It is possible to manage, control and monitor peripherals (both hardware and software devices) within a large Intranet without significantly increasing the traffic load of the network topology.
The usual approach to managing a system places the management streams on the network. When a large number of devices are doing handshake requests, the protocol traffic of the devices alone may represent a proportionally large overhead on the network's resources.
Complications begin to cascade, putting more demands on the resources. A system manager attempting to configure a hardware or software device may find that the traffic load is simply too high to manage the network topology effectively.
Throughout this paper a hardware and/or software device will be referred to as a peripheral.
There are four competing resources in this scenario.
Each of these resources can have its network load reduced by managing a greater proportion of the resource's command and control needs locally, on the processor on which it resides.
CIA is a system approach which attempts to localize command and control of peripherals, network resources, security and the GUI.
Agents: This term is not used in the SNMP sense of the word. An agent is a program. Anywhere the term "agent" is used it can be completely replaced by the word "program" without change in meaning or context.(1)
AI: Artificial Intelligence --- generally used when referring to the community of individuals who attempt to model, emulate, simulate or reproduce neuron objects.
Intelligent Agents: Intelligent agents have an additional mission integral to their ability to be an agent. They do "something" else besides acting as agents.
IPC: Inter-process communications. Any of a number of methodologies for communicating between processes (programs).
Lurker Agents: Mobile agents which are capable of moving, but which normally do not. That is, they lurk around a specific node; these agents may move if it becomes necessary, but usually do not do so.
Mobile Agents: Mobile agents are agents which can move from their current processor to another processor and continue running and/or begin execution anew. The other processor may be within the same physical location (as in a computer which has multiple processors) or it may be in a different domain, as in a multi-processor machine where the processors can be grouped together.
Mobile-Intelligent Agents: Mobile-Intelligent Agents are Mobile agents which also have some intelligence as part of their mission.
Peripheral: Any hardware and/or software device/program which can be managed, configured or monitored.
Peripheral Interface (π): Any stream interface to a peripheral. A π may perform a multitude of methods, such as filtering, formatting data, etcetera, but it has the primary function of passing a stream to or from a peripheral.
All peripherals need to interface to other peripherals in some way. It does not matter if the interface is a loosely coupled interface (scripting languages) or tightly coupled (as in a SCSI interface), an interface must be established.
One can think of a Peripheral Interface (PI or π) as a software driver. Such a driver used to be delivered to the user on floppy disk, tape or some other storage medium. With the advent of languages such as JAVA, many of these software drivers no longer have to be supplied on separate storage media; they can be included on the peripheral as an integral piece of the firmware/software normally shipped with it. For software devices the π may be code which is embedded in an EPROM, FLASH memory, or some alternate form of Writeable Control Store. For either kind of device the π need not be an integral part of the peripheral; it can run as a separate task. CIA takes this as its central design view when discussing peripheral interfaces: the π is a (usually embedded) software task which is separate from the peripheral but needs to communicate with it.
The separation is to allow several peripheral interfaces to be in use for a single peripheral. A disk, for example, may have a configuration and management "driver" as well as a driver which handles streams. This kind of device Federalism will become more apparent in security discussions later in this paper.
All of the command and control methods which are applied to a peripheral are carried out on the CPU where the resource is located. Again it is not important whether the peripheral is a hardware device or a software device, and it is unimportant whether the bus is loosely coupled or tightly coupled, the command and control method will execute on the CPU where the resource is located. The decision to invoke the method may occur on another CPU, but the actual management will be done on the CPU to which the peripheral is most tightly bound.
Time slices are not renewable resources! Once consumed, a time slice cannot be retrieved. If a network resource is being consumed, then at the lowest level of that resource no other object gets to use it until the previous transaction is complete. If the network is spending its time passing around handshake information, it is wasting a resource, since the actual method must be carried out on the CPU to which the resource is most tightly bound.
The importance of the location of the actual work must not be missed. If the command and all associated handshaking is carried on over the network resource then valuable and non-renewable resources are consumed.
It is not possible to allow remote command and control of an object and not have some information consume a network resource. Information must be transmitted. However, the need to transport the responses to the management methods is not usually a requirement. Command and control information can be gathered at one place, remotely passed to another node and then executed on the target node without further impact to the network resource. All that is necessary is the means to transport the information and the program which must use the information to the target node and the ability to begin execution on the remote node.
This is the very nature of Mobile Agents and the structure of CIA. Re-examine the concept of the π, previously described as a software driver for a peripheral. The peripheral to which the π is coupled could be an API or a hardware device; as an object it is abstracted enough that the distinction is unimportant.
With the concept of a mobile agent built into the π, communications can take on a form which should be quite familiar. The π can spawn other agents at will and communicate with other agents via any IPC mechanism which is supplied as a method to the π. Even a rather generic IPC, such as "mailboxes", could easily be implemented for these agents.(2) Moving the functionality of the network down to the level of the program/thread/lightweight process/task has the advantage that the work can be performed quickly and effectively on the processor where the work should be done. This node, as it turns out, is also where most of the required resources which are external to the program happen to be kept.
The π can also act as a security filter and if designed correctly it can behave as a pro-active security component. More on this in the section on security.
The GUI is, for all practical purposes, a JAVA applet engine (peripheral interface). In many ways it is a browser, but without some of the overhead usually associated with a browser, and with added overhead specifically for agents. Additionally, there are two specific requirements designed to restrict a browser from being used as the user GUI.
Why the avoidance of a browser? The nature of browser writers seems to be to force version upgrades on the user. With a lack of consistent, agreed-upon standards in the HTML world, and without enforcement capabilities for those standards, the only choice was to use a product which actually had an enforceable suite in place. JAVA meets that requirement. There was also a need to be able to rely on the owner of the enforcement suite to actually enforce the suite and to make realistic, honest statements about what was in the suite and what the capabilities of the language engine would actually be. Sun Microsystems meets those requirements. JAVA then satisfies all of the necessary requirements to give it a broad-based, reliable platform from which to develop the applets and agent license code for CIA.
Deliberately limiting the capability of the engine and restricting it to JAVA "standard" gadgets broadens the platform availability of the GUI. Specifically, it enforces a kind of Frank Lloyd Wright view of GUI programming: functionality is the art of the GUI to a System Manager.
With the broad spectrum of packages available via JAVA, this restriction of gadgets is seen more as a narrowing of scope than a limitation of CIA.
CIA separates the maintenance of system integrity from system security. System security will be discussed in section 8. System integrity is the process of determining that CIA is functioning as designed.
To monitor the individual systems which are located on varying targets throughout the system, CIA again implements intelligent transportable agents. In fact, only two agents are necessary.
The first agent to meet has an unusual name, which hopefully describes what the agent does in a single word. Within CIA there is only one Wanda, and she is a transportable intelligent agent which wanders throughout the structure of the topology which Wanda has been informed about(3), gathering system statistics. Wanda's job is to test the integrity of CIA with as little overhead as possible.
The second agent is unusual in construct. It is the agent which performs the function of interfacing security and integrity to the rest of CIA. This agent is replicated at each node where the System Manager is interested in controlling and managing via CIA. This agent also has an unusual name which has its own design history. For now just accept the agent description as MenInBlack (MIB).
A quick discussion of the responsibility which the MenInBlack have is necessary to understand how Wanda functions. The security responsibilities are still postponed until section 8, but the "agent" nature of the MIB is that of a "lurker agent". Normally the MIB contains a π registry of information.
The information which Wanda gathers is carried with Wanda and grows as Wanda increases her knowledge about the system. In this respect Wanda is "fishing" for her information, trolling the backwaters of the Intranet looking for changes in the network and in nodes in general. Hence the name for the agent: Wanda the fish.(4)
Wanda's typical scenario goes something like the following: Wanda wakes up and is configured to either discover the node topology, or to traverse a certain segment of the topology.
First consider the restricted mode: Wanda has a list of IP addresses on which to gather information.
After awakening, Wanda attempts to register (via tightly bound licensable code) with another member of the CIA integrity objects, mentioned earlier and known as MenInBlack (MIB).
When Wanda registers with the MIB, she requests the registry information. She receives this information as a bundle and merely checks the integrity of the transferred information, not the content. Wanda also makes a request to the MIB to find out whether a GUI Display agent is located on this node.
If there is no GUI agent registered, Wanda then moves on to her next node. If there is a GUI agent registered, Wanda will also make a request for connection to the GUI agent. Remember that the connections here are local and do not happen on the network; these are IPC connections. The GUI actually spawns an agent known as Richelieu, which connects to Wanda and receives Wanda's entire package of registry information, stored from each MIB which Wanda has visited. Richelieu sifts the registry information provided to see whether there are any peripherals which this GUI has an interest in monitoring. If there are peripherals of interest, the information is passed on to the GUI and Richelieu commits suicide.
Wanda then continues with her registry information still intact to the next node, which may or may not have a GUI.
In the unrestricted mode the same scenario takes place, but Wanda's intelligence is increased to know about topologies. She attempts jumps to nodes looking for a MIB until she finds one or completes her transit of the topology. The difference is that the unrestricted Wanda understands a little more about how to move from place to place.
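The restricted-mode traversal described above, as an added simulation that is not the CIA prototype's code: the node addresses, registry contents, GUI interest set, sealing key and the "tampered" fault are all constructed here, and the HMAC tag stands in for the paper's unspecified bundle integrity check.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed stand-in for the "tightly bound licensable code" shared by CIA
# agents; a real deployment would provision this per node, not hard-code it.
LICENSE_KEY = b"constructed-license-key"

def seal(payload: bytes) -> bytes:
    """Tag a registry bundle so its integrity can be checked without reading it."""
    return hmac.new(LICENSE_KEY, payload, hashlib.sha256).digest()

@dataclass
class MIB:
    """Lurker agent on one node: holds the pi registry and knows if a GUI is local."""
    node: str
    registry: dict                    # peripheral name -> status (constructed data)
    has_gui: bool = False
    gui_interests: frozenset = frozenset()
    tampered: bool = False            # constructed fault: bundle altered after sealing

    def bundle(self):
        payload = json.dumps(self.registry, sort_keys=True).encode()
        tag = seal(payload)
        if self.tampered:
            payload = payload.replace(b"ok", b"KO")
        return payload, tag

def richelieu(carried: dict, interests: frozenset) -> dict:
    """GUI-spawned agent: sift every carried bundle for peripherals this GUI monitors."""
    matches = {}
    for node, payload in carried.items():
        hits = {k: v for k, v in json.loads(payload).items() if k in interests}
        if hits:
            matches[node] = hits
    return matches

@dataclass
class Wanda:
    route: list                                    # restricted mode: nodes to visit
    carried: dict = field(default_factory=dict)    # node -> verified bundle
    unreachable: list = field(default_factory=list)

    def traverse(self, nodes: dict) -> dict:
        """Visit each node in order; return what each GUI on the route received."""
        delivered = {}
        for addr in self.route:
            mib = nodes.get(addr)
            if mib is None:
                self.unreachable.append(addr)      # a failed jump is itself news
                continue
            payload, tag = mib.bundle()
            # Integrity only: Wanda never interprets the registry content herself.
            if not hmac.compare_digest(seal(payload), tag):
                self.unreachable.append(addr)      # a bad bundle counts as a failed hop
                continue
            self.carried[addr] = payload
            if mib.has_gui:
                # Local IPC, not a network exchange: the GUI spawns Richelieu.
                delivered[addr] = {
                    "peripherals": richelieu(self.carried, mib.gui_interests),
                    "unreachable": list(self.unreachable),
                }
        return delivered

def run_demo() -> dict:
    """Constructed route: a plain node, a node whose bundle was altered in
    transit, an address Wanda cannot reach, and finally a node with a GUI."""
    nodes = {
        "10.0.0.1": MIB("10.0.0.1", {"disk0": "ok", "tape0": "offline"}),
        "10.0.0.2": MIB("10.0.0.2", {"disk1": "ok"}, tampered=True),
        "10.0.0.3": MIB("10.0.0.3", {"lp0": "unconfigured"}, has_gui=True,
                        gui_interests=frozenset({"disk0", "lp0"})),
    }
    wanda = Wanda(route=["10.0.0.1", "10.0.0.2", "10.0.0.9", "10.0.0.3"])
    return wanda.traverse(nodes)
```

Only the GUI node receives anything, and what it receives includes both the filtered registry entries and the hops Wanda could not complete.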
The architectural goal of CIA has been to localize the data necessary to perform a function at the resource where the function information is required: deal with the information locally, with intelligent agents which can transport the information wherever it is needed, which may mean the information goes absolutely nowhere.
The knowledge and information is distributed, but each node is allowed to deal with the knowledge in the way it does best. The result is that functions tend to cluster together on resources which are doing that "kind" of work. In CIA these clusters of information, together with the agents which know how to deal with the information, are little bevies of agents and knowledge. In many cases the bevies are specialists, but as with societies many of the bevies are generalists, sifting through knowledge to discover hints and trends.
CIA takes the view that System Managers are most interested in these hints and trends, that is, in the Knowledge Generalized Bevies. The Knowledge Generalized Bevies become the most interesting when monitoring systems. Knowledge Specialized Bevies become important when a specific failure or problem arises, but during monitoring it is the Knowledge Generalized Bevies which are of most interest to the system manager.
CIA also takes this point of view when concentrating agent intelligence. If agents are assumed to be able to do everything, then we are back to the promise of AI. The HAL which falsely reports the device responsible for aligning the Earth Antennae(5) because he is "worried" about lying about the mission, is a humorous (and stretched) example of AI trying to do too much. Some systems are just handled better when viewed as independent tasks.
CIA uses Knowledge Generalized Bevies and agents to attempt to avoid "arbitrary complexity"(6) and to make the intelligence more manageable, so that agents can actually spot system trends and errors. This is a well understood problem, but it is hardly ever implemented because it is almost always seen from the view of the system and not from the view of the peripheral.
The MIB agents have already been discussed in brief, but without the detail of security. Only the registry nature has been examined.
Security is generally an attempt to keep honest people honest and to keep less than honest people out! Programs are written by Programmers, which for the most part are people...so...security is an attempt to keep honest programs honest and to keep those programs which are less than honest, out!
Security has most generally been approached from the centralized, large-system overview of "let's handle security for everyone and everything from right here!" CIA takes a much more localized view of security; if you will, a Federalist view of security, a kind of system Neighborhood Watch.(7)
On each node where CIA is allowed to run, there is a security agent called MenInBlack. The MIB is specialized for that node's type of system and for CIA. The MenInBlack know how to spawn agents which go to investigate the local security haunts of the system, again without the impact of loading the network. It also knows about the structure and nature of CIA.
When agents (whether π agents, Wanda, or the Feds (a more federalized MenInBlack)) show up on a node they must register with the local MIB. To do so requires a proprietary exchange of tightly licensed agent code between the MIB and the agent. Most of the time the exchange will succeed and registry will happen. Sometimes that exchange will fail! There are very few reasons (from the point of view of CIA) why the exchange might fail; the biggest is probably an attempt at intrusion. The MIB utilizes some fuzzy constraints to determine when such an attempt or attempts should be considered an intrusion. At this level the intrusion is local, and perhaps the system should be notified of the attempt, and perhaps a higher authority should be contacted. Using fuzzy constraints, CIA determines whether to handle the intrusion attempt(s) itself, slough off the problem to the system security, and/or notify the System Manager with various levels of alerts.
If the MenInBlack determine that the intrusion is something which warrants greater authority (again a fuzzy constraint which can be determined and controlled by the System Manager), it notifies the Feds. The Fed is a wandering MenInBlack agent, similar to Wanda, except that it is specialized to accept security information only, from each MIB lurker agent it finds on a system. The security information collected from each site is eventually delivered to a GUI, just as Wanda delivers her information. Another difference between Wanda and the Fed is that the Fed can make a determination as to whether multiple attacks are happening or whether localized attacks are happening on specific platforms, and can even spawn agents on each platform to track and pursue the header information on offending agents attempting to intrude on CIA ports.
The Fed can also quiet down suspicions from the local MenInBlack. If the System Manager chooses, or if certain fuzzy constraints trigger a condition called RELAX, then the Feds have the ability to inform the local MIB to FORGET certain elements of its intrusion constraints by issuing a RED_FLASH exchange during registration between the Feds and the local MIB.
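The registration check, the fuzzy intrusion constraints and the Feds' RELAX/RED_FLASH relaxation described above, as an added simulation that is not the CIA prototype's code: the thresholds, the time window, the linear membership curve, the action names other than RELAX/RED_FLASH/FORGET, and the source identifiers are all constructed here (the paper states that the real constraints are proprietary).

```python
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed stand-in for the licensed agent code exchanged at registration.
LICENSE_TOKEN = b"constructed-license-token"

def suspicion(failures: int, soft: int, hard: int) -> float:
    """Fuzzy membership in 'intrusion': 0 up to soft, 1 from hard, linear between."""
    if failures <= soft:
        return 0.0
    if failures >= hard:
        return 1.0
    return (failures - soft) / (hard - soft)

@dataclass
class MIB:
    """Lurker agent on one node: checks registrations and scores repeated failures."""
    node: str
    window: float = 300.0   # seconds of failure history kept (constructed value)
    soft: int = 2           # System Manager tunable: below this nothing is said
    hard: int = 6           # System Manager tunable: at this, call the Feds
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    reports: list = field(default_factory=list)

    def register(self, source: str, token: bytes, now: float) -> str:
        """One registration exchange; returns the action the MIB takes."""
        if hmac.compare_digest(token, LICENSE_TOKEN):
            return "REGISTERED"
        q = self.failures[source]
        q.append(now)
        while now - q[0] > self.window:       # forget failures outside the window
            q.popleft()
        s = suspicion(len(q), self.soft, self.hard)
        if s == 0.0:
            return "LOCAL"              # handled quietly on the node itself
        if s < 0.5:
            return "NOTIFY_SYSTEM"      # slough off to the host's own security
        if s < 1.0:
            return "ALERT_MANAGER"
        self.reports.append(source)     # warrants greater authority
        return "NOTIFY_FEDS"

    def red_flash(self, source: str) -> None:
        self.failures.pop(source, None)   # FORGET constraints held against one source

class Fed:
    """Wandering MenInBlack: collects each lurker MIB's reports and correlates them."""
    def __init__(self):
        self.seen = defaultdict(set)    # source -> nodes that reported it

    def visit(self, mib: MIB) -> None:
        for source in mib.reports:
            self.seen[source].add(mib.node)
        mib.reports.clear()

    def multi_node_attacks(self, min_nodes: int = 2) -> dict:
        """Sources reported by several nodes: a spread attack rather than a local one."""
        return {s: sorted(n) for s, n in self.seen.items() if len(n) >= min_nodes}

    def relax(self, mib: MIB, source: str) -> None:
        mib.red_flash(source)           # RELAX condition delivered as a RED_FLASH

def run_demo() -> dict:
    """Constructed run: one rogue source fails on two nodes, a Fed correlates it."""
    a, b, fed = MIB("node-a"), MIB("node-b"), Fed()
    actions = [a.register("agent-x", b"wrong", t) for t in range(6)]
    for t in range(6):
        b.register("agent-x", b"wrong", t)
    fed.visit(a)
    fed.visit(b)
    spread = fed.multi_node_attacks()
    fed.relax(a, "agent-x")             # node-a forgets; its next failure is LOCAL again
    return {"actions": actions, "spread": spread,
            "after_relax": a.register("agent-x", b"wrong", 7),
            "legit": b.register("wanda", LICENSE_TOKEN, 8)}
```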
Thus local security is maintained by a local agent who can specialize in the information of a particular platform/system while overall security is maintained by a more centralized control when necessary. But the bulk of the work is done by exchanging information locally on a node and NOT done by exchanging information across the network. Information which is transmitted is encoded and secured via private key.
Finally, each local security node may be updated via the Feds. This allows for continuing growth of the agents' information and action/reaction.
The reader should note here that the CIA concept of Knowledge Generalized Bevies has just been extended to the concept of security. Localize and generalize where possible. Specialize when necessary.
Knowledge Generalized Bevies offer a flexible architecture which is easily augmented with the additions of specialized agents.
Controlling Intelligent Agents in Knowledge Generalized Bevies represents a cooperative effort at "semi-intelligent" control of the generalized concept of System Management.
The reader may have noticed, for instance, that the overall architecture is completely scalable and can be applied to a plethora of situations, from System Management/Command and Control to internal maintenance of the integrity of board components, where each component is viewed as a node and firmware-embedded agents work to verify and specify system integrity.
The application of this technology is perhaps most visible when viewed in the light of the following scenario:
A vendor decides that they would like the System Manager to be able to monitor and manage their peripheral (again, software or hardware, it does not matter). The vendor licenses a piece of agent code and embeds in their product the agent code, a JAVA applet for display and management, and an applet for updating the product as well (under a different license, in case you are wondering). Once the vendor packages the EPROM/code segment into their product, the product is automatically configured and manageable on any CIA-enabled system on the face of the planet.
When a user purchases the vendor's product, the following scenario may begin: A system manager receives a note that a user would like to have a specific new vendor product installed on their system. The product is attached to a system and the unit spawns an agent which attempts to register with MenInBlack. The MIB responds and the unit registers as an unconfigured device. The information travels via Wanda to a GUI and is displayed to a System Manager, who authorizes the installation. The peripheral sends the configuration agent to the GUI, and the system, peripheral and customer have a fully functioning, security-rich environment encased around the device. Two other System Managers may also have their GUI displays updated at the same time. Perhaps, during installation, Wanda, which has been collecting system information, discovers that she cannot jump to a specific node. Before the users can call, Wanda has delivered the information to the GUI and an alarm has been raised to the System Manager. The System Manager on duty is new to the job and eventually requires some help diagnosing the problem. The sleeping "responsible" System Manager gets a call at home, dials in and sees exactly the same GUI as the "new" System Manager. The experienced System Manager can guide the new one through the steps to fix the problem while viewing the effort, step-by-step, as they go.
Of course Wanda also collects network information as she goes and individual transit times and more are displayed at the GUI, giving network timing and trends. Additional data, such as actual attempts before connection, actual transit times, via what protocol and more are also collected by Wanda.(8)
There are several things which are not addressed in this descriptive paper, such as what happens when a Wanda or a Fed dies. However, for the most part these questions are ones of detail and not overview, and therefore do not belong in an abstract. The author trusts that the reader will accept the rather poor excuse that these things are proprietary.
Licensing has also not been discussed in depth and again, the author pleads proprietary.
The names and agent identities which were picked in CIA, while sounding playful, may leave the reader with the notion that CIA is not a serious design architecture. While the author might agree that the names are playful, CIA has a working prototype and is a powerful, flexible, scalable and dynamic Command and Control architecture for System Management. It is an affordable and maintainable architecture which System Managers can either add to their existing repertory of management tools, or use as a stand-alone tool in an effort to regain control of their systems and still be able to utilize the dynamic nature of their hardware and software.
The original prototype for CIA was done in 14 days of two person effort. It had three π's, two for software peripherals and one hardware peripheral. It ran on Solaris 2.5 running on an Ultra1, one Win-NT based system utilizing dual Pentium Pro Processors, and one OS/2 based system utilizing dual Pentium Pro Processors. They were all running JAVA by Sun Microsystems, and the BitPix library from Bits and Pixels, Inc.
For more information, please contact Clark Williams, Software Industry & General Hardware, at S.I.G.H.@ix.netcom.com.
JAVA is copyright Sun Microsystems, Inc.
bitpix and BitPix are copyright Bits & Pixels, Inc.
1. There has been some use of the word "agent" in the Artificial Intelligence community in regard to promises which have not, usually, been kept. The agents referred to in CIA are of a practical nature and bear little if any resemblance to the "emotional" agents bandied about in the halls of those attempting to create HAL/SAL type computers.
2. In the Agent Community there are currently no end of discussions as to which agent communication language is "best". KQML and others are touted as the "required" communications standard which must be used in agent projects. It is the author's opinion that any IPC is fine if the communication is left off the network resource, and a non-standard method may even be preferable when security is considered.
3. Actually, Wanda may be configured with a multitude of capabilities. Wanda can be configured by a separate software program called the FishBowl, or she may be configured to be more inquisitive and actually investigate the network topology to discover newly added nodes, peripherals, etcetera. This functionality is sold separately.
4. In the implementation the class was designed as a fish class and Wanda is an instance of the fish class.
5. AE-35 unit, if you must know!
6. See Object Oriented Analysis and Design, second edition, by Grady Booch, page 4 for a reference to "arbitrary complexity".
7. The author wishes he could take the credit for coining the term "Neighborhood Watch Security", but alas the description was first suggested by Thomas John of Bits & Pixels (thomas@bitpix.com). If you ever get the chance to talk with Thomas, postpone all other recreational activities to participate! It will be time well spent; very instructive, informative and delightful!
8. Wanda can be configured to attempt different protocol jumps between nodes, cataloging each jump and associated anomalies.
23125 Crooked Arrow Drive
Wildomar, CA USA 92595