Professional Documents
Culture Documents
By
Index
Introduction…………………………………………………………..4
Conclusion………………………………………………………………74
Bibliography……………………………………………………………..75
3
INTRODUCTION
CHARACTERTICS OF AGENTS
• Proactive ness:-The agent has an agenda to pursue and will persist in trying
to achieve its aims.
• Mobility:-It can passes the ability to move from place to place in a network
like Internet .It can move itself and execute afresh at a new location.
Sometimes an agent performs a task at one location ,saves the state ,migrates
to a new location and restores its execution state to continue where it left off
• E-Commerce
software agents are an integral part of the overall system and method of
approach. There are user agents acting on behalf of the consumer and
business agents representing the suppliers. Although currently beyond the
state of the art, it will not be long before users will be able to delegate to
their software agent the task of getting cinema tickets to see one of the latest
releases on Saturday night and then booking a meal in a nearby restaurant
afterwards. Given this objective and knowledge of its user’s preferences (eg
vegetarian, no spicyfood, comedies rather than action films, etc.), the proxy
will enter the appropriate electronic marketplace where it will encounter the
business agents (see figure 6)..
The proxy will first query the cinema agents to determine the most
appropriate film and the most convenient showing time. Having made this
decision, the proxy will then progress onto the restaurant agents to see which
one best fits with the user’s preferences and constraints. If no appropriate
restaurant can be found, the proxy will return to the cinema agent pool and
reassesses its choice of film or show time and then repeat the process.
Eventually, if successful, the proxy will report back to the user with the
cinema and restaurant booking information.— they are delegated a high-
level task which they have to complete on their own (autonomy), they need
to interact and negotiate with other service providing agents (social ability),
3
if the preferred restaurant is fully booked the proxy should try another one
(responsiveness),and the proxy might voluntarily check with the railway
company agent to find out the time of the last train home from the station
nearest the restaurant (proactive ness).
• Business Adaptation
This model defines the internal structure of the intelligent agent part of a
mobile agent.
• Life-cycle model
This model defines the different execution states of a mobile agent and the
events that cause the movement from one state to another. Thus, it is closely
3
This model defines the different execution states of a mobile agent and the
events that cause the movement from one state to another. Thus, it is closely
related to the computational model which describes how the execution
occurs. The first, and more powerful life cycle , starts with a ‘start’ state,
3
paradigms introduced above. The use of mobile code has a long history
dating back to the use of remote job entry systems in the 1960's. Today's
mobile agent incarnations can be characterized in a number of ways ranging
from simple distributed objects to highly organized software with embedded
intelligence , Mobile agent paradigm helps form a large-scale, loosely-
coupled distributed system. Because of its many salient merits, it ha
attracted tremendous attention in the last few years and become a promising
direction in distributed computing and processing, as well as high
performance network area.
3
host or to migrate to another node to perform other duties within the network
as shown in Fig. 2. PDA (wireless mode) PC (Wired mode)
Fig. 1. Client-server paradigm
perform data transfer activities in sharing with other agents within the given
environment. Learning refers to a mobile agent’s ability in gaining
information about the current environment, which will help MAs to modify
its behaviour. Cooperative, MAs should be able to coordinate with other
agents to achieve a common purpose. Ragged, MAs should be able to deal
with errors when encountered and during their (errors) occurrence.
Researchers have also attempted to classify the types of the agent based on
the above attributes. In many cases, it is not necessary to have an agent with
all the above properties.This will be determined by the nature of the task
which the agent should achieve. For example, Microsoft’s software agent
does not necessarily need to be mobile and cooperative but it must be smart
and proactive. “This agent proposed to enhance the user interface of their
applications with interactive personalities in the form of animated
characters. These characters can move freely within the computer display,
speak aloud (and by displaying text onscreen), and even listen for spoken
voice commands” . However, as mentioned earlier several types of agent
exist such as collaborative agents, interface agents, mobile
agents,information agents, reactive agents, hybrid agents and smart agents.
These types of agent are built based on their purpose. For this work the
mobility factor must exist as the main feature alongside one or many of the
previous attributes depends on the need of that characteristic.
a system requests a service to be done by the mobile agent, the system must
create a mobile agent instance in the first place before any work can be done.
During, this creation stage the mobile agent will be equipped with the
desired parameters in order to achieve its goal. Cloning basically creates a
copy of the original mobile agent object. This operation is used when the
need for another agent (with the same features and properties to do the same
or other job in conjunction with the original one ) arises. The dispatching or
migrating is another main function in the mobile agent life cycle. This
function is responsible for moving the agent from one node to another within
the network environment by specifying the destination address (e.g. URL) to
the agent. There are two main types of migration: strong and weak. The
retraction function is done where the agent’s source node requires its agent
to be returned to the original host or node. Activation and deactivation are
operations done when the mobile agent is required to start or to stop only
within certain time of its lifetime. Finally, the dispose operation is done
where the agent life comes to the end. Fig. 3 explains the above mobile
agent operations as suggested by an Aglet system
3
Mobile agents consist of three components: code, data, and execution state.
The code contains the logic of the agent, and all agents of the same type use
the same code.3 The code must be separated from the code of the agency so
that it can be transferred alone to another agency, and the code must be
identifiable and readable for an agency (e.g., in the form of a file from the
local file system or a byte stream from the network). Usually, as in other
programs, an agent’s code consists of more than one file (e.g., in the Java
programming language they could be many class files). The second
component of an agent is data. This term corresponds to the values of the
agent’s instance variables if we assume an agent to be an instance of a class
in object-oriented languages. The data is sometimes also called the object
state. It is important to note that not all data items an agent can access are
part of its object state. Some variables reference objects that are shared with
other agents or the agency software itself, for example, file handlers, threads,
the graphical user interface, or other resources and devices that cannot be
moved to other servers. Thus, we have to restrict the agent’s immediate data
to those data items the agent owns and that are movable. The third
component is the execution state. The difference between object and
execution state information is that the elements of the object state are
directly controlled by the agent itself, whereas execution state information is
usually controlled by the processor and the operating system. What this
means depends very much on the decision of the mobile agent toolkit
designer and the underlying execution environment (processor, operating
system, virtual machine), as we will see in Section 3.3, Design Issues of
Agent Migration. In some toolkits, an agent’s execution state is comprised
of the current value of the instruction pointer and the stack of the underlying
processor. In others it is not possible to determine the execution state of an
agent at all. In most Java-based toolkits, for example, the agent itself is
responsible for copying information about its current execution state on the
level of the programming language into the object state and restoring it after
successful migration.
