A Simulation _based Model for Tracing the Effect of Masquerading Security Threat in Mobile Agent Systems Mona M. Nasr Senior Software Process Improvement Engineer@ Sales Tax Authority PhD Candidate Information Systems Department Faculty of Computers and Information, Helwan University, Egypt e-Mail:
[email protected]
Abstract As wide-area open networks like the Internet and Intranets grow, Mobile Agent (MA) technology is attracting more attention. Mobile Agent go through many applications via web like auction rooms, job finder...etc. Mobile Agent (MA) technology may solve many problems for many enterprises. As Mobile Agent (MA) importance increase day after day, security of mobile agent became a must, because it contains all security topics. This paper presents a survey for the malicious (host /agent) facing Mobile Agent(MA). Platform to Agent P2A (Masquerading, Denial of Service, Eavesdropping, Alteration) Agent to Agent A2A (Masquerading, Denial of Service, Repudiation, Unauthorized Access). This paper, describes MA-based paradigm as a simulation based model for tracing the effect of masquerading security threat that has been entirely developed in java programming language. The proposed paradigm considers a range of techniques that provide high degree of security during the mobile agent system life cycle in its simulation environment.
This paper highlights the spot to two main design objectives: The importance of including various supportive types of agents within a system e.g., police agents, service agents,…etc. Second: Evaluation analysis and number of checks to be done to trace the MA if masqueraded during its path. eg. evaluation analysis for detecting tolerance differences for the calculated agent’s route before and during its journey, storing agent transactions, storing snapshots of agent state information, checking from time to time agent status and task completeness and lastly guard agent check the changed variables of migrated agent. During tracing and monitoring MA(s), the initiator node may destroy it and continue with another. In this paper we propose a new paradigm that detects and eliminate with high probability, any degree of tampering within a reasonable amount of time, also provide the ability of scalability of security administration
Keywords: Mobile Agent, Security, Java Security, Policy, Strong Mobility
Start
1. Introduction As wide-area open networks like the Internet and Intranets grow, mobile agent technology is attracting more attention. Mobile agents are units of software that can deal with environmental changes and the various requirements of open networks through features such as autonomy, mobility, intelligence, cooperation, and reactivity.
Reset Clock
Calc Proposed Path Time Ti= Ti = Ct + T(Ag) * Ntr + Lt + Network occupation (constant)/Bd
Encryption enabled?
Yes
Encrypt all results
Encapsulate all results
Digitally Signed
i = 1 & Masq = 0
Migrate Agent to 1st Node
Action
i < Pnd
No
Check Agent Status for Safely
Append to Log File
Check Agent Task Completeness Snap Shot to DB
If ((Ti )) reached
Yes
Yes
Check Agent Nodes Visited (Compare Results)
Yes
No Masq = 1 Agentn Masquered
No
i= i+1
Yes
There are two kinds of agents created within cat's eye mobile agent system these two types are police (guard) agent, service agent.
Assign a Path
Pnd > 1 & Pnd < 10
No
During Cat's eye mobile agent work, it generate a number of agents that have the ability to migrate from machine to another to do pre-defined task, return to it's home machine with results, through single hop trip or multiple hop journey.
Assign a task where i7
No
Cat's Eye Mobile Agent paradigm provides a set of achievable security goals for mobile software agent systems. In addition to establishing an approach for security in an open environment for using mobile agent for various transactions.
Ti
No
Cat's Eye MA-based paradigm is a simulator that has been entirely developed in java programming language, which consists of various types of classes and routines. Java programming language has been chosen mainly due to inheritance capability, rich class hierarchy and dynamic class loading capability. [3,4]
Generate Random Numbers
Yes
2. Cat's Eye Mobile Agent Paradigm
Creation of no. of Agents
Applying Security Techniques
No
Roughly speaking, information agents are computational software systems that have access to multiple, heterogeneous and geographically distributed information sources. Such agents may assist their users in finding useful, relevant information; in other word, managing and overcoming the difficulties associated with “Information overload”. Information agents not only have to provide transparent access to many different information sources, but also retrieve, analyze, manipulate, and integrate heterogeneous data and information on demand preferably in a just in time reply. Due to its salient properties, mobile agent technology has received a rapidly growing attention over the last few years. Many developments of mobile agent systems are under way in both academic and industrial environments. In addition, there are already various efforts to standardize mobile agent facilities and architectures. There is no working stable system without talking about security issue especially in open environment. Since code mobility is subject to intense research, code mobility creates new security problems, for the executing host as well as the program to execute. Today we have to acknowledge that we do not have good answers for all of these security problems, such as those related to security of mobile agent systems.
