[Top]

[Back]

[Next]

[Bottom]

5 A Mobile Agent Framework to Support Distributed Information Management

"I had to quit my job to have time to read my email" - Adam Curry

5.1 Requirements

Therefore, a framework is needed that will address a number of issues, simultaneously, to ensure that the requirements of a distributed information management system are met. This chapter presents the potential requirements of such a system in the context of a mobile agent architecture and also details the initial framework and components required to support mobile agents that perform distributed information management tasks.

5.1.1 Arbitrary Migration

With stateless migration systems, the burden of ensuring that the data that needs transferring with the agent is in a well-defined area (for example, a folder within a briefcase in TACOMA) lies firmly with the programmer of the agent. Even though stateless migration requires less effort on behalf of the migration mechanism, it is considered an undesirable requirement due to the fact that it places some of the migration task with the programmer.

5.1.2 Persistence

For example, consider a resource discovery agent that visits nodes to find out about a particular subject. As the agent issues queries at each node, it can retain information about the range of facilities available, the number of query results found, the average response time, etc. When it is issued with a new request from its user, it can use this information to make a decision about which nodes might be worth visiting first.

The experience that individual agents gain might also be pooled into a collective experience-base that is stored at the node where a user launches their agents. In this way, new agents can be equipped with an existing knowledge-base with which to begin their search.

5.1.3 Fault Tolerance

• Network transmission fault. If an error occurs while the agent is in transit between nodes, then it must either be retransmitted or restarted at the side from which it was being transmitted. If it cannot be retransmitted or restarted, then it must be forwarded to the node where it originated, so that the information it contains can still be of use to the user or so that it can be restarted. Whatever the contingency plan, the data that the agent contains must be preserved in some manner.
• Node failure. If the agent is currently executing on a node that fails, then it should be possible to trace the agent back and retrieve a previous copy. This can be achieved by storing a copy of the agent at various nodes during its lifetime. This storage will obviously depend upon the facilities available at each node; some nodes may not desire versions of agents to be stored, especially if they are large. Another solution is for the agent to forward a copy of itself at regular intervals to the node where it originated. Node failure itself can be categorised as serious and non-serious. A serious node failure involves an unexpected error in the system which means that the node fails immediately and without prior warning: the result is that the agent's data is lost. A non-serious node failure is where there is prior warning of the node failing, for example a shutdown, and the agent has chance to migrate to another node (or it is automatically transferred to a backup node).
• Security violation. If an agent cannot be transmitted to a new location due to a security constraint (for example, the agent is not from a trusted node), then the agent should be restarted at the local node and given a chance to choose a new destination. This problem can be alleviated (but not totally solved) by requesting authentication in advance. For example, the agent might be rejected when it has been received and processed by some validation mechanism and the agent then attempts to execute a prohibited action. The action taken is the responsibility of the local node, since the agent might be a virus or a legitimate agent that has exceeded the bounds of its objectives. Potential solutions to this problem depend upon the severity of the security violation. If the agent attempts a prohibited action, it may be suspended and forced to execute in a very controlled environment so that it can choose another destination. However, if the agent fails a validation test, then is might either be destroyed (information and all), or destroyed and its information transmitted back to the node from where it originated.

KQML (Finin et al., 1995) is a high-level protocol and language for agent to service and agent to agent interaction and communication, commonly termed Agent Communication Languages (ACL). It is based around a notion derived from speech act theory in linguistics (Austin, 1962) where messages that are communicated consist of performatives indicating what the receiver should do with the message, for example, tell. Currently, KQML provides performatives which deal with belief revision, querying, knowledge-base maintenance, actions and services. Also, KQML has the ability to nest performatives, such that more specialised performatives can be built from more general-purpose performatives.

KIF (Genesereth et al., 1992) is a rich language that provides a standard representation of information. It can express beliefs, rules, facts and partial descriptions of functions amongst other things. However, KIF is used for more than just a information representation; it also provides a central language for communication between other ACLs. Translating between n ACLs and a central information language such as KIF, reduces the number of translators required from O(n²) to O(n+1).

The advantages of using ACLs and standard information representations are clear; if all agents within the system conform to an interchange standard, then the amount of data translation is reduced and the introduction of translation errors into the data are lessened.

