Constant interaction on social networks shapes individual decisions and behaviors, influencing both mental and social well-being. To address the complex and adversarial nature of these environments-marked by phenomena such as cyberbullying, grooming, and hate speech-this work examines the design of belief revision operators for processing streaming information within a multi-agent framework. Using the HEIST framework for hybrid socio-technical systems, we explore two knowledge dynamics operators: a cautious operator, which promotes stability in belief updates, and a credulous operator, which favors adaptability and rapid assimilation of new information. These operators define distinct reasoning behaviors for interacting agents engaged in continuous, dynamic, uncertain, and potentially adversarial information flows.
Much of our daily activities are based on continuous direct or indirect interaction with information and
news from the internet. This interaction generates large volumes of data, which are used for various
purposes. Within these purposes, those with malicious intent deserve special attention, since they can
cause harm in various areas and/or afect the decision-making processes of many people worldwide.
This motivates research and development closely related to eforts in cybersecurity, understanding this
area according to the general conception1 including not only low-level information security issues, but
also human-centered factors such as cyberbullying, hate speech, and attacks against mechanisms that
make online trust possible. These represent key challenges and motivate this line of work [
These problems, though diferent in nature, share the fact that solving or addressing them involve
an efective use of incomplete, uncertain, and even biased knowledge. Therefore, cybersecurity is a
broad area of research and practice that requires leveraging tools to address common issues for diferent
types of attacks. Artificial Intelligence is useful in this context since it provides many basic tools that
can be applied on their own or in combination towards the development of an efective and eficient
solution. The model we propose in this work is intended to be used in the context of social platforms in
general, allowing for systematic processing of a larger amount of data than what humans are capable
of. Our model is an instantiation of the HEIST (Hybrid Explainable and Interpretable Socio-Technical
Systems) [
In [
In this section, we briefly recall the proposed multi-agent system. Figure 1 provides an overview of the proposed system. Each agent in the system is responsible for supervising a particular social network, and exchanges information through a centralized knowledge base called Alerts-KB, which serves as a repository for the agents to have up-to-date information on security alerts arising from diferent social networks. This knowledge repository is reviewed and updated based on the information shared by each agent in the system. As a result, the agents exchange information that enables them to proactively address potential cybersecurity issues that have already been identified in other networks.
Each supervisor agent maintains its own knowledge base of the social network it operates in. Agents engage in belief revision processes in order to update their own KB. Continuous belief revision processes enable agents to make informed decisions and implement appropriate actions in a timely manner. Example 1. A recurring security issue in social media platforms is the distribution of sexually suggestive images of the human body. Various security measures are in place to filter out images containing certain sensitive content, such as uncovered body parts, including nipples. These measures aim to address security concerns, but they also hinder the positive uses of such images, such as breast cancer prevention campaigns.
Consider the scenario where a user called “Medical Center”, validated as a health authority, posts a video showing a breast as part of a breast cancer prevention campaign. In the proposed model, the intelligent agent can consult the information about this user in the knowledge base and determine that they consistently share legitimate medical content. Based on this knowledge, it would be best not to censor this particular post, since it would allow for more efective prevention campaigns. Alerts-KB
SA
SA
2.1. Modeling Social Networks
In order to address cybersecurity issues in social platforms, we must be able to model users and their
relationships, for which we first adopt the way social networks are modeled in [
Considering the specific characteristics of social networks, it is crucial to model the diferent users and their relationships, i.e., the edges and vertices of the network, as well as the various interactions among them. The latter are events within the social network, and thus we must model a continuous sequence of events that contain relevant information for the system, which we refer to as a data stream.
Events within the social network can take diferent forms. We now mention the most common events in these environments and their specific characteristics. However, a particular social network may have additional types of events beyond those mentioned here.
Post. Each time a user creates new content, a Post event is created. This event reaches the vertices that are connected to the posting vertex. It consists of: event ID, source (publisher), text, multimedia element, set of tags, and timestamp.