Task / Action
Migrate Agent to next Node
Destroy an Agent End Send Initiator Results
Figure 1 Masquerading Threat Procedural Flowchart
3. Proposed Cat’s Eye Scenario At Cat's Eye Scenario the agent can travel to the most confident node according to the confidence node tree that pre- drawn or the agent can continue through its path. The creation of the agent: The agent number is generated randomly, with ownerID, creation time, and proposed path time. When the agent arrives at one node, the node checks about its credentials: The owner of the agent is checked whether it is from trusty node. Ask about its confidence ratio followed confidence ratio structure. If found a digital signature of owner author. The visited node authenticates and authorizes the agent and begins its execution. Agent execution starts with decryption of the contents and starts to follow up of its instructions and authorizing for usage of the node resources. The owner of the agent has various ways for tracing agent path: e.g. through inconsistency of the pre-calculated. The agent may faced by a malicious agent/host at a visited node, where the attacked malicious agent/host may divert the path of the agent or steal critical information or corrupt agent. As shown in figure 1 life cycle of the agent from creation time, task assignment applying security techniques in addition to the tracing for the effect of masquerading on it.
Giving an example from real life e.g.: Assuming we visit Bee Network, there are two types of bees where found the queen bee and the servant bees. The “servants” bees are many but the queen is one. Police/ Guard agents = Queen Bee Service agents Police/ Guard agent features (Queen Bee) a) Check the trusty of the host. b) Monitoring various nodes, to detect agent parameters and variables at each node and order for destruct of an agent if unexpected modification had been happened and notify the owner machine.
During the agent life cycle from creation time till its destruction a detailed steps for each functionality is shown for the proposed paradigm. We try in this model to simulate some of the threats that may attack the agent during its life in a real environment.
= Servant bee(s) We supposed some a combination of some techniques that provide high degree of security during the mobile agent system life cycle in its environment in addition to suggesting some new security goals which will be represented in the following few pages. Masquerading Milestone Duration Between CreateTime-MigrateTime
Service agent features (Servant bee(s)) a) Perform multiple tasks. b) It assumed to travel to un-trusted and trusted nodes. c) Don't hold sensitive information d) Its credentials being checked from the visited node. - On creation of an agent secure random number is assigned to each agent. The agent is encrypted at home node by private key and the public key traveled to any node the agent visit en-order to decrypt it authenticate the agent and execute its tasks. The agent is digitally signed in DSA algorithm 1024 bit by the public key through stream of bit. - If the agent has visited a node that can attacked it, doing modification to its state, values the next visited node can detect the destruction happen to the agent body, also Cat' Eye mobile agent with its guarding eye execute from home node to know if any modification has been happened to the agent this routine has all the agent input parameter and used variables, so any changes will be easily detected. - Cat's eye MA has entirely a clock, for calculation each agent the time spent at each node. Knowing that before agent migration and assignment of a task to an agent must wait till the agent route been calculated before migration process began. - Journey details on agent detecting any rerouting to its prefixed itinerary with digital signature, checked also within monitoring routine. - In addition to existence of auditing log for keeping and comparing the inconsistency that may happen during the journey.[5]
Agent Creation Milestone
Migration Time
LiveLocked
?
11 12 1 2 10 9 3 8 4 7 6 5
Figure 2 Intelligent TimeLine of Agent Route
As shown in the figure 2 the Agent is created at creation time at its agent owner node. The creation time here we assumed that it is a milestone of agent creation, after that the agent migrate from its agent owner node through its route (path) between various nodes. The mobile agent may be faced by various threats, it may faced with extra tasks make it live locked or may attacked by an malicious host/node as a way of a threat (masquerading), they may steel, corrupt or divert an agent from it right route. The agent may override the threat and arrive to its owner node successfully at a return time. This return time must be pre-calculated in-order to detect the delay due to prioritization, or network delay.
