Formal architectural models for agent-based

Download PDF
0 downloads 0 Views 658KB Size Report
Comment
Reference to this paper should be made as follows: Ding, Z., Dong, J. and Han, W. (2008) ..... bags over A. Extending set operations to Bag(A) we define.
Int. J. Computer Applications in Technology, Vol. 31, Nos. 1/2, 2008

45

Formal architectural models for agent-based service systems Zuohua Ding*, Jianming Dong and Wei Han Center of Mathematical Computing and Software Engineering, Zhejiang Sci-Tech University, Hangzhou, 310018, PR China E-mail: [email protected] E-mail: [email protected] E-mail: [email protected] *Corresponding author Abstract: This paper describes formal architectural models for three types of service systems: static service system, dynamic service system and mobile service system. The system architectures are agent based. For each model, we investigate the properties and give the case study. Keywords: service oriented architecture; SOA; multi-agent system; MAS; Petri net. Reference to this paper should be made as follows: Ding, Z., Dong, J. and Han, W. (2008) ‘Formal architectural models for agent-based service systems’, Int. J. Computer Applications in Technology, Vol. 31, Nos. 1/2, pp.45–63. Biographical notes: Zuohua Ding received his PhD (1996) in Mathematics and MS (1998) in Computer Science from the University of South Florida, USA. He is currently a Professor and the Director of Center of Mathematical Computing and Software Engineering, Zhejiang Sci-Tech University, Hangzhou, China, and he has been a Research Professor at the National Institute for Systems Test and Productivity, USA since 2001. From 1998 to 2001, he was a Senior software engineer in Advanced Fiber Communication, USA. His research interests include formal methods on software design, software testing, reliability modelling and model checking, subjects on which he has authored and coauthored more than 20 papers. Jianming Dong received his MS (2003) in Computer Science from Zhejiang Sci-Tech University, China. He is currently an Assistant Professor at the Center of Mathematical Computing and Software Engineering, Zhejiang Sci-Tech University, China. His research interests include software architectures, agents and Petri nets. Wei Han received her MS (2003) in Mathematics from Zhejiang University, China. She is currently an Assistant Professor at the Center of Mathematical Computing and Software Engineering, Zhejiang Sci-Tech University, China. Her research interests include formal methods and Petri nets.

1

Introduction

Service Oriented Architecture (SOA) is a new paradigm in distributed systems aiming at building loosely-coupled systems that are extendible, flexible, safer and fit well with existing legacy systems. Agents have been considered as next generation components (Griss and Kessler, 2003) that can be used to build models for SOA. It is our attempt to combine these two paradigms together to build agent based architectures for the service systems. The services can be obtained through cooperation among agents. Here the service is defined as a single and coherent block of activity (Wooldridge et al., 2000) in which an agent will

Copyright © 2008 Inderscience Enterprises Ltd.

engage. Based on the agent cooperation style, we will discuss three types of service systems: static service system, dynamic service system and mobile service system. More service systems can be found in Jostad et al. (2005). Static service system. Here the ‘static’ means that the services are determined before the system is running. The services are pre-designed and the software structure is pre-configured, and the agents, located on the local host, communicate to each other to exchange the information to complete the services. An agent usually installs some information to support service computing and service designing; however, it is hardly feasible for a single agent to

46

Z. Ding et al.

be able to install enough resource information to support all kinds of services. Thus an agent should be capable in coordinating various resources and cooperating with other agents. Several operators are defined to reach this goal such as Sequential, Choice, Parallel, Cooperate, and Disable/Resume, which well preserve the software properties. In this way, there is no need to analyse the whole system since the analysis on whole system is equivalent to the analysis on the agents. Dynamic service system. Here the ‘dynamic’ means that services are determined when the system is running. In other words, new services may be created when system is running. Hence, •

the architecture style is usually formed in the running time and is hard to be configured in the design phase



the systems are adaptive and flexible systems where agents may be added or deleted dynamically.

Two kinds of agents are involved in the architecture formation: user agent and server agent. User agent will publish services or ask for services while server agent is responsible to route service information. Due to the architecture style, the service systems face a security problem, namely, (distributed) Denial of Service (DOS) attacks. DOS attacks can crash remote software/services running on a machine by flooding it with large amounts of traffic or sending ‘specially crafted’ messages. To protect the agents, a method is introduced for detecting DOS attacks based on service actions. By training, two normal patterns will be collected: Space Pattern and Time Pattern. The first is to correlate the monitored actions; the second is to calculate the average action and time distribution. By monitoring deviation of the caught pattern to the trained normal pattern, possible attacks can be detected. Mobile service system. Here the ‘mobile’ means that the services are performed when agents (called mobile agents) migrate from one host to host to collect services or perform service computing. Instead of operating from one machine, a mobile agent will operate at the various host machines that it will be visiting. There are two levels in the model: agent level (mobile agent) and system level (system net). In agent level, once the service computing is completed or more information is required, the mobile agent is ready to migrate to other places. In system level, the system must have the ability to transmit agents from one location to another location. In other words, the system must have strong mobility. Accordingly, the system needs to fit a sequence of activities such as suspending execution, transmitting agent, and resuming execution, when agents are in migration. As we can see we capture the services in agent level. Different types of services will lead to different agent-based architectures. For static service and dynamic service, we will obtain Multi-Agent System (MAS) and for mobile service, we will get Mobile Agent System. An agent is used for all service systems. In static service system, it behaves as a component; in dynamic service system, it behaves as a

user agent; in mobile service system, it behaves as a mobile agent. Instead of interacting with multiple interfaces as is usually done in component models, this agent has been designed to possess only one input interface and one out interface to stress the ready in and ready out state (Schuster et al., 2000). With input interface, a service request can come through and with output interface, an agent can request services and communicate with other agents or server agent or system net. Hence, the agent must have at least two processes: one for communicating and the other for self-autonomy task to achieve service computing goal. The rest of this paper is organised as follows. Section 2 is to create agents and the agent behaviour is described by labelled CPN. In Section 3, we describe the architectural model for static service systems. In Section 4, we describe the architectural model for dynamic service systems. In Section 5, we describe the architectural model for mobile service systems. Section 6 is the discussion of related work. The last section, Section 7, is the conclusion of this paper.

2

Architecture of agents

In service oriented engineering, an agent must be capable of providing/requesting service to/from other agents or local hosts and reasoning about its own behaviour towards new service design and computing, thus committing towards service accomplishment. Formally, we have Definition 2.1: An agent is a software object with a knowledge base that contains non-empty sets of self service and public services, external communication primitives, internal service functions and service designing methods. Here service functions include two aspects. One aspect is that an agent has ability to provide services when other agents make service requests. The agent may accept or refuse requests depending on the environment information occupied by the agent. The other aspect is that an agent requests services from other agents in case the knowledge is not rich enough for the agent to compute new selected services. The knowledge base may be updated after the agent accomplishes a service. There is considerable support for an internal organisation of an agent that in some way accommodates the symbolic representation of the beliefs, desires, intentions (the BDI model) (Rao and Georgeff, 1991) of an agent. The BDI module is based on the study of mental attitudes where an agent’s mental attitudes are characterised by the notions of belief, desire, goals, and intensions. Belief represents the information state of an agent that comprises of what the agent knows about itself and the world including all kind of services. Desire represents an agent’s motivational state, i.e., what goal an agent is trying to achieve, in other words, what services an agent is planning. The Intension represents the deliberative state of the agent. In this state an agent choose a goal (service) and becomes committed to achieving it, i.e., service computing.

Formal architectural models for agent-based service systems

47

Motivated by BDI, we give a suggestion to design an agent. An agent may consists of the following modules: Message Communication (MC) module, Event Management (EM) module, Knowledge Base (KB) module, Service Designing (SD) module, and Service Computing (SC) module (see Figure 1).

Let M = {Message, Service} denote the data types from external events (message) and internal events (service), and S denotes all states that come from the above five modules, without confusion, we use the same names to represent the states: •

Knowledge-Updating (KU)

Figure 1



Service-Designing (SD)



Service-Computing (SC)



Message-Communicating (MC)



Event-Managing (EM).

Agent architecture

Message Communication (MC). It contains two parts, one is to handle incoming messages, and the other handles outgoing messages. The module is augmented with two message queues: a message-in-queue where the inward messages are temporarily queued up before they can be processed and a message-out-queue where the outward message are queued up before they can be dispatched. Knowledge Base (KB). It is the information repository of an agent. The knowledge base contains several items, knowledge of own service capabilities, service capabilities of other agents in the society, and the state description in terms of mental attitudes. Event Management (EM). It has two parts. The first part is to store the offered services from other agents to knowledge base or to send the service requests to Service Computing module; The second part is responsible to send out service offering and service requesting. This module must have the ability to send service requesting out again if it cannot receive the required service back in some time period. Service Design (SD). It can design some new services following the given rules. If the current knowledge contained in the Knowledge Base is not enough to create a new service, it will send a service request to message-out-queue. Computing Service (CS). It either retrieves services from the Knowledge Base and sends the services out, or creates new services based on current knowledge and rules, thereafter sends the new services out. An agent’s service planning may change over time because of the priorities (as specified by its user) or as a result of change when knowledge base gets updated. Thus the phase of service planning can be shifted to the phase of service computing when the agent believes that the planned service is achievable. If this is the case, the agent does not need any additional knowledge to achieve the goal only by assuming the existing knowledge it contains. Therefore, in addition to external events, the internal service planning can also make an agent’s state change in the process to accomplish the services.