Share. Based on a Post event, a user can generate a Share event, which means sharing the original post with or without adding new data. Sharing increases the reach of the original post to the vertices connected to the Share-generating vertex. It contains the same elements as a Post event, plus a pointer to the ID of the original post: event ID, source (Share generator), text, multimedia element, set of tags, pointer to original post ID, and timestamp. Reaction. Refers to the reactions to a post, such as “like”, “love”, or other types of reactions depending on the platform. This event does not increase the reach of the original post but can influence its visibility to a greater number of users in their feeds. It consists of: event ID, source (Reaction generator), reaction type, pointer to original event ID, and timestamp. Comment. A comment is the addition of text to a previously generated post, either by the same user or another user. The event data includes: event ID, source (Comment generator), comment text, pointer to original event ID, and timestamp.
Connection. Connections between users can be created or removed—each such occurrence is encoded as a Connection event (if two nodes are already connected, a Connection event encodes the removal of the edge). The event data includes: event ID, source, target, and timestamp.
As mentioned above, we adapt here the NKB model presented in [
In our model, we make a slight modification: whereas in NKBs as proposed by Gallo et al. the KB associated with each vertex is meant to encode the corresponding user’s private beliefs, here it will group the posts made by that vertex and the interactions with posts from other vertices; () thus contains the events generated by that specific vertex; as shown in Figure 2, and as we discuss below, these KBs will be referred to as “SAKBs”.
With the necessary tools in place for understanding the structure of the social network and characterizing specific aspects of the environment, we can proceed with the definition of our framework. 2.2. Supervisor Agents Each Supervisor Agent (SA, for short) objective is to provide recommendations and/or make cybersecurity decisions based on the observation of the social network’s structure that it is monitoring, and the data stream generated by its events. SAs operate in an alert state within the social network they supervise, and have access both to the NKB model of the corresponding social network and its data stream, so it can access all the events generated by vertices in the network.
Each agent SA maintains its own KB, which we will call SAKB, containing information about the social network and the security alerts occurring in that particular platform. SAKB receives information from the NKB model of the social platform and its data stream. As we will discuss in Section 3, the SA must dynamically keep its KB up to date based on this knowledge. Furthermore, the SA also updates its KB with security alerts from other social platforms sent to Alerts-KB by other agents. We propose the application of belief revision operators for these purposes.
Example 2. Consider the network in Figure 2. The agent analyzes the data stream and observes that Beatriz made a post tagging Elsa that contains ofensive language.
Initially, the SA may decide to remain alert without taking action. At a later time, the SA observes that Daniel makes ofensive comments against Elsa in the original post by Beatriz. Subsequently, Amelia and Clara share Beatriz’s post, adding ofensive comments. Based on this behavior, the SA raises an alert and issues warnings to the involved users.
Making the decisions described in Example 2 is the central problem faced by each SA—there is a wide
range of possibilities, and exploring this in detail is outside the scope of this paper. Diferent alternatives
can be formalized as policies that the SA can carry out within its network. A simple approaches based
on thresholds (for instance, a three-strike rule that issues alerts after allowing two violations of a posting
policy), or more complex schemes such as implementing a user classification mechanism, for instance
based on user types as described in [
Among the tasks agents must carry out, we have: (i) maintaining an updated SAKB specific to the social network it operates in; (ii) detecting potential threats or suspicious behaviors within the platform;
Share(s0004; Clara; (*##*!?); multimedia; [tags,Elsa]; p0001; t11)
Share(s0002; Daniel; (*##*!?); multimedia; [tags,Elsa]; p0001; t4)
Data Stream Data Ingestion Module NKB
Symbolic Reasoning
Window Belief Revision
SAKB
Daniel
Elsa Daniel @dani Good event at #costaneraCdia
Views(2) Sub-symbolic Services
User type classifier Hate speech classifier
Fake news classifier Sensitive image classifier Sensitive video classifier
Viral content predictor Cyberbullying risk predictor …
Share(s0003; Amelia; (*##*!?); multimedia; [tags,Elsa]; p0001 t8)
Post(p0001; Beatriz; (#*!?*#);
multimedia; [tags,Elsa]; t1) Amelia
Beatriz Query Answering Module
Explanations Module (iii) sending notifications for security-based decision-making, (iv) notifying the individuals involved and the responsible party about security measures taken, (v) sending updates of new security alerts to the Alerts-KB, and (vi) revising their knowledge based on updates to the Alerts-KB made by other SAs.
