr" rid="ref1">1</xref>].</p>
        <p>The U.S. Surgeon General recently published an Advisory on Social Media and Youth Mental Health, which states that: “Extreme, inappropriate, and harmful content continues to be easily and widely accessible by children and adolescents. This can be spread through direct pushes, unwanted content exchanges, and algorithmic designs. In certain tragic cases, childhood deaths have been linked to suicide- and self-harm-related content and risk-taking challenges on social media platforms. This content may be especially risky for children and adolescents who are already experiencing mental health difficulties.” [<xref ref-type="bibr" rid="ref2">2</xref>]</p>
        <p>false information is very common, causing various levels of damage such as fake news, manipulated elections, and stock market bubbles. Misinformation has the ability to exploit vulnerabilities in social systems, and it can thus be classified as a cyber threat [4]. The challenge in these cases is to identify false or highly biased information, as well as users who contribute to its distribution. This is considered to be one of the most challenging threats in social environments, as there are no automated solutions that effectively mitigate this problem.</p>
        <p>Cyber Attribution: Determining who is responsible for an attack—a problem commonly referred to as cyber attribution—is often a difficult proposition, and social platforms are no exception. It requires great effort to find and process evidence that can lead to attributions, taking into account that attackers often plant false evidence to cover their tracks or mislead law enforcement. Techniques such as reverse engineering, source tracking, and honeypots, among others [5], are commonly used to address cyber attribution.</p>
        <p>Bot/Botnet Detection: Botnets are sets of connected and organized bots (automated software agents operating within a platform typically meant only for human users) designed to fulfill a specific objective. In this particular case, we are interested in malicious bots that, in social environments, have objectives such as trolling, spreading false information, or generating hate speech, among many others. To mitigate these actions, it is essential to determine whether an account on a social platform is being controlled by a person or a bot [<xref ref-type="bibr" rid="ref14">6</xref>].</p>
        <p>Adversarial Deduplication: It is not uncommon for multiple accounts on social media to belong to or be managed by the same real-world entity, often for the purposes of carrying out malicious or inauthentic actions; adversarial deduplication [7] seeks to determine which accounts are controlled by the same real-world entity. Various practices can be grouped under this category, such as sock puppets, Sybil attacks, and other malicious hacker activities. Actors in these scenarios usually seek to remain anonymous, but often also aim to be virtually identifiable in order to maintain a reputation within the community.</p>
        <p>These problems, though different in nature, share the fact that solving or addressing them involves an effective use of incomplete, uncertain, and even biased knowledge. Therefore, cybersecurity is a broad area of research and practice that requires leveraging tools to address common issues for different types of attacks. Artificial Intelligence is useful in this context since it provides many basic tools that can be applied on their own or in combination towards the development of an effective and efficient solution. The model we propose in this work is intended to be used in the context of social platforms in general, allowing for systematic processing of a larger amount of data than what humans are capable of. Our model is an instantiation of the HEIST (Hybrid Explainable and Interpretable Socio-Technical Systems) [8] application framework, which provides the foundations for developing systems that are capable of offering explanations about the decisions made.</p>
        <p>The main goal of our model, a multi-agent system (MAS) of Supervisor Agents, is to supervise social platforms, seeking to detect malicious content and activities and respond so as to avoid or mitigate their effect. We now discuss two motivating domains within social platforms that allow us to introduce the main functional requirements for our approach.</p>
        <p>Medical content. In this context a supervising system should be able to distinguish between a post with sexual content and a post that mentions sexual matters in a medical/health context. For example, it should prevent censorship of content related to breast cancer awareness—this would reduce false positives of sexual content on the social network. It could adjust alerts for dangerous/suspicious profiles against accounts that are whitelisted because they are known to disseminate alerts, educational content, awareness campaigns, etc. Currently, campaigns for breast cancer prevention cannot be freely shared as social networks censor any image of a breast, hindering the dissemination of proper self-examination and warning signs.</p>
      </sec>
      <sec id="sec-1-2">
        <p>Parental control. Supervising systems can also be leveraged as tools that can be applied by users themselves in specific platforms to exert personalized control. Such a system could be conceived as an extension to be used “on top of” the social platforms, as is the case with Google’s Family Link<sup>2</sup>. For instance, an application for mobile devices could, based on what is displayed on the screen, show alerts or—in the case in which the user is a minor—send notifications to guardians. In this case, the system would have full access to all of the device’s activity; if any suspicious behavior is detected, it can activate alerts on the same device or on devices owned by guardians.</p>
        <p><sup>2</sup> https://families.google/familylink/</p>
      </sec>
      <sec id="sec-1-3">
        <p>Another interesting functionality to consider is the possibility that, with prior authorization, the device’s supervising system send alerts to devices owned by children/guardians within the same class/school/interest group. This would generate what we will refer to as a news item for all such devices, and each corresponding agent would have the chance to decide what to do with that new knowledge.</p>
        <p>The main contributions of this work are the following: (i) The proposal of a multi-agent system designed to address issues related to malicious behavior in social platforms; the system is based on the instantiation of a recently-proposed application framework for XAI in socio-technical systems; (ii) the definition of a novel kind of belief dynamics operator to guide the flow of knowledge within the framework, which we call stream-based belief revision; and (iii) the identification of the hurdles that must be overcome for the development of effective and efficient stream-based revision operators. Though preliminary in nature, this article is meant to serve as a roadmap for ongoing and future research in the area of cybersecurity in social platforms.</p>
      </sec>
    </sec>
    <sec id="sec-2">
      <title>2. Preliminary Concepts</title>
      <p>We now recall the basic details of two models that we
leverage in the development of our Supervisor Agent
framework.</p>
      <sec id="sec-2-1">
        <title>2.1. Network Knowledge Bases</title>
        <p>The work developed in [9, 10] on Network Knowledge Bases (NKBs) adopts the typical model of social networks as sets of agents with various relationships among them; however, in NKBs each agent (a user in the social network) has its own knowledge base. Each agent is represented as a vertex, and relationships are represented as arcs between the vertices. NKBs can thus be seen as complex multilayer networks that allow representing the individual beliefs of each network node, as well as multiple attributes of the nodes and their relationships, affording the possibility of combining models for more than one social platform. Feeds—the pieces of information that each user sees when engaging with the platform—are modeled as news items that represent the source, content, and an indication of whether the user who posted it is signaling an addition or deletion to their own KB. In [11], the authors show that the model can be used for predicting users’ reactions to the content in their Twitter feed.</p>
        <p>For the purposes of this work, we will adopt a slightly modified model since we are not assuming that we have full access to users’ knowledge bases. Instead of addressing the local belief revision problem (as is done in [9, 10]), we focus on analyzing the activity visible by a companion app as discussed in the examples above, which includes a rich variety of actions and content (cf. Section 3). As an additional novel aspect in this work with respect to the original research line on NKBs, we also take into account time, which is central to effectively tackle problems arising in cybersecurity domains [3].</p>
      </sec>
      <sec id="sec-2-2">
        <title>2.2. The HEIST Application Framework</title>
        <p>HEIST (which stands for Hybrid Explainable and Interpretable Socio-Technical Systems) [3, 8] is an application framework<sup>3</sup> that aims to guide the implementation of hybrid<sup>4</sup> socio-technical systems that require explainable outputs.</p>
        <p>We briefly describe each of the six components, referring the reader to [8] for a full description. For an illustration of the architecture, see Figure 4 (Section 4).</p>
        <p>Data Ingestion: Handles the integration of data sources, addressing basic issues like data cleaning, schema matching, inconsistency, and incompleteness management. It also deals with higher-level challenges such as trust and uncertainty management, ensuring the proper handling of heterogeneous data.</p>
        <p>Subsymbolic Services: This module focuses on tasks that are best solved using data-driven (machine learning) services. Having such tools isolated in a module helps to identify specific application scenarios for each service, facilitating faster implementation, providing alternative implementations, and the generation of explanations.</p>
        <p>Symbolic Reasoning: High-level reasoning is key for addressing general problems. This module, which serves as the core of the framework, leverages preprocessed data from the Data Ingestion Module and outputs from the Subsymbolic Services Module. Rule-based systems are commonly employed here to perform complex tasks like combining low-level data and knowledge, or providing responses based on well-defined reasoning mechanisms over structured knowledge. The reasoning processes implemented in this module are essential for answering user queries.</p>
        <p>Explanations: Generates different types of explanations associated with query answers. It leverages outputs from the Symbolic Reasoning module (via the Query Answering module) and the Subsymbolic Services module.</p>
        <p>Human in the Loop: In socio-technical environments, the system’s effectiveness relies on adequately addressing user demands. This module aims to enhance system performance by incorporating iterative feedback from human users<sup>5</sup>. This feedback includes queries, responses, explanation requests, explanation ratings, and utility-based classification of data sources, among other options.</p>
        <p>Query Answering: Focuses on answering user queries by coordinating the execution of all other modules.</p>
        <p>Next, we discuss the building blocks that will be used later on (in Section 4) to instantiate HEIST to obtain a specific architectural model for our Supervisor Agent framework.</p>
        <p><sup>3</sup> A general-purpose software structure designed to facilitate the development of applications via instantiations or extensions.</p>
        <p><sup>4</sup> The term “hybrid” refers to the combination of data-driven and symbolic tools.</p>
        <p><sup>5</sup> Reinforcement Learning with Human Feedback [12, 13] is a special case of HITL.</p>
        <p>[Figure residue; recoverable labels: Platform1, Platformn, SA, SAKB1, SAKBn, and the user names Daniel, Elsa, Clara.]</p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>3. Towards a Supervisor Agent Framework</title>
    </sec>
    <sec id="sec-4">
      <p>In this section, we develop the proposed model, a multi-agent system aimed at addressing cybersecurity challenges in social networking environments; Figure 1 provides an overview of the proposed system. Each agent in the system is responsible for supervising a particular social network, and exchanges information through a centralized knowledge base called Alerts-KB, which serves as a repository for the agents to have up-to-date information on security alerts arising from different social networks. Alerts-KB consolidates knowledge related to cybersecurity events, encompassing various social networks regardless of their specific characteristics. This knowledge repository is reviewed and updated based on the information shared by each agent in the system. As a result, the agents exchange information that enables them to proactively address potential cybersecurity issues that have already been identified in other networks.</p>
      <p>Each supervisor agent maintains its own knowledge base about the social network it operates in. As we will discuss below, agents engage in belief revision processes in order to update their own KB. Continuous belief revision processes performed by agents enable them to make informed decisions and implement appropriate actions in a timely manner.</p>
      <p>Example 1. Consider the context of a social network such as Instagram, Twitter, or Facebook. A recurring security issue is the distribution of sexually suggestive images of the human body. There are various security measures in place that filter out images containing certain sensitive content, such as uncovered body parts, including nipples. While these measures aim to address security concerns, they also hinder the positive uses of such images, such as breast cancer prevention campaigns. Consider the scenario where a user called “Medical Center”, validated as a health authority, posts a video showing a breast as part of a breast cancer prevention campaign. In the proposed model, the intelligent agent can consult the information about this user in the knowledge base and determine that they consistently share legitimate medical content. Based on this knowledge, it would be best not to censor this particular post, since it would allow for more effective prevention campaigns.</p>
      <sec id="sec-4-1">
        <title>3.1. Modeling Social Networks</title>
        <p>In order to address cybersecurity issues in social platforms, we must be able to model users and their relationships, for which we first adopt the way social networks are modeled in [10]. According to this definition, a social network is a tuple consisting of four elements: a finite set of vertices, a finite set of edges, a vertex labeling function, and an edge labeling function:
A Social Network is a 4-tuple (, , , ) where:
1. V is a finite set whose elements are called vertices.
2.  ⊆  ×  is a finite set whose elements are called edges.
3. vert :  → 2 is a vertex labeling function, where  is a set of vertex labels.
4. edge :  → 2 is an edge labeling function, where  = {⟨, ⟩ |  ∈  ,  ∈ [0, 1]} and  is a set of edge labels.</p>
        <p>Next, we provide a simple example of a social network.</p>
        <p>Example 2. Consider the social network depicted in Figure 2, where the users are Amelia, Bautista, Clara, Daniel, and Elsa. The graph encodes relationships between different users. For example, Elsa follows Amelia and Bautista, and she is followed by Bautista and Daniel. The relationships may not be reciprocal, as Clara follows Daniel, but Daniel does not follow Clara.</p>
        <p>Considering the specific characteristics of social networks, it is crucial to model the different users and their relationships, i.e., the edges and vertices of the network, as well as the various interactions among them. The latter are events within the social network, and thus we must model a continuous sequence of events that contain relevant information for the system, which we refer to as a data stream.</p>
        <p>Events within the social network can take different forms. We now mention the most common events in these environments and their specific characteristics. However, a particular social network may have additional types of events beyond those mentioned here.</p>
        <p>Post. Each time a user creates new content, a Post event is created. This event reaches the vertices that are connected to the posting vertex. It consists of: event ID, source (publisher), text, multimedia element, set of tags, and timestamp.</p>
        <p>Share. Based on a Post event, a user can generate a Share event, which means sharing the original post with or without adding new data. Sharing increases the reach of the original post to the vertices connected to the Share-generating vertex. It contains the same elements as a Post event, plus a pointer to the ID of the original post: event ID, source (Share generator), text, multimedia element, set of tags, pointer to original post ID, and timestamp.</p>
        <p>Reaction. Refers to the reactions to a post, such as “like”, “love”, or other types of reactions depending on the platform. This event does not increase the reach of the original post but can influence its visibility to a greater number of users in their feeds. It consists of: event ID, source (Reaction generator), reaction type, pointer to original event ID, and timestamp.</p>
        <p>Comment. A comment is the addition of text to a previously generated post, either by the same user or another user. The event data includes: event ID, source (Comment generator), comment text, pointer to original event ID, and timestamp.</p>
        <p>Connection. Connections between users can be created or removed—each such occurrence is encoded as a Connection event (if two nodes are already connected, a Connection event encodes the removal of the edge). The event data includes: event ID, source, target, and timestamp.</p>
        <p>Figure 3 illustrates these events in the context of the network from Figure 2.</p>
        <p>As mentioned above, we adapt here the NKB model presented in [9, 10]:</p>
        <p>NKBs. A Network Knowledge Base (NKB) is a 5-tuple (, , vert, edge, ) where the first four elements comprise a social network, and  is a mapping assigning a knowledge base to each vertex. Given , () is called the knowledge base associated with vertex .</p>
        <p>In our model, we make a slight modification: whereas in NKBs as proposed by Gallo et al. the KB associated with each vertex is meant to encode the corresponding user’s private beliefs, here it will group the posts made by that vertex and the interactions with posts from other vertices; () thus contains the events generated by that specific vertex; as shown in Figure 3, and as we discuss below, these KBs will be referred to as “SAKBs”. Another difference with the original NKB model is that here we explicitly model time via the assignment of timestamps to each event, as described above. Each event reaching vertices through their feeds is assumed to do so immediately (based on the timestamp of the original event).</p>
        <p>Example 3. Consider again the network from Figure 2. Based on its structure and available event data, we can observe the reach of events that occur. For example, if Bautista generates a Post event, it will reach the vertices connected to it: Amelia, Daniel, and Elsa. Furthermore, if Daniel shares the post by Bautista, it will also be seen by Amelia and Clara, and Bautista will see the event with the additions made by Daniel.</p>
        <p>With the necessary tools in place for understanding the structure of the social network and characterizing specific aspects of the environment, we can proceed with the definition of our framework.</p>
      </sec>
      <sec id="sec-4-2">
        <title>3.2. Supervisor Agents</title>
        <p>We now discuss the requirements for Supervisor Agents (SA, for short) in our model—in Section 4 we provide an architectural design based on the HEIST application framework. Each SA’s objective is to provide recommendations and/or make cybersecurity decisions based on the observation of the social network’s structure that it is monitoring, and the data stream generated by its events. SAs operate in an alert state within the social network they supervise, and have access both to the NKB model of the corresponding social network and its data stream, so they can access all the events generated by vertices in the network.</p>
        <p>Each agent SA maintains its own KB, which we will call SAKB, containing information about the social network and the security alerts occurring in that particular platform. SAKB receives information from the NKB model of the social platform  and its data stream. As we will discuss in Section 5, the SA must dynamically keep its KB up to date based on this knowledge. Furthermore, the SA also updates its KB with security alerts from other social platforms sent to Alerts-KB by other agents. We propose the application of belief revision operators for these purposes.</p>
        <p>[Figure 3 residue; recoverable labels: SA, SAKB, Clara, and the events Post(p0001; Beatriz; (#*!?*#); multimedia; [tags,Elsa]; t1) and Share(s0003; Amelia; (*##*!?); multimedia; [tags,Elsa]; p0001 t8).]</p>
        <p>Example 4. Consider the network in Figure 3. The agent analyzes the data stream and observes that Beatriz made a post tagging Elsa that contains offensive language. Initially, the SA may decide to remain alert without taking action. At a later time, the SA observes that Daniel makes offensive comments against Elsa in the original post by Beatriz. Subsequently, Amelia and Clara share Beatriz’s post, adding offensive comments. Based on this behavior, the SA raises an alert and issues warnings to the involved users.</p>
        <p>Making the decisions described in Example 4 is the central problem faced by each SA—there is a wide range of possibilities, and exploring this in detail is outside the scope of this paper. Different alternatives can be formalized as policies that the SA can carry out within its network. Examples include simple approaches based on thresholds (for instance, a three-strike rule that issues alerts after allowing two violations of a posting policy), or more complex schemes such as implementing a user classification mechanism, for instance based on user types as described in [9], that can be used to predict behaviors of interest.</p>
        <p>Among the tasks that agents must carry out, we have: (i) maintaining an updated SAKB specific to the social network it operates in; (ii) detecting potential threats or suspicious behaviors within the platform; (iii) sending notifications for security-based decision-making, (iv) notifying the individuals involved and the responsible party about security measures taken, (v) sending updates of new security alerts to the Alerts-KB, and (vi) revising their knowledge based on updates to the Alerts-KB made by other SAs.</p>
        <p>Based on the available knowledge, the SA could predict the viral effect of a post and recommend or implement security actions such as detecting negative viral effects, suspending users, managing the relevance level of posts, nullifying posts, or removing fake accounts. Several issues need to be addressed to enable SAs to carry out such tasks. In the following section we provide details regarding the use of HEIST to implement supervisor agents, and then in Section 5 we focus on how the data stream of the social network will be processed, and how the belief revision problem for each SA’s KB can be formulated.</p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>4. The HEIST-SA System</title>
      <p>We now present HEIST-SA, an extension of HEIST [3, 8] that yields an architectural design that guides the implementation of Supervisor Agents. We choose this model for its flexibility in combining both symbolic and subsymbolic tools, and because it explicitly considers explanations for query answers, which is central to cybersecurity applications.</p>
      <sec id="sec-5-2">
        <p>In the following, we discuss the modules described in Section 2 in the specific context of a use case based on a typical social platform where users generate events as described in Section 3 that must be processed in HEIST-SA.</p>
        <p>Data Ingestion. This component receives all the activity from the social platform, which includes all the events generated by each vertex of the network. The stream activity is continuous and unbounded, so this module must deal with aspects related to stream processing such as windowing, load shedding, etc. [<xref ref-type="bibr" rid="ref21">14</xref>]. As these tasks are completed, the module divides the data flow into windows, which are fed to the Symbolic Reasoning module.</p>
        <p>Sub-symbolic Services. This module provides support in the form of basic services, such as user classification to predict certain behaviors in users [11], determining if posts contain hate speech, predicting virality of posts, etc. This will allow making more relevant security decisions, deploying specific services depending on the context, such as image, audio, or video-based classifiers.</p>
        <p>Symbolic Reasoning. This module takes input from the Data Ingestion module and is thus responsible for implementing the stream reasoning [<xref ref-type="bibr" rid="ref22">15</xref>] aspects that we discuss in more detail in Section 5, as well as maintaining the agent’s SAKB. Concretely, the SA must perform stream reasoning-based belief revision in its SAKB as events occur in the social platform, seeking to detect malicious behavior. Specifically, the module receives a window from the stream, with which the NKB model is updated at the same time that the sub-symbolic services are applied to the events of that window. Rule-based approaches such as [<xref ref-type="bibr" rid="ref23">16</xref>], or other formalisms based on computational logic, are good candidates for implementing such functionalities.</p>
        <p>Query Answering. The QA module is responsible for user interaction—it coordinates the other modules to respond to user queries. Different types of users need to be distinguished, including regular users, expert users who are part of the working team, cybersecurity experts, and administrators of various groups within the social network, such as groups or pages, as explored in [3].</p>
        <p>Views(0)</p>
        <p>Data Stream
Data
Ingestion
Module
NKB</p>
        <p>Symbolic Reasoning</p>
        <p>Window
Belief Revision</p>
        <p>SAKB</p>
        <p>Daniel
@dani
Good event at #costaneraCdia</p>
        <p>Views(2)
Sub-symbolic Services</p>
        <p>User type classifier
Hate speech classifier</p>
        <p>Fake news classifier
Sensitive image classifier
Sensitive video classifier</p>
        <p>Viral content predictor
Cyberbullying risk predictor
…
Query Answering Module</p>
        <p>Explanations Module</p>
      </sec>
      <sec id="sec-5-3">
        <p>Explanations. This module provides explanations for the decisions made or actions suggested by the SA. As the agent’s decision-making is governed by the Symbolic Reasoning module, the Explanations module works in conjunction with the Query Answering module (and the Sub-symbolic Services module if it is used) to derive explanations for the security decisions made so they can be evaluated by different kinds of users.</p>
        <p>Human in the loop. This module is responsible for recording and responding to user feedback, which may involve updating the SAKB, reissuing a query, maintaining statistics of interest, etc. It also manages the type of explanations presented to each type of user in the social network, as discussed above.</p>
        <p>Next, we will focus on the challenges specific to the Symbolic Reasoning module, which will carry out belief revision tasks based on inputs from the data stream.</p>
      </sec>
    </sec>
    <sec id="sec-6">
      <title>5. Stream-based Belief Revision</title>
      <p>Belief revision is the problem of deciding how to react to epistemic inputs to a knowledge base [17, 18]. We now discuss how our agents perform belief revision tasks based on epistemic inputs coming from the data stream. First, we provide a more concrete definition of data stream.</p>
      <p>Data Stream: The data stream produced by a social network  is a continuous, a priori unbounded, sequence of social network events, where each event is generated by a vertex belonging to .</p>
      <p>
        These data streams contain information that needs to be processed promptly to extract knowledge as soon as relevant information becomes available [
        <xref ref-type="bibr" rid="ref21">14</xref>
        ]. The distinctive feature of data streams is that in general we cannot assume that their elements can be stored for later use. As a first step towards solving this problem, we need to address the processing of the data stream that the Data Ingestion module must perform.
      </p>
      <p>In the rest of this section, we first discuss basic issues that need to be addressed when considering implementations in this setting, then formalize the statement of the problem we wish to solve, discuss challenges that arise, and propose two preliminary proposals for solving our problem.</p>
      <p>[Figure: two timelines, t1 to t5 and t1 to t6, with the label “Peak activity”.]</p>
      <sec id="sec-6-6-1">
        <title>5.1. Information Stream Processing</title>
        <p>
          Given the nature of social networks and the large volume of data generated in short periods of time, conditions must be established to ensure that the processing of the data can be carried out in the best possible way. To this end, it is necessary to evaluate how stream reasoning [
          <xref ref-type="bibr" rid="ref22">15</xref>
          ] can be carried out in such settings so that the agent is capable of making the best possible use of the data stream produced by the associated social network, aiming to gain as much information as possible and respond to events of interest effectively. Next, we will consider different aspects related to handling the data stream from the social network that will enter the Data Ingestion module. As mentioned, data streams may contain inconsistencies, so we need to ensure that these are also processed in a way that provides the best handling of the data for the system’s objective. Since we cannot store all the incoming data, we must “discretize” the stream. We now define various aspects of the data stream processing effort.
        </p>
        <p>Firstly, we need to define the data model, which refers to how information is represented. The data stream is comprised of events represented as tuples whose structure depends on the specific type of event, as discussed in Section 3. In summary, we have the following five types of event:</p>
        <p>• Connection: ⟨event_id, user1, user2, time⟩</p>
        <p>• Post: ⟨event_id, user_src, text, media_elem, tag_set, time⟩</p>
        <p>• Share: ⟨event_id, user_src, text, media_elem, tag_set, post_id, time⟩</p>
        <p>• Reaction: ⟨event_id, user_src, react_type, orig_event, time⟩</p>
        <p>• Comment: ⟨event_id, user_src, text, orig_event, time⟩</p>
        <p>
          Once the data model is established, the next relevant aspect for data stream processing in our context is to consider windows, which is the construct typically used to discretize streams [
          <xref ref-type="bibr" rid="ref21">14</xref>
          ]. In our case, they will allow us to limit the scope of the revision operators.
        </p>
        <p>Window: A subset of events from a data stream selected according to a given criterion.</p>
        <p>Windows can be either logical, which implement a selection criterion based on bounds over timestamps, or physical, which work with prefixed bounds on the number of tuples to be considered. A second factor that needs to be addressed is how the bounds of the windows will be updated, which corresponds to how the window “moves” with time. Here, we will adopt the more general case of the sliding window, where both lower and upper bounds advance with the arrival of new items or the passage of time. A special case of this is the tumbling window, in which all items change each time the bounds are updated.</p>
        <p>We now analyze the strengths and weaknesses associated with two types of windows, both of which are valid options for discretizing the social platform data streams.</p>
        <p>Sliding pane logical window: In this case, windows are specified by a fixed time interval, allowing us to know the processing schedule—Figure 5 illustrates this case. A problem with this approach is that windows may become overloaded with data during peak activity, which can result in processing time that is greater than the validity of the window itself.</p>
        <p>Sliding pane physical window: In this case, we cannot predict the speed at which the window is updated since it depends on the number of tuples that arrive in the stream (cf. Figure 6). The advantage, of course, is that by knowing the number of items in each window, we can estimate how long it will take to process each window. On the other hand, we do not know the frequency at which the window will be updated, which can again lead to problems during peak activity, as a large number of elements need to be processed in a short period of time and this may not be possible.</p>
        <p>
          These two cases show that the processing model needs to define a load shedding policy [
          <xref ref-type="bibr" rid="ref21">14</xref>
          ], which essentially decides how to deal with data bursts or spikes in the stream by ignoring some of the tuples. In the general case in which several social platforms are involved, it seems unavoidable that such a policy be used since the volume of data streams varies depending on the number of active users on the platform at a given time, resulting in increased data volume during peak activity. In future work, we plan to study more precisely under which conditions each of these discretizations is most suitable for our system, what the impact of each one is in terms of effectiveness, and whether hybrid solutions might be possible.
        </p>
        <p>
          Other challenges related to stream processing. There are several challenges that need to be addressed in this context. First, we need to establish the relationship between items and the passage of time so that some kind of order among the items can be established. In cybersecurity applications, it is crucial to know when an incident originated and who replicated or amplified it. In our case, though items have timestamps, these may be fixed either at the origin by the social platform itself or, when this is not the case, by the Data Ingestion module as events are read. Related to this issue, in stream processing items may arrive out of order, meaning that we receive an item after receiving others that have a more recent timestamp. This has been studied recently in the Databases community [
          <xref ref-type="bibr" rid="ref26">19</xref>
          ], and it is important to study it in this setting as well.
        </p>
        <p>Other important challenges involve providing support for uncertainty. Agents should be able to handle inputs with uncertainty, as they may for instance encounter insults in a post that may not necessarily indicate an attack but rather a playful interaction between two users. Additionally, SAs need to support outputs with uncertainty since alerts generated may not always indicate a real problem.</p>
      </sec>
      <sec id="sec-6-11">
        <title>5.2. Belief Revision: Problem Statement</title>
        <p>Let K be an SAKB and  a window belonging to data stream DS of the social network SN. We wish to define a stream-based belief revision operator  as a function that takes  and  and produces a new SAKB ′:</p>
        <p>K′ =  (K, )</p>
        <p>That is, K′ is obtained by applying operator  to the original K with epistemic inputs from  arising from data stream DS.</p>
        <p>Assuming a scenario with no computational resource limitations, applying  would result in a consistent and updated K that could be handled with existing belief revision operators. However, this ideal scenario is not possible since in general we may not have enough time to process each window. Our system must therefore have principled mechanisms for deciding which elements in the window will not be processed, and for this to be effective we must study how that impacts the result.</p>
        <p>In the following section, we discuss several challenges that arise in practice: (i) real-time processing, (ii) out-of-order events, and (iii) event overload during peak activity. Given that classical belief revision operators—such as [17, 20, 21, 22, 23]—are not designed to work in this setting, their direct application would lead to one or more of such requirements to not be met.</p>
      </sec>
      <sec id="sec-6-12">
        <title>5.3. Challenges in Stream-based Belief Revision</title>
        <p>Though in abstract the stream-based belief revision problem is straightforward—simply apply a belief revision operator to the current window and continue doing so each time it is updated—things fall apart when we consider the challenges described above that arise when processing data streams. For instance, events in the stream may arrive out of order; applying an operator with incomplete information can generate different results than if we have all the information in a timely manner, and by the time the remaining data arrives it may be too late to correct the mismatch. Therefore, policies for handling out of order events will play a crucial role in deriving effective solutions to this problem, and their properties need to be thoroughly studied.</p>
        <p>
          Since belief revision operators tend to be computationally costly [
          <xref ref-type="bibr" rid="ref31">24</xref>
          ], this leads to the problem of overload in windows where the volume of events is large or where windows are updated within short periods of time. While the operator processes the current window, an update may occur and the Supervisor Agent in this case would fall behind, causing a bottleneck in the operator and an outdated knowledge base. There are essentially three ways in which we may deal with this situation. First, as discussed above, we may implement a load shedding policy that simply chooses which elements are ignored so that the operator finishes in time. A second option is to develop a suite of operators, ranging from a lightweight option suitable for heavy loads to an ideal one that may be applied when time is available. Finally, as a compromise solution, we may consider developing something akin to “second order windows” where unprocessed elements are saved for later processing—though additional cost is incurred in terms of space, and results will not be available in a timely manner, correctness is not sacrificed.
        </p>
        <p>Next, we describe a preliminary proposal in the form of two possible options for simple operators to address these challenges.</p>
      </sec>
      <sec id="sec-6-13">
        <title>5.4. First Steps towards a Solution</title>
        <p>To tackle the challenges identified above, we may consider two possibilities: (i) ignoring the unprocessed events (i.e., not addressing them at all), and (ii) allowing the KB to accept inconsistency by incorporating the unprocessed events.</p>
        <p>These two options represent distinct semantic decisions that we discuss below. Note that depending on the specific system load there may be windows in which all events can be processed resulting in the updated SAKB. We focus on the interesting case that corresponds to situations where the available time for window processing may be insufficient to process all events contained in the window.</p>
        <p>[Figures: two timelines over t1 to t5, one with a “Cautious operator” and one with a “Credulous operator” applied at each instant to the SAKB; the first also carries the label “Unprocessed events”.]</p>
        <p>In the following, in order to be able to use classical revision operators, we simplify the knowledge representation model and assume SAKBs and  are formulas in a propositional language ℒ. Furthermore, let  () represent the set of elements in window  that have been processed so far, and  () =  ∖  () represent the set of elements in window  that have not been processed.</p>
        <p>Option 1: Ignore unprocessed events</p>
        <p>Let “*” be a classical multiple revision operator; a cautious operator Υ can be defined as follows:</p>
        <p>Υ(K, ) = K *  ()</p>
        <p>If the unprocessed knowledge ( ()) from the current window is discarded, the SAKB will be consistent, and consequently, queries can be resolved using classical reasoning. This simplifies the processing of the SAKB, but it results in partial knowledge, since a significant number of events may be left out. This could include a multitude of attacks or events that could indicate potential threats, which would not be processed by the SA. This is illustrated in Figure 7.</p>
        <p>Consider a scenario where a user on the social network is being targeted by other users, such as a case of cyberbullying. Since the SA does not process all of the events, it may only see a fraction of the comments and overlook the attack. Let’s say there were 50 comments in the window, but the agent only processed 10 of them, along with other unrelated events. If we consider an agent that takes action when it detects 30 offensive comments, by processing only 10 comments, it would miss identifying the attack. This simple example highlights the drawbacks of this decision.</p>
        <p>Option 2: Allow inconsistency by incorporating the unprocessed events</p>
        <p>Let “*” be a classical multiple revision operator, and “+” be a classical expansion</p>
        <p>In this case, we incorporate the unevaluated knowledge into the SAKB, and it may therefore become inconsistent as a result (cf. Figure 8). Though this deals with the problem initially, it pushes the issue to the Query Answering module, which must apply costly inconsistency-tolerant methods in order to function properly.</p>
        <p>By incorporating unevaluated data into the SAKB, we may include information that appears to be a threat but is actually not. For example, we may have comments in a post that contain inappropriate words, but due to the existing relationship between the involved parties and the stored knowledge, it may be consistent with their way of communicating. These comments could be insults used in a playful manner and therefore do not represent a real attack. Since the SA could not evaluate this event and it was incorporated directly into the SAKB, this incident may play a role it wouldn’t have if the window had been processed fully.</p>
        <p>
          In this case, the problem is pushed to the QA module since decisions made by the agent will be “contaminated” by unevaluated data. For instance, it would be necessary to define the level of confidence in the information provided by the SA. We could establish a semantics based on trust for conflict resolution. To achieve this, a measure indicating the level of confidence should be assigned to each piece of information and updated in each application of the revision operator. One possibility would be to consider a form of stratified SAKB [
          <xref ref-type="bibr" rid="ref30 ref32">25, 23</xref>
          ], where all the processed data forms the “hard” layer with a high level of confidence, and then having layers containing the unevaluated data from each window, potentially with different levels of confidence associated.
        </p>
        <p>These operators could address the issue of event overload during peak activity, allowing (near) real-time processing. However, the policy for handling out-of-order events still needs to be defined. To implement these operators, as future work, we need to define new postulates and constructs that allow us to apply belief revision in these environments. One possibility is to consider the possibility of defining postulates that do not necessarily have to be fully satisfied, but rather think about degrees of satisfaction that provide flexibility to better characterize real-world environments.</p>
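        <p>The two options of Section 5.4 on the 50-comment scenario, as an added example that is not code from the paper. Assumptions: literals are (atom, truth) pairs, revise() is a simplified stand-in for a classical multiple revision operator, Option 2 (whose formula is cut off above) is read as revising with the processed events and then expanding with the unprocessed ones, and all names and sample data are constructed.</p>

```python
from dataclasses import dataclass, field

ALERT_THRESHOLD = 30            # the agent acts at 30 offensive comments (figure from the text)
BAD_WORDS = {"idiot", "loser"}  # constructed stand-in for a hate-speech classifier


@dataclass(frozen=True)
class Comment:
    """Comment event from the data model: (event_id, user_src, text, orig_event, time)."""
    event_id: int
    user_src: str
    text: str
    orig_event: int
    time: int


@dataclass
class SAKB:
    """Literals are (atom, truth) pairs. `hard` holds evaluated knowledge; `soft` is the
    layer of unevaluated knowledge that only the credulous operator fills."""
    hard: set = field(default_factory=set)
    soft: set = field(default_factory=set)


def has_bad_word(c):
    return any(w in c.text.lower() for w in BAD_WORDS)


def evaluate(c, kb):
    """Full processing: the classifier verdict is checked against stored knowledge."""
    known_banter = (("hostile", c.user_src), False) in kb.hard
    attack = has_bad_word(c) and not known_banter
    return {(("offensive", c.event_id), attack), (("hostile", c.user_src), attack)}


def raw_reading(c):
    """No evaluation: an unprocessed comment is taken at face value."""
    flagged = has_bad_word(c)
    return {(("offensive", c.event_id), flagged), (("hostile", c.user_src), flagged)}


def revise(literals, new):
    """Simplified stand-in for '*': incoming literals displace their complements."""
    new_atoms = {atom for atom, _ in new}
    return {(a, v) for a, v in literals if a not in new_atoms} | new


def split_window(window, budget):
    """Processed part is what the time budget allowed; the rest is unprocessed."""
    ordered = sorted(window, key=lambda c: c.time)
    return ordered[:budget], ordered[budget:]


def cautious(kb, window, budget):
    """Option 1: revise with the processed events only; the rest is dropped."""
    processed, _ = split_window(window, budget)
    new = set().union(*(evaluate(c, kb) for c in processed))
    return SAKB(hard=revise(kb.hard, new), soft=set(kb.soft))


def credulous(kb, window, budget):
    """Option 2 as assumed here: revise as above, then expand ('+') with raw readings."""
    _, unprocessed = split_window(window, budget)
    revised = cautious(kb, window, budget)
    raw = set().union(*(raw_reading(c) for c in unprocessed))
    return SAKB(hard=revised.hard, soft=revised.soft | raw)


def offensive_count(kb):
    return sum(1 for (kind, _), truth in kb.hard | kb.soft if kind == "offensive" and truth)


def alert(kb):
    return offensive_count(kb) >= ALERT_THRESHOLD


def conflicts(kb):
    """Atoms asserted both true and false: what the QA module would have to tolerate."""
    merged = kb.hard | kb.soft
    return {atom for atom, truth in merged if (atom, not truth) in merged}


def sample_window():
    """Constructed window: 50 comments on post 900; 45 from trolls, 5 playful ones from dani."""
    window = []
    for i in range(1, 51):
        playful = i in (12, 20, 28, 36, 44)
        user = "dani" if playful else f"troll{i % 9}"
        text = "you loser, see you at the match" if playful else "what an idiot"
        window.append(Comment(i, user, text, 900, 1000 + i))
    return window


# Stored knowledge (constructed): dani and the post owner are known to banter.
PRIOR = SAKB(hard={(("hostile", "dani"), False)})

if __name__ == "__main__":
    w = sample_window()
    for name, kb in (("ideal", cautious(PRIOR, w, len(w))),
                     ("cautious", cautious(PRIOR, w, 10)),
                     ("credulous", credulous(PRIOR, w, 10))):
        print(name, offensive_count(kb), alert(kb), sorted(conflicts(kb)))
```

        <p>With a budget of 10 events the cautious result stays consistent but never reaches the alert threshold, while the credulous result raises the alert, over-counts the playful comments, and leaves a contradiction about dani for query answering to resolve.</p>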
      </sec>
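      <p>The two window types of Section 5.1 applied to a bursty stream, as an added example that is not code from the paper. Assumptions: tumbling windows, a fixed processing rate in events per tick, a load shedding policy that keeps the earliest tuples, and a constructed stream; the function names are hypothetical.</p>

```python
from collections import namedtuple

# Only the fields windowing needs; every event type in the data model carries both.
Event = namedtuple("Event", "event_id time")


def sample_stream():
    """Constructed stream: 1 event per tick, except a peak of 10 per tick in ticks 30..39."""
    events = []
    for tick in range(60):
        per_tick = 10 if tick in range(30, 40) else 1
        for _ in range(per_tick):
            events.append(Event(len(events), tick))
    return events


def logical_windows(events, width):
    """Tumbling logical windows: one window per interval of `width` ticks."""
    buckets = {}
    for e in events:
        buckets.setdefault(e.time // width, []).append(e)
    return [buckets[k] for k in sorted(buckets)]


def physical_windows(events, size):
    """Tumbling physical windows: each window holds a fixed number of tuples."""
    ordered = sorted(events, key=lambda e: e.time)
    return [ordered[i:i + size] for i in range(0, len(ordered), size)]


def shed(window, capacity):
    """Load shedding policy assumed here: keep the earliest `capacity` tuples, ignore the rest."""
    ordered = sorted(window, key=lambda e: e.time)
    return ordered[:capacity], ordered[capacity:]


def overloaded_logical(events, width, rate):
    """Logical windows whose processing time (size / rate) exceeds their validity (`width`).
    Returns (window index, window size, tuples shed so that processing finishes in time)."""
    capacity = rate * width
    report = []
    for k, window in enumerate(logical_windows(events, width)):
        _, dropped = shed(window, capacity)
        if dropped:
            report.append((k, len(window), len(dropped)))
    return report


def late_physical(events, size, rate):
    """Physical windows that filled up faster than the agent can process them."""
    late = []
    for k, window in enumerate(physical_windows(events, size)):
        fill_time = window[-1].time - window[0].time
        if len(window) / rate > fill_time:
            late.append(k)
    return late


if __name__ == "__main__":
    stream = sample_stream()
    # Agent processes 3 events per tick in both settings.
    print("logical, width 10:", overloaded_logical(stream, 10, 3))
    print("physical, size 30:", late_physical(stream, 30, 3))
```

      <p>The logical window covering the peak holds 100 tuples against a capacity of 30, so 70 are shed; the physical windows keep a constant size but three of them fill within 2 ticks while each needs 10 ticks to process.</p>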
    </sec>
    <sec id="sec-7">
      <title>References</title>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <surname>G. I. Simari</surname>
          </string-name>
          ,
          <article-title>From data to knowledge engineering for cybersecurity</article-title>
          , in: S. Kraus (Ed.),
          <source>Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence, IJCAI</source>
          <year>2019</year>
          , Macao, China,
          <source>August 10-16</source>
          ,
          <year>2019</year>
          , ijcai.org,
          <year>2019</year>
          , pp.
          <fpage>6403</fpage>
          -
          <lpage>6407</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <surname>OSG</surname>
          </string-name>
          ,
          <article-title>Social media and youth mental health: The US Surgeon General's advisory, Online (accessed 9</article-title>
          -June-2023)
          <article-title>- 6</article-title>
          . Conclusions and Future Work https://www.hhs.gov/sites/default/files/ sg
          <article-title>-youth-mental-health-social-media-advisory.</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          <article-title>In this work, we discuss the need to address cybersecurity pdf</article-title>
          ,
          <year>2023</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          <article-title>issues in social networks, and develop a preliminary pro-</article-title>
          [3]
          <string-name>
            <given-names>J.</given-names>
            <surname>Paredes</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. C.</given-names>
            <surname>Teze</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. V.</given-names>
            <surname>Martinez</surname>
          </string-name>
          ,
          <string-name>
            <surname>G. I.</surname>
          </string-name>
          <article-title>Simari, posal for a multi-agent system based on the instantiation The HEIC application framework for implementof a recently-proposed application framework. Since the ing xai-based socio-technical systems</article-title>
          ,
          <source>Online Soc.</source>
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          <article-title>system works with data streams comprised of the events Networks Media 32 (</article-title>
          <year>2022</year>
          )
          <article-title>100239</article-title>
          . URL: https://doi.
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          <article-title>that occur within the social platforms being inspected</article-title>
          ,
          <source>org/10</source>
          .1016/j.osnem.
          <year>2022</year>
          .
          <volume>100239</volume>
          . doi:
          <volume>10</volume>
          .1016/j.
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          <article-title>we argue that stream-based belief revision operators are osnem</article-title>
          .
          <year>2022</year>
          .
          <volume>100239</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          <article-title>at the heart of efective solutions to this problem</article-title>
          .
          <source>We</source>
          [4]
          <string-name>
            <surname>K. M. Caramancion</surname>
          </string-name>
          ,
          <article-title>An exploration of disinformadiscuss the need to make diferent decisions regarding tion as a cybersecurity threat, in: 2020 3rd Interthe way in which the data stream is processed via win- national Conference on Information and Computer dow operators, such as the type of window to use and Technologies (ICICT)</article-title>
          , IEEE,
          <year>2020</year>
          , pp.
          <fpage>440</fpage>
          -
          <lpage>444</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          <article-title>the implications of defining their size and update criteria</article-title>
          , [5]
          <string-name>
            <given-names>E.</given-names>
            <surname>Nunes</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Shakarian</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G. I.</given-names>
            <surname>Simari</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Ruef</surname>
          </string-name>
          ,
          <article-title>Artifiand identify several challenges that must be overcome cial intelligence tools for cyber attribution, Springer in the path to efective and eficient solutions</article-title>
          .
          <source>We</source>
          illus- (
          <year>2018</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          <article-title>trate these challenges by presenting two operators based [6</article-title>
          ]
          <string-name>
            <given-names>E.</given-names>
            <surname>Ferrara</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Varol</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Davis</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Menczer</surname>
          </string-name>
          ,
          <string-name>
            <surname>A.</surname>
          </string-name>
          <article-title>Flamon classical belief revision, showing how they may not mini, The rise of social bots, Communications of behave as expected</article-title>
          .
          <source>the ACM</source>
          <volume>59</volume>
          (
          <year>2016</year>
          )
          <fpage>96</fpage>
          -
          <lpage>104</lpage>
          .
          <article-title>Future work in this research line involves defining pos-</article-title>
          [7]
          <string-name>
            <given-names>J.</given-names>
            <surname>Paredes</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G. I.</given-names>
            <surname>Simari</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. V.</given-names>
            <surname>Martinez</surname>
          </string-name>
          ,
          <string-name>
            <surname>M. A.</surname>
          </string-name>
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          <article-title>tulates that are especially designed for this setting, as Falappa, First steps towards data-driven adversarial well as constructions of operators based on (subsets) of deduplication</article-title>
          ,
          <source>Information</source>
          <volume>9</volume>
          (
          <year>2018</year>
          )
          <fpage>189</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          <article-title>these postulates. Given the practical motivation of this [8</article-title>
          ]
          <string-name>
            <given-names>J. C. L.</given-names>
            <surname>Teze</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Paredes</surname>
          </string-name>
          ,
          <string-name>
            <surname>M.</surname>
          </string-name>
          <article-title>V. Martinez, work, we also intend to design and carry out adequate em- G. I. Simari, Engineering user-centered expirical studies to validate the results obtained. Finally, we planations to query answers in ontology-driven believe that this line of research-as well as any software socio-technical systems</article-title>
          , Semantic Web (
          <year>2023</year>
          )
          <article-title>products that are built based on it-would benefit from 1-30</article-title>
          (In Press). URL: https://content.iospress.
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          <article-title>following guidelines towards achieving trustworthiness com/articles/semantic-web/sw233297</article-title>
          . doi:DOI:10.
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          <string-name>
            <surname>by</surname>
          </string-name>
          <year>design6</year>
          . 3233/SW-233297. [9]
          <string-name>
            <given-names>F. R.</given-names>
            <surname>Gallo</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G. I.</given-names>
            <surname>Simari</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. V.</given-names>
            <surname>Martinez</surname>
          </string-name>
          ,
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          <string-name>
            <given-names>M. A.</given-names>
            <surname>Falappa</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N. A.</given-names>
            <surname>Santos</surname>
          </string-name>
          ,
          <article-title>Reasoning about sentiment and knowledge diffusion in social networks</article-title>
          ,
          <source>IEEE Internet Comput.</source>
          <volume>21</volume>
          (
          <year>2017</year>
          )
          <fpage>8</fpage>
          -
          <lpage>17</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>F. R.</given-names>
            <surname>Gallo</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G. I.</given-names>
            <surname>Simari</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. V.</given-names>
            <surname>Martinez</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N. A.</given-names>
            <surname>Santos</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. A.</given-names>
            <surname>Falappa</surname>
          </string-name>
          ,
          <article-title>Local belief dynamics in network knowledge bases</article-title>
          ,
          <source>ACM Transactions on Computational Logic (TOCL)</source>
          <volume>23</volume>
          (
          <year>2021</year>
          )
          <fpage>1</fpage>
          -
          <lpage>36</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>F. R.</given-names>
            <surname>Gallo</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G. I.</given-names>
            <surname>Simari</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. V.</given-names>
            <surname>Martinez</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. A.</given-names>
            <surname>Falappa</surname>
          </string-name>
          ,
          <article-title>Predicting user reactions to twitter feed content based on personality type and social cues</article-title>
          ,
          <source>Future Generation Computer Systems</source>
          <volume>110</volume>
          (
          <year>2020</year>
          )
          <fpage>918</fpage>
          -
          <lpage>930</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          Acknowledgments. This work was funded in part by Universidad Nacional del Sur (UNS) under grant PGI 24/ZN057, Secretaría de Investigación Científica y Tecnológica FCEN-UBA (RESCS-2020-345-E-UBA-REC), Universidad Nacional de Entre Ríos under grant PDTS-UNER 7066, CONICET under the grant PIP (11220200101408CO), and Agencia Nacional de Promoción Científica y Tecnológica, Argentina under grants PICT-2018-0475 (PRH-2014-0007) and PICT-2020 SERIE A-01481.
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>W. B.</given-names>
            <surname>Knox</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Stone</surname>
          </string-name>
          ,
          <article-title>Augmenting reinforcement learning with human feedback</article-title>
          ,
          in:
          <source>ICML 2011 Workshop on New Developments in Imitation Learning (July 2011)</source>
          , volume
          <volume>855</volume>
          ,
          <year>2011</year>
          , p.
          <fpage>3</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>P. F.</given-names>
            <surname>Christiano</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Leike</surname>
          </string-name>
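          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Brown</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Martic</surname>
          </string-name>
          ,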
          <string-name>
            <given-names>S.</given-names>
            <surname>Legg</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Amodei</surname>
          </string-name>
          ,
          <article-title>Deep reinforcement learning from human preferences</article-title>
          ,
          <source>Advances in neural information processing systems</source>
          <volume>30</volume>
          (
          <year>2017</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [14]
          <string-name>
            <given-names>G.</given-names>
            <surname>Cugola</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Margara</surname>
          </string-name>
          ,
          <article-title>Processing flows of information: From data stream to complex event processing</article-title>
          ,
          <source>ACM Computing Surveys</source>
          (
          <year>2012</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [15]
          <string-name>
            <given-names>E.</given-names>
            <surname>Della Valle</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Ceri</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Van Harmelen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Fensel</surname>
          </string-name>
          ,
          <article-title>It's a streaming world! reasoning upon rapidly changing information</article-title>
          ,
          <source>IEEE Intelligent Systems</source>
          <volume>24</volume>
          (
          <year>2009</year>
          )
          <fpage>83</fpage>
          -
          <lpage>89</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [16]
          <string-name>
            <given-names>A.</given-names>
            <surname>Ronca</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Kaminski</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B. C.</given-names>
            <surname>Grau</surname>
          </string-name>
          ,
          <string-name>
            <given-names>I.</given-names>
            <surname>Horrocks</surname>
          </string-name>
          ,
          <article-title>The delay and window size problems in rule-based stream reasoning</article-title>
          ,
          <source>Artificial Intelligence</source>
          <volume>306</volume>
          (
          <year>2022</year>
          )
          <fpage>103668</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [17]
          <string-name>
            <given-names>C. E.</given-names>
            <surname>Alchourrón</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Gärdenfors</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Makinson</surname>
          </string-name>
          ,
          <article-title>On the logic of theory change: Partial meet contraction and revision functions</article-title>
          ,
          <source>The Journal of Symbolic Logic</source>
          <volume>50</volume>
          (
          <year>1985</year>
          )
          <fpage>510</fpage>
          -
          <lpage>530</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          [18]
          <string-name>
            <given-names>P.</given-names>
            <surname>Gärdenfors</surname>
          </string-name>
          ,
          <article-title>Knowledge in flux: Modeling the dynamics of epistemic states</article-title>
          , The MIT Press,
          <year>1988</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          [19]
          <string-name>
            <given-names>M.</given-names>
            <surname>Fragkoulis</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Carbone</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Kalavri</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Katsifodimos</surname>
          </string-name>
          ,
          <article-title>A survey on the evolution of stream processing systems</article-title>
          , arXiv preprint arXiv:2008.00842 (
          <year>2020</year>
          ). doi:https://doi.org/10.48550/arXiv.2008.00842.
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          [20]
          <string-name>
            <given-names>S. O.</given-names>
            <surname>Hansson</surname>
          </string-name>
          ,
          <article-title>Kernel contraction</article-title>
          ,
          <source>Journal of Symbolic Logic</source>
          <volume>59</volume>
          (
          <year>1994</year>
          )
          <fpage>845</fpage>
          -
          <lpage>859</lpage>
          . doi:10.2307/2275912.
        </mixed-citation>
      </ref>
      <ref id="ref28">
        <mixed-citation>
          [21]
          <string-name>
            <given-names>L.</given-names>
            <surname>Amgoud</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Kaci</surname>
          </string-name>
          ,
          <article-title>An argumentation framework for merging conflicting knowledge bases: The prioritized case</article-title>
          , in:
          <source>Symbolic and Quantitative Approaches to Reasoning with Uncertainty: 8th European Conference, ECSQARU 2005, Barcelona, Spain, July 6-8, 2005. Proceedings 8</source>
          , Springer,
          <year>2005</year>
          , pp.
          <fpage>527</fpage>
          -
          <lpage>538</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref29">
        <mixed-citation>
          [22]
          <string-name>
            <given-names>J. P.</given-names>
            <surname>Delgrande</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Dubois</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Lang</surname>
          </string-name>
          ,
          <article-title>Iterated revision as prioritized merging</article-title>
          ,
          <source>KR</source>
          <volume>6</volume>
          (
          <year>2006</year>
          )
          <fpage>210</fpage>
          -
          <lpage>220</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref30">
        <mixed-citation>
          [23]
          <string-name>
            <given-names>M. A.</given-names>
            <surname>Falappa</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G.</given-names>
            <surname>Kern-Isberner</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. D.</given-names>
            <surname>Reis</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G. R.</given-names>
            <surname>Simari</surname>
          </string-name>
          ,
          <article-title>Prioritized and non-prioritized multiple change on belief bases</article-title>
          ,
          <source>Journal of Philosophical Logic</source>
          <volume>41</volume>
          (
          <year>2012</year>
          )
          <fpage>77</fpage>
          -
          <lpage>113</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref31">
        <mixed-citation>
          [24]
          <string-name>
            <given-names>P.</given-names>
            <surname>Liberatore</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Schaerf</surname>
          </string-name>
          ,
          <article-title>Belief revision and update: Complexity of model checking</article-title>
          ,
          <source>Journal of Computer and System Sciences</source>
          <volume>62</volume>
          (
          <year>2001</year>
          )
          <fpage>43</fpage>
          -
          <lpage>72</lpage>
          . URL: https://www.sciencedirect.com/science/article/pii/S0022000000916982. doi:https://doi.org/10.1006/jcss.2000.1698.
        </mixed-citation>
      </ref>
      <ref id="ref32">
        <mixed-citation>
          [25]
          <string-name>
            <given-names>G.</given-names>
            <surname>Brewka</surname>
          </string-name>
          ,
          <article-title>Preferred subtheories: An extended logical framework for default reasoning</article-title>
          ,
          <year>1989</year>
          , pp.
          <fpage>1043</fpage>
          -
          <lpage>1048</lpage>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>