Next we will formalise our agent architecture. Let T denote all those mappings that map one state to another state. If a ∧ b means that conditions a and b must be true at the same time, then agent’s state changes can be represented by the following mappings (t ∈ T): For internal events: Mapping 1: From Knowledge-Updating to ServiceDesigning: t : s1 ∧ m1 → s2 ∧ m2 , s1 ∈ KU , s2 ∈ SD, m1 , m2 ∈ Service.

Mapping 2: From Service-Designing to Service-Computing: t : s1 ∧ m1 → s2 ∧ m2 , s1 ∈ SD, s2 ∈ SC , m1 , m2 ∈ Service.

Mapping 3: From Service-Computing to KnowledgeUpdating: t : s1 ∧ m1 → s2 ∧ m2 , s1 ∈ SC , s2 ∈ KU , m1 , m2 ∈ Service.

Outgoing event control: Mapping 4: From Service-Computing to Event-Managing: t p : s1 ∧ m1 → s2 ∧ m2 , s1 ∈ SC , s2 ∈ EM , m1 , m2 ∈ Service.

Mapping 5: From Service-Designing to Event-Managing: tr : s1 ∧ m1 → s2 ∧ m2 , s1 ∈ SD, s2 ∈ EM , t : s1 ∧ m1 → s2 ∧ m2 , s1 ∈ EM , s2 ∈ MC , m1 , m2 ∈ Service.

Mapping 6: From Communication:

Event-Managing

t : s1 ∧ m1 → s2 ∧ m2 , s1 ∈ EM , s2 ∈ MC , m1 ∈ Service, m2 ∈ Message.

to

Message-

48

Z. Ding et al.

Incoming event control:



M0 is the initial or current marking:

Mapping 7: From Message-Communicating to EventManaging:



M 0 = ∪ p∈P M 0 ( p ),

t : s1 ∧ m1 → s2 ∧ m2 , s1 ∈ MC , s2 ∈ EM , m1 ∈ Message, m2 ∈ Service.

Mapping 8: From Event-Managing to Service-Computing: t : s1 ∧ m1 → s2 ∧ m2 , s1 ∈ EM , s2 ∈ SC , m1 , m2 ∈ Service.

Mapping 9: From Event-Managing to Knowledge-Updating:

where M 0 ( p ) ∈ Bag (cd ( p)) . Definition 2.4: A marking of a labelled CPN N = < P, T , C , cd , A, M 0 >

is a vector M such that M ( p ) ∈ Bag (cd ( p )) for each p ∈ P . A transition relation ( p, t , q ), p, q ∈ P, t ∈ T can ‘fire’ ina a marking M iff M ( p ) ≥ a (t ), a ∈ A (denoted by: M → ). The firing of a transition leads to the next marking:

t : s1 ∧ m1 → s2 ∧ m2 , s1 ∈ EM , s2 ∈ KB,

M ′( p ) = M ( p ) − a (t ), if p ∈ ( p, t , q ),

m1 , m2 ∈ Service.

M ′( p ) = M ( p ) + a (t ), if p ∈ ( q, t , p, )

Mapping 10: If a state has silent moving, we may use ε to denote the state mapping. Naturally, we may use a Coloured Petri net to describe all the state changes of agents. There are a few definitions about Coloured Petri nets (CPN). For our purpose, we choose the definition in Girault and Valk (2003). With a little modification, we get the following labelled CPN which is also an extension of the labelled Petri net (Jong and de Lin, 1994). Definition 2.2: A bag (or multiset) ‘bg’, over a non-empty set A, is a function bg : A → N , sometimes denoted as a formal sum ∑ a∈A bg (a )′a . Bag (A) denotes the set of all bags over A. Extending set operations to Bag(A) we define the Sum(+) and the difference(–)as follows: If bg, bg1 and bg2 are bags over A, then: •

bg1 + bg 2 := ∑ a∈ A (bg1 (a) + bg 2 (a ))′a



bg1 ≤ bg 2 :⇔ ∀a ∈ A, bg1 (a) ≤ bg 2 (a )



bg1 − bg 2 := ∑ a∈A (bg1 (a ) − bg 2 (a ))′a if bg 2 ≤ bg1 and



bg := ∑ a∈A bg (a) is the size of bg and ∅ denotes the

empty bag (with bg = 0 ). Definition 2.3: A labelled CPN is defined by a tuple N = < P, T , C , cd , A, M 0 >

where •

P is a finite set of places



T is a set of transition relations, i.e., ∀t ∈ T , t ⊆ 2 P × 2 P



C is the set of colour classes



cd : P ∪ T → C is the colour domain mapping



A is a set of action label functions on transition relation T, and A : t → Bag (cd (t )),∀t ∈ T

M ′( p ) = M ( p ), otherwise.

Such a state transition is denoted as (M, a, M′). Given a labelled CPN N, the reachability graph of N, denoted as RG(N), is the (reflexive) transitive closure of the above next-state relation. The nodes of the reachability graph represents the reachable state space of the net, whereas the edges (M, M′) are labelled with the action a of the transition (p, t, q) which must be executed in M to reach M′. As Xu et al. (2003), we may modify labelled CPN to define Agent net. We assume that a labelled CPN, which represents the behaviour of an agent, contains one input place (i.e., a place with no incoming transition) and one output place (i.e., a place with no outgoing transition). The input place is used for accepting messages while the output place is used for sending message out. Definition 2.5 (Agent net): Agent net AN for agent A is a tuple AN = ( P, T , C , cd , A, M 0 , pin , pout ),

where ( P, T , C , cd , A, M 0 )

is a labelled CPN, pin ( pin ∈ P ) is the input place for incoming messages, and pout ( pout ∈ P ) is the output place for outgoing messages. Remark 2.6: In Xu et al. (2003), the definition of agent net is based on a simplified PrT net, while in Hamadi and Benattallah (2003), the service net is based on a labelled Place/Transition net. Remark 2.7: Here in our definition, the coloured tokens only represent service data and message data, not a whole service. Wooldridge et al. (2000) mentioned that a service is simply a single and coherent block of activities, thus an agent has to collaborate all actions to perform service processing.

Formal architectural models for agent-based service systems When moving from the definition of Agent to the definition of Agent net, the above 10 state mappings will be transformed to transitions and action labels that are defined on the transitions. Two action labels will be most important to us since they play a key role in the discussion of Section 4. These are the labels corresponding to mapping 1 from Service-Designing to Event-Managing and mapping 2 from Service-Computing to Event-Managing. We use asr and asp to denote them, respectively.

3

Architecture of static services

3.1 Architecture The architecture design is similar to the component-based architecture design except that the components are replaced by agents. Therefore, the design is basically input message (event) driven (Garlan, 2003). We also need to consider agent operations such as sequential, parallel, interleaving, choice, etc. All these operations are well-known process algebra operations, as for instance used in CCS and CSP (Hoare, 1985; Best et al., 2001). Beside all these operations, we need to consider the resource sharing because all agents have knowledge bases. Connector is another basic element to form architecture when two components are communicating. In our case, agents communicate through places pin and pout. Connection actions are involved in the communicating. Formally, we have Definition 3.1: The connection action is defined by ! and ?, where ! models the sending of a message while ? models the reception of a message. Here ! and ? come from CSP (Hoare, 1985) like languages. Thus pin ? pout means pin receives message from pout, and pout ! pin means pout sends a message to pin .So if two agents interact, connection actions ! ? need to be added to the action set. Moreover, each ! and ? is associated with a guard that checks if there exist enough message types and verifies the correctness of the message types. The next definition is presented for agent connector. Definition 3.2: Let I = ∪ Pin , O = ∪ pout and A = {!,?} . An agent connector is a tuple ( I , O, A, →) , such that →⊆ (2O × A × 2 I ) ∪ (2 I × A × 2O ).

This definition will be used implicitly in defining agent operations in the following. To describe agent behaviour in the operations, next we define some operational semantics for agents. A commonly used semantics is the trace semantics, which is defined by all the possible firing-sequences of a labelled net. Thus all paths in the reachability graph are viewed as elements of the trace set. Definition 3.3: For a labelled net N, the set of traces is defined as

49

L( N ) = {a1 , a2 ,… ,| ∃M ′ : ( M 0 , < a1 , a2 ,… >, M ′) ∈ RG ( N )}.