5.1.5 Communication

The Heterogeneous Communication Model (Goose, 1995; Goose, 1996) provides a similar mechanism for agents to communicate with other agents through an addressing mechanism; as agents transport to a domain, they register their presence with a central router. The form of this registration determines which types of messages the agents is willing to receive: this is analogous to offering server-style functions to other clients. In an example scenario, an agent could register once to indicate that it had information on a particular subject and again to say that it required information on another subject. Due to the configurable and modular nature of the HCM, these concepts can be extended over domains by adopting a DNS-like architecture.

5.1.6 Heterogeneity

• Platform. Architecture and operating system heterogeneity can be achieved by transmitting agents as source code and interpreting them at their destinations, or by pre-compiling them into byte code and interpreting the byte code at their destinations. The latter is more privacy-oriented, since it might not be prudent to allow the source code of an agent to be inspected. Also, byte code is less bulky than source code, can be interpreted faster and can be authenticated easier than either machine code or source code.
• Network. To ensure that the agent has access to as wide a range of resources as possible, it should support interchangeable network protocols. This can be achieved at a network level through the use of gateways, which equip agents with a suitable protocol module that allows them to exist on the other side of the gateway.
• Language. Agents should be able to be written in any language that is suitable to their task or with which the programmer is most familiar. However, to ensure that the agent offers the maximum flexibility, it must be transmitted in a form that can be interpreted rather than compiled. This has the implication that an interpreter has to be written or modified for each target language, to support the extra functionality of the mobile agent system. If this is not an option for some languages, then it may be that some will not be able to support all the features that are available, for example, an agent that has been written and compiled in C would not be heterogeneous enough to migrate to different platforms.

5.1.7 Security

• Permission. The actions that an agent is able to perform should be regulated against a permission set for the intended recipient to ensure that they are allowed within the current context. This means that the permission set used to protect objects must be rich and flexible enough to ensure that its integrity is maintained from unauthorised accesses. Additionally, different nodes may assign different permission sets to similar objects, for example, on a node where security is very tight, all query accesses must be checked.
• Authentication. Before a permission system can be implemented, the identity of the agent must be confirmed and its point or origin established. If neither of these points can be determined, then the agent may be granted the lowest access permission or removed from the node, as detailed previously. However, authentication may be required once per access (for high security systems) or once per session (for lower security systems).
• Transmission. While the agent is in transit, it is vulnerable either to being modified in order to change its original purpose or to being duplicated to obtain its authentication signature. Therefore, when the agent is transmitted, it needs to be protected in some way. Encryption mechanisms such as PGP (Garfinkel, 1994) can be used to protect the agent at a data level, and mechanisms such as the Secure Sockets Layer (SSL) (Freier et al., 1995) at a network level.
• Verification. When the agent arrives at a node, certain verification tests can be made upon its byte code to ensure that it will neither perform malicious acts nor prohibited acts. This type of verification is performed rigorously by Telescript engines and less complete security is provided by the validation component of a Java-aware browser.
• Charging. As an agent interrogates information, it may be charged for access on the amount of data it requests, or once per access. Either way, some system needs to be employed to ensure that the agent has funds to pay for services, that those funds belong to the agent and the agent belongs to the right user. Existing technologies, such as the Electronic Cash Unit (ECU) (Chaum, 1992) can ensure that mobile agents have to pay for the services that they use.

One policy involves giving an agent exactly the right amount of permission required to complete its pre-authorised task. If an agent requires more permission, it must apply to the regulatory body of the node. Access or denial will depend upon a number of factors; the ability of the agent to pay for the new permission and the trustworthiness of the agent in the past, as examples.

5.1.8 Summary

It is hoped that requirements such as arbitrary migration and ACLs will give the programmer flexibility when writing agents, heterogeneity and communication will allow an agent to reach as many distributed information resources as possible, and security and fault tolerance will make the mobile agent system both trustworthy and robust.

5.2 The Framework

It is envisaged that mobile agents will migrate in a state-oriented fashion and be comprised of code, state and some form of knowledge base. The code segment of an agent will describe the functionality of the agent, for example a resource discovery agent or a link maintenance agent. The state segment will include the stack and local data that the agent is currently executing upon; this will be transferred with the agent transparently. Finally, the knowledge-base will contain the `intelligence' of the agent, that is, its experiences, its goals and its beliefs. This segment will also contain temporary information that the agent is working upon before it is returned to the user.

