Agent Based System for Network Availability and Vulnerability Monitoring

G. Sladić*, M. Vidaković* and Z. Konjović*

* Faculty of Technical Sciences/University of Novi Sad, Novi Sad, Serbia

Abstract— Monitoring of distributed systems for management purposes is a complex task aggravated by heterogeneity and distribution of resources and tools. This paper describes the implementation of an agent-based system for network (Internet) services monitoring. The system is designed in a modular fashion to provide easy and efficient inclusion of diverse network services’ monitoring components. Software agents are implemented to verify the accessibility of network services, as well as their potential vulnerability. Specialized services and verifiers for the web and e-mail services are also implemented. The system implementation is based on the XJAF agent framework and the Java EE technology.

I. INTRODUCTION

A computer network is a complex system which commonly consists of the following elements:
• workstations,
• servers,
• passive communication equipment (communication channels), and
• active communication devices (routers, switches, etc.).

Its functionality can be described by the availability of the services for end users. It can be threatened if there are problems regarding the functionality of network elements. These problems involve failure and malfunctioning of network elements. Network management is a comprehensive activity whose goal is to minimize network failure and malfunctioning. It implies enforcement of the following processes:
• monitoring,
• identification,
• notification, and
• problem solving.

Monitoring is the process of data acquisition regarding the functionality of network elements. Identification is the process of failure and malfunction detection, based on data gathered during network monitoring. Notification informs the system environment about changes in network functioning. Problem solving involves the actions required to fix malfunctioning or broken devices.

Due to a lack of support for standardized monitoring and management protocols, heterogeneity of network components, ever-increasing network deployment, and rapid development of new network technologies, flexible mechanisms for monitoring the network are highly required. Instead of using one centralized application, which is usually complex, a group of simple collaborating software systems can solve the same problem more efficiently. These facts point to the agent paradigm (agent technology) as a suitable candidate solution for the development of network management systems [1, 2], because agents lend themselves to implementing small software components which achieve a common goal in collaboration. They decentralize processing and control and, consequently, reduce the traffic around the management station and distribute the processing load.

II. RELATED WORK

The solution proposed in [1] uses mobile agents to measure network monitoring performance. Mobile agents move across the network and gather responses to SNMP queries. Aglets Software Developer Kit was used as the agent development environment. Initial results indicate that the mobile agent approach performs better in network monitoring when the number of network nodes increases significantly.

The system presented in [2] consists of two modules. One provides the agent construction toolkit (the AgentBean Development Kit, ADK) and the other is a plug-in abstraction layer for existing mobile agent platforms, enabling execution of mobile agents created with ADK. As a case study for this system, an example of determining network topology is presented. Agents are used for determining the topology of the given network. Whenever an agent moves to a new place, it queries the local host routing table using the preconfigured SNMP query. The agent stores the routing table retrieved from the local host. Then, it checks which hosts from the routing table are running one of the supported agent platforms. These hosts are stored in the list of hosts to be visited, provided they have not already been visited.

A distributed intrusion detection system for ad hoc wireless networks based on mobile agent technology is proposed in [3]. By efficiently merging audit data from multiple network sensors, the authors analyze the entire ad hoc wireless network for intrusions and try to inhibit intrusion attempts.
The presented approach restricts computation-intensive analysis of the overall network security state to a few key nodes. These nodes are dynamically elected, and overall network security is not entirely dependent on any particular node.

The authors in [4] describe the use of a multilevel distributed agent-based architecture for network monitoring purposes, thus making it possible to efficiently gather data which may be useful for building a comprehensive view of the whole network in an automated way. A network model created by the proposed approach may find applications in further stages of the management process, which tends to increase system dependability, e.g. using it as one of the inputs of a computer network simulator.

Network performance monitoring using mobile agents is presented in [5]. The proposed solution is used for monitoring the following parameters: source address, destination address, number of packets, startup time, down time and bandwidth utilization of the network component.

A distributed model for delivery of services which exploit a pervasive extension composed of different kinds of sensors and actuators is proposed in [6]. The presented solution uses autonomous agents which execute on embedded devices. They can be configured to collect information from nearby sensors and to check the compliance of user activities with a set of rules.

The paper [7] presents a scalable framework for wireless network monitoring. The proposed framework relies on a distributed set of agents within the network to monitor network devices and store the collected information at data repositories. Its key features are its extensibility for new functionality and seamless support for new devices and agents in the monitoring framework.

The research in [8] discusses different attacks in wireless sensor networks and how these attacks were efficiently detected by using the proposed agent-based model. The given model identifies abnormal events in a largely deployed distributed sensor network.

III. EXTENSIBLE JAVA-BASED AGENT FRAMEWORK

The main goal of this research was to develop agent-related technologies in the field of network monitoring. Since our previous research [9, 10, 11, 12] has produced the fully operational Java-based agent framework, the decision was made to use the Extensible Java-based Agent Framework (XJAF) as the basis of this project. The framework is based on the Java EE technology. It uses the plug-in technology which provides additional flexibility, since it allows components to be substituted by others without rebuilding the whole framework.
XJAF is a FIPA [13] compliant agent framework based on the Java technology and introduces the following concepts:
• message exchange,
• agent mobility,
• security, and
• agent and service directories.

Also, this framework proposes an additional component of the agent framework: the inter-facilitator connectivity component, which defines how separate facilitators form a network.

The XJAF system consists of clients and facilitators. The clients refer to the facilitators for task execution. The task is executed by the agents recruited by the facilitator. FacilitatorProxy ensures that the client application can access the facilitator. It also hides all techniques necessary for work with agents from the client. The client only needs to connect to FacilitatorProxy and pass it the task or the KQML message. It also passes the corresponding listener, which notifies it of the execution result. All other details are managed by FacilitatorProxy. Fig. 1 shows the link between a client and the facilitator.

Figure 1. Client and Agent link

The facilitator forwards parts of its job to the corresponding managers. The managers are instances of classes implementing the corresponding managerial interfaces. The AgentManager interface is responsible for allocating and releasing agents. The TaskManager interface manages the tasks. The MessageManager interface is responsible for inter-agent communication. The ConnectionManager interface manages the facilitator connection and relations between facilitators. SecurityManager handles security of inter-agent communication. ServiceManager handles the service directory. The classes which implement the mentioned interfaces respect the corresponding algorithms for individual functions. The system is designed so that it is possible to choose an arbitrary manager at configuration time, provided that it implements the given interface. This enables the use of arbitrary managers whose existence is not necessary at compile time, but is necessary at the time of initialization (plug-in concept). Fig. 2 lists all the managers in the framework.

Figure 2. Functionality of individual parts is assigned to managers

The facilitators are connected into the hierarchically organized agent network (as shown in Fig. 3). This network generally has one root node and a number of descendant nodes. Each facilitator is automatically registered on the network at initialization time. This means that the developer does not have to know the exact address of an arbitrary facilitator and does not have to maintain the list of all available facilitators. Instead, the nodes are registered automatically and the list of all available facilitators is maintained automatically.

Figure 3. Example of agent framework network

IV. SYSTEM ARCHITECTURE

XJAF agents are developed for network services availability and vulnerability monitoring. Agents perform network monitoring using the facilitator network and appropriate agent services. The system consists of the network monitoring client and the facilitator network. The client initiates monitoring and gathers data. It sends a network monitoring task to the facilitator. The facilitator looks for an appropriate agent (the network monitoring agent) and forwards the task to it. Fig. 4 shows task execution. Communication between a client and the facilitator is asynchronous. When the task is finished, the facilitator notifies the client using the AgentListener listener [9]. This interface defines three methods:
• actionStarted method, which is invoked when an agent starts the task execution,
• actionPerforming method, which is invoked when an agent partially finishes execution of the task, and
• actionPerformed method, which is invoked when an agent finishes the task execution.

The only parameter of these three methods is the instance of the AgentEvent class, which contains the result of task execution [9]. Fig. 5 shows the relation between the client application and an agent.

Figure 4. Task execution sequence diagram

Figure 5. Relation between client and agent

V. NETWORK MONITORING AGENTS

Agents do not directly monitor the network. Instead, they use specialized services for that purpose, as shown in Fig. 6. An agent invokes the NetMonService service, which uses the appropriate implementation of ServiceVerifier. NetMonService is the facilitator’s service for network monitoring. This service looks for an adequate verifier based on the request for monitoring. A verifier is a specialized class developed for monitoring a certain type of network service. It must implement the ServiceVerifier interface (Fig. 7). The result of verification is returned to the agent through the NetMonService service.

HTTPServiceVerifier is developed for HTTP monitoring. SMTPServiceVerifier is developed for e-mail server monitoring (Fig. 7). The HTTPServiceVerifier class tries to get the default home page from the designated web address. If there is a working web server, the network monitoring service returns the default page to the agent. If the web server is not available, the appropriate message is sent to the agent.

The SMTPServiceVerifier verifier tries to send an e-mail to the specified e-mail address. The result of sending is returned to the agent. Besides this, it is possible to determine whether the e-mail server supports relaying. This conclusion is based on the result, the e-mail address and the domain from which the e-mail was sent. The fact that an e-mail server supports or does not support relaying can be interpreted as a vulnerability of that server.
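The relay conclusion described above, worked through on a recorded SMTP dialogue. This is an added example, not code from the paper or from XJAF. The class and method names, the "C:"/"S:" transcript format, the set of domains the server is responsible for, and the reading of "the domain from which the e-mail was sent" as the probing host's domain are all assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class RelayCheckExample {

    enum Verdict { UNAVAILABLE, REFUSED, EXPECTED_DELIVERY, OPEN_RELAY }

    /** Lower-cased domain part of an address; empty if there is no '@'. */
    static String domainOf(String address) {
        int at = address.lastIndexOf('@');
        return at < 0 ? "" : address.substring(at + 1).toLowerCase(Locale.ROOT);
    }

    /** Reply code the server gave to RCPT TO, or -1 if the dialogue never got that far. */
    static int rcptReplyCode(List<String> transcript) {
        boolean rcptSent = false;
        for (String line : transcript) {
            if (line.startsWith("C: RCPT TO:")) {
                rcptSent = true;
            } else if (rcptSent && line.matches("S: \\d{3}([ -].*)?")) {
                return Integer.parseInt(line.substring(3, 6));
            }
        }
        return -1;
    }

    /** Combines the send result, the recipient address and the domain the probe came from. */
    static Verdict classify(int code, String recipient, String probeDomain, Set<String> served) {
        if (code < 0) return Verdict.UNAVAILABLE;
        if (code / 100 != 2) return Verdict.REFUSED;
        boolean recipientLocal = served.contains(domainOf(recipient));
        boolean probeInside = served.contains(probeDomain.toLowerCase(Locale.ROOT));
        // Accepting outside-to-outside mail means the server relays for third parties.
        return (recipientLocal || probeInside) ? Verdict.EXPECTED_DELIVERY : Verdict.OPEN_RELAY;
    }

    public static void main(String[] args) {
        Set<String> served = new HashSet<>(Arrays.asList("corp.example")); // constructed
        String[] finalReplies = { "250 2.1.5 Ok", "554 5.7.1 Relay access denied" };
        for (String reply : finalReplies) {
            List<String> transcript = Arrays.asList(          // constructed SMTP dialogue
                "S: 220 mx.corp.example ESMTP",
                "C: HELO probe.outside.example",
                "S: 250 mx.corp.example",
                "C: MAIL FROM:<agent@outside.example>",
                "S: 250 2.1.0 Ok",
                "C: RCPT TO:<sink@elsewhere.example>",
                "S: " + reply);
            Verdict v = classify(rcptReplyCode(transcript),
                "sink@elsewhere.example", "outside.example", served);
            System.out.println(reply + " -> " + v);
        }
    }
}
```

The same accepted reply yields EXPECTED_DELIVERY when the recipient or the probing host belongs to a served domain, which is why the verdict needs all three inputs rather than the reply code alone.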

For availability and vulnerability detection two types of agents have been developed: NetMonAgent and DistributedNetMonAgent (Fig. 7).

Figure 6. Network monitoring using the NetMonService service

Figure 7. Network monitoring services and agents

NetMonAgent is the central agent which receives the task. This agent performs monitoring on its (local) monitoring domain. Also, it sends the same task to remote agents (DistributedNetMonAgent) and gathers results from them. There are two types of tasks that the NetMonAgent agent can receive: complex and simple tasks. A complex task consists of the list of (computer address, port, and service type) items. A simple task does not contain a list of addresses or services. Instead, agents will monitor default services on preconfigured addresses, which can be specified in the XML configuration file.

If the task is a complex one (Figure 8), the NetMonAgent agent obtains the list of all available facilitators. NetMonAgent assigns one task from the task list to each facilitator in that list. Instead of using one agent for executing all network monitoring tasks, multiple agents from remote facilitators are used. Load balancing between facilitators is achieved using the round-robin principle. If a local agent should execute the task, it uses its local NetMonService service. If the task should be executed by a remote agent, the NetMonAgent agent sends a KQML message [14] to the DistributedNetMonAgent agent. The DistributedNetMonAgent agent also sends back the result via a KQML message.

In the case of a simple task (Figure 9), each network monitoring agent has a list of hosts and services which need to be monitored. An agent obtains this list from the XML configuration file. The NetMonAgent agent performs local network monitoring and recruits remote agents (DistributedNetMonAgent). Remote agents perform network monitoring in their subnetwork and send results to the NetMonAgent agent.

Figure 8. Complex task execution sequence diagram

Figure 9. Simple task execution sequence diagram
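The round-robin split of a complex task across facilitators, as an added example that is not code from the paper or from XJAF. The class names, the facilitator names, the sample items and the convention that the facilitator called "local" is the one hosting NetMonAgent are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class ComplexTaskDispatchExample {

    /** One entry of a complex task: (computer address, port, service type). */
    static final class Item {
        final String address;
        final int port;
        final String serviceType;
        Item(String address, int port, String serviceType) {
            this.address = address;
            this.port = port;
            this.serviceType = serviceType;
        }

        @Override
        public String toString() {
            return serviceType + " " + address + ":" + port;
        }
    }

    /** Deals the items out to the facilitators in turn (round-robin). */
    static Map<String, List<Item>> assign(List<Item> items, List<String> facilitators) {
        if (facilitators.isEmpty()) {
            throw new IllegalArgumentException("no facilitator available");
        }
        Map<String, List<Item>> plan = new LinkedHashMap<>();
        for (String f : facilitators) {
            plan.put(f, new ArrayList<>());
        }
        for (int i = 0; i < items.size(); i++) {
            plan.get(facilitators.get(i % facilitators.size())).add(items.get(i));
        }
        return plan;
    }

    public static void main(String[] args) {
        // Constructed sample data; facilitator names are assumed to be unique.
        List<String> facilitators = Arrays.asList("local", "facilitator-a", "facilitator-b");
        List<Item> task = Arrays.asList(
            new Item("www.corp.example", 80, "HTTP"),
            new Item("mx.corp.example", 25, "SMTP"),
            new Item("intranet.corp.example", 80, "HTTP"),
            new Item("mx2.corp.example", 25, "SMTP"));

        for (Map.Entry<String, List<Item>> e : assign(task, facilitators).entrySet()) {
            // Local items go to NetMonService; remote ones travel in a KQML message.
            String route = e.getKey().equals("local")
                ? "local NetMonService"
                : "KQML message to DistributedNetMonAgent";
            System.out.println(e.getKey() + " via " + route + ": " + e.getValue());
        }
    }
}
```

With four items and three facilitators the first facilitator receives two items, which shows that round-robin balances by item count only and not by how long each check takes.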

VI. CONCLUSION

Disadvantages of centralized network monitoring applications are complexity and the need for monitoring different types of network services. This model of monitoring can be replaced by a large number of small software systems capable of cooperative network monitoring. This distributed model can be more efficient than the centralized one. Agent technology can be utilized as an approach to distributed network monitoring.

This paper presents one example of agent-based technology used for network availability and vulnerability monitoring. Software agents are used for network monitoring. These software agents operate in the XJAF agent framework. There are two types of agents: the central agent and the remote agent. The central agent engages remote agents to perform network monitoring on remote network nodes.

Two types of monitoring have been implemented: complex and simple network monitoring. The complex type of monitoring starts with the list of network nodes and services to be monitored. This list is distributed between agents in different facilitators in order to maintain load balancing. The simple type of monitoring is based on the preconfigured list of network nodes and services for each agent.

Network agents use a specialized network monitoring service. This service uses different service verifier implementations depending on the type of service to be monitored. There are two types of service verifier implementations at the moment: one for HTTP server monitoring, and one for scanning SMTP servers and checking whether relaying is enabled.

Future work will include implementation of more sophisticated algorithms for task distribution between agents and implementation of service verifiers for other network services. Also, the functionality of existing service verifiers will be improved.

The whole system is implemented in the Java EE technology to provide platform independence. The JBoss application server is used as the application server. All required software is open source, which gives the opportunity for wide use of this solution.

ACKNOWLEDGMENT

This paper is part of the research project “Infrastructure for Technology Enhanced Learning in Serbia” supported by the Ministry of Education and Science of the Republic of Serbia [Project No. 47003].

REFERENCES

[1] P. I. Adhicandra, C. Pattinson, and E. Shaghouei, “Using mobile agents to improve performance of network management operations,” Proceeding of 4th Annual Symposium of Postgraduate Networking Conference, Liverpool, UK, June 16-17, 2003.
[2] T. Gschwind, M. Feridun and S. Pleisch, “Building mobile agents for network and systems management from reusable components,” Proceedings of the First International Symposium on Agent Systems and Applications and Third International Symposium on Mobile Agents, Palm Springs, CA, USA, October 3-6, pp. 13-21, 1999.
[3] O. Kachirski and R. Guha, “Intrusion detection using mobile agents in wireless ad hoc networks,” IEEE Workshop on Knowledge Media Networking (KMN'02), Kyoto, Japan, July 10-12, pp. 153-158, 2002.
[4] K. Nowak and L. Bagrij, “Using distributed multilevel agent-based monitoring technique for automated network modelling approach,” International Conference on Dependability of Computer Systems, Szklarska Poreba, Poland, June 14-16, pp. 61-72, 2007.
[5] R. Pugazendi and K. Duraiswamy, “Mobile agents - A solution for network monitoring,” International Conference on Advances in Recent Technologies in Communication and Computing, Kottayam, Kerala, India, October 27-28, pp. 579-584, 2009.
[6] R. Aversa, B. Di Martino and S. Venticinque, “Distributed agents network for ubiquitous monitoring and services exploitation,” IEEE International Conference on Computational Science and Engineering, Vancouver, Canada, August 29-31, pp. 197-204, 2009.
[7] C. Ho, K. Ramachandran, K. Almeroth, and E. Belding-Royer, “A scalable framework for wireless network monitoring,” 2nd ACM International Workshop on Wireless Mobile Applications and Services on WLAN Hotspots (WMASH '04), Philadelphia, USA, September 26-October 1, pp. 93-101, 2004.
[8] M. Sa and A. K. Rath, “A simple agent based model for detecting abnormal event patterns in distributed wireless sensor networks,” International Conference on Communication, Computing & Security (ICCCS '11), Rourkela, India, February 12-14, pp. 67-70, 2011.
[9] M. Vidaković and Z. Konjović, “EJB based intelligent agents framework,” Proceedings of the 6th IASTED International Conference on Software Engineering and Applications, Cambridge, Massachusetts, USA, November, pp. 343-348, 2002.
[10] M. Vidaković, G. Sladić, and Z. Konjović, “Security management in J2EE based intelligent agent framework,” Proceedings of the 7th IASTED International Conference on Software Engineering and Application, Marina Del Rey, CA, USA, November 3-5, pp. 128-133, 2003.
[11] M. Vidaković, G. Sladić and M. Zarić, “Metadata harvesting using agent technology,” Proceedings of the 8th IASTED International Conference on Software Engineering and Applications, Cambridge, USA, November 9-11, pp. 489-493, 2004.
[12] M. Vidaković, B. Milosavljević, Z. Konjović, G. Sladić, “Extensible Java EE-based agent framework and its application on distributed library catalogues,” Computer Science and Information Systems, vol. 6(2), pp. 1-28, 2009, doi:10.2298/csis0902001V
[13] The Foundation of Intelligent Physical Agents (FIPA), http://www.fipa.org/ (accessed May 10, 2010)
[14] T. Finin, R. Fritzson, D. McKay and R. McEntire, “KQML as an agent communication language,” Proceedings of the Third International Conference on Information and Knowledge Management, Gaithersburg, Maryland, US, November 29-December 2, pp. 456-463, 1994.