Sequential (A; B): Agent A executes first, then passes a message to agent B, and then Agent B starts to execute. i Definition 3.4: Let N i = ( Pi , Ti , Ci , cdi , Ai , M 0i , pini , pout ), i = 1, 2 be two agent nets with P1 ∩ P2 = φ . The sequential of nets is defined as:

2 N1 ; N 2 = ( P1 ∪ P2 , T1 ∪ T2 , C1 ∪ C2 , cd1 ∪ cd 2 , A, pin1 , pout , M 01 ),

where A = A1 ∪ A2 ∪ {(⋅)!(⋅)}or } A = A1 ∪ A2 ∪ {(⋅)?(⋅)}.

Here ! or ? has a guard that checks one incoming message type and one outgoing message type. This is illustrated in Figure 2. Figure 2

Sequential composing

Definition 3.5: Let t1 and t2 be traces defined on alphabets A1 and A2, respectively. t1 ; t2 = {t ∈ ( A1 ∪ A2 )∗ | t = t1t2 , ti ∈ L( N i ), i = 1, 2}.

Definition 3.6: For two trace languages L1 and L2, their sequential is defined as L1 ; L2 = {t1 ; t2 | t1 ∈ L1 ∧ t2 ∈ L2 }.

Proposition 3.7: L( N1 ; N 2 ) = L( N1 ); L( N 2 ) . Choice (A | B): Either agent A or agent B is executable, but they cannot be executed at the same time. Definition 3.8: Let

i N i = ( Pi , Ti , Ci , cdi , Ai , M 0i , pini , pout ),

i = 1, 2 be two agent nets with P1 ∩ P2 = φ . The choice of nets is defined as: 2 N1 | N 2 = ( P1 ∪ P2 , T1 ∪ T2 , C1 ∪ C2 , cd1 ∪ cd 2 , A, pin1 , pout , M 01 ), where

A = A1 ∪ A2 .

This is illustrated in Figure 3. Figure 3

Choice composing

50

Z. Ding et al.

Definition 3.9: L( N1 | N 2 ) = L( N1 ) ∪ L( N 2 ) .

where

Parallel (A || B): Agent A and agent B have to execute at the same time, however, they do not have message exchanging. The only common part is that their messages come from the same output place pout at the same time. i ), Definition 3.10: Let N i = ( Pi , Ti , Ci , cdi , Ai , M 0i , pini , pout i = 1, 2 be two agent nets with P1 ∩ P2 = φ . The parallel of nets is defined as:

L = L1 ∪ L2 ∪ {(⋅,⋅)!(⋅)}. }

Here ! has a guard checking one incoming message type and two outgoing message types. This is illustrated in Figure 5. Figure 5

Corporate composing

N1 || N 2 = ( P1 ∪ P2 ∪ { pout }, 2 T1 ∪ T2 , C1 ∪ C2 , cd1 ∪ cd 2 , A, pin1 , pout , M 01 ),

where A = A1 ∪ A2 ∪ {(⋅,⋅)?(⋅)}.

Here ? has a guard checking two incoming message types and one outgoing message type. This is illustrated in Figure 4. Figure 4

Definition 3.15: Let t1 and t2 be traces defined on alphabets A1 and A2, respectively. t1 t2 = {t ∈ ( A1 ∪ A2 )∗ | ∀i ∈ {1, 2} : project (t , Ai ) = ti ∈ L( N i )}.

Parallel composing

Definition 3.16: For two trace languages L1 and L2, their corporate is defined as L1

L2 = {t1

t2 | t1 ∈ L1 ∧ t2 ∈ L2 }.

Proposition 3.17: L( N1 ) ∩ L( N 2 ) = { pin }. Definition 3.11: Let t1 and t2 be traces defined on alphabets A1 and A2, respectively. t1 || t2 = {t ∈ ( A1 ∪ A2 )∗ | ∀i ∈ {1, 2} : project (t , Ai ) = ti ∈ L( N i )}.

Definition 3.12: For two trace languages L1 and L2, their parallel is defined as L1 || L2 = {t1 || t2 | t1 ∈ L1 ∧ t2 ∈ L2 }.

Proposition 3.13: ∩ L( N 2 ) = { pout }

L( N1 || N 2 ) = L( N1 ) || L( N 2 ), L( N1 ) .

Corporate ( A B ) : Agent A and agent B are not necessarily to execute at the same time, however, they need to combine together to send the message to the same place pin. i ), Definition 3.14: Let N i = ( Pi , Ti , Ci , cdi , Ai , M 0i , pini , pout

i = 1, 2 be two agent nets with P1 ∩ P2 = φ . The corporate of nets is defined as: N1

N 2 = ( P1 ∪ P2 ∪ { pin }, 2 out

1 0

T1 ∪ T2 , C1 ∪ C2 , cd1 ∪ cd 2 , A, p , p , M ),

N 2 ) = L( N1 )

L( N 2 ),

Disable/Resume ( A E B ) : An action in agent A makes agent B not executable, however, after the activity is finished, agent B will resume its execution. It is possible that both agents N1 and N2 has the ability to disable each other. i ), Definition 3.18: Let N i = ( Pi , Ti , Ci , cdi , Ai , M 0i , pini , pout

i = 1, 2 be two agent nets with Disable/Resume of nets is defined as:

P1 ∩ P2 = φ . The

2 N1 E N 2 = ( P, T1 ∪ T2 , C1 ∪ C2 , cd1 ∪ cd 2 , A, pin1 , pout , M 01 ),

where P = P1 ∪ P2 ∪ { pc }, A = A1 ∪ A2 ∪ {a1 , a2 },

and a1 and a2 are hiding actions for agents A and B, respectively, that make each other disabled, and pc is a hiding control place that contains a token to control disable/resume activity. This is illustrated in Figure 6. If two service actions a1sc and asc2 are involved in the Disable/Resume process, then we have: Proposition

1 in

L( N1

L( N1 E N 2 ) = L( N1 ) ∪ L( N 2 ),

3.19: 1 sc

2 sc

L( N1 ) ∩ L( N 2 ) = {a } ∪ {a }.

Formal architectural models for agent-based service systems Figure 6

Disable/resume

51

(… a1sr …)1 (… asr2 …) 2 … (… asrn …) n

(I)

(… a1sp …)1 (… asp2 …) 2 … (… aspn …) n

(II)

or

and it happens that each of these traces forms a circle, then we say that N has circled traces. To continue the discussion, we need the following assumption for the system:

(H): Once an agent receives a service request, it will restart the processing of this request if it in the middle of processing the same service request. Under this assumption, a system may reach the following two states.

3.2 Architecture analysis and case study Based on the operations defined in the above section, an agent based architectural model can be formed. We will give a simple investigation to this architecture in this section.

Property preserving. Since our agent has a unique entry place, a unique exit place, and modelled with Petri net, we say that this agent is modelled with Petri Net Process (PNP). Based on Mak’s thesis (Mak, 2001), a PNP is a Petri net with unique entry place, a unique exit place and a set of places for handling resource sharing (Note: multi-entry-multi-exit processes can be transformed into PNP without changing the system properties). Several operators are defined for PNP in Mak (2001), that can preserve about 20 Petri net related properties such as: Liveness, Boundedness, Reversibility, Traps, Siphons, Proper termination and Coverability. Among the operators, the following operators are most important to us. They are Enable, Choice, Interleave, Disable, Disable/Resume. Comparing these operators with our operators, we find that Sequential matches Enable, Choice matches Choice, Parallel is the first half of Interleave, Corporate is the second half of Interleave, and Disable/Resume matches Disable-Resume. Therefore, the MAS linked by agents can well preserve the properties of agents. Because of this, the analysis of the system is equivalent to the analysis of agents. Property preserving has also been studied in Huang et al. (2005). Design issue. The architecture can be used to re-model and update legacy system as long as the system needs to collaborate with all static services. However, some new issues will come out when designing such service driven architecture. When system is running, each agent contributes to the formation of the set of traces. Let N be the system that has n agents: I1 , I 2 ,… , I n and each agent has Service Providing action ( aspi ) and Service Requesting action ( asri ), i = 1, 2,… , n . Assume the set of traces contains following types of traces:

Definition 3.20 (Hungry state): If a system N contains a circled trace with type (I), then this system is hungry. Definition 3.21 (Full state): If a system N contains a circled trace with type (II), then this system is full. If the system reaches the hungry state, the system is not able to do any thing. If the system reaches full state, the system is busy with assuming resources, however, it cannot complete anything. There are two cases for us to fix the above problems:



case 1: the requesting service is an existing service;



case 2: the requesting service is a new service.