4. Security Aspects: Security is the most important principle when talking about distributed systems[13]. This complexity is due mainly to the size of the problem, moreover, in open networks, security problems and costs of potential solutions might outweigh the benefits of mobility[8]. The previous sections discuss Cat's Eye Mobile Agent paradigm, this section will show the security aspects that need to be considered for Cat's Eye MA-Paradigm: As security is the most critical issue in a mobile-agent system. We must try to detect tampering as soon as the agent migrates from a malicious machine back to its owner machine. On case of tampering of an agent we can terminate, fix, destruct the agent.
Authentication: Verify the identity of an agent's owner.[11] Authorization and enforcement: Assign resource limits to the agent based on the identity and enforce those resource limits. Mobile agent not migrate to nodes had lower degree of trustworthy. Sensitive migrated data must be in an encryption form. Audit log be created on case of failure. The scope of work is for protecting agent in mobile agent systems.
Figure 3 represent a class hierarchy of the Cat's Eye Mobile Agent Simulator
Simulation SecMa.java
SecMaPass.java
MobileAgent.java
MonaNotePad.java
ThreadedApplication.java
DBNodeConfidenceRatio.java AddDlgDBNCR
DrawingThread.java
MigrateAgent.java
Tree.java
MyDate.java
EncryptorRun.java
KeyPGRun.java
MemoryMonitor.java
EncryptoRun.java
CaptureScreenFrame.java
SystemTraceRun.java
ViewLogs.java
DataBaseUsers.java AddDlgUsr
MobileAgent.java AboutDlg
clsTimerTime.java
DataBaseTables.java StatusCanvas.java
DateCanvas.java
DrawDate.java
MemoryMonitor.java Surface
KeyPG.java
GetProps.java
JDBCAdapter.java
SecRandNum.java BtnCreatAgnt.java
BtnActvAgnt.java
BtnSuspndAgnt.java
BtnCreatAgntAK.java
AgentCanvas.java
AgentCanvasAK.java
TableSorter.java DataBaseAgentCycle.java
Encryptor.java
AddDlgAgntCycl
Encrypto.java
TableMap.java DataBaseAgent.java DataBaseAgent.java
AddDlgAgnt
AddDlgAgntAttck
ProgressBar.java
Java Language Legend: File name
Class
From Up to Down
LongTask.java
Down Up
SwingWorker.java
SecMa Class Hierarchy
Figure 3 Cat's Eye Class Hierarchy
Symbol 5. Example: Mobile agent is a program that moves from machine to machine and executes on each[7]. As an example of Cat's Eye paradigm, As shown in the following figure Cat's Eye simulation environmemt network consists of three entrance points(domains) to many disricts in real life network at taxing authority (Ministry of Finance in Arab Republic of Egypt).
Bd TR Ag N Ntr T(Ag) Ct
Meaning
Dimension
The network bandwidth Bytes/Sec. The total time elapsed Seconds. in a single hop. Agent Bytes. (Code + Data + State) Number of Nodes Integer no. Number of trips Integer no. The time needed to migrate Seconds. an agent between nodes Creation Time Seconds.
Mt
Migrate Time
Seconds.
Rt
Return Time
Seconds.
Ti
Real agent route time
Seconds.
Lt Ri No tk
Latency Pre- Calc. Agent Route time Network Occupation Assigned Task to Agent
Seconds. Seconds. Bytes. Integer no.
Table 1 Used Notation(s)
The Constant with asterisk at the beginning has been taken from a similar working environment: ((Local Network)) The Average of Create Time within our research: 0.3 sec * Minimal Agent Migration on the Local Network : 35ms. ((0.035 Sec.)) * Latency on the Local Network : 0.6 ms ((0.0006 Sec.)) * Bandwidth on the Local Network: 6.736 Mbits/s Network Occupation : 6 Bytes Figure 4 Deployment of Agent though the Network
Ti = Rt - Ct
(1)
Cat's eye within simulation environment supposed to work within the network shown in the above diagram for three domains of machines and entries (Sales Tax, Income Tax, and Custom). Cat's Eye Simulator supposed to be placed at sales tax main entrance machine (Central Site and more than 125+ district/region/office).
TRi = Ti + Dt
According to the deployment scenario of the the agent is generated at sales node then migrate to take it’s pass rondomly depends upon the node confidence ratio after that the agent may face an attack agent that it may divert it’s pass again.
