ISA2008

IADIS INTERNATIONAL CONFERENCE
INTELLIGENT SYSTEMS AND
AGENTS 2008
part of the
IADIS MULTI CONFERENCE ON COMPUTER SCIENCE AND
INFORMATION SYSTEMS 2008

iii
PROCEEDINGS OF THE
IADIS INTERNATIONAL CONFERENCE
INTELLIGENT SYSTEMS AND
AGENTS 2008
part of the
IADIS MULTI CONFERENCE ON COMPUTER SCIENCE AND
INFORMATION SYSTEMS 2008
Amsterdam, The Netherlands
JULY 22 - 24, 2008
Organised by
IADIS
International Association for Development of the Information Society

iv
Copyright 2008
IADIS Press
All rights reserved
This work is subject to copyright. All rights are reserved, whether the whole or part of the material
is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other way, and storage in data banks.
Permission for use must always be obtained from IADIS Press. Please contact secretariat@iadis.org
Intelligent Systems and Agents Volume Editor:
António Palma dos Reis
Computer Science and Information Systems Series Editors:
Piet Kommers, Pedro Isaías and Nian-Shing Chen
Associate Editors: Luís Rodrigues and Patrícia Barbosa
ISBN: 978-972-8924-60-7

v
TABLE OF CONTENTS
FOREWORD ix
PROGRAM COMMITTEE xiii
KEYNOTE LECTURES xvii
FULL PAPERS
ANOMALIES DETECTION ON FIREWALLS USING THE MOBILE AGENTS
APPROACH
Fakher Ben Ftima, Kamel Karoui and Henda Ben Ghezala
3
USING HONEY-AGENTS FOR ESTABLISHING TRUST IN MOBILE-AGENTS
E-COMMERCE APPLICATIONS
Sandhya Armoogum and Nawaz Mohamudally
12
FRAMEWORK FOR DEFINING AND RUNNING INTEGRATION TESTS OF
MULTI AGENT SYSTEMS
Khaled Nagi
20
FRAMEWORK FOR AUTOMATED NEGOTIATION: PRELIMINARY REPORT
Fernando Lopes, A. Q. Novais and Helder Coelho
29
TOWARDS A DISTRIBUTED COGNITIVE VIEW OF THE AGENT-MEDIATED
SEMANTIC WEB
Amna Basharat and Gabriella Spinelli
37
A DECLARATIVE PROGRAMMING PARADIGM AND THE DEVELOPMENT OF
KNOWLEDGE MINING AGENTS
Nittaya Kerdprasop and Kittisak Kerdprasop
45
A NOVEL SEMANTIC APPROACH TO DOCUMENT COLLECTIONS
Andrea Addis, Manuela Angioni, Giuliano Armano, Roberto Demontis, Franco Tuveri and
Eloisa Vargiu
53
EFFICIENT QUERY PROCESSING OVER SEMANTIC CACHE
Munir Ahmad, Muhammad Abdul Qadir, Abdul Razaque and Muhammad Sana Ullah
61
VERT: AN AUTOMATIC SUMMARY EVALUATION SYSTEM
Paulo C F de Oliveira, Edson Wilson Torrens, Alexandre Cidral, Sidney Schossland and Evandro
Bittencourt
69

vi
A HYBRID ALGORITHM FOR THE FUZZY P-MEDIAN PROBLEM
J.M. Cadenas , J.V. Carrillo , M.C. Garrido, M.J. Canós , C. Ivorra and V. Liern
77
MODELING MULTIAGENT SYSTEMS USING COLORED PETRI NETS
Maryam Nooraee Abadeh and Kamran Zaminifar
85
ARARA: ARTIFACTS AND REQUIREMENTS AWARENESS REINFORCEMENT
AGENTS
Ester J. C. de Lima, José A. Rodrigues Nt., Geraldo B. Xexéo and Jano M. de Souza
92
OPEN HOLONIC MULTI-AGENT ARCHITECTURE FOR INTELLIGENT
TUTORING SYSTEM DEVELOPMENT
Egons Lavendelis and Janis Grundspenkis
100
RISKS IN AGENT-SUPPORTED STOCK MARKET TRADING DECISION MAKING
Shenghua Liu, Sacha Helfenstein and Pertti Saariluoma
109
FORMING TEAMS WITHIN WIKI
Andrew Burrow and Clemens Mayr
117
DISASTER EVACUATION SUPPORT SYSTEM FOR VISITORS
Yoshio Nakatani, Daisuke Watanabe and Mie Nakatani
127
OBJECT TRANSPORTATION WITH AN AGENT INSPIRED BY THE INNATE
AND ADAPTIVE IMMUNE RESPONSES
Fredy Fernando Munoz M., Luis Fernando Nino V. and Gerardo Quintana Lopez
135
THE EFFECT OF GENETIC OPERATIONS ON THE DIVERSITY OF EVOLVABLE
NEURAL NETWORKS
Hany Sallam, Carlo S. Regazzoni, Ihab Talkhan and Amir Atiya
143
AN AUTOMATIC METHOD TO ASSIGN LOCAL RISK
J.L. Castro, M. Navarro, J.M. Sánchez and J.M. Zurita
151
SHORT PAPERS
AGENT NEGOTIATION STRATEGY IN THE ELECTRONIC MARKETPLACE
Dorin Militaru
161
A MODEL FOR PERSONAL LEARNING AGENTS WITH AN INDUCTIVE
LEARNING AGENT-BASED SYSTEM
Hammoud Djamila, Sahnoun Zaidi, Kebache Ramzi and Benelmadani Billel
166
ASPECT-BASED MULTIAGENT SYSTEMS OBSERVATION FOR
PERFORMANCE EVALUATION
Faten Ben Hmida, Wided Lejouad Chaari, and Moncef Tagina
172
DEVELOPING OF AN INTELLIGENT SYSTEM FOR FUELS QUALITY CONTROL
AND MONITORING
Reinaldo de Jesus da Silva, Sofiane Labidi, Milson Silva Monteiro and Osevaldo da Silva Farias
177

vii
CELLULAR PETRI NETS
J.M. Maestre and E.F. Camacho
182
TOWARDS AUTONOMIC DEPLOYMENT DECISION MAKING
Rico Kusber, Sandra Haseloff and Klaus David
188
IMPLEMENTATION OF THE GENE EXPRESSION PROGRAMMING IN THE
GENERATION OF PROGRAM TO CALCULATE THE INTEREST RATE IN
UNIFORM PAYMENT SERIES
Evandro Bittencourt, Raul Landmann, Paulo César Oliveira, Sidney Schossland and Edson
Wilson Torrens
193
EVOLUTION OF ARTIFICIAL NEURAL NETWORKS FOR ROBOT CONTROL
USING SPECIATION AND COMPLEXITY MEASURES
Thomas Jorgensen and Barry Haynes
198
DESIGNING AN EXPERT SYSTEM OF LIVER DISORDERS BY USING NEURAL
NETWORK AND COMPARING IT WITH PARAMETRIC AND NONPARAMETRIC
SYSTEM
Mehdi Neshat , Mehdi Yaghobi and Mohammad Naghibi
202
REFLECTION PAPER
A HYBRID FRAMEWORK TOWARDS THE SOLUTION FOR PEOPLE WITH
DISABILITY EFFECTIVELY USING COMPUTER KEYBOARD
Karim Ouazzane, Jun Li and Marielle Brouwer
209
POSTERS
FUZZY LOGIC FOR FORMAL SPECIFICATIONS OF SYSTEMS
Victoria López and Javier Montero
215
AN APPROACH FROM COOPERATIVE GAMES TO THE ACCESSIBILITY IN
ORIENTED NETWORKS
Rafel Amer, Antonio Magaña and José Miguel Giménez
219
INTRODUCTION OF A COOPERATIVE GAME TO DEFINE A CONCEPT OF
WEIGHTED CONNECTIVITY ON THE NODES OF CONNECTED GRAPHS
Rafael Amer and José Miguel Giménez
222

viii
ENTERPRISE INFORMATION SYSTEMS ENGINEERING METHOD BASED ON
SEMANTIC MODELS OF MULTI-AGENT RESOURCE CONVERSION
PROCESSES AND SOFTWARE
Konstantin A. Aksyonov, Irina A. Spitsina, Evgeny A. Bykov and Natalia V. Goncharova
225
IMPLEMENTATION OF 2D OCCUPANCY MAP FOR EFFECTIVE PATH
PLANNING OF AN MOBILE ROBOT
Jung-hwan Ko and Jung-suk Lee
228
IMPLEMENTATION OF THE 3D ROBOT VISION SYSTEM THROUGH THE
CONVERGENCE CONTROL BASED ON THE OPTO-DIGITAL SCHEME
Jung-hwan Ko and Jung-suk Lee
231
R4P PROJECT, AN OPEN QUADRUPEDAL ROBOT
Luis I. Díaz del Dedo, Luis A. Pérez García, Fernando Berenguer and Nourdine Aliane
234
A FORMAL INTERPRETATION OF IMPLICIT MESSAGES IN AGENT
DIALOGUES
Fernando Ramos Quintana, Josefina Sámano Galindo and Víctor H. Zárate Silva
237
ARCHITECTURAL MODEL FOR MULTI-AGENTS SYSTEMS
González Moreno, Juan Carlos and Luis Vázquez López
241
DOCTORAL CONSORTIUM
COGNITIVE APPROACH TO THE DESIGN OF A USER-ADAPTIVE INTERFACE
FOR AN INTELLIGENT PRODUCT CONSULTING SYSTEM
Elena Minina
247
AUTHOR INDEX

ix
FOREWORD
These proceedings contain the papers of the IADIS International Conference on Intelligent
Systems and Agents 2008, which was organised by the International Association for
Development of the Information Society in Amsterdam, The Netherlands, July 22 – 24,
2008. This conference is part of the Multi Conference on Computer Science and
Information Systems 2008, 22 - 27 July 2008, which had a total of 1211 submissions.
The IADIS Intelligent Systems and Agents conference addresses in detail two main aspects:
intelligent systems and agents. The conference has the intention to provide a contribution to
academics and practitioners. So, both fundamental and applied research are considered
relevant.
Submissions were accepted under the following areas and topics:
Area 1 – Intelligent Systems
- Algorithms
- Artificial Intelligence
- Automation Systems and Control
- Bio Informatics
- Computational Intelligence
- Expert Systems
- Fuzzy Technologies and Systems
- Game and Decision Theories
- Intelligent Control Systems
- Intelligent Internet Systems
- Intelligent Software Systems
- Intelligent Systems
- Machine Learning
- Neural Networks
- Neurocomputers
- Optimization
- Parallel Computation
- Pattern Recognition
- Robotics and Autonomous Robots
- Signal Processing
- Systems Modelling
- Web Mining
Area 2 – Agents
- Adaptive Agent Systems
- Agent Applications
- Agent Communication
- Agent Development

x
- Agent middleware
- Agent Models and Architectures
- Agent Ontologies
- Agent Oriented Systems and Engineering
- Agent Programming, Languages and Environments
- Agent Systems
- Agent Technologies
- Agent Theories
- Agent Trends
- Agents Analysis and Design
- Agents and Learning
- Agents and Ubiquitous Computing
- Agents in Networks
- Agents Protocols and Standards
- Artificial Systems
- Computational Complexity
- eCommerce and Agents
- Embodied Agents
- Mobile Agents
- Multi-Agent Systems
- Negotiation Strategies
- Performance Issues
- Security, Privacy and Trust
- Semantic Grids
- Simulation
- Web Agents
The IADIS Intelligent Systems and Agents 2008 conference received 97 submissions from
more than 26 countries. Each submission has been anonymously reviewed by an average of
four independent reviewers, to ensure that accepted submissions were of a high standard.
Consequently only 19 full papers were approved which means an acceptance rate below 20
%. A few more papers were accepted as short papers, reflection papers and posters. An
extended version of the best papers will be published in the IADIS International Journal on
Computer Science and Information Systems (ISSN: 1646-3692) and also in other selected
journals.
Besides the presentation of full papers, short papers, reflection papers, doctoral papers and
posters, the conference also included two keynote presentations from internationally
distinguished researchers. We would therefore like to express our gratitude to Professor
James Hendler, Tetherless World Constellation Chair, Rensselaer Polytechnic Institute,
USA and Professor Lucia Rapanotti, Department of Computing, The Open University, UK
for accepting our invitation as keynote speakers.
As we all know, organising a conference requires the effort of many individuals. We would
like to thank all members of the Program Committee, for their hard work in reviewing and
selecting the papers that appear in the proceedings.