In case 1, one solution is to arrange different time schedule for each agent to compute the service. For example, in Figure 7, four agents A, B, C, and D concatenate to form a circle. Agent A asks a service from agent B, agent B asks a service from C, agent C asks service from D and finally D asks service from A. If four service requesting occurs at the same time, under our assumption (H), the system will hit Hungry State. Based on the Event Management module of each agent, if no response back, the agent will wait a time period, and then submits the request again. Assume the waiting time for agent A, B, C, and D are tA(w), tB(w), tC(w), tD(w), also assume the service computing time for them are tA(c), tB(c), tC(c), tD(c). If, for example, t A ( w) > t B ( w) + t B (c),

then agent B has enough time to finish service computing before agent A sends the same request the second time. Thus the circle is broken. This phenomenon is quite similar to the deadlock in component based design when components interact to each other by resource sharing. In case 2, there are no solutions. Since the requested services do not exist in the agents, each agent has to obtain additional information from other agent to compute the new service, thus no matter how to design the time interval, we can not break the circle. This phenomenon is quite similar to the synchronous deadlock in component based design when a component passes a synchronous message to another component.

Z. Ding et al.

52 Figure 7

Service circle

Figure 8 is the design of the Server Agent. pin is the place to receive service requests or service publishing from other User Agents; pout is the place to send service links to User Agents; pIN is the place to receive service publishing/ requesting links from Server Agents; and pOUT is the place to send service publishing/requesting links to other Server Agents. For the double circle places pk and ps, pk is the knowledge base while ps is the User Agent link switch. Figure 8

4

Server agent

Architecture of dynamic services

4.1 Architecture Three elements are involved to modelling dynamic service of architecture: User Agent, Connector and Server Agent. User Agent has been investigated in the Section 2. Next we define Connector and Server Agent. The connector is responsible to pass messages between places pin and pout and is defined as following. Definition 4.1: A connection action is an action defined by ! or ?, where ! models the sending of a message while ? models the reception of a message. Here ! and ? come from CSP (Hoare, 1985) like languages. Thus pin ? pout means pin receives message from pout, and pout ! pin means pout sends a message to pin. So if two agents interact, connection actions !? need to be added to the action set. Definition 4.2: Let I = ∪ Pin , O = ∪ pout and A = {!,? } . An agent connector is a tuple ( I , O, A, →) , such that →⊆ O × A × I . A Server Agent is used to route service information among User Agents. It is supposed to have the following function:

Formally, we have a definition for Server Agent net: Definition 4.3 (Server Agent net): A Server Agent net SAN is a tuple SAN = ( P, T , C , cd , A, M 0 , pin , pout , pIN , pOUT )

where ( P, T , C , cd , A, M 0 )

is a labelled CPN, pin (∈ P) is the input place to receive messages from User Agents, pIN (∈ P) is the input place to receive messages from other Server Agent nets; pout (∈ P) is the output place to send out messages to User Agents; and pOUT (∈ P) is the output place to send out messages to other Server Agents. To form an architecture, the Agent Connectors, which do not introduce new properties to the system, will connect all User Agents and Server Agents together. The architecture looks like Figure 9, where SERVER represents Server Agents, USER represents User Agents and black box represents Agent Connectors. All agents will keep their properties.

4.2 Architecture analysis and case study Because of the architecture style, this architecture will face a security problem. Suppose a user keeps sending different service requests, then the server agent will be busy with routing the service information, and eventually resulted in traffic congestion, CPU exhaustion, and no more services for other agents, so called DOS. In next section we will build a process to handle such issue.

Formal architectural models for agent-based service systems Figure 9

53

Dynamic service architecture

An Intrusion Detection System (IDS) (Mukherjee et al., 1994) is a system that attempts to identify intrusions, which are unauthorised uses, misuses, or abuses of computer systems by either authorised users or external perpetrators. The earliest version is by Jim Anderson in the early 1980s (Anderson, 1980). Anderson defines an intrusion as any unauthorised attempt to access, manipulate, modify, or destroy information, or to render a system unreliable or unusable. One of the approaches that are used by Intrusive Detection System is called Anomaly Detection. Anomaly detection assumes that misuses or intrusions are highly correlated to abnormal behaviour exhibited by either a user or a system. Anomaly detection approaches must first determine the normal behaviour of the object being monitored, and then use deviations from this baseline to detect possible intrusions. The initial impetus for anomaly detection was suggested by Anderson in his 1980 technical report (Anderson, 1980) when he noted that intruders can be detected by observing departures from established patterns of use for individual users. Most of the current ways to build normal pattern are based on a mechanism provided by operating systems, known as kernel audicting, for recording the behaviour in terms of programs’ interaction with the operating system (Denning 1987; Michael and Ghosh, 2002). A measure, Hamming Distance (Hofmeyr et al., 1998), has been used to

measure how much a new sequence actually differs from existing normal pattern. Obviously, there are two issues we have to solve if we want to detect intrusion by analysing agent behaviour:



How to build normal pattern?



How to detect anomalies?

In this section we are going to establish normal patterns based on evoked actions. Depending on the performance type, we classify the collected patterns as Space Pattern and Time Pattern. The first one is to define the correlation between the monitored actions. The second one is to measure how normal of a caught pattern. Moreover, we study the deviation degree of a new caught pattern differing from the trained (normal) pattern. Let A be the set containing L actions to be monitored. M is the total number of actions needed to be trained and T is the total time used in the pattern training.

Space pattern We need to set a window for actions to be monitored. Let the window size be m. Among the first m actions a11 , a22 , … , a1m , only a11 , a12 , … , a1k1 are different and the others are the repeat of these actions. The repeat times are n11 , n12 , … , n1k1 , k1 ≤ L , respectively, and n11 + n12 + … + n1k1 = m . So we can calculate evoked action ratios as:

Z. Ding et al.

54 w11 =

n1k n11 1 n12 , w2 = ,… , w1k1 = 1 . m m m

Now move the window further to include a new action and the new evoked m actions are a12 , a22 , … , am2 . Among them, a12 , a22 ,… , ak22 are different and the others are the repeat of these actions. The repeat times are n12 , n22 , … , nk22 , k2 ≤ L . Moreover, n12 + n22 + … + nk22 = m . The new action ratios would be w12 =

nk2 n12 2 n22 , w2 = ,… , wk22 = 2 . m m m

We can continue this process until all L actions will be covered if m < L and the amount of actions reaches M. Consequently, each action will be associated with a set that contains all its ratios. We use I1s , I 2s ,… , I Ls to denote all these sets. Now for each set I is , i = 1, 2,… , L, we define a variable wis that takes the values from I is . We call the pattern of variables w1s /w2s / … /wLs the Space Pattern of the monitored actions. Space pattern is usually used when the monitored actions appear not necessary in an order.

Time pattern Pattern I. Let t be a given time interval. In the first t, there are m1 actions evoked: a11 , a12 , … , a1m1 . Among them, only k1 , k1 ≤ L, actions are different and the others are the repeat

of these k1 actions. Let n11 , n12 , … , n1k1 be the repeat times, where n11 + n12 + … + n1k1 = m1 . Thus the evoked action ratios are: w11 =

n1k n11 1 n12 , w2 = ,… , w1k1 = 1 . m1 m1 m1

For the second t, there are m2 actions evoked: a12 , a22 ,… , am2 2 . Among them, only k2 , k2 ≤ L , actions are different and the others are the repeat of these k2 actions. Let n12 , n22 ,… , nk22 be the repeat numbers, where n12 + n22 + … + nk22 = m2 . Thus the evoked action ratios are: nk2 n2 n2 w = 1 , w22 = 2 ,… , wk22 = 2 . m2 m2 m2 2 1

Keep this processing until the amount of time t reaches T and all actions will be covered. Similar to Space Pattern we will obtain sets for each evoked action, denoted as I1t , I 2t ,… , I Lt . Let wit , i = 1, 2,… , L be the variables that take values in I it , respectively. Finally, we get a pattern of variables w1t /w2t / … /wLt , called Time Pattern I.

Pattern II Assume that in the monitored L actions, there are l actions that appear in an order. Let ai1 , ai2 ,… , ail be the l actions and their appearing order is as the list order. In this case, the window size is m = L. We will compute the time intervals between these l actions to form a time pattern. Assume that

in the first L actions, the total time is T1 , the time between ai1 and ai2 is t11 , the time between ai2 and ai2 is t21 , and so on until the time between ail −1 and ail is tl1−1 . Thus, we can compute the time interval ratios as: w11 =

t1 t11 1 t21 , w2 = ,… , wi1l −1 = l −1 . T1 T1 T1

Similarly, for the second L actions, we have time interval ratios: w12 =

t2 t12 2 t22 , w2 = ,…, wi2l −1 = l −1 . T2 T2 T2

Keep this processing until total action number reaches M. Like space pattern, we will get time sets I1t , I 2t , … , I lt−1 formed by w11 , w12 ,… Let wit , i = 1, 2,… , l − 1 be the variables that take values in I it and we get a new pattern of variables w1t /w2t / … /wlt−1 , called Time Pattern II.