Ri = (4) 0.3sec +(0.035* 4) + 0.6ms/1000+ 6/6.736Mbits/s =3.3Seconds. 0.3 + 0.14 + 0.0006 + 0.8907 = 1.331Seconds. Calculated Path = 0.022Minutes.
N
_____
Delay Time (Dt)i-0=
(2)
Mt – Ct + Network Delay +Network occupation(constant)/Bd Ri = (3) Ct + T(Ag) * Ntr + Lt + Network occupation (constant)/Bd
Figure 5 Agent and it's Calculated Path Time
As shown in figure 5 all the generated agent(s) and its calculated path are within 0.022Minutes. This time considered to be an appropriate time after applying Cat's Eye Mobile Agent paradigm techniques compared to similar MA Simulators.
Figure 7 MA Threats through Nodes
As shown in figure 7 a java-based graph every agent and the affecting threats at each of the three entrance nodes. This graph depend on a recent four agent and there migration data, every agent shown in the graph with different color. The masquerading threat take the lowest degree compared to other threats after applying Cat's Eye MA paradigm.
6. Working Environment: Since agents are mainly intended to be used for applications over large-scale network. Here mentioned below the simulation environment as a step towards large scale environment.[6]
Figure 6 Mobile Agent Detailed Report for his Multi-Hop Journey
As shown in Figure 6 a detailed representation of the number of threats affect the MA with a specific ID and if Masquerading threat included the total time spend in overcoming of Masquerading threat, in addition to a table shows a clear representation of the threats at the three main entrance nodes, these threats are classified according to the National Institute of Standards and Technology (NIST) and according to more than code security techniques classifications: 1- Masquerading 2 Denial of Service Attacks 3- Alteration of Carried Results 4Repudiating of Action 5Eavesdropping 6 -(1) Masquerading + (2) Denial of Service Attacks[9,12].
6.1 Simulation Environment In our simulation model we supposed that there are three main entrance nodes to the nework. Sales Tax centeral site, Income central site, and custom cetral site. 6.2 Large-Scale Environmet In large scale these three entrance node are within domain each of the main entrance node are connected with number of machine. For example the sales tax central site is connected more than 125+ district /regional /office, the same to the income and the customs but with different number of connections. On the large scale environment the factor of network bandwidth must be taken in consideration, where in our simulation environment we have given it fixed number.
Service
Meaning
Execution Transaction
Execute Agent instructions
Enables grouping of agent actions into atomic transactions Authentication Provides mechanisms
The proposed paradigm combines the benefits of the black box approach with trustworthy nodes structure approach. -
The proposed solution covers the security of mobile agent from various sides (against the visited hosts and against other agents).
-
Ease and scalability of security administration of the proposed solution.
-
The proposed paradigm directs the lights to the survivability of agent and the believability where the available information in mobile agent system where survivability appears to be better.[1]
-
In designing the proposed security mechanism the security architectures should not ask whether mobile agents are a component of the architecture, but rather what type of agents the architecture uses so we use service agent for un-necessary information and police (guard) agents for monitoring.
-
The proposed solution provides the ease of integration with existing applications/products.
-
The proposed solution provides reduction of network bandwidth, as agent holds on its body versioning of states inform the owner at the end of its journey. We place journey details on agent.
-
This solution is greatly feasible for operation. As this solution present volatile store for agents so that an agent can restart after a machine failure.
Cryptographic Provides mechanisms for secure Agents DataBase Messaging CheckPoint
authentication & access. Number of Agents Provide multipurpose database service Encodes/decodes and sends/receives messages. Stores snapshots of agent state information.
Table 2 A Summary of possible Services provided by Cat’s Eye Mobile Agent Simulation
Table 2 shows the possible services provided by Cat's Eye Mobile Agent Simulator.
7. Conclusion & Prespective Work: 7.1 Conclusion: Knowing that mobile agent is a new technology world wide, which attracts more attention, and as mobile agent importance increase day after day, security of mobile agent became a must. Mobile agent go through many application through the web like auction rooms, job finder[2], which attract the attention to all security topics related to mobile agent systems. Also mobile agent technology may solve problems of many enterprises. By studying the tools, languages used for issuing software mobile agent, and the approaches for securing agent journey we found the following: - Many approaches deal with the agent protection against host only, other deals with protection against the agent only. - Many security issues for data and information are constrained and don’t provide efficient solution for the complex problems. - Many approaches not realistic in practical and operational use. - Many approaches deal with agent security without using the agent as a tool for applying the security. - Applying mobile agent technology has many benefits for example the mobile agent can apply security and help in reduction of network bandwidth.