• The Migration Framework
the migration process the sender and the receiver must communicate over
the network and exchange data about the agent that wants to migrate. Thus,
we can say that some kind of communication protocol is driven, and we call
this the migration protocol. Some systems simplify this task to an
asynchronous communication, comparable to sending an email, whereas
other systems develop rather complicated network protocols in addition to
TCP/IP. The whole migration process contains six steps, which are executed
in sequence, except for S3 and R1, which are executed in parallel (Fig. 3.1).
The first three steps (S1–S3) are executed on the sender agency: S1
Initialize the migration process and suspend the thread. The process of
migration typically starts with a special command, the migration command,
by which the agent announces its intention to migrate to another agency,
whose name is given as parameter of the migration command. The first task
for the agency is now to suspend the execution thread
of the agent and to guarantee that no other child thread is still alive. This
requirement is important for the next step, for which it is imperative that
data and state be frozen and unable to be modified later on.
3
S2 Capture the agent’s data and execution state. The current state of all
variables (the data) of the agent is serialized; that is, their current values are
written to an external persistent representation, for example, a memory
block or a file. The agent’s state is also stored there so that the point of
suspension is known. The result of the serialization process is the serialized
agent, which is a flat byte stream that consists of the agent’s data and state
information.
S3 Transfer the agent. The serialized agent is transferred to the receiver
agency using a migration protocol. Whether any code is sent to the receiver
agency depends on different parameters and will be discussed later. The last
three steps (R1–R3) are executed on the receiver agency.
R1 Receive the agent. The serialized agent is received using the migration
protocol. The receiver agency checks whether the agent can be accepted
based on information about the agent’s owner and the sender agency. The
receiver agency may filter out agents that come from agencies that are
unknown or not trusted.
R2 Deserialize the agent. The serialized agent is deserialized; that is, the
variables and execution state are restored from the serialized agent. The
result of this step should be an exact copy of the agent that existed on
the sender agency just before reaching the migration command.
R3 Start agent execution in a new thread. The receiver agency resumes
agent execution by starting a new thread of control. When resuming
execution, the agent’s code is needed. In this general framework we make no
assumptions abouthowthe code is transferred to the receiver agency.One
possible technique is for the receiver agency to load the code from the
agent’s home agency or its code server.We will discuss those techniques. In
the next section we look at an implementation of a migration process. As an
example we chose our Tracy mobile agent toolkit, which is implemented in
the Java programming language.
Why Are Mobile Agents a Good Idea?
Now we want to describe some major advantages of mobile agents and try
to explain why they will meet the demands of future distributed
systems.Although mobile agents provide a new and interesting approach to
distributed systems, there must be clear arguments in favor of mobile agents
before they are substituted for more traditional techniques. However,
although we believe that mobile agents are the most promising technology to
solve most of the problems of the networked future, it should be said that we
also believe that mobile agents will supplement many older techniques
rather than replace them. We present four major technical advantages in
3
detail. It is this set of basic technical advantages that opens the chance for
improved and typical applications.
• Delegation of tasks.
Because mobile agents are simply a more specific type of software agent, a
user can employ a mobile agent as a representative to which the user may
delegate tasks. Instead of using computer system interactive tools that are
able to work only under direct control by a user, autonomous software
agents aim at taking care of entire tasks and working without permanent
contact and control. As a result, the user can devote time and attention to
other, more Iportant things. Thus, mobile software agents are a good means
to cope with the steady information overload we experience.
• Asynchronous processing.
Once mobile agents have been initialized a set up for a specific task, they
physically leave their owner’s computer system and from then on roam
freely through the Internet. Only for this first migration must a network
connection be established. This feature makes mobile agents suitable for
nomadic computing, meaning mobile users can start their agents from
mobile devices that offer only limited bandwidth and volatile network links.
Because the agent is less dependent on the network, it will be more stable
than client-server–based applications.
• Adaptable service interfa
Current techniques in distributed systems that offer application service
interfaces, usually as a collection of 2.5 Possible Application Domains
ofMobile Agents _ 27 functions, constitute only the least common
denominator of all possible clients. As a consequence, most of the interface
functions are more or less primitive, and clients will probably have to use a
workflow connecting these functions in order to execute a complex, user-
driven operation. If the communication overhead for exchanging messages
between client and server is high compared with the execution time of each
function, it would make sense to offer aggregated and more advanced
functions as combinations of the primitive ones. However, because it is
difficult to track down every possible scenario in advance or even during
runtime, these functions are usually not offered by the server’s multi-
purpose interface. Mobile agents can help in this situation by offering a
chance to design a client-driven interface that is optimized for the client
(user) but that is adaptable to different server interfaces. The key is to use a
mobile agent to translate the more complex and user-driven functions of the
client interface into the fitting primitive functions offered at the server node.
The mobile agent will simulate a constant and highly specialized interface
3
for the client (user) while talking to each server in its own language, which
will allow servers to become simpler and more generalized.