xi
This volume has taken shape as a result of the contributions from a number of individuals.
We are grateful to all authors who have submitted their papers to enrich the conference
proceedings. We wish to thank all members of the organizing committee, delegates,
invitees and guests whose contribution and involvement are crucial for the success of the
conference.
Last but not the least, we hope that everybody will have a good time in Amsterdam, and we
invite all participants for the next year edition of the IADIS International Conference on
Intelligent Systems and Agents 2009, that will be held in Algarve, Portugal.
António Palma dos Reis,
ISEG - Technical University of Lisbon,
Portugal
Intelligent Systems and Agents 2008 Conference Program Chair
Piet Kommers, University of Twente, The Netherlands
Pedro Isaías, Universidade Aberta (Portuguese Open University), Portugal
Nian-Shing Chen, National Sun Yat-sen University, Taiwan
MCCSIS 2008 General Conference Co-Chairs
Amsterdam, The Netherlands
July 2008

xiii
PROGRAM COMMITTEE
INTELLIGENT SYSTEMS AND AGENTS CONFERENCE
PROGRAM CHAIR
Antonio Palma dos Reis, ISEG - Technical University of Lisbon, Portugal
MCCSIS GENERAL CONFERENCE CO-CHAIRS
Piet Kommers, University of Twente, The Netherlands
Pedro Isaías, Universidade Aberta (Portuguese Open University), Portugal
Nian-Shing Chen, National Sun Yat-sen University, Taiwan
INTELLIGENT SYSTEMS AND AGENTS CONFERENCE COMMITTEE
MEMBERS
Adel M. Alimi, University of Sfax, Tunisia
Adina Magda Florea, University "Politehnica" of Bucharest, Romania
Adrian Perreau de Pinninck, Universitat Autonoma de Barcelona, Spain
Agris Nikitenko, Riga Technical University, Latvia
Alessandro Ricci, Università di Bologna in Cesena, Italy
Alfredo Cuzzocrea, University of Calabria, Italy
Alfredo Garro, Universita' della Calabria, Italy
Amar Balla, Institut National d'Informatique, Algeria
Amine Boumaza, LORIA, France
Andrea Addis, University of Cagliari, Italy
Andrea Giovannucci, Campus Universitat Autonoma de Barcelona, Spain
Angel García-Olaya, Universidad Carlos III de Madrid, Spain
Anton Bogdanovych, UTS, Australia
Anton Nijholt, University of Twente, The Netherlands
Baklouti Nesrine, University of Sfax, Tunisie
Behrouz Homayoun Far, University of Calgary, Canada
Boštjan Pajntar, Jožeph Stefan Institute, Slovenia
Clinton Woodward, Swinburne University of Technology, Australia
Costin Badica, University of Craiova, Romania
Dariusz Krol, Wroclaw University of Technology, Poland
David A. Pelta, University of Granada, Spain

xiv
Dickson K.W. Chiu, Computer Systems, Hong Kong
Dídac Busquets, Universitat de Girona, Spain
Djamel Bouchaffra, Grambling State University, USA
Djamila Ouelhadj, ASAP Research Group, UK
Eloisa Vargiu, DIEE - University of Cagliari, Italy
Esma Aimeur, University of Montréal, Canada
Ezendu Ariwa, London Metropolitan University, United Kingdom
Fariba Sadri, Imperial College London, UK
Federico Bergenti, Università degli Studi di Parma, Italy
Federico Castanedo Soltela, Universidad Carlos III de Madrid, Spain
Fernando Lyardet, Darmstadt University of Technology, Germany
Fernando Ramos, Tecnologico de Monterrey, México
Fikret Ercal, University of Missouri, USA
Francesco Amigoni, Politecnico di Milano, Italy
Germán Gutiérrez Sánchez, Universidad Carlos III de Madrid, Spain
Giovanni Semeraro, University of Bari, Italy
Giuliano Armano, University of Cagliari, Italy
Giuseppe Mangioni, Universita di Catania, Italy
Giuseppe Vizzari, University of Milano – Bicocca, Italy
Guillaume Muller, École d'Ingénieurs de Luminy, France
Hans Werner Guesgen, Massey University, New Zealand
Haralambos Mouratidis, University of East London, United Kingdom
Heinrich C. Mayr, Alpen-Adria-Universitaet Klagenfurt, Austria
Huiye Ma, Centrum voor Wiskunde en Informatica (CWI), The Netherlands
Ian Watson, The University of Auckland, New Zealand
Ilhem Kallel, University of Sfax, Tunisia
Jacek Unold, Wroclaw University of Economics, Poland
Jackeline Spinola de Freitas, Universidad Politécnica de Madrid, Spain
Jaime Ramírez, Universidad Politécnica de Madrid, Spain
James Montgomery, Swinburne University of Technology, Australia
Janis Grundspenkis, Riga Technical University, Latvia
Jaume Bacardit, University of Nottingham, UK
Javier Carbó Rubiera, Univ. Carlos III de Madrid, Spain
Jesualdo Tomás Fernández Breis, University of Murcia, Spain
Jesús García Herrero, Universidad Carlos III de Madrid, Spain
Jim Cunningham, Imperial College, UK
Jordi Sabater-Mir, IIIA-CSIC, Spain
Jorge A. Ramírez-Uresti, ITESM-CEM, Mexico
Jørgen Villadsen, Technical University of Denmark, Denmark
José Antonio Iglesias, University of Carlos III, Spain
José Carlos Cortizo Pérez, Universidad Europea de Madrid, Spain
José Manuel Molina López, Universidad Carlos III de Madrid, Spain

xv
Juan A. Rodríguez-Aguilar, Universitat Atuònoma de Barcelona, Spain
Juan Manuel Serrano, Universidad Rey Juan Carlos, Spain
Julius Stuller, Academy of Sciences of the Czech Republic, Czech Republic
Krysia Broda, Imperial College, UK
Lars Nolle, Nottingham Trend University, UK
Laura Naismith, McGill University, Canada
Laurent Vercouter, Ecole des Mines de Saint-Etienne, France
Laurentiu Vasiliu, DERI, National University of Ireland, Ireland
Leonardo Garrido, Tecnologico de Monterrey, México
Longbing Cao, Univ of Technology, Sydney, Australia
Luis Martí, University Carlos III of Madrid, Spain
Mª Araceli Sanchis de Miguel, Universidad Carlos III de Madrid, Spain
Maite López Sánchez, University of Barcelona, Spain
Manuel Atencia Arcas, Universitat Autonoma de Barcelona, Spain
Marc Esteva, University of Technology, Sydney, Australia
Maria Bielikova, Slovak University of Technology, Slovakia
María de los Angeles Constantino, Tecnologico de Monterrey, México
Maria Salamó Llorente, University of Barcelona, Spain
Mario Gomez, University of Aberdeen, UK
Marko Grobelnik, Josef Stefan Institute, Slovenia
Matjaz Gams, Jozef Stefan Institute, Slovenia
Mengjie Zhang, Victoria University of Wellington, New Zealand
Michelangelo Ceci, Università degli Studi di Bari, Italy
Miguel Angel Patricio, Universidad Carlos III de Madrid, Spain
Mirjana Ivanovic, University of Novi Sad, Serbia
Monique Calisti, Whitestein Technologies AG, Switzerland
Nicola Gatti, Politecnico di Milano, Italy
Nizar Rokbani, REGIM, Tunisia
P.K. Mahanti, University of New Brunswick, Canada
Paolo Petta, Austrian Research Institute for Artificial Intelligence, Austria
Patrick Wong, Open University, United Kingdom
Pilar Herrero, Universidad Politécnica de Madrid, Spain
Rainer Hilscher, New Vectors LLC, USA
Ramon F. Brena Pinero, Tecnológico de Monterrey, Mexico
Raúl Arrabales Moreno, Universidad Carlos III de Madrid, Spain
Raymond Chiong, Swinburne University of Technology, Malaysia
Razvan Andonie, Central Washington University, USA
Ricardo Imbert, l Universidad Politécnica de Madrid, Spain
Roland Kaschek, Massey University, New Zealand
Roman Neruda, Academy of Sciences of the Czech Republic, Czech Republic
Shenshneg Zhao, Governors State University, USA
Stuart Chalmers, University of Aberdeen, UK

xvi
Sven Brueckner, New Vectors, LLC, USA
Sviatoslav Braynov, University of Illinois, USA
Tarek M. Hamdani, University of Sfax, Tunisia
Thierry Moyaux, University of Liverpool, UK
Thomas Bolander, Technical University of Denmark, Denmark
Tibor Bosse, Vrije Universiteit Amsterdam, Netherlands
Tjeerd olde Scheper, Oxford Brookes University, United Kingdom
Tomas Klos, Delft University of Technology, The Netherlands
Tony Hirst, The Open University, United Kingdom
Vincent Thomas, LORIA, France
Viorel Negru, West University of Timisoara, Romania
Walt Truszkowski, NASA, USA
William Song, Durham University, UK
Yubin Yang, Nanjing University, China
Zoran Budimac, University of Novi Sad, Serbia

xvii
KEYNOTE LECTURES
WHERE ARE ALL THE AGENTS?
James Hendler
Tetherless World Constellation Chair
Rensselaer Polytechnic Institute, USA
ABSTRACT
In the late 1990s, many of us believed we were at a time where the large-scale deployment of agent-
based computing was right around the corner. The key obstacles to the wider deployment of agent-
based systems were identified early on as a need for interoperability and intercommunication.
Today, however, we have Web Service standards, supported by the largest software development
and support companies, which provide for many of the interoperability needs we identified.
We also have the Semantic Web seeing wide deployment and support from some of the larger data
providing companies. Open source toolkits and tens of thousands of ontologies in OWL are now
available to make domain engineering easier. We have many large Web providers that make access
to their systems available through some sort of service interface or in easily programmable ways, so
access to service providers abounds. Technologies transitioning from research to industry also
include data access for Semantic Web resources, rule- based Web languages, and even expressive
logics for the high end KR needs of some applications. However, looking at what is hot on the Web,
in IT development, and in VC circles, I find myself shaking my head and wondering, "Where are all
the agents?"
PROBLEM ORIENTED ENGINEERING
Dr. Lucia Rapanotti
Department of Computing, The Open University, UK,
ABSTRACT
Problem Oriented Engineering (POE) is a formal system for engineering design. It views
engineering design as a problem solving process where knowledge exploration and design steps are
intertwined with validation, allowing for iteration between problem and solution spaces. Its
Gentzen-style formulation is meant as a system for 'natural' design, rather than mathematical
proof, to serve the needs of engineering. It also allows for an elegant encoding in Prolog, leading to
a powerful computational engine.
In this keynote lecture, I will introduce the basic elements of POE, and its engineering and logic
foundation, as well as provide an overview of POE current application and development.