Based on the available knowledge, the SA could predict the viral efect of a post and recommend or
implement security actions such as detecting negative viral efects, suspending users, managing the
relevance level of posts, nullifying posts, or removing fake accounts. We instantiated and extended
the framework in HEIST [
Among all the modules that the architecture consists of, we will center our attention on the Symbolic Reasoning module and its specific challenges, as this module is the responsible of carrying out belief revision tasks based on inputs from the data stream.
Symbolic Reasoning. This module takes input from the Data Ingestion module and is thus responsible
for implementing the stream reasoning [
Belief revision is the problem of deciding how to react to epistemic inputs to a knowledge base [
Data Stream: The data stream produced by a social network is a continuous, a priori unbounded, sequence of social network events, where each event is generated by a vertex belonging to .
These streams contain information that needs to be processed promptly to extract knowledge as soon
as relevant information becomes available [
We first briefly discuss basic issues that need to be addressed when considering implementations in
this setting, then formalize the statement of the problem we wish to solve, discuss challenges that arise,
and give two preliminary proposals for solving our problem.
3.1. Information Stream Processing
Given the nature of social networks and the large volume of data generated in short periods of time,
conditions must be established to ensure that the processing of the data can be carried out in the best
possible way. To this end, it is necessary to evaluate how stream reasoning [
Window: A subset of events from a data stream selected according to a given criterion. This is typically
used to discretize streams [
Windows can be either logical, which implement a selection criterion based on bounds over timestamps, or physical, which work with prefixed bounds on the number of tuples to be considered. We also need to address how the bounds of the windows are updated, which corresponds to how the window “moves” with time. Here, we will adopt the more general case of the sliding window, where both lower and upper bounds advance with the arrival of new items or the passage of time. A special case of this is the tumbling window, in which all items change each time the bounds are updated. The following are two diferent types of options for discretizing the social platform data streams.
Sliding pane logical window: windows are specified by a fixed time interval, allowing us to know the processing schedule. Note that windows may become overloaded with data during peak activity and can result in processing time that is greater than the validity of the window itself. Sliding pane physical window: In this case, we cannot predict the speed at which the window is updated since it depends on the number of tuples that arrive in the stream. The advantage, of course, is that by knowing the number of items in each window, we can estimate how long it will take to process each window. On the other hand, we do not know now the frequency at which the window will be updated, which can again lead to problems during peak activity, as a large number of elements need to be processed in a short period of time and this may not be possible.
These two cases show that the processing model needs to define a load shedding policy [
K′ = (K, ) K′ is obtained by applying operator to K with epistemic inputs from arising from data stream DS.
Assuming a scenario with no computational resource limitations, applying would result in a consistent and updated K that could be handled with existing belief revision operators. However, this ideal scenario is not possible since in general we may not have enough time to process each window. Our system must therefore have principled mechanisms for deciding which elements in the window will not processed, and for this to be efective we must study how that impacts the result.
In the following section, we discuss several challenges that arise in practice: (i) real-time processing,
(ii) out-of-order events, and (iii) event overload during peak activity. Given that classical belief revision
operators—such as [
Since revision operators tend to be computationally costly [
t2 Cautious operator
t3 Cautious operator SAKB
t4 Cautious operator
t5 Cautious operator Unprocessed events the unprocessed events. Note that depending on the specific system load there may be windows in which all events can be processed resulting in the updated SAKB. We focus on the interesting case that corresponds to situations where the available time for window processing may be insuficient to process all events contained in the window.