• Code-shipping versus Data-shipping
This is the probably most cited advantage of mobile agents, and it stands in
close relationship to adaptable service interfaces. Service interfaces
frequently offer only primitive functions to access databases. A single call
can therefore result in a huge amount of data being sent back to the client
because of the lack of precision in the request. Instead of transferring data to
the client, where it will be processed, filtered, and probably cause a new
request (data-shipping), this code can be transferred to the location of the
data (code-shipping) by means of mobile agents. In the latter case, only the
relevant data (i.e., the results after processing and filtering) is sent back to
the client, which reduces network traffic and saves time if the code for
filtering is smaller than the data that must be processed. This advantage has
been scrutinized in the last 5 years by many different research groups for
different application domains, and it has generally been verified
Mobile agents are also useful when it comes to reducing the flow of raw
data in the network. When very large volumes of data are stored at remote
hosts, these data should be processed in the locality of the data, rather that
transferred over the network. Mobile agents allow you to package a
conversation and dispatch it to a destination host where the interactions can
take place locally, see Figure 1.
3
Mobile agents improve the support for mobile computing, i.e., mobile
devices that are only intermittently connected. Mobile devices, such as
personal digital assistants (PDAs), web pads, and mobile phones, are not
general-purpose computing devices in the sense of personal computers, but
exhibit two key characteristics relevant in this discussion:
A user might choose to put together a query (a "task" for the agent), connect
to the network, launch the agent with the respective task, disconnect from
the network, and at a later time retrieve the agent along with the results it has
collected. This is beneficial not only when considering devices that are
occasionally disconnected but also when looking at devices, like cell phones,
that might be connected persistently, but only with a very low bandwidth.
such new environments, it would take great efforts to adopt all existing
components to the improved protocol. Two properties of the mobile agent
paradigm offer advantages in this field:
Let’s start with the notion of software agents. The word agent derives from
the Latin word for actor, meaning a person who acts on behalf of another.
In different languages the notion agent is used with different meanings. In
English-speaking countries, for example, the word agent is often used in
a more general context, whereas in German-speaking countries an agent
mostly works for the secret service. Usually, a real estate agent is employed
to aid in renting or buying a house, and a travel agent is visited to aid in
3
Proactivity Not only do agents react to stimuli from their environment, but
they are also able to take initiative and actively plan. B. Le Du explains
this with the following metaphor: “The difference between an automaton
and an agent is somewhat like the difference between a dog and a butler. If
you send your dog to buy a copy of the New York Times every morning, it
will come back with its mouth empty if the news stand happens to have run
3
out of this specific newspaper one day. In contrast, the butler will probably
take the initiative and buy a copy of the The interested reader is referred to
some books that serve as comprehensive introductions to all fields of
intelligent software agent research and from which more information about
these topics can be gleaned and also more definitions for software agents
found. Software Agents, contains a collection of papers concerning the
areas of agentsupported user interfaces, agents for learning and intelligent
assistance, and a summary of agent communication, collaboration, and
mobility. We can now try to add mobility to our definitions of software
agents: Mobile software agents are computer programs that act as
representatives in the global network of computer systems. The agent knows
its owner, knows his or her preferences, and learns by communicating with
its owner. The user can delegate tasks to the agent, which is able to search
the network efficiently by moving to the service or information provider.
Mobile agents support nomadic users because the agent can work
asynchronously while the user is offline. Finally, the agent reports results of
its work to the user through different communication channels such as
electronic mails, Web sites, pagers, or mobile phones. In this definition,
many of the characteristics of software agents that we described earlier can
be found. A mobile agent acts on behalf of a user; it knows its user and gets
to know him or her better over time. It has social behavior because it is able
to communicate with the user, services, or even other agents. It works
proactively, because it can, for example, contact its owner by many means of
communication. The additional property of mobility can be seen as a very
straightforward extension, at least from a human point of view, as it goes
well with our natural understanding of how to search for information in a
distributed environment.
There are at least seven main benefits, or good reasons, to start using
mobile agents:
• Requirements
Mobile agent fault tolerance requires at least mechanisms for making agents
persistent, for reactivating agents after a failure, for recovering the state of
the agent activity after a failure, and for reliably transporting agents between
agencies. Additionally, the execution of mobile agent-based applications
should be able to tolerate long-term failures of agencies. When a mobile
agent executing an application moves to an agency, it transfers the control
flow execution of that application to that agency. While executing at an
agency, an agent is completely subject to the execution rules and conditions
of that agency. If the agency where the agent is running fails, the execution
of that agent remains blocked while the agency is faulty. An agency may
remain faulty for a long time. Long unavailability periods have the obvious
undesirable effect of delaying the execution of an agent-based
application. Making the execution of an agent-based application tolerate
long-term failures of agencies is achieved by replicating agents. With
replication, an agent execution is seen as being performed in a sequence of
stages (see Figure 1). The first stage begins when the application execution
starts. A new stage then begins (and the previous terminates) when the
mobile agent execution reaches a movement operation, to continue at a new
agency. To provide agent fault-tolerance, copies of the agent are sent to
a non-empty set of agencies. Consider in Figure 1 that the agent application
has to perform actions sequentially at agencies agency_1_1, agency_2_1, ...,
agency_m_1, i.e., at the uppermost agencies at each stage represented in
the figure. As can be seen, at each stage copies of the agent are sent to the
desired agency and additionally to a set of n-1 other agencies. For example,
at stage 1, copies of the agent are sent to agencies agency_1_1,
agency_1_2, ..., agency_1_n. The n-1 additional agencies are used primarily
3
• Existing Approaches
Mobile agent fault tolerance and support for transactional behavior have
been considered in the context of some mobile agent projects. In
the authors consider agent replication as introduced in the previous section.
