Professional Documents
Culture Documents
1
of this representation, we are confronted with the man- generate codes, but does not provide links between dia-
agement of heterogeneous and distributed architecture grams and therefore makes it difficult to use for align-
which calls for a rethinking of the distribution of the se- ment purposes or with other languages (e.g. MOF [3],
curity procedures between both: human and software Dsml4mas[5]). Globally, we observe that these solutions
autonomous entities [21]. Although having been handled aim at modelling the application layer of MAS. CAR-
by human employees for a long time, the organisational BA[15] provides a dynamic architecture for MAS similar
policies of complex systems, nowadays, need to be to the middleware CORBA, which is based on the role
shared with intelligent software items, often perceived as played by the agent. This approach introduces a concept
being more adapted for action in critical situations. These of Interface and Service which is similar to the one in
policies are deployed considering the responsibility [23] ArchiMate that we reused in our proposal.
of the agent for autonomous acting in open, distributed We observed that agent systems for critical infrastructure
and heterogeneous environments, whether in connection (CI) are organized in a way close to the enterprises sys-
or not with an upper authority. Acknowledging this situ- tem, our idea is to analyse how an enterprise architecture
ation, we are forced to admit that software agents are no model may be slightly reworked and adapted to MAS.
longer to be considered only as basic software compo- Therefore, we decided to use ArchiMate which has the
nents deployed to support business activities, but that following advantage of being supported by the Open
they are responsible [17], such as the business actors, for Group 1 which has a large community and proposes a
playing some kind of business role, and for performing uniform structure for modelling enterprise architecture.
business tasks accordingly. In view of this, acquiring Another advantage of ArchiMate is its use of a clear
an innovative enterprise architecture framework that al- link to existing modelling languages like UML. With
low to represent the behavioural policies of such agents regard to this, we think that it is relevant to provide a
appears fully justified and required by the practitioners, lean and simple structure compliant with the new version
especially the ones engaged in the management of those of UML to model any MAS. As a conclusion of our state
critical infrastructures. of the art, we acknowledge the many other models or
In this paper, we propose to explore ArchiMate, an en- frameworks which provide solutions for modelling MAS
terprise Architecture framework, and to redraw its struc- whether they are compliant with other modeling lan-
ture in order to fit in with agent software actors specific- guages or not. As far as we know, no existing approach
ities. The main focus concerns the design and the con- provides a multiple layer view or an integrated view of
sideration of responsibility driven policies (RDP) [16] these layers.
which are centric concepts related to the activation of
agents behaviours. The paper is structured as follows, 3. Policy Concept and Metamodel Core
after having sighted the related works concerning enter-
prise architecture models in Section 2, we review and Our goal in modelling the multi-agent system into an
model the concept of policy that represents the engine of architecture Metamodel is to provide system architects
the agent modelling framework in Section 3. Section 4 and developers with the tools for creating their own mul-
explains layer by layer the entire metamodel and illus- ti-agent system including the notions of Agents Policy.
trates the different components. In Section 5 we present a As explained in Section 2, we have selected the Archi-
case study which illustrates the exploitation of the en- Mate language to gives multiple layered view of a mul-
hanced ArchiMate for Multi-agent System. Finally, ti-agent system using policies.
Section 6 concludes the paper.
4
previous work [8], a MAS architecture was proposed in
4.5.2. Application Policy order to support risk assessment for real time deci-
The Application Policy from the Application sion-making processes. The clearing mechanism associ-
Layer is defined in Section 3 as the realisation of Re- ated to this architecture denotes all activities from the
sponsibilities by the Application domain in a configura- time is a transaction is made until it is settled. This
tion of the Data domain. UML provides support for Section introduces the core components of the reaction
modelling the behaviour performed by the Application mechanism. Agents are disseminated on three layers
domain as Sequence Diagram. Configuration of the Data corresponding to the clearing mechanism (custom-
domain can be expressed as Preconditions of the Se- er/issuer, acquiring/issuing processing, see Figure 8 and
quence Diagram and symbolized by the execution of a Figure 9) and they retrieve information from probes lo-
test-method on the lifeline of the diagram. cated at the network layer and representing different
values: network traffic, DoS attack (denial-of-service
attack, an attempt to make a computer resource unavail-
able to its intended users), suspicious connection at-
tempts, and so forth.
