IJTC201510009-Prevention of Attacks on Mobile Agents Based E-Service Applications

Embed Size (px)

Citation preview

  • 8/17/2019 IJTC201510009-Prevention of Attacks on Mobile Agents Based E-Service Applications

    1/9

     

    INTERNATIONAL JOURNAL OF TECHNOLOGY AND COMPUTING (IJTC) ISSN-2455-099X,

    Volume 1, Issue 1, OCTOBER 2015

    1

    PREVENTION OF ATTACKS ON MOBILE AGENTS BASED

    E-SERVICE APPLICATIONS

    Yogvinder Singh

    Senior Software Engineer,

    Location Labs,5980 Horton Street, Suit 675 Emeryvile CA 94608 , USA

    [email protected]

    ABSTRACT

    In recent years many researchers are incorporating the mobile agents in e-service applications especially in e-

    learning and e-commerce to improve the network latency and to reduce the network traffic. On the other side, the

    security issues degrade the mobile agent usage. The main intention of the attacker is to kill or modify the behavior

    of the agent in the middle of the journey to degrade the trustiness of the agent environment. In this paper, we

     propose fault tolerance mechanism for preventing the agent blocking in scenarios where the agent is captured by

    malicious host in the network. This approach makes use of acknowledgements and partial result retrieval andwhen implemented in mobile agent platform allows the originator to retrieve partial results and track the location

    of mobile agent at any time during the process of transaction execution. During the recovery of the mobile agent

    all the components (agent code, itinerary, credential information, collected information and state) are able to

    recover. The proposed mechanism is capable of improving fault tolerant time, reliability and performance,

    especially for mobile agents in e-commerce Internet applications.

     Keywords: Mobile agents, Fault tolerance, e-services, Agent Recovery, Blocking, Acknowledgements.

    I. INTRODUCTION

    In the growth of the Internet many network related technologies are examined for possible growth andevolution. In this motive, mobile agent technology is introduced in the distributed systems in the line of

    Message passing systems, Remote Procedure Call (RPC) and distributed object systems. The main

    distinction being that in message passing systems, RPC and RMI, the functions and objects are pre-defined and lack the flexibility for customization. A mobile agent (Nwana,1996) is a piece of program

    code that can execute autonomously without the supervision of owner. Mobile agents are capable of

    interacting and learning from their environment and can react accordingly. The mobile agent performsits job whenever it is found appropriate and it is not restricted to be collocated with its client. Mobility

    (Lange, Oshima 1999) allows an agent to move to remote location and continue its thread of execution

    on a remote host machine. Mobile agents are particularly attractive for designing distributed anddecentralized applications (Schoeman, Cloete 2003) as they can reduce the processing time and network

     bandwidth usage by moving the code closer to the data located on a remote host. They are sent by

    owners and they visit a series of hosts. The mobile agents are executed locally on these hosts to perform

    their tasks and will return to the owners with their results. Mobile agent carries the application code withthem from the client to the server instead of transferring the data between a client and a server. Since the

    size of code is often less than the amount of data interchanged between the client and the server, mobile

    agent system provides considerable improvement in performance over client-server communication.

    Hence the use of mobile agents is expanding rapidly in many Internet applications as described byManvi, Venkataram(2004).

    mailto:[email protected]:[email protected]

  • 8/17/2019 IJTC201510009-Prevention of Attacks on Mobile Agents Based E-Service Applications

    2/9

     

    INTERNATIONAL JOURNAL OF TECHNOLOGY AND COMPUTING (IJTC) ISSN-2455-099X,

    Volume 1, Issue 1, OCTOBER 2015

    2

    Communication over the Internet is not reliable. Hosts connected via the Internet constantly fail and

    recover. The communications links go down any time. Due to high communication loads, link failure

    and the software bugs, transient communications and node failures are common in the Internet.Therefore reliability is an important issue for Internet application (Silva and Macêdo 2000). Failure in

    mobile agent may lead to partial or complete loss of an agent. The following undesirable scenario may

    occur when mobile agents are sent from one host to another:

    •  An agent travels from one host to another, it never reaches its destination due to crashes or because it

    is terminated by a malicious host or agent. This is an agent failure.