Space Pattern and Time Pattern I are two different patterns. The former is to describe the correlation among monitored actions, while the latter is to calculate an average action distribution. To see their difference, check a simple example. Let A = {a1 , a2 , a3 } . Assume m = 100 in Space Pattern. For Time Pattern I, assume each time interval will cover 200 actions. The action distributions for both pattern are assumed as the following: in the first 100 actions there are 30 actions for a1, 30 actions for a2, and 40 actions for a3. In the second 100 actions, there are 29 actions for a1, 31 actions for a2, and 40 actions for a3, and so on until the final 100 actions which has 20 actions for a1, 40 actions for a2, and 40 actions for a3 Thus for Space Pattern, we have 2 3 3 4 4 4 w1s ∈  ,  , w2s ∈  ,  , w3s ∈  ,  . 10 10  10 10  10 10 

For Time Pattern, we have  2.05 2.95   3.05 3.95  4 4 t t w1t ∈  ,  , w2 ∈  10 , 10  , w3 ∈ 10 , 10  . 10 10      

Easy to know that the more ‘close’ of the sets wis and wit , the more predictable the pattern will be. In other words, the Time Pattern I can be used to measure how normal is the Space Pattern. In order to better measure the closeness between these two patterns, we need the following definitions. Let C and D be two nonempty subsets of real line R1. The distance between C and D is defined by the Hausdorff metric d H (C , D) = max{sup c∈C inf d ∈D || c, d ||,sup d ∈D inf c∈C || c, d ||}

where || . || denotes the distance in R1. Then we have Definition 4.4: Let w1s w2s … wks and w1t w2t … wkt be the Space Pattern and Time Pattern I for an action set A, respectively, where

Formal architectural models for agent-based service systems wis ∈ I is , wit ∈ I it , i = 1, 2,…, k .

then we say that the pattern for A is predictable if the sum of the Hausdorff distance

mi′ = wi′ . m

mi′ − mi >

i =1

is small enough. Let the set C in Hausdorff metric be a single point c, then the Hausdorff distance between c and D will be d H (c, D) = max{inf c∈D || c, d ||,sup d ∈D || c, d ||}.

Next definition is for both Space Pattern and Time Pattern. Definition 4.5: We say that a pattern of an action set A is changed if the sum of the Hausdorff distance between a new caught pattern and the trained normal pattern is bigger than a given number δ, i.e., k

d ( A) = ∑ d H ( wi , I i ) > δ , i =1

where {wi } is the new caught pattern while {I i } are the normal(Space and Time) pattern sets. The sum d ( A) is called Deviation Degree of the abnormality. Theorem 4.6: Let m be the window size for Space Pattern or the maximum of all the evoked actions in every time interval t for Time Pattern. A is the monitored action set which has k actions ai , i = 1, 2, … , k . For a given number δ, if d ( A) > δ , then ∃ai and consecutive actions such that the pattern formed by these consecutive actions is beyond the normal pattern and the their evocation times is at least δk m .

Proof: We only consider Space Pattern here. The proof for Time Pattern is similar. Let a new pattern be w1′ /w2′ / … /wk ′ . The normal pattern sets are I1 , I 2 , … , I k . Since d ( A) > δ , , there exists i such that d H ( wi , I i ) >

δ k

(3)

Combining equations (1)–(3), we obtain

k

d ( A) = ∑ d H ( I is , I it )

55

δ k

m,

which tells us that starting from ai , anomaly action evocation follow, and the number of evocation times is at least δk m . Based on this Theorem, we may infer that if a normal pattern is changed, and the deviation degree is surpassed a given number, then there might be an attack to an action set or, equivalently, an agent. In practice, we usually combine these two patterns together for a monitored process. We scan traces of actions generated by a particular process in an agent, and build up a pattern of all unique sequences of a given length, that occurred during the trace. Each process of interest has a different pattern. Once patterns are constructed for a given agent, the patterns can be used to monitor the ongoing behaviour of the processes invoked by that agent.

Case study. Tribe Flood Network, or TFN (Dittrich, 1999), is made up of client and daemon programs, which implement a distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood, and Smurf style attacks. In this example, we will show how to detect ICMP Smurf attack. To make the illustration easy, we simplify the problem to the following. Figure 10 describes a simple ICMP smurf attack. Attacker is located at Host A. The victim is located at Host B with IP address: 128.100.100.2. The attacker will send ICMP Echo requests with source address 128.100.100.2 to the subnet 191.168.1.255. As the return, Host B will receive ICMP echo replies from every machine in the subnet. Figure 10 Smurf attack

.

From the definition of Hausdorff distance, we get supwi ∈Ii d ( wi′ , wi ) >

δ k

or

wi′ > wi +

δ k

.

(1)

To get the ratio wi , assume that there are mi times evocation for action ai , i.e., mi = wi . m

(2)

Since wi′ > wi , starting from mi + 1, there are more evocations to ai . Let mi′ be the total evocation times for ai to reach wi′ , then

Now look at a sample software code to process ICMP replies and generate ICMP requests (Wright and Stevens, 1995). When IP gets input data, it will decide either to forward the data or process the data in the local. Since ICMP reply is a local message, it will be sent to IP task to be processed. Function ipDoLocal is the

56

Z. Ding et al.

one being called in IP task to process the local message. It has 8 sub-functions. One of them is ipProcLocal which has sub-functions IcmpRx to process ICMP message and P2SendMsg for other types of messages. Sub-function IcmpRx handles ICMP request, ICMP reply and other three ICMP messages. The simplified code is in the following.

to form ICMP request messages. Finally all these requests will be sent out by iptx. Now we have two setups to detect ICMP Smurf attack.

Setup 1: The detection is in the user agent (Host). In this set up, we need to consider the inside actions. The call dependence or action dependence of ICMP reply and ICMP request can be pictured in Figure 11. Figure 11 ICMP action dependence: (a) ICMP Echo reply and (b) ICMP Echo request

(a)

The outgoing ICMP message can be generated in several ways. One of them is that an application sends message to ICMP and the ICMP message will be sent out by Raw IP. The following is a sample code to generate ICMP requests.

(b)

In the running time, the host itself can generate ECHO requests and needs replies back, or the host does not generate ECHO requests but is still allowed to receive Replies. In both cases, action ImcpProcResp will be evoked. By training (we use same denotation for Space Pattern and Time Pattern I), the normal pattern for ICMP reply is: (∗) ( w1 ; w2 ; w3 ; w4 ; w5 ; w6 ; w7 ; w8 ) / ( w9 ; w10 ; w11 ; w12 ) / ( w13 ; w14 ; w15 ; w16 ; w17 ),

and the pattern for ICMP ECHO request is (∗∗) ( w1 ; w2 ) / ( w3 ; w4 ) /w5 .

In this code, the timer routine ip_pingProcessTimer will be updated by IP task, which calls sub-function SendPing to send Ping messages out. Then SendPing calls ipPingSend

Here the symbols ‘;’ is used when two variables have same chance to form a pattern or the corresponded actions have the chance to be evoked. For example, in (**) the possible patterns are:

Formal architectural models for agent-based service systems w1 /w3 /w5 , w1 /w4 /w5 , w2 /w3 /w5 , w2 /w4 /w5 .

Now we assume that a new caught ECHO request pattern is normal and the new caught reply pattern is ( w2 )′/ ( w10 )′/ ( w14 )′

and satisfies d H (( w2 )′, I 2 ) + d H (( w10 )′, I10 ) + d H (( w14 )′, I14 ) > δ

for some given δ > 0 . Let m be the window size and the monitored action number is 17, then at least 17δ m consecutive calls to IcmpProcEchoResp are beyond the normal pattern by using Theorem 4.6. Therefore, we may get an attack. Since w2 , w10 , w14 appear in an order, we also can apply Time Pattern II to the detection.

Setup 2: The detection is in the server agent (Gateway). In this set up, we only care about the output actions and input actions from hosts without considering the inside action details. Let aq denote the ECHO request action and ap denote the ECHO reply action. Assume that there are k hosts to be monitored and the ECHO request actions and ECHO reply actions are denoted as aqi and a ip , i = 1, 2,… , k . Due to the network traffic and computer processing ability, the action patterns are rarely in the regular form such as a1q a1p aq2 a 2p aq3 a 3p ....