ANOMALIES DETECTION ON FIREWALLS USING THE
MOBILE AGENTS APPROACH
Fakher Ben Ftima, Kamel Karoui, Henda Ben Ghezala
RIADI, ENSI, University of Manouba,
Tunisia
ABSTRACT
Firewalls are core elements in network security. However, detecting anomalies, particularly in distributed firewalls has
become a complex task. Mobile agents promise an interesting approach for communications between different distributed
systems. In this work, we propose a firewall anomalies’ detection system using the mobile agents approach and highlight
the trumps of this approach compared to the client/server model.
KEYWORDS
Mobile Agents, Firewalls, Anomalies detection, Client/Server
1. INTRODUCTION
Due to the increasing threat of network attacks, firewalls have become important elements not only in
enterprise networks but also in small-size and home networks. Firewalls have been the frontier defense for
secure networks against attacks and unauthorized traffic by filtering out unwanted network traffic
coming to or going out of the secured network [Bellovin94]. The filtering decision is based on a set of ordered
filtering rules defined according to predefined security policy requirements [Benelbahri07]. In spite of their
security aspect, firewalls suffer from incoherence problems in their functioning (blocking) owing to the
various rules which define them. This problem causes a set of anomalies between the rules of a firewall
(intra-firewall anomalies) or between various rules in several firewalls (inter-firewall anomalies) [Cobb97].
The idea is to use the trumps of the Mobile Agents (MA) paradigm to facilitate the anomalies detection on a
firewall or between firewalls. This paper is organized as follows:section 2 introduces a background on
firewalls and MA technologies. Section 3 presents firstly the advantages of the integration of MA on
firewalls, then explain the proposed model functioning. Section 4 studies an example of distributed firewalls
detection anomalies’ implemented with the MA approach. Section 5 evaluates our approach by comparing it
to the client/server model and section 6 concludes and recommends future trends.
2. BACKGROUND
2.1 Firewalls
A firewall is a network element that controls the crossing of packets through the boundaries of a secured
network based on a specific security policy. A firewall security policy is a list of ordered filtering rules
defining the actions performed on packets that satisfy specific conditions [Chapman00]. A rule is composed of
set of filtering fields (also called network fields) such as order, protocol type , source IP address (s_ip),
destination IP address (d_ip), source port (s_port) and destination port (d_port), as well as an action
field. The filtering fields of a rule represent the possible values of the corresponding fields in actual
network traffic that matches this rule. Each network field could be a single value or range of values.
Filtering actions are either to accept, which permits the packet into or out of the secure network, or to
deny, which blockes the packet [Chewsick95].
IADIS International Conference Intelligent Systems and Agents 2008
3

The packet is permitted or blocked by a specific rule if the packet header information matches all
the network fields of this rule [Wack02]. The following is the common format of packet filtering rules in a
firewall policy: <order><protocol><s_ip><s_port><d_ip><d_port><action>
An example of typical firewall rules is shown in Figure1.
2.1.1 Formalization of Firewall Rule Relations
To be able to build a useful model for filtering rules, we need to determine all the relations that may relate
packet filters. We define the possible relations that may exist between filtering rules by comparing the
network fields [Bellovin99].
Definition 1: Rules Rx and Ry are exactly matching if every field in Rx is equal to the
corresponding field in Ry . Formally, RR yEMx ℜ if
[i]R[i]R:i yx =∀ where d_port}d_ip,s_port,s_ip,{protocol,i∈
For example, in Figure1, Rule1 exactly matches Rule 5.
Definition 2: Rules Rx and Ry are inclusively matching if they do not exactly match and if every field in Rx
is a subset or equal to the corresponding field in Ry . Rx is called the subset match while Ry is called
the superset match. Formally, RR yIMx ℜ if
[i]R[i]R:i yx ⊆∀ and [j]R[j]Rsuch thatj yx ≠∃ where d_port}d_ip,s_port,s_ip,{protocol,ji, ∈
For example, in Figure1, Rule 1 inclusively matches Rule 2. Rule 1 is the subset match of the relation
while Rule 2 is the superset match.
Definition 3: Rules Rx and Ry are correlated if some fields in Rx are subsets or equal to the
corresponding fields in Ry , and the rest of the fields in Rx are supersets of the corresponding fields
in Ry . Formally, RR yCx ℜ if
:i∀ [j]R x [j]R y and [k]R[k]Rand[j]R[j]Rsuch thatkj, yxyx ⊃⊂∃
where { } kjd_port},d_ip,s_port,s_ip,{protocol,kj,,,, ≠∈=⊃⊂∈
For example, Rule 1 and Rule 3 in Figure1 are correlated.
order protocol s_ip s_port d_ip d_port action
1: tcp, 140.192.37.20, any, *.*.*.*, 80, deny
2: tcp, 140.192.37.*, any, *.*.*.*, 80, accept
3: tcp, *.*.*.*, any, 161.120.33.40, 80, accept
4: tcp, 140.192.37.*, any, 161.120.33.40, 80, deny
5: tcp, 140.192.37.20, any, *.*.*.*, 80, accept
6: tcp, 140.192.37.*, any, *.*.*.*, 21, accept
7: tcp, 140.192.37.*, any, 161.120.33.40, 21, accept
8: udp, 140.192.38.*, any, 161.120.35.*, any, accept
Figure 1. A typical firewall rule
2.1.2 Intra-firewalls Anomaly
An intra-firewall policy anomaly is defined by [Eronen01]:
-The existence of two or more filtering rules that may match the same packet
-The existence of a rule that can never match any packet on the network paths that cross the firewall.
In this section, we describe and formally define the possible intra-firewall policy anomalies [Al-Shaer04]:
a-Shadowing anomaly: A rule is shadowed when a previous rule matches all the packets that match this
rule, such that the shadowed rule will never be activated. Formally, rule Ry is shadowed by rule Rx if:
[action]R[action]R,RR[order],R[order]R yxyEMxyx ≠ℜ<
[action]R[action]R,RR[order],R[order]R yxyIMxyx ≠ℜ<
For example, Rule 4 is shadowed by Rule 3 in Figure1.
ISBN: 978-972-8924-60-7 © 2008 IADIS
4

b-Correlation anomaly: Two rules are correlated if they have different filtering actions, and the first rule
matches some packets that match the second rule and the second rule matches some packets that match the
first rule. Formally, rule Rx and rule Ry have a correlation anomaly if:
[action]R[action]R,RR yxyCx ≠ℜ . Rule 1 is in correlation with Rule 3 in Figure1
c-Generalization anomaly: A rule is a generalization of a preceding rule if they have different actions,
and if the first rule can match all the packets that match the second rule. Formally, rule Ry is a
generalization of rule Rx if:
[action]R[action]R,RR[order],R[order]R yxyIMxyx ≠ℜ<
Rule 2 is a generalization of Rule1 in Figure1.
d-Redundancy anomaly: A redundant rule performs the same action on the same packets as another
rule such that if the redundant rule is removed, the security policy will not be affected. Formally, rule Ry is
redundant to rule Rx if:
[action]R[action]R,RR[order],R[order]R yxyEMxyx =ℜ<
[action]R[action]R,RR[order],R[order]R yxyIMxyx =ℜ<
Referring to Figure1, Rule 7 is redundant to Rule 6
e-Irrelevance anomaly: A filtering rule in a firewall is irrelevant if this rule cannot match any traffic
that might flow through this firewall. This exists when both the source address and the destination address
fields of the rule do not match any domain that is reachable through this firewall. Formally, rule Rx in
firewall Fwi is irrelevant if:
{ }[dst]Rto[src]Rfrompathaonnodeaisn:nFw xxi ∉
Referring to Figure 1, Rule 8 is irrelevant because the traffic that goes between the source
(140.192.38.*) and the destination (161.120.35.*) doesn’t pass through this firewall.
2.1.3 Inter-Firewall Anomaly
In general, an inter-firewall anomaly may exist if any two firewalls on a network path take different
filtering actions on the same traffic [Ioannidis00]. We suppose a traffic stream flowing from sub-domain Dx
to sub-domain Dy across multiple cascaded firewalls installed on the network path between the two
sub-domains. At any point on this path in the direction of flow, a preceding firewall is called an
upstream firewall whereas a following firewall is called a downstream firewall [Hari00].
Using the above network model, we can say that for any traffic flowing from sub-domain Dx to
sub-domain Dy an anomaly exists if one of the following conditions holds:
1) The most-downstream firewall accepts a traffic that is blocked by any of the upstream firewalls.
2) The most-upstream firewall permits a traffic that is blocked by any of the downstream firewalls.
3) A downstream firewall denies a traffic that is already blocked by the most-upstream firewall.
We assume that the network traffic is flowing from domain Dx to domain Dy, rule Rx belongs to
the policy of the most-upstream firewall Fwx , while rule Ry belongs to the policy of the most-
downstream firewall Fwy. We classify anomalies in multi-firewall environments as follows (detailed
examples are given in section 4) [Lupu97]:
a-Shadowing Anomaly: A shadowing anomaly occurs if an upstream firewall blocks the network traffic
accepted by a downstream firewall. Formally, rule Ry is shadowed by rule Rx if one of the following
conditions holds:
accept[action]R,deny[action]R,RR yxxEMy ==ℜ
accept[action]R,deny[action]R,RR yxxIMy ==ℜ
accept[action]R,deny[action]R,RR yxyIMx ==ℜ
accept[action]R,accept[action]R,RR yxyIMx ==ℜ
b-Spuriousness Anomaly: A spuriousness anomaly occurs if an upstream firewall permits the network
traffic denied by a downstream firewall. Formally, rule Rx allows spurious traffic to rule Ry if one of the
following conditions holds:
deny[action]R,accept[action]R,RR yxyEMx ==ℜ
5

deny[action]R,accept[action]R,RR yxyIMx ==ℜ
deny[action]R,accept[action]R,RR yxxIMy ==ℜ
accept[action]R,accept[action]R,RR yxxIMy ==ℜ
deny[action]R,deny[action]R,RR yxyIMx ==ℜ
c-Redundancy Anomaly: A redundancy anomaly occurs if a downstream firewall denies the network
traffic already blocked by an upstream firewall. Formally, rule Ry is redundant to rule Rx if, on every
path to which Rx and Ry are relevant, one of the following conditions holds:
deny[action]R,deny[action]R,RR yxxEMy ==ℜ
deny[action]R,deny[action]R,RR yxxIMy ==ℜ
d-Correlation Anomaly: A correlation anomaly occurs as a result of having two correlated rules
(rules having different filtering actions) in the upstream and downstream firewalls. Formally, the
correlation anomaly for rules Rx and Ry occurs if one of the following conditions holds:
accept[action]R,accept[action]R,RR yxyCx ==ℜ
deny[action]R,deny[action]R,RR yxyCx ==ℜ
deny[action]R,accept[action]R,RR yxyCx ==ℜ
accept[action]Rdeny,[action]R,RR yxyCx ==ℜ
2.2 Mobile Agents
MA is a programming paradigm used in distributed applications [Lange99]. It makes the implementation of
applications dynamically adaptable easier and facilitates the development of distributed applications on large
networks. This covers many domains such as e-commerce; telecommunications, workflow applications,
remote maintenance and park administration [Guttman98].
MA are execution programs that can migrate from one host in a network to another in order to satisfy
requests made by their clients. The state of the running program is saved, transported to the new host and
restored, allowing the program to continue where it left off. The MA properties are the following [Karoui05]:
-MA are autonomous; they have some degree of control over their data and states.
-MA have the ability to act without direct external interference.
-MA are interactive by communicating with the environment and other agents.
-MA are adaptive; they can integrate with other agents or their environment.
3. FIREWALL ANOMALIES’ DETECTION SYSTEM BASED ON MA
APPROACH
3.1 The MA Approach Advantages
The development of distributed firewalls and the introduction of software agents lead us to use the paradigm
of MA to perform anomalies detection intra-firewalls and inter-firewalls [Jansen99]. MA offer several
potential advantages [Karoui07a] when used in firewalls distributed system [Karoui07b]:
• Reducing network load: Firewalls are faced by the problem of processing a huge amount of data. Their
centralized administration is a complex task due to the great number of requests exchanged between
firewalls. MA can overcome this problem by reducing the number of requests exchanged between distributed
firewalls.
• Asynchronous execution and autonomy: MA perform tasks autonomously without disturbing the
functioning of firewalls. They are able to continue to operate asynchronously even if a firewall is not
available or if the administrator machine is disconnected form the network.
ISBN: 978-972-8924-60-7 © 2008 IADIS
6

