IJTC201510009-Prevention of Attacks On Mobile Agents Based E-Service Applications


INTERNATIONAL JOURNAL OF TECHNOLOGY AND COMPUTING (IJTC)

ISSN-2455-099X,
Volume 1, Issue 1, OCTOBER 2015

PREVENTION OF ATTACKS ON MOBILE AGENTS BASED E-SERVICE APPLICATIONS
Yogvinder Singh
Senior Software Engineer,
Location Labs,
5980 Horton Street, Suite 675, Emeryville, CA 94608, USA
rrwsingh@gmail.com

ABSTRACT


In recent years, many researchers have been incorporating mobile agents into e-service applications, especially e-learning and e-commerce, to improve network latency and reduce network traffic. On the other hand, security issues degrade mobile agent usage. The main intention of the attacker is to kill the agent or modify its behavior in the middle of its journey, degrading trust in the agent environment. In this paper, we propose a fault tolerance mechanism that prevents agent blocking in scenarios where the agent is captured by a malicious host in the network. The approach makes use of acknowledgements and partial result retrieval and, when implemented in a mobile agent platform, allows the originator to retrieve partial results and track the location of the mobile agent at any time during transaction execution. During recovery of the mobile agent, all of its components (agent code, itinerary, credential information, collected information and state) can be recovered. The proposed mechanism is capable of improving fault tolerant time, reliability and performance, especially for mobile agents in e-commerce Internet applications.
Keywords: Mobile agents, Fault tolerance, e-services, Agent Recovery, Blocking, Acknowledgements.


I. INTRODUCTION

With the growth of the Internet, many network-related technologies have been examined for possible growth and evolution. With this motive, mobile agent technology was introduced into distributed systems, in line with message passing systems, Remote Procedure Call (RPC) and distributed object systems. The main distinction is that in message passing systems, RPC and RMI, the functions and objects are predefined and lack the flexibility for customization. A mobile agent (Nwana, 1996) is a piece of program code that can execute autonomously without the supervision of its owner. Mobile agents are capable of interacting with and learning from their environment and can react accordingly. A mobile agent performs its job whenever it is found appropriate and is not restricted to being collocated with its client. Mobility (Lange, Oshima 1999) allows an agent to move to a remote location and continue its thread of execution on a remote host machine. Mobile agents are particularly attractive for designing distributed and decentralized applications (Schoeman, Cloete 2003), as they can reduce processing time and network bandwidth usage by moving the code closer to the data located on a remote host. They are sent by owners and visit a series of hosts. The mobile agents are executed locally on these hosts to perform their tasks and return to the owners with their results. A mobile agent carries the application code with it from the client to the server instead of transferring data between a client and a server. Since the size of the code is often less than the amount of data interchanged between the client and the server, a mobile agent system provides a considerable improvement in performance over client-server communication. Hence the use of mobile agents is expanding rapidly in many Internet applications, as described by Manvi, Venkataram (2004).

Communication over the Internet is not reliable. Hosts connected via the Internet constantly fail and recover. Communication links can go down at any time. Due to high communication loads, link failures and software bugs, transient communication and node failures are common in the Internet. Therefore reliability is an important issue for Internet applications (Silva and Macdo 2000). A failure may lead to partial or complete loss of a mobile agent. The following undesirable scenarios may occur when mobile agents are sent from one host to another:
An agent travelling from one host to another never reaches its destination, due to crashes or because it is terminated by a malicious host or agent. This is an agent failure.
The host platform on which an agent resides crashes or shuts down unexpectedly due to failure. Many agents on the host may be inactive but in a waiting state because external events are unavailable. If more agents migrate through this host, it may run out of memory. This is an agent host failure.
The destination node fails or there is a failure in the communication link.


For a continuous or free-roaming mobile agent this is a serious issue, because the agent at the nth host holds the information from the preceding n-1 hosts (Stratter, Rothermel, 1998). If the nth host (malicious) kills the agent, or the nth host (genuine) fails after receiving the agent, it is difficult to get the data again. Moreover, the owner does not learn that the agent is dead; that is, the owner cannot tell whether the agent is alive or not. This is a serious issue for e-service applications, especially e-learning and e-commerce.


In an example e-learning scenario, a mobile agent (continuous or free-roaming) may be dispatched to collect information such as class schedules, internal marks and project details on behalf of the learner. Every tutor has their own server holding the students' details, some of which may be secret. Suppose a learner initiates an agent to collect his internal marks from n tutors. In the middle of the itinerary (say at the 3rd of 5 tutor servers) the agent is killed by a malicious host, or the server on which the agent currently resides fails for some reason. In this situation the learner waits for the agent for some time, then creates and sends a new agent, repeating until an agent comes back. Sometimes the learner cannot get the result from the tutor servers at all because of a malicious host in the middle of the journey. This makes people avoid mobile agent based e-learning environments even though they have a number of advantages. To solve this problem of agents being captured by malicious hosts, with the subsequent data loss in e-services, this paper proposes an agent platform independent mechanism that uses timely acknowledgements and a partial result method to recover the mobile agent when it is killed or when the agent server on which it currently resides fails.
The rest of the paper is organized as follows. Section 2 discusses related work. Section 3 describes the proposed non-blocking approach, which protects agents by using acknowledgements and returning partial results to the originator when the agent is captured by a malicious or hostile host. This is followed by experimental evaluation in Section 4 and conclusions in Section 5.


II. RELATED WORK

As mobile agent systems scale up, their failure rate may also rise. Several techniques have been proposed for providing fault tolerance in mobile agent systems (Qu et al., 2005); they broadly fall under two basic categories, replication and checkpointing. Checkpointing is one of the most widely used fault tolerance techniques and can be classified into synchronous, asynchronous and quasi-synchronous algorithms (Yang et al. 2006). For recovery, an agent needs to roll back to a consistent state. Message logging for rollback recovery requires that each agent periodically save its local state and log every message sent and received. Message logging protocols are classified into pessimistic, optimistic and causal (Elnozahy et al. 2002). Replication schemes, as discussed in (Pleisch, Schiper, 2001), mainly rely on replicated servers or agents to mask failures. Pair processing (Gray and Reuter 1993) is a well-known technique for improving process reliability. It is a collection of two processes that together provide a service: one is considered the primary and the other the shadow. Any change to the primary is also applied to the shadow. If the primary fails, the shadow takes over. The primary and shadow processes ping each other to determine that each is still alive. Unrh et al. (2005) also apply this pair process model in their Semantic-Compensation-Based Recovery model. However, pair processing is not applicable to colluded attacks. Vogler et al. (1997) propose that a mobile agent inject a replica into stable storage upon arriving at an agent server. However, in the event of an agent server crash, the replica remains unavailable for an unknown period.


Simon et al. (2003) propose the mobile shadow scheme, which uses a pair of replica mobile agents, master and shadow, to survive remote agent server crashes. The master is created by its home agent server H and is responsible for executing a task T at a sequence of hosts described by its itinerary. Initially the master spawns a shadow, shadowhome, at its home agent server before it migrates to and executes at the first agent server in its itinerary, i.e. AGi. Before the master migrates to the next host in the itinerary, i.e. AGi+1, it spawns a clone, shadow i, and sends a die message to shadowhome. Shadow i repeatedly pings agent server AGi+1 until it receives a die message from its master.


Shadow: A shadow or clone in the preceding server terminates when it receives a die message from its master. This signifies that the master has completed execution at AGi+1 and spawned a new clone, shadow i+1, to monitor agent server AGi+2. However, assume the master is lost due to an agent server crash at AGi+1. In this case shadow i at AGi detects the crash of its master, spawns a new clone shadow i and proceeds to visit agent server AGi+2. Consequently shadow i is the new master.
Master: A master pings its shadow at AGi-1 concurrently with the execution of task t. In the normal case the master completes its execution and spawns a new clone shadow to monitor the next host, AGi+1. Before the master migrates, it sends a die message to terminate the shadow at AGi-1. If the master detects a shadow crash, it spawns and dispatches a replacement shadow to the preceding active agent server. Before the master migrates to the next host in its itinerary, it sends a die message to terminate the replacement shadow.
The major drawbacks of this scheme are the timeout overhead and the mobile shadow overhead. The timeout overhead represents the re-sending of the agent, and the mobile shadow overhead represents the time for pinging the shadow with the master running on the remote agent server. Apart from this issue, the scheme concentrates on the agent server crash (i.e., if an agent server crashes, then the agent automatically crashes), not only the agent crash, and it is not applicable to recovering the agent from colluded attacks. In a colluded attack, more than one host, for example the preceding host and the current host, can combine to crash the agent. All of this is addressed by the proposed approach of sending timely acknowledgements and partial results, which focuses on reliably returning the information collected by the mobile agent to the originator even when the mobile agent is captured by malicious host(s).

III. METHODOLOGY
PROPOSED SCHEME FOR ACHIEVING NON BLOCKING PROPERTY

The main aim is to ensure that the originator of the mobile agent has, at any point in time, information about the state of the mobile agent and its partial results, along with the ability to update the preferences the mobile agent is carrying. The primary consideration is handling the scenario where a host first obtains authentication and then, having obtained the authority for mobile agent execution, begins to behave maliciously. Hosts that have turned hostile pose the danger of blocking the mobile agent and halting its further movement in the network. It is assumed that the agent's operations are idempotent, thus overriding the exactly-once requirement, and that non-blocking is the primary property to be ensured.
The notations used in implementing the non-blocking property are as follows:
O*: Originator
Hi: Hosts visited by the agent during its movement in the network (1 < i < n)
MA: Mobile agent originally launched.
MAi: Mobile agent with new / changed preferences.
pMA: Mobile agent carrying partial results.
LTMA: Lifetime of mobile agent.
Ii: Information collected from host i.
FTMA: Fault tolerant time.
ACK(Hi): Acknowledgement from host Hi.


The implementation scenario considered is a web-based e-market that provides the user with information on products for sale by collecting and comparing the prices of the set of products specified by the user. For time-sensitive applications such as the stock market, online shopping, etc., the information needs to be collected in real time from different hosts H1, H2, ..., Hn selected dynamically by a freely roaming mobile agent over the network. The originator is therefore assumed to be always connected to the network to collect the results. A host that has turned hostile may block the mobile agent for its own interest. The following section describes the solution proposed to protect execution of the mobile agent in the implementation scenario against blocking attacks.
Fig. 1: Mobile agent executions on different hosts
(Diagram labels: Originator O*, Host 1, Host 2, ..., Host n-1, Host n; stages S1, S2, ..., N-1, N; MA(I0), MA(I0, I1), MA(I0, I1, I2), MA(I0, I1, I2, I3, ..., IN-1), rMA(I0, I1, I2, I3, ..., IN); LTMA.)

In the proposed solution, an agent is originally launched by the originator O*. Fig. 1 shows the general operation of a mobile agent that returns to the originator after the expiry of its lifetime. Various implementation schemes are possible. One of them is sending timely acknowledgements, as shown in Fig. 2.


Fig. 2: Mobile agent execution with acknowledgement by each host
(Diagram labels: Originator O*, Host 1, Host 2, ..., Host n-1, Host N; stages S1, S2, ..., N-1, N; MA(I0), MA(I0, I1), MA(I0, I1, I2), MA(I0, I1, I2, I3, ..., IN-1), rMA(I0, I1, I2, I3, ..., IN); ACK(H1), ACK(H2), ..., ACK(HN-1), ACK(HN); LTMA.)


The host Hi+1, having received the mobile agent, is required to send the acknowledgement ACK(Hi+1) to the host Hi, conveying that the mobile agent has been successfully forwarded to the next host, i.e. Hi+2, after its successful operation on Hi+1. Another implementation uses the fault tolerant time as a parameter. FTMA is predefined depending on the network's transmission time and on the time sensitivity of the application.

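Fig. 3: Mobile agent execution scenario, with agent custody at host 4
(Diagram labels: Originator O*, Host 1 to Host 4; stages S1 to 4; MA(I0), MA(I0, I1), MA(I0, I1, I2), MA(I0, I1, I2, I3), pMA(I0, I1, I2, I3); ACK(H1), ACK(H2), ACK(H3); FTMA, LTMA.)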

If the fault tolerant time expires and no acknowledgement has been received from Hi+1, then Hi sends the set of information collected so far back to the originator in the form of pMA. If the agent lifetime expires and the partial results received by the originator do not prove sufficient, the originator has the option of re-launching the mobile agent. The scenario in which a hostile host captures the mobile agent results in a timeout of the fault tolerant time, so that pMA is sent back to the originator by the host preceding the hostile host, as shown in Fig. 3. The mobile agent was captured at host 4. Host 3 waits for duration FTMA. As no ACK is received, it sends its partial results back to the originator. Thus the owner has all the information collected by the mobile agent before it was captured by the hostile host. To further strengthen the above scheme, the concept of sending the partial results back to the originator after a pre-decided number of visited hosts is used. After having collected information from n hosts, the host where the agent is currently residing should send an acknowledgement to the originator as ACK(Hi), helping the originator to periodically track the mobile agent, as shown in Fig. 4.


Fig. 4: Mobile agent execution with n=2 scenario
(Diagram labels: Originator O*, Host 1 to Host 5; MA(I0), MA(I0, I1), MA(I0, I1, I2), MA(I0, I1, I2, I3), MA(I0, I1, I2, I3, I4), rMA(I0, I1, I2, I3, I4, I5); ACK(H2), ACK(H4); LTMA.)

Consider the scenario in which the agent has been captured by the hostile host Hk. For example, in execution of a mobile agent with n = 3, when the number of visited hosts reaches 3, an acknowledgement is sent to the originator. The FTMA is also used as a check to send the acknowledgement to the originator. But if the agent is captured when neither the fault tolerant time nor the lifetime of the agent has expired, the originator does nothing until one of them expires. At expiry of either time, the originator sends a PROBE(Hj) to the host Hj (Hj, with j < k, being the last host from which the originator has received an acknowledgement). The host Hj then sends the originator the offered information collected up to host Hj. The combination of the two tracking parameters, i.e. FTMA and acknowledgement after n hosts visited, limits the loss of information, as shown in Fig. 5. Along with timely acknowledgements, the scheme also provides the ability to trace the agent's location at the end of the fault tolerant time or after the mobile agent has visited n hosts. The storage burden on the hosts may be lowered by allowing the hosts to flush the information after some safe time period if no PROBEs are received from the originator. The safe period may usually be set as a multiple of FTMA. For time-sensitive applications over unreliable networks, the fault tolerant time could be kept small, but this may lead to excessive communication and storage overheads. The two parameters may be defined according to the security requirement and time sensitivity of the application.

Fig. 5: Mobile agent execution with partial results being returned after FTMA (n=4)
(Diagram labels: Originator O*, Host 1 to Host 5; MA(I0), MA(I0, I1), MA(I0, I1, I2), MA(I0, I1, I2, I3), MA(I0, I1, I2, I3, I4), rMA(I0, I1, I2, I3, I4, I5); ACK + pMA(I0, I1, I2), ACK + pMA(I0, I1, I2, I3, I4); three FTMA intervals within LifeTime (Lt).)
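
The following Python model is an added example (not the paper's Aglets implementation) that traces the host-to-host ACK, FTMA timeout, periodic ACK(Hi) and PROBE(Hj) rules described above and reports what the originator recovers. The function names, the `unresponsive` set and the one-message-per-event count are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class Outcome:
    returned: bool    # True when the agent came home as rMA
    recovered: list   # information items the originator O* ends up holding
    via: str          # "rMA", "pMA", "PROBE" or "none"
    messages: int     # migrations + ACKs + pMA + PROBE traffic (model count)


def run_itinerary(num_hosts, n, hostile=None, unresponsive=frozenset()):
    """Walk one agent over H1..H<num_hosts>.

    n            -- hosts visited between ACK(Hi) messages sent to O*
    hostile      -- index k of the host that captures the agent, or None
    unresponsive -- hosts that ran the agent but later neither send pMA nor
                    answer PROBE (crashed or colluding; modelling assumption)
    """
    results = ["I0"]   # I0 is what the originator put into MA
    stored = {}        # copy each host keeps until its safe period ends
    last_ack = 0       # j: last host whose periodic ACK(Hj) reached O*
    messages = 0
    for i in range(1, num_hosts + 1):
        messages += 1                      # agent migrates to Hi
        if i == hostile:                   # Hk blocks the agent here
            return _recover(i, stored, last_ack, unresponsive, messages)
        results.append(f"I{i}")
        stored[i] = list(results)
        if i % n == 0:                     # every n hosts: ACK(Hi) to O*
            last_ack = i
            messages += 1
        messages += 1                      # ACK(Hi) back to the previous hop
    return Outcome(True, results, "rMA", messages + 1)   # +1: rMA to O*


def _recover(k, stored, last_ack, unresponsive, messages):
    """No ACK(Hk) arrives, so the FTMA timer of H(k-1) runs out."""
    prev = k - 1
    if prev >= 1 and prev not in unresponsive:
        # The predecessor ships everything collected so far as pMA.
        return Outcome(False, stored[prev], "pMA", messages + 1)
    if last_ack >= 1:
        messages += 1                      # O* sends PROBE(Hj)
        if last_ack not in unresponsive:
            return Outcome(False, stored[last_ack], "PROBE", messages + 1)
    # Nothing came back: O* still has only I0 and may re-launch the agent.
    return Outcome(False, ["I0"], "none", messages)


if __name__ == "__main__":
    # Constructed scenarios, not measurements from the paper.
    print(run_itinerary(5, n=3, hostile=4))                    # Fig. 3 case
    print(run_itinerary(8, n=2, hostile=6, unresponsive={5}))  # PROBE path
    print(run_itinerary(8, n=2, hostile=5, unresponsive={4}))  # PROBE unanswered
    for n in (2, 3, 4):
        print(n, run_itinerary(12, n).messages)                # clean trips
```

In this model a clean 12-host trip needs fewer messages as n grows, while the information left uncollected when the predecessor stays silent can grow up to n-1 items.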


With security and fault tolerance taken care of, the above approach may be efficient in handling time-sensitive applications where information acquired by the mobile agent may lose value over time (e.g. the stock market). Thus periodic retrieval of results may prove useful along with protecting agents against blocking attacks. If, during the execution of the mobile agent, the user wishes to change the preferences, the originator may launch another mobile agent with renewed preferences. The timing of sending back partial information or results can be based on either of the two parameters discussed above; the user decides on new preferences based on the received partial results. The originator may send an updated mobile agent pMA containing the new preferences to the host Hi (Hi being the host from which the acknowledgement was last received). Thus the user has the ability to change the preferences and criteria gradually, based on the information collected by the agent and the user's own preferences.

IV. IMPLEMENTATION AND PERFORMANCE STUDY


The proposed system of multiple agents performing in collaboration in a group has been implemented on IBM Aglets over a network of systems, each configured with 1 GB RAM and a 3.2 GHz processor, connected by 10/100 MBPS Ethernet. Aglets is a Java-based graphical interface for developing distributed multi-agent systems. The hosts need not all have the same configuration, but the Aglets platform must be installed on each host. To gauge the performance of the implemented scheme, we intentionally made some host(s) behave maliciously and had the agent captured during its execution. The ability of the approach to protect the agent from attacks was then revealed.


An agent moves from one node to another by sending a message between these nodes. In this experiment, we look at the behavior for hosts. The experiment examined the cost of sending acknowledgements and partial results in the case that host speeds are uniform. We are interested in how n, i.e. the number of hosts visited prior to sending an acknowledgement or partial results, affects the communication overhead. The communication cost here is the time (in ms) needed to send a message to a processor and to receive a reply message from the processor.
As shown in Fig. 6, it was found that the communication overhead decreased with increase in n. Blocking attacks may be considerably prevented by deciding upon an optimal value of n. The deciding factor for n could be the network performance and speed. If the probability of encountering a malicious host is high, then it is seen that the optimal value of n ensures that partial or complete results reach the originator, thereby preventing complete loss of the information or results collected.

Fig. 6: Communication overhead with variation in number of hosts visited prior to sending back acknowledgement (n).
(Plot: Communication Overhead (bytes) against Number of Hosts, with one series each for n=2, n=3 and n=4.)

Fig. 7 shows the comparison of execution time of the mobile agent carrying partial results back to the originator. As the updating cost is a function of the acknowledging frequency, we compare the execution time of the mobile agent containing the rescued data by gauging the performance of an agent that acknowledged after visiting every 2, 3 and 4 hosts. Choosing a small value of n may increase the message size, resulting in higher execution time, but for time-sensitive real-time applications the overhead may be bearable. Returning partial results to the originator assures that the originator has the latest results even if the agent is captured by a malicious host. Thus the possibility of the originator losing all information is considerably lowered.

Fig. 7: Comparison of execution time of mobile agent with partial results
(Plot: Time (ms) against Number of agents visited, with one series each for n=2, n=3 and n=4.)


V. CONCLUSION


In this paper, we proposed a platform independent non-blocking mechanism for fault tolerance, which has been integrated into e-service applications for prevention against attacks in various Internet applications. The presented system of sending acknowledgements makes mobile agent tracking possible for the originator of the mobile agent in case of a blocking attack by a malicious host. In addition, sending back partial results after some predefined fault tolerant time and after having visited a predefined number of hosts provides protection against complete loss of information due to blocking attacks. Implementation and experimental studies prove that with balanced acknowledging frequencies and message overhead, the probability of complete loss of the mobile agent due to agent capture by a malicious host in the network is significantly reduced. This makes mobile agents better suited for time-sensitive e-service applications, along with providing protection against possible faults. As part of future work, we propose comparative experimental studies of the proposed mechanism against other existing mechanisms.
REFERENCES

[1] Nwana, H. S. (1996) Software Agents: An Overview, Knowledge Engineering Review, Vol. 11, No.
3, pp.1 - 40, Cambridge University Pre.
[2] Lange, D.B. and Oshima, M. (1999) Seven Good Reasons for Mobile Agents, Communications of
the ACM, vol. 42, No. 3, pp. 88-89.
[3] Silva, M.A. and Macdo, R. J. A. (2000) Reliability Requirements in Mobile Agent Systems, Second
Workshop on Tests and Fault-Tolerance (II WTF2000), Curitiba, Brazil.

[4] Schoeman, M. and Cloete, E. (2003) Architectural components for the efficient design of mobile
agent systems, ACM 2003 annual Research Conference of the South African Institute of Computer
Scientists and Information Technologists on Enablement through Technology , pp. 48-58, South Africa.
[5] Stratter, M. and Rothermel, K. (1998) Reliability Concepts for Mobile Agents, International Journal
of Cooperative Information Systems 7(4) pp. 355-382.
[6] Manvi, S.S. and Venkataram, P. (2004) Applications of agent technology in communications: a
review, Springer Computer Communication, 2004, pp. 1493-1508.

[7] Qu, W., Shen, H. and Defago, X. (2005) A survey of mobile agent-based fault-tolerant technology,
Proceedings of Sixth IEEE International Conference on Parallel and Distributed Computing
Applications and Technologies, pp. 446-450.
[8] Yang, J., Cao, J. and W. Wu, (2006) CIC: An integrated approach to checkpointing in mobile agent
systems, Proceedings of the Second IEEE International Conference on Semantics, Knowledge and
Grid.

[9] Elnozahy, E. N. M., Alvisi, L., Wang, Y. and Johnson, D. B. (2002) A survey of rollback-recovery
protocols in message-passing systems, ACM Computing Surveys, Vol. 34, Nr. 3, 2002, pp. 375-408.


[10] Pleisch, S. and Schiper, A. (2003) S-A Fault-Tolerant Mobile Agent System Based on the Agent-Dependent Approach, Proceedings of the IEEE International Conference on Dependable Systems and
Networks, pp. 215-224.


[11] Gray, J. and Reuter, A. (1993) Transaction Processing: Concepts and Techniques, The Morgan
Kaufmann Series in Data Management Systems.
[12] Unrh, A., Harjadi, H. and Bailey, J. (2008) Semantic-compensation-based recovery in multi-agent
systems, 2nd symposium on Multi-agent Security and Survivability, pp. 85-94.
[13] Vogler, H., Hunklemann, T. and Moschgath, M. (1997) An approach for mobile agent security and
fault tolerance using distributed transactions, International Conference on Parallel and Distributed
Systems (ICPADS'97), Seoul, pp. 268-274.
[14] Simon, P., Jie, X. and Cornelia, B. (2009) Mobile agent fault tolerance for information retrieval
applications: an exception handling approach, Proceedings of the Sixth International Symposium on
Autonomous Decentralized Systems (ISADS'03), pp. 115-122.