The architecture introduced and adapted from [16] is
composed of a set of agents with coordinated goals for
crisis management. Their roles were created to define the
architecture of agents with the ability to monitor devices
and report warnings to intelligent agents who make deci-
sions. This set of agents is composed of:
The ACE Agents responsibilities are to collect,
aggregate and analyse network information coming from
probes deployed over the network and customer node.
Confirmed alerts are sent to the Policy Instantiation En-
gine (PIE).
The PIE Agents responsibilities are to receive a
confirmed alert from the ACE, set the severity level and
the extent of the network response (depending on the
alert layer). The PIE instantiates high level alert messag-
es which have to be deployed. Finally, the high level
alert messages are transferred to the Reaction Deploy-
ment Point (RDP).
The RDP Agents responsibilities is composed of
two modules. The Cryptography Analysis (CA) is in
charge of analysing the keys previously instantiated by
the PIE. Therefore, the Crypto Status stores required
properties for a secure asymmetric key so that the CA
Figure 6 : ArchiMate metamodel for MAS
module is able to check the eligibility of the newly re-
ceived key which will be deployed. Concretely, the CA
checks the key strength to see if the key has not been
used or revoked and tests if the cryptographic key is not
badly generated (modulus-factorization, etc.). The sec-
ond module, the Component Configuration Mapper, se-
Figure 7 : Active structure connections
lects the appropriate communication channel. In this
Section, we instantiated the metamodel related to an
5. Case study in Financial CI ACE Agent as is it defined in previous work [8].
The case study concerns the reaction mechanism (Fig.
5.1. ACE Organizational layer
8) that aims at adapting the ciphering of the data accord-
ing to the banks interface whenever an alert occurs. This In the Organizational layer of the ACE Agent (Figure 10)
mechanism is judged extremely critical for financial in- we represented the monitoring aspect separately from the
stitutions since the corruption of card payment mecha- transaction aspect.
nisms may paralyze an entire State if fraud happens. In
5
Figure 8 : Acquiring/Issuing process and association with the agents reaction architecture
We called a transaction a communication of infor- For the Application layer of the ACE Agent (Figure 10)
mation from one agent to another (e.g. ACE sends alert we distinguished between the transaction and the moni-
to PIE), and then we considered the monitoring as the toring. Application Services for transactions and moni-
representation of information from an external device. toring are, as in the Organizational Policy, linked to only
one Application Policy. To bring afore the collaboration
between the ACE and the Monitored Device, we created
a Collaboration concept named Monitoring Administra-
tion and show that this collaboration is constituted of the
Components of the ACE and the Components of the De-
vice. Devices components use the Application Monitor-
ing Interface to communicate with the ACEs compo-
nents, and the ACEs components are composed of the
Application Monitoring Interface. We used the same
approach for the transaction part and rapidly pointed out
that the ACEs components are composed of two inter-
faces that serve the two Application Services. Again the
Application layer contains Data Object as Transaction
Messages, and Monitoring Messages used by the differ-
ent Application Components of the layer.
Figure 9 : Detailed agents architecture
Firstly, the Organizational Role of the ACE was rep- 5.3. ACE Technical layer
resented as a Collaboration of the PIE Role and the De-
vice Role. Each Role of the Collaboration communicates We found in the Technical layer of the ACE Agent
with the ACE through a proper Organizational Interface, (Figure 10) another representation of the two collabora-
one for the monitoring and another one for the transac- tors. Transaction and Monitoring Infrastructure are sep-
tion. ACE Role provides two Organizational Services arated from each other. Both of them have Infrastructure
depending on only one Organizational Policy which is Service connected to the ACE agents Node and an In-
dealing with two Events respectively for the monitoring frastructure Interface where the collaborators can inter-
and the transaction. Secondly, the two Organizational act with it. Each Node is respectively connected to a
Services provided by the ACE agent were regrouped into Communication Path (represented by a logical Event
a correlation service symbolized by the Product concept. Queuing) and uses different Artefacts for communica-
This Product has the objective Value to reduce a crisis tion. We have intentionally not instantiated Nodes for
by giving a guarantee of short reaction time represented readability, but it can easily be understand that an ACE
by the Contract concept. Finally the Contract was ap- agent can be deployed on a computer who runs an oper-
plied to the Organizational Object for monitoring infor- ating system. Also, the Network concept is not defined in
mation and transaction information. our instantiation for the same reason. For example, Mon-
itoring Event Queue between the ACE agent and the De-
5.2. ACE Application layer vice can be represented as a Network concept, by an
USB, and for the Transaction Event Queue, by an RJ45.