• Dynamic adaptation: As the number of firewalls in the network increases, MA can be cloned and
dispatched to these new computing elements; MA adapt their behavior according to network’s topology and
traffic characteristics.
• Robustness and fault tolerance: MA are able to react to multiple situations, especially faulty ones. This
ability ensures the efficient functioning of distributed firewalls even if the system is faulty.
3.2 Principle of Functioning
Based on the advantages presented on section 3.1, we will present the architecture of our system: The
administrator sends a MA to the first firewall (1). The MA encapsulates the set of rules founded on this latter
and migrates to the next firewall (2). It correlates the list of rules (3) and passes to the next firewall. It repeats
the same processes (steps (2) and (3)) until finishing a complete tour of the system (see figure 2). In our
solution, the administrator has the possibility to detect anomalies on a particular firewall (intra-firewall) or on
the entire network (inter-firewalls); the MA returns result when anomaly is detected on the specific firewall
(4) or at the end of the complete tour (5).
Figure 2. Anomalies detection system with the MA approach
4. CASE STUDY
Based on the approach presented in section 3, we will present an experimental case study. We have
implemented a ring network composed of an administrator machine and three firewalls Fw1, Fw2 and Fw3.
These machines are equipped of Core 2 Duo processor with 1,6 MHZ frequency and 1GB of RAM. We used
the platform BeeGent [Toshiba01] to implement the MA approach and the firewalls IPTABLES [Russell99] for
firewalls rules description. We implemented our system under Linux FEDORA6 operating system (see figure
3).
4.1 Experimental Results
4.1.1 Intra-firewalls Anomalies Detection Results
To detect anomalies on a specific firewall, the MA moves to a particular firewall, with a formal description
of the anomalies. It takes the firewall rules one by one and compare them to the anomalies description (see
section 2.1.2). In our example, we suppose that our MA moves to Fw2 to detect eventual anomalies. The
detection results returned by the MA are the following (see figure 3):
Generalization anomalies: (Rule 7 is a generalization of Rule 6), (Rule 8, Rule1), (Rule 8, Rule 2), (Rule 8,
Rule 3), (Rule 8, Rule 5), (Rule 8, Rule 7), (Rule 5, Rule 4)
Redundancy anomalies: (Rule 1 is redundant to Rule 3)
Rules Fw1
Fw2
Fw4
Admin
(5)
(2)
(3)
(4)
(1)
Network
Rules
Rules
Fw3
Rules
7

4.1.2 Inter-firewalls Anomalies Detection Results
To detect anomalies on the entire system, the MA moves to the first firewall with a formal description of the
anomalies,encapsulates the set of rules found on Fw1 and begins its tour to Fw2 then to Fw3 (see section
2.1.3). In our example, the detection results returned by the MA are the followings (see figure 3):
Shadowing anomalies: (Rule 2 on Fw3 is shadowed by Rule 3 on Fw2), (8/Fw2, 4/Fw3),
(7/Fw2, 7/Fw1), (5/Fw2, 5/Fw1)
Spuriousness anomalies: (Rule 2 on Fw2 allows spurious traffic to Rule 4 on Fw1), (2/Fw2, 9/Fw3),
(5/Fw3, 4/Fw2), (3/Fw3, 3/Fw2), (5/Fw1, 4/Fw2)
Redundancy anomalies: (Rule 6 on Fw3 is redundant to Rule 6 on Fw2), (9/Fw3,6/Fw1)
Figure 3. The firewall anomalies’ detection system based on the MA approach
5. PERFORMANCES EVALUATION
To evaluate the performances of the proposed model (seen section 4), we have implemented this latter with
both approaches, viz; the client/server and the MA approaches. The functioning processes of both approaches
are presented on figure 4 and figure 5. We have chosen some criteria to compare them, viz: the bandwidth
use and the execution time.
i=2;
The administrator sends a MA;
The MA encapsulates rules on Fw1;
While (i<nb-firewalls)
The MA migrates to Fwi;
The MA correlates rules;
If (Detection anomaly)
The MA alerts the administrator;
;1+→ ii
The MA returns results to administrator;
The administrator treats the anomalies;
I=2,j=1;
The administrator requests Fw1;
While (i< nb-firewalls)
While (j< nb-rules)
The administrator correlates rule Rj;
If (Detection anomaly)
The administrator treats the anomaly;
;1+→ jj
;1+→ ii
The administrator treats the anomalies;
Figure 4. The MA process Figure 5. The Client/Server process
1: tcp, 161.120.*.* : any, 140.192.*.* : 80, accept
2: tcp, 161.120.*.* : any, 140.192.22.5 : 21, deny
3: tcp, 161.120.*.* : any, 140.192.*.* : 21, accept
4: tcp, 140.192.*.* : any, 161.120.33.* : 23, accept
5: tcp, 161.120.33.* : any, 140.192.*.* : 23, accept
6: tcp, 161.120.24.* : any, 140.192.37.3 : 25, deny
7: tcp, 161.120.24.* : any, 140.192.22.5 : 25, deny
8: tcp, 161.120.*.* : any, 140.192.37.* : 25, accept
9: tcp, *.*.*.* : any, *.*.*.* : any, deny
1: tcp, 161.120.*.* : any, *.*.*.* : 80, accept
2: tcp, 140.192.*.* : any, *.*.*.* : 25, accept
3: tcp, *.*.*.* : any, 140.192.*.* : 25, accept
4: tcp, 140.192.*.* : any, 161.120.*.* : 80, deny
5: tcp, 161.120.33.* : any, 140.192.37.1 : 23, deny
6: tcp, 161.120.*.* : any, 140.192.*.* : 22, deny
7: tcp, 161.120.*.* : any, 140.192.*.* : any, accept
8: tcp, 140.192.*.* : any, 161.120.*.* : any, accept
9: tcp, *.*.*.* : any, *.*.*.* : any, deny
1: tcp, 161.120.*.* : any 140.192.*.* : 80, accept
2: tcp, 140.192.*.* : any, 161.120.*.* : 80, accept
3: tcp, 161.120.*.* : any, 140.192.22.5 : 21, accept
4: tcp, 161.120.33.* : any 140.192.37.* : 23, deny
5: tcp, 161.120.*.* : any, 140.192.*.* : 23, accept
6: tcp, 161.120.24.* : any, 140.192.37.3 : 25, deny
7: tcp, 161.120.24.* : any, 140.192.*.* : 25, accept
8: tcp, *.*.*.* : any, *.*.*.* : any, deny
Fw1
Fw2
Fw3
Admin
(5)
(2)
(3)
(4)
(1)
(4)
ISBN: 978-972-8924-60-7 © 2008 IADIS
8

5.1 Bandwidth Use
5.1.1 The client/server Model
In our system, according to the client/server process (figure 5), each firewall, has several rules to be
analyzed. To detect anomalies, the administrator requests every firewall, rule by rule; in our case, we have 9
requests on Fw1, )89( × correlation requests on Fw2 and )99( × correlation requests on Fw3. We note that there
are 162)99()89(9 =×+×+ requests exchanged between the firewalls and the administrator machine. In a
general case, with (n) firewalls to be analyzed, we have ∑
=
+×
n
i
ixN
2
)1( requests exchanged with the
administrator machine where N is the number of rules on Fw1 and xi is the number of rules on Fwi; it
constitutes a very important load for the whole network traffic especially if the number of firewalls is
important.
5.1.2 The MA Model
According to the MA process (figure 4), the administrator sends a MA that visits all firewalls to detect
anomalies. At the end of its complete tour, the MA returns results to the administrator. In our example, we
note that the MA moves 4 times between firewalls and the administrator machine. In a general case, with (n)
firewalls to be analyzed, we have (n+1) moves between firewalls and the administrator machine; it
constitutes a very important gain for the whole network traffic especially if the number of firewalls is
important.
5.1.3 Interpretations
With the MA approach, the total number of moves between firewalls on the network is lower than that with
the client/server requests. This gain will reduce the global bandwidth use.
5.2 Execution Time:
We define the execution time by [Longman95]:
Execution time=treatment time+ latency time
Latency time = transmission time + propagation time
The transmission time represents the necessary time to transmit data on network. It is defined by:
ratebit
messagetheofsize
ion timetransmissThe =
The propagation time is the necessary time to transfer data from the transmitter to the receiver. It is
defined by:
speednpropagatio
distance
n timepropagatioThe =
In our example, the links dij connecting all machines (i=1, j=2, 3 or 4) are equal to (5m) and the
propagation speed is equal to ( s/m102 8
× ) for all firewalls. Also, we suppose that the links joining all
firewalls have the same bit rate (10 Mbits/s).
5.2.1 The client/server Model
The global requests' treatment time which includes; interactions with Fw1, correlations of rules of Fw2 and
correlations of rules of Fw3 is estimated to 5(s). The administrator sends many requests to firewalls across the
links dij.The request size is equal to 1(kbits).The global requests size to Fw1, Fw2 and Fw3 are respectively
Q12 = 9 (kbits); Q13 =8 (kbits) and Q14 = 9 (kbits).The responses size from these latter are respectively A12 =9
(kbits), A13 = 24 (kbits) and A14 = 33 (kbits).
9

s
sMbits
AQAA 6141413131212
10
/10
)339()24(8)9(9
ratebit
)()(Q)(Q
ion timetransmissThe −
≈
+++++
=
+++++
=
s103
/102
5)(m)(1510)(1015)(5
speednpropagatio
)dd()dd()d(d
n timepropagatioThe 7
8
411431132112 −
×=
×
+++++
=
+++++
=
sm
s5)(10)103(5timeExecutionThe -67
≈+×+= −
5.2.2 The MA Model
The global treatment time which includes interactions with Fw1, correlations of rules on Fw2 and correlations
of rules on Fw3 is estimated to 3(s). The MA is composed of two elements: processing part (S) and data part
(Di). The global size of the MA on Fwi is (S+ Di). The processing part size (S) of the MA is 6 (kbits).
s10
/10
)476()25(66
ratebit
)()()(
ion timetransmissThe 6-321
≈
++++
=
+++++
=
sMbits
DSDSDS
s01
/102
5(m)4
speednpropagatio
dddd
n timepropagatioThe 7
8
41342312 −
=
×
×
=
+++
=
sm
s310103timeExecutionThe -67
≈++= −
5.2.3 Interpretations
According to the experimental results, we note that the execution time with the MA approach is less than that
with the client/server model. To consolidate our results, we have increased the number of firewalls. We have
noticed that more the number of firewalls increases, more the MA approach is better. (see figure 6). These
experimentations make our approach more efficient and more favorable.
Figure 6. MA approach versus Client/server approach
6. CONCLUSION
In this article, we exploited the advantages of the MA approach to ameliorate and make easier the anomalies’
detection in distributed firewalls. Also, the comparison of our model with the client/server model proves its
effectiveness and presents a certain number of trumps in comparison with the client/server model. Our case
study was accomplished in a specific network with the environment constraints (laboratory). We expect to
validate the efficiency of our approach on more complex network architectures.
0
5000
10000
15000
20000
25000
30000
35000
40000
45000
2 3 4 5 6 7 8 9 10
Client/server
Mobile Agents
Nb Firewalls
Execution time (ms)
ISBN: 978-972-8924-60-7 © 2008 IADIS
10