7.2 Perspective Work We suggest in addition to the presented functions in this paper the following items to be added on future work on real environment. Appropriate servelt classes: en-order to ensure the availability of access the application via web. In this case a threat is appeared, so we must ensure about applet downloaded from un-trusted server or applet from trusted server but contains bugs[10]. Trace mobile transaction: Enhance cat’s eye simulator adding: -Network sensing-tools. -Resource Manager …with graphical user Interface. -Guard the access for Screen, Network & Disk. -Decide which actions an agent can perform based on the Authenticated identity of the agent’s owner.
Debugger (for Keep tracking of an agent as it moves through the network, monitors its communication with other agents, and provides traditional debugger features such as breakpoints, watch conditions and line-at-time execution). Docking system that allows an agent to transparently migrate to or from a mobile computer, even if the mobile computer is not currently connected to the network.
8.
Klusch, M., “Intelligent Information Agents, AgentBased Information Discovery and Management on the Internet”, Springer -Verlag, Berlin Heidelberg, 1999.
9.
Jansen, W., and Karygiannis, T., “Mobile Agents Security”, NIST Special Publication 800-19, National Institute of Standards and Technology, 2000.
a)Books, Thesis and Papers
10. Marques, P., Fonseca, R., Simões, P., Silva, L., and Silva, J., “A Component-Based Approach for Integrating Mobile Agents Into the Existing Web Infrastructure”, University of Coimbra, Portugal, 2002.
1.
Bryce, C., “A Security Framework for a Mobile Agent System”, In: Technical Report, University of Geneva, 2000.
11. Noordende, G., Brazier, F., Tanenbaum, “A Security Framework for a Mobile Agent System”, In: Proceedings of SEMAS at AAMAS2002, 2002.
2.
Cabri, G., Leonardi, L., Zambonelli, F., “Engineering Mobile Agent Applications via Context-dependent Coordination”, In Proceedings of the 23rd International Conference on Software Engineering (ICSE 2001), pp.371-380, Toronto, Canada, 2001.
12. Thomas, R., “A Survey of Mobile Code Security Techniques”, Time-Stamping”, Laboratory for Theoretical Computer Science, Department of Computer Science and Engineering, Helsinki University of Technology, Finland, 2002.
3.
Eckle, B.,“Thinking in Java Second Edition”, Prentice Hall PTR, Upper Saddle River, New Jersey 07458, http://www.phptr.com, 2000.
4.
Eckle, B.,“Thinking in Java”, Prentice Hall PTR, Upper Saddle River, New Jersey 07458, http://www.phptr.com, 1998.
References
13. Tanenbaum, S., A., Steen, V., M., “Distributed
5.
6.
7.
Gray, S. Robert, “Agent-Tcl: A Flexible and Secure Mobile-Agent System”, PhD Thesis, Dartmouth College, Hanover, New Hampshire, 30 June 1997. Ismail, L., and Hagimont, D., “A Performance Evaluation of the Mobile Agent Paradigm”, In Proceedings of the Conference on Object-Oriented Programming, Systems, Languages, and Applications, pages 306-313, 1999. Gray, R., Kotz, D., Cybenko, G., and Rus. D., “D’Agents: Security in a Multiple - Language, Mobile - Agent System”, Springer - Verlag, A Chapter in the Book “Mobile Agents and Security”, Pages 154 –187, edited by Vigna, G., 1998.
Systems: Principles and Paradigms”, P. 414 - 488, Prentice-Hall Inc., USA, 2002.
b) Web Sites
http://csrc.nist.gov/, NIST Computer Security Division 893 and CSRC. http://www.fipa.org http://java.sun.com, Sun Microsystems, Inc., JDK 1.4.2 Documentation. http://rational.com/uml, OMG Unified Modeling Language Specification: Rational Rose. http://www.deis.unibo.it, "SOMA-based Applications". http://www.informatik.uniessen.de/SysMod/JavaDemos/ http://www.grasshopper.de/ http://www.ibm.com http://www.jguru.com http://www.oracle.com http://www.sun.com, Sun Microsystems, Inc. http://www.swarm.org http://wwwlia.deis.unibo.it/Software/MADAMA/
