Networked computer systems provide convenient sharing of files by multiple users located in different locations. Because of increased connection to such networks, such systems are increasingly vulnerable to attack or corruption by viruses or unauthorized users (e.g., hackers). Protective measures may be taken by installing and operating security monitoring tools which continually monitor and report network statistics. To effectively operate, a security monitoring tool is supplied with a definition of the type of activity that constitutes an intrusion. The security monitoring tool keeps aggregate statistics, including CPU usage, disk I/O and memory usage, and user activity. If the security monitoring tool identifies an intrusion, based on the intrusion definitions, it alerts a system administrator. Accordingly, the security monitoring tool typically does not proactively attempt to stop the security violation. In addition, security monitoring tools are typically quite complex in terms of functionality and size, and thus carry a proportional price tag and performance penalty.
Another approach to providing network security is to provide and invoke protective software agents. A software agent is an autonomous or semi-autonomous, semi-intelligent software program that is situated within a system and senses and acts on its environment over time to pursue an agenda independent of other software agents and to effect what it senses in the future. Additionally, software agents, sometimes called intelligent agents, have attributes of artificial intelligence. Agents are, in fact, often made up of objects. Agents may exhibit weak or strong characteristics.
Weak agents have the properties of autonomy, socialization, reaction, and motivation. Autonomy refers to an agent that operates with little direct intervention and is able to migrate to different platforms. Socialization means that the agent interacts or communicates with other agents. Reaction means that the agent senses changes in its environment and adjusts to the changes. Motivation means that the agent affects its environment instead of passively allowing the environment to affect it. Examples of weak software agents include commercially available World Wide Web-based agents which act on behalf of the user to search the Web according to user preferences. Some researchers avoid referring to these processes as agents because of their limited perceived intelligence.
Strong agents exhibit one or more of the following properties: mentality, rationality, adaptability. Mentality means that the agent has knowledge, desires, and intentions. Rationality means that the agent performs actions which further its goals. Adaptability means that the agent is capable of learning.
The use of software agents provides, among other things, advantages over the conventional security monitoring tool in that a separate independent agent may be created to monitor a small aspect of the overall network system. Several agents which monitor different aspects of the overall system may then cooperate with one another to provide, in combination, the functionality of a security monitoring tool. Because agents are independent of one another, the implementation is less cumbersome and preferably requires less overall code space. Furthermore, different agents may be added, removed, or modified as necessary to fulfill the requirements of network security. The software agent approach to network security is particularly advantageous because each software agent is independently trainable, efficient in terms of interfacing cleanly with the aspect of the system it is created to monitor, and easily tailored to the network system configuration and functionality. Accordingly, the software agent approach provides a clean, easy to maintain, scalable, and adaptive method for providing network security. This approach is described in a paper titled "Defending a Computer System Using Autonomous Agents" by Mark Crosbie and Eugene H. Spafford, of COAST Laboratory, Department of Computer Sciences, Purdue University, dated Jun. 16, 1995, the contents of which are incorporated herein by reference.
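The following is an added illustration, not code from the patent or from the Crosbie and Spafford paper, of the architecture described above: each agent senses one aspect listed earlier (CPU usage, disk I/O, memory, user activity), a coordinator combines their reports against intrusion definitions, and an agent for a further aspect can be added without modifying the others. The telemetry values, thresholds and rule names are constructed for the example.

```python
from typing import Callable, Dict, List, Tuple

# Constructed sample telemetry, standing in for what each agent would sense live.
SAMPLE_READINGS: Dict[str, float] = {
    "cpu": 97.0,          # percent busy
    "disk_io": 820.0,     # MB/s
    "memory": 61.0,       # percent used
    "failed_logins": 14,  # per minute (the user-activity aspect)
}

class Agent:
    """Monitors exactly one aspect of the system and reports it when asked."""
    def __init__(self, aspect: str, sensor: Callable[[], float]):
        self.aspect, self.sensor = aspect, sensor
    def sense(self) -> Tuple[str, float]:
        return self.aspect, self.sensor()

class IntrusionDefinition:
    """A rule over several agents' readings; fires only when every condition holds."""
    def __init__(self, name: str, conditions: Dict[str, Callable[[float], bool]]):
        self.name, self.conditions = name, conditions
    def matches(self, observed: Dict[str, float]) -> bool:
        # An aspect that no agent monitors can never satisfy the rule.
        return all(a in observed and ok(observed[a]) for a, ok in self.conditions.items())

class Coordinator:
    """Gathers the agents' reports and matches them against the intrusion definitions."""
    def __init__(self, agents: List[Agent], definitions: List[IntrusionDefinition]):
        self.agents, self.definitions = list(agents), list(definitions)
    def add_agent(self, agent: Agent) -> None:
        self.agents.append(agent)  # added or removed without touching the other agents
    def run_once(self) -> List[str]:
        observed = dict(agent.sense() for agent in self.agents)
        return [d.name for d in self.definitions if d.matches(observed)]

def build_monitor(readings: Dict[str, float]) -> Coordinator:
    # Three independent agents (CPU, disk I/O, memory) and two constructed intrusion definitions.
    agents = [Agent(k, lambda k=k: readings[k]) for k in ("cpu", "disk_io", "memory")]
    defs = [
        IntrusionDefinition("resource exhaustion",
                            {"cpu": lambda v: v > 90, "disk_io": lambda v: v > 500}),
        IntrusionDefinition("password guessing", {"failed_logins": lambda v: v >= 10}),
    ]
    return Coordinator(agents, defs)

if __name__ == "__main__":
    monitor = build_monitor(SAMPLE_READINGS)
    print(monitor.run_once())  # ['resource exhaustion']: no agent watches logins yet
    monitor.add_agent(Agent("failed_logins", lambda: SAMPLE_READINGS["failed_logins"]))
    print(monitor.run_once())  # ['resource exhaustion', 'password guessing']
```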
One problem associated with the software agent approach is that although the agents in a multiple-agent security system are more immune to virus or hacker attack since they tend to be distributed across the network system, the independent agents are still vulnerable to attack. Accordingly, a need exists for a method and mechanism for protecting the software agents themselves from unauthorized modification. A need also exists for a method and mechanism for identifying unauthorized modification of the software agents themselves.
Distributed processing systems use the processing power of many connected nodes within a network to process information in parallel and to allow autonomous agents created in one node to migrate to other nodes for processing, often without the knowledge of the human operator. The security risk increases even more when objects are permitted to migrate from one node to another across heterogeneous platforms. Two primary types of distributed processing systems are distributed objects systems and distributed agent systems.
Distributed object systems are software systems using classical object-oriented software, distributed across a network of machines. Objects are software programs which have a type which defines the task the object can do and how it is invoked to perform the task. In a distributed object system, objects can either be local or remote. Local objects reside on one network node, whereas remote objects usually reside on another network node. The design of distributed object systems provides not only scalable computational resources, but also applications which operate robustly over many heterogeneous architectures. Distributed object systems are often developed in compliance with a standard developed by the Object Management Group (OMG) called the Common Object Request Broker Architecture (CORBA). OMG is one of the world's largest software consortiums, with over 700 member companies. The core of most distributed object systems is the object request broker (ORB). The ORB facilitates communication between local and remote objects and eliminates many tedious steps when designing distributed applications. Under the CORBA architecture, applications within a distributed heterogeneous environment (i.e., a network having different network nodes with diverse machines, operating systems, and programming languages) are easily integrated using the OMG Interface Definition Language (IDL) to define interfaces to objects. IDL allows objects to be written in any language, reside on any platform, and communicate with objects written in other languages, residing on other platforms.
Distributed agent systems are similar to distributed object systems in that they accomplish goals by initiating processes across many nodes on a network. Objects in distributed object systems and agents in distributed agent systems are also vulnerable to attack by viruses or hackers. Accordingly, a need also exists for a method and mechanism for protecting the software objects and agents from unauthorized modification.