`
`PCT/AU02/00530
`
`50
`
far more likely to produce a complex family of inter-related concepts with ad-hoc exceptions. Moreover, because the total domain of discourse is so broad, an ontology produced in this manner will be extremely context sensitive, leading to many possibilities for introducing ambiguities and contradictions.
`
`Taking a leaf from our earlier philosophy of simplification through abstraction
`
`layering, we instead choose to define a set of ontologies: one per inter-layer boundary.
`
`Figure 7 indicates these ontologies as curved arrows to the left of the agent stack.
`
The communication of factual knowledge to IA's in the first level of abstraction is
`
`represented by means of a simple ontology of facts (called the Level 1 Shapes Vector
`
`Ontology). All agents described within this portion of the specification make use of
`
`this mechanism to receive their input. It is worthwhile noting that the knowledge
`
`domain defined by this ontology is quite rigidly limited to incorporate only a universe
`
`of facts -- no higher-level concepts or meta-concepts are expressible in this ontology.
`
`This simplified knowledge domain is uniform enough that a reasonably clean set of
`
`ontological primitives can be concisely described.
`
`Interaction between IA’s is strictly limited to avoid the possibility of ambiguity. An
`
agent may freely report outcomes to the Shapes Vector Event Delivery sub-system,
`
`but inter-IA communication is only possible between agents at adjacent layers in the
`
`architecture. It is specifically prohibited for any agent to exchange knowledge with a
`
`”peer” (an agent within the same layer). If communication is to be provided between
`
`peers, it must be via an intermediary in an upper layer. The reasons underlying these
`
`rules of interaction are principally that they remove chances for ambiguity by forcing
`
`consistent domain-restricted universes of discourse (see below). Furthermore, such
`
`restrictions allow for optimised implementation of the Knowledge Architecture.
`
PART 2 OF 2 / APPL-1002 / Page 745 of 1488
Apple v. Uniloc
`
`
`
`
WO 02/088926
`
`
One specific optimisation made possible by these constraints -- largely due to their
`
`capacity to avoid ambiguity and context -- is that basic factual knowledge may be
`
`represented in terms of traditional context-free relational calculus. This permits the
`
`use of relational database technology in storage and management of knowledge.
`
`Thus, for simple selection and filtering procedures on the knowledge base we can
`
utilise well-known commercial mechanisms which have been optimised over a number of years rather than having to build a custom knowledge processor inside each
`
`intelligent agent.
`
`Note that we are not suggesting that knowledge processing and retrieval is not
`
required in an IA. Rather, by specifying certain requirements in a relational calculus (SQL is a preferred language), the database engine assists by undertaking a filtering process when presenting a view for processing by the IA. Hence the IA can
`
`potentially reap considerable benefits by only having to process the (considerably
`
`smaller) subset of the knowledge base which is relevant to the IA. This approach
`
`becomes even more appealing when we consider that the implementation of choice
`
`for Intelligent Agents is typically a logic language such as Prolog. Such environments
`
may incur significant processing delays due to the heavily stack-based nature of
`
`processing on modern Von Neumann architectures. However, by undertaking early
`
`filtering processes using optimised relational engines and a simple knowledge
`
structure, we can minimise the total amount of data that is input into potentially time-consuming tree and stack-based computational models.
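By way of a hedged illustration only, the pre-filtering scheme described above might be sketched as follows. The table layout, relation names and facts are all invented for this example; the point is that the relational engine performs the coarse selection so that the agent's (potentially slow) logic engine sees only a small view:

```python
import sqlite3

# Illustrative sketch only: a "Level 1" fact base held as a relational table.
# The schema and the facts themselves are invented for this example.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE fact (subject TEXT, relation TEXT, object TEXT)")
conn.executemany(
    "INSERT INTO fact VALUES (?, ?, ?)",
    [
        ("host1", "sent-packet-to", "host2"),
        ("host2", "sent-packet-to", "host3"),
        ("host1", "runs-service", "telnet"),
        ("host3", "runs-service", "http"),
    ],
)

def view_for_agent(relation):
    """Let the relational engine do the coarse filtering, so the agent's
    logic engine only ever processes the relevant subset."""
    cur = conn.execute(
        "SELECT subject, object FROM fact WHERE relation = ?", (relation,)
    )
    return cur.fetchall()

# The agent now reasons over two rows rather than the whole knowledge base.
subset = view_for_agent("runs-service")
print(sorted(subset))  # [('host1', 'telnet'), ('host3', 'http')]
```

The same division of labour applies whatever the logic language: the database returns a finite view, and only that view enters the tree- and stack-based computation.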
`
`The placement of intelligent agents within the various layers of the knowledge
`
`architecture is decided based upon the abstractions embodied within the agent and
`
`the knowledge transforms provided by the agent. Two criteria are considered in
`
determining whether a placement at layer n is appropriate:
`
`
• Would the agent be context sensitive in the level n ontology? If so, it should be split into two or more agents.

• Does the agent perform data fusion from one or more entities at level n? If so, it must be promoted to at least level n+1 (to adhere to the requirement of no ”horizontal” interaction).
`
`2.2 A Note on the Tardis
`
`A more detailed description of the Tardis is provided in part 5 of the specification.
`
`The Tardis connects the IA Gestalt to the real-time visualisation system. It also
`
`controls the system’s notion of time in order to permit facilities such as replay and
`
`visual or other analysis anywhere along the temporal axis from the earliest data still
`
`stored to the current real world time.
`
`The Tardis is unusual in its ability to connect an arbitrary semantic or deduction to a
`
`visual event. It does this by acting as a very large semantic patch-board. The basic
`
`premise is that for every agreed global semantic (e.g. X window packet arrived
`
`[attribute list]) there is a specific slot in an infinite sized table of globally agreed
`
semantics. For practical purposes, there are 2^64 slots, which therefore sets the current maximum number of agreed semantics available in our environment. No slot, once assigned a semantic, is ever reused for any other semantic. Agents that arrive at a deduction which matches the slot semantic simply queue an event into the slot. The
`
`
`visual system is profiled to match visual events with slot numbers. Hence visual
`
`events are matched to semantics.
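The patch-board mechanism can be sketched in outline as follows. This is an illustrative model only; the class and method names are invented here, and a real Tardis implementation would differ considerably:

```python
from collections import defaultdict, deque

# Illustrative model of the semantic patch-board (names invented here).
MAX_SLOTS = 2 ** 64   # the practical bound on the "infinite" slot table

class Tardis:
    def __init__(self):
        self.semantics = {}               # slot number -> agreed semantic
        self.queues = defaultdict(deque)  # slot number -> queued events
        self.next_slot = 0

    def assign_semantic(self, description):
        """Slots are assigned incrementally and, once assigned, never reused."""
        slot = self.next_slot
        assert slot < MAX_SLOTS
        self.semantics[slot] = description
        self.next_slot += 1
        return slot

    def queue_event(self, slot, attributes):
        """An agent whose deduction matches the slot semantic queues an event."""
        self.queues[slot].append(attributes)

tardis = Tardis()
slot = tardis.assign_semantic("X window packet arrived [attribute list]")
tardis.queue_event(slot, {"src": "host1", "dst": "host2"})

# The visual system is profiled against slot numbers, not against agents.
visual_profile = {slot: "draw-x11-pulse"}
event = tardis.queues[slot].popleft()
print(visual_profile[slot], event["src"])  # draw-x11-pulse host1
```

Because the visual system binds to slot numbers rather than to agents, any agent that can produce the agreed semantic can drive the corresponding visual event.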
`
As with the well-known IP numbers and Ethernet addresses, the Shapes Vector strategy
`
`is to have incremental assignment of semantics to slots. Various taxonomies etc. are
`
`being considered for slot grouping. As the years go by, it is expected that some slots
`
`will fall into disuse as the associated semantic is no longer relevant, while others are
`
added. It is considered highly preferable, for obvious reasons, that no slot be reused.
`
`As mentioned, further discussion about the Tardis and its operation can be found in
`
`part 5 of the specification.
`
`3. Inferencing Strategies
`
`The fundamental inferencing strategy underlying Shapes Vector is to leave inductive
`
`inferencing as the province of the (human) user and deductive inferencing as typically
`
`the province of the IA’s. It is expected that a user of the system will examine
`
`deductive inferences generated by a set of IA’s, coupled with visualisation, in order to
`
`arrive at an inductive hypothesis. This separation of duties markedly simplifies the
`
`implementation strategies of the agents themselves. Nevertheless, we propose further
`
`aspects that may produce a very powerful inferencing system.
`
`3.1 Traditional
`
`Agents can employ either forward chaining or backward chaining, depending on the
`
`role they are required to fulfil. For example, some agents continuously comb their
`
views of the knowledge base in attempts to form current, up-to-date deductions that
`
`are as ”high level” as possible. These agents employ forward chaining and typically
`
`inhabit the lower layers of the agent architecture. Forward chaining agents also may
`
`have data stream inputs from low level ”sensors". Based on these and other inputs, as
`
`
`well as a set of input priorities, these agents work to generate warnings when certain
`
`security-significant deductions become true.
`
`Another set of agents within the Shapes Vector system will be backward chaining
`
`(goal driven) agents. These typically form part of the ”User Avatar Set”: a collection of
`
`knowledge elements, which attempt to either prove or disprove user queries
`
`(described more fully in Section 8 of this part).
`
`3.2 Possiblistic
`
`In executing the possiblistic features incorporated into the level 2 ontology (described
`
`in Section 7.1 of this part), agents may need to resort to alternative logics. This is
`
implied by the inherent multi-valued nature of the possiblistic universe. Where a
`
`universe of basic facts can be described succinctly in terms of a fact existing or not
`
`existing, the situation is more complex when symbolic possibility is added. For our
`
`formulation we chose a three-valued possiblistic universe, in which a fact may be
`
`existent, non-existent, or possibly existent.
`
To reason in such a universe we adopt two different algebras. The first is a simple extension of the basic principle of unification common to computational logic. Instead of the normal assignation of successful unification to existence and unsuccessful unification to non-existence, we adopt the following:

• successful unification implies existence;

• the discovery of an explicit fact which precludes unification implies non-existence (this is referred to as a hard fail);

• unsuccessful unification without an explicit precluding case implies possible existence (this is referred to as a soft fail).
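A minimal sketch of this three-valued outcome, with fact tuples invented for the example, might look like:

```python
# Minimal sketch of the three-valued possiblistic outcome (facts invented).
EXISTS, NOT_EXISTS, POSSIBLE = "exists", "non-existent", "possibly-exists"

def query(fact, asserted, negated):
    if fact in asserted:      # successful unification
        return EXISTS
    if fact in negated:       # an explicit fact precludes unification: hard fail
        return NOT_EXISTS
    return POSSIBLE           # no precluding case was found: soft fail

asserted = {("host1", "runs", "telnetd")}
negated = {("host1", "runs", "httpd")}

print(query(("host1", "runs", "telnetd"), asserted, negated))  # exists
print(query(("host1", "runs", "httpd"), asserted, negated))    # non-existent
print(query(("host1", "runs", "sshd"), asserted, negated))     # possibly-exists
```

The essential point is the asymmetry: only an explicit precluding fact yields non-existence, while mere absence of evidence yields possible existence.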
`
`
`A second algebra, which may be used to reason in the possiblistic universe, involves a
`
`technique known as ”predicate grounding” in which a user-directed pruning of a
`
`unification search allows for certain specified predicates to be ignored (grounded)
`
`when possibilities are being evaluated.
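Predicate grounding might be sketched as follows, under the simplifying assumption (made only for this example) that a query is a conjunction of ground conditions of the form (predicate, arguments...):

```python
# Sketch of predicate grounding: user-specified predicates are pruned
# (grounded) from the evaluation so they cannot cause a possibility to fail.
# The fact format (predicate, *args) is an assumption of this example.
def satisfiable(conditions, facts, grounded=frozenset()):
    """A conjunctive query is satisfiable when every non-grounded condition
    is an asserted fact; grounded predicates are simply ignored."""
    return all(
        cond in facts
        for cond in conditions
        if cond[0] not in grounded
    )

facts = {("runs", "host1", "telnetd")}
goal = [("runs", "host1", "telnetd"), ("logged-in", "boris", "host1")]

print(satisfiable(goal, facts))                          # False
print(satisfiable(goal, facts, grounded={"logged-in"}))  # True
```

Grounding the unknowable "logged-in" predicate lets the evaluation report what is possible given the remaining conditions, rather than failing outright.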
`
`3.3 Vectors
`
`Agents operating at higher levels of the Shapes Vector Knowledge Architecture may
`
require facilities for reasoning about uncertain and/or incomplete information in a
`
`more continuous knowledge domain. Purely traditional forward or backward
`
`chaining does not easily express such reasoning, and the three-valued possiblistic
`
`logic may lack the necessary quantitative features desired. To implement such agents
`
`an alternative inferencing strategy is used based upon notions of vector algebra in a
`
`multi-dimensional semantic space. This alternative strategy is employed in
`
`conjunction with more conventional backward chaining techniques. The use of each of
`
`the paradigms is dependent on the agent, and the domain of discourse.
`
Our vector-based approach to inferencing revolves around constructing an abstract
`
`space in which relevant facts and deductions may be represented by geometrical
`
`analogues (such as points and vectors), with the proper algebraic relationships
`
`holding true. In general, the construction of such a space for a large knowledge
`
`domain is extremely difficult. For Shapes Vector, we adopt a simplifying strategy of
`
`constructing several distinct deductive spaces, each limited to the (relatively small)
`
`domain of discourse of a single intelligent agent. The approach is empirical and is
`
`only feasible if each agent is restricted to a very small domain of knowledge so that
`
`construction of its space is not overly complex.
`
`The definition of the deductive space for an IA is a methodical and analytical process
`
`undertaken during the design of the agent itself. It involves a consideration of the set
`
`
`of semantic concepts (”nouns”) which are relevant to the agent, and across which the
`
`agent’s deductions operate. Typically this concept set will contain elements of the
`
`agent’s layer ontology as well as nouns which are meaningful only within the agent
`
`itself. Once the agent’s concept set has been discovered, we can identify within it a
`
`subset of ’base nouns’ -- concepts which cannot be defined in terms of other members
`
`of the set. This identification is undertaken with reference to a semi-formal
`
`’connotation spectrum’ (a comparative metric for ontological concepts).
`
`Such nouns have two important properties:
`
• each is semantically orthogonal to every other base noun, and

• every member of the concept set which is not a base noun can be described as a combination of two or more base nouns.
`
Collectively, an IA’s set of n base nouns defines an n-dimensional semantic space (in
`
`which each base noun describes an axis). Deductions relevant to the agent constitute
`
`points within this space; the volume bounded by spatial points for the full set of agent
`
`deductions represents the sub-space of possible outputs from that agent. A rich set of
`
`broad-reaching deductions leads to a large volume of the space being covered by the
`
`agent, while a limited deduction set results in a very narrow agent of more limited
`
`utility (but easier to construct). Our present approach to populating the deductive
`
`space is purely empirical, driven by human expert knowledge. The onus is thus upon
`
the designer of the IA to generate a set of deductions which (ideally) populate the
`
`space in a uniform manner.
`
`In reality, the set of deductions that inhabit the space can become quite non-uniform
`
`(”clumpy”) given this empirical approach. Hence rigorous constraint on the domain
`
`covered by an agent is entirely appropriate. Of course this strategy requires an
`
`
appropriate mechanism at a higher abstraction layer. However, a higher-layer agent can utilise the agents below it in a behavioural manner, thereby treating them as sub-spaces.
`
`Once an agent’s deductive space has been constructed and populated with deductions
`
`(points), it may be used to draw inferences from observed facts. This is achieved by
`
`representing all available and relevant facts as vectors in the multi-dimensional
`
`semantic space and considering how these vectors are located with respect to
`
`deduction points or volumes. A set of fact vectors, when added using vector algebra
`
`may precisely reach a deduction point in the space. In that situation, a deductive
`
inference is implied. Alternatively, even in the situation where no vector or combination of vectors precisely inhabits a deduction point, more uncertain reasoning can be performed using mechanisms such as distance metrics. For example, it may be implied that a vector which is ”close enough” to a deduction point is a weak indicator of that deduction. Furthermore, in the face of partial data, vector techniques may be used to home in on inferences by identifying facts (vectors),
`
`currently not asserted, which would allow for some significant deduction to be
`
`drawn. Such a situation may indicate that the system should perhaps direct extra
`
`resources towards discovering the existence (or otherwise) of a key fact.
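The overall scheme might be sketched as follows. The base nouns, deduction points, fact vectors and the certainty function below are all invented for illustration; only the mechanism (fact vectors summed, then compared by distance to deduction points) reflects the text above:

```python
import math

# Hypothetical base nouns defining a 3-dimensional semantic space.
BASE_NOUNS = ("user", "computer", "traffic")

# Deduction points in the space (coordinates invented for illustration).
deductions = {
    "suspicious-login": (1.0, 1.0, 0.0),
    "bulk-transfer":    (0.0, 1.0, 1.0),
}

# Observed facts represented as vectors in the same space.
facts = [(0.9, 0.0, 0.0), (0.0, 0.95, 0.0)]

# Vector addition of the available fact vectors.
total = tuple(sum(axis) for axis in zip(*facts))

# An assumed certainty function that decays with distance from a deduction:
# reaching a point exactly gives certainty 1.0; "close enough" gives a
# weak indication of that deduction.
scores = {
    name: 1.0 / (1.0 + math.dist(total, point))
    for name, point in deductions.items()
}
best = max(scores, key=scores.get)
print(best)  # suspicious-login
```

A low best score across all deduction points could equally be read the other way: it identifies which missing fact vector would complete a significant deduction, and hence where extra collection resources might be directed.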
`
`The actual inferencing mechanism to be used within higher-level Shapes Vector
`
`agents is slightly more flexible than the scheme we have described above. Rather than
`
simply tying facts to vectors defined in terms of the IA's base nouns, we can define an
`
`independent but spatially continuous ’fact space’. Figure 8 demonstrates the concept:
`
`a deductive space has been defined in terms of a set of base nouns relevant to the IA.
`
`Occupying the same spatial region is a fact space, whose axes are derived from the
`
`agent's layer ontology. Facts are defined as vectors in this second space: that is, they
`
`are entities fixed with respect to the fact axes. However, since the fact space and
`
`deduction space overlap, these fact vectors also occupy a location with respect to the
`
`
`base noun axes. It is this location which we use to make deductive inferences based
`
`upon fact vectors. Thus, in the Figure, the fact that the observed fact vector (arrow) is
`
`close to one of the deductions (dots) may allow for assertion of that deduction with a
`
`particular certainty value (a function of exactly how close the vector is to the
`
`deduction point). Note that, since the axes of the fact space are independent of the
`
axes of the deductive space, it is possible for the former to vary (shift, rotate and/or translate, perhaps independently) with respect to the latter. If such a variation occurs,
`
`fact vectors (fixed with regard to the fact axes) will have different end-points in
`
`deduction-space. Therefore, after such a relative change in axes, a different set of
`
`deductions may be inferred with different confidence ratings. This mechanism of
`
`semantic relativity may potentially be a powerful tool for performing deductive
`
`inferencing in a dynamically changing environment.
`
An interesting aspect of the preferred approach to vector-based deductive inference is
`
`that it is based fundamentally upon ontological concepts, which can in turn be
`
`expressed as English nouns. This has the effect that the deductions made by an agent
`
`will resemble simple sentences in a very small dialect of pseudo-English. This
`
`language may be a useful medium for a human to interact with the agent in a
`
`relatively natural fashion.
`
`While the inferencing strategy described above has some unorthodox elements in its
`
`approach to time-varying probabilistic reasoning for security applications, there are
`
`more conventional methods that may be used within Shapes Vector IA's in the
`
event that the method falls short of its expected deductive potential. Frame-based
`
`systems offer one well understood (although inherently limited) alternative paradigm.
`
Indeed, it is expected that some IA's will be frame-based in any case (obtained off the shelf and equipped with an ontology to permit knowledge transfer with the knowledge
`
`base).
`
`
`As described above, the vector-based deductive engine is able to make weak
`
assertions of a deduction with an associated certainty value (based on distances in n-dimensional space). This value can be interpreted in a variety of ways to achieve
`
`different flavours of deductive logic. For example, the certainty value could
`
`potentially be interpreted as a probability of the assertion holding true, derived from a
`
`consideration of the current context and encoded world knowledge. Such an
`
`interpretation delivers a true probabilistic reasoning system. Alternatively, we could
`
`potentially consider a more rudimentary interpretation wherein we consider
`
`assertions with a certainty above a particular threshold (e.g. 0.5) to be ”possible"
`
`within a given context. Under these circumstances, our system would deliver a
`
`possiblistic form of reasoning. Numerous other interpretations are also possible.
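The two interpretations might be contrasted in a small sketch (the assertion names and certainty values are invented):

```python
# Illustrative sketch: two readings of the certainty value attached to a
# weak assertion from the vector engine (names and values invented).
def possiblistic(certainty, threshold=0.5):
    """Rudimentary reading: an above-threshold assertion is 'possible'."""
    return "possible" if certainty > threshold else "not-possible"

assertions = {"suspicious-login": 0.9, "bulk-transfer": 0.42}

# Probabilistic reading: take the certainty directly as a probability
# of the assertion holding true in the current context.
probabilities = dict(assertions)

# Possiblistic reading: collapse each certainty to a threshold judgement.
judgements = {name: possiblistic(c) for name, c in assertions.items()}
print(judgements)  # {'suspicious-login': 'possible', 'bulk-transfer': 'not-possible'}
```

The same underlying distance metric thus supports several flavours of deductive logic simply by changing how the scalar is interpreted.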
`
`3.4
`
`Inferencing for Computer Security Applications
`
`As presented, our IA architecture is appropriate to knowledge processing in any
`
number of domains. To place the work into the particular context for which it is
`
`primarily intended, we will now consider a simple computer security application of
`
`this architecture.
`
`One common, but often difficult, task facing those charged with securing a computer
`
network is detecting access of network assets which appears authorised (e.g., the user has the proper passwords, etc.) but is actually malicious. Such access incorporates the
`
`so-called ”insider threat" (i.e., an authorised user misusing their privileges) as well as
`
`the situation where confidentiality of the identification system has been compromised
`
`(e.g., passwords have been stolen). Typically, Intrusion Detection Systems are not
`
`good at detecting such security breaches, as they are purely based on observing
`
`signatures relating to improper use or traffic.
`
`Shapes Vector’s comprehensive inferencing systems allow it to deduce a detailed
`
semantic model of the network under consideration. This model, coupled with a user’s
`
`
`inductive reasoning skills, permits detection of such misuse even in the absence of any
`
`prior-known ”signature".
`
`This application of Shapes Vector involves constructing a Gestalt of Intelligent Agents
`
`that are capable of reasoning about relatively low-level facts derived from the
`
`network. Typically these facts would be in the form of observations of traffic flow on
`
`the network. Working collaboratively, the agents deduce the existence of computers
`
`on the network and their intercommunication. Other agents also deduce attributes of
`
`the computers and details of their internal physical and logical states. This
`
`information serves two purposes: one is to build up a knowledge base concerning the
`
`network, and another is to facilitate the visualisation of the network. This latter output
`
`from the agents is used to construct a near real-time 3D visualisation showing the
`
`computers and network interfaces known to exist and their interconnection. Overlaid
`
`onto this ”map" is animation denoting the traffic observed by the agents, classified
`
`according to service type.
`
Observing such a Shapes Vector visualisation, a user may note some visual aspect that they consider atypical. For example, the user may note a stream of telnet
`
`packets (which itself might be quite normal) traversing the network between the
`
primary network server and a node which the visualisation shows as only a network
`
`interface. The implications of such an observation are that a node on the network is
`
`generating a considerable body of data, but this data is formatted such that none of
`
`the Shapes Vector agents can deduce anything meaningful about the computer issuing
`
the traffic (thus no computer shape is visualised, just a bare network interface).
`
`The human user may consider this situation anomalous: given their experience of the
`
`network, most high volume traffic emitters are identified quickly by one or more of
`
`the various IAs. While the telnet session is legitimate, in as much as the proper
`
`passwords have been provided, the situation bears further investigation.
`
`
`To probe deeper, the User Avatar component of Shapes Vector, described more fully
`
`in Section 8 in Part 2 of the specification, can be used to directly query the detailed
`
knowledge base the agents have built up behind the (less-detailed) visualisation.
`
`The interaction in this situation might be as follows:
`
`human> answer what User is-logged-into Computer ”MainServer”?
`
`gestalt> Relationship is-logged-into [User Boris, Computer MainServer]
`
`This reveals a user name for the individual currently logged into the server. A further
`
`interaction might be:
`
`human> find all User where id=”Boris”?
`
gestalt> Entity User (id=Boris, name=”Boris Wolfgang”, type=”guest user”)
`
`An agent has deduced at some stage of knowledge processing that the user called
`
`Boris is logged in using a guest user account. The Shapes Vector user would be aware
`
`that this is also suspicious, perhaps eliciting a further question:
`
human> answer what is-owned-by User ”Boris”?
`
`gestalt> Relationship is-owned-by [File passwords, User Boris]
`Relationship is-owned-by [Process keylogger, User Boris]
`Relationship is-owned-by [Process passwordCracker, User Boris]
`
The facts have, again, been deduced by one or more of the IA’s during their
`
`processing of the original network facts. The human user, again using their own
`
`knowledge and inductive faculties, would become more suspicious. Their level of
`
`suspicion might be such that they take action to terminate Boris’ connection to the
`
`main server.
`
`
`In addition to this, the user could ask a range of possiblistic and probabilistic
`
`questions about the state of the network, invoking faculties in the agent Gestalt for
`
`more speculative reasoning.
`
3.5 Other Applications
`
`The IA architecture disclosed herein lends itself to other applications. For example, it
`
`is not uncommon for the Defence community to have many databases in just as many
`
`formats. It is very difficult for analysts to peruse these databases in order to gain
`
`useful insight. There has been much effort aimed at considering how particular
`
`databases may be structured in order for analysts to achieve their objectives. The
`
`problem has proved to be difficult. One of the major hurdles is that extracting the
`
`analysts’ needs and codifying them to structure the data leads to different
`
requirements not only between analysts, but also depending on each analyst's current focus. One of the consequences is that in order to structure the data
`
`correctly, it must be context sensitive, which a relational database is not equipped to
`
`handle.
`
`Shapes Vector can overcome many of the extant difficulties by permitting knowledge
`
`and deduction rules to be installed into an IA. This IA, equipped with a flexible user
`
`interface and strictly defined query language, can then parse the data in a database in
`
order to arrive at a conclusion. The knowledge rules and analyst-centric processing
`
`are encoded in the IA, not in the structure of the database itself, which can thus
`
`remain context free. The Shapes Vector system allows incremental adjustment of the
`
`IA without having to re-format and restructure a database through enhancement of
`
`the IA, or through an additional IA with relevant domain knowledge. Either the IA
`
makes the conclusion, or it can provide an analyst with a powerful tool for making low-level deductions that can be used to arrive at the desired conclusion.
`
`
`4. Rules for Constructing an Agent
`
`63
`
`In Section 2 of this part of the specification, several rules governing agents were
`
mentioned, e.g. no intra-level communication and each agent must be context free within its domain of discourse. Nevertheless, there are still a number of issues which need clarification to see how an agent can be constructed, and some of the resultant
`
`implications.
`
`In a preferred arrangement the three fundamental rules that govern the construction
`
`of an agent are:
`
`1. All agents within themselves must be context free;
`
`2. If a context sensitive rule or deduction becomes apparent, then the agent must be
`
`split into two or more agents;
`
`3. No agent can communicate with its peers in the same level. If an agent's deduction
`
`requires input from a peer, then the agent must be promoted to a higher level, or a
`
`higher level agent constructed which utilises the agent and the necessary peer(s).
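These rules lend themselves to a simple mechanical check on a proposed agent layout. The following sketch is illustrative only; the agent description format is an assumption made for the example:

```python
# Illustrative check of the three construction rules against a proposed
# agent description (the description format is invented for this sketch).
def placement_problems(agent):
    problems = []
    if agent["context_sensitive"]:
        # Rules 1 and 2: the agent must be split until each part is context free.
        problems.append("split into two or more context-free agents")
    if agent["peer_inputs"]:
        # Rule 3: no intra-level communication is permitted.
        problems.append("promote the agent or add a higher-level intermediary")
    return problems

# A hypothetical agent that needs input from a same-level peer: illegal.
agent = {
    "name": "fusion-agent",
    "context_sensitive": False,
    "peer_inputs": ["traffic-agent"],
}
print(placement_problems(agent))
```

Such a check only flags violations; resolving them (splitting an agent, or constructing the higher-level intermediary) remains a design decision.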
`
`In our current implementation of Shapes Vector, agents communicate with other
`
`entities via the traditional UNIX sockets mechanism as an instantiation of a
`
`component control interface. The agent architecture does not preclude the use of third
`
`party agents or systems. The typical approach to dealing with third party systems is
`
`to provide a ”wrapper” which permits communication between the system and
`
`Shapes Vector. This wrapper needs to be placed carefully within the agent hierarchy
`
`so that interaction with the third party system is meaningful in terms of the Shapes
`
`Vector ontologies, as well as permitting the wrapper to act as a bridge between the
`
`third party system and other Shapes Vector agents. The wrapper appears as just
`
`another SV agent.
`
`
`One of the main implications of the wrapper system is that it may not be possible to
`
gain access to all of the features of a third party system. If the knowledge cannot be
`
`carried by the ontologies accessible to the wrapper, then the knowledge elements
`
`cannot be transported throughout the system. There are several responses to such
`cases:
`
1. The wrapper may be placed at the wrong level.

2. The ontology may be deficient and in need of revision.

3. The feature of the third party system may be irrelevant and therefore no adjustments are required.
`
`5. Agents and Time
`
`In this section we discuss the relationship between the operation of agents and time.
`
The two main areas disclosed are how the logic-based implementation of agents can
`
`handle data streams without resorting to an embedded, sophisticated temporal logic,
`
and the notion of synthetic time in order to permit simulation and analysis of data
`
`from multiple time periods.
`
`5.1 Data Streams and IA's
`
`One of the fundamental problems facing the use of IA's in the Shapes Vector system is
`
`the changing status of propositions. More precisely, under temporal shifts, all ”facts”
`
`are predicates rather than propositions. This issue is further complicated when we
`
`consider that typical implementations of an IA do not handle temporal data streams.
`
`We address this problem by providing each IA with a ”time aperture" over which it is
`
`currently processing. A user or a higher level agent can set the value of this aperture.
`
`
`Any output from an IA is only relevant to its time aperture setting (Figure 10). The
`
`aperture mechanism allows the avoidance of issues such as contradictions in facts
`
over time, as well as providing a finite data set in what is really a data stream. In fact, the
`
`mechanism being implemented in our system permits multiple, non-intersecting
`
`apertures to be defined for data input.
`
`With time apertures, we can ”stutter” or ”sweep” along the temporal domain in order
`
to analyse long streams of data. Clearly, there are a number of issues which still must be addressed. Chief amongst these is the fact that an aperture may be set which does not cover, or only partially covers, the data set from which a critical deduction must be made.
`
`Accordingly, strategies such as aperture change and multiple apertures along the
`
`temporal domain must be implemented in order to raise confidence that the relevant
`
`data is input in order to arrive at the relevant deduction.
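A "sweep" along the temporal domain might be sketched as follows. The aperture width, step size and packet stream are invented values for the example; each yielded slice is the finite data set over which the agent would reason:

```python
# Sketch of sweeping a time aperture along a data stream (values invented).
def sweep(events, width, step):
    """Yield (aperture_start, facts_inside_aperture) as the aperture is
    stepped along the temporal axis; an agent only ever reasons over one
    finite slice at a time."""
    if not events:
        return
    start = min(t for t, _ in events)
    last = max(t for t, _ in events)
    while start <= last:
        yield start, [e for t, e in events if start <= t < start + width]
        start += step

stream = [(0, "syn"), (1, "ack"), (5, "data"), (6, "data"), (11, "fin")]
windows = list(sweep(stream, width=5, step=5))
print(windows)  # [(0, ['syn', 'ack']), (5, ['data', 'data']), (10, ['fin'])]
```

Setting the step smaller than the width would give overlapping ("stuttered") apertures, one strategy for reducing the chance that a critical fact straddles an aperture boundary.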
`
`While we are aware that we can implement apertures in order to supply us with
`
useful deductions for a number of circumstances, it is still an open question how to
`
`achieve an optimal set of sweep strategies for a very broad class of deductions where
`
confidence is high that we obtain what we are scanning for. One area which comes to mind is the natural ”tension” between desired aperture settings. For example, an aperture setting of 180 degrees (i.e., the whole fact space) is desirable as this considers
`
`all data possible in the stream from the beginning of the epoch of capture to the end of
`
`time, or rather the last data captured. However, this setting is impractical from an
`
implementation point of view, as well as introducing potential contradictions in the
`
`deductive process. On the other hand, a very small aperture is desirable in that
`
`implementation is easy along with fast processing, but can result in critical packets not
`
`being included in the processing scan.
`
Initial tests of an agent which understands portions of the HTTP protocol have yielded
`
`anecdotal evidence that there may be optimum aperture settings for specific domains
`
`
of discourse. HTTP protocol data from a large (5GB) corpus were analysed for a large
`
`network. It was shown that an aperture setting of 64 packets produced the largest set
`
`of deductions for the smallest aperture setting while avoiding the introduction of
`
`contradictions.
`
`The optimal aperture setting is of course affected by the data input, as well as the
`
`domain of discourse. However, if we determine that our corpus is representative of
`
expected traffic, then a default optimal aperture setting is possible for an agent. This
`
`aperture setting need only then be adjusted as required in the presence of
`
`contradicting deductions or for special processing purposes.
`
`5.2 Temporal Event Mapping for Agents
`
`In the previous section, we discussed how an agent could have time apertures in
`
`order to process data streams. The issue of time is quite important, especially when
`
`considering that it takes a finite amount of time for a set of agents to arrive at a
`
`deduction and present a visualisation. Also, a user may