REFERENCES
[Al-Shaer04] Al-Shaer, E. Hamed, H.,2004. Discovery of policy anomalies in distributed firewalls. Sch. of Comput. Sci.,
Telecommun. & Inf. Syst.2004 DePaul Univ., Chicago, IL, USA.
[Bellovin94] Bellovin, M. and Chewsick, R.,1994.Network firewalls. IEEE Communications Magazine, pages 50-57.
[Bellovin99] Bellovin, M.,1999.Distributed Firewalls.Special Issue on Security, ISSN 1044-6397.
[Benelbahri07] Benelbahri, A. and Bouhoula, A.2007.Tuple Based Approach for Anomalies Detection within Firewall
Filtering Rules. IEEE Symposium on Computers and Communications. ISCC 2007. 12th Volume , Issue , 1-4
Page(s):63 – 70.
[Chapman00] Chapman, D. and Zwicky, E.,2000. Building Internet Firewalls, Second Edition, Orielly & Associates Inc.
[Chewsick95] Chewsick, W. and Belovin, S.,1995. Firewalls and Internet Security, Addison- Wesley.
[Cobb97] Cobb, S.,1997.ICSA Firewall Policy Guide v2.0. NCSA Security White Paper Series.
[Eronen01] Eronen, P. and Zitting, J.,2001.An Expert System for Analyzing Firewall Rules. Proceedings of 6th
Nordic
Workshop on Secure IT-Systems (NordSec 2001).
[Guttman98] Guttman, R. et al., 1998. Agent-mediated electronic commerce: a survey. Knowlrdge Engineering Review.
13(2):143-147.
[Hari00] Hari, B. et al.2000.Detecting and Resolving Packet Filter Conflicts. Proceedings of IEEE INFOCOM’00.
[Ioannidis00] Ioannidis, S. et al.,2000.Implementing a Distributed Firewall. Proceedings of 7th ACM Conference on
Computer and Comminications Security (CCS’00).
[Jansen99] Jansen, W et al.,1999. Applying mobile agents to intrusion detection and response. Technical report, NIST
Interim Report - 6416.
[Karoui05] Karoui, K.,2005. MA Overview, published in Encyclopedia of Multimedia Technology and Networking , Idea
Group.
[Karoui07a] Karoui, K. and B.Ftima, F., 2007.Interaction Mobile Agents – Web Services. Encyclopedia of Multimedia
Technology and Networking, IGI global.
[Karoui07b] Karoui, K. and B.Ftima, F., 2007. Effectiveness of Web Services-Mobile Agents Approach in E-commerce
System. Encyclopedia of Information Science and Technology, IGI global.
[Lange99] Lange, D. and Oshima, M.,1999. Seven Good Reasons for Mobile Agents - Dispatch your agents; shut off
your machine. Communications of the ACM Issue.
[Longman95] Longman, A and Halsall, F., 1995. Data Communications Computer Networks and Open System, , ISBN:0-
201-42293-X ,.Publishing Co., Inc. Redwood City, CA, USA.
[Lupu97] Lupu, E. and Sloman, M.,1997.Conflict Analysis for Management Policies. Proceedings of IFIP/IEEE
International Symposium on Integrated Network Management (IM’1997).
[Russell99] Russell, R.,1999. Linux iptables HOWTO, v0.0.2.
[Toshiba01] Toshiba Corporation,. 2001.Beegent Multi-Agent Framework.
[Wack02] Wack, J. et al,.2002. Guidelines on Firewalls and Firewall Policy. NIST Recommendations, SP 800-41.
11

USING HONEY-AGENTS FOR ESTABLISHING TRUST IN
MOBILE-AGENTS E-COMMERCE APPLICATIONS
Sandhya Armoogum, Nawaz Mohamudally
University of Technology, Mauritius
Pointe aux Sables, Mauritius
ABSTRACT
Agent technology has an immense potential in e-commerce. Personalised mobile-agents could be despatched by users to
find and recommend products and services, negotiate the terms of transactions, and even make payments. However,
among the reasons for the technology’s unmet potential are security concerns. In this paper, we propose the use of decoy
honey-agents to conduct transactions to monitor the actions of the agent servers towards the mobile-agent. Such
information can give an indication of the trustworthiness of agent servers.
KEYWORDS
E-commerce mobile-agent, Honey-Agent, Security, Trustworthiness, Social control
1. INTRODUCTION
Mobile code is an important programming paradigm for our increasingly networked world. It provides a
flexible way to structure cooperative computation in distributed systems. Mobile-agents are mobile code that
acts autonomously on behalf of a user for continuous collecting, filtering, and processing of information.
They combine the benefits of the mobile-agent paradigm, such as reacting to a changing environment and
autonomous operation, with the features of remote code execution. Important mobile-agent applications
include mobile computing, where bandwidth is limited or users are disconnected, data retrieval from large
repositories, configuration management of software and networks, and e-commerce applications. As such,
mobile-agents are believed to have an important role in future e-commerce systems as they provide a flexible
mechanism for gathering information about products and services available on the Internet by visiting several
servers. Knowing the user’s preference they can find required products and services, negotiate the terms of
transactions, make payments and arrange for delivery of the goods purchased to the required destination.
According to Maes in (Maes et al, 1999), agents can autonomously take care of all the different steps
involved in a typical e-commerce transaction such as Product brokering, Merchant brokering, Negotiation,
Payment and Delivery without interacting continuously with the user or in a semi-autonomous manner where
the mobile-agent seeks approval before making any purchase. Despite their benefits, massive use of mobile-
agents for e-commerce is restricted by security issues. Typically, four threat categories are identified (Jansen,
Karygianinis, 2000): (1) mobile-agent attacking an agent server, (2) agent server attacking a mobile-agent,
(3) a mobile-agent attacking another mobile-agent on the agent server, and (4) other entities attacking the
agent system.
Existing techniques for the protection of agent servers from malicious mobile-agents are sandboxing,
code signing, firewalling, and proof carrying codes. The protection of mobile-agents from malicious agent
servers is a more challenging problem. Existing mechanisms provide security against some types of threats
(e.g. tampering) posed to mobile-agents by malicious servers. But the protection of private information such
as credit card details or electronic monies or the confidentiality of code is still a major problem.
Honeypot technology has proven to be very beneficial in network security. A honeypot is a closely
monitored network decoy serving several purposes: it can distract adversaries from more valuable machines
on a network, can provide early warning about new attack and exploitation trends, or allow in-depth
examination of adversaries during and after exploitation of a honeypot. It is proposed to use the same
concepts in the form of honey-agents for evaluating the trustworthiness of agent servers on the Internet. If
ISBN: 978-972-8924-60-7 © 2008 IADIS
12

tampering or spying is detected during interaction with a honey-agent, the honey-agent can inform the server
that maintains records on a server’s trustworthiness thereby implementing social control. This approach can
provide an effective stop-gap measure as it discourages servers to behave badly in order to maintain a good
reputation. However, this approach does not eliminate the problem of malicious servers nor is it successful in
detecting all malicious activities of a malevolent agent server.
The next section briefly describes the mobile-agent system model and the threats posed by malicious
agent servers to mobile-agents. Existing techniques for mobile-agent security are presented in section 3.
Section 4 describes the concept of social control. Section 5 and 6 describes the trust evaluation architecture
and how Honey-agents are deployed for evaluating the trustworthiness of the agent servers. Finally, we
conclude and present future works.
2. MOBILE-AGENT SYSTEM MODEL AND MALICIOUS HOST
PROBLEM
Mobile-agents are capable of continued, autonomous operation disconnected from the owner and they
migrate to other hosts during their lifetime to perform their task. The use of mobile-agents saves bandwidth
and permits off-line and autonomous execution in comparison to usual distributed systems based on message
passing as shown in Figure 1 below. Essentially, a mobile-agent consists of code, data and state information
needed to carry some computation.
Figure 1. Client-Server model versus Mobile-Agent computing model
Several models exist for describing agent systems (Fuggetta, 1998), (FIPA, 1998), (OMG, 1997). For
discussing security related issues though, it suffices to consider a very simple model consisting of the mobile-
agent and the agent platform provided by the agent server as described in (Jansen, Karygianinis, 2000). The
agent platform provides the necessary computational environment for the mobile-agent to operate. The
platform from which a mobile-agent originates is referred to as the home platform, and normally is the most
trusted environment for a mobile-agent. A simple mobile-agent system model is as depicted in Figure 2.
As can be observed from Figure 1 and 2, mobile agents hop from agent server to agent server and execute
locally on the destination agent platform. The agent servers have complete control on the executing mobile-
agents and thus many attacks may be performed by malicious servers on the mobile-agent. The malicious
server can modify the code, data, and/or state information being carried by the mobile-agent. Likewise the
malicious server can inspect the code of the mobile-agent to learn about the decision making strategy of the
agent. Again the malicious server may inspect the confidential data such as credit card details or signing key
being carried by the mobile-agent. Thus, the protection of mobile-agents from malevolent agent servers is as
important as the protection of the host from malicious mobile-agents. Ideally, it is required that the mobile
agent be equipped with security features that enables it to execute in an untrusted environment autonomously
(i.e. without interactions with its originating site) and without the untrusted host being able to read and
modify the mobile-agent’s code and data.
Client
Client
API Server
Agent
Platform
Server
(a) Client Server Model: Information
exchanged between client and server
(b) Mobile-agent Computing Model:
Mobile-agent travels to server (agent
platform) and locally interacts with server
13

Figure 2. Mobile-agent computing model
3. EXISITNG MOBILE-AGENT PROTECTION SCHEMES
Many proposed systems suggest the use of trusted servers in a network for processing of critical information.
(Guan et al, 2000) suggests that the network be divided in regions and in each region there is a trusted host
called police office (PO). Agents’ critical code such as the decision making strategy are executed only on
trusted hosts i.e. the PO. (Marques et al, 1999) and (Farmer et al, 1996) suggest that the decision making
algorithm or any other such critical code and sensitive data be carried encrypted by the mobile-agent and is
only executed on some specified trusted hosts in the network. However, this approach is restrictive and
involves increase in network traffic which defies the concept of mobile-agent because then the mobile-agent
would communicate with the server in a client server way from the trusted server.
Another approach is to enhance the mobile-agent with security features such that it can detect or even
prevent attacks. As such several cryptographic and non cryptographic techniques exist for detection of
tampering of code, state, data and partial results being carried by the mobile-agent. For instance, the static
agent-code can be digitally signed, Partial Result Authentication Code (PRAC) can be used for detecting
tampering of partial results. In (F.Hohl, 2000) and (F.Hohl, 1999b), “reference states” are used to detect state
modification attacks. Farmer, Guttman and Swarup present in (Farmer et al, 1996) a “state appraisal”
mechanism for detecting state change whereby the mobile-agent is equipped with a state appraisal function
that checks the validity of the current state of a mobile-agent. (Minsky et al, 1996) propose to use a fault
tolerance mechanism to detect attacks by malicious hosts. In (Vigna, 1997) and (Vigna, 1998), Vigna
presents an approach that allows detection of tampering by the agent platform via execution checking of a
mobile-agent by using cryptographic traces which are logs of the operations performed by the mobile-agent
during its lifetime. In (Park et al, 2001), a One-time Key Generation System (OKGS) is proposed to
effectively provide confidentiality and integrity of agent data gathered on the itinerary as well as the integrity
of agent code. (Karjoth et al, 1998) proposes a mechanism for enabling a mobile-agent to securely collect
computation results against prying and tampering by malicious hosts visited by the mobile-agent.
Furthermore, based on the idea that malicious hosts need time to analyse and modify a mobile-agent code,
and/or data, state, the protocol in (Esparza et al, 2003) detects manipulation attacks performed during the
agent’s execution (when a host spends more time than needed executing the mobile-agent) by controlling the
execution time in hosts. All, these techniques detect modification attacks but do not prevent modification or
inspection of data and code. In some cases, detection does not help; for instance detection of tampering for E-
cash would not prevent the loss caused; prevention is fundamental.
To prevent attacks against mobile-agents by malicious servers, secure trusted hardware (secure co-
processor) can be used. The main idea is to equip mobile-agent systems with additional hardware, which is
not under control of the local system and which can host and execute mobile-agents, thus providing a secure
execution environment for mobile-agents (Bennet, 1997.). Using a secure trusted hardware ensures protection
Internet
Home
Agent
Server
Agent
Server
Agent
Server
Agent
ISBN: 978-972-8924-60-7 © 2008 IADIS
14