In, the author concentrates on the problem of protecting agents against being
subverted by malicious hosts. In the authors introduced the so-called rear
guards as agents left behind while an agent execution moves from agency to
agency that perform recovery if some failure causes the agent executing the
activity to vanish. The protocol used for managing rear guards is called the
NAP protocol. The NAP protocol is an efficient protocol based on reliable
broadcast. The NAP protocol, however, does not tolerate network
partitioning. In a specific protocol was described for mobile agent fault
tolerance that considers network partitioning. In this protocol, however, an
agent group cannot create new agent groups. This protocol is coupled with
the execution of a single atomic transaction by an agent at an agency. If a
new agent is activated to perform recovery of a failed agent, the state of the
execution backtracks to the point before the beginning of the execution of
the stage. an approach for mobile agent fault tolerance and a transaction
model (open nested) based on mobile agents are presented. The approach
supports the dynamic creation of agent groups by other agent groups,
recovery from long-term failures of agencies and network partitioning. This
approach, based on the use of transactions, fulfills the requirements defined
in the previous section. Another approach for agent fault tolerance is
presented in, but it does not tolerate long-term failures of agencies. In and
approaches for executing transactions with mobile agents are presented, but
no concept for fault tolerance is discussed. Finally, approaches for providing
mobile agent persistence and reactivation are common in existing mobile
agent systems. A mechanism for reliably transporting an agent from an
agency to another can be performed, for example, with the use of persistent
message queues.
the number and location of the members which form it. Essentially, in a
group communication mechanism, a message sent by a process must be
addressed to all processes in the group and message delivery must be
atomic: either all processes receive the message or no one receive it.
Additionally, message delivery order guarantees such as total or causal
ordering can also be provided by the group communication system A mobile
process group is an extension of the traditional concept of a group of
cooperating processes which can directly support migrating processes as
members of the group. Group communication systems have been
traditionally used to support fault tolerance of replicated components in a
system (e.g., replicated data bases) and for supporting groupware
applications. The coordination requirements of replicas of mobile agents
were made clear , where replication was presented as a means for addressing
mobile agent fault tolerance. Beyond the needs for maintaining consistency
of replicas or independent groups of replicas, mobile process group services
have a broader applicability in agent applications, specially in providing
message delivery guarantees (reliable multicast, causal and total order) for
any set of cooperating agents (for example, for guaranteeing atomic
multicasts to a group of agents that are looking for some information in the
distributed environment). Using mobile process groups represents a form of
unifying the underlying support for fault tolerance and agents coordination,
simplifying the existing solution and potentially increasing the level of fault
tolerance and the implied costs. In relation to support for agents
coordination, mobile process groups represent functionality not yet present
in agent systems. To the best of our knowledge, support for mobile process
groups is not present in existing group communication platforms, such as
Horus and Transis. Previous work exists in supporting group communication
for mobile device computing), but it is devoted to accommodating existing
protocols to the specific properties of the environment (low bandwidth links,
low capacity devices, etc.). Some of the results might be applicable to
mobile process groups. We are however extending traditional group
communication concepts to incorporate ne semantics of message delivery in
the presence of mobility, not present in those systems. Additionally, special
handling of events is being considered to provide a finer tuned way of
handling with movement.
Security Issues in a Mobile Agent System
Since a mobile agent system mainly consists of mobile agents and mobile
agent platforms, most attacks are towards these two main entities. We will
introduce the attacks to them respectively in the following.
• Possible attacks to a mobile agent
A mobile agent has to expose its own information to the platform it migrates
to so that it could be executed. In the case of strong migration, it has to
expose its code, data and state. In the case of strong mobility, its code and
data have to be exposed. Due to this fact, a mobile agent faces more severe
security risks. A malicious platform can try to attack Security Modeling and
Analysis of MAS it in different ways. If we consider the home platform
environment to be the totally secure environment and try to achieve such a
protection level for a mobile agent in other platform, we can identify the
following possible attacks of a malicious platform.
• Leak out/Modify mobile agent's code
The mobile agent's code has to be readable by a guest platform. This
characteristic makes the attack of leaking out/modifying mobile agent's code
unavoidable. A malicious platform could read and remember the instruction
going to be executed and might infer the rest of the program based on that
knowledge. Thus the platform could get to know the strategy and purpose of
the mobile agent. The situation becomes worse if the mobile agent
represents a class of mobile agents or is generated out of standard building
libraries. Therefore a malicious platform can have a complete picture of a
number of mobile agents' behavior. If the malicious platform infers the
physical address and has access to the code memory, it can modify the
agent's code either directly or through inserting some vicious part like a
virus. It could also change the code temporarily to avoid being detected by
modifying the code, executing the code modified and resuming the original
code before the mobile agent leaves.
• Leak out/Modify mobile agent's data
This could be very dangerous too. Since some data are security sensitive,
such as security keys, electronic cash, or social security numbers, it may
cause leak of privacy or loss of money. If a malicious platform knows the
physical location of data, it may modify the data in accordance with the
semantics of data. Therefore it can result in very severe consequences. In
some cases, even if the data being leaked is not that sensitive, a malicious
platform can still take advantage of those data and perform attack. For
example, if a malicious platform gets to know the traveling date of a person,
it may leak it to some thief.
• Leak out/Modify mobile agent's execution flow
3
If a malicious platform knows a mobile agent's code, data and the physical
location of its program counter, it can infer what instruction will be executed
next. Moreover, it can deduce the state of that mobile agent. Then it might
change the execution flow according to its will to achieve its goal. For
example, it may find that the mobile agent first compares the price of a
product or service provided by the platform with the expected price of the
agent itself, and decides to use it or not afterwards. A malicious platform
might force the mobile agent to ignore the result of the comparison and
accept its product or service directly by making the execution flow jump to
some point. A malicious platform can also take advantage of its ability to
modify the mobile agent's execution to deliberately execute agent's code in a
wrong way.
• Denial of service
A malicious platform can simply not execute the mobile agent migrating to
it or put the agent into waiting list and thus cause delay to that mobile agent.