    •  The host platform on which an agent resides crashes or shuts down unexpectedly, due to failure.

    Many agents on the hosts may be inactive but in waiting state due to unavailability of external events. If

    more agents migrate through this host, it may run out of memory. This is an agent host failure.

    •  Destination node fails or there is a failure in communication link.

    For the continuous or free roaming mobile agent it is a serious issue because agent at the nth host willhave the information of the preceding n-1 hosts (Stratter, Rothermel, 1998). If the nth host (malicious)

    killed the agent or the nth host (genuine) failed after receiving the agent then it is difficult to get the dataagain. Also the owner does not know about the dead stage of the agent. That is the owner is not able toknow anything whether the agent is alive or not. This is the serious issue for the e-service applications

    especially for e-learning and e-commerce.

    In an example scenario of e-learning environment the mobile agent (continuous or free roaming mobileagent) may be dispatched to collect the information like class schedule, internal marks, project details,

    etc. on behalf of the learner. Every tutor has their own server with the details of the students in that someinformation may be secret. Consider, learner initiate his agent to collect the information from the n

    number of tutors for his internal marks. Agent in the middle (say 3rd tutor server of 5 tutor servers) of

    the itinerary is killed by some malicious or the agent currently residing server may fail due to some

    reasons. In this context, the learner will wait for the agent for some time and again he will create a newagent and send until the agent back to him. Sometimes learner is not able to get the result from the tutor

    servers because of malicious host in the middle of the journey. This will make the people avoid themobile agent based e-learning environment even though it has a number of advantages. To solve such

     problem of capturing of agents by malicious hosts leading to subsequent data loss in e-services, this

     paper proposes an agent platform independent mechanism using timely acknowledgement and partial

    result method to recover when the mobile agent when the agent is killed or currently residing in agentserver failed.

    The rest of paper is organized as follows. Section 2 discusses the related work, section 3 describes the proposed non-blocking approach deployed for prevention of agents by use of acknowledgements and

    returning back of partial results back to the originator in scenario when the agent is captured bymalicious or hostile host. This is followed by experimental evaluation in Section 4 and conclusions inSection 5.

  • 8/17/2019 IJTC201510009-Prevention of Attacks on Mobile Agents Based E-Service Applications

    3/9

     

    INTERNATIONAL JOURNAL OF TECHNOLOGY AND COMPUTING (IJTC) ISSN-2455-099X,

    Volume 1, Issue 1, OCTOBER 2015

    3

    II. RELATED WORK

    As mobile agent systems scale up, their failure rate may also be higher. Several techniques have been

     proposed for providing fault tolerance in mobile-agent systems (Qu et al., 2005) which broadly fallunder two basic categories i.e. replication and checkpointing. Checkpointing is one of the widely used

    fault tolerance techniques and can be classified into synchronous, asynchronous and quasi-synchronous

    algorithms (Yang et al. 2006). For recovery an agent needs to rollback to its consistent state. Message

    logging for rollback recovery require that each agent periodically saves its local state and logs its everymessage sent and received. Message logging protocols are classified into pessimistic, optimistic and

    causal (Elnozahy et al. 2002). Replication schemes as discussed in (Pleisch, Schiper, 2001) mainly rely

    on replicated servers or agents to mask the failures. Pair processing (Gray and Reuter 1993) is a famoustechnique for improving process reliability. It is a collection of two processes which provide a service.

    One is considered as the primary and another one is considered as the shadow. If the primary gets any

    changes, then shadow also got the changes. If the primary fails, then the shadow will take over. The two primary and shadow processes ping each other to determine that each is still alive. Unrh et al. (2005)

    also apply this pair process model into his Semantic-Compensation-Based Recovery model. However,

    this pair process is not applicable for colluded attacks. Vogler et al. (1997) propose that a mobile agentinject a replica into a stable storage upon arriving at an agent server. However, in the event of agent

    server crash, the replica remains unavailable for an unknown period.Simon et al. (2003) proposes the mobile shadow scheme which includes the pair of replica mobileagents, master and shadow, to survive remote agent server crashes. The master is created by its home

    agent server Hand it is responsible for executing a task T at a sequence of hosts described by its

    itinerary. Initially the master spawns a shadow home at its homeagent server before it migrates andexecutes at the first agent server in its itinerary, i.e. AGi. Before the master migrates to the next host in

    the itinerary, i.e. AGi+1, it spawns a clone or shadow i and sends a die message to shadowhome. The

    shadow i repeatedly pings agent server AGi+1 until it receives a die message from its master.