The manner in which mobile agents (and indeed, static agents) achieve the requirements identified earlier forms the discussion in chapter 6, Future Work. The next sections take each component of the framework and detail its general activities and purpose in the mobile agent infrastructure.

5.2.1 Domain Agent

• Providing a migration service to mobile agents wishing to leave the domain; the domain agent is responsible for ensuring that the mobile agent is transferred successfully. Upon valid exit, notification should be sent to the node which originally launched the agent, to enable a user to keep track of their mobile agents.
• Providing an authentication and validation check on mobile agents wishing to enter the domain; agents that cannot be authenticated or fail the validation check are rejected. Upon valid entry, notification should be sent to the node which originally launched the agent, to enable a user to keep track of their mobile agents.
• Launching received mobile agents in a suitable runtime environment, which will be related to the amount of trust given to an agent; agents from trustworthy nodes may be allowed access to more information resources than agents from unknown nodes. A suitable runtime environment will depend upon the language that the mobile agent is written in, the access level it is allocated and the functions it wishes to perform.
• Mediating global access to information resources; before a mobile agent can access an information resource it must obtain permission from the domain agent. Depending upon the policies imposed on the domain agent, public resources might grant read access automatically. However, for read access to restricted information or modification access, the domain agent must approve and grant access.
• Providing a central message router; all message interactions between static and mobile agents are routed through the domain agent. This allows agents to communicate in an asynchronous fashion. However, once two agents have become aware of each other's presence (through communicating initially through the domain agent), they can initiate a direct and synchronous communication between themselves, to transfer high-bandwidth data for example.
• Providing a central registration area where static and mobile agents can register and advertise their resources and interests.
• Ensuring that the domain does not become swamped by mobile agents. This can be achieved by limiting the amount of agents that can exist within the system at a given time and implementing a charge for processor cycles and resource access. This way, even if a mobile agent attempted to hog a resource, it could only do so for as long as its credit limited lasted.
• Advertising public information resources and the presence of mobile agents to enquiring agents. In this way, mobile agents can interrogate the contents of a particular domain before moving, to ensure that it contains information resources will help it to achieve its goals. It also provides a rudimentary mechanism for agents to locate each other.
• Periodically announce their presence (through broadcasting or multicasting) to the larger community of domain agents. This will allow each domain agent to maintain a list of other domains that is available for mobile agents to use in determining their next jump point.

5.2.2 Resource Agent

The resource agent has a number of functions to fulfil:

• To be fully conversant in the protocols of the information resource to provide complete access; the information resource should be completely accessible by agents, so that user intervention directly on the documents is not required. This would imply that the user has a set of distributed information management mobile agents that are able to manage and control their information resources through resource agents.
• To provide a standard and generic set of services which all mobile agents can utilise, for example, query, get, delete, add, alter. The more specialist functions of an information resource, for example linking, would be handled by other service primitives that would imply that the mobile agent understood some of the functionality and capabilities of the information resource. It would be desirable to decouple this relationship entirely, that is, to provide an extensible set of services across information resources. This could be achieved by attributing the functionality of a service to an associated specification of its behaviour, rather than its descriptive title.
• To mediate access to the resource on a per agent basis; once an agent has been granted access to an information resource, it is the task of the resource agent to ensure that the integrity and privacy of the resource is maintained. To this end, once the agent enters the domain, the domain agent should allocate the mobile agent a permission set which is recognised locally by the individual resource agents.
• To provide conversion between the information representation of the mobile agent and the information representation of the information resource that the resource agent is managing.
• To advertise the presence of the information resource by registering the services available to the domain agent. In this way, mobile agents can be aware of what information resources are available within a domain (by querying the domain agent) before they arrive at a domain.

5.2.3 Mobile Agent

Mobile agents are equipped with a set of user-defined goals which describe the nature and limits of their functionality, for example, a resource discovery agent is a mobile agent with a different goal set than, say, a navigation assistant agent. It is probable that, in addition to the limits on the functionality that users place on their mobile agents, the mobile agents themselves will encounter limits (in the form of security, authentication and validation) that exist within domains. In some cases, these limits (for example, lack of funds to pay for resources) will compromise the goals that have been given to the mobile agent.