It is also an attack to the mobile agent since it may make the mobile agent
miss some good chances if the agent can finish its execution on that platform
in time and travel to other platforms.
• Masquerade
A malicious platform may disguise itself as a platform to which a mobile
agent will migrate to or even as the home platform when the mobile agent
returns. If it succeeds, it can get the secrets of the mobile agent by cheating
and at the same time hurt the reputation of the original platform. For
example, a malicious platform may pretend to be an airline company and
give a mobile agent a fake ticket after it gets the money. But the mobile
agent doesn't really get the ticket and may have dispute with the real airline
company later.
• Leak out/Modify the interaction between a mobile agent and other
parties
A malicious platform may eavesdrop on the interaction between a mobile
agent and other parties like another agent or another platform. From the
information it gets, it may infer some secrets about the mobile agent and the
third party. Moreover, if it can alternate the content of the interaction, or
disguise itself as part of the interaction, or direct the interaction to another
unexpected third party, it may perform attacks to the mobile agent and the
third party as well.
• Possible attacks to a mobile agent platform
A mobile agent platform provides the execution and communication
environment for incoming mobile agents. A malicious mobile agent may
3
• Masquerade
A malicious mobile agent may claim itself as another agent on a mobile
agent platform. Such masquerading action can also be called "faking". The
aim of masquerading of a malicious agent is either to fake as an authorized
agent so as to gain access to the services and resources of this mobile agent
platform which are not assigned to it; or to fake as another unauthorized
agent so as to find a "scapegoat" and shift the blame and punishment of any
malicious actions it will conduct. The results of masquerading include
unauthorized access and even damage to platform resources, leaking
confidential secrets, and ruining the established trust and reputation of the
legitimate agent.
• Denial of Service
The denial of service attack to a mobile agent platform may be from
a malicious mobile agent that deliberately exploits system vulnerabilities or
a mobile agent written with programming errors unintentionally. But the
consequences are similar. The "bad" mobile agents consume an excessive
amount of the resources of this mobile agent platform, degrade the
performance of the platform, make the platform unavailable to other
legitimate agents, or even completely terminate the platform or shut it down.
• Unauthorized Access
If a mobile agent platform is not equipped with an authorization mechanism,
or such mechanism fails for a malicious agent that takes advantage of the
vulnerability of the platform, a malicious agent may have unauthorized
access to the resources of the platform. Not only the privacy and integrity of
this platform may be detrimentally affected, but also other mobile agents
would be attacked from a variety of aspects, which in turn will have a
negative impact on the entire mobile agent system. Obviously, those attacks
are dangerous and harmful to mobile agent systems. In order to avoid those
attacks, a secure mobile agent system must satisfy the following
requirements.
3
• Requirement 3
Encryption and authentication is used for agent communication. In the rest
of this section we will describe the implementation in greater detail. But
few words on Erlang, our implementation language.
• Erlang
Erlang is a fairly clean functional language: it does not have global variables
and no destructive assignment. State changes are modeled by processes.
3
In Erlang, processes are created explicitly through the spawn primitive. The
Result Of Spawn is Identier is a reference to the created process and is used
to address it, e.g. when sending messages to the process. On a Unix system
all Erlang processes typically reside in a single Unix process, and the Erlang
run time system schedules all processes in a fair way. The Erlang system
supports distribution since version 4.0, i.e. processes may be spawned on
remote nodes. For a large class of applications, it is quite transparent on
which node a process resides, except for performance, as the send operation
works equally well for processes on distributed nodes. The main di
erence is that it is possible to specify on which node a spawn operation
should be performed. A certain degree of security is provided through a
cookie mechanism. All distributed Er- lang nodes that need to communicate
must know each others cookies. The cookies work essentially like
passwords. It should be noted that this protocol has serious weaknesses.
Once started on a certain node there is no direct way for an Erlang process to
move. The state is carried over through the arguments to the spawned
process.
• Meeting the requirements
In the distributed Erlang system it is quite possible for a process to
misbehave in various ways.. It can spawn thousands of processes stealing
all processing power, or it can allocate large amounts of memory etc. In the
following sections we will see how these problems are solved in STEAM.
Agent closure Our solution to the above mentioned problems is divided in
two parts. The rst is to encapsulate the agent in an agent closure. An agent
can consist of several Erlang processes and these processes execute within
the agent closure. The closure consists of three main parts. First there is an
Agent Supervisor which is responsible for the agent, serving agent processes
and handling charging for resource usage. At regular intervals the Agent
Supervisor checks how much resources the agent processes are using.
Typical resources are the CPU usage, i.e. in the number of reductions of the
virtual machine in the Erlang system and the amount of memory which is
used by each agent process. When the agent cannot pay for its resource
usage the agent will be terminated. With this approach an agent can only use
up a limited amount of resources, To prevent an agent from being equipped
with too much resource use credit, the payment for resource use has to be
con0nected to some sort of real money, e.g. electronic cash. The second part
of the agent is the agent dictionary which acts as a shared persistent memory
for the agent processes. The agent dictionary follows the agent when it
travels between stations. The last part of the agent closure is the KQML
Gate through which the agent can communicate with other agents.
3
For the agent specic functionality we choose to stay with Erlang as the agent
programming language, instead of implementing a new special-purpose
3
can build such a system. The security though seems in exible: the message
\security violation" pops up as soon as you try to do something useful.
Java vs. Erlang As the project was using both Java and Erlang it is natural to
compare the two languages, although they were used for di
erent purposes. Java was mainly used for the graphical interface, but code
was also written to parse and generate KQML. The execution performance
of Java was much lower than we had expected, especially in the parser,
which we could compare directly to the corresponding code in Erlang.