Most likely the pattern is a random arrange of aqi and a ip . As the time lasts or the monitored actions increase, two kinds of sets will be obtained for a ip and aqi : Time Pattern (I) and Space Pattern, denoted as the following: Sets For Time Pattern (I): I tp (i ), I qt (i ), i = 1, 2, … , k ; Sets For Space Pattern: I ps (i ), I qs (i ), i = 1, 2, … , k . Let the variables wqt (i ), wtp (i ) be used to form Time Pattern and the variables wqs (i ), wsp (i ) be used to form Space Pattern for aqi and a ip , respectively. In a new caught pattern, if either k

d ((∪i aqi ) ∪ (∪i a ip )) = ∑ d H ( wqt (i ), I qt (i )) i =1

k

+ ∑ d H ( wtp (i ), I pt (i )) > δ i =1

or

5

In the architecture to be built, agents collect/offer services from/to different locations. If the user task is accomplished by a single agent, then this agent sequentially visits each host where the required resources/services are located. On each host, the agent carries out some computations (or assumes some services) with the local resources, and then moves to the next host to continue its work. If a team of mobile agents cooperate to accomplish a task, then these agents go to different hosts involved in the computation, compute with local resources and communicate with each other (Ma et al., 2002). All the local resource hosts will form an environment which has ability to make agents migrate from one place to another place, meanwhile supports activities such as transmitting agent, issuing a request, suspending agent execution, and resuming execution. Thus, environment needs to be considered in the mobile system design (Fuggetta et al., 1998). Following component-based (Garlan, 2003) design skill, the architecture model of the system can be described by a Coloured Petri net, which has agents as its tokens. Since our agents are also Coloured Petri nets, the whole system can be represented by a Coloured Petri net that has other Coloured Petri nets as its tokens. To distinguish the two-level Petri nets, the base Coloured Petri nets are called System nets (upper level), while the tokens in net form are called Token nets(lower level). These kind of models have be described before such as Coloured Petri net (CPN) (Jenson, 1992, 1995, 1997), Objected Petri net (OPN) (Valk, 2001), and multi-agent nets, PN 2 (Hiraishi, 2000). Here is the idea to construct our model: each token changes its state by occurrences of a transition. A token is available for a transition in the upper-level net if there is at least a service action (requiring/providing) happened in the corresponding lower-level net. Let AN be an agent net and A be a finite set of actions, and ANA denotes the set of all agent nets whose action set is a subset of A, i.e., AN A = { AN = ( P, T , C , cd , A, M 0 , pin , pout ) | A ⊆ A}

Let AN Ain (⊂ AN A ) denote the set of agents that has marking only at place pin , and AN Aout (⊂ AN A ) denote the set of agents that has marking only at place pout. Definition 5.1 (System net): A System net is a Labelled Coloured Petri net (CPN) defined by a tuple

k

k

+ ∑ d H ( wsp (i ), I ps (i )) > δ i =1

is true for some δ > 0, then we may get an attack.

Architecture of mobile services

5.1 Architecture

N = < P, T , C , cd , A, s, s0 , init >,

d ((∪i aqi ) ∪ (∪i a ip )) = ∑ d H ( wqs (i ), I qs (i )) i =1

57

where



P is a finite set of places,



T is a set of transition relations, i.e., ∀t ∈ T , t ⊆ 2 P × 2 P ,

58



Z. Ding et al. C is the set of colour classes,



cd : T → C is the colour domain mapping,



A is a set of action label functions on transition relation T, and A : (t , cd (t )) → Bag ( AN A ),∀t ∈ T ,



s : P → Bag ( AN A ) is a configuration mapping and s0 is the initial configuration:



s0 = ∪ p∈P s0 ( p),



where s0 ( p ) ∈ Bag ( AN A )) .



init : ( p, AnA ) → AN Ain is an initialisation mapping if a place p has an agent ANA coming in.

Let • t = { p | ( p, t , q)}} and t • = {q | ( p, t , q)}} . Denote s (• t ) = {s ( p) | ( p, t , q )}}.

Definition 5.2: A transition t of N is enabled if for ∀s ( p) ∈ s (• t ) , there exists an agent AN ∈ s ( p) such that it has either service requesting action or service providing action happened. t can be fired if it is enabled and there is an agent AN ∈ AN Aout ∩ s ( p ) . The firing of a transition leads to a new configuration of the system net. Let s be the current configuration and s ′ be the new configuration being transferred. Since the configurationsa are the marked agent nets, if we use δ : ( AN , M ) → ( AN , M ′) to represent an agent AN changing configuration from marking M to M ′ under action a, then the configuration change for a set of agents ∪in=1 AN i at the same time by actions a1 , a2 ,… , an would be: ∪ ai

δ : (∪ ANi , M i ) → (∪ ANi , M i′ ). Thus, we have configuration transfer equations as s ′( p ) = δ ( s ( p)) − ∪ AN Aout ,

δ −1 ( AN Aout ) ∈ s ( p ), if p ∈ ( p, t , q); s ′( p ) = δ ( s ( p)) + a(cd (t )), if p ∈ (q, t , p ), a ∈ A; s ′( p ) = s ( p ), otherwise.

To give an explicit expression, for each agent AN, we use ANi to represent the current state and use ANi+1 to represent the next state. For each place of the system net, since s : P → Bag ( AN A ) and a(cd (t )) ∈ Bag ( AN Ain ) there exists a bg p ∈ Bag ( AN A ) and a bgt ∈ Bag ( AN Ain ) , such that s ( p ) = bg p =



bg p ( AN i )′ AN i ,

i

AN ∈ AN A

a(cd (t )) = bgt =



bgt ( AN in )′ AN in ,

AN in ∈ AN Ain

then the above configuration transfer equations can be rewritten as

s( p) = AN



i +1

bg p ( AN i +1 )′ AN i +1 ,

∈ AN A





bg p ( AN out )′ AN out ,

AN out ∈ AN Aout

+ AN



in

bgt ( AN in )′ AN in , ( p ∈ ( p,⋅,⋅), t ∈ (⋅, t , p ).

∈ AN Ain

Next we consider possible migration cases for agents. Here is a mobile service model we can build: at very beginning, an agent sits in a local place with an input from this place, which is the initial marking to the agent. Two cases will be involved in the agent execution. In the first case, the agent has enough resource, then it will finish service computing without any new other information, and a service providing action will be performed. In this case, this agent offers a service to the local place. In the second case, the agent does not have enough resource to finish the service, then it needs some additional information from other places, and the agent will issue a service requesting action. In this case, the agent is collecting services. In both cases, the agent will move to other places. We call this moving Sequential Migration (see Figure 12). Figure 12 Sequential migration

When arriving to the new places, the agent will get input information from the new place. In Figure 12, the input is c . In the first case, this agent starts a new service, and in the second case, the agent continues the previous service with the new information received from the new place. After an agent moves from one place to another place, several agent copies may be generated depending on the input message types (colours) attached to the transition. This moving is called Sequential Migration With Copying. For example, in Figure 13, two message types c1 and c2 are attached to the transition which generates inputs to two agent copies from the same agent. In this case, both copies are performing service computing for the local host. Figure 13 Sequential migration with copying

Formal architectural models for agent-based service systems One place may receive several agents from different places. The moving is called Multi-agent Migration (Figure 14). There are three cases here: 1

All agents are collecting service at the same time

2

All agents are performing service computing for local host

3

The mixture of (1) and (2).

In all the cases, the agents will experience a resource sharing problem. Hiding actions will be used to assist the service accomplishment. Figure 14 Multi-agent migration

An agent may also has a chance to make a choice where to go. Generally speaking, it is nondeterministic unless some priority is assigned to the transition. This moving is called Choice Migration. Figure 15 is a description. Figure 15 Choice migration

The last but not the least is Clone Migration. An agent may move to different places at the same time, and if this situation occurs, the agent migrates with its clones. For an example, see Figure 16. Figure 16 Clone migration

59

5.2 Architecture analysis and case study Our architecture module shows some typical features for mobile service systems.

Agent location. As Xu et al. (2003), we can prove that it is impossible for an agent to be located at more than one place when it is in service. This is a basic requirement for mobile agent system. In service we mean that this agent is doing service computing or service planning based on current resources, in both cases, the agent has to stay in the same place. Strong mobility. An agent is active and its state is preserved during migration. We have two cases here. In the first case, an agent needs additional information to complete its service computing. Before migration, the agent state is SD. After migration, since the new information is joining, the state will visit EM, KB and SD sequentially, which means the state can be resumed before the agent continues to execute. In the second case, an agent finishes a service, and sends message out through pout before migration. Because the agent has only one output and one input place, the only event that will happen is that an input will come to pin from local host if the agent is still in the same place. However, in our system, this agent has to move to a new place after accomplishing service, and gets an input to pin from the new place. In other words, agent’s state is preserved after migration. Case study. To demonstrate the service architecture model, we describe the modelling of a mobile agent system, called Concordia (Mitsubishi Electric ITA, 1998). Concordia is a full-featured framework for the development and management of network-efficient mobile agent applications which extend to any devices supporting Java. A Concordia System, at its simplest, is made up of a Java Virtual Machine, a Concordia Server, and Concordia Agents (at least one). The Java Virtual Machine, which is a standard environment, can be on any machine. The Concordia Server is a Java program which runs there, and at any other nodes on the network where agents may need to travel. The agent is also a Java program which the Concordia Server manages. Agents migrate among different nodes on the network offering or collecting service. Figure 17 shows the architecture of Concordia. Concordia Server is the name of the complete Concordia component installed and running on a machine in the Concordia network. It includes several components such as agent manager, queue manager, service bridge, event manager, directory manager, and so on. Concordia Server serves as a communication server which is responsible for Concordia agent transferring among the networks. It also provides an environment in which the mobile agent executes, and supports activities such as issuing a request, suspending agent execution, resuming execution, and so on. Agents arrive and departure through queue manager, while service requests and other messages go out/come in through service bridge.