against tampering and eavesdropping. But unfortunately, it is not practical and feasible for all servers to be
equipped with a trusted hardware. A further step towards protecting a mobile-agent against malicious hosts is
to make eavesdropping and tampering difficult or expensive. Code obfuscation, for example, tries to make
the mobile-agent’s program illegible, the data hidden and thus difficult to understand and manipulate. (Hohl,
1998) proposes to generate an executable mobile-agent from a given agent specification such that the
generated agent cannot be attacked by read or modify attacks i.e. mobile-agent is a blackbox using code
obfuscation techniques. However, code obfuscation only provides time limited protection because given
enough time, the code can be analysed. In (Sander, Tschudin, 1998) the use of mobile cryptography whereby
encrypted programs – mobile-agent program can be converted into a ciphered-program such that it can
execute on the untrusted host while remaining in the encrypted form - is proposed as the only way to give
privacy and integrity to mobile code (and data). However, mobile cryptography is expensive as it is difficult
to implement. The proposed scheme intends to complement the existing schemes for protecting agents by
adding social control mechanisms as described next.
4. SOCIAL CONTROL MECHANISMS
Introduced in sociology as early as the end of the 19th
century, the concept of social control originally
denoted the capacity of a group or society to regulate itself and to secure coherency and unity in social life
(Martingale, 1978). Social control in this sense, relates to how social action is coordinated toward a chosen or
an emergent social order. Modern theories of social control focus on the strategies and techniques that help
regulate mobile-agent and agent server behaviour, and lead to conformity and compliance with the rules of
society (at both the macro and micro levels). The main elements used in the enforcement of social
commitments are: (1) sanctions, which are considered in their general sense of incentives, and (2)
philosophies of punishment, which result in punishment strategies determining the type of sanction (and its
magnitude) to be applied, and explains how sanctions are assigned to social commitments (Pasquier et al,
2006). For our purpose, we believe that social sanctions are applied. Trust, credibility and reputation are
social values that could be affected by social sanctions. As pointed out in (Posner, Rasmusen, 1999), social
sanctions are usually the effects of some implicit informational disclosure where the violator’s action
conveys information about him that he would rather not have others know. For example, the fact that an
agent server inspects the code of a mobile-agent to learn about its decision making strategy might be taken
into account by other mobile-agents when evaluating his reputation and the trust they put in him. Social
control mechanisms to enforce social commitments are designed according to a philosophy of punishment.
Unless there is an international infrastructure to legally deal with wrongdoers, deterrence is the only
punishment policy that can be applied. Deterrence is a utilitarian principle stating that the aim of sanctions is
to prevent future violation. Applied to the enforcement of social commitment in mobile-agent based e-
commerce, it means that using severe sanctions with a high prohibitive effect tends to transform social
commitments into strict obligations.
5. TRUST EVALUATION ARCHITECTURE
We propose the use of a trust evaluation architecture which: (1) uses honey-agents to evaluate the
trustworthiness of agent servers; (2) provide information to mobile-agents about trustworthiness of agents
servers (social sanction); (3) prevents or mitigate subsequent damage caused by interacting with malicious
servers; and (4) allows mobile-agents interaction not to be restricted only on few trusted servers. The
architecture is as shown in Figure 3.
15

Figure 3. Trust Evaluation Architecture
Computers are organized in domains. In each domain, there is a trusted server – evaluator - which
evaluates the trustworthiness of agent servers in that domain by sending honey-agents to interact with the
agent server. Based on the interaction of the honey-agent with the servers, the evaluator is able to provide
information to all other mobile-agents operating in that domain about the trustworthiness of the server, thus
implementing social sanction. It is expected that this sanction acts as deterrence to malicious activity. When a
mobile-agent needs to interact with a particular agent server in a domain, the mobile-agent may interact with
the evaluator to find information about the agent server. For instance, if an agent server has previously been
found to be malicious, the mobile-agent will be able to learn about the specifics of the attack made by the
server. The mobile-agent will then have to determine, if it has security features inbuilt to resist such attacks
before deciding to migrate to that server or if it still trusts the agent server enough to interact with the agent
server. It is assumed that the evaluator is a trusted entity and is implemented on secure host such that it
cannot be compromised. The information provided to mobile-agents can be communicated by using the
blackboard coordination, Linda-like coordination or reactive tuple space (Cabri et al, 1998).
6. USING HONEY-AGENTS TO DETECT CODE INSPECTION
The honey-agents are derived from the same concept as Honeypots. “A Honeypot is nothing but a security
resource whose value lies in being probed, attacked, or compromised (Spitzner, 2002).” It usually is a
resource that has no production value and thus usually no legitimate user would interact with it. Thus,
whenever any packet or any interaction is attempted with the honeypot, it’s most likely a probe or an attack.
Similarly, a honey-agent is a closely monitored mobile-agent which travels on the network and performs
certain transaction but it value lies in it being attacked or compromised.
As discussed in section 2 a mobile-agent may face the following threats from the agent server: (1)
disclosure of confidential data and/or code of the mobile-agent, and (2) tampering of code, data and/or state
of the mobile-agent. To detect tampering, any of the existing schemes mentioned in section 3 can be
implemented by the honey-agent. When tampering is detected, the evaluator will inform other mobile-agents
about the attack of the involved agent server. Assuming, an associative blackboard mechanism is used for
coordination of attack information, the detection of tampering would result in message being posted on the
blackboard. All mobile-agents would be able to read the messages from the blackboard but only the evaluator
is authorized to write on the blackboard. Thus honey-agents can be effectively deployed for detecting
modification attacks on agent code, data, state and/or partial results. The use of the proposed mechanism is
more interesting in the case of detecting code and/or data inspection because it is difficult, if not impossible,
to detect inspection and often expensive to prevent code and/or data inspection.
We assume that a honey-agent with the goal of detecting code inspection by the malicious agent server is
deployed to perform product brokering only. Hence, the honey-agent would visit the targeted agent server to
Agent Evaluator
ISBN: 978-972-8924-60-7 © 2008 IADIS
16

find product details and price for a specific product with the aim of choosing the best option to its owner. It
may further negotiate for better price but is not allowed to purchase products. Once, a product is chosen from
the server, the mobile-agent informs its owner, such that the owner starts a dialogue with the server for
purchase. We implement a simple decision making strategy of the honey-agent as shown in Figure 4. Our
aim is to identify those agent servers which inspect the agent code to find the decision-making logic of the e-
commerce agents on how acquisitions are made.
Figure 4. Decision making algorithm of honey-agent
To be able to successfully identify the malicious server, the honey-agent is programmed to be a single
hop mobile-agent i.e. it moves from the evaluator to one agent server and back again. It does not hop from
server to server as then it may be difficult to determine the malicious server in the itinerary of the mobile-
agent. However, it may be argued that such honey-agents can be easily detected by the malicious agent server
as it has been sent by the evaluator. However, this may not be the case as often mobile agents sent to do
product brokering are anonymous as users like to maintain their anonymity unless they effectively have to
reveal it. Picturing a global electronic commerce framework, users prefer to make queries about prices and
assets anonymously and only reveal their identities at the places where they actually make the acquisitions
(Marques et al, 1999). An anonymous agent is simply one that has not authenticated with the platform though
it may authenticate the platform as is the case with honey-agents. When an agent is unauthenticated, its
functionality on the platform is restrained to read-only certain designated data, write to a blackboard, perform
simple computations, or leave. This is often enough for the agent to find information about required products.
Moreover, the receiving server would know that the last platform visited by the agent is the evaluator server,
but this is not a give-away of the honey-agents as it is typical for mobile-agent, in this scenario, to visit the
evaluator to learn about the trustworthiness of the agent server before moving to a particular agent server.
Similarly, it is plausible that the mobile-agent after execution on an agent server moves back to the evaluator
before moving to its next agent server.
To detect code inspection and consequently cheating by the server, several such Honey-agents can be sent
to the targeted server but with different threshold price for the same product. It would be possible to observe
some pattern in the proposed price by the server. For, instance we would be able to detect if the mobile-agent
after inspection of code is proposing prices higher than its normal rate because, it knows from inspection that
the mobile-agent is highly likely to accept such a price. This shows the intent of the agent server to cheat on
its offers by selling cheaper product for higher value. Figure 5 shows how the behaviour of a few agent
servers vary. We assume that the server does not implement offer and demand law as then the more the
demand, the higher the price are but rather the servers use fixed selling prices. As can be seen from Figure 5,
the server may not cheat every time. Thus, the evaluator may not be able to always detect trustworthiness
effectively everytime and more honey-agents interaction may be required to determine trustworthiness. In
case, more complex e-commerce strategies are used, then properly constructed games can be used to obtain
important insights to evaluate trustworthiness.
7. CONCLUSION
We have seen that the proposed mechanism uses the same concepts as honeypots in the context of e-
commerce for detecting attacks on mobile-agents by malicious agent servers. Once an attack is detected, the
social sanction is that the information pertaining to the attack is published such that other mobile-agents are
able to evaluate the trustworthiness of the agent servers. This also acts as a deterrent to other servers.
However, the proposed scheme has two primary disadvantages. The first is that trust of an agent server is
only evaluated during its interaction with the honey-agent. Assuming that a malicious server is always
malicious then the interaction with the honey-agent would be a good indication of the trustworthiness of the
if proposedprice <= thresholdprice
select server for purchase
else
reject server
end if
17

agent server. However, if the agent server behaves differently with different mobile-agents, then we may not
be able to evaluate the trustworthiness of the agent server clearly. Moreover, just as in the case of honeypots
where the honeypot should camouflage as a productive system, it is important in the proposed system for the
honey-agent to appear to be genuine mobile-agent with a goal to achieve, otherwise the agent servers would
change their behaviour when interacting with known honey-agent and the honey-agents would not serve its
purpose.
Experimental Response
0
20
40
60
80
100
120
10 20 30 40 50 60 70 80 90 100
Threshold Price($)
Proposedprice($)
Malicious Server, Proposed price = 75%
of Threshold price
Malicious Server, Proposed price =
Threshold Price
Non-Malicious Server
Randomly-Malicious Server, Proposed
price = 75% of Threshold price
Figure 5. Experimental Results for case where fixed product price is $20.
Furthermore, the proposed system is centralized (in terms of data), since the information gathered by the
honey-agents has to be stored on the trusted platform which is the evaluator. As such, the evaluator which
implements the sanctions by publishing the wrongdoings of the malicious servers is the weak point in the
system as it may be attacked e.g. denial of service such that mobile-agents no longer have information about
malicious servers, or some malicious entity may intrude the evaluator with the aim of tampering the
information published. Consequently, the evaluator should be implemented on a hardened server and be well
protected against security breaches. Implementing replication of data on a backup evaluator server may also
be helpful. Finally, in spite of the presence of the proposed architecture, it is still recommended for mobile-
agents to use existing security technologies for protection for defence in depth in case the Honey-agents have
been detected. The honey-agents themselves do not prevent attacks from occurring but they just help to
reduce the probability of it happening due to the social control mechanisms of sanctions and punishment.
Thus, the proposed mechanism complements and adds value to current architectures. Future work being
considered consists of using honey-agents for detecting other attacks on mobile agents such as data
inspection, obfuscated code analysis, replay attacks.
ACKNOWLEDGEMENT
The authors wish to thank the anonymous referees for their valuable comments.
ISBN: 978-972-8924-60-7 © 2008 IADIS
18