To us it seems the garbage collector in our version Java for SUN (JD 1.0.2)
was one of the main reasons for this in efficiency, but the implementation of
the Java Virtual Machine was probably also not particularly client. Some
bugs in the Java development environment indicated that the product is a bit
immature, but nothing that prevents it from being usable. Java (in JDK
1.0.2) uses cooperative multitasking, where each thread must give up its
execution voluntarily. This complicated programming. Erlang on the other
hand has full preemptive multitasking, and seems to handle a large number
of processes much more eciently. Both languages are nice to work with,
although the code in Erlang is more compact and readable. Further work
Although Erlang has some shortcomings as an agent programming language
it seems better suited than most alternative approaches. One aspect that
should be improved is the fact that there is no way to really migrate
processes in Erlang. The only way to achieve this now is to spawn new
processes in the new runtime system and kill the old processes. We intend to
investigate the possibility of extending the Erlang run time system so that a
group of processes may be explicitly moved to another node. We would also
like to add basic security support to the Erlang run time system, based on
results from this work and work on SafeErlang. Mobile agents are
particularly advantageous in systems where it is hard or impossible to
maintain a connection between the nodes, such as in radio-based systems.
An agent with a complicated task need be sent just once, and this will reduce
the trac on the connection considerably. This is particularly important in the
case when the user agent is simplistic,and requires a lot of interaction. A
promising for exploration is therefore the use of mobile agents for
implementing advanced functions in PDA:s and other portable
terminals,such as mobile phones. These systems are a challenge as they have
limited memory and computing capacity, and the security requirements are
vital for most applications.
3
mobility have been noted. Probably the best known of the safe interpreters
for script-based languages is Safe Tcl which was used in the early
development of the Agent Tcl system. Safe Tclemploys a padded cell
concept, whereby a second “safe” interpreter pre-screens anyharmful
commands from being executed by the main Tcl interpreter. The term
padded cell refers to this isolation and access control technique, which
provides the foundation for implementing the reference monitor concept.
More than one safe interpreter can be used to implement different security
policies, if needed. Constructing policy-based interpreters requires skill to
avoid overly restrictive or unduly protected computing environments.
In general, current script-based languages do not incorporate an explicit
security model in their design, and rely mainly on decisions taken during
implementation. One recent exception is the implementation of secure
JavaScript in Mozilla . The implementation uses a padded cell to control
access to resources and external interfaces, prevents residual information
from being retained and accessible among different contexts operating
simultaneously or sequentially, and allows policy, which partitions the name
space for access control purposes, to be specified independently of
mechanism.
Signed Code
A fundamental technique for protecting an agent system is signing code or
other objects with a digital signature. A digital signature serves as a means
of confirming the authenticity of an object, its origin, and its integrity.
Typically the code signer is either the creator of the agent, the user of the
agent, or some entity that has reviewed the agent. Because an agent operates
on behalf of an end-user or organization, mobile agent systems commonly
use the signature of the user as an indication of the authority under which the
agent operates. Code signing involves public cryptography, which relies on a
pair of keys associated with an entity. One key is kept private by the entity
and the other is made publicly available. Digital signatures benefit greatly
from the availability of a public key infrastructure, since certificates
containing the identity of an entity and its public key (i.e., a public key
certificate) can be readily located and verified. Passing the agent’s code
through a non-reversible hash function, which provides a fingerprint or
unique message digest of the code, and then encrypting the result with the
private key of the signer forms a digital signature. Because the message
digest is unique, and thus bound to the code, the resulting signature also
serves as an integrity mechanism. The agent code, signature, and public key
certificate can then be forwarded to a recipient, who can easily verify the
source and authenticity of the code. Note that the meaning of a signature
3
• Security Requirements
The users of networked computer systems have four main security
requirements:
confidentiality, integrity, availability, and accountability. The users of
agent and mobile agent frameworks also have these same security
requirements. This section provides a brief overview of these security
requirements and how they apply to agent frameworks.
• Confidentiality
Any private data stored on a platform or carried by an agent must remain
confidential. Agent frameworks must be able to ensure that their intra- and
inter-platform communications remain confidential. Eavesdroppers can
gather information about an agent's activities not only from the content of
the messages exchanged, but also from the message flow from one agent to
another agent or agents. Monitoring the message flow may allow other
agents to infer useful information without having access to the actual
message content. A burst of messages from one agent to another, for
example, may be an indication that an agent is in the market for a particular
set of services offered by the other agent. The eavesdropping agent or
external entity may use this information to gain an unfair advantage. Agents
may be able to detect an Agent Communication Language (ACL)
conversation signature pattern to infer further meaning from an agent
conversation. A procurement agent may, for example, send three messages
to a vendor agent, followed by one message to its home platform, and
conclude the transaction with two messages to the vendor agent. The vendor
agent may send two messages to a credit-checking agency and conclude with
a message to its banking agent. Although the contents of the messages
have never been disclosed, an eavesdropper may be able to infer that the
procurement and vendor agents have successfully completed a sale of some
commodity or service. Mobile agents may also want to keep their location
confidential. Mobile agents may communicate through a proxy whose
location is publicly known if the agents want to conceal their presence on a
particular platform. Agents must be allowed to decide if their presence will
be publicly available through platform directories, and platforms may
enforce different security policies on agents that chose to be anonymous. An
3
agent shopping for goods and services may wish to do so in privacy, but
when a financial transaction is to be carried out the platform may require
some form of authentication. Agents can assume a pseudonym to conceal
their identity from other agents, but this pseudonym is reversible and cannot
be used to conceal its identity from the platform itself. In addition, an agent
may not want to disclose which platforms it has visited on its itinerary, but
the platform security policy of its host may not be willing to accept agents
that have been on certain platforms outside the authority of certain approved
security domains. Since audit logs maintain a detailed record of an agent's
activities on the platform, the contents of the audit log must also be carefully
protected and remain confidential. Access to the audit logs must be restricted
to authorized administrators. A mobile agents' audit log may be distributed
across several security domains, each having a different audit policy, so
some agents may want to carry certain parts of their audit log with them for
future reference. In some cases the mobile agent may require the host
platform to sign portions of the audit log for which it was responsible.