60

Z. Ding et al.

Figure 17 Concordia

The Concordia system can be modelled by System Net N (according to Definition 5.1), and the Concordia agent can be modelled by Agent Net AN (according to Definition 2.5). In the scenario we are going to demo, a Concordia agent E migrates to Concordia nodes C1, C2, and C3 in the network, and offers Service1, Service2, Service3, respectively. Figure 18 shows the agent net AN for Concordia agent E. It outputs two types of messages: service requesting from transitions (t7, t8) and service offering from transition (t9). Place pin is the input place for incoming messages. The message type may be two types: Service Request (SQ), Service Data (SD). Thus, for some actions a1 , a2 ∈ A , we have a1 (t1 ) = sd , a2 (t2 ) = sq . Transition t1 receives service data and save the data to place pk where the Knowledge Base is located, and transition t2 receives the service requests from the current location and then sends to place pc where service computing occurs. The knowledge base pk provides resource to design new services. If the current knowledge contained in pk is not enough to create a new service, then a service request will be issued to place pout by firing transition t7. Place pout is the place for outgoing messages. Figure 18 Agent net

New service design will be sent to pc for computing by firing t6 once the design is formed in pd. Correspondingly, the new resulting services will be saved to pk by firing the transition t3. When doing service computing, pc will ask for information from pk by firing transition t3. If pk has enough knowledge, the requested information will be sent to pc by firing transition t4. If pk does not have enough knowledge to accomplish the service, a request for additional information will be sent to other locations through place pout by firing transition t8, and eventually the requested information will be received at pin. After the agent accomplishes the service computing, the service data will be sent to place pout by firing transition t9, and finally it comes to the current location. Meanwhile, the agent starts to migrate to other locations to offer new services. Figure 19 shows the system net N for Concordia network. To make it simple, only some places and arcs are shown. The net consists of four places: N .P1 , N .P2 , N .P3 and N .P4 , which represent four locations C1, C2, C3 and C4, respectively. Among them, NP4 is the location to store information data such as function classes. Agent net AN of Concordia agent E is packed up as a token in system net N. The dashed bidirectional arc r1 is used to transfer messages, and the other solid arcs are used to transfer agents. Figure 19 System net

Suppose the Concordia agent E is going to visit locations C1, C2, C3. As soon as E arrives at N .P1 , the agent manager of N .P1 assigns a service request to E by N .init ( N .P1 , AN A ) = { AN Ain } , then AN and N get a initial state: AN .M 0 ( Pin ) = {sq}, N .s0 ( P1 ) = { AN Ain }.

At the agent level, since AN .a(t2 ) = {sq}}, transition AN .t2 is fired and the service computing begins at AN .Pc to accomplish Service1. When computing Service1, there are no enough function classes for E to accomplish Service1, so transition AN .t3 is fired and a request for additional

Formal architectural models for agent-based service systems classes is sent to AN .Pk . In our scenario, the requested classes are not in AN .Pk , so a response of NULL is sent back to AN .Pc by firing AN .t4 . Then a request for required classes will be sent out to AN .Pout and then to other Concordia nodes from AN .Pc by firing AN .t8 . Consequently, a request message will arrive at service bridge of N .P1 . Thereafter, the request and response messages will be transferred between N .P1 and N .P4 through N .r1 (in Concordia system such kind of transfer is called ‘Pull’, and in general, the request is HTTP request). As soon as N .P1 gets the required classes, the server bridge of s1( p1 ) = { AN Aout } sends the classes data to agent E, and AN .M 1( Pin ) = {sd } . Since AN . A(t1 ) = {sd } , AN .t1 is fired and the classes data is saved to AN . pk , and then moved to AN .Pc by AN .t4 . When agent E gets enough classes, service computing for Service1 resumes. As soon as Service1 is done, the service data of Service1 will be sent to AN .Pout . It follows that s1( p1 ) = { AN Aout } , and thus N .t2 is enabled and can be fired (according to Definition 5.2). Finally, agent E sends the service data to the current location and migrates to N .P2 . The services will continue as the above. In summary, while computing Service1, a sequence of transition are needed to reach the marking s1( p1 ) = { AN Aout } , and their firing order is AN .t2 → AN .t3 → AN .t4 → AN .t8 → N .r1 → AN .t1 → AN .t4 → AN .t9 → N .t3 .

6

Related work

The ideas presented in this paper are most closely related to the following research topics: Petri net related multi-agent architectures, formal modelling of agent systems and SOA.

6.1 Petri net related multi-agent architecture MAS defines relations between agents. To form the behaviour of agent and the system, a few works have employed Petri net as the specification language mainly because it can well display concurrency state when agent interact to each other and is efficiency in reachability analysis. For examples, Kohler et al. (2003) uses nets within nets to model mobile agents and the system, Xu et al. (2003) uses PrT net to model mobile agents and the system, Xu and Shatz (2003) uses G-nets to model agents and the system, Djenidi et al. (2002) uses Timed Colored Petri nets to model agents and the system, Huang et al. (2005) uses Petri net process to model agents and the system. However, Petri net is unsuitable to be used as an independent Architecture Design Language itself because it does not support hierarchy and composition explicitly, so most of the time it is associated with other high level formalisms (Giovanni, 1992; Diagne and Kordon, 1996). To overcome the drawback of Petri net, in our work, we defined algebraic operations for the agents such as in static service and mobile system systems,

61

6.2 Formal modelling of agent system Previous work on formal modelling agent systems includes:



using formal languages, such as Z (Luck and D’Inverno, 1995) and pi-calculus (Jiao and Shi, 1999) to provide a framework for describing the agent architecture at different levels of abstractions



using temporal logics and multi-modal logics to represent individual agent behaviours where the representations can be executed directly (Fisher, 1995)



designing formal languages, such as DESIRE and SLABS, for specifying agent-based systems (Brazier et al., 1997; Zhu, 2001).

Although these formalisms are claimed to be agent specifications, they are not oriented for software engineering in terms of providing a modelling notation that directly supports software development. For instance, as stated in D’Inverno et al. (1997), formalisms such as temporal logics and multi-modal logics are often abstract and quite distant from agents that have actually been implemented. It is still hard to apply these formal methods directly to agent implementation. In contrast, our approach is explicitly oriented for specifying and defining the design architecture of agent based software systems. Some software frameworks of agent modelling are beginning to appear, such as ZEUS (Azarmi and Thompson, 2000) by British Telecom Laboratories, JADE (Vitaglione et al., 2002) by Telecom Italia Group Company and NZDIS (Purvis et al., 2000) by New Zealand.

SOA A Service-Oriented Architecture (SOA) is a collection of services that communicate with each other. Based on the agent corporation style, we consider three types of service systems: static service, dynamic service and mobile service systems. Other service systems based on service collaborative ways can be found in Jostad et al. (2005). SOA can be modelled by UML (Baresi et al., 2003) and Petri Net (Hamadi and Benattallah, 2003) and can be implemented on top of Jini (Furmento et al., 2004). Examples of service-oriented architectures include HP’s E-Speak (Hewlett-Packard), Sun’s Jini (Amold et al., 1999) and One technologies (Sun Microsystems, Inc., 2001), SOAP/UDDI (Box et al., 2000), and IBM’s Vinci (Agrawal et al. (2001).

7

Conclusion

Based on the characteristics of agents, we have studied the architectures for service oriented systems, especially we considered three types of systems: mobile service system, dynamic service system and static service system. For each model, we investigated the properties and gave the case study. Coloured Petri nets were used to model agents. The services were provided at agent level while the agents were interacting. There are still some issues not being

62

Z. Ding et al.

covered, such as if an agent refuses to provide the service. We will leave this to the future work.

Acknowledgements The authors would like to thank the anonymous reviewers for their comments. The work was supported in part by National High-Tech Research and Development Plan of China under Grant No. 2006AA01Z165.