REFERENCES
Bennet S. Yee, 1997. A Sanctuary for Mobile Agents. Technical Report CS97-537, University of California in San
Diego, April 28, 1997.
Giacomo Cabri, Letizia Leonardi, Franco Zambonelli, 1998. How to Coordinate Internet Applications based on Mobile
Agents. Proceedings of the 7th Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises,
pp. 104 - 109
O. Esparza. Miguel Soriano. Jose L. Muñoz. Jordi Forné. 2003. A protocol for detecting malicious hosts based on
limiting the execution time of mobile agents. Proceedings of the Eighth IEEE International Symposium on
Computers and Communication (ISCC’03). pp. 251
W.Farmer, J.Guttman, and V.Swarup. 1996. Security for Mobile Agents: Authentication and State Appraisal.
Proceedings of the Fourth European Symposium on Research in Computer Security. pp 118 – 130.
FIPA Specification, part 1, version 2.0, Agent Management. Foundation for Intelligent Physical Agents, October 1998.
Fuggetta A., G.P. Picco, and G. Vigna. 1998. Understanding Code Mobility. IEEE Transactions on Software
Engineering, 24(5).
Xudong Guan, Yiling Yang, Jinyuan You. 2000. POM – A mobile agent security model against malicious hosts.
Proceedings of the fourth international conference on high performance computing in asia-pacific region. pp. 1165-
1166 vol.2.
Fritz Hohl. 2000. A Framework to Protect Mobile Agents by Using Reference States. Proceedings of the 20th
International Conference on Distributed Computing Systems ( ICDCS 2000), p.410.
Fritz Hohl. 1999. A Protocol to Detect Malicious Hosts Attacks by Using Reference States. Technical Report Nr. 09/99.
Faculty of Informatics, University of Stuttgart, Germany. http://www.informatik.uni-stuttgart.de/cgi-bin/
Wayne Jansen, Tom Karygiannis, 2000. NIST Special Publication 800-19 Mobile Agent Security (2000), pp. 2-8.
Hohl Fritz. 1998. Time Limited Blackbox Security: Protecting Mobile Agents From Malicious Hosts. Giovanni Vigna
(Ed.): Mobile Agents and Security, pp. 92-113. Springer-Verlag
G. Karjoth, N. Asokan, and C. Gülcü. 1998. Protecting the Computation Results of Free-roaming Agents. Proceedings of
Second International Workshop on Mobile Agents (MA' 98), Stuttgart, Germany. Lecture Notes In Computer
Science; Vol. 1477. pp. 195 - 207
Maes P., R. Guttman, and A. Moukas, 1999. Agents that Buy and Sell. Communications of the ACM, vol. 42, pp. 81-91.
P.Pasquier, R.Flores, B.Chaib-draa. 2006. An ontology of Social Control Tools. Proceedings of AAMAS06, Japan
R.A. Posner and E.B. Rasmusen. 1999. Creating and Enforcing norms, with special reference to sanctions. International
Review of Law and Economics. 19(3), 369-382.
Paulo Jorge Marques, Luis Moura Silva, Joao Gabriel Silva, 1999. Security mechanism for using mobile agents in
electronic commerce. Proceedings of the 18th IEEE Symposium on Reliable Distributed Systems. pp. 378
D.Martingale. 1978. Social Control for the 1980s: A Handbook for Order in a Democratic Society. Chapter: The Theory
of Social Control, pages 46 – 58. Wesport. CT Greenwood Press
Minsky, Y.; van Renesse, R.; Schneider, F.; Stoller, S. 1996. Cryptographic support for fault-tolerant distributed
computing. Proceedings of the Seventh ACM SIGOPS European Workshop, pp. 109-114
Object Management Group (OMG) Technical Committee (TC). 1997. Mobile Agent System Interoperability Facilities
Specification. Document orbos/97-10-05.
Jong-Youl Park, Dong-Ik Lee and Hyung-Hyo Lee. 2001. Data Protection in Mobile Agents; one-time key based
approach. Proceedings of the Fifth International Symposium on Autonomous Decentralized Systems (ISADS01), pp.
411 - 418
Tomas Sander, Christian F. Tschudin. 1998. Protecting Mobile Agents Against Malicious Hosts. In G. Vigna (ed.),
Mobile Agent Security, Springer-Verlag. Lecture Notes in Computer Science. No. 1419
L. Spitzner. 2002. Honeypots: Tracking Hackers, Addison-Wesley.
Giovanni Vigna. 1997. Protecting mobile agents through tracing. Proceedings of the Third ECOOP Workshop on Mobile
Object Systems, Jyv¨askyl¨a Finnland,
Giovanni Vigna. 1998. Cryptographic traces for mobile agents. In: G.Vigna (Ed): Mobile Agents and Security, volume
1419 of LNCS. Springer-Verlag, pp. 137-153
19

FRAMEWORK FOR DEFINING AND RUNNING
INTEGRATION TESTS OF MULTI AGENT SYSTEMS
Khaled Nagi
Dept. of Computer and Systems Engineering, Faculty of Engineering, Alexandria University, Egypt.
Elshatby, Alexandria, Egypt.
ABSTRACT
The testing of Multi Agent Systems (MAS) has not been subject to extensive research yet. We build a framework for
defining and performing integration tests on a multi agent platform. The framework controls the vital functions of the
MAS platform and stimulates actions according to the different use cases under test. It provides a mechanism for
validation and has a success / failure reporting tool. The test scenario is defined in a declarative manner while the
execution can be unattended allowing its integration in common regression test environments. In this paper, we describe
the framework and use three examples to illustrate how to design and define integration tests. The scenarios show the
testing of the macro behavior of a multi agent system consisting of hundreds of agents, the micro behavior of individual
agents after a long set of interactions and finally the state of the platform after a long sequence of interactions.
KEYWORDS
Multi Agent Systems, Software Engineering, Integration Tests, Testing frameworks.
1. INTRODUCTION
The traditional approaches to software engineering, e.g., the waterfall model, consider testing after
implementation (Royce 1970). However, the view of testing has evolved over the last years and testing is no
longer seen as an activity which starts only after the coding phase is completed. Software testing is now seen
as a whole process that permeates the development and maintenance activities. Agile software engineering
approaches, e.g., extreme programming, address testing continuously within the implementation process
(Beck & Andres 2004). Furthermore, developers formulate test cases before or during implementation, which
may be executed automatically on demand. This procedure is also known as Test Driven Development (Beck
2002).
In Multi Agent Systems, the non deterministic nature of the problem increases the complexity of testing,
so that developers tend to test the behavior of each individual agent individually and jump to run-time
monitoring of the system that is necessary for acceptance tests. This way, integration tests are implicitly
performed with a greater cost during the performance tuning phase of the system development life cycle.
The current work presents a framework for defining and executing integration tests for multi agent
systems. The test scenario is described in a declarative way using a test script in XML; which describes the
events that - under the satisfaction of the given conditions- launch the desired actions. The actions can be
changes in the world model, the creation and deletion of agents, or assertions on the world model, the state of
the agents, or the hosting platform. As a case study, we base our framework on JADE (Bellifemine, et al.
1999) which is widely used in both research and industry. Moreover, it is FIPA (FIPA) compliant which is
the well established standard for inter-operative MAS. To validate our framework, we use three simple multi
agent application scenarios. The scenarios aim at performing integration tests on the macro level of a multi
agent system, the micro level of agents after a long set of interactions and the state of the platform as well.
The rest of the paper is organized as follows. Section 2 presents a background on testing of MAS. In
Section 3, we describe the framework. In Section 4, we validate our framework by presenting three examples
of Multi Agent Systems and show that there is no extra effort in writing unnecessary code either to interact
with the platform or to implement details of the test scenario. Section 5 concludes the paper.
ISBN: 978-972-8924-60-7 © 2008 IADIS
20

2. BACKGROUND
2.1 Overview of Testing
During the software life cycle of monolithic systems, usually three main models are generated: requirements
model, design model, and implementation model. These models have to be validated in order to ensure high
quality software. In Figure 1, the process of the minimal validation within software engineering is illustrated
(Thaller 2002). The testing of the models is performed in opposite direction of their building. In the first step,
the implementation is tested by unit test during the coding. The purpose of unit testing is to identify errors
within the algorithms on the level of individual classes. Tests are case-based, i.e., the test program creates
defined sequences of input patterns and evaluates whether the output meets the pre-defined requirements.
With a proper architectural framework, e.g., Spring framework in Java (Walls & Breidenbach, 2007), it is
possible to isolate each class, and test it outside the application container. If the implementation model
appears to be correct, modules are integrated and their composite behavior is tested. Integration tests are
scenario-based, i.e., the test program implements a complete sequence of events and simulates user
interactions and the outputs and the internal states of the system are evaluated along the execution of the
scenario. Usually, a test outside the container is not possible here. After completion of these tests the
software is supposed to satisfy the specification of the design model. However, there may be inconsistencies
between the design model and the requirements model. These are identified in the acceptance tests, which are
the final stage of testing (Thaller 2002). They are sometimes also called run-time monitoring. Run-time
monitoring is a procedure to analyze the behavior of a system in run-time. They often serve in performance
tuning and acceptance tests concerning the key performance indices.
Figure 1. Minimal validation in software engineering
Other formal methods of testing knowledge engineering and mission critical subsystems include static
analysis, model checking, and theorem proving (Menzies & Pecheur 2004). Static analysis concentrates on
the structures within the source code without execution of the system. Model checking is to verify a property
of a system by exploring all of the systems reachable states. Theorem proving is used for formal verification
of software systems. Here, a mathematical model of a computer program is generated to determine whether it
satisfies desired properties.
2.2 Overview of MAS Testing Frameworks
Since March 2004, JADE comes with its own test suite (Cortese, et al. 2005). The JADE test suite permits to
create tests that can be executed in a uniform and automatic way. It is mainly used by the JADE team to test
JADE itself. Users are encouraged to use the suite to test JADE-based agent systems. However, it seems that
the tool is best suited for testing the system infrastructure and related services rather the logic of the agents
themselves. Passi (Care, et al. 2004) provides a simple testing framework which lets developers build a test
suite. It is built on top of JADE and is based on a two-level model. At the first level, the agent is treated as an
atomic entity. The second level is the specific agent tasks. However, Passi does not support testing at the
agent society level.
In (Rouff 2002), a test agent is introduced which is inserted into a community of agents to examine each
of the agents as well as the community as whole. The test agent can send or receive specific messages, handle
21