In the following, in order to be able to use classical revision operators, we simplify the knowledge representation model and assume SAKBs and are formulas in a propositional language ℒ. Furthermore, let () represent the set of elements in window that have been processed so far, and () = ∖ () represent the set of elements in window that have not been processed. Option 1: Ignore unprocessed events. Let “* ” be a classical multiple revision operator; a cautious operator Υ can be defined as follows:
Υ(K, ) = K * ()
If the unprocessed knowledge ( ()) from the current window is discarded, the SAKB will be consistent, and consequently, queries can be resolved using classical reasoning. This simplifies the processing of the SAKB, but it results in partial knowledge, since a significant number of events may be left out. This could include a multitude of attacks or events that could indicate potential threats, which would not be processed by the SA. This is illustrated in Figure 4.
Consider a scenario where a user on the social network is being targeted by other users, such as a case of cyberbullying. Since the SA does not process all of the events, it may only see a fraction of the comments and overlook the attack. Let’s say there were 50 comments in the window, but the agent only processed 10 of them, along with other unrelated events. If we consider an agent that takes action when it detects 30 ofensive comments, by processing only 10 comments, it would miss identifying the attack. This simple example highlights the drawbacks of this decision.
Option 2: Allow inconsistency by incorporating unprocessed events. Let “* ” be a classical multiple revision operator, and “+” be a classical expansion operator; a credulous operator Φ is defined as follows: Φ(K, ) = K * () + ()
Here, we incorporate the unevaluated knowledge into the SAKB, which may become inconsistent (cf. Figure 5). It is at inference or query time where inconsistency-tolerant methods need to be applied.
By incorporating unevaluated data into the SAKB, we may include information that appears to be a
threat but is actually not. For example, we may have comments in a post that contain inappropriate
words, but this may be consistent with their way of communicating. Since the SA could not evaluate
this event and it was incorporated directly into the SAKB, this incident may play a role it wouldn’t have
if the window had been processed fully. In this case, the problem is pushed to the QA module since
Data Stream
decisions made by the agent will be “contaminated” by unevaluated data. For instance, it would be
necessary to define the level of confidence in the information provided by the AS. We could establish
a semantics based on trust for conflict resolution. To achieve this, a measure indicating the level of
confidence should be assigned to each piece of information and updated in each application of the
revision operator. One possibility would be to consider a form of stratified SAKB [
These operators could address the issue of event overload during peak activity, allowing (near) real-time processing. However, a policy for handling out-of-order events needs to be defined. As for concretization of the operators, as future work, we need to define postulates and constructs that allow us to apply belief revision in these environments. For some of the behavior, one could consider classical postulates (such as consistency) that do not necessarily have to be fully satisfied, but rather think about degrees of satisfaction that provide flexibility to better characterize real-world environments.
This work outlines a preliminary approach to addressing cybersecurity challenges in social networks through a multi-agent system grounded in a recent application framework. We emphasize the central role of stream-based belief revision operators and the complexities introduced by diferent windowing strategies. The behavior of two classical operators highlights key limitations and motivates the need for new postulates and operator designs. Future eforts will focus on empirical validation and advancing this line of research toward trustworthy-by-design socio-technical systems.
This work was funded in part by Universidad Nacional del Sur (UNS) under grant PGI 24/ZN057, Secretaría de Investigación Científica y Tecnológica FCEN–UBA (RESCS-2020-345-E-UBA-REC), Universidad Nacional de Entre Ríos under grant PDTS-UNER 7066, CONICET under the grant PIP (11220200101408CO), and Agencia Nacional de Promoción Científica y Tecnológica, Argentina under grants PICT-2018-0475 (PRH-2014-0007) and PICT-2020 SERIE A-01481.
The authors have not employed any Generative AI tools.