There are two general approaches to the coordination of mobile agents:

• Single-agent systems. Within single-agent systems, the functionality of the system is expressed in terms of solitary agents; mobile agents are allocated tasks and must achieve those tasks personally, albeit through interaction with other agents. Whilst this is limiting in the tasks that an agent can fulfil and can incur latency in the turnaround of results, it does make that task of programming the framework easier since only agent to agent communication has to be considered. To alleviate the latency problem, agent cloning can be instantiated to allow agents to create replications of themselves. This would allow agents to cover a much wider area of information space in a shorter time than a solitary agent crossing the same amount of space.
• Multi-agents systems. These systems differ from single-agent systems in the fact that a mobile agent can spawn other related agents. Hierarchies of communicating and cooperating static and mobile agents can be constructed to assist the original agent in fulfilling its goals. This field is closely related to the principles of Distributed AI (as mentioned in chapter 3) and is more suited to complex problem solving than distributed information management.

• Mobile agents determine where to migrate to next by initially querying the local domain agent for a list of domains of which it is aware. The mobile agent can then use this information to contact each domain agent and determine which one offers a compatible set of information resources.
• Mobile agents are authenticated by an electronic signature that they carry; this signature is encrypted and is verifiable with the host domain of the mobile agent (which implies that the host domain is also authenticated in some manner). Additionally, mechanisms must be employed to ensure that mobile agents are not compromised during transit or within a domain and that the behaviour of a given mobile agent is consistent with the behaviour that it was given when it was launched. Due to the fact that it is impossible to guarantee these requirements, since a malicious agent may be launched from an authentic domain, mobile agents should be taken on face value and given the minimum amount of permission possible.
• Mobile agents possess the characteristic of persistence; they use migration as a mechanism to achieve longevity. Mobile agents must learn from the domains that they visit, the actions that they perform and the results they receive by augmenting their knowledge-base accordingly. Therefore, the `older' a mobile agent is, the more `experience' it will have gained; this experience can become invaluable to new `raw' agents.
• Mobile agents may communicate with other mobile agents to achieve their goals. There are a number of advantages to this approach; in the global information space, certain mobile agents will be performing the same or similar tasks and therefore it makes sense if they can trade information. Additionally, mobile agent might trade other services, such as experiences of productive domains for electronic cash or information. However, the disadvantages of mobile agent communication rationalises to one of trust; is it possible to trust the information given by one mobile agent to another, especially when electronic cash is concerned?
• Mobile agents should transmit the results of their findings and actions regularly to their user on the host domain. This way, the user can ensure that the mobile agent is functioning correctly and also helps prevent the mobile agent from becoming too big (in terms of size, memory and processing requirements) to move or to process.

5.2.4 User Interface Agent

• To launch distributed information management mobile agents on behalf of the user and to track their progress and position.
• To provide mobile agents with a communication point through which they can return the results of their tasks. User interface agents may need to possess local mobility to allow for node failures, since they need to be executing even when a user is disconnected from the system.
• To organise and preprocess information returned from mobile agents into a form that is suitable to the user. This may involve filtering out replicated information, presenting urgent information to the user quickly, rendering information using the tools that the user is most familiar with, etc.
• To provide domain agents with the authentication credentials of the mobile agents of a user. It is the task of the domain agent to ensure that the requesting entity is itself an authentic domain agent, to make certain that authentication credentials are not given to unauthorised systems.

5.2.5 Gateway Agent

• Network heterogeneity. This can be achieved by equipping mobile agents with interchangeable protocol modules; these modules would allow an agent to move between networking protocols. It would be the task of a gateway agent to grant the mobile agent access to the new network and to remove old networking modules and add new ones to enable the mobile agent to communicate in the new network.
• Firewalling. A domain, or set of domains, can still exist within the same networking protocol, but be protected from unauthorised access at a higher level than the domain. The gateway agent would filter all incoming and outgoing agents to ensure that they did not contain malicious intent or were not trying to leave with sensitive material.

The realisation of this framework will take two stages; production of the infrastructure components and the development of a set of mobile agent-based tools to support the user in achieving distributed information management goals. The next chapter identifies some of these issues as future work and discusses their potential implementations.

[Top]

[Back]

[Next]

[Bottom]