2008 20th IEEE International Conference on Tools with Artificial Intelligence
Agent Based Activity Monitoring System – ABAMS

Umar Manzoor, Samia Nefti
Department of Computer Science, School of Computing, Science and Engineering, The University of Salford, Salford, Greater Manchester, United Kingdom
[email protected], [email protected]

Abstract

A Multi-Agent System (MAS) is a system composed of several agents that are collectively capable of achieving goals which are difficult for an individual agent or a monolithic system to achieve. MAS is ideal for a network-like application because of its flexibility, distributed nature and modifiability, without the need for detailed rewriting of the application. In this paper we propose the Agent Based Activity Monitoring System (ABAMS) for monitoring resources over a network; it is suited to a network of networks, commonly known as a CAN (Campus Area Network). The system is fully autonomous: once initialized with the given rules and domain knowledge, ABAMS manages resources on its own with the help of mobile agents.

1. Introduction

Computer networks today are far more complex than in the 1980s, and managing such network resources is a challenging job for an IT professional, perhaps becoming too difficult to do by hand. On one hand a computer network, as a force, drives its users to share more and more resources; on the other hand managing those resources becomes more difficult. Organizations usually install resources in a network without any concern for their monitoring, and many report problems of misuse, under-utilization and over-utilization of resources. In such a situation even installing a monitoring system is a cautious step: what if the monitoring system itself takes a significant share of resources (processing cycles or bandwidth), so that the cost of managing such systems becomes high? The need of the time is a tool so light and transparent that the user does not even know that a system is running in the background to monitor the activities of the whole network.

Our architecture is inspired by the paradigm of the Multi-Agent System (MAS). A MAS is a system composed of several agents, collectively capable of achieving goals that are difficult to achieve by an individual agent or a monolithic system. MAS is ideal for a network-like application for its flexibility, distributed nature and modifiability, without the need for detailed rewriting of the application. These systems also tend to be rapidly self-recovering and fault tolerant, usually due to self-managed features. Multi-agent systems also offer the concept of mobility. The term mobile agent refers to a process that can transport its state from one environment to another, with its data intact, and still perform appropriately in the new environment [16]. Mobile agents decide autonomously when and where to move next. When a mobile agent decides to move, it saves its own state, transports this saved state to the next host and resumes execution from the saved state. Mobile agents are used in information retrieval, network management, workflow, mobile computing and telecommunications [11, 10]. The mobile agent paradigm has been identified as a natural solution for implementing monitoring systems [3]. In mobile agent based monitoring, autonomous software agents migrate to remote hosts and cooperate among themselves for system-wide monitoring [2].

We propose the use of a multi-agent system to ensure proper system operation by watching for inconsistencies in user activities and by internet monitoring. Agent Based Activity Monitoring System (ABAMS) is a multi-agent based approach for monitoring resources over a network, suitable for a network of networks, commonly known as a CAN (Campus Area Network). The system initially supports monitoring two aspects of the network system: user activities and internet monitoring. The system is fully autonomous, and once initialized with the given rules and domain knowledge ABAMS manages resources on its own with the help of mobile agents.
1082-3409/08 $25.00 © 2008 IEEE DOI 10.1109/ICTAI.2008.129
2. Related Work

Network hardware and software vendors typically provide means for monitoring and managing a network, but many of these are device or vendor specific. There are many efforts to monitor and manage networks [12, 13, 14], but these monitoring systems rely either on a single node or on a centralized architecture, which makes them vulnerable to failures. Many professional software packages and spyware tools (for example VNC [5], ActiveSpy [6]) are available to monitor the activity of a single node, i.e. internet monitoring, illegal activities etc., but the problem with this software is that it has to be installed on the node(s) to be monitored, and a user can easily detect it using tools available on the Internet [15, 16]. For example, to monitor a lab of 40 PCs we would have to install the software on all 40 PCs, which requires manual maintenance of these systems. The proposed architecture is implemented in Java using the Java Agent Development Framework (JADE) [4]. ABAMS is scalable, easily manageable and adaptable because of its distributed design.

3. System Architecture

Agent Based Activity Monitoring System (ABAMS) is a mobile agent based application for monitoring activities over a network. The system is fully autonomous: once initialized with the given rules and domain knowledge, ABAMS manages resources on its own with the help of mobile agents.

The Master Controller Agent (MCA) can be thought of as the brain of the system, as it initializes and manages the system autonomously. In the initialization step the MCA loads the IP addresses and corresponding aliases of all the lab servers in the network from a pre-configured XML file. The MCA is also responsible for creating and initializing Controller Agents (CAs), passing the destination machines as a parameter; these CAs move to the destination machines to monitor the activities of a specific lab. The MCA uses an agent-to-node ratio of 1:1. Dispatched from the MCA, a Controller Agent (CA) performs a set of tasks after reaching the destination lab server. The CA loads the IP addresses and corresponding aliases of all the nodes in the lab's network from a pre-configured XML file. Subsequently a rule file is also loaded, which contains user-defined rules in the form of process-action pairs for monitoring network activities. The CA is also responsible for creating and initializing Monitor Agents and uses an agent-to-node ratio of 1:8 (configurable).
Figure 1: System Architecture of Agent Based Activity Monitoring System – ABAMS.
Dispatched from the CA, a Monitor Agent follows a list of nodes to monitor. On arriving at each node it looks for the activities defined in the rule set, e.g. specific illegal processes. On capturing such an activity, the information about the process and the node is sent to the CA, which takes an action by dispatching an Action Agent. After monitoring one node, the Monitor Agent moves on to the next node in the list, so the specified nodes are monitored in a loop. After completing one cycle the Monitor Agent sleeps for a specific time (the sleep time is defined in the configuration file) and after awaking it starts monitoring the nodes again.

An Action Agent, dispatched from the CA, reaches its destination and invokes an executable program with the argument(s) taken from the CA to perform the action stated in the rule set. Actions include killing the process, logging off or force-logging off the user, or even shutting down the system. After successfully completing the action it sends a message about the task to the CA and waits for the CA's acknowledgement. The CA can send two kinds of messages in return: Kill or Task assignment.

The Statistical Agent stays alive as long as the MCA stays alive. Whenever a violation is spotted by a Monitor Agent, a message asking the CA to dispatch an Action Agent is sent; the message also contains the details of the violation. That detail is passed to the Statistical Agent, which uses the Statistical Module to save the violation information in a database.

An Information Agent is dispatched from the MCA and reaches the destination if it is available. It also makes use of the executable component, collects the information about the node in an input buffer and sends a message containing the details of the system to the MCA. After sending the message the Information Agent waits for the MCA's acknowledgement and, on receiving it, kills itself.

A Messaging Agent originates from the MCA and carries a message (in String form). On reaching the destination node it displays the message on the destination's display in a GUI dialog box. The dialog can have Yes / No buttons or only an OK button; the format of the dialog depends on the message, which can be a warning to the user or general information. On getting the user's response it forwards the response to the MCA (if required) and kills itself.

ABAMS is built on the JADE (Java Agent Development Framework) [4] platform using the Java programming language. JADE is middleware written entirely in Java which simplifies the implementation of multi-agent systems by providing a set of graphical tools that support the debugging and deployment phases. Another advantage of using Java as the development language is platform independence. On the other hand, the major disadvantage of Java is that we cannot code at the system level, so the Executable Component Module of ABAMS is written in C++ and is compiled to a separate EXE file. As agents have to carry this executable from machine to machine to carry out native operations, special attention was paid to optimizing the size of the executable (the EXE is only 98 KB). The administrator can insert, delete or update rules in the Rule XML file, or add new lab servers or workstations, using the Rule Insert Module (RIM). The Encryption Module (ENM) is responsible for the encryption / decryption and integrity of messages: Triple DES [14] is used for encryption / decryption and the MD5 algorithm [15] for message integrity. The Statistical Module contains all the necessary database-related functions.
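The following Python sketch is an added illustration, not code from the ABAMS paper or its JADE implementation: it models the CA's process-action rule file, one Monitor Agent cycle over a node list, and the Statistical Agent's per-IP / per-user / per-machine counts that Section 4 plots in Fig. 3 (including the remark that a user who changes IP address is still tracked by machine name). The XML layout, process names, IP addresses and user IDs are constructed assumptions.

```python
# Added example (not from the ABAMS paper); names, IPs and user IDs are constructed.
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed rule file: each <rule> pairs a process with an Action Agent action.
RULES_XML = """<rules>
  <rule process="bittorrent.exe" action="kill"/>
  <rule process="game.exe" action="logoff"/>
</rules>"""

def load_rules(xml_text):
    """Return {process_name: action} from the rule XML; names are lower-cased."""
    root = ET.fromstring(xml_text)
    return {r.get("process").lower(): r.get("action") for r in root.findall("rule")}

def scan_node(node, rules):
    """Monitor Agent step: one node's process list against the rule set.
    Returns one violation record per hit, i.e. what the CA is told."""
    return [{"ip": node["ip"], "machine": node["name"], "user": node["user"],
             "lab": node["lab"], "process": p, "action": rules[p.lower()]}
            for p in node["processes"] if p.lower() in rules]

def monitor_round(nodes, rules):
    """One Monitor Agent cycle over its node list."""
    return [v for node in nodes for v in scan_node(node, rules)]

def violations_per(key, violations):
    """Statistical Agent view behind Fig. 3: key is 'ip', 'user' or 'machine'."""
    return Counter(v[key] for v in violations)

# Constructed two-PC lab, as the CA would load it from its XML node list.
NODES = [
    {"ip": "10.0.0.11", "name": "lab1-pc01", "user": "u0001", "lab": "Lab1",
     "processes": ["explorer.exe", "BitTorrent.exe"]},
    {"ip": "10.0.0.12", "name": "lab1-pc02", "user": "u0002", "lab": "Lab1",
     "processes": ["explorer.exe"]},
]

def two_cycles(nodes, rules):
    """Two cycles; between them the user on the first PC changes its IP address.
    Counting by machine name still ties both cycles to that one PC."""
    first = monitor_round(nodes, rules)
    changed = [dict(nodes[0], ip="10.0.0.99",
                    processes=["game.exe", "bittorrent.exe"])] + nodes[1:]
    return first + monitor_round(changed, rules)

if __name__ == "__main__":
    hits = two_cycles(NODES, load_rules(RULES_XML))
    for v in hits:
        print(f"{v['machine']} {v['ip']} {v['user']}: {v['process']} -> {v['action']}")
    print(violations_per("ip", hits), violations_per("machine", hits))
```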
4. Experiment and Results

We have run this system on an experimental basis at the university campus, which has seven labs equipped with between 20 and 300 PCs each. Some of the performance analysis is presented in this section. When the system starts up the MCA is created and loads the network information from the pre-configured XML file; this activity takes 2.43 seconds. After initialization the MCA creates and initializes the CA(s), which takes 2.96 seconds. Each of these CAs then creates and initializes its Monitor Agents in parallel in 2.17 seconds.
Figure 2: Total Scanning Time for different sizes of labs (x-axis: Lab Sizes (No of PCs): 20, 100, 200, 300; y-axis: Monitoring Time (seconds), 48 to 56).
Monitor Agent(s) then start monitoring each PC; it takes 5.41 seconds to complete the monitoring of a single PC, so for 8 PCs it takes 43.28 seconds. Fig. 2 shows the performance of the monitoring system on labs of varying size. If the lab has 20 PCs the system completes one round of monitoring in less than 52 seconds. If we increase the size of the lab from 20 to 50, one round of monitoring takes approximately 2 seconds longer than in the previous case. This small difference is due to the distributed design of ABAMS: as we increase the number of PCs to be monitored, the CA creates more MAs accordingly, and because the MAs run in parallel the difference in monitoring time between a lab of size 20 and one of size 300 is only about 6 seconds.

Figure 3(a): No of Violations per IP Address (bar chart; x-axis: IP Address, y-axis: No of Violations, 0 to 12).

The administrator of ABAMS can pinpoint an individual machine / user with a high rate of violations by using the graphs generated for the number of violations per IP address and the number of violations per user, as shown in Fig. 3(a) and Fig. 3(b).

Figure 3(b): No of Violations per User (bar chart; x-axis: User ID, y-axis: No of Violations, 0 to 40).

Using this information the administrator can track the user / machine and take action accordingly, i.e. disable the user account, send a warning to the user, etc. Even if the user changes the IP address of the machine, the user can easily be tracked using the machine name, as ABAMS stores the machine name, the IP address and the name of the lab where the machine resides.

5. Conclusion

In this paper we have proposed the Agent Based Activity Monitoring System (ABAMS) to ensure proper system operation by watching for inconsistencies in user activities and by internet monitoring. ABAMS is a mobile agent based application for monitoring activities over a network. The system is fully autonomous: once initialized with the given rules and domain knowledge, ABAMS manages resources on its own with the help of mobile agents. In our experiments we have shown that the proposed architecture is effective in both monitoring and action time. This work can be extended in many directions. One possible extension is to introduce learning in the mobile agents so that they can dynamically define illegal activities and the actions against them. Predefined XML files are used for the network configuration; dynamic network detection algorithms could be devised for ABAMS.

6. References

[1] Summiya, Kiran Ijaz, Umar Manzoor, Arshad Ali Shahid, "A Fault Tolerance Infrastructure for Mobile Agents", IEEE Intelligent Agents, Web Technologies and Internet Commerce (IAWTIC 06), Sydney, Australia, 29 Nov – 01 Dec 2006.
[2] Anand Tripathi, Tanvir Ahmed, Sumedh Pathak, Abhijit Pathak, Megan Carney, Muralidhar Koka, and Paul Dokas, "Active Monitoring of Network Systems Using Mobile Agents", in Joint International Conference on Wireless LANs and Home Networks (ICWLHN 2002) and Networking (ICN 2002), pp. 269-280, 2002.
[3] Wayne Jansen, Peter Mell, Tom Karygiannis, and Don Marks, "Applying Mobile Agents to Intrusion Detection and Response", National Institute of Standards and Technology Interim Report 6416, October 1999.
[4] JADE Programmer's Guide, http://jade.tilab.com
[5] VNC, http://kaboodle.sourceforge.net
[6] ActiveSpy, http://www.activespy.org/
[7] Marina Thottan and Chuanyi Ji, "Anomaly Detection in IP Networks", IEEE Transactions on Signal Processing, Vol. 51, No. 8, August 2003.
[8] Cynthia S. Hood and Chuanyi Ji, "Intelligent Agents for Proactive Fault Detection", IEEE Internet Computing, Vol. 2, No. 2, pp. 65-72, Mar/Apr 1998.
[9] "TCPdump", http://www.tcpdump.org/
[10] "Ethereal – A Network Protocol Analyzer", http://www.ethereal.org
[11] "NTOP – Network TOP", http://www.ntop.org
[12] Active Spyware Remover, http://www.activespywareremoval.com/
[13] Spy Guardian, http://www.synergeticsoft.com/docs/spyware_adware_removal/
[14] Triple DES Algorithm, http://www.tropsoft.com/strongenc/des3.htm
[15] MD5 Algorithm, http://en.wikipedia.org/wiki/MD5
[16] Gerhard Weiss, "Multiagent Systems: A Modern Approach to Distributed Artificial Intelligence", Chapters 1-4, The MIT Press, Cambridge, Massachusetts / London, England, 1999.