invalid ones, and monitor scalability issues. The focus is clearly set on the interaction protocols. The
drawback of this approach is that the introduction of the test agent often requires changing the interaction
protocols and it is difficult to test the agent internal state or the state of the world model.
Madkit (Huget & Demazeau 2004) provides a testing platform that is based on record & replay. The
group message tracer agent, the organization tracer agent and the environment tracer agent are responsible
for the record phase. The replay phase is coupled to clever post-mortem analysis. The platform is easy to use.
However, it is difficult to filter out the non-deterministic and non-relevant events from the record phase. The
post-mortem analysis also lacks a visualization tool.
XMLaw (Rodrigues et al. 2005) is designed for integration tests in open MAS. In open MAS, agents must
obey social conventions in order to maintain predictable integration across heterogeneous MAS systems.
XMLaw is a law enforcement language and environment that allows designers to specify the interaction
between agents, the enforcement of the rules through a mediator agent to verify the interaction protocols and
block the non compliant agents. This approach seems to be very useful only in open MAS.
3. THE PROPOSED FRAMEWORK
The components of the proposed integration test framework are illustrated in Figure 2. The test script
describing the test scenario is defined in XML format. It is the input to the test execution engine. Since
integration tests can seldom run outside the hosting container, the test execution engine controls the MAS
container; in our case the JADE deployment platform. It submits commands to the AMS, the DF, and can
start primary and secondary containers in several Java virtual machines. At the end of the test execution, it
performs a normal shutdown of the JADE platform. According to the test script, the engine can create agents,
suspend their activities and destroy them. The engine stimulates changes in the world model as declared in
the test script in order to initiate a sequence of actions at the agent level. At any time during the execution of
the test run, assertions on the state of the platform, the agents or the world model can be done. The results of
these assertions are recorded in the test result report; which is also stored in XML format.
Figure 2. Components of the proposed framework
3.1 Structure of the Test Script
The test script defines a sequence of events which take place if a set of conditions is met. The events lead to
triggering of actions. Figure 3 illustrates a sample test script. Each test script has a mandatory id and an
optional name. The same applies to the event. The tag <Event> is repeated as many as events are required.
An event is triggered if the set of conditions is met. Conditions can be combined by recursively repeating the
<conditions> tag into a complex condition term bound with the logicalOperator parameter AND |
OR. Each atomic condition – marked by the tag <condition> - is based on the state of an event (start |
end) and its outcome (success | fail | error). We intentionally use the same outcome as from unit tests for the
sake of unification. Additionally, the atomic condition can be temporal; i.e., x milliseconds from starting the
ISBN: 978-972-8924-60-7 © 2008 IADIS
22

run. In Figure 3, the event is triggered if event1 ends successfully and event2 ends with a failure or after
120 seconds from starting the test.
Figure 3. A sample test script in XML format
With each event, there can be one or more actions –marked by the tags <action> - that are carried on
when the event is triggered. An action can be carried out once or more. This is determined by the tag
<Frequency> which determines the number of runs and the time interval between them. There four types
of actions: platform actions, agent actions, world model actions and assertions.
Platform actions, such as CreatePlatform and CreateAgentContainer are JADE specific
operations. Currently, we support most of the operations mentioned in the JADE administrator guide
(Bellifemine, et al. 2007). The necessary parameters are passed over to these actions using the optional
<Parameters> tag. Agent actions, such as CreateAgent and CreateAgentGroup, are responsible
for creating, suspending or destroying agents in the JADE platform. Almost all actions have their *Group
counterpart that allow the same action on a set of agents. The range of their agent identifiers are declared in
the <Parameters> tag. World model actions manipulate non agent objects in the system. This way, the
test script is capable of indirectly stimulating the agents to engage in the desired interaction. The action
declares a Java class, a method to invoke and a set of parameters to pass in the <ActionDescription>
tag. The assertions are encapsulated in a method of a java class; which is also described in the
<ActionDescription> tag. As short hand, some of the standard state queries in JADE are encoded in
special action types; such as AMSQuery which invokes a standard AMS state query to the hosting platform.
The parameters needed for such queries are declared in the optional <Parameters> tag. The results of
these queries are also passed to the Java class declared in the <ActionDescription> tag.
3.2 The Test Execution Engine
The test execution engine consists of an event, condition, action (ECA) processing engine. A simple
dispatcher implements a partial order serialized invocation of actions. The standard topological sort algorithm
is slightly modified in order to incorporate temporal conditions (such as start after 100 ms). Time is simply
23

mapped into a sequence of discrete events taking place every x milliseconds. The time interval is defined by
each test script individually based on the time resolution of the test scenario. Typical time interval varies
between 100 milliseconds and 60 seconds. The engine can run in a test blocking or unblocking mode.
Blocking means that the test is aborted and the normal shutdown sequence of the multi agent container is
started as soon as one test fails. The default behavior is the unblocking mode which terminates the tests only
at the end of the execution of the test script.
Since the test script defines the java classes to be used in a declarative manner, the test execution agent
depends on Java reflection to invoke the right class. The class loader of the engine keeps all instantiated
classes alive during the whole run. In case of multiple invocations of actions, the action class must contain a
static part that holds the information across the multiple invocations. Typically, such actions follow the
singleton design pattern.
3.3 Structure of the Test Result Report
We choose to generate a detailed test result report that has a verbose log character. We use the XML format
to be layout neutral; which enables easy integration in commercial or open source regression testing
environments such as anthill, bamboo, etc. Using simple XSLT transformation, the desired HTML view is
generated. A basic extract of a typical test result report is illustrated in Figure 4. Each log entry
corresponding to one execution of the method of the class defined in the <ActionDescription> tag.
The time is recorded in the <At> tag and the outcome of the assertion is stated in the <Outcome> tag and
the possible assertion text or exception is dumped in the <OutcomeDescription>.
Figure 4. One entry in the test result XML file
Using a simple XSLT, the above mentioned verbose format is transformed to the summarized HTML
view, illustrated in Figure 5a. By clicking one of the actions, a detailed HTML view is opened as illustrated
in Figure 5b. The table contains the same information as the verbose XML format <LogEntry> of the
XML test report. It is only filtered on the desired action.
Figure 5. (a) Summarized HTML view (b) Detailed HTML view
ISBN: 978-972-8924-60-7 © 2008 IADIS
24

4. VALIDATION
In order to validate our proposed framework, we implement three simple multi agent applications and use the
framework to define and perform integration tests. In the first scenario, we test the macro behavior of a large
group of agents. We make assertion on both the world model and the internal states of the agents. The second
scenario consists of only two agents. Its purpose is to assert on their internal state after a longer set of
interactions which implies testing the micro behavior of the system. In the third scenario, we assert on the
state of the MAS platform.
4.1 Testing the Macro Behavior: The Ant Colony
In this multi agent application scenario, the standard ant colony is implemented. Each ant is an agent. Agents
have a home zone and they search for food to bring in back home as illustrated in Figure 6a. If an agent has
no clue where to find food, it just performs a random walk in equal probably to move to front (Pf), to the
right (Pr), to the back (Pb), or to the left (Pl) as illustrated in Figure 6b. However, if it finds food, it deploys a
pheromone, which is a hormone that can be smelled by other ants. The strength of the pheromone decreases
with time till it vanishes. If there are pheromones in the neighborhood of an agent, its probability to move (Pf,
Pr, Pb, Pl) is changed to be proportional to the density of the pheromone in the corresponding direction. To
find the way back home, the ants produce another type of pheromone whose strength is inversely
proportional to the distance they walk away from home. Again, the strength of this pheromone decreases with
time until it vanishes. The ants should be able to transport food back home even if an obstacle is placed
between them as illustrated in Figure 6c.
Figure 6. (a) Ant colony looking for food. (b) Probabilistic model for ant movement (c) Placing an obstacle between
home and food
A typical Agent unit test would be to take one ant, distribute pheromones around it and assert that on
average, the ant moves in the right direction. If the pheromone is implemented as an agent too, a valid test for
this agent would to assert that the strength of the pheromone decreases with time. Having done these tests
however does need assert that the ants will find food and bring it home. An integration test is needed. We use
our framework to create the MAS platform, deploy 100 ants, and assert that after a certain setup time, the
quantity of the food is decreasing which requires an assertion on the world model. Another valid assertion on
the state of the agents is to assert that the majority if the agents are around the imaginary line connecting
home with food. Then, the scenario introduces an obstacle between home and food, and then asserts that food
is still decreasing after waiting for a certain time needed by the agents to readapt. On a later phase, the run-
time monitoring tests aim at fine tuning the probabilities Pf, Pr, Pb, Pl and the rate of decay of pheromone to
get the food transported as fast and efficient as possible to home.
Figure 7 illustrates the test script file used in our validation case. Lines 2-10 start the JADE platform. The
optional parameters cover all startup parameters of JADE and lines 11-14 start one agent container. The
event Start Agent Group (line 15-20) creates 100 agents all from the same base class AntAgent.
They all have the same prefix ant_ and they are numbered from 0 to 99. The class getAgentLocation
(lines 21-34) asserts that the majority of the ants are on the right track. The measurement repeated 10 times
with 10 seconds between each measurement, while the class getFoodLevel (lines 35-46) checks that the
25

level of food is continuously decreasing. The obstacle is introduced through a change in the world model
(lines 47-55) and the check for the decreasing food level is repeated.
Figure 7. The test script for the ant colony scenario.
4.2 Testing the Micro Behavior: The Betting Agents
In this scenario, we have two agents betting on the results of flipping a coin. Each time a coin is flipped and
both agents place their bets. If one fails to bet or both agents bet on the same result, the round is cancelled.
Both begin with the same amount of money. Agent1 implements a simple betting strategy. It simply bets
according to the result of the last coin flip. Agent2 keeps history of the last x bets and tries to find a way to
anticipate the next result according to some heuristics. The goal of this game is to win the money of the other
agent. Certainly, we know that both strategies have the same result if we believe in the randomness of
flipping a coin. Independent of the strategy, both agents implement a random walk on their money amount.
The chance of winning each other’s money is reaching the terminal state of having twice the original amount
of money.
A unit test of Agent1 is simply to assert that the next bet is the same as the outcome of the previous run.
The unit test of Agent2 is more complicated and depends on the algorithm it implements. The integration test
is simple. We use our framework to create the MAS platform, deploy the two agents and stimulate lots of
coin flips (changes in the world model). The assertion is that the difference between the amount of money of
both agents remains within a reasonable range. Here, the assertion is placed on the internal state of the agents
and we are not interested in their internal algorithms used for betting. Run-time monitoring is to determine
the initial amount of money that statistically guarantees that the game would last more than x runs.
Figure 8 illustrates the test script file used. The platform, the container and both agents are started by lines
2-27. Lines 28-40 inject 100 rounds of coin flipping. Simultaneously, lines 41-54 checks that the difference
between both money levels remains within 80% of the starting value. The test inspects the internal state of
both agents by reading their amount of money and the test is repeated also 100 times.
ISBN: 978-972-8924-60-7 © 2008 IADIS
26

Figure 8. The test script for the betting agents’ scenario.
4.3 Testing the State of the Platform: The Mobile Agent
In this scenario, there is only one mobile agent that hops between four agent containers according to a
transition probability matrix. The steady state distribution of the presence of the agent on each of the
containers can be mathematically calculated easily.
The unit test is to test a single agent transition from one container to the other. The assertion is one by
querying the AMS on the location of the agent before and after the transition. An integration test as defined
and executed using our framework is to test that the average stay in the agent in one container is almost equal
to the corresponding mathematical value. The run-time monitoring is interested in measuring the number of
bytes that are sent through the transportation layer, the latency during the migration, etc.
Figure 9 illustrates the test script file used in our validation case. Lines 2-32 create the platform, the four
containers and the hopping agent. Lines 33-45 periodically query the AMS to find out the location of the
agent and ensure that the average stay in each location is almost the same as the mathematical steady state
value.
Figure 9. The test script for the mobile agent’s scenario
27

ISA2008

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie ISA2008

Ähnlich wie ISA2008 (20)

ISA2008