• Integrity
The agent platform must protect agents from unauthorized modification of
their code, state, and data and ensure that only authorized agents or
processes carry out any modification of shared data. The agent itself cannot
prevent a malicious agent platform from tampering with its code, state, or
data, but the agent can take measures to detect this tampering. The secure
operation of mobile agent systems also depends on the integrity of the local
and remote agent platforms themselves. A malicious host can easily
compromise the integrity of a mobile agent that is visiting a remote agent
platform. The trend towards releasing open source platforms and operating
systems makes it easier for unscrupulous administrators or organizations to
make unauthorized modifications to the agent platform and the underlying
framework. The agent's user and developer may have no knowledge of
the behavior of this modified framework and the effects it will have on the
agent's code, state and data that are under the platform's complete control. A
malicious platform may make subtle changes in the execution flow of the
agent’s code and make changes to computed results that are difficult to
detect. A malicious platform could interfere in transactions between agents
representing different organizations and tamper with the audit trails. This
could result in each organization involved in the transaction blaming the
other for not delivering promised goods or services.System access controls
must be in place to protect the integrity of the agent platform from
unauthorized users. Changes to the platform by unauthorized users are more
likely to be detected over time than changes to the platform by authorized
3
authenticated agent may comply with the security policies of the agent
platform, but still exhibit malicious behavior by lying or deliberately
spreading false information. Additional auditing may be helpful in proving
the malicious agent's attempts at deception. For example, the communication
acts of an ACL conversation could be logged, but this results in costly
overhead. If it is assumed that the malicious agent does not value its
reputation within an agent community, then it would be difficult to prevent
malicious agents from lying.
• Availability
The agent platform must be able to ensure the availability of both data and
services to local and remote agents. The agent platform must be able to
provide controlled concurrency, support for simultaneous access, deadlock
management, and exclusive access as required. Shared data must be
available in a usable form, capacity must be available to meet service needs,
and provisions for the fair allocation of resources and timeliness of service
must be made. The agent platform must be able to detect and recover from
system software and hardware failures. While the platform can provide some
level of fault-tolerance and fault-recovery, agents may be required to assume
responsibility for their own fault-recovery. The agent platform must be able
to handle the requests of hundreds or thousands of visiting and remot agents
or risk creating an unintentional denial of service. In the event that a
platform cannot handle its computational and communication load, the
platform must provide graceful degradation of services and notify agents
that it can no longer provide the level and quality of service expected by the
agents requesting its services. The threat of a denial of service attack being
launched by rogue or flawed agents underscores the need for the control and
monitoring of platform resources. A denial of service attack against the
platform is an indirect attack on all the agents that rely on this platform for
agent services and platform resources. Since the platform may be hosting
agents from several other organizations, a denial of service attack on a single
platform may adversely impact more than one agent, platform, organization.
Ensuring confidentiality and integrity places restraints on availability and
also has performance costs. Encrypting agents and messages in transit may
impose unacceptable delays in environments where near real-time response
is required. Ensuring accountability may also place restraints on the
availability of platform services. For example, when the audit log storage
media exhausts its capacity, many security policies disable all services
that create records in the audit log. In an effort to maintain accountability,
this policy may inadvertently create an opportunity for a denial of service
attack by simply producing an inordinate amount of auditable events, such
3
as repeated failed login attempts, and consume the remaining capacity of the
audit log storage media.
• Anonymity
The agent platform may need to balance an agent's need for privacy with the
platform's need to hold the agent accountable for its actions. The platform
may be able to keep the agent's identity secret from other agents and still
maintain a form of reversible anonymity where it can determine the agent’s
identity if necessary and legal. Anonymity in human communities may help
foster certain types of commerce or promote the freedom of expression by
eliminating the fear of retribution for voicing unpopular viewpoints. There
are many situations, however, in which the participants are reluctant or
unwilling to engage in a transaction with an anonymous counterpart.
Purchasers of goods and services may want to protect their privacy by
remaining anonymous, but credit agencies would not extend credit to
anonymous consumers without being able to verify their credit history and
credit worthiness. The anonymity issues affecting human communities also
apply to agent communities. The security policies of agent platforms and
their auditing requirements must be carefully balanced with agent privacy
expectations. The collection and use of audit information for uses other than
security must also be understood by the agents visiting the agent platform.
Moreover, what information belongs in public agent directories and under
what conditions can the information be accessed from these directories must
also be carefully controlled.
• Countermeasures
Many conventional security techniques used in contemporary distributed
applications (e.g., client-server) also have utility as countermeasures within
the mobile agent paradigm. Moreover, there are a number of extensions to
conventional techniques and techniques devised specifically for controlling
mobile code and executable content (e.g., Java applets) that are applicable to
mobile agent security. We review these countermeasures by considering
those techniques that can be used to protect agent platforms, separately from
those used to protect the agents that run on them. Most agent systems rely on
a common set of baseline assumptions regarding security. The first is that an
agent trusts the home platform where it is instantiated and begins execution.
The second is that the home platform and other equally trusted platforms are
implemented securely, with no flaws or trapdoors that can be exploited, and
behave non-maliciously. The third is that public key cryptography, primarily
in the form of digital signature, is utilized through certificates and revocation
lists managed through a public key infrastructure.
3
sooner, and therefore the mobile agents spend less time on the network.A
mobile agent based solution is very fault tolerant. Even if some of the
mobile agents are destroyed, all surviving ones will have a positive impact.
Indeed, the destroyed mobile agents will have benefited every peer up to the
point where they were destroyed.Finally, a mobile agent based solution can
be combined with successful features from other P2P based systems to
provide an improved final solution.
Mobile Agent Use In Dynamic View System?
DVS provides an infrastructure for the dynamic deployment of views over
remote databases. It can be viewed as a multilevel dictionary that maintains
information about the remote databases to allow clients to define and
materialize such views. It also maintains information about previously
materialized views, so that they can be subsequently re-used. Materialized
views can be mobile; they are dynamically relocated following their clients
so that as to stay close to their clients.
DVS consists of six types of Java agents: two of them are stationary,
namely, the Dictionary_Vagent and the Assistant_Agent, and four are
mobile, namely, the Dictionary_Sagent, the Dictionary_Vclient, the
DBInfo_Agent, and the View_Agent. The two stationary types constitute
the fixed part of the architecture. The four mobile agent types comprise the
dynamic part of the architecture. Mobile agents are dynamically created and
cooperate with each other and the stationary agents in creating, maintaining,
and querying the views
3
N e w C li e n t
O p e r a te d b y C e n tr a l A g e n t o f D V S fr a m e w o rk D a ta b a s e S e rv e r
D ic tio n a r y _ V a g e n t O p e r a te d b y a c c e s s e d th ro u g h
D ic ti o n a r y _ S a g e n t D ic t io n a r y _ V a g e n t A s s is ta n t A g e n t
D is p a t c h e s t o r e g is t e r
t h e N e w C lie n t
& d is p o s e s i ts e lf a f te r w a r d s
R e p ly M e s s a g e
- L is t o f M a t e r i a lie d v ie w s
R e q u e s t fo r a - O t h e r O p t io n s
n e w V ie w D B In fo _ A g e n t
D is p a t c h e s t o r e t r ie v e D B In fo _ A g e n t
C lie n t c o n s tr u c ts D a ta b a s e M e ta -D a ta q u e r ie s t h e
a n e w V ie w D a ta b a s e S e r v e r 's
D B In fo _ A g e n t
C a t a lo g
M e t a - D a t a is S e n d s M e ta - D a ta
s e n t to c lie n t
R e q u e s t fo r a V ie w _ A g e n t
n e w V ie w V ie w _ A g e n t
D i s p a t c h e s w it h
c re a te s
C li e n t c a n Q u e r y t h e V i e w r e q u e s te d V ie w
& m a i n ta in s V i e w
Other Features
Task Handlers. The mobile shell is separated from the specific task code of
the target application via TaskHandlers . A TaskHandler is a Java object that
implements a particular task, i.e., a specific view update protocol. A
TaskHandler library is a collection of such objects that are serializable and
can travel along with the mobile agents. Each mobile object can load one or
more TaskHandlers and dynamically choose which one to use. For example,
for view maintenance the VA is loaded (and if necessary updated) with the
appropriate TaskHandlers implementing various view materialization
algorithms.
3
Load Balancing. The DVA and the VAs synchronize and coordinate the
creation, update and use of each view. Since a view may be shared by
multiple clients, in the event that the corresponding VA becomes heavily
loaded, the DVA may clone (i.e., create a copy of) the VA. Thus, there may
be more that one VA per view. Furthermore, there may be replicas of the
view, in which case, the VA is responsible to choose the most appropriate
replica for a given request, thus balancing the load on the various replicas.
View Mobility. The VA and the view for a client may move following its
clients . A dynamic location management subsystem is under development
to aid the automatic acquisition of an agent’s location.
Why Mobile (movable) Web Services? First of the reasons is the utilized
capacity of the server (which provides a service), shortage of resources when
it should serve a huge stream of online queries. That problem concerns a
service provider, and can be solved by means of service reproduction and
distribution of its copies to other servers in the Web. In this case it is
possible to decrease the utilized capacity of the concrete source. That will
also improve service discovery among a large amount of the services.
3
In this case, it would be more effective to place all frequently used services
at the client side. In this case we need to take into account the storage
capacity of a client.
Who and how will provide mobility of services? One solution to this
problem might be the implementation of “Agent-Shell Platforms”.
..
Platform Stew ard M obile agents
Network Center
Agents-Services Agents-Services
Requestor Provider
A gents-Services A gents-Services
Requestor Provider
A gents-Services A gents-Services
R equestor Provider
P2P Network
Agents-Services Agents-Services
Requestor Provider
Consider the case, when such complex service receives a request and
provides another request as an output of one of its components. Assume that
there are no other components in its platform, which can resolve this request.
The service queries the network. As a result, such service will be found, and
the request will be resolved. Evidently, it would be better for the service to
accumulate its own set of links to services, which satisfy the requirements,
and use them in violation of the standard search scheme in case of need.
Then we will have a direct interaction between services (peer-to-peer
interaction), not only between elements on some level, but also in the
“vertical” and the “horizontal” plane of the service network hierarchy
(Fig.12).
Requestor
objects that provide and consume the service. While previously services
were meant to be consumed by humans, now industry needs services for
another group of customers like various software applications and even
smart industrial field devices. On the other hand, both humans and artificial
objects (software or devices) can finally provide the service, which was
discovered in the Web.
Human component
Translation
services
This kind of relation between information type, access device type and
information representation format for human interface can be semantically
annotated. For that it is reasonable to elaborate an appropriate ontology.
Conclusion
Mobile agent technology can offer a new paradigm for communication over
heterogonous network channels. A number of advantages of using mobile
agent computing paradigms have been proposed and identified. These
advantages include: overcoming network latency, reducing network load,
executing asynchronously and autonomously, adapting dynamically,
operating in heterogeneous environments, and having robust and fault-
tolerant behaviour. However, the security and standardising issues still
represent a significant obstacle. The main conclusion which can be drawn
from our findings and investigation is that mobile agent technology has the
potential in increasing the performance of networks as well as for software
adopting MAs. Due to its nature of being a futuristic technology from
the programming environment perspective a lot of work is still required
before the average programmer can buildapplications based on the mobile
agent technology paradigm in an easy manner.
3
Bibliography