Figure 11 : ACE Monitoring Organizational Policies Use Case
6. Conclusions
Figure 10 : ACE agent model Aligning crisis management business processes with the
supportive application and technical layers is a crucial
5.4. ACE Organizational Policy governing activity. Despite the arising need for an inte-
grated alignment between enterprise layers, to date,
To illustrate the Organizational Policies of the ACE we SCADA are supported by increasingly used multi-agent
chose to represent the monitoring part of the ACE Role which are particularly appropriate in the context of criti-
as an UML Use Case (Figure 11). Monitoring Events are cal architecture. Indeed, MAS technology allows en-
illustrated in the Use Case as Extension Points and show hancing the connections between heterogeneous, open
their impacts on the responsibilities realized in the Per- and distributed components which are distributed around
form Monitoring Policy. Roles are presented as Actors, the globe in infrastructure networks. In the state of the
and Collaborations are highlighted by the different links art, we observed a lack of global architecture for model-
between the behaviours. ling these MAS. Therefore, our work focused on adapt-
ing ArchiMate for a MAS usage. This ArchiMate ad-
5.5. ACE Application Policy aptation allowed the structuring of the policy concept
and, thereby, allowed synchronizi the behaviour between
Sequences Diagrams were used to represent the respon- many types of agents, spread over different types of crit-
sibilities performed by the Application Domain of the ical architecture management components such as the
alert correlation engine, the intrusion detection tools, and
ACE Agent for the Application Policy: Perform Detec-
so forth. In order to illustrate the possibility of modelling
tion (Figure 12).
7
one of these architectures with this enhanced ArchiMate IEEE/WIC/ACM International Conferences on Web Intelli-
for MAS, we modelled a critical architecture for the gence and Intelligent Agent Technology - Volume 02 (WI-IAT
management of financial infrastructures dedicated to '11), Vol. 2. IEEE Computer Society, Washington, DC, USA,
credit card management. The modelling brought forth a 272-275. DOI=10.1109/WI-IAT.2011.194
[10] Christophe Feltus, Eric Dubois, Erik Proper, Iver Band,
clarification of the connection between the synchroniza- and Michal Petit. 2012. Enhancing the ArchiMate standard
tion of the event that is generated at the level of one with a responsibility modeling language for access rights man-
component policy and the one that triggers policies to agement. In Proceedings of the Fifth International Conference
another component. Associations between modelling on Security of Information and Networks (SIN '12). ACM, New
policies and UML language were also illustrated by the York, NY, USA, 12-19. DOI=10.1145/2388576.2388577
representation of the Organizational Policy as Use Case [11] Gustaf Neumann and Mark Strembeck. 2002. A scenar-
and the representation of Application Policy as Sequence io-driven role engineering process for functional RBAC roles. In
Diagram. Proceedings of the seventh ACM symposium on Access control
models and technologies (SACMAT '02). ACM, New York,
NY, USA, 33-42. DOI=10.1145/507711.507717 M.
7. Acknowledgements [12] Lankhorst. ArchiMate language primer, 2004.
The research described in this paper is funded by the [13] Zachman, John A. 2003. The Zachman Framework For
Enterprise Architecture : Primer for Enterprise Engineering and
CockpitCI research project within the 7th framework Manufacturing By. Engineering, no. July: 1-11.
Programme (FP7) of the European Union (EU) (topic [14] UML 2 ( http://www.uml.org/)
SEC-2011.2.5-1 Cyber-attacks against critical infra- [15] W. Jiao, Z. Shi, A dynamic architecture for multi-agent
structures Capability Project). systems, Technology of Object-Oriented Languages and Sys-
tems, 1999. TOOLS 31. pp.253-260, 1999
[16] Cedric Bonhomme, Christophe Feltus, and Michal Petit.
REFERENCES 2011. Dynamic Responsibilities Assignment in Critical Elec-
tronic Institutions - A Context-Aware Solution for in Crisis
[1] Franco Zambonelli, Nicholas R. Jennings, and Michael
Access Right Management. In Proceedings of the 2011 Sixth
Wooldridge. 2003. Developing multiagent systems: The Gaia
International Conference on Availability, Reliability and Secu-
methodology. ACM Trans. Softw. Eng. Methodol. 12, 3 (July
rity (ARES '11). IEEE Computer Society, Washington, DC,
2003), 317-370. DOI=10.1145/958961.958963
USA, 248-253. DOI=10.1109/ARES.2011.43
[2] Viviane Torres da Silva, Ricardo Choren, and Carlos J. P.