    • Shadow: A shadow or clone in the preceding sever will terminate when it receives a die message from

    its master. This signifies the master has completed execution at AGi+1 and spawned a new cloneshadow i+1 to monitor agent server AGi+2. However, assume the master is lost due to an agent server

    crash at AGi+1. In this case shadow i at AGi detects the crash of its master, spawns a new clone shadow

    i and proceeds to visit agent server AGi+2. Consequently shadow i is the new master.

    • Master: A master pings its shadow at AGi-1 concurrently with the execution of task t. In the normalcase the master completes its execution and spawns a new clone shadow to monitor the next host,

    AGi+1. Before the master migrates, it will send a die message to terminate the shadow at AGi-1. If the

    master detects a shadow crash it spawns and dispatches a replacement shadow to the preceding activeagent server. Before the master migrates to the next host in its itinerary it sends a die message to

    terminate the replacement shadow.

    The major drawback of this scheme is the timeout overhead and mobile shadow overhead. The timeout

    overhead represents the re-sending of the agent and the mobile shadow overhead represents the time for

     pinging the shadow with the master running in the remote agent server. Despite from this issue, it isconcentrating on the agent server crash (i.e., if an agent server crashes, then the agent will automatically

    crash) not only the agent crash and also this schemes is not applicable to recover the agent from thecolluded attacks. In the colluded attacks, more than one can combined to crash the agent that may be the

     preceding host and the current host. This all will be solved by the proposed approach of sending timely

    acknowledgements and partial results focusing on reliably returning the information collected by the

    mobile agent back to the originator even in the scenario of the mobile agent being captured by themalicious host(s).

  • 8/17/2019 IJTC201510009-Prevention of Attacks on Mobile Agents Based E-Service Applications

    4/9

     

    INTERNATIONAL JOURNAL OF TECHNOLOGY AND COMPUTING (IJTC) ISSN-2455-099X,

    Volume 1, Issue 1, OCTOBER 2015

    4

    III. METHODOLOGY

    PROPOSED SCHEME FOR ACHIEVING NON BLOCKING PROPERTY

    The main aim is to ensure that the originator of the mobile agent at any point of time would have the

    information regarding the state of mobile agent, its partial results along with the ability to upgrade the preferences the mobile agent is carrying. The primary consideration is handling the scenario where the

    hosts first obtains authentication but then after having obtained the authority for mobile agent execution, begins to behave maliciously. The hosts that turned hostile pose the danger of blocking the mobile agent

    and halt its further movement in the network. It is assumed that the agent’s operations are idempotentthus overriding exactly once requirement and non blocking is primary property to be ensured.The notations used in implementing non blocking property in are as follows:

    O*: Originator

    Hi: Hosts visited by host during its movement in the network (1< i < n)

    MA: Mobile agent originally launched.MAi: Mobile Agent with new / changed preferences.

     pMA: Mobile Agent Carrying partial Results.

    LTMA: Life Time of Mobile Agent.

    Ii: Information collected from host i.FTMA: Fault Tolerant Time

    ACK(Hi): Acknowledgement from host Hi

    The implementation scenario considered is the web based e-market that provides user with the

    information on the products for sale by collecting the prices and comparing the prices of the set of product specified by the user. The information needs to be collected in real time for time sensitive

    applications such as stock market, online shopping, etc. from different hosts H1,H2…Hn selected

    dynamically by freely roaming mobile agent over the network. Therefore the originator is assumed to be

    always connected to the network to collect the results. The hostile turned host may block the mobileagent for its own interest. The following section describes the solution proposed to prevent execution of

    Mobile Agent on the implementation scenario against blocking attacks.

