Steganographic Routing in Multi Agent System Environment

In this paper we present an idea of trusted communication platform for Multi-Agent Systems (MAS) called TrustMAS. Based on analysis of routing protocols suitable for MAS we have designed a new proactive hidden routing. Proposed steg-agents discovery …

Authors: Krzysztof Szczypiorski, Igor Margasinski, Wojciech Mazurczyk

Krzysztof Szczypiorski, Igor Margasiński, Wojciech Mazurczyk
Warsaw University of Technology, Faculty of Electronics and Information Technology, Institute of Telecommunications
15/19 Nowowiejska Str., 00-665 Warszawa, Poland
{k.szczypiorski, i.margasinski, w.mazurczyk}@tele.pw.edu.pl

Abstract: In this paper we present an idea of a trusted communication platform for Multi-Agent Systems (MAS) called TrustMAS. Based on an analysis of routing protocols suitable for MAS we have designed a new proactive hidden routing. The proposed steg-agents discovery procedure, as well as further route updates and hidden communication, are cryptographically independent. Steganographic exchange can cover heterogeneous and geographically outlying environments using available cross-layer covert channels. Finally we have specified rules that agents have to follow to benefit from the TrustMAS distributed router platform.

Keywords: Multi Agent Systems, Information Hiding, Steganography, Trust Management, Routing Protocols

1. Introduction

Decentralization of operations was recognized as a valid paradigm in the early 1960's. It was confirmed to be robust and efficient and it was used as a foundation in creating the architecture for such groundbreaking ideas as the Internet and grid computing. Nowadays we are witnessing the expansion of distributed systems and services, for example peer-to-peer overlays [1]. Today the most promising application of distributed operations is agents ([19], [22]). The history of agents tracks back to distributed artificial intelligence (DAI) and distributed problem solving (DPS) concepts [19]. We can define them as independent software components that are able to act autonomously and which can represent another entity (e.g. a human). Moreover, systems that consist of many agents interacting with each other form MAS [41].
Combining MAS platforms with steganographic techniques enables secure and unrestricted hidden communication among a trusted multi-agent population and it is a novel contribution of TrustMAS. In our research we were focused on providing trusted communication between chosen agents using steganographic channels. In this way a distributed steganographic router is formed.

2. Backgrounds

2.1 Agents and trust in MAS

Agents can be generally classified as stationary or mobile agents. The main difference between both types is that a stationary agent resides only on a single platform (the host that the agent operates on) and a mobile one is able to migrate from one host to another while preserving its data and state. Agents can be characterized with the following properties [8]:

• Interaction - by performing actions agents influence the environment they operate in,
• Flexibility - that can be defined as an ability of the agents to be responsive to the changes occurring in their environment and to interact with other agents (social property) to achieve a common goal (proactive property) [22],
• Autonomy - no direct intervention of humans (or other entities) is needed for agents to act.

The main advantages of the systems that utilize agents include: fault tolerance (as it is harder for an intruder to interrupt communication when it is distributed), scalability and flexibility, performance improvements, lightweight design and an ability to be assigned to different tasks to perform. The most common applications of MAS vary from network monitoring (e.g. IDS/IPS systems [21]) and management, information filtering and gathering (e.g. Google), building self-healing, highly scalable networks or protection systems [42] to transportation, logistics and others (e.g. graphic computer games development [43]). MAS systems are implemented based on platforms which are the tools to build multi-agent systems.
Nowadays the most popular platforms include: JADE [52], AgentBuilder [53], JACK [54], MadKit [55] and Zeus [56]. Such tools simplify the implementation of multi-agent systems.

Providing security for MAS is crucial as nowadays this technology's global scale development is still limited by security constraints and vulnerabilities ([23], [4], [16], [33], [20]). The classical security model based on the central, well secured bastion paradigm is no longer sufficient, because in the new distributed network environment agents are ideal attack targets for any malicious operations. Moreover the agents themselves are perfect attack tools. The most important attacks that can be performed using MAS include: spamming, DoS (Denial of Service) and spoofing ([16], [21]).

On the other hand mobile agents create a dynamic environment and have to be able to establish ad-hoc trust relations to perform intended tasks collectively and effectively. Particularly challenging goals are the authentication process, where the identity of an agent may be unknown, and authorization decisions, where a policy should accommodate a distributed and changing structure. Trusted cooperation in a heterogeneous MAS environment requires not only trust establishment but also monitoring and adjusting existing relations. The two main concepts of trust establishment in a distributed environment ([28], [27], [31]) are reputation based ([12], [26], [2], [36], [34]) and credential (or rule) based trust management (TM) ([5], [6], [11], [39], [20], [40]). The first one utilizes information aggregated by system entities to evaluate the reputation of a chosen entity. Basically, decisions are made according to recommendations from other entities, where some of them can be better than others. An example of a reputation computation system is the influential PageRank developed by Google. The second solution – the credential based TM – utilizes secure (e.g. cryptographically signed) statements about a chosen entity. A well known credential based platform is Public Key Infrastructure, where the role of credentials is fulfilled by X.509 certificates. Essential in reputation evaluation is the presence of a risk factor. These flexible solutions do not exclude wrong decisions. Credential based decisions are more reliable but require well defined semantics.

2.2 Steganography

Information hiding techniques such as network, audio, image and text steganography can become a powerful tool that can be used to establish secure and stealth communication ([18], [25], [38], [32], [3], [24], [35]) among trusted agents. Most of the contemporary, widely available implementations of steganographic systems are dedicated to multimedia applications – hidden data is distributed in sound files, images and movies. A focus on content exchange in the application layer of the network model (e.g. watermarking as an intellectual property rights protection tool) can be observed. Steganographic solutions located in network protocols are relatively not widespread, but they exist – most of them rely on usage of a communication protocol's optional fields or untypical values from the correction codes space.

For the MAS environment we propose a distributed steganographic router which will provide the ability to create covert channels between chosen agents. Paths between agents can be built with the use of any of the steganographic methods in any OSI RM layer and be adjusted to the heterogeneous characteristics of a given network. The concept of a steganographic router, as stated earlier, is new in the steganography state of the art and also MAS technology seems to be very well suited to implement such a router in this environment.

To develop a safe and far-reaching agent communication platform it is required to enhance the routing process with anonymity.
The first concept of network anonymity was introduced in the seminal paper of Chaum [10]. The Mixnet system proposed there has become a foundation of modern anonymity systems. The concept of Mixnet chaining with encryption has been used in a wide range of applications such as E-mail ([30], [13]), Web browsing [18], ISDN [33], and general IP traffic anonymization (Freedom [17], TOR [29]). Other solutions [9] seem to play a less important role or, as Crowds [47], can be considered as simplifications of Mixnet. By means of forwarding traffic for others it is possible to provide agents' untraceability. The origin of collaboration intent in this manner can be hidden from untrusted agents and eavesdroppers.

2.3 Routing in TrustMAS

Routing protocols in IP networks have been changing, as the networks evolved, from distance-vector (e.g. Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP)), link-state (e.g. Open Shortest Path First (OSPF)) and hybrid (e.g. Enhanced Interior Gateway Routing Protocol (EIGRP)) protocols for wired networks to proactive (e.g. Destination-Sequenced Distance Vector (DSDV), Wireless Routing Protocol (WRP), Global State Routing (GSR), Optimized Link State Routing (OLSR)), reactive (e.g. Ad hoc On-demand Distance Vector (AODV), Dynamic Source Routing (DSR), Light-weight Mobile Routing (LMR)) and hybrid (e.g. Zone Routing Protocol (ZRP), Scalable Location Update Routing Protocol (SLURP), Distributed Dynamic Routing (DDR)) protocols for MANETs [50], [51].

In TrustMAS the most important component that the proposed distributed steganographic router must possess is a routing protocol. An effective routing protocol is vital for agents' communication and their performance. The routing protocol that will be developed for TrustMAS must take into account all specific features that are not to be found in any other routing environment.
That includes: providing anonymity with a random walk algorithm and usage of steganographic methods. Both those aspects affect the performance of routing convergence. The first one influences updates: in order to provide the anonymity service they must be periodic. The second one affects the links' available bandwidth. That is why the routing protocol for TrustMAS will be designed from scratch and will be kept as simple as possible, so none of the existing routing protocols for MANETs are applicable. It will be a distance vector proactive algorithm (and will be described in detail in section 4).

3. Architecture and main components of TrustMAS

3.1 Agents in TrustMAS: Steganographic Agents (SAs) and Ordinary Agents (OAs)

Two types of agents are present in the TrustMAS platform. There are Ordinary Agents (OAs) that use this platform to benefit from the two security services that it provides: trust and anonymity. The second type of agents are Steganographic Agents (StegAgents, SAs) that use TrustMAS to perform hidden communication. The OAs are not aware of the presence of SAs. And even if malicious agents exist and try to uncover SAs and their communication, there are certain mechanisms available in TrustMAS (described later) to limit the potential risk of disclosure. Each StegAgent is characterized by its address and steg-capabilities that describe the steganographic techniques that the SA can use to create a hidden channel to communicate with other SAs.

In TrustMAS, StegAgents may perform steganographic communication in various ways, especially by using methods in different layers of the TCP/IP model. In particular, SAs may utilize methods other than application layer ones by using specialized middleware enabling steganography through all layers in this model. In some cases there is a possibility to use only application layer steganography, i.e. image or audio hiding methods.
Hidden communication via middleware in different layers gives SAs the opportunity to establish links outside the MAS platform. Examples of techniques in different layers of the TCP/IP model that enable covert channels include:

• Application layer: e.g. audio, video, still images, text hiding methods,
• Transport and network layer: protocol (network) steganography,
• Data link layer: methods depend on the available medium, e.g. the HICCUPS [38] system can be utilized on WLAN links.

Using such cross-layer steganography has certain advantages as it gives more possibilities of exchanging hidden data and it is harder to uncover. However, building the path with many different steganographic methods may introduce delays, therefore some hidden data methods, known from the state of the art, may not be sufficient to carry network traffic (keeping in mind that in some steganographic applications delay is not the best measure, because the best one is just to be hidden).

Figure 1. Architecture of TrustMAS (planes: STEG ROUTING, MAS PLATFORMS, NETWORK with layers L1 to L4)

3.2 TrustMAS architecture

The proposed architecture of TrustMAS can be described on three planes (Fig. 1). In the MAS PLATFORMS plane, the gray areas represent homogenous MAS platforms, black dots represent StegAgents and white ones Ordinary Agents involved in TrustMAS. StegAgents act as a distributed steganographic router (Steg-Router) as shown on the STEG ROUTING plane. Connections are possible between StegAgents with use of hidden channels, located in various network layers (NETWORK plane), and at the platform level. As mentioned earlier, which steganographic methods will be used to communicate between StegAgents depends on their steg-capabilities.

The main components that form the TrustMAS architecture, that will be described, include: SAs and OAs (section 3.1), trust and anonymity services (section 3.3) and distributed steganographic router (section 3.4).
3.3 Security services in TrustMAS: trust and anonymity

Multi-agent systems give the opportunity to build an agents' community. In such environments, like in human society, trust and anonymity become important issues as they help agents to build and manage their relationships. That is why we assume that:

• There are no typical behaviors of the agents involved in the particular MAS community,
• All agents may exist and live their lives in their own way - this assumption results in a lack of defined agents' interests and gives no information about characteristics of exchanged messages,
• Because our work is focused on information hiding in MAS, we don't assume that any background traffic exists.

These assumptions are rather generic and do help to describe TrustMAS in a theoretical way of building a steganographic system. In a real environment such as IP networks background traffic will exist and will make detection of the system harder.

Agents must possess a certain level of trust for each other, in order to minimize the uncertainty of the interactions they perform. Moreover agents' interactions often have to happen in an uncertain, dynamically changing and distributed environment. Trust, as it usually describes the reliability or trustworthiness of the other communicating sides, supports agents in making right decisions. When the trust value is high the party with which the agent is operating gives more chances to succeed, e.g. agents need less time to find and achieve their goals. On the contrary, when the trust value is low, the choice of the operating party is more difficult, time-consuming and provides fewer chances for success.

In the proposed TrustMAS platform we provide trust and anonymity for each agent that wishes to join it. The main trust model of the TrustMAS platform is based on specific behavior of agents – waiting for the expected scenario and following the dialog process mean that agents are trusted.
Other trust models, not included in this work, depend mainly on the application of TrustMAS and can be changed accordingly.

TrustMAS includes an anonymity technique based on the random-walk algorithm [46] for providing general purpose anonymous communication for agents. To send a message anonymously the agent sends the message to a randomly chosen agent. The message contains a destination address. Then, the selected agent flips an asymmetric coin to decide whether to forward the message to the next random agent. The coin asymmetry is described by a probability p_f. The proxy agent forwards the message to the next random proxy agent with the probability p_f and skips forwarding with a probability 1 – p_f. This probabilistic forwarding assures anonymity because no agent can conclude whether messages received in this manner originated from their direct sender.

If many agents join TrustMAS it will be easier to hide covert communication exchanged between SAs. All agents that take part in the proposed MAS platform benefit from the trust and anonymity that is provided for their interactions. But the ability to use TrustMAS dictates some conditions: all agents that want to use it are obligated to follow certain rules, e.g. forward discovery steganographic messages according to the random-walk algorithm. This is the "cost" that agents have to "pay" in order to benefit from the trusted environment.

Figure 2. Agents Random Walk

3.4 Distributed steganographic router (Steg-router)

As described in section 3.2 all the StegAgents in TrustMAS and their ability to exchange information by using hidden channels form a distributed steganographic router (Steg-router). The proposed Steg-router is a new concept of building a distributed router to carry/convert different covert channels, where typically a covert channel is an end-to-end connection. Conversion of hidden channels is performed in a heterogeneous environment (e.g. hidden information in an image converted into hidden information in WLAN) and the MAS platform is used here as the environment to implement this concept. This gives the opportunity to evaluate a new communication method and explore new potential threats in the MAS environment.

The main component of the proposed Steg-router is the steganographic routing protocol (Steg-routing protocol) that is described in section 4. It is a distance vector protocol and it uses the random walk algorithm (mentioned earlier) to perform discovery of new StegAgents that join TrustMAS (new SAs also perform this algorithm in order to join TrustMAS, to be able to find existing SAs). It also utilizes a hello mechanism to build neighbor relations with other SAs and to detect changes in their presence.

We chose a distance vector routing protocol without triggered updates for security reasons - to avoid potential attacks connected with monitoring agents' behavior. We can imagine a situation in which the aim of the malicious attack is to observe agents' behavior after removing a random agent from TrustMAS. If the removed agent was a StegAgent and if the Steg-routing protocol used triggered updates then suddenly there would be vast activity in TrustMAS, because triggered updates would be sent to announce changes in the network topology. For the same reason a distance vector protocol was chosen over a link state or hybrid one. Another drawback of a link state (or hybrid) protocol for our purposes is that it has greater requirements on processing time and memory than distance vector, and agents may be lacking in both those aspects.

4. Steg-routing protocol

A typical distance vector routing protocol operates generally in the following way: each node sends periodical routing updates (its entire route table) to all its neighbors.
That is why the proposed steg-routing protocol will be characterized by describing three mechanisms:

• Discovery and maintenance of the neighbors (section 4.1),
• Exchanging routing tables (section 4.2),
• Creating steg-links and steg-paths (section 4.3).

4.1 Discovery of new SAs and maintaining neighbors table

As stated above, all the agents involved in TrustMAS perform anonymous exchange based on the random-walk algorithm. In this procedure each agent uses an asymmetric coin to decide if it passes data or not to a randomly chosen agent (StegAgents or others involved in TrustMAS). StegAgents use this procedure to send an anonymous message with an embedded stegmessage that consists of:

• StegAgent's address,
• StegAgent's steg-capabilities (available steganographic methods to use for covert communication).

Such a mechanism is analogous to sending hello packets to the neighbors in classical distance vector protocols, where it is responsible for discovery and maintenance of the neighbors table. In the proposed protocol the random walk algorithm performs only the discovery role. So the discovery phase is performed by SAs that are already involved in TrustMAS and by new SAs that want to join it.

Moreover, each StegAgent will maintain two tables: the neighbors table and the routing table. The neighbors table is created based on the information obtained from random-walk algorithm operations. The neighbor relation is formed between two StegAgents if there is a steg-link that connects them. Maintenance of up-to-date information in the neighbors table is achieved by periodically sending hello packets through formed steg-links (covert channels – connections using steganography to the next hop SA). Such a solution helps to identify the situation when one of the StegAgents becomes unavailable.
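The coin-flip forwarding of section 3.3, which the discovery phase above reuses, can be quantified with a short simulation: it measures how many agents handle one message, how often a receiving agent's direct sender really is the originator, and how likely a single discovery walk is to pass through at least one StegAgent. This is an added example, not code from the paper; the population size, the number of StegAgents, the p_f values and all function names are assumptions chosen for illustration.

```python
import random

def random_walk(n_agents, origin, p_f, rng):
    """Return the (direct_sender, receiver) pairs of one anonymous message.

    The originator always hands the message to one random agent; every
    proxy then forwards with probability p_f and stops with 1 - p_f.
    """
    hops, sender = [], origin
    while True:
        receiver = rng.randrange(n_agents)
        while receiver == sender:            # an agent never selects itself
            receiver = rng.randrange(n_agents)
        hops.append((sender, receiver))
        if rng.random() >= p_f:              # coin says "skip forwarding"
            return hops
        sender = receiver                    # proxy forwards to a new random agent

def expected_proxies(p_f):
    """Mean number of agents that handle one message: 1 / (1 - p_f)."""
    return 1.0 / (1.0 - p_f)

def p_walk_reaches_sa(p_f, sa_share):
    """Closed-form chance that at least one proxy of a walk is a StegAgent,
    treating every hop as an independent draw with SA fraction sa_share."""
    q = 1.0 - sa_share
    return 1.0 - q * (1.0 - p_f) / (1.0 - p_f * q)

def simulate(n_agents, steg_agents, p_f, walks, origin=0, seed=1):
    """Run many walks from one originator and summarise what agents observe."""
    rng = random.Random(seed)
    receipts = from_origin = reached = 0
    for _ in range(walks):
        hops = random_walk(n_agents, origin, p_f, rng)
        receipts += len(hops)
        # Receipts where the agent that handed over the message is the originator.
        from_origin += sum(1 for sender, _ in hops if sender == origin)
        # A discovery stegmessage is learned if any proxy on the walk is an SA.
        reached += any(receiver in steg_agents for _, receiver in hops)
    return {
        "mean_proxies": receipts / walks,
        "direct_sender_is_origin": from_origin / receipts,
        "walk_reaches_sa": reached / walks,
    }

if __name__ == "__main__":
    # Constructed population: 200 agents, agent 0 is the joining SA,
    # agents 1..10 are existing StegAgents, the rest are Ordinary Agents.
    existing_sas = set(range(1, 11))
    for p_f in (0.5, 0.75, 0.9):
        r = simulate(200, existing_sas, p_f, walks=20000, seed=7)
        print(f"p_f={p_f}: proxies={r['mean_proxies']:.2f} "
              f"(theory {expected_proxies(p_f):.2f}), "
              f"P(direct sender is origin)={r['direct_sender_is_origin']:.3f}, "
              f"P(walk reaches an SA)={r['walk_reaches_sa']:.3f} "
              f"(theory {p_walk_reaches_sa(p_f, 10 / 199):.3f})")
```

A larger p_f lowers the share of receipts that come straight from the originator (about 1 - p_f) and raises the chance that one walk is seen by an SA, at the price of more forwarding traffic per message.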
So the discovery and maintenance procedure, from the point of view of a new StegAgent that wishes to join TrustMAS, can be described in the following steps:

• Each SA (joining or already involved) uses the random walk algorithm to discover other SAs in TrustMAS. Fig. 3 presents the situation when a new SA tries to connect to existing, already interconnected StegAgents,
• Each agent (SA or OA) passes or drops the discovery stegmessage sent based on the random walk algorithm. In this way new or existing SAs are learned,
• Based on the information collected from the first two steps, steg-links are formed between the new StegAgent and found ones if their steg-capabilities match,
• Two SAs become neighbors if the steg-link exists between them. The corresponding entry is added in the new SA's neighbors table,
• Each SA periodically sends hello packets through available steg-links (Fig. 4) to check if the neighbor is still available,
• If a hello packet is received by an SA it refreshes the corresponding entry in its neighbors table. If the hello packet is not received during a set period of time the entry is removed from the neighbors table.

Figure 3. Discovery mechanism with random walk algorithm in TrustMAS for new SA

Outside the platforms connections are learned from fixed relations. Collected information helps to form routing tables.

Figure 4. Forming steg-links between StegAgents and creating neighbors table

4.2 Exchanging routing information

TrustMAS uses steganographic channels to exchange routing tables between StegAgents. These routing updates are also sent at regular intervals to finally achieve proactive hidden routing. Routing proactivity provides unlinkability of the steganographic connections and the discovery process. This procedure as well as further hidden communication is cryptographically independent.
To show how the routing information is exchanged we will continue the scenario from section 4.1, where the new SA joins TrustMAS. After the discovery phase, when the new SA's neighbors table holds up-to-date information, it receives entire routing tables from its neighboring StegAgents (Fig. 5).

Figure 5. Exchanging routing information between SAs

Then the routing information is exchanged periodically between SAs. When the new SA receives the routing tables from its neighbors it is able to learn about other distant SAs and how to reach them. Based on this information it can also form new steg-links with other SAs (Fig. 6).

Figure 6. New StegAgent learns about other SAs in TrustMAS

If one of the SAs becomes unavailable, the change is detected with the hello mechanism. Then the routing table is updated and the change is sent to all the neighbors in the neighbors table when it is time to send the (periodic) entire routing table. Each routing entry in the routing table represents the best available steg-path to a distant StegAgent with its metric. The metric is based on:

• Available capacity of the steg-links along the end-to-end steg-path,
• Introduced delays along the steg-path,
• Available steganographic methods – for security reasons some steganography methods may be preferred over others (e.g. because they are more immune to steganalysis).
The algorithm of the StegAgent hidden routing protocol (Steg-routing) can also be expressed in the following pseudo code:

Algorithm 1

    randomWalkRequest ← listenMAS()
    routingUpdateRequest ← listenNETWORK()
    hello ← listenNETWORK()
    do {
        // periodic sends, each with a random fluctuation added to its period
        if (randomWalkPeriod + random(fluctuationRW) exceeded)
            sendRandomWalk(myAddress, myCovertChannels)
        if (routingUpdatePeriod + random(fluctuationRU) exceeded)
            sendRoutingUpdate(myRoutingTable)
        if (helloPeriod + random(fluctuationH) exceeded)
            sendHello(myNeighborTable)
        // discovery: uncover a stegmessage carried by a random-walk request
        if (randomWalkRequest) {
            if (findStegMsg(randomWalkRequest)) {
                foundAddress, foundCovertChannels ← uncover(randomWalkRequest)
                if (isNewEntry(foundAddress, foundCovertChannels)) {
                    myRoutingTable ← updateMyRoutes(foundAddress, foundCovertChannels)
                    sendRoutingUpdate(myRoutingTable)
                }
            }
            forwardRandomWalk(randomWalkRequest)
        }
        // routing update received from a neighbor
        if (routingUpdateRequest and findChanges(routingUpdateRequest)) {
            myRoutingTable ← updateMyRoutes(routingUpdateRequest)
            sendRoutingUpdate(myRoutingTable)
        }
        // a hello refreshes the sender's entry in the neighbors table
        if (hello) {
            myNeighborTable ← updateNeighborLastHelloTime(hello)
        }
        // neighbors whose hello timed out are removed
        for each neighbor ← entry(myNeighborTable)
            if (helloTimeout(neighbor) exceeded) {
                myNeighborTable ← removeEntry(neighbor)
                sendRoutingUpdate(myRoutingTable)
            }
    } while (∞)

    subroutine sendRandomWalk(address, channels) {
        destination ← selectRandomAgent(myPlatform)
        sendViaMAS(destination, cover(address, channels))
    }

    subroutine forwardRandomWalk(message) {
        if (coinFlip(pf) = heads) {
            destination ← selectRandomAgent(myPlatform)
            sendViaMAS(destination, message)
        }
    }

    subroutine sendRoutingUpdate(table) {
        for each destination ← entry(myNeighborTable)
            sendViaNETWORK(destination, cover(table))
    }

4.3 Additional improvements to limit convergence time

If the steg-routing protocol operates as described in sections 4.1 and 4.2 the following scenario may occur: a new StegAgent uses the random walk algorithm and discovers two existing SAs (SA1 and SA2 - Fig. 7).

Figure 7. Scenario: new StegAgent discovers two SAs but can not communicate with them due to steg-capabilities incompatibility

Figure 8. Mechanism for improving convergence that enables other SAs to form a steg-link with new SA that shares the same steg-capabilities

Unfortunately both StegAgents, SA1 and SA2, possess steg-capabilities that are not compatible with the new StegAgent's ones. That means that it is unable to exchange either hello packets or routing tables, because the steg-links are not formed. In this case the following mechanism can be utilized to improve convergence, as shown in Fig. 8.

The main idea of this mechanism is as follows: if an existing SA is discovered by a new SA that was not yet known and their steg-capabilities are incompatible (like New SA and SA1 in Fig. 8), it sends a "form steg-link" message (marked as 1, F message in Fig. 8) to one of its neighbors that shares the same steganographic methods as the new SA (it can choose this neighbor by inspecting its routing table, where the steg-capabilities are also stored). Such a message (form steg-link) must contain the address of the new SA (SA_address) and its steg-capabilities (SA_steg_capabilities) and can be formed as:

    form steg-link SA_address SA_steg_capabilities

In Fig. 8 SA1 sends a "form steg-link" message to SA3, because it knows that SA3 possesses steg-capabilities compatible with the joining SA. When StegAgent SA3 receives this message it sends the hello packet to the new SA to form a neighbor relation and to form a steg-link.
Then the routing table is exchanged and the new SA learns about other SAs in TrustMAS.

4.4 Creating steg-links and steg-paths

The end-to-end connection between two distant StegAgents is called a steg-path. Every steg-path is created based on available steg-links. The algorithm of forming a steg-path uses metrics that are set for each steg-link. Routing metrics in TrustMAS are calculated based on the steganography methods, their capacity and introduced delays. If two hops are available, the steg-link is chosen for the path if it possesses a higher capacity value, introduces less delay and uses a more preferred steganographic method. It is also possible that on one steg-link two or more steganographic methods are available. In this case metrics are calculated for each steganographic method and the best is chosen (Fig. 9). Each SA is also responsible, if it is necessary, for converting steganographic channels according to the next hop SA's steg-capabilities. In this way a steganographic router functionality is provided.

The algorithm that each StegAgent uses to choose a steg-path can be expressed in the following pseudo code:

Algorithm 2

    if (newDataToSend) {
        paths ← findPathsMatch(myRoutingTable, destination)
        if (count(paths) > 1) {
            calcMetricsForPaths(paths, capacity, delay, steg_method)
            BPath ← chooseBestPath(paths)
            sendData(BPath)
        }
        else if (count(paths) = 1)
            sendData(paths)
        else
            noPathFound()
    }

Figure 9. Example of SAs with their available steg-links and calculated metrics

The created and maintained routing table enables a StