8/17/2019 IJTC201510009-Prevention of Attacks on Mobile Agents Based E-Service Applications
INTERNATIONAL JOURNAL OF TECHNOLOGY AND COMPUTING (IJTC) ISSN-2455-099X,
Volume 1, Issue 1, OCTOBER 2015
PREVENTION OF ATTACKS ON MOBILE AGENTS BASED
E-SERVICE APPLICATIONS
Yogvinder Singh
Senior Software Engineer,
Location Labs, 5980 Horton Street, Suite 675, Emeryville, CA 94608, USA
ABSTRACT
In recent years many researchers have incorporated mobile agents into e-service applications, especially
e-learning and e-commerce, to improve network latency and to reduce network traffic. On the other hand,
security issues limit mobile agent usage. The main intention of the attacker is to kill the agent or modify its
behavior in the middle of its journey, degrading trust in the agent environment. In this paper, we propose a
fault tolerance mechanism for preventing agent blocking in scenarios where the agent is captured by a
malicious host in the network. This approach makes use of acknowledgements and partial result retrieval and,
when implemented in a mobile agent platform, allows the originator to retrieve partial results and track the
location of the mobile agent at any time during transaction execution. During the recovery of the mobile agent,
all of its components (agent code, itinerary, credential information, collected information and state) can be
recovered. The proposed mechanism is capable of improving fault tolerant time, reliability and performance,
especially for mobile agents in e-commerce Internet applications.
Keywords: Mobile agents, Fault tolerance, e-services, Agent Recovery, Blocking, Acknowledgements.
I. INTRODUCTION
With the growth of the Internet, many network-related technologies have been examined for possible growth
and evolution. With this motive, mobile agent technology was introduced into distributed systems alongside
message passing systems, Remote Procedure Call (RPC) and distributed object systems. The main
distinction is that in message passing systems, RPC and RMI, the functions and objects are pre-defined
and lack the flexibility for customization. A mobile agent (Nwana, 1996) is a piece of program
code that can execute autonomously without the supervision of its owner. Mobile agents are capable of
interacting with and learning from their environment and can react accordingly. The mobile agent performs
its job whenever it finds it appropriate and is not restricted to being collocated with its client. Mobility
(Lange, Oshima 1999) allows an agent to move to a remote location and continue its thread of execution
on a remote host machine. Mobile agents are particularly attractive for designing distributed and
decentralized applications (Schoeman, Cloete 2003), as they can reduce processing time and network
bandwidth usage by moving the code closer to the data located on a remote host. They are sent by their
owners and visit a series of hosts. The mobile agents are executed locally on these hosts to perform
their tasks and return to the owners with their results. Mobile agents carry the application code with
them from the client to the server instead of transferring the data between a client and a server. Since the
size of the code is often less than the amount of data interchanged between the client and the server, a mobile
agent system provides a considerable improvement in performance over client-server communication.
Hence the use of mobile agents is expanding rapidly in many Internet applications, as described by
Manvi, Venkataram (2004).
Communication over the Internet is not reliable. Hosts connected via the Internet constantly fail and
recover. Communication links can go down at any time. Due to high communication loads, link failures
and software bugs, transient communication and node failures are common on the Internet.
Therefore reliability is an important issue for Internet applications (Silva and Macêdo 2000). A mobile
agent failure may lead to partial or complete loss of an agent. The following undesirable scenarios may
occur when mobile agents are sent from one host to another:
• An agent travels from one host to another but never reaches its destination, due to crashes or because it
is terminated by a malicious host or agent. This is an agent failure.
• The host platform on which an agent resides crashes or shuts down unexpectedly due to a failure.
Many agents on the host may be inactive but in a waiting state due to the unavailability of external events. If
more agents migrate through this host, it may run out of memory. This is an agent host failure.
• The destination node fails or there is a failure in the communication link.
For a continuous or free-roaming mobile agent this is a serious issue, because the agent at the nth host will
have the information of the preceding n-1 hosts (Stratter, Rothermel, 1998). If the nth host (malicious)
kills the agent, or the nth host (genuine) fails after receiving the agent, it is difficult to get the data
again. Also, the owner does not learn that the agent is dead; that is, the owner has no way of
knowing whether the agent is alive or not. This is a serious issue for e-service applications,
especially e-learning and e-commerce.
In an example scenario in an e-learning environment, the mobile agent (a continuous or free-roaming mobile
agent) may be dispatched to collect information such as the class schedule, internal marks, project details,
etc. on behalf of the learner. Every tutor has their own server with the details of the students, some of
which may be secret. Suppose a learner initiates an agent to collect information on his internal marks from n
tutors. In the middle of the itinerary (say at the 3rd of 5 tutor servers), the agent is killed by a malicious
host, or the server on which the agent currently resides fails for some
reason. In this context, the learner will wait for the agent for some time, then create a new
agent and send it again, repeating this until an agent comes back. Sometimes the learner is not able to get the
result from the tutor servers at all because of a malicious host in the middle of the journey. This makes people
avoid mobile agent based e-learning environments even though they have a number of advantages. To solve this
problem of agents being captured by malicious hosts, leading to subsequent data loss in e-services, this
paper proposes an agent platform independent mechanism that uses timely acknowledgements and a partial
result method to recover the mobile agent when the agent is killed or the agent server on which it currently
resides has failed.
The rest of the paper is organized as follows. Section 2 discusses the related work. Section 3 describes the
proposed non-blocking approach, which protects agents by the use of acknowledgements and by
returning partial results to the originator in scenarios where the agent is captured by a
malicious or hostile host. This is followed by experimental evaluation in Section 4 and conclusions in
Section 5.
II. RELATED WORK
As mobile agent systems scale up, their failure rate may also be higher. Several techniques have been
proposed for providing fault tolerance in mobile-agent systems (Qu et al., 2005), which broadly fall
under two basic categories, i.e. replication and checkpointing. Checkpointing is one of the most widely used
fault tolerance techniques and can be classified into synchronous, asynchronous and quasi-synchronous
algorithms (Yang et al. 2006). For recovery, an agent needs to roll back to a consistent state. Message
logging for rollback recovery requires that each agent periodically saves its local state and logs every
message sent and received. Message logging protocols are classified into pessimistic, optimistic and
causal (Elnozahy et al. 2002). Replication schemes as discussed in (Pleisch, Schiper, 2001) mainly rely
on replicated servers or agents to mask the failures. Pair processing (Gray and Reuter 1993) is a famous
technique for improving process reliability. It is a collection of two processes which provide a service.
One is considered the primary and the other is considered the shadow. If the primary receives any
changes, then the shadow also receives the changes. If the primary fails, then the shadow takes over. The
primary and shadow processes ping each other to determine that each is still alive. Unrh et al. (2005)
also apply this pair process model in their Semantic-Compensation-Based Recovery model. However,
this pair process is not applicable to colluded attacks. Vogler et al. (1997) propose that a mobile agent
inject a replica into stable storage upon arriving at an agent server. However, in the event of an agent
server crash, the replica remains unavailable for an unknown period.
Simon et al. (2003) propose the mobile shadow scheme, which uses a pair of replica mobile
agents, master and shadow, to survive remote agent server crashes. The master is created by its home
agent server H and is responsible for executing a task T at a sequence of hosts described by its
itinerary. Initially the master spawns a shadow, shadow home, at its home agent server before it migrates and
executes at the first agent server in its itinerary, i.e. AGi. Before the master migrates to the next host in
the itinerary, i.e. AGi+1, it spawns a clone, shadow i, and sends a die message to shadow home.
Shadow i repeatedly pings agent server AGi+1 until it receives a die message from its master.
• Shadow: A shadow or clone in the preceding server terminates when it receives a die message from
its master. This signifies that the master has completed execution at AGi+1 and spawned a new clone,
shadow i+1, to monitor agent server AGi+2. However, assume the master is lost due to an agent server
crash at AGi+1. In this case shadow i at AGi detects the crash of its master, spawns a new clone shadow
i and proceeds to visit agent server AGi+2. Consequently shadow i is the new master.
• Master: A master pings its shadow at AGi-1 concurrently with the execution of task t. In the normal
case the master completes its execution and spawns a new clone shadow to monitor the next host,
AGi+1. Before the master migrates, it sends a die message to terminate the shadow at AGi-1. If the
master detects a shadow crash, it spawns and dispatches a replacement shadow to the preceding active
agent server. Before the master migrates to the next host in its itinerary, it sends a die message to
terminate the replacement shadow.
The major drawbacks of this scheme are the timeout overhead and the mobile shadow overhead. The timeout
overhead represents the re-sending of the agent, and the mobile shadow overhead represents the time for
pinging the shadow while the master runs in the remote agent server. Apart from this issue, the scheme
concentrates on the agent server crash (i.e., if an agent server crashes, then the agent automatically
crashes), not only the agent crash, and it is not applicable to recovering the agent from
colluded attacks. In a colluded attack, more than one host, for example the preceding host and the
current host, can combine to crash the agent. All of this is addressed by the proposed approach of sending timely
acknowledgements and partial results, which focuses on reliably returning the information collected by the
mobile agent to the originator even when the mobile agent is captured by
malicious host(s).
III. METHODOLOGY
PROPOSED SCHEME FOR ACHIEVING NON BLOCKING PROPERTY
The main aim is to ensure that the originator of the mobile agent has, at any point in time, the
information regarding the state of the mobile agent and its partial results, along with the ability to upgrade the
preferences the mobile agent is carrying. The primary consideration is handling the scenario where a
host first obtains authentication but then, having obtained the authority for mobile agent execution,
begins to behave maliciously. Hosts that have turned hostile pose the danger of blocking the mobile agent
and halting its further movement in the network. It is assumed that the agent's operations are idempotent,
thus overriding the exactly-once requirement, and that non-blocking is the primary property to be ensured.
The notations used in implementing the non-blocking property are as follows:
O*: Originator
Hi: Hosts visited by the mobile agent during its movement in the network (1< i < n)
MA: Mobile agent originally launched.
MAi: Mobile Agent with new / changed preferences.
pMA: Mobile Agent carrying partial results.
LTMA: Life Time of Mobile Agent.
Ii: Information collected from host i.
FTMA: Fault Tolerant Time
ACK(Hi): Acknowledgement from host Hi
The implementation scenario considered is a web based e-market that provides the user with
information on products for sale by collecting and comparing the prices of the set of
products specified by the user. The information needs to be collected in real time for time sensitive
applications such as the stock market, online shopping, etc. from different hosts H1, H2 … Hn selected
dynamically by a freely roaming mobile agent over the network. Therefore the originator is assumed to be
always connected to the network to collect the results. A host that has turned hostile may block the mobile
agent for its own interest. The following section describes the solution proposed to protect the execution of the
mobile agent in the implementation scenario against blocking attacks.
Fig. 1: Mobile agent executions on different hosts
In the proposed solution, an agent is originally launched by the originator O*. Fig. 1 shows
the general operation of a mobile agent that returns to the originator after the expiry of its lifetime. Various
implementation schemes are possible. One of them is sending timely
acknowledgements, as shown in Fig. 2.
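[Fig. 1 diagram: Originator O* -> Host 1 -> Host 2 -> ... -> Host n-1 -> Host n, in stages S1, S2, ..., N-1, N.
The agent is shown as MA(I0), MA(I0, I1), MA(I0, I1, I2), ..., MA(I0, I1, I2, I3, ..., IN-1) between successive
hosts and as rMA(I0, I1, I2, I3, ..., IN) at the originator; the whole run is labelled LTMA.]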
Fig. 2: Mobile agent execution with acknowledgement by each host
The host Hi+1, having received the mobile agent, is required to send the acknowledgement ACK(Hi+1) to
the host Hi, conveying that the mobile agent has been successfully forwarded to the next host, i.e. Hi+2,
after its successful operation on Hi+1. Another implementation uses the fault tolerant time as a
parameter. FTMA is predefined depending on the network's transmission time and on the time sensitivity
of the application.
Fig. 3: Mobile agent execution scenario, with agent custody at host 4
If the fault tolerant time expires and no acknowledgement has been received from Hi+1, then
Hi sends the set of information collected so far back to the originator in the form of pMA. If the
agent lifetime expires and the partial results received by the originator do not prove sufficient, then the
originator has the option of re-launching the mobile agent. The scenario in which the hostile agent
captures the mobile agent results in a timeout of the fault tolerance time, and thus in pMA being
sent back to the originator by the host preceding the hostile host, as shown in Fig. 3. The mobile agent
was captured at host 4. Host 3 waits for the duration FTMA. As no ACK is received, it sends its
partial results back to the originator. Thus the owner has all the information collected by the
mobile agent before it was captured by the hostile host. To further strengthen the above scheme, the
concept of sending the partial results back to the originator after a pre-decided number of visited hosts is
used. After information has been collected from n hosts, the host where the agent is currently
residing should send an acknowledgement to the originator as ACK(Hi), helping the originator to
periodically track the mobile agent, as shown in Fig. 4.
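[Fig. 2 diagram: Originator O* -> Host 1 -> Host 2 -> ... -> Host n-1 -> Host N, in stages S1, S2, ..., N-1, N.
The agent is shown as MA(I0), MA(I0, I1), MA(I0, I1, I2), ..., MA(I0, I1, I2, I3, ..., IN-1) with
acknowledgements ACK(H1), ACK(H2), ..., ACK(HN-1), ACK(HN), and as rMA(I0, I1, I2, I3, ..., IN) at the
originator; the whole run is labelled LTMA.]
[Fig. 3 diagram: Originator O* -> Host 1 -> Host 2 -> Host 3 -> Host 4, in stages S1, S2, 3, 4.
The agent is shown as MA(I0), MA(I0, I1), MA(I0, I1, I2), MA(I0, I1, I2, I3) with acknowledgements ACK(H1),
ACK(H2), ACK(H3); pMA(I0, I1, I2, I3) is labelled with FTMA, and the whole run is labelled LTMA.]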
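The hop-by-hop ACK, the FTMA timeout that triggers pMA, and the tracking ACK sent to the originator every n visited hosts can be traced with a small simulation. This is an added example, not the paper's Aglets implementation; the host names, prices, service times and function names are constructed, and time is modelled as a per-host service time compared against FTMA rather than with real timers.

```python
from dataclasses import dataclass, field


@dataclass
class Originator:
    acks: list = field(default_factory=list)      # hosts that sent a tracking ACK(Hi)
    partials: list = field(default_factory=list)  # (sending host, pMA contents)
    result: dict = None                           # rMA contents if the agent returns


def run_itinerary(itinerary, ftma, n_track, hostile=()):
    """Walk the agent through `itinerary`, a list of (host, info, service_time).

    service_time (assumed model) is how long a host takes to execute the
    agent, forward it and ACK its predecessor. A host in `hostile` accepts
    the agent and then blocks it: no ACK and no forwarding.
    """
    origin = Originator()
    collected = {"O*": "I0"}            # MA(I0) as launched by the originator
    prev_host, prev_snapshot = None, None

    for visited, (host, info, service_time) in enumerate(itinerary, start=1):
        captured = host in hostile
        # Predecessor Hi waits at most FTMA for ACK(Hi+1); on expiry it
        # returns what the agent held when it left Hi, as pMA.
        if prev_host is not None and (captured or service_time > ftma):
            origin.partials.append((prev_host, dict(prev_snapshot)))
        if captured:
            return origin               # agent is blocked at this host
        collected[host] = info
        # After every n_track visited hosts the current host sends ACK(Hi)
        # to the originator so the agent can be tracked.
        if visited % n_track == 0:
            origin.acks.append(host)
        prev_host, prev_snapshot = host, dict(collected)

    origin.result = dict(collected)     # rMA comes home
    return origin


def recovered(origin):
    """Information the originator holds when the run ends."""
    if origin.result is not None:
        return origin.result
    # Otherwise the most complete pMA received, or only its own I0.
    return max((p for _, p in origin.partials), key=len, default={"O*": "I0"})


# Constructed e-market itinerary: (host, quoted price, service time).
SHOPS = [("H1", 105, 2), ("H2", 99, 2), ("H3", 101, 2), ("H4", 97, 2), ("H5", 103, 2)]

if __name__ == "__main__":
    blocked = run_itinerary(SHOPS, ftma=5, n_track=2, hostile={"H4"})
    print("tracking ACKs:", blocked.acks)
    print("pMA received :", blocked.partials)
    print("recovered    :", recovered(blocked))
```

With H4 hostile, the originator ends up with the pMA from H3, matching the Fig. 3 scenario. Passing a service time larger than `ftma` for an honest host shows the other edge: the predecessor sends a pMA even though the agent is still moving, which is harmless only because the agent's operations are assumed idempotent.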
Fig. 4: Mobile agent execution with n=2 scenario
Consider the scenario in which the agent has been captured by the hostile host Hk. For example, in the
execution of a mobile agent with n = 3, when the number of visited hosts reaches 3, an
acknowledgement is sent to the originator. The FTMA is also used as a check to send the
acknowledgement to the originator. But if the agent is captured when neither the fault tolerance time nor
the lifetime of the agent has expired, the originator does not do anything until one of them expires.
At expiry of either of the time, the originator sends a PROBE(Hj) to the host Hj (Hj (j
With security and fault tolerance taken care of, the above approach may be efficient in handling
time sensitive applications where information acquired by the mobile agent may lose value over time
(e.g. the stock market). Thus periodic retrieval of results may prove useful along with protecting
agents against blocking attacks. If the user wishes to change the preferences during the execution of the
mobile agent, the originator may launch another mobile agent with renewed preferences.
The timing of sending back partial information or results can be based on either of the two parameters
discussed above, and the user decides on new preferences based on the received partial results. The
originator may send an updated mobile agent pMA containing the new preferences to the host Hi (Hi
being the host from which the acknowledgement was last received). Thus the user has the ability to
change the preferences and criteria gradually, based on the information collected by the agent and the user's
own preferences.
IV. IMPLEMENTATION AND PERFORMANCE STUDY
The proposed system of multiple agents performing in collaboration in a group has been implemented
on IBM Aglets over a network of systems, each with 1 GB RAM and a 3.2 GHz processor,
connected by 10/100 Mbps Ethernet. Aglets is a Java based graphical interface for developing
distributed multi-agent systems. The hosts need not all have the same configuration, but each host must have
the Aglets platform installed. To gauge the performance of the implemented scheme, we intentionally
made some host(s) behave maliciously so that the agent was captured during its execution. The ability of
the approach to protect the agent from attacks was then revealed.
An agent moves from one node to another by sending a message between these nodes. In this
experiment, we look at the behavior of hosts. The experiment examined the cost of sending
acknowledgements and partial results in the case where host speeds are uniform. We are interested in how
n, i.e. the number of hosts visited prior to sending an acknowledgement or partial results, affects the
communication overhead. The communication cost here is the time (in ms) needed to send a message to
a processor and to receive a reply message from the processor.
As shown in Fig. 6, it was found that the communication overhead decreased with an increase in n. Blocking
attacks may be considerably prevented by deciding upon an optimal value of n. The deciding
factor for n could be the network performance and speed. If the probability of encountering a malicious
host is high, then an optimal value of n ensures that partial or complete results reach
the originator, thereby preventing complete loss of the information or results collected.
Fig. 6: Communication overhead with variation in number of hosts visited prior to sending back
acknowledgement (n).
[Plot: y-axis Communication Overhead (bytes), x-axis Number of Hosts; series n=2, n=3, n=4.]
Fig. 7 shows the comparison of the execution time of the mobile agent carrying partial results back to the
originator. As the updating cost is a function of the acknowledging frequency, we compare the execution time
of the mobile agent containing the rescued data by gauging the performance of an agent that acknowledged
after visiting every 2, 3 and 4 hosts. Deciding upon a small n may cause an increase in message
size, resulting in higher execution time, but for time sensitive real time applications the overhead may be
bearable. Returning partial results to the originator assures that the originator has the latest results
even if the agent is captured by a malicious host. Thus the possibility of the originator losing
all information is considerably lowered.
Fig. 7: Comparison of execution time of mobile agent with partial results
V. CONCLUSION
In this paper, a platform independent non-blocking mechanism for fault tolerance has been proposed and
integrated into e-service applications for prevention against attacks in various Internet applications.
The presented system of sending acknowledgements makes mobile agent tracking possible for the
originator of the mobile agent in case of a blocking attack by a malicious host. In addition, sending back
partial results after some predefined fault tolerant time and after having visited a predefined number of
hosts provides protection against complete loss of information due to blocking attacks. Implementation
and experimental studies prove that with balanced acknowledging frequencies and message overhead,
the probability of complete loss of the mobile agent due to agent capture by a malicious host in the network
is significantly reduced. This would make mobile agents better suited for time sensitive
e-service applications, along with providing protection against possible faults. As part of future work
we propose comparative experimental studies of the proposed mechanism against other
existing mechanisms.
REFERENCES
[1] Nwana, H. S. (1996) Software Agents: An Overview, Knowledge Engineering Review, Vol. 11, No. 3,
pp. 1-40, Cambridge University Press.
[2] Lange, D.B. and Oshima, M. (1999) Seven Good Reasons for Mobile Agents, Communications of
the ACM, vol. 42, No. 3, pp. 88-89.
[3] Silva, M.A. and Macêdo, R. J. A. (2000) Reliability Requirements in Mobile Agent Systems, Second
Workshop on Tests and Fault-Tolerance (II WTF2000), Curitiba, Brazil.
[Fig. 7 plot: y-axis Time (ms), x-axis Number of agents visited; series n=2, n=3, n=4.]
[4] Schoeman, M. and Cloete, E. (2003) Architectural components for the efficient design of mobile
agent systems, ACM 2003 annual Research Conference of the South African Institute of Computer
Scientists and Information Technologists on Enablement through Technology, pp. 48-58, South Africa.
[5] Stratter, M. and Rothermel, K. (1998) Reliability Concepts for Mobile Agents, International Journal
of Cooperative Information Systems 7(4), pp. 355-382.
[6] Manvi, S.S. and Venkataram, P. (2004) Applications of agent technology in communications: a
review, Springer Computer Communication, 2004, pp. 1493-1508.
[7] Qu, W., Shen, H. and Defago, X. (2005) A survey of mobile agent-based fault-tolerant technology,
Proceedings of Sixth IEEE International Conference on Parallel and Distributed Computing
Applications and Technologies, pp. 446-450.
[8] Yang, J., Cao, J. and Wu, W. (2006) CIC: An integrated approach to checkpointing in mobile agent
systems, Proceedings of the Second IEEE International Conference on Semantics, Knowledge and
Grid.
[9] Elnozahy, E. N. M., Alvisi, L., Wang, Y. and Johnson, D. B. (2002) A survey of rollback-recovery
protocols in message-passing systems, ACM Computing Surveys, Vol. 34, Nr. 3, 2002, pp. 375-408.
[10] Pleisch, S. and Schiper, A. (2003) S-A Fault-Tolerant Mobile Agent System Based on the Agent-
Dependent Approach, Proceedings of the IEEE International Conference on Dependable Systems and
Networks, pp. 215-224.
[11] Gray, J. and Reuter, A. (1993) Transaction Processing: Concepts and Techniques, The Morgan
Kaufmann Series in Data Management Systems.
[12] Unrh, A., Harjadi, H. and Bailey, J. (2008) Semantic-compensation-based recovery in multi-agent
systems, 2nd symposium on Multi-agent Security and Survivability, pp. 85-94.
[13] Vogler, H., Hunklemann, T. and Moschgath, M. (1997) An approach for mobile agent security and
fault tolerance using distributed transactions, International Conference on Parallel and Distributed
Systems (ICPADS'97), Seoul, pp. 268-274.
[14] Simon, P., Jie, X. and Cornelia, B. (2009) Mobile agent fault tolerance for information retrieval
applications: an exception handling approach, Proceedings of the Sixth International Symposium on
Autonomous Decentralized Systems (ISADS'03), pp. 115-122.