References Agrawal, R., Bayardo, R.J., Gruhl, D. and Papadimitriou, S. (2001) Vinci: A Srevice-oriented Architecture for Rapid Development of Web Application, http://www10.org/cdrom/ papers/506/ Amold, K., O’Sullivan, R., Scheifler W. and Wollrath, A. (1999) The Jini Specification, Addison-Wesley, Reading, Mass. Anderson, J. (1980) Computer Security Threat Monitoring and Surveillance, Tech. Rep., James P. Anderson Co, Fort Washington, Pa. Azarmi, N. and Thompson, S. (2000) ‘ZRUS: A toolkit for building muliti-agent systems’, Proceedings of Fifth Annual Embracing Complexity Conference, Paris, April, pp.1–39. Baresi, L., Heckel, R., Thone, S. and Varro, D. (2003) ‘Modeling and validation of service-oriented architectures: application vs. style’, ESEC/FSE’03, September, Helsinki, Finland. Best, E., Devillers, R. and Koutny, M. (2001) Petri Net Algebra, Springer-Verlag, Berlin, Heidelberg, New York. Box, D., Ehnebuske, D., Kakivaya, G., Layman, A., Mendelsohn N., Nielsen, H.F., Thatte, S. and Winder, D. (2000) Simple Object Access Protocol, http://www.w3.org/ TR/SOAP/ Brazier, F.M.T., Keplicz, B.D., Jennings, N.R. and Treur, J. (1997) ‘DESIRE: Modelling multi-agent systems in a compositional formal framework’, in Huhns, M. and Singh, M. (Eds.): Int’l J. Cooperative Information Systems, Vol. 6, pp.67–94. D’Inverno, M., Fisher, M., Lomuscio, A., Luck, M., Rijke, M.D., Ryan, M. and Wooldridge, M. (1997) ‘Formalisms for multi-agent systems’, The Knowledge Engineering Review, Vol. 12, No. 3, pp.315–321. Denning, D.E. (1987) ‘An intrusion detection model’, IEEE Trans. Software Eng.,Vol. 13, No. 2, pp.222–232. Diagne, A. and Kordon, F. (1996) ‘A multi formalisms prototyping approach from formal description to implementation of distributed systems’, 7th IEEE International Workshop on Rapid System Prototyping, IEEE Comp. Soc. Press, Thessaloniki, Greece, pp.102–107. Dittrich, D. (1999) http://staff.washington.edu/dittrich/misc/tfn. analysis. Djenidi, H., Tadj, C., Ramdane-Cherif, A. and Levy, N. (2002) ‘Dynamic based multi-agent architecture for multimedia mutimodel dialogs’, Proceedings of the IEEE Workshop on Knowledge Media Networking(KMN’02), Kyoto, Japan, pp.107–113. Fisher, M. (1995) ‘Representing and executing agent-based systems’, in Wooldridge, M. and Jennings, N. (Eds.): Proc. Int’l Workshop Agent Theories, Architectures and Languages, pp.307–323.

Fuggetta, F., Picco, G. and Vigna, G. (1998) ‘Understanding code mobility’, IEEE Transactions of Software Engineering, Vol. 24, No. 5, pp.342–361. Furmento, N., Hau, J., Lee, W., Newhouse, S. and Darlington, J. (2004) ‘Implementationds of a service-oriented architecture on top of Jini, JXTA and OGSI’, LNCS, Vol. 3165, pp.90–99. Garlan, D. (2003) ‘Formal modeling and analysis of software architecture: components, connectors, and events’, LNCS, Vol. 2804, pp.1–24. Giovanni, R.D. (1992) ‘Petri nets and software engineering: HOOD nets’, LNCS, Vol. 616, pp.134–153. Girault, C. and Valk, R. (2003) Petri Nets for Systems Engineering, A Guide to Modeling, Verification and Applications, Springer-Verlag, Berlin. Griss, M.L. and Kessler, P.R. (2003) ‘Archieving the promise of reuse with agent component’, LNCS, Vol. 2603, pp.139–147. Hamadi, R. and Benattallah, B. (2003) ‘A Petri net-based model for web service composition’, Proceedings of 14th Australasian Database Conference, Adelaide, Australia, pp.191–200. Hiraishi, K. (2000) ‘A Petri-net-based model for the mathematical analysis of multi-agent system’, Proceeding of IEEE International Conference on Systems, Man and Cybernetics, Nashville, TN, USA, pp.3009–3014. Hoare, C.A.R. (1985) Communicating Sequential Processes, Prentice-Hall, Englewood Cliffs, New Jersey, USA. Hofmeyr, S.A., Forrest, S. and Somayaji, A. (1998) Intrusion Detection Using Sequence of System Calls, http://citeseer.ist. psu.edu/298897.html Huang, H.J., Wang, X., Chen, Q.C and Wang, X.L. (2005) ‘Specification and verification of multi-agent systems with a property-preserving component-based methodology’, Proceedings of the Fourth International Conference on Machine Learning and Cybernetics, Guangzhou, August, pp.90–95. Jensen, K. (1992, 1995, 1997) Coloured Petri Nets: Basic Concepts, Analysis Methods And Practical Use, Vol. I, II, III, Springer-Verlag, Berlin, Germany. Jiao, W. and Shi, Z. (1999) ‘A dynamic architecture for multi-agent systems’, Proceedings of TOOLS-31-Asia’99, IEEE Press, Nanjing, China, September, pp.253–260. Jong, G.G. and de Lin, B. (1994) ‘A communicating Petri net model for the design of concurrent asynchronous modules’, Proceedings of the 31th ACM/IEEE Design Automation Conference, San Diego, California, USA, June 6–10, pp.49–55. Jostad, I., Dustdar, S. and Thanh, D.V. (2005) ‘A service oriented architecture framework for collaborative’, Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE’05), Linkoping, Sweden, pp.121–125. Kohler, M., Moldt, D. and Rolke, H. (2003) ‘Modeling mobility and mobile agents using nets within nets’, LNCS, Vol. 2679, pp.121–139. Luck, M. and D’Inverno, M. (1995) ‘A formal framework for agency and autonomy’, Proc. First Int’l Conf. Multi-Agent Systems(ICMAS-95), San Francisco, CA, USA, pp.254–260. Ma, X., Lu, J., Tao, X., Li, Y. and Hu, H. (2002) ‘A mobile-agentbased approach to software coordination in the HOOPE system’, Science in China (Series F), Vol. 45, No. 3, pp.203–219.

Formal architectural models for agent-based service systems Mak, W.M. (2001) Verifying Property Preservation for Component-Based Software Systems (A Petri-net based methodology), PhD Thesis, Department of Computer Science, City University of Hong Kong, June. Michael, C.C. and Ghosh, A. (2002) ‘Simple, State-based approaches to program-based detection’, ACM Transaction on Information and System Security, Vol. 5, No. 3, pp.203–237. Mitsubishi Electric ITA (1998) Mobile Agent Computing, A White Paper, Horizon Systems Laboratory, January. Mukherjee, B., Heberlein, L.T. and Levitt, K.N. (1994) ‘Network intrusion detection’, IEEE Network, Vol. 8, No. 3, pp.26–41. Purvis, M., Cranefild, S., Bush, G., Carter, D., McKinlay, B., Nowostawski, M. and Ward, R. (2000) ‘The NZDIS project: an agent-based distributed information systems architecture’, Proceedings of the Hawaii International Conference on System Sciences (HICSS-33), IEEE Computer Socieity Press, pp.35–40. Rao, A.S. and Georgeff, M.P. (1991) ‘Modeling rational agents within a BDI architecture’, Proceedings of the Second Conference on Knowledge Representation and Reasoning, Morgan Kaufman, San Mateo, CA, USA, pp.473–484. Schuster, H., Georgakopoulos, D., Cichocki, A. and Baker, D. (2000) ‘Modeling and composing service-based and reference process-based multi-enterprise processes’, Proceedings of the 12th Conference on Advanced Information Systems Engineering (CAiSE’00), Stockholm, Sweden. Sun Microsystems, Inc. (2001) Sun Open Net Environment (Sun One) Software Architecture.

63

Valk, R. (2001) ‘Concurrency in communicating object Petri nets’, Concurrent Object-Oriebted Programming and Petri Nets, LNCS, pp.164–195. Vitaglione, G., Quarta, F. and Cortese, E. (2002) ‘Scalability and performance of JADE message transfort system’, Proceedings of AAAMAS Workshop on AgentCities, Bologna, July, pp.1–6. Wooldridge, M., Jennings, N.R. and Kinny, D. (2000) ‘The GAIA methodology for agent-oriented analysis and design’, Journal of Autonomous Agents and Multi-Agent Systems, Vol. 3, No. 3, pp.285–312. Wright, G.R. and Stevens, W.R. (1995) TCP/IP Illustrated, Volume 2: The Implementation, Addison-Wesley, Boston, MA, USA. Xu, D., Yin, J., Deng, Y. and Ding, J. (2003) ‘A formal architecture model for logial agent mobility’, IEEE Transaction on Software Engineering, Vol. 29, No. 1, pp.31–45. Xu, H. and Shatz, S.M. (2003) ‘A framework for model-based design of agent-oriented software’, IEEE Transaction on Software Engineering, Vol. 29, No. 1, pp.15–30. Zhu, H. (2001) ‘SLABS: A formal specification language for agent- based systems’, Int’l J. Software Eng. and Knowledge Eng., Vol. 11, No. 5, pp.529–558.

Website Hewlett-Packard Corp, E-Speak, http://www.e-speak.net