
ISA2008


  1. 1. IADIS INTERNATIONAL CONFERENCE INTELLIGENT SYSTEMS AND AGENTS 2008 part of the IADIS MULTI CONFERENCE ON COMPUTER SCIENCE AND INFORMATION SYSTEMS 2008
  3. 3. iii PROCEEDINGS OF THE IADIS INTERNATIONAL CONFERENCE INTELLIGENT SYSTEMS AND AGENTS 2008 part of the IADIS MULTI CONFERENCE ON COMPUTER SCIENCE AND INFORMATION SYSTEMS 2008 Amsterdam, The Netherlands JULY 22 - 24, 2008 Organised by IADIS International Association for Development of the Information Society
  4. 4. iv Copyright 2008 IADIS Press All rights reserved This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Permission for use must always be obtained from IADIS Press. Please contact secretariat@iadis.org Intelligent Systems and Agents Volume Editor: António Palma dos Reis Computer Science and Information Systems Series Editors: Piet Kommers, Pedro Isaías and Nian-Shing Chen Associate Editors: Luís Rodrigues and Patrícia Barbosa ISBN: 978-972-8924-60-7
  5. 5. v TABLE OF CONTENTS FOREWORD ix PROGRAM COMMITTEE xiii KEYNOTE LECTURES xvii FULL PAPERS ANOMALIES DETECTION ON FIREWALLS USING THE MOBILE AGENTS APPROACH Fakher Ben Ftima, Kamel Karoui and Henda Ben Ghezala 3 USING HONEY-AGENTS FOR ESTABLISHING TRUST IN MOBILE-AGENTS E-COMMERCE APPLICATIONS Sandhya Armoogum and Nawaz Mohamudally 12 FRAMEWORK FOR DEFINING AND RUNNING INTEGRATION TESTS OF MULTI AGENT SYSTEMS Khaled Nagi 20 FRAMEWORK FOR AUTOMATED NEGOTIATION: PRELIMINARY REPORT Fernando Lopes, A. Q. Novais and Helder Coelho 29 TOWARDS A DISTRIBUTED COGNITIVE VIEW OF THE AGENT-MEDIATED SEMANTIC WEB Amna Basharat and Gabriella Spinelli 37 A DECLARATIVE PROGRAMMING PARADIGM AND THE DEVELOPMENT OF KNOWLEDGE MINING AGENTS Nittaya Kerdprasop and Kittisak Kerdprasop 45 A NOVEL SEMANTIC APPROACH TO DOCUMENT COLLECTIONS Andrea Addis, Manuela Angioni, Giuliano Armano, Roberto Demontis, Franco Tuveri and Eloisa Vargiu 53 EFFICIENT QUERY PROCESSING OVER SEMANTIC CACHE Munir Ahmad, Muhammad Abdul Qadir, Abdul Razaque and Muhammad Sana Ullah 61 VERT: AN AUTOMATIC SUMMARY EVALUATION SYSTEM Paulo C F de Oliveira, Edson Wilson Torrens, Alexandre Cidral, Sidney Schossland and Evandro Bittencourt 69
  6. 6. vi A HYBRID ALGORITHM FOR THE FUZZY P-MEDIAN PROBLEM J.M. Cadenas , J.V. Carrillo , M.C. Garrido, M.J. Canós , C. Ivorra and V. Liern 77 MODELING MULTIAGENT SYSTEMS USING COLORED PETRI NETS Maryam Nooraee Abadeh and Kamran Zaminifar 85 ARARA: ARTIFACTS AND REQUIREMENTS AWARENESS REINFORCEMENT AGENTS Ester J. C. de Lima, José A. Rodrigues Nt., Geraldo B. Xexéo and Jano M. de Souza 92 OPEN HOLONIC MULTI-AGENT ARCHITECTURE FOR INTELLIGENT TUTORING SYSTEM DEVELOPMENT Egons Lavendelis and Janis Grundspenkis 100 RISKS IN AGENT-SUPPORTED STOCK MARKET TRADING DECISION MAKING Shenghua Liu, Sacha Helfenstein and Pertti Saariluoma 109 FORMING TEAMS WITHIN WIKI Andrew Burrow and Clemens Mayr 117 DISASTER EVACUATION SUPPORT SYSTEM FOR VISITORS Yoshio Nakatani, Daisuke Watanabe and Mie Nakatani 127 OBJECT TRANSPORTATION WITH AN AGENT INSPIRED BY THE INNATE AND ADAPTIVE IMMUNE RESPONSES Fredy Fernando Munoz M., Luis Fernando Nino V. and Gerardo Quintana Lopez 135 THE EFFECT OF GENETIC OPERATIONS ON THE DIVERSITY OF EVOLVABLE NEURAL NETWORKS Hany Sallam, Carlo S. Regazzoni, Ihab Talkhan and Amir Atiya 143 AN AUTOMATIC METHOD TO ASSIGN LOCAL RISK J.L. Castro, M. Navarro, J.M. Sánchez and J.M. Zurita 151 SHORT PAPERS AGENT NEGOTIATION STRATEGY IN THE ELECTRONIC MARKETPLACE Dorin Militaru 161 A MODEL FOR PERSONAL LEARNING AGENTS WITH AN INDUCTIVE LEARNING AGENT-BASED SYSTEM Hammoud Djamila, Sahnoun Zaidi, Kebache Ramzi and Benelmadani Billel 166 ASPECT-BASED MULTIAGENT SYSTEMS OBSERVATION FOR PERFORMANCE EVALUATION Faten Ben Hmida, Wided Lejouad Chaari, and Moncef Tagina 172 DEVELOPING OF AN INTELLIGENT SYSTEM FOR FUELS QUALITY CONTROL AND MONITORING Reinaldo de Jesus da Silva, Sofiane Labidi, Milson Silva Monteiro and Osevaldo da Silva Farias 177
  7. 7. vii CELLULAR PETRI NETS J.M. Maestre and E.F. Camacho 182 TOWARDS AUTONOMIC DEPLOYMENT DECISION MAKING Rico Kusber, Sandra Haseloff and Klaus David 188 IMPLEMENTATION OF THE GENE EXPRESSION PROGRAMMING IN THE GENERATION OF PROGRAM TO CALCULATE THE INTEREST RATE IN UNIFORM PAYMENT SERIES Evandro Bittencourt, Raul Landmann, Paulo César Oliveira, Sidney Schossland and Edson Wilson Torrens 193 EVOLUTION OF ARTIFICIAL NEURAL NETWORKS FOR ROBOT CONTROL USING SPECIATION AND COMPLEXITY MEASURES Thomas Jorgensen and Barry Haynes 198 DESIGNING AN EXPERT SYSTEM OF LIVER DISORDERS BY USING NEURAL NETWORK AND COMPARING IT WITH PARAMETRIC AND NONPARAMETRIC SYSTEM Mehdi Neshat , Mehdi Yaghobi and Mohammad Naghibi 202 REFLECTION PAPER A HYBRID FRAMEWORK TOWARDS THE SOLUTION FOR PEOPLE WITH DISABILITY EFFECTIVELY USING COMPUTER KEYBOARD Karim Ouazzane, Jun Li and Marielle Brouwer 209 POSTERS FUZZY LOGIC FOR FORMAL SPECIFICATIONS OF SYSTEMS Victoria López and Javier Montero 215 AN APPROACH FROM COOPERATIVE GAMES TO THE ACCESSIBILITY IN ORIENTED NETWORKS Rafel Amer, Antonio Magaña and José Miguel Giménez 219 INTRODUCTION OF A COOPERATIVE GAME TO DEFINE A CONCEPT OF WEIGHTED CONNECTIVITY ON THE NODES OF CONNECTED GRAPHS Rafael Amer and José Miguel Giménez 222
  8. 8. viii ENTERPRISE INFORMATION SYSTEMS ENGINEERING METHOD BASED ON SEMANTIC MODELS OF MULTI-AGENT RESOURCE CONVERSION PROCESSES AND SOFTWARE Konstantin A. Aksyonov, Irina A. Spitsina, Evgeny A. Bykov and Natalia V. Goncharova 225 IMPLEMENTATION OF 2D OCCUPANCY MAP FOR EFFECTIVE PATH PLANNING OF AN MOBILE ROBOT Jung-hwan Ko and Jung-suk Lee 228 IMPLEMENTATION OF THE 3D ROBOT VISION SYSTEM THROUGH THE CONVERGENCE CONTROL BASED ON THE OPTO-DIGITAL SCHEME Jung-hwan Ko and Jung-suk Lee 231 R4P PROJECT, AN OPEN QUADRUPEDAL ROBOT Luis I. Díaz del Dedo, Luis A. Pérez García, Fernando Berenguer and Nourdine Aliane 234 A FORMAL INTERPRETATION OF IMPLICIT MESSAGES IN AGENT DIALOGUES Fernando Ramos Quintana, Josefina Sámano Galindo and Víctor H. Zárate Silva 237 ARCHITECTURAL MODEL FOR MULTI-AGENTS SYSTEMS González Moreno, Juan Carlos and Luis Vázquez López 241 DOCTORAL CONSORTIUM COGNITIVE APPROACH TO THE DESIGN OF A USER-ADAPTIVE INTERFACE FOR AN INTELLIGENT PRODUCT CONSULTING SYSTEM Elena Minina 247 AUTHOR INDEX
  9. 9. ix FOREWORD These proceedings contain the papers of the IADIS International Conference on Intelligent Systems and Agents 2008, which was organised by the International Association for Development of the Information Society in Amsterdam, The Netherlands, July 22 – 24, 2008. This conference is part of the Multi Conference on Computer Science and Information Systems 2008, 22 - 27 July 2008, which had a total of 1211 submissions. The IADIS Intelligent Systems and Agents conference addresses in detail two main aspects: intelligent systems and agents. The conference has the intention to provide a contribution to academics and practitioners. So, both fundamental and applied research are considered relevant. Submissions were accepted under the following areas and topics: Area 1 – Intelligent Systems - Algorithms - Artificial Intelligence - Automation Systems and Control - Bio Informatics - Computational Intelligence - Expert Systems - Fuzzy Technologies and Systems - Game and Decision Theories - Intelligent Control Systems - Intelligent Internet Systems - Intelligent Software Systems - Intelligent Systems - Machine Learning - Neural Networks - Neurocomputers - Optimization - Parallel Computation - Pattern Recognition - Robotics and Autonomous Robots - Signal Processing - Systems Modelling - Web Mining Area 2 – Agents - Adaptive Agent Systems - Agent Applications - Agent Communication - Agent Development
  10. 10. x - Agent middleware - Agent Models and Architectures - Agent Ontologies - Agent Oriented Systems and Engineering - Agent Programming, Languages and Environments - Agent Systems - Agent Technologies - Agent Theories - Agent Trends - Agents Analysis and Design - Agents and Learning - Agents and Ubiquitous Computing - Agents in Networks - Agents Protocols and Standards - Artificial Systems - Computational Complexity - eCommerce and Agents - Embodied Agents - Mobile Agents - Multi-Agent Systems - Negotiation Strategies - Performance Issues - Security, Privacy and Trust - Semantic Grids - Simulation - Web Agents The IADIS Intelligent Systems and Agents 2008 conference received 97 submissions from more than 26 countries. Each submission has been anonymously reviewed by an average of four independent reviewers, to ensure that accepted submissions were of a high standard. Consequently only 19 full papers were approved which means an acceptance rate below 20 %. A few more papers were accepted as short papers, reflection papers and posters. An extended version of the best papers will be published in the IADIS International Journal on Computer Science and Information Systems (ISSN: 1646-3692) and also in other selected journals. Besides the presentation of full papers, short papers, reflection papers, doctoral papers and posters, the conference also included two keynote presentations from internationally distinguished researchers. We would therefore like to express our gratitude to Professor James Hendler, Tetherless World Constellation Chair, Rensselaer Polytechnic Institute, USA and Professor Lucia Rapanotti, Department of Computing, The Open University, UK for accepting our invitation as keynote speakers. As we all know, organising a conference requires the effort of many individuals. We would like to thank all members of the Program Committee, for their hard work in reviewing and selecting the papers that appear in the proceedings.
  11. 11. xi This volume has taken shape as a result of the contributions from a number of individuals. We are grateful to all authors who have submitted their papers to enrich the conference proceedings. We wish to thank all members of the organizing committee, delegates, invitees and guests whose contribution and involvement are crucial for the success of the conference. Last but not the least, we hope that everybody will have a good time in Amsterdam, and we invite all participants for the next year edition of the IADIS International Conference on Intelligent Systems and Agents 2009, that will be held in Algarve, Portugal. António Palma dos Reis, ISEG - Technical University of Lisbon, Portugal Intelligent Systems and Agents 2008 Conference Program Chair Piet Kommers, University of Twente, The Netherlands Pedro Isaías, Universidade Aberta (Portuguese Open University), Portugal Nian-Shing Chen, National Sun Yat-sen University, Taiwan MCCSIS 2008 General Conference Co-Chairs Amsterdam, The Netherlands July 2008
  13. 13. xiii PROGRAM COMMITTEE INTELLIGENT SYSTEMS AND AGENTS CONFERENCE PROGRAM CHAIR Antonio Palma dos Reis, ISEG - Technical University of Lisbon, Portugal MCCSIS GENERAL CONFERENCE CO-CHAIRS Piet Kommers, University of Twente, The Netherlands Pedro Isaías, Universidade Aberta (Portuguese Open University), Portugal Nian-Shing Chen, National Sun Yat-sen University, Taiwan INTELLIGENT SYSTEMS AND AGENTS CONFERENCE COMMITTEE MEMBERS Adel M. Alimi, University of Sfax, Tunisia Adina Magda Florea, University "Politehnica" of Bucharest, Romania Adrian Perreau de Pinninck, Universitat Autonoma de Barcelona, Spain Agris Nikitenko, Riga Technical University, Latvia Alessandro Ricci, Università di Bologna in Cesena, Italy Alfredo Cuzzocrea, University of Calabria, Italy Alfredo Garro, Universita' della Calabria, Italy Amar Balla, Institut National d'Informatique, Algeria Amine Boumaza, LORIA, France Andrea Addis, University of Cagliari, Italy Andrea Giovannucci, Campus Universitat Autonoma de Barcelona, Spain Angel García-Olaya, Universidad Carlos III de Madrid, Spain Anton Bogdanovych, UTS, Australia Anton Nijholt, University of Twente, The Netherlands Baklouti Nesrine, University of Sfax, Tunisie Behrouz Homayoun Far, University of Calgary, Canada Boštjan Pajntar, Jožeph Stefan Institute, Slovenia Clinton Woodward, Swinburne University of Technology, Australia Costin Badica, University of Craiova, Romania Dariusz Krol, Wroclaw University of Technology, Poland David A. Pelta, University of Granada, Spain
  14. 14. xiv Dickson K.W. Chiu, Computer Systems, Hong Kong Dídac Busquets, Universitat de Girona, Spain Djamel Bouchaffra, Grambling State University, USA Djamila Ouelhadj, ASAP Research Group, UK Eloisa Vargiu, DIEE - University of Cagliari, Italy Esma Aimeur, University of Montréal, Canada Ezendu Ariwa, London Metropolitan University, United Kingdom Fariba Sadri, Imperial College London, UK Federico Bergenti, Università degli Studi di Parma, Italy Federico Castanedo Soltela, Universidad Carlos III de Madrid, Spain Fernando Lyardet, Darmstadt University of Technology, Germany Fernando Ramos, Tecnologico de Monterrey, México Fikret Ercal, University of Missouri, USA Francesco Amigoni, Politecnico di Milano, Italy Germán Gutiérrez Sánchez, Universidad Carlos III de Madrid, Spain Giovanni Semeraro, University of Bari, Italy Giuliano Armano, University of Cagliari, Italy Giuseppe Mangioni, Universita di Catania, Italy Giuseppe Vizzari, University of Milano – Bicocca, Italy Guillaume Muller, École d'Ingénieurs de Luminy, France Hans Werner Guesgen, Massey University, New Zealand Haralambos Mouratidis, University of East London, United Kingdom Heinrich C. Mayr, Alpen-Adria-Universitaet Klagenfurt, Austria Huiye Ma, Centrum voor Wiskunde en Informatica (CWI), The Netherlands Ian Watson, The University of Auckland, New Zealand Ilhem Kallel, University of Sfax, Tunisia Jacek Unold, Wroclaw University of Economics, Poland Jackeline Spinola de Freitas, Universidad Politécnica de Madrid, Spain Jaime Ramírez, Universidad Politécnica de Madrid, Spain James Montgomery, Swinburne University of Technology, Australia Janis Grundspenkis, Riga Technical University, Latvia Jaume Bacardit, University of Nottingham, UK Javier Carbó Rubiera, Univ. Carlos III de Madrid, Spain Jesualdo Tomás Fernández Breis, University of Murcia, Spain Jesús García Herrero, Universidad Carlos III de Madrid, Spain Jim Cunningham, Imperial College, UK Jordi Sabater-Mir, IIIA-CSIC, Spain Jorge A. 
Ramírez-Uresti, ITESM-CEM, Mexico Jørgen Villadsen, Technical University of Denmark, Denmark José Antonio Iglesias, University of Carlos III, Spain José Carlos Cortizo Pérez, Universidad Europea de Madrid, Spain José Manuel Molina López, Universidad Carlos III de Madrid, Spain
  15. 15. xv Juan A. Rodríguez-Aguilar, Universitat Atuònoma de Barcelona, Spain Juan Manuel Serrano, Universidad Rey Juan Carlos, Spain Julius Stuller, Academy of Sciences of the Czech Republic, Czech Republic Krysia Broda, Imperial College, UK Lars Nolle, Nottingham Trend University, UK Laura Naismith, McGill University, Canada Laurent Vercouter, Ecole des Mines de Saint-Etienne, France Laurentiu Vasiliu, DERI, National University of Ireland, Ireland Leonardo Garrido, Tecnologico de Monterrey, México Longbing Cao, Univ of Technology, Sydney, Australia Luis Martí, University Carlos III of Madrid, Spain Mª Araceli Sanchis de Miguel, Universidad Carlos III de Madrid, Spain Maite López Sánchez, University of Barcelona, Spain Manuel Atencia Arcas, Universitat Autonoma de Barcelona, Spain Marc Esteva, University of Technology, Sydney, Australia Maria Bielikova, Slovak University of Technology, Slovakia María de los Angeles Constantino, Tecnologico de Monterrey, México Maria Salamó Llorente, University of Barcelona, Spain Mario Gomez, University of Aberdeen, UK Marko Grobelnik, Josef Stefan Institute, Slovenia Matjaz Gams, Jozef Stefan Institute, Slovenia Mengjie Zhang, Victoria University of Wellington, New Zealand Michelangelo Ceci, Università degli Studi di Bari, Italy Miguel Angel Patricio, Universidad Carlos III de Madrid, Spain Mirjana Ivanovic, University of Novi Sad, Serbia Monique Calisti, Whitestein Technologies AG, Switzerland Nicola Gatti, Politecnico di Milano, Italy Nizar Rokbani, REGIM, Tunisia P.K. Mahanti, University of New Brunswick, Canada Paolo Petta, Austrian Research Institute for Artificial Intelligence, Austria Patrick Wong, Open University, United Kingdom Pilar Herrero, Universidad Politécnica de Madrid, Spain Rainer Hilscher, New Vectors LLC, USA Ramon F. 
Brena Pinero, Tecnológico de Monterrey, Mexico Raúl Arrabales Moreno, Universidad Carlos III de Madrid, Spain Raymond Chiong, Swinburne University of Technology, Malaysia Razvan Andonie, Central Washington University, USA Ricardo Imbert, l Universidad Politécnica de Madrid, Spain Roland Kaschek, Massey University, New Zealand Roman Neruda, Academy of Sciences of the Czech Republic, Czech Republic Shenshneg Zhao, Governors State University, USA Stuart Chalmers, University of Aberdeen, UK
  16. 16. xvi Sven Brueckner, New Vectors, LLC, USA Sviatoslav Braynov, University of Illinois, USA Tarek M. Hamdani, University of Sfax, Tunisia Thierry Moyaux, University of Liverpool, UK Thomas Bolander, Technical University of Denmark, Denmark Tibor Bosse, Vrije Universiteit Amsterdam, Netherlands Tjeerd olde Scheper, Oxford Brookes University, United Kingdom Tomas Klos, Delft University of Technology, The Netherlands Tony Hirst, The Open University, United Kingdom Vincent Thomas, LORIA, France Viorel Negru, West University of Timisoara, Romania Walt Truszkowski, NASA, USA William Song, Durham University, UK Yubin Yang, Nanjing University, China Zoran Budimac, University of Novi Sad, Serbia
  17. 17. KEYNOTE LECTURES WHERE ARE ALL THE AGENTS? James Hendler Tetherless World Constellation Chair Rensselaer Polytechnic Institute, USA ABSTRACT In the late 1990s, many of us believed we were at a time where the large-scale deployment of agent-based computing was right around the corner. The key obstacles to the wider deployment of agent-based systems were identified early on as a need for interoperability and intercommunication. Today, however, we have Web Service standards, supported by the largest software development and support companies, which provide for many of the interoperability needs we identified. We also have the Semantic Web seeing wide deployment and support from some of the larger data providing companies. Open source toolkits and tens of thousands of ontologies in OWL are now available to make domain engineering easier. We have many large Web providers that make access to their systems available through some sort of service interface or in easily programmable ways, so access to service providers abounds. Technologies transitioning from research to industry also include data access for Semantic Web resources, rule-based Web languages, and even expressive logics for the high end KR needs of some applications. However, looking at what is hot on the Web, in IT development, and in VC circles, I find myself shaking my head and wondering, "Where are all the agents?" PROBLEM ORIENTED ENGINEERING Dr. Lucia Rapanotti Department of Computing, The Open University, UK ABSTRACT Problem Oriented Engineering (POE) is a formal system for engineering design. It views engineering design as a problem solving process where knowledge exploration and design steps are intertwined with validation, allowing for iteration between problem and solution spaces. Its Gentzen-style formulation is meant as a system for 'natural' design, rather than mathematical proof, to serve the needs of engineering. 
It also allows for an elegant encoding in Prolog, leading to a powerful computational engine. In this keynote lecture, I will introduce the basic elements of POE, and its engineering and logic foundation, as well as provide an overview of POE current application and development.
  19. 19. Full Papers
  20. 20. ANOMALIES DETECTION ON FIREWALLS USING THE MOBILE AGENTS APPROACH

      Fakher Ben Ftima, Kamel Karoui, Henda Ben Ghezala
      RIADI, ENSI, University of Manouba, Tunisia

      ABSTRACT

      Firewalls are core elements in network security. However, detecting anomalies, particularly in distributed firewalls, has become a complex task. Mobile agents promise an interesting approach for communications between different distributed systems. In this work, we propose a firewall anomaly detection system using the mobile agents approach and highlight the advantages of this approach compared to the client/server model.

      KEYWORDS

      Mobile Agents, Firewalls, Anomalies detection, Client/Server

      1. INTRODUCTION

      Due to the increasing threat of network attacks, firewalls have become important elements not only in enterprise networks but also in small-size and home networks. Firewalls have been the frontier defense for secure networks against attacks and unauthorized traffic by filtering out unwanted network traffic coming to or going out of the secured network [Bellovin94]. The filtering decision is based on a set of ordered filtering rules defined according to predefined security policy requirements [Benelbahri07].

      Despite their security role, firewalls suffer from incoherence problems in their functioning (blocking) owing to the various rules which define them. This problem causes a set of anomalies between the rules of a firewall (intra-firewall anomalies) or between various rules in several firewalls (inter-firewall anomalies) [Cobb97]. The idea is to use the advantages of the Mobile Agents (MA) paradigm to facilitate anomaly detection on a firewall or between firewalls.

      This paper is organized as follows: section 2 introduces a background on firewalls and MA technologies. Section 3 first presents the advantages of integrating MA on firewalls, then explains how the proposed model functions. Section 4 studies an example of anomaly detection on distributed firewalls implemented with the MA approach. Section 5 evaluates our approach by comparing it to the client/server model and section 6 concludes and recommends future trends.

      2. BACKGROUND

      2.1 Firewalls

      A firewall is a network element that controls the crossing of packets through the boundaries of a secured network based on a specific security policy. A firewall security policy is a list of ordered filtering rules defining the actions performed on packets that satisfy specific conditions [Chapman00]. A rule is composed of a set of filtering fields (also called network fields) such as order, protocol type, source IP address (s_ip), destination IP address (d_ip), source port (s_port) and destination port (d_port), as well as an action field. The filtering fields of a rule represent the possible values of the corresponding fields in actual network traffic that matches this rule. Each network field could be a single value or a range of values. Filtering actions are either to accept, which permits the packet into or out of the secure network, or to deny, which blocks the packet [Chewsick95].
  21. 21. The packet is permitted or blocked by a specific rule if the packet header information matches all the network fields of this rule [Wack02]. The following is the common format of packet filtering rules in a firewall policy:

          <order><protocol><s_ip><s_port><d_ip><d_port><action>

      An example of typical firewall rules is shown in Figure 1.

      2.1.1 Formalization of Firewall Rule Relations

      To be able to build a useful model for filtering rules, we need to determine all the relations that may relate packet filters. We define the possible relations that may exist between filtering rules by comparing the network fields [Bellovin99].

      Definition 1: Rules $R_x$ and $R_y$ are exactly matching if every field in $R_x$ is equal to the corresponding field in $R_y$. Formally, $R_x \,\Re_{EM}\, R_y$ if $\forall i: R_x[i] = R_y[i]$, where $i \in \{\text{protocol}, \text{s\_ip}, \text{s\_port}, \text{d\_ip}, \text{d\_port}\}$. For example, in Figure 1, Rule 1 exactly matches Rule 5.

      Definition 2: Rules $R_x$ and $R_y$ are inclusively matching if they do not exactly match and if every field in $R_x$ is a subset of or equal to the corresponding field in $R_y$. $R_x$ is called the subset match while $R_y$ is called the superset match. Formally, $R_x \,\Re_{IM}\, R_y$ if $\forall i: R_x[i] \subseteq R_y[i]$ and $\exists j$ such that $R_x[j] \neq R_y[j]$, where $i, j \in \{\text{protocol}, \text{s\_ip}, \text{s\_port}, \text{d\_ip}, \text{d\_port}\}$. For example, in Figure 1, Rule 1 inclusively matches Rule 2. Rule 1 is the subset match of the relation while Rule 2 is the superset match.

      Definition 3: Rules $R_x$ and $R_y$ are correlated if some fields in $R_x$ are subsets of or equal to the corresponding fields in $R_y$, and the rest of the fields in $R_x$ are supersets of the corresponding fields in $R_y$. Formally, $R_x \,\Re_{C}\, R_y$ if $\forall i$: $R_x[i]$ is related to $R_y[i]$ by one of $\subset$, $\supset$, $=$, and $\exists j, k$ such that $R_x[j] \subset R_y[j]$ and $R_x[k] \supset R_y[k]$, where $i, j, k \in \{\text{protocol}, \text{s\_ip}, \text{s\_port}, \text{d\_ip}, \text{d\_port}\}$ and $j \neq k$. For example, Rule 1 and Rule 3 in Figure 1 are correlated.

          order  protocol  s_ip           s_port  d_ip           d_port  action
          1:     tcp,      140.192.37.20, any,    *.*.*.*,       80,     deny
          2:     tcp,      140.192.37.*,  any,    *.*.*.*,       80,     accept
          3:     tcp,      *.*.*.*,       any,    161.120.33.40, 80,     accept
          4:     tcp,      140.192.37.*,  any,    161.120.33.40, 80,     deny
          5:     tcp,      140.192.37.20, any,    *.*.*.*,       80,     accept
          6:     tcp,      140.192.37.*,  any,    *.*.*.*,       21,     accept
          7:     tcp,      140.192.37.*,  any,    161.120.33.40, 21,     accept
          8:     udp,      140.192.38.*,  any,    161.120.35.*,  any,    accept

      Figure 1. A typical firewall rule

      2.1.2 Intra-firewalls Anomaly

      An intra-firewall policy anomaly is defined by [Eronen01]:

      - The existence of two or more filtering rules that may match the same packet
      - The existence of a rule that can never match any packet on the network paths that cross the firewall.

      In this section, we describe and formally define the possible intra-firewall policy anomalies [Al-Shaer04]:

      a-Shadowing anomaly: A rule is shadowed when a previous rule matches all the packets that match this rule, such that the shadowed rule will never be activated. Formally, rule $R_y$ is shadowed by rule $R_x$ if:

      - $R_x[\text{order}] < R_y[\text{order}]$, $R_x \,\Re_{EM}\, R_y$, $R_x[\text{action}] \neq R_y[\text{action}]$
      - $R_x[\text{order}] < R_y[\text{order}]$, $R_x \,\Re_{IM}\, R_y$, $R_x[\text{action}] \neq R_y[\text{action}]$

      For example, Rule 4 is shadowed by Rule 3 in Figure 1.
  22. 22. b-Correlation anomaly: Two rules are correlated if they have different filtering actions, and the first rule matches some packets that match the second rule and the second rule matches some packets that match the first rule. Formally, rule $R_x$ and rule $R_y$ have a correlation anomaly if:

      - $R_x \,\Re_{C}\, R_y$, $R_x[\text{action}] \neq R_y[\text{action}]$

      Rule 1 is in correlation with Rule 3 in Figure 1.

      c-Generalization anomaly: A rule is a generalization of a preceding rule if they have different actions, and if the first rule can match all the packets that match the second rule. Formally, rule $R_y$ is a generalization of rule $R_x$ if:

      - $R_x[\text{order}] < R_y[\text{order}]$, $R_x \,\Re_{IM}\, R_y$, $R_x[\text{action}] \neq R_y[\text{action}]$

      Rule 2 is a generalization of Rule 1 in Figure 1.

      d-Redundancy anomaly: A redundant rule performs the same action on the same packets as another rule such that if the redundant rule is removed, the security policy will not be affected. Formally, rule $R_y$ is redundant to rule $R_x$ if:

      - $R_x[\text{order}] < R_y[\text{order}]$, $R_x \,\Re_{EM}\, R_y$, $R_x[\text{action}] = R_y[\text{action}]$
      - $R_x[\text{order}] < R_y[\text{order}]$, $R_x \,\Re_{IM}\, R_y$, $R_x[\text{action}] = R_y[\text{action}]$

      Referring to Figure 1, Rule 7 is redundant to Rule 6.

      e-Irrelevance anomaly: A filtering rule in a firewall is irrelevant if this rule cannot match any traffic that might flow through this firewall. This exists when both the source address and the destination address fields of the rule do not match any domain that is reachable through this firewall. Formally, rule $R_x$ in firewall $Fw_i$ is irrelevant if:

      - $Fw_i \notin \{n : n \text{ is a node on a path from } R_x[\text{src}] \text{ to } R_x[\text{dst}]\}$

      Referring to Figure 1, Rule 8 is irrelevant because the traffic that goes between the source (140.192.38.*) and the destination (161.120.35.*) doesn't pass through this firewall.

      2.1.3 Inter-Firewall Anomaly

      In general, an inter-firewall anomaly may exist if any two firewalls on a network path take different filtering actions on the same traffic [Ioannidis00]. We suppose a traffic stream flowing from sub-domain $D_x$ to sub-domain $D_y$ across multiple cascaded firewalls installed on the network path between the two sub-domains. At any point on this path in the direction of flow, a preceding firewall is called an upstream firewall whereas a following firewall is called a downstream firewall [Hari00]. Using the above network model, we can say that for any traffic flowing from sub-domain $D_x$ to sub-domain $D_y$ an anomaly exists if one of the following conditions holds:

      1) The most-downstream firewall accepts traffic that is blocked by any of the upstream firewalls.
      2) The most-upstream firewall permits traffic that is blocked by any of the downstream firewalls.
      3) A downstream firewall denies traffic that is already blocked by the most-upstream firewall.

      We assume that the network traffic is flowing from domain $D_x$ to domain $D_y$, rule $R_x$ belongs to the policy of the most-upstream firewall $Fw_x$, while rule $R_y$ belongs to the policy of the most-downstream firewall $Fw_y$. We classify anomalies in multi-firewall environments as follows (detailed examples are given in section 4) [Lupu97]:

      a-Shadowing Anomaly: A shadowing anomaly occurs if an upstream firewall blocks the network traffic accepted by a downstream firewall. Formally, rule $R_y$ is shadowed by rule $R_x$ if one of the following conditions holds:

      - $R_y \,\Re_{EM}\, R_x$, $R_x[\text{action}] = \text{deny}$, $R_y[\text{action}] = \text{accept}$
      - $R_y \,\Re_{IM}\, R_x$, $R_x[\text{action}] = \text{deny}$, $R_y[\text{action}] = \text{accept}$
      - $R_x \,\Re_{IM}\, R_y$, $R_x[\text{action}] = \text{deny}$, $R_y[\text{action}] = \text{accept}$
      - $R_x \,\Re_{IM}\, R_y$, $R_x[\text{action}] = \text{accept}$, $R_y[\text{action}] = \text{accept}$

      b-Spuriousness Anomaly: A spuriousness anomaly occurs if an upstream firewall permits the network traffic denied by a downstream firewall. Formally, rule $R_x$ allows spurious traffic to rule $R_y$ if one of the following conditions holds:

      - $R_x \,\Re_{EM}\, R_y$, $R_x[\text{action}] = \text{accept}$, $R_y[\text{action}] = \text{deny}$
  23. 23. deny[action]R,accept[action]R,RR yxyIMx ==ℜ deny[action]R,accept[action]R,RR yxxIMy ==ℜ accept[action]R,accept[action]R,RR yxxIMy ==ℜ deny[action]R,deny[action]R,RR yxyIMx ==ℜ c-Redundancy Anomaly: A redundancy anomaly occurs if a downstream firewall denies the network traffic already blocked by an upstream firewall. Formally, rule Ry is redundant to rule Rx if, on every path to which Rx and Ry are relevant, one of the following conditions holds: deny[action]R,deny[action]R,RR yxxEMy ==ℜ deny[action]R,deny[action]R,RR yxxIMy ==ℜ d-Correlation Anomaly: A correlation anomaly occurs as a result of having two correlated rules (rules having different filtering actions) in the upstream and downstream firewalls. Formally, the correlation anomaly for rules Rx and Ry occurs if one of the following conditions holds: accept[action]R,accept[action]R,RR yxyCx ==ℜ deny[action]R,deny[action]R,RR yxyCx ==ℜ deny[action]R,accept[action]R,RR yxyCx ==ℜ accept[action]Rdeny,[action]R,RR yxyCx ==ℜ 2.2 Mobile Agents MA is a programming paradigm used in distributed applications [Lange99]. It makes the implementation of applications dynamically adaptable easier and facilitates the development of distributed applications on large networks. This covers many domains such as e-commerce; telecommunications, workflow applications, remote maintenance and park administration [Guttman98]. MA are execution programs that can migrate from one host in a network to another in order to satisfy requests made by their clients. The state of the running program is saved, transported to the new host and restored, allowing the program to continue where it left off. The MA properties are the following [Karoui05]: -MA are autonomous; they have some degree of control over their data and states. -MA have the ability to act without direct external interference. -MA are interactive by communicating with the environment and other agents. 
-MA are adaptive; they can integrate with other agents or their environment.

3. FIREWALL ANOMALIES' DETECTION SYSTEM BASED ON MA APPROACH

3.1 The MA Approach Advantages

The development of distributed firewalls and the introduction of software agents lead us to use the MA paradigm to perform intra-firewall and inter-firewall anomaly detection [Jansen99]. MA offer several potential advantages [Karoui07a] when used in a distributed firewall system [Karoui07b]:
• Reducing network load: Firewalls face the problem of processing a huge amount of data. Their centralized administration is a complex task due to the great number of requests exchanged between firewalls. MA can overcome this problem by reducing the number of requests exchanged between distributed firewalls.
• Asynchronous execution and autonomy: MA perform tasks autonomously without disturbing the functioning of firewalls. They are able to continue to operate asynchronously even if a firewall is not available or if the administrator machine is disconnected from the network.
• Dynamic adaptation: As the number of firewalls in the network increases, MA can be cloned and dispatched to these new computing elements; MA adapt their behavior according to the network's topology and traffic characteristics.
• Robustness and fault tolerance: MA are able to react to multiple situations, especially faulty ones. This ability ensures the efficient functioning of distributed firewalls even if the system is faulty.

3.2 Principle of Functioning

Based on the advantages presented in section 3.1, we present the architecture of our system. The administrator sends a MA to the first firewall (1). The MA encapsulates the set of rules found on the latter and migrates to the next firewall (2). It correlates the list of rules (3) and passes to the next firewall. It repeats the same process (steps (2) and (3)) until it has completed a tour of the system (see figure 2). In our solution, the administrator can detect anomalies on a particular firewall (intra-firewall) or on the entire network (inter-firewalls); the MA returns the result when an anomaly is detected on the specific firewall (4) or at the end of the complete tour (5).

Figure 2. Anomalies detection system with the MA approach

4. CASE STUDY

Based on the approach presented in section 3, we present an experimental case study. We have implemented a ring network composed of an administrator machine and three firewalls Fw1, Fw2 and Fw3. These machines are equipped with a Core 2 Duo processor with 1,6 MHZ frequency and 1GB of RAM. We used the BeeGent platform [Toshiba01] to implement the MA approach and the IPTABLES firewall [Russell99] for firewall rule description. We implemented our system under the Linux FEDORA6 operating system (see figure 3).

4.1 Experimental Results

4.1.1 Intra-firewalls Anomalies Detection Results

To detect anomalies on a specific firewall, the MA moves to a particular firewall, with a formal description of the anomalies.
It takes the firewall rules one by one and compares them to the anomalies description (see section 2.1.2). In our example, we suppose that our MA moves to Fw2 to detect possible anomalies. The detection results returned by the MA are the following (see figure 3):
Generalization anomalies: (Rule 7 is a generalization of Rule 6), (Rule 8, Rule 1), (Rule 8, Rule 2), (Rule 8, Rule 3), (Rule 8, Rule 5), (Rule 8, Rule 7), (Rule 5, Rule 4)
Redundancy anomalies: (Rule 1 is redundant to Rule 3)

[Figure 2 diagram labels: Admin, Network, Fw1, Fw2, Fw3, Fw4, each firewall with its Rules; steps (1) to (5)]
4.1.2 Inter-firewalls Anomalies Detection Results

To detect anomalies on the entire system, the MA moves to the first firewall with a formal description of the anomalies, encapsulates the set of rules found on Fw1 and begins its tour to Fw2 then to Fw3 (see section 2.1.3). In our example, the detection results returned by the MA are the following (see figure 3):
Shadowing anomalies: (Rule 2 on Fw3 is shadowed by Rule 3 on Fw2), (8/Fw2, 4/Fw3), (7/Fw2, 7/Fw1), (5/Fw2, 5/Fw1)
Spuriousness anomalies: (Rule 2 on Fw2 allows spurious traffic to Rule 4 on Fw1), (2/Fw2, 9/Fw3), (5/Fw3, 4/Fw2), (3/Fw3, 3/Fw2), (5/Fw1, 4/Fw2)
Redundancy anomalies: (Rule 6 on Fw3 is redundant to Rule 6 on Fw2), (9/Fw3, 6/Fw1)

Figure 3. The firewall anomalies' detection system based on the MA approach

5. PERFORMANCES EVALUATION

To evaluate the performance of the proposed model (see section 4), we implemented it with both approaches, viz. the client/server and the MA approaches. The functioning processes of both approaches are presented in figure 4 and figure 5. We have chosen two criteria to compare them, viz. the bandwidth use and the execution time.

    i=2;
    The administrator sends a MA;
    The MA encapsulates rules on Fw1;
    While (i<nb-firewalls)
        The MA migrates to Fwi;
        The MA correlates rules;
        If (Detection anomaly)
            The MA alerts the administrator;
        i → i+1;
    The MA returns results to administrator;
    The administrator treats the anomalies;

Figure 4. The MA process

    i=2, j=1;
    The administrator requests Fw1;
    While (i< nb-firewalls)
        While (j< nb-rules)
            The administrator correlates rule Rj;
            If (Detection anomaly)
                The administrator treats the anomaly;
            j → j+1;
        i → i+1;
    The administrator treats the anomalies;

Figure 5. The Client/Server process

[Figure 3 content: rule listings of the three firewalls; diagram labels Fw1, Fw2, Fw3, Admin; steps (1) to (5)]

    1: tcp, 161.120.*.* : any, 140.192.*.* : 80, accept
    2: tcp, 161.120.*.* : any, 140.192.22.5 : 21, deny
    3: tcp, 161.120.*.* : any, 140.192.*.* : 21, accept
    4: tcp, 140.192.*.* : any, 161.120.33.* : 23, accept
    5: tcp, 161.120.33.* : any, 140.192.*.* : 23, accept
    6: tcp, 161.120.24.* : any, 140.192.37.3 : 25, deny
    7: tcp, 161.120.24.* : any, 140.192.22.5 : 25, deny
    8: tcp, 161.120.*.* : any, 140.192.37.* : 25, accept
    9: tcp, *.*.*.* : any, *.*.*.* : any, deny

    1: tcp, 161.120.*.* : any, *.*.*.* : 80, accept
    2: tcp, 140.192.*.* : any, *.*.*.* : 25, accept
    3: tcp, *.*.*.* : any, 140.192.*.* : 25, accept
    4: tcp, 140.192.*.* : any, 161.120.*.* : 80, deny
    5: tcp, 161.120.33.* : any, 140.192.37.1 : 23, deny
    6: tcp, 161.120.*.* : any, 140.192.*.* : 22, deny
    7: tcp, 161.120.*.* : any, 140.192.*.* : any, accept
    8: tcp, 140.192.*.* : any, 161.120.*.* : any, accept
    9: tcp, *.*.*.* : any, *.*.*.* : any, deny

    1: tcp, 161.120.*.* : any, 140.192.*.* : 80, accept
    2: tcp, 140.192.*.* : any, 161.120.*.* : 80, accept
    3: tcp, 161.120.*.* : any, 140.192.22.5 : 21, accept
    4: tcp, 161.120.33.* : any, 140.192.37.* : 23, deny
    5: tcp, 161.120.*.* : any, 140.192.*.* : 23, accept
    6: tcp, 161.120.24.* : any, 140.192.37.3 : 25, deny
    7: tcp, 161.120.24.* : any, 140.192.*.* : 25, accept
    8: tcp, *.*.*.* : any, *.*.*.* : any, deny
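The pairwise inter-firewall conditions listed earlier (shadowing, spuriousness, redundancy, correlation) can be checked mechanically. The Python sketch below is an added example, not the authors' BeeGent implementation: it parses rules written in the Figure 3 layout, derives the EM/IM/C relation between an upstream rule Rx and a downstream rule Ry, and applies those conditions. It assumes the usual field-by-field subset reading of the relations from [Al-Shaer04], compares rules pairwise without regard to their order inside a policy, and uses two constructed sample policies.

```python
from typing import NamedTuple

WILD = {"*", "any"}

class Rule(NamedTuple):
    num: int
    match: tuple   # (protocol, src_ip, src_port, dst_ip, dst_port)
    action: str    # "accept" or "deny"

def parse_rule(line):
    """Parse 'N: proto, src_ip : port, dst_ip : port, action' (Figure 3 layout)."""
    num, rest = line.split(":", 1)
    proto, src, dst, action = [part.strip() for part in rest.split(",")]
    src_ip, src_port = [part.strip() for part in src.split(":")]
    dst_ip, dst_port = [part.strip() for part in dst.split(":")]
    return Rule(int(num), (proto, src_ip, src_port, dst_ip, dst_port), action)

def _atoms(value):
    # A dotted IPv4 pattern is compared octet by octet; other fields are one atom.
    return value.split(".") if value.count(".") == 3 else [value]

def field_rel(a, b):
    """Return (a_within_b, b_within_a, overlap) for one field of two rules."""
    xs, ys = _atoms(a), _atoms(b)
    n = max(len(xs), len(ys))          # lets a bare "any" face a dotted pattern
    pairs = list(zip(xs * (n // len(xs)), ys * (n // len(ys))))
    a_in_b = all(y in WILD or x == y for x, y in pairs)
    b_in_a = all(x in WILD or x == y for x, y in pairs)
    overlap = all(x in WILD or y in WILD or x == y for x, y in pairs)
    return a_in_b, b_in_a, overlap

def relation(rx, ry):
    """EM, IM_xy (Rx inside Ry), IM_yx (Ry inside Rx), C (correlated) or None."""
    rels = [field_rel(a, b) for a, b in zip(rx.match, ry.match)]
    if not all(overlap for _, _, overlap in rels):
        return None                    # disjoint: no packet matches both rules
    x_in_y = all(r[0] for r in rels)
    y_in_x = all(r[1] for r in rels)
    if x_in_y and y_in_x:
        return "EM"
    if x_in_y:
        return "IM_xy"
    if y_in_x:
        return "IM_yx"
    return "C"

# (relation, upstream action, downstream action) -> anomaly, one entry per
# formal condition given in the text for Rx (upstream) and Ry (downstream).
ANOMALY = {
    ("EM", "deny", "accept"): "shadowing",
    ("IM_yx", "deny", "accept"): "shadowing",
    ("IM_xy", "deny", "accept"): "shadowing",
    ("IM_xy", "accept", "accept"): "shadowing",
    ("EM", "accept", "deny"): "spuriousness",
    ("IM_xy", "accept", "deny"): "spuriousness",
    ("IM_yx", "accept", "deny"): "spuriousness",
    ("IM_yx", "accept", "accept"): "spuriousness",
    ("IM_xy", "deny", "deny"): "spuriousness",
    ("EM", "deny", "deny"): "redundancy",
    ("IM_yx", "deny", "deny"): "redundancy",
}

def classify(rx, ry):
    """Anomaly between upstream rule rx and downstream rule ry, or None."""
    rel = relation(rx, ry)
    if rel == "C":
        return "correlation"           # all four action pairs are listed for C
    return ANOMALY.get((rel, rx.action, ry.action))

def inter_firewall_anomalies(upstream, downstream):
    """List (anomaly, upstream rule number, downstream rule number) triples."""
    found = []
    for rx in upstream:
        for ry in downstream:
            kind = classify(rx, ry)
            if kind:
                found.append((kind, rx.num, ry.num))
    return found

# Constructed sample policies (not the rule sets of Figure 3).
UPSTREAM = [
    "1: tcp, 161.120.*.* : any, 140.192.*.* : 21, deny",
    "2: tcp, 161.120.*.* : any, 140.192.*.* : 80, accept",
    "3: tcp, 161.120.33.* : any, 140.192.37.* : 23, deny",
]
DOWNSTREAM = [
    "1: tcp, 161.120.*.* : any, 140.192.22.5 : 21, accept",
    "2: tcp, 161.120.24.* : any, 140.192.*.* : 80, deny",
    "3: tcp, 161.120.33.* : any, 140.192.37.* : 23, deny",
    "4: tcp, 161.120.*.* : any, 140.192.37.1 : 23, accept",
]

if __name__ == "__main__":
    up = [parse_rule(line) for line in UPSTREAM]
    down = [parse_rule(line) for line in DOWNSTREAM]
    for kind, x, y in inter_firewall_anomalies(up, down):
        print(f"{kind}: upstream rule {x} / downstream rule {y}")
```

In the MA tour of Figure 4, the same comparison would run on each visited firewall against the rules the agent carries from the firewalls upstream of it.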
5.1 Bandwidth Use

5.1.1 The client/server Model

In our system, according to the client/server process (figure 5), each firewall has several rules to be analyzed. To detect anomalies, the administrator queries every firewall, rule by rule; in our case, we have 9 requests on Fw1, $(9 \times 8)$ correlation requests on Fw2 and $(9 \times 9)$ correlation requests on Fw3. We note that there are $9 + (9 \times 8) + (9 \times 9) = 162$ requests exchanged between the firewalls and the administrator machine. In the general case, with (n) firewalls to be analyzed, we have $N \times \left(1 + \sum_{i=2}^{n} x_i\right)$ requests exchanged with the administrator machine, where N is the number of rules on Fw1 and xi is the number of rules on Fwi; this is a heavy load on the whole network traffic, especially if the number of firewalls is large.

5.1.2 The MA Model

According to the MA process (figure 4), the administrator sends a MA that visits all firewalls to detect anomalies. At the end of its complete tour, the MA returns results to the administrator. In our example, we note that the MA moves 4 times between firewalls and the administrator machine. In the general case, with (n) firewalls to be analyzed, we have (n+1) moves between firewalls and the administrator machine; this is a significant gain for the whole network traffic, especially if the number of firewalls is large.

5.1.3 Interpretations

With the MA approach, the total number of moves between firewalls on the network is lower than the number of client/server requests. This gain reduces the global bandwidth use.

5.2 Execution Time

We define the execution time by [Longman95]:
Execution time = treatment time + latency time
Latency time = transmission time + propagation time

The transmission time represents the time necessary to transmit data on the network. It is defined by:
The transmission time = size of the message / bit rate

The propagation time is the necessary time to transfer data from the transmitter to the receiver.
It is defined by:
The propagation time = distance / propagation speed

In our example, the links dij connecting all machines (i=1, j=2, 3 or 4) are equal to (5m) and the propagation speed is equal to $2 \times 10^{8}$ m/s for all firewalls. Also, we suppose that the links joining all firewalls have the same bit rate (10 Mbits/s).

5.2.1 The client/server Model

The global request treatment time, which includes interactions with Fw1, correlation of the rules of Fw2 and correlation of the rules of Fw3, is estimated at 5 (s). The administrator sends many requests to the firewalls across the links dij. The request size is equal to 1 (kbits). The global request sizes to Fw1, Fw2 and Fw3 are respectively Q12 = 9 (kbits), Q13 = 8 (kbits) and Q14 = 9 (kbits). The response sizes from the latter are respectively A12 = 9 (kbits), A13 = 24 (kbits) and A14 = 33 (kbits).
$\text{The transmission time} = \dfrac{(Q_{12}+A_{12})+(Q_{13}+A_{13})+(Q_{14}+A_{14})}{\text{bit rate}} = \dfrac{(9+9)+(8+24)+(9+33)}{10\ \text{Mbits/s}} \approx 10^{-6}\ \text{s}$

$\text{The propagation time} = \dfrac{(d_{12}+d_{21})+(d_{13}+d_{31})+(d_{14}+d_{41})}{\text{propagation speed}} = \dfrac{(5+5)+(10+10)+(15+15)\ \text{(m)}}{2 \times 10^{8}\ \text{m/s}} = 3 \times 10^{-7}\ \text{s}$

$\text{The Execution time} = 5 + (3 \times 10^{-7}) + (10^{-6}) \approx 5\ \text{s}$

5.2.2 The MA Model

The global treatment time, which includes interactions with Fw1, correlation of rules on Fw2 and correlation of rules on Fw3, is estimated at 3 (s). The MA is composed of two elements: a processing part (S) and a data part (Di). The global size of the MA on Fwi is (S + Di). The processing part size (S) of the MA is 6 (kbits).

$\text{The transmission time} = \dfrac{(S+D_{1})+(S+D_{2})+(S+D_{3})}{\text{bit rate}} = \dfrac{6+(6+25)+(6+47)}{10\ \text{Mbits/s}} \approx 10^{-6}\ \text{s}$

$\text{The propagation time} = \dfrac{d_{12}+d_{23}+d_{34}+d_{41}}{\text{propagation speed}} = \dfrac{4 \times 5\ \text{(m)}}{2 \times 10^{8}\ \text{m/s}} = 10^{-7}\ \text{s}$

$\text{The Execution time} = 3 + 10^{-7} + 10^{-6} \approx 3\ \text{s}$

5.2.3 Interpretations

According to the experimental results, we note that the execution time with the MA approach is less than that with the client/server model. To consolidate our results, we increased the number of firewalls. We noticed that the more the number of firewalls increases, the better the MA approach performs (see figure 6). These experiments show our approach to be more efficient and more favorable.

Figure 6. MA approach versus Client/server approach

6. CONCLUSION

In this article, we exploited the advantages of the MA approach to improve and simplify anomaly detection in distributed firewalls. Also, the comparison of our model with the client/server model proves its effectiveness and shows a certain number of advantages over the client/server model. Our case study was carried out in a specific network under the constraints of a laboratory environment. We expect to validate the efficiency of our approach on more complex network architectures.
[Figure 6 plot: Execution time (ms), 0 to 45000, against Nb Firewalls, 2 to 10; series: Client/server, Mobile Agents]
REFERENCES

[Al-Shaer04] Al-Shaer, E. and Hamed, H., 2004. Discovery of policy anomalies in distributed firewalls. Sch. of Comput. Sci., Telecommun. & Inf. Syst., DePaul Univ., Chicago, IL, USA.
[Bellovin94] Bellovin, M. and Cheswick, R., 1994. Network firewalls. IEEE Communications Magazine, pages 50-57.
[Bellovin99] Bellovin, M., 1999. Distributed Firewalls. Special Issue on Security, ISSN 1044-6397.
[Benelbahri07] Benelbahri, A. and Bouhoula, A., 2007. Tuple Based Approach for Anomalies Detection within Firewall Filtering Rules. IEEE Symposium on Computers and Communications, ISCC 2007, 12th Volume, Issue, 1-4, Page(s): 63-70.
[Chapman00] Chapman, D. and Zwicky, E., 2000. Building Internet Firewalls, Second Edition. O'Reilly & Associates Inc.
[Chewsick95] Cheswick, W. and Bellovin, S., 1995. Firewalls and Internet Security. Addison-Wesley.
[Cobb97] Cobb, S., 1997. ICSA Firewall Policy Guide v2.0. NCSA Security White Paper Series.
[Eronen01] Eronen, P. and Zitting, J., 2001. An Expert System for Analyzing Firewall Rules. Proceedings of 6th Nordic Workshop on Secure IT-Systems (NordSec 2001).
[Guttman98] Guttman, R. et al., 1998. Agent-mediated electronic commerce: a survey. Knowledge Engineering Review, 13(2):143-147.
[Hari00] Hari, B. et al., 2000. Detecting and Resolving Packet Filter Conflicts. Proceedings of IEEE INFOCOM'00.
[Ioannidis00] Ioannidis, S. et al., 2000. Implementing a Distributed Firewall. Proceedings of 7th ACM Conference on Computer and Communications Security (CCS'00).
[Jansen99] Jansen, W. et al., 1999. Applying mobile agents to intrusion detection and response. Technical report, NIST Interim Report - 6416.
[Karoui05] Karoui, K., 2005. MA Overview. Encyclopedia of Multimedia Technology and Networking, Idea Group.
[Karoui07a] Karoui, K. and B.Ftima, F., 2007. Interaction Mobile Agents - Web Services. Encyclopedia of Multimedia Technology and Networking, IGI global.
[Karoui07b] Karoui, K. and B.Ftima, F., 2007. Effectiveness of Web Services-Mobile Agents Approach in E-commerce System. Encyclopedia of Information Science and Technology, IGI global.
[Lange99] Lange, D. and Oshima, M., 1999. Seven Good Reasons for Mobile Agents - Dispatch your agents; shut off your machine. Communications of the ACM Issue.
[Longman95] Longman, A. and Halsall, F., 1995. Data Communications Computer Networks and Open System, ISBN: 0-201-42293-X. Publishing Co., Inc., Redwood City, CA, USA.
[Lupu97] Lupu, E. and Sloman, M., 1997. Conflict Analysis for Management Policies. Proceedings of IFIP/IEEE International Symposium on Integrated Network Management (IM'1997).
[Russell99] Russell, R., 1999. Linux iptables HOWTO, v0.0.2.
[Toshiba01] Toshiba Corporation, 2001. Beegent Multi-Agent Framework.
[Wack02] Wack, J. et al., 2002. Guidelines on Firewalls and Firewall Policy. NIST Recommendations, SP 800-41.
USING HONEY-AGENTS FOR ESTABLISHING TRUST IN MOBILE-AGENTS E-COMMERCE APPLICATIONS

Sandhya Armoogum, Nawaz Mohamudally
University of Technology, Mauritius
Pointe aux Sables, Mauritius

ABSTRACT

Agent technology has an immense potential in e-commerce. Personalised mobile-agents could be despatched by users to find and recommend products and services, negotiate the terms of transactions, and even make payments. However, among the reasons for the technology's unmet potential are security concerns. In this paper, we propose the use of decoy honey-agents to conduct transactions in order to monitor the actions of the agent servers towards the mobile-agent. Such information can give an indication of the trustworthiness of agent servers.

KEYWORDS

E-commerce mobile-agent, Honey-Agent, Security, Trustworthiness, Social control

1. INTRODUCTION

Mobile code is an important programming paradigm for our increasingly networked world. It provides a flexible way to structure cooperative computation in distributed systems. Mobile-agents are mobile code that acts autonomously on behalf of a user for continuous collecting, filtering, and processing of information. They combine the benefits of the mobile-agent paradigm, such as reacting to a changing environment and autonomous operation, with the features of remote code execution. Important mobile-agent applications include mobile computing, where bandwidth is limited or users are disconnected, data retrieval from large repositories, configuration management of software and networks, and e-commerce applications. As such, mobile-agents are believed to have an important role in future e-commerce systems as they provide a flexible mechanism for gathering information about products and services available on the Internet by visiting several servers.
Knowing the user's preferences, they can find required products and services, negotiate the terms of transactions, make payments and arrange for delivery of the goods purchased to the required destination. According to (Maes et al, 1999), agents can take care of all the different steps involved in a typical e-commerce transaction, such as Product brokering, Merchant brokering, Negotiation, Payment and Delivery, either autonomously, without interacting continuously with the user, or in a semi-autonomous manner where the mobile-agent seeks approval before making any purchase. Despite their benefits, massive use of mobile-agents for e-commerce is restricted by security issues. Typically, four threat categories are identified (Jansen, Karygianinis, 2000): (1) a mobile-agent attacking an agent server, (2) an agent server attacking a mobile-agent, (3) a mobile-agent attacking another mobile-agent on the agent server, and (4) other entities attacking the agent system. Existing techniques for the protection of agent servers from malicious mobile-agents are sandboxing, code signing, firewalling, and proof carrying codes. The protection of mobile-agents from malicious agent servers is a more challenging problem. Existing mechanisms provide security against some types of threats (e.g. tampering) posed to mobile-agents by malicious servers. But the protection of private information such as credit card details or electronic monies, or the confidentiality of code, is still a major problem.

Honeypot technology has proven to be very beneficial in network security. A honeypot is a closely monitored network decoy serving several purposes: it can distract adversaries from more valuable machines on a network, can provide early warning about new attack and exploitation trends, or allow in-depth examination of adversaries during and after exploitation of a honeypot.
It is proposed to use the same concepts in the form of honey-agents for evaluating the trustworthiness of agent servers on the Internet. If tampering or spying is detected during interaction with a honey-agent, the honey-agent can inform the server that maintains records on a server's trustworthiness, thereby implementing social control. This approach can provide an effective stop-gap measure as it discourages servers from behaving badly in order to maintain a good reputation. However, this approach does not eliminate the problem of malicious servers, nor is it successful in detecting all malicious activities of a malevolent agent server.

The next section briefly describes the mobile-agent system model and the threats posed by malicious agent servers to mobile-agents. Existing techniques for mobile-agent security are presented in section 3. Section 4 describes the concept of social control. Sections 5 and 6 describe the trust evaluation architecture and how honey-agents are deployed for evaluating the trustworthiness of the agent servers. Finally, we conclude and present future works.

2. MOBILE-AGENT SYSTEM MODEL AND MALICIOUS HOST PROBLEM

Mobile-agents are capable of continued, autonomous operation disconnected from the owner and they migrate to other hosts during their lifetime to perform their task. The use of mobile-agents saves bandwidth and permits off-line and autonomous execution in comparison to usual distributed systems based on message passing, as shown in Figure 1 below. Essentially, a mobile-agent consists of the code, data and state information needed to carry out some computation.

Figure 1. Client-Server model versus Mobile-Agent computing model

Several models exist for describing agent systems (Fuggetta, 1998), (FIPA, 1998), (OMG, 1997). For discussing security related issues though, it suffices to consider a very simple model consisting of the mobile-agent and the agent platform provided by the agent server as described in (Jansen, Karygianinis, 2000). The agent platform provides the necessary computational environment for the mobile-agent to operate.
The platform from which a mobile-agent originates is referred to as the home platform, and normally is the most trusted environment for a mobile-agent. A simple mobile-agent system model is depicted in Figure 2. As can be observed from Figures 1 and 2, mobile agents hop from agent server to agent server and execute locally on the destination agent platform. The agent servers have complete control over the executing mobile-agents and thus many attacks may be performed by malicious servers on the mobile-agent. The malicious server can modify the code, data, and/or state information being carried by the mobile-agent. Likewise the malicious server can inspect the code of the mobile-agent to learn about the decision making strategy of the agent. Again the malicious server may inspect confidential data such as credit card details or a signing key being carried by the mobile-agent. Thus, the protection of mobile-agents from malevolent agent servers is as important as the protection of the host from malicious mobile-agents. Ideally, the mobile agent should be equipped with security features that enable it to execute in an untrusted environment autonomously (i.e. without interactions with its originating site) and without the untrusted host being able to read and modify the mobile-agent's code and data.

[Figure 1 panels: (a) Client Server Model: information exchanged between client and server; (b) Mobile-agent Computing Model: mobile-agent travels to server (agent platform) and locally interacts with server]
Figure 2. Mobile-agent computing model

3. EXISTING MOBILE-AGENT PROTECTION SCHEMES

Many proposed systems suggest the use of trusted servers in a network for processing of critical information. (Guan et al, 2000) suggests that the network be divided into regions and that in each region there be a trusted host called police office (PO). Agents' critical code, such as the decision making strategy, is executed only on trusted hosts, i.e. the PO. (Marques et al, 1999) and (Farmer et al, 1996) suggest that the decision making algorithm or any other such critical code and sensitive data be carried encrypted by the mobile-agent and only be executed on some specified trusted hosts in the network. However, this approach is restrictive and involves an increase in network traffic, which defies the concept of mobile-agent because the mobile-agent would then communicate with the server in a client server way from the trusted server.

Another approach is to enhance the mobile-agent with security features such that it can detect or even prevent attacks. Several cryptographic and non cryptographic techniques exist for detecting tampering of the code, state, data and partial results being carried by the mobile-agent. For instance, the static agent-code can be digitally signed, and a Partial Result Authentication Code (PRAC) can be used for detecting tampering of partial results. In (F.Hohl, 2000) and (F.Hohl, 1999b), "reference states" are used to detect state modification attacks. Farmer, Guttman and Swarup present in (Farmer et al, 1996) a "state appraisal" mechanism for detecting state change whereby the mobile-agent is equipped with a state appraisal function that checks the validity of the current state of a mobile-agent. (Minsky et al, 1996) propose to use a fault tolerance mechanism to detect attacks by malicious hosts.
In (Vigna, 1997) and (Vigna, 1998), Vigna presents an approach that allows detection of tampering by the agent platform via execution checking of a mobile-agent, using cryptographic traces which are logs of the operations performed by the mobile-agent during its lifetime. In (Park et al, 2001), a One-time Key Generation System (OKGS) is proposed to effectively provide confidentiality and integrity of agent data gathered on the itinerary as well as the integrity of agent code. (Karjoth et al, 1998) proposes a mechanism for enabling a mobile-agent to securely collect computation results against prying and tampering by malicious hosts visited by the mobile-agent. Furthermore, based on the idea that malicious hosts need time to analyse and modify a mobile-agent's code, data and/or state, the protocol in (Esparza et al, 2003) detects manipulation attacks performed during the agent's execution (when a host spends more time than needed executing the mobile-agent) by controlling the execution time in hosts. All these techniques detect modification attacks but do not prevent modification or inspection of data and code. In some cases, detection does not help; for instance, detection of tampering for E-cash would not prevent the loss caused; prevention is fundamental.

To prevent attacks against mobile-agents by malicious servers, secure trusted hardware (secure co-processor) can be used. The main idea is to equip mobile-agent systems with additional hardware, which is not under control of the local system and which can host and execute mobile-agents, thus providing a secure execution environment for mobile-agents (Bennet, 1997). Using secure trusted hardware ensures protection against tampering and eavesdropping. But unfortunately, it is not practical and feasible for all servers to be equipped with trusted hardware.

[Figure 2 diagram labels: Internet, Home Agent Server, Agent Server, Agent]

A further step towards protecting a mobile-agent against malicious hosts is to make eavesdropping and tampering difficult or expensive. Code obfuscation, for example, tries to make the mobile-agent's program illegible and the data hidden, and thus difficult to understand and manipulate. (Hohl, 1998) proposes to generate an executable mobile-agent from a given agent specification such that the generated agent cannot be attacked by read or modify attacks, i.e. the mobile-agent is a blackbox built using code obfuscation techniques. However, code obfuscation only provides time limited protection because, given enough time, the code can be analysed. In (Sander, Tschudin, 1998) the use of mobile cryptography with encrypted programs (a mobile-agent program can be converted into a ciphered program such that it can execute on the untrusted host while remaining in the encrypted form) is proposed as the only way to give privacy and integrity to mobile code (and data). However, mobile cryptography is expensive as it is difficult to implement. The proposed scheme intends to complement the existing schemes for protecting agents by adding social control mechanisms as described next.

4. SOCIAL CONTROL MECHANISMS

Introduced in sociology as early as the end of the 19th century, the concept of social control originally denoted the capacity of a group or society to regulate itself and to secure coherency and unity in social life (Martingale, 1978). Social control in this sense relates to how social action is coordinated toward a chosen or an emergent social order. Modern theories of social control focus on the strategies and techniques that help regulate mobile-agent and agent server behaviour, and lead to conformity and compliance with the rules of society (at both the macro and micro levels).
The main elements used in the enforcement of social commitments are: (1) sanctions, which are considered in their general sense of incentives, and (2) philosophies of punishment, which result in punishment strategies determining the type of sanction (and its magnitude) to be applied, and explain how sanctions are assigned to social commitments (Pasquier et al, 2006). For our purpose, we believe that social sanctions are applied. Trust, credibility and reputation are social values that could be affected by social sanctions. As pointed out in (Posner, Rasmusen, 1999), social sanctions are usually the effects of some implicit informational disclosure where the violator's action conveys information about him that he would rather not have others know. For example, the fact that an agent server inspects the code of a mobile-agent to learn about its decision making strategy might be taken into account by other mobile-agents when evaluating his reputation and the trust they put in him.

Social control mechanisms to enforce social commitments are designed according to a philosophy of punishment. Unless there is an international infrastructure to legally deal with wrongdoers, deterrence is the only punishment policy that can be applied. Deterrence is a utilitarian principle stating that the aim of sanctions is to prevent future violation. Applied to the enforcement of social commitment in mobile-agent based e-commerce, it means that using severe sanctions with a high prohibitive effect tends to transform social commitments into strict obligations.

5. TRUST EVALUATION ARCHITECTURE

We propose the use of a trust evaluation architecture which: (1) uses honey-agents to evaluate the trustworthiness of agent servers; (2) provides information to mobile-agents about the trustworthiness of agent servers (social sanction); (3) prevents or mitigates subsequent damage caused by interacting with malicious servers; and (4) allows mobile-agent interaction not to be restricted to only a few trusted servers. The architecture is shown in Figure 3.
Figure 3. Trust Evaluation Architecture

Computers are organized in domains. In each domain, there is a trusted server, the evaluator, which evaluates the trustworthiness of agent servers in that domain by sending honey-agents to interact with the agent server. Based on the interaction of the honey-agent with the servers, the evaluator is able to provide information to all other mobile-agents operating in that domain about the trustworthiness of the server, thus implementing social sanction. It is expected that this sanction acts as a deterrent to malicious activity. When a mobile-agent needs to interact with a particular agent server in a domain, the mobile-agent may interact with the evaluator to find information about the agent server. For instance, if an agent server has previously been found to be malicious, the mobile-agent will be able to learn about the specifics of the attack made by the server. The mobile-agent will then have to determine whether it has inbuilt security features to resist such attacks before deciding to migrate to that server, or whether it still trusts the agent server enough to interact with it. It is assumed that the evaluator is a trusted entity and is implemented on a secure host such that it cannot be compromised. The information provided to mobile-agents can be communicated by using blackboard coordination, Linda-like coordination or a reactive tuple space (Cabri et al, 1998).

6. USING HONEY-AGENTS TO DETECT CODE INSPECTION

The honey-agents are derived from the same concept as Honeypots. "A Honeypot is nothing but a security resource whose value lies in being probed, attacked, or compromised (Spitzner, 2002)." It usually is a resource that has no production value and thus usually no legitimate user would interact with it. Thus, whenever any packet or any interaction is attempted with the honeypot, it's most likely a probe or an attack.
Similarly, a honey-agent is a closely monitored mobile-agent which travels on the network and performs certain transaction but it value lies in it being attacked or compromised. As discussed in section 2 a mobile-agent may face the following threats from the agent server: (1) disclosure of confidential data and/or code of the mobile-agent, and (2) tampering of code, data and/or state of the mobile-agent. To detect tampering, any of the existing schemes mentioned in section 3 can be implemented by the honey-agent. When tampering is detected, the evaluator will inform other mobile-agents about the attack of the involved agent server. Assuming, an associative blackboard mechanism is used for coordination of attack information, the detection of tampering would result in message being posted on the blackboard. All mobile-agents would be able to read the messages from the blackboard but only the evaluator is authorized to write on the blackboard. Thus honey-agents can be effectively deployed for detecting modification attacks on agent code, data, state and/or partial results. The use of the proposed mechanism is more interesting in the case of detecting code and/or data inspection because it is difficult, if not impossible, to detect inspection and often expensive to prevent code and/or data inspection. We assume that a honey-agent with the goal of detecting code inspection by the malicious agent server is deployed to perform product brokering only. Hence, the honey-agent would visit the targeted agent server to Agent Evaluator ISBN: 978-972-8924-60-7 © 2008 IADIS 16
  34. 34. find product details and price for a specific product with the aim of choosing the best option for its owner. It may further negotiate for a better price but is not allowed to purchase products. Once a product is chosen from the server, the mobile-agent informs its owner, such that the owner starts a dialogue with the server for purchase. We implement a simple decision-making strategy for the honey-agent, as shown in Figure 4. Our aim is to identify those agent servers which inspect the agent code to find the decision-making logic of the e-commerce agents on how acquisitions are made.
Figure 4. Decision making algorithm of honey-agent
To be able to successfully identify the malicious server, the honey-agent is programmed to be a single-hop mobile-agent, i.e. it moves from the evaluator to one agent server and back again. It does not hop from server to server, as then it may be difficult to determine the malicious server in the itinerary of the mobile-agent. However, it may be argued that such honey-agents can be easily detected by the malicious agent server, as they have been sent by the evaluator. However, this may not be the case, as mobile agents sent to do product brokering are often anonymous: users like to maintain their anonymity unless they effectively have to reveal it. Picturing a global electronic commerce framework, users prefer to make queries about prices and assets anonymously and only reveal their identities at the places where they actually make the acquisitions (Marques et al, 1999). An anonymous agent is simply one that has not authenticated with the platform, though it may authenticate the platform, as is the case with honey-agents. When an agent is unauthenticated, its functionality on the platform is restricted to reading certain designated data, writing to a blackboard, performing simple computations, or leaving. This is often enough for the agent to find information about required products.
Moreover, the receiving server would know that the last platform visited by the agent is the evaluator server, but this does not give the honey-agents away, as it is typical for a mobile-agent, in this scenario, to visit the evaluator to learn about the trustworthiness of the agent server before moving to a particular agent server. Similarly, it is plausible that the mobile-agent, after execution on an agent server, moves back to the evaluator before moving to its next agent server.
To detect code inspection and consequently cheating by the server, several such honey-agents can be sent to the targeted server but with different threshold prices for the same product. It would then be possible to observe some pattern in the price proposed by the server. For instance, we would be able to detect if the agent server, after inspection of the code, is proposing prices higher than its normal rate because it knows from inspection that the mobile-agent is highly likely to accept such a price. This shows the intent of the agent server to cheat on its offers by selling a cheaper product for a higher value. Figure 5 shows how the behaviour of a few agent servers varies. We assume that the servers do not implement the law of supply and demand, under which the more the demand, the higher the prices are, but rather use fixed selling prices. As can be seen from Figure 5, the server may not cheat every time. Thus, the evaluator may not always be able to determine trustworthiness effectively, and more honey-agent interactions may be required to determine trustworthiness. In case more complex e-commerce strategies are used, properly constructed games can be used to obtain important insights to evaluate trustworthiness.
7. CONCLUSION
We have seen that the proposed mechanism uses the same concepts as honeypots in the context of e-commerce for detecting attacks on mobile-agents by malicious agent servers.
Once an attack is detected, the social sanction is that the information pertaining to the attack is published such that other mobile-agents are able to evaluate the trustworthiness of the agent servers. This also acts as a deterrent to other servers. However, the proposed scheme has two primary disadvantages. The first is that the trust of an agent server is only evaluated during its interaction with the honey-agent. Assuming that a malicious server is always malicious, the interaction with the honey-agent would be a good indication of the trustworthiness of the agent server.
Decision-making algorithm of the honey-agent (Figure 4):
if proposedprice <= thresholdprice
    select server for purchase
else
    reject server
end if
  35. 35. However, if the agent server behaves differently with different mobile-agents, then we may not be able to evaluate the trustworthiness of the agent server clearly. Moreover, just as in the case of honeypots, where the honeypot should be camouflaged as a productive system, it is important in the proposed system for the honey-agent to appear to be a genuine mobile-agent with a goal to achieve; otherwise the agent servers would change their behaviour when interacting with a known honey-agent and the honey-agents would not serve their purpose.
[Figure 5. Experimental Results for case where fixed product price is $20. Plot "Experimental Response": proposed price ($) against threshold price ($). Series: Malicious Server, Proposed price = 75% of Threshold price; Malicious Server, Proposed price = Threshold Price; Non-Malicious Server; Randomly-Malicious Server, Proposed price = 75% of Threshold price.]
Furthermore, the proposed system is centralized (in terms of data), since the information gathered by the honey-agents has to be stored on the trusted platform, which is the evaluator. As such, the evaluator, which implements the sanctions by publishing the wrongdoings of the malicious servers, is the weak point in the system, as it may be attacked, e.g. by denial of service such that mobile-agents no longer have information about malicious servers, or some malicious entity may intrude into the evaluator with the aim of tampering with the information published. Consequently, the evaluator should be implemented on a hardened server and be well protected against security breaches. Implementing replication of data on a backup evaluator server may also be helpful. Finally, in spite of the presence of the proposed architecture, it is still recommended for mobile-agents to use existing security technologies for protection, for defence in depth, in case the honey-agents have been detected.
The honey-agents themselves do not prevent attacks from occurring; they just help to reduce the probability of attacks happening, due to the social control mechanisms of sanctions and punishment. Thus, the proposed mechanism complements and adds value to current architectures. Future work being considered consists of using honey-agents for detecting other attacks on mobile agents, such as data inspection, obfuscated code analysis and replay attacks.
ACKNOWLEDGEMENT
The authors wish to thank the anonymous referees for their valuable comments.
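The price-pattern check described in section 6, as an added example that is not code from the paper: an evaluator-side analysis of the quotes brought back by single-hop honey-agents that carried different threshold prices for the same product. The class and function names, the baseline rule, the concordance test and its cut-off values are assumptions of this example, and the probe sets are constructed to mirror the Figure 5 setting (fixed product price of $20).

```python
from collections import Counter
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Probe:
    """One single-hop honey-agent visit (hypothetical record kept by the evaluator)."""
    threshold: float  # threshold price embedded in the agent's decision logic
    proposed: float   # price the agent server proposed to that agent


@dataclass(frozen=True)
class Verdict:
    label: str          # consistent | tracks-threshold | erratic | needs-more-probes
    baseline: float     # quote taken as the server's normal price
    deviating: int      # probes that were quoted something else
    would_accept: int   # deviating quotes the Figure 4 rule would still select
    concordance: float  # share of deviating pairs ordered like their thresholds


def decide(proposed, threshold):
    """Decision rule of Figure 4, carried by every honey-agent."""
    return "select" if proposed <= threshold else "reject"


def baseline_quote(probes):
    """Most frequent quote; if no quote repeats, the lowest one (assumption)."""
    quotes = [round(p.proposed, 2) for p in probes]
    price, count = Counter(quotes).most_common(1)[0]
    return price if count > 1 else min(quotes)


def evaluate(probes, tolerance=0.01, min_deviating=3, min_concordance=0.9):
    """Classify a server from honey-agent probes sent for the same product."""
    if not probes:
        raise ValueError("at least one probe is required")
    base = baseline_quote(probes)
    dev = [p for p in probes if abs(p.proposed - base) > tolerance]
    accepted = sum(decide(p.proposed, p.threshold) == "select" for p in dev)
    if not dev:
        # A fixed-price server quotes the same price whatever the threshold.
        return Verdict("consistent", base, 0, 0, 0.0)
    # Only pairs with different thresholds say anything about tracking.
    pairs = [(a, b) for a, b in combinations(dev, 2) if a.threshold != b.threshold]
    if len(dev) < min_deviating or not pairs:
        # The server may not cheat every time: send more honey-agents.
        return Verdict("needs-more-probes", base, len(dev), accepted, 0.0)
    agree = sum((a.threshold - b.threshold) * (a.proposed - b.proposed) > 0
                for a, b in pairs)
    concordance = agree / len(pairs)
    label = "tracks-threshold" if concordance >= min_concordance else "erratic"
    return Verdict(label, base, len(dev), accepted, concordance)


# Constructed probe sets mirroring the Figure 5 setting.
FIXED_PRICE = 20.0
THRESHOLDS = range(10, 101, 10)
SAMPLES = {
    "non-malicious": [Probe(t, FIXED_PRICE) for t in THRESHOLDS],
    "malicious-75%": [Probe(t, 0.75 * t) for t in THRESHOLDS],
    "malicious-100%": [Probe(t, float(t)) for t in THRESHOLDS],
    "randomly-malicious": [Probe(t, 0.75 * t if t in (40, 70, 90) else FIXED_PRICE)
                           for t in THRESHOLDS],
    "cheated-once": [Probe(t, 0.75 * t if t == 70 else FIXED_PRICE)
                     for t in THRESHOLDS],
    "unrelated-pricing": [Probe(10, 25.0), Probe(20, 20.0), Probe(30, 20.0),
                          Probe(40, 18.0), Probe(50, 20.0), Probe(60, 31.0),
                          Probe(70, 19.0)],
}

if __name__ == "__main__":
    for name, probes in SAMPLES.items():
        print(f"{name:20s} {evaluate(probes)}")
```

A quote that rises with the threshold is evidence that the server has read the agent's decision logic, whereas prices that vary without following the threshold are reported separately and not attributed to inspection.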
  36. 36. REFERENCES
Bennet S. Yee, 1997. A Sanctuary for Mobile Agents. Technical Report CS97-537, University of California in San Diego, April 28, 1997.
Giacomo Cabri, Letizia Leonardi, Franco Zambonelli, 1998. How to Coordinate Internet Applications based on Mobile Agents. Proceedings of the 7th Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, pp. 104-109.
O. Esparza, Miguel Soriano, Jose L. Muñoz, Jordi Forné, 2003. A protocol for detecting malicious hosts based on limiting the execution time of mobile agents. Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCC’03), pp. 251.
W. Farmer, J. Guttman, and V. Swarup, 1996. Security for Mobile Agents: Authentication and State Appraisal. Proceedings of the Fourth European Symposium on Research in Computer Security, pp. 118-130.
FIPA Specification, part 1, version 2.0, Agent Management. Foundation for Intelligent Physical Agents, October 1998.
Fuggetta A., G.P. Picco, and G. Vigna, 1998. Understanding Code Mobility. IEEE Transactions on Software Engineering, 24(5).
Xudong Guan, Yiling Yang, Jinyuan You, 2000. POM – A mobile agent security model against malicious hosts. Proceedings of the Fourth International Conference on High Performance Computing in Asia-Pacific Region, pp. 1165-1166, vol. 2.
Fritz Hohl, 2000. A Framework to Protect Mobile Agents by Using Reference States. Proceedings of the 20th International Conference on Distributed Computing Systems (ICDCS 2000), p. 410.
Fritz Hohl, 1999. A Protocol to Detect Malicious Hosts Attacks by Using Reference States. Technical Report Nr. 09/99. Faculty of Informatics, University of Stuttgart, Germany. http://www.informatik.uni-stuttgart.de/cgi-bin/
Wayne Jansen, Tom Karygiannis, 2000. NIST Special Publication 800-19 Mobile Agent Security (2000), pp. 2-8.
Hohl Fritz, 1998. Time Limited Blackbox Security: Protecting Mobile Agents From Malicious Hosts. Giovanni Vigna (Ed.): Mobile Agents and Security, pp. 92-113. Springer-Verlag.
G. Karjoth, N. Asokan, and C. Gülcü, 1998. Protecting the Computation Results of Free-roaming Agents. Proceedings of Second International Workshop on Mobile Agents (MA'98), Stuttgart, Germany. Lecture Notes in Computer Science, Vol. 1477, pp. 195-207.
Maes P., R. Guttman, and A. Moukas, 1999. Agents that Buy and Sell. Communications of the ACM, vol. 42, pp. 81-91.
P. Pasquier, R. Flores, B. Chaib-draa, 2006. An ontology of Social Control Tools. Proceedings of AAMAS06, Japan.
R.A. Posner and E.B. Rasmusen, 1999. Creating and Enforcing norms, with special reference to sanctions. International Review of Law and Economics, 19(3), 369-382.
Paulo Jorge Marques, Luis Moura Silva, Joao Gabriel Silva, 1999. Security mechanism for using mobile agents in electronic commerce. Proceedings of the 18th IEEE Symposium on Reliable Distributed Systems, pp. 378.
D. Martingale, 1978. Social Control for the 1980s: A Handbook for Order in a Democratic Society. Chapter: The Theory of Social Control, pages 46-58. Westport, CT: Greenwood Press.
Minsky, Y.; van Renesse, R.; Schneider, F.; Stoller, S., 1996. Cryptographic support for fault-tolerant distributed computing. Proceedings of the Seventh ACM SIGOPS European Workshop, pp. 109-114.
Object Management Group (OMG) Technical Committee (TC), 1997. Mobile Agent System Interoperability Facilities Specification. Document orbos/97-10-05.
Jong-Youl Park, Dong-Ik Lee and Hyung-Hyo Lee, 2001. Data Protection in Mobile Agents; one-time key based approach. Proceedings of the Fifth International Symposium on Autonomous Decentralized Systems (ISADS01), pp. 411-418.
Tomas Sander, Christian F. Tschudin, 1998. Protecting Mobile Agents Against Malicious Hosts. In G. Vigna (ed.), Mobile Agent Security, Springer-Verlag. Lecture Notes in Computer Science, No. 1419.
L. Spitzner, 2002. Honeypots: Tracking Hackers, Addison-Wesley.
Giovanni Vigna, 1997. Protecting mobile agents through tracing. Proceedings of the Third ECOOP Workshop on Mobile Object Systems, Jyväskylä, Finland.
Giovanni Vigna, 1998. Cryptographic traces for mobile agents. In: G. Vigna (Ed): Mobile Agents and Security, volume 1419 of LNCS. Springer-Verlag, pp. 137-153.
  37. 37. FRAMEWORK FOR DEFINING AND RUNNING INTEGRATION TESTS OF MULTI AGENT SYSTEMS
Khaled Nagi
Dept. of Computer and Systems Engineering, Faculty of Engineering, Alexandria University, Egypt. Elshatby, Alexandria, Egypt.
ABSTRACT
The testing of Multi Agent Systems (MAS) has not been subject to extensive research yet. We build a framework for defining and performing integration tests on a multi agent platform. The framework controls the vital functions of the MAS platform and stimulates actions according to the different use cases under test. It provides a mechanism for validation and has a success / failure reporting tool. The test scenario is defined in a declarative manner while the execution can be unattended allowing its integration in common regression test environments. In this paper, we describe the framework and use three examples to illustrate how to design and define integration tests. The scenarios show the testing of the macro behavior of a multi agent system consisting of hundreds of agents, the micro behavior of individual agents after a long set of interactions and finally the state of the platform after a long sequence of interactions.
KEYWORDS
Multi Agent Systems, Software Engineering, Integration Tests, Testing frameworks.
1. INTRODUCTION
The traditional approaches to software engineering, e.g., the waterfall model, consider testing after implementation (Royce 1970). However, the view of testing has evolved over the last years and testing is no longer seen as an activity which starts only after the coding phase is completed. Software testing is now seen as a whole process that permeates the development and maintenance activities. Agile software engineering approaches, e.g., extreme programming, address testing continuously within the implementation process (Beck & Andres 2004). Furthermore, developers formulate test cases before or during implementation, which may be executed automatically on demand.
This procedure is also known as Test Driven Development (Beck 2002). In Multi Agent Systems, the non-deterministic nature of the problem increases the complexity of testing, so that developers tend to test the behavior of each agent individually and jump to run-time monitoring of the system that is necessary for acceptance tests. This way, integration tests are implicitly performed at a greater cost during the performance tuning phase of the system development life cycle.
The current work presents a framework for defining and executing integration tests for multi agent systems. The test scenario is described in a declarative way using a test script in XML, which describes the events that, when the given conditions are satisfied, launch the desired actions. The actions can be changes in the world model, the creation and deletion of agents, or assertions on the world model, the state of the agents, or the hosting platform. As a case study, we base our framework on JADE (Bellifemine, et al. 1999), which is widely used in both research and industry. Moreover, it is compliant with FIPA (FIPA), which is the well-established standard for interoperable MAS. To validate our framework, we use three simple multi agent application scenarios. The scenarios aim at performing integration tests on the macro level of a multi agent system, the micro level of agents after a long set of interactions and the state of the platform as well.
The rest of the paper is organized as follows. Section 2 presents a background on testing of MAS. In Section 3, we describe the framework. In Section 4, we validate our framework by presenting three examples of Multi Agent Systems and show that there is no extra effort in writing unnecessary code either to interact with the platform or to implement details of the test scenario. Section 5 concludes the paper.
  38. 38. 2. BACKGROUND
2.1 Overview of Testing
During the software life cycle of monolithic systems, usually three main models are generated: requirements model, design model, and implementation model. These models have to be validated in order to ensure high quality software. In Figure 1, the process of the minimal validation within software engineering is illustrated (Thaller 2002). The testing of the models is performed in the opposite direction of their building. In the first step, the implementation is tested by unit tests during the coding. The purpose of unit testing is to identify errors within the algorithms on the level of individual classes. Tests are case-based, i.e., the test program creates defined sequences of input patterns and evaluates whether the output meets the pre-defined requirements. With a proper architectural framework, e.g., the Spring framework in Java (Walls & Breidenbach, 2007), it is possible to isolate each class and test it outside the application container. If the implementation model appears to be correct, modules are integrated and their composite behavior is tested. Integration tests are scenario-based, i.e., the test program implements a complete sequence of events and simulates user interactions, and the outputs and the internal states of the system are evaluated along the execution of the scenario. Usually, a test outside the container is not possible here. After completion of these tests the software is supposed to satisfy the specification of the design model. However, there may be inconsistencies between the design model and the requirements model. These are identified in the acceptance tests, which are the final stage of testing (Thaller 2002). They are sometimes also called run-time monitoring. Run-time monitoring is a procedure to analyze the behavior of a system at run time. It often serves in performance tuning and in acceptance tests concerning the key performance indices.
Figure 1.
Minimal validation in software engineering
Other formal methods of testing knowledge engineering and mission critical subsystems include static analysis, model checking, and theorem proving (Menzies & Pecheur 2004). Static analysis concentrates on the structures within the source code without execution of the system. Model checking verifies a property of a system by exploring all of the system's reachable states. Theorem proving is used for formal verification of software systems. Here, a mathematical model of a computer program is generated to determine whether it satisfies desired properties.
2.2 Overview of MAS Testing Frameworks
Since March 2004, JADE comes with its own test suite (Cortese, et al. 2005). The JADE test suite makes it possible to create tests that can be executed in a uniform and automatic way. It is mainly used by the JADE team to test JADE itself. Users are encouraged to use the suite to test JADE-based agent systems. However, it seems that the tool is best suited for testing the system infrastructure and related services rather than the logic of the agents themselves.
Passi (Care, et al. 2004) provides a simple testing framework which lets developers build a test suite. It is built on top of JADE and is based on a two-level model. At the first level, the agent is treated as an atomic entity. The second level is the specific agent tasks. However, Passi does not support testing at the agent society level.
In (Rouff 2002), a test agent is introduced which is inserted into a community of agents to examine each of the agents as well as the community as a whole. The test agent can send or receive specific messages, handle
  39. 39. invalid ones, and monitor scalability issues. The focus is clearly set on the interaction protocols. The drawback of this approach is that the introduction of the test agent often requires changing the interaction protocols, and it is difficult to test the agent's internal state or the state of the world model.
Madkit (Huget & Demazeau 2004) provides a testing platform that is based on record & replay. The group message tracer agent, the organization tracer agent and the environment tracer agent are responsible for the record phase. The replay phase is coupled to clever post-mortem analysis. The platform is easy to use. However, it is difficult to filter out the non-deterministic and non-relevant events from the record phase. The post-mortem analysis also lacks a visualization tool.
XMLaw (Rodrigues et al. 2005) is designed for integration tests in open MAS. In open MAS, agents must obey social conventions in order to maintain predictable integration across heterogeneous MAS systems. XMLaw is a law enforcement language and environment that allows designers to specify the interaction between agents and the enforcement of the rules through a mediator agent, which verifies the interaction protocols and blocks the non-compliant agents. This approach seems to be very useful only in open MAS.
3. THE PROPOSED FRAMEWORK
The components of the proposed integration test framework are illustrated in Figure 2. The test script describing the test scenario is defined in XML format. It is the input to the test execution engine. Since integration tests can seldom run outside the hosting container, the test execution engine controls the MAS container; in our case the JADE deployment platform. It submits commands to the AMS and the DF, and can start primary and secondary containers in several Java virtual machines. At the end of the test execution, it performs a normal shutdown of the JADE platform.
According to the test script, the engine can create agents, suspend their activities and destroy them. The engine stimulates changes in the world model as declared in the test script in order to initiate a sequence of actions at the agent level. At any time during the execution of the test run, assertions on the state of the platform, the agents or the world model can be made. The results of these assertions are recorded in the test result report, which is also stored in XML format.
Figure 2. Components of the proposed framework
3.1 Structure of the Test Script
The test script defines a sequence of events which take place if a set of conditions is met. The events lead to the triggering of actions. Figure 3 illustrates a sample test script. Each test script has a mandatory id and an optional name. The same applies to the event. The tag <Event> is repeated as many times as events are required. An event is triggered if the set of conditions is met. Conditions can be combined by recursively repeating the <conditions> tag into a complex condition term bound with the logicalOperator parameter AND | OR. Each atomic condition, marked by the tag <condition>, is based on the state of an event (start | end) and its outcome (success | fail | error). We intentionally use the same outcomes as unit tests for the sake of unification. Additionally, the atomic condition can be temporal; i.e., x milliseconds from starting the
  40. 40. run. In Figure 3, the event is triggered if event1 ends successfully and event2 ends with a failure or after 120 seconds from starting the test.
Figure 3. A sample test script in XML format
With each event, there can be one or more actions, marked by the tags <action>, that are carried out when the event is triggered. An action can be carried out once or more. This is determined by the tag <Frequency>, which determines the number of runs and the time interval between them. There are four types of actions: platform actions, agent actions, world model actions and assertions.
Platform actions, such as CreatePlatform and CreateAgentContainer, are JADE specific operations. Currently, we support most of the operations mentioned in the JADE administrator guide (Bellifemine, et al. 2007). The necessary parameters are passed over to these actions using the optional <Parameters> tag.
Agent actions, such as CreateAgent and CreateAgentGroup, are responsible for creating, suspending or destroying agents in the JADE platform. Almost all actions have their *Group counterpart that allows the same action on a set of agents. The range of their agent identifiers is declared in the <Parameters> tag.
World model actions manipulate non-agent objects in the system. This way, the test script is capable of indirectly stimulating the agents to engage in the desired interaction. The action declares a Java class, a method to invoke and a set of parameters to pass in the <ActionDescription> tag.
The assertions are encapsulated in a method of a Java class, which is also described in the <ActionDescription> tag. As shorthand, some of the standard state queries in JADE are encoded in special action types, such as AMSQuery, which invokes a standard AMS state query to the hosting platform. The parameters needed for such queries are declared in the optional <Parameters> tag. The results of these queries are also passed to the Java class declared in the <ActionDescription> tag.
3.2 The Test Execution Engine
The test execution engine consists of an event, condition, action (ECA) processing engine. A simple dispatcher implements a partial order serialized invocation of actions. The standard topological sort algorithm is slightly modified in order to incorporate temporal conditions (such as start after 100 ms). Time is simply
  41. 41. mapped into a sequence of discrete events taking place every x milliseconds. The time interval is defined by each test script individually based on the time resolution of the test scenario. The typical time interval varies between 100 milliseconds and 60 seconds. The engine can run in a test blocking or unblocking mode. Blocking means that the test is aborted and the normal shutdown sequence of the multi agent container is started as soon as one test fails. The default behavior is the unblocking mode, which terminates the tests only at the end of the execution of the test script.
Since the test script defines the Java classes to be used in a declarative manner, the test execution agent depends on Java reflection to invoke the right class. The class loader of the engine keeps all instantiated classes alive during the whole run. In case of multiple invocations of actions, the action class must contain a static part that holds the information across the multiple invocations. Typically, such actions follow the singleton design pattern.
3.3 Structure of the Test Result Report
We choose to generate a detailed test result report that has a verbose log character. We use the XML format to be layout neutral, which enables easy integration in commercial or open source regression testing environments such as Anthill, Bamboo, etc. Using a simple XSLT transformation, the desired HTML view is generated. A basic extract of a typical test result report is illustrated in Figure 4. Each log entry corresponds to one execution of the method of the class defined in the <ActionDescription> tag. The time is recorded in the <At> tag, the outcome of the assertion is stated in the <Outcome> tag, and the possible assertion text or exception is dumped in the <OutcomeDescription> tag.
Figure 4. One entry in the test result XML file
Using a simple XSLT, the above mentioned verbose format is transformed to the summarized HTML view, illustrated in Figure 5a.
By clicking one of the actions, a detailed HTML view is opened as illustrated in Figure 5b. The table contains the same information as the verbose XML format <LogEntry> of the XML test report. It is only filtered on the desired action.
Figure 5. (a) Summarized HTML view (b) Detailed HTML view
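The condition model of section 3.1 and the tick-based dispatch of section 3.2, as an added example that is not the framework's own code: a small event-condition-action loop run on the Figure 3 trigger (event1 ends successfully and event2 ends with a failure, or 120 seconds have passed since the start). The class names, the event name event3, the grouping of that trigger as (A AND B) OR time, and the repeat-until-stable loop used here in place of the paper's modified topological sort are assumptions; JADE, the XML script and <Frequency> repetition are not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class EventCond:
    """Atomic condition on another event's state and outcome."""
    event_id: str
    state: str                      # "start" | "end"
    outcome: Optional[str] = None   # "success" | "fail" | "error" (for "end")


@dataclass(frozen=True)
class TimeCond:
    """Atomic temporal condition: x milliseconds from starting the run."""
    after_ms: int


@dataclass(frozen=True)
class Conditions:
    """Nested condition term bound with a logical operator."""
    operator: str   # "AND" | "OR"
    terms: tuple


@dataclass(frozen=True)
class Event:
    id: str
    condition: object               # None: eligible as soon as the run starts
    action: Callable[[], str]       # returns "success" or "fail"


def holds(cond, now_ms, started, ended):
    """Evaluate a (possibly nested) condition against the run history."""
    if cond is None:
        return True
    if isinstance(cond, TimeCond):
        return now_ms >= cond.after_ms
    if isinstance(cond, EventCond):
        if cond.state == "start":
            return cond.event_id in started
        if cond.outcome is None:
            return cond.event_id in ended
        return ended.get(cond.event_id) == cond.outcome
    results = [holds(t, now_ms, started, ended) for t in cond.terms]
    return all(results) if cond.operator == "AND" else any(results)


def run(events, tick_ms, max_ms, blocking=False):
    """Fire each event once, at the first discrete tick where its condition holds."""
    started, ended, log = set(), {}, []
    pending = list(events)
    for now in range(0, max_ms + 1, tick_ms):
        progressed = True
        while progressed:   # repeat so dependency chains resolve within a tick
            progressed = False
            for ev in list(pending):
                if not holds(ev.condition, now, started, ended):
                    continue
                pending.remove(ev)
                started.add(ev.id)
                try:
                    outcome = ev.action()
                except Exception:
                    outcome = "error"   # an exception in the action is an error
                ended[ev.id] = outcome
                log.append((now, ev.id, outcome))
                progressed = True
                if blocking and outcome != "success":
                    return log          # blocking mode: abort on first failure
    return log


def figure3_scenario(event2_outcome, blocking=False):
    """Constructed scenario built around the trigger described for Figure 3."""
    trigger = Conditions("OR", (
        Conditions("AND", (EventCond("event1", "end", "success"),
                           EventCond("event2", "end", "fail"))),
        TimeCond(120_000),
    ))
    events = [
        Event("event1", None, lambda: "success"),
        Event("event2", EventCond("event1", "start"), lambda: event2_outcome),
        Event("event3", trigger, lambda: "success"),
    ]
    return run(events, tick_ms=10_000, max_ms=180_000, blocking=blocking)
```

When event2 fails, event3 fires in the same tick through the AND branch; when event2 succeeds, event3 waits for the temporal branch at 120 000 ms.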
  42. 42. 4. VALIDATION
In order to validate our proposed framework, we implement three simple multi agent applications and use the framework to define and perform integration tests. In the first scenario, we test the macro behavior of a large group of agents. We make assertions on both the world model and the internal states of the agents. The second scenario consists of only two agents. Its purpose is to assert on their internal state after a longer set of interactions, which implies testing the micro behavior of the system. In the third scenario, we assert on the state of the MAS platform.
4.1 Testing the Macro Behavior: The Ant Colony
In this multi agent application scenario, the standard ant colony is implemented. Each ant is an agent. Agents have a home zone and they search for food to bring it back home, as illustrated in Figure 6a. If an agent has no clue where to find food, it just performs a random walk with equal probability of moving to the front (Pf), to the right (Pr), to the back (Pb), or to the left (Pl), as illustrated in Figure 6b. However, if it finds food, it deploys a pheromone, which is a hormone that can be smelled by other ants. The strength of the pheromone decreases with time till it vanishes. If there are pheromones in the neighborhood of an agent, its probability to move (Pf, Pr, Pb, Pl) is changed to be proportional to the density of the pheromone in the corresponding direction. To find the way back home, the ants produce another type of pheromone whose strength is inversely proportional to the distance they walk away from home. Again, the strength of this pheromone decreases with time until it vanishes. The ants should be able to transport food back home even if an obstacle is placed between them, as illustrated in Figure 6c.
Figure 6. (a) Ant colony looking for food.
(b) Probabilistic model for ant movement (c) Placing an obstacle between home and food
A typical agent unit test would be to take one ant, distribute pheromones around it and assert that, on average, the ant moves in the right direction. If the pheromone is implemented as an agent too, a valid test for this agent would be to assert that the strength of the pheromone decreases with time. Having done these tests, however, does not assert that the ants will find food and bring it home. An integration test is needed. We use our framework to create the MAS platform, deploy 100 ants, and assert that after a certain setup time, the quantity of the food is decreasing, which requires an assertion on the world model. Another valid assertion on the state of the agents is to assert that the majority of the agents are around the imaginary line connecting home with food. Then, the scenario introduces an obstacle between home and food, and then asserts that food is still decreasing after waiting for a certain time needed by the agents to readapt. In a later phase, the run-time monitoring tests aim at fine tuning the probabilities Pf, Pr, Pb, Pl and the rate of decay of the pheromone to get the food transported home as fast and efficiently as possible.
Figure 7 illustrates the test script file used in our validation case. Lines 2-10 start the JADE platform. The optional parameters cover all startup parameters of JADE, and lines 11-14 start one agent container. The event Start Agent Group (lines 15-20) creates 100 agents, all from the same base class AntAgent. They all have the same prefix ant_ and they are numbered from 0 to 99. The class getAgentLocation (lines 21-34) asserts that the majority of the ants are on the right track. The measurement is repeated 10 times with 10 seconds between each measurement, while the class getFoodLevel (lines 35-46) checks that the
  43. 43. level of food is continuously decreasing. The obstacle is introduced through a change in the world model (lines 47-55) and the check for the decreasing food level is repeated.
Figure 7. The test script for the ant colony scenario.
4.2 Testing the Micro Behavior: The Betting Agents
In this scenario, we have two agents betting on the results of flipping a coin. Each time, a coin is flipped and both agents place their bets. If one fails to bet or both agents bet on the same result, the round is cancelled. Both begin with the same amount of money. Agent1 implements a simple betting strategy. It simply bets according to the result of the last coin flip. Agent2 keeps a history of the last x bets and tries to find a way to anticipate the next result according to some heuristics. The goal of this game is to win the money of the other agent. Certainly, we know that both strategies have the same result if we believe in the randomness of flipping a coin. Independent of the strategy, both agents implement a random walk on their money amount. The chance of winning each other’s money is that of reaching the terminal state of having twice the original amount of money.
A unit test of Agent1 is simply to assert that the next bet is the same as the outcome of the previous run. The unit test of Agent2 is more complicated and depends on the algorithm it implements. The integration test is simple. We use our framework to create the MAS platform, deploy the two agents and stimulate lots of coin flips (changes in the world model). The assertion is that the difference between the amounts of money of both agents remains within a reasonable range. Here, the assertion is placed on the internal state of the agents and we are not interested in their internal algorithms used for betting. Run-time monitoring is to determine the initial amount of money that statistically guarantees that the game would last more than x runs.
Figure 8 illustrates the test script file used.
The platform, the container and both agents are started by lines 2-27. Lines 28-40 inject 100 rounds of coin flipping. Simultaneously, lines 41-54 check that the difference between both money levels remains within 80% of the starting value. The test inspects the internal state of both agents by reading their amount of money, and the test is also repeated 100 times.
  44. 44. Figure 8. The test script for the betting agents’ scenario.
4.3 Testing the State of the Platform: The Mobile Agent
In this scenario, there is only one mobile agent that hops between four agent containers according to a transition probability matrix. The steady state distribution of the presence of the agent on each of the containers can be mathematically calculated easily. The unit test is to test a single agent transition from one container to the other. The assertion is done by querying the AMS on the location of the agent before and after the transition. An integration test as defined and executed using our framework is to test that the average stay of the agent in one container is almost equal to the corresponding mathematical value. The run-time monitoring is interested in measuring the number of bytes that are sent through the transportation layer, the latency during the migration, etc.
Figure 9 illustrates the test script file used in our validation case. Lines 2-32 create the platform, the four containers and the hopping agent. Lines 33-45 periodically query the AMS to find out the location of the agent and ensure that the average stay in each location is almost the same as the mathematical steady state value.
Figure 9. The test script for the mobile agent’s scenario