[17] Christophe Feltus and Michal Petit, Building a Respon-
de Lucena. 2004. A UML Based Approach for Modeling and
sibility Model Including Accountability, Capability and Com-
Implementing Multi-Agent Systems. In Proceedings of the
mitment, Fourth International Conference on Availability, Re-
Third International Joint Conference on Autonomous Agents
liability and Security (ARES 2009 The International De-
and Multiagent Systems - Volume 2 (AAMAS '04), Vol. 2.
pendability Conference), DOI=10.1109/ARES.2009.45
IEEE Computer Society, Washington, DC, USA, 914-921.
[18] John D. Fernandez and Andres E. Fernandez. 2005.
DOI=10.1109/AAMAS.2004.36.
SCADA systems: vulnerabilities and remediation. J. Comput.
[3] J. J. Gomez-Sanz, J. Pavon, and F. Garijo. 2002. Meta-
Sci. Coll. 20, 4 (April 2005), 160-168.
models for building multi-agent systems. In Proceedings of the
[19] B. Miller and D. Rowe. 2012. A survey SCADA of and
2002 ACM symposium on Applied computing (SAC '02). ACM,
critical infrastructure incidents. In Proceedings of the 1st Annual
New York, NY, USA, 37-41.
conference on Research in information technology (RIIT '12).
[4] G. Beydoun, C. Gonzalez-Perez, G. Low, B. Hender-
ACM, New York, NY, USA, 51-56.
son-Sellers. 2005. Synthesis of a generic MAS metamodel.
[20] J. Lloyd Hieb. 2008. Security Hardened Remote Terminal
SIGSOFT Softw. Eng. Notes 30, 4 (May 2005), 1-5.
Units for Scada Networks. Ph.D. Dissertation. University of
[5] C. Hahn. 2008. A domain specific modeling language for
Louisville, Louisville, USA. AAI3308346.
multiagent systems. In Proceedings of the 7th international joint
[21] H.-M. Kim, D.-J. Kang, and T.-H. Kim. 2007. Flexible
conference on Autonomous agents and multiagent systems
Key Distribution for SCADA Network using Multi-Agent Sys-
Vol. 1 International Foundation for Autonomous Agents and
tem. ECSIS Symposium on Bio-inspired, Learning, and Intel-
Multiagent Systems, Richland, SC, 233-240.
ligent Systems for Security, IEEE, Washington, USA, 29-34.
[6] AUML (Agent UML), http://www.auml.org/
[22] Tomomichi Seki, Hideaki Sato, Toshibumi Seki, Tatsuji
[7] Prometheus Methodology. http://www.cs.rmit.edu.au/
Tanaka, and Hadime. Watanabe. 1997. Decentralized Autono-
agents/SAC2/methodology.html
mous Object-Oriented EMS/SCADA System. In Proceedings of
[8] Guy Guemkam, Christophe Feltus, Cdric Bonhomme,
the 3rd International Symposium on Autonomous Decentralized
Pierre Schmitt, Benjamin Gteau, Djamel. Khadraoui, Zahia.
Systems (ISADS '97). IEEE Computer Society, Washington,
Guessoum, Financial Critical Infrastructure: A MAS Trusted
DC, USA.
Architecture for Alert Detection and Authenticated Transac-
[23] Christophe Feltus, Michal Petit, and Eric Dubois. 2009.
tions, Sixth IEEE Conference on Network Architecture and
Strengthening employee's responsibility to enhance governance
Information System Security, La Rochelle, France
of IT: COBIT RACI chart case study. In Proceedings of the first
[9] Guy Guemkam, Christophe Feltus, Pierre Schmitt, Cedric
ACM workshop on Information security governance (WISG
Bonhomme, Djamel Khadraoui, and Zahia Guessoum. 2011.
'09). ACM, New York, NY, USA, 23-32.
Reputation Based Dynamic Responsibility to Agent As-
DOI=10.1145/1655168.1655174
signement for Critical Infrastructure. In Proceedings of the 2011