    Fig. 1: Mobile agent executions on different hosts

    Implementing the proposed solution, an agent is originally launched by the originator O*. Fig. 1 showsthe general operation of a mobile agent that returns to the originator after the expiry of its lifetime. Thevarious implementations schemes can be possibly used. One of them is sending timely

    acknowledgements as shown in Fig. 2.

    rMA(I0, I1,I2,I3…..I N))

    LTMA 

    MA(I0) MA(I0, I1) MA(I0, I1,I2) MA(I0, I1,I2I3..IN-1))

    STAGE S1 STAGE S2 ………….……. . STAGE N-1 STAGE N

    Originator O* Host1 Host2 Host n-1  Host n

  • 8/17/2019 IJTC201510009-Prevention of Attacks on Mobile Agents Based E-Service Applications

    5/9

     

    INTERNATIONAL JOURNAL OF TECHNOLOGY AND COMPUTING (IJTC) ISSN-2455-099X,

    Volume 1, Issue 1, OCTOBER 2015

    5

    Fig. 2: Mobile agent execution with acknowledgement by each host

    The host Hi+1 having received the mobile agent is required to send the acknowledgement ACK(Hi+1) to

    the host Hi, conveying that the mobile agent has been successfully forwarded to the next host i.e. H i+2after its successful operation on Hi+1. Another implementation is by use of fault tolerant time as

     parameter. FTMA is predefined depending on the networks transmission time and on the time sensitivity

    of the application.

    Fig. 3: Mobile agent execution scenario, with agent custody at host 4

    If the expiry of the fault tolerant time occurs and there is no acknowledgement received from H i+1, then

    the Hi would send the collected set of information till now back to the Originator in form of pMA. If the

    agent lifetime expires and the partial results received by the originator, doesn’t prove sufficient, then theoriginator has the option of re-launching the mobile agent. The scenario in which the hostile agent

    captures the mobile agent would result in time out of fault tolerance time thus resulting in pMA being

    sent back to the originator by the preceding host of the hostile host is shown in Fig. 3 .  The mobile agent

    was captured at the host 4. The host 3 waits for duration FTMA. As no ACK is received, its sends its partial results back to the originator. Thus the owner would have all the information collected by themobile agent before being captured by the hostile host. Further strengthening the above scheme, the

    concept of sending the partial results back to originator after a pre decided number of visited hosts is

    used. After having collected information from n number of hosts, a host where the agent is currentlyresiding should send an acknowledgement to the originator as ACK(Hi) helping the originator to

     periodically track the mobile agent, as shown in Fig. 4.

    rMA(I0, I1,I2,I3…..I N))

    LTMA 

    MA(I0) MA(I0, I1) MA(I0, I1,I2) MA(I0, I1,I2I3..IN-1))

    STAGE S1 STAGE S2 ………….…… .STAGE N-1 STAGE N

    Originato r O* Host1 Host2  Host n-1  Host  N 

    ACK(H1) ACK(H2) ……ACK(H N-1)) ACK(H N)

     pMA(I0, I1,I2,I3) FTMA 

    MA(I0) MA(I0, I1) MA(I0, I1,I2) MA(I0, I1,I2I3)

    STAGE S1 STAGE S2 STAGE 3 STAGE 4

    ACK(H1) ACK(H2) ACK(H3)

    LTMA 

    Originato r O* Host1  Host2 Host 3 Host 4 

  • 8/17/2019 IJTC201510009-Prevention of Attacks on Mobile Agents Based E-Service Applications

    6/9

     

    INTERNATIONAL JOURNAL OF TECHNOLOGY AND COMPUTING (IJTC) ISSN-2455-099X,

    Volume 1, Issue 1, OCTOBER 2015

    6

    Considering the scenario in which the agent has been captured by the hostile host H k . For example in

    execution of mobile agent with the n= 3, the when the number of visited hosts reaches 3, an

    acknowledgement is sent to the originator. The FTMA is also used as a check to send the

    Fig. 4: Mobile agent execution with n=2 scenario

    acknowledgement to the originator. But if the agent is captured when neither the fault tolerance time northe life time of the agent has expired, the originator wouldn’t do anything till any one of them expires.

    At expiry of either of the time, the originator sends a PROBE(Hj) to the host Hj (Hj (j

  • 8/17/2019 IJTC201510009-Prevention of Attacks on Mobile Agents Based E-Service Applications

    7/9

     

    INTERNATIONAL JOURNAL OF TECHNOLOGY AND COMPUTING (IJTC) ISSN-2455-099X,

    Volume 1, Issue 1, OCTOBER 2015

    7

    The security and fault tolerance been taken care of, the above approach may be efficient in handling

    time sensitive applications where information acquired by the mobile agent may loose value over time

    (for e.g. stock market). Thus time to time retrieval of results may prove useful along with protectingagents against blocking attacks. If during the execution of the mobile agent, the user wishes to make

    changes in the preferences, the originator may launch another mobile agent with renewed preferences.

    The timing of sending back partial information or results could be based on any of the two parametersdiscussed above, the user decides on new preferences based on the received partial results. The

    originator may send an updated mobile agent pMA containing the new preferences to the Host Hi (Hi

     being the host from which the acknowledgement was last received). Thus the user has the ability of

    changing the preferences and criteria gradually based on information collected by agent and user’s own preferences.

    IV. IMPLEMENTATION AND PERFORMANCE STUDY

    The proposed system of multiple agents performing in collaboration in a group has been implemented

    on IBM Aglets over a network of systems with configuration of 1 GB RAM and 3.2 GHz processorconnected be 10/100 MBPS Ethernet. Aglets is a java based graphical interface for developing the

    distributed multi-agent systems. All hosts need not have same configuration and but must have installedAglets platform on each host. For gauging the performance of the implemented scheme we intentionally

    made some host(s) behave as malicious and got the agent captured during its execution. The ability of

    the approach to prevent the agent from attacks was then revealed.

    An agent moves from one node to another by sending a message between these nodes. In this

    experiment, we look at the behavior for hosts. This experiment examined the cost of sendingacknowledgements and partial results in the case that host speeds are uniform. We are interested in how

    n  i.e the number of hosts visited prior to sending acknowledgement or partial results, effect the

    communication overhead. The communication cost here is the time (in ms) needed to send a message toa processor and to receive a reply message from the processor.

    As shown in Fig. 6, it was found that the communication overhead decreased with increase in n. The blocking attacks may be considerable prevented by deciding upon an optimal value of n. The deciding

    factor for n could be the network performance and speed. If the probability of encountering a malicious

    host is high then it is seen that the optimal number of n ensures that partial or complete results reach back to the originator thereby preventing complete loss of information or results collected.

    Fig. 6: Communication overhead with variation in number of hosts visited prior to sending back

    acknowledgement (n ).

    0

    500

    1000

    1500

    2000

    2500

    4 6 8 10 12 14

       C   o   m   m   u   n   i   c   a   t   i   o   n

       O   v   e   r   h   e   a   (   b   y   t   s   )

    Number of Hosts

    n=2 n=3 n=4

  • 8/17/2019 IJTC201510009-Prevention of Attacks on Mobile Agents Based E-Service Applications

    8/9

     

    INTERNATIONAL JOURNAL OF TECHNOLOGY AND COMPUTING (IJTC) ISSN-2455-099X,

    Volume 1, Issue 1, OCTOBER 2015

    8

    Fig.7 shows the comparison of execution time of mobile agent carrying partial results back to the

    originator. As the updating cost is function of acknowledging frequency, we compare the execution time

    of mobile agent containing the rescued data by gauging the performance of an agent that acknowledgedafter visiting every 2, 3 and 4 hosts. Deciding upon a small number of n may cause increase in message

    size resulting in higher execution time but for time sensitive real time applications the overhead may be

     bearable. The returning of partial results to the originator assures that the originator has the latest results

    even in case of the agent being captured by the malicious host. Thus the possibility of originator losingall information is considerably lowered. 

    Fig. 7: Comparison of execution time of mobile agent with partial results

    V. CONCLUSION

    In this paper, we proposed platform independent non blocking mechanism for fault tolerance has beenintegrated into e-services applications for prevention against attacks in various Internet applications.

    This presented system of sending acknowledgements makes mobile agent tracking possible for the

    originator of the mobile agent in case of blocking attack by malicious host. In addition sending back of partial results after some predefined fault tolerant time and after having visited a predefined number of

    hosts provide protection against complete loss of information due to blocking attacks. Implementation

    and experimental studies prove that with balanced acknowledging frequencies and message overhead,the probability of complete loss of mobile agent due to agent capturing by malicious host in the network,

    is significantly reduced. This would make the mobile agents to be better suited for time sensitive e-

    services applications along with providing protection against possible faults. As a part of future work

    we propose comparative experimental studies for implementation of proposed mechanism with otherexisting mechanisms.

    REFERENCES

    [1] Nwana, H. S. (1996) Software Agents: An Overview, Knowledge Engineering Review, Vol. 11, No.3, pp.1 - 40, Cambridge University Pre.

    [2] Lange, D.B. and Oshima, M. (1999) Seven Good Reasons for Mobile Agents, Communications of

    the ACM, vol. 42, No. 3, pp. 88-89.

    [3] Silva, M.A. and Macêdo, R. J. A. (2000) Reliability Requirements in Mobile Agent Systems, SecondWorkshop on Tests and Fault-Tolerance (II WTF2000), Curitiba, Brazil.

    0

    100

    200

    300

    400

    500

    600

    700

    5 10 15 20 25 30 35

         T     i    m    e      (    m    s      )

    Number of agents visited

    n=2 n=3 n=4

  • 8/17/2019 IJTC201510009-Prevention of Attacks on Mobile Agents Based E-Service Applications

    9/9

     

    INTERNATIONAL JOURNAL OF TECHNOLOGY AND COMPUTING (IJTC) ISSN-2455-099X,

    Volume 1, Issue 1, OCTOBER 2015

    9

    [4] Schoeman, M. and Cloete, E. (2003) Architectural components for the efficient design of mobile

    agent systems, ACM 2003 annual Research Conference of the South African Institute of Computer

    Scientists and Information Technologists on Enablement through Technology , pp. 48-58, South Africa.

    [5] Stratter, M. and Rothermel, K. (1998) Reliability Concrpts for Mobile Agents, International Journal

    of Cooperative Information Systems 7(4) pp. 355-382.

    [6] Manvi, S.S. and Venkataram, P. (2004) Applications of agent technology in communications: a

    review, Springer Computer Communication, 2004, pp. 1493-1508.

    [7] Qu, W. , Shen, H. and Defago, X. (2005) A survey of mobile agent-based fault-tolerant technology,

    Proceedings of Sixth IEEE International Conference on Parallel and Distributed Computing

    Applications and Technologies,, pp. 446-450.

    [8] Yang, J., Cao, J. and W. Wu, (2006) CIC: An integrated approach to checkpointing in mobile agent

    systems”, Proceedings of the Second IEEE International Conference on Semantics, Knowledge and

    Grid.

    [9] Elnozahy, E. N. M, Alvisi, L. , Wang, Y. and Johnson, D. B. (2002), A survey of rollback-recovery protocols in message-passing systems, ACM Computing Surveys, Vol. 34, Nr. 3, 2002, pp. 375-408.

    [10] Pleisch, S. and Schiper, A. (2003) S-A Fault-Tolerant Mobile Agent System Based on the Agent-

    Dependent Approach”, Proceedings of the IEEE International Conference on Dependable Systems and

     Networks, pp. 215-224.

    [11] Gray, J. and Reuter, A. (1993) Transaction Processing: Concepts and Techniques, The MorganKaufmann Series in Data Management Systems.

    [12] Unrh, A., Harjadi, H. and Bailey,J. (2008) Semantic-compensation-based recovery in multi-agent

    systems, 2nd symposium on Multi-agent Security and Survivability, pp. 85 – 94.

    [13] Vogler, H. , Hunklemann, T. and Moschgath, M.(1997) An approach for mobile agent security andfault tolerance using distributed transactions, International Conference on Parallel and Distributed

    Systems (ICPADS'97), Seoul,pp. 268 – 274.

    [14] Simon, P., Jie, X. and Cornelia, B. (2009) Mobile agent fault tolerance for information retrievalapplications: an exception handling approach, Proceedings of the Sixth International Symposium on

    Autonomous Decentralized Systems (ISADS'03), pp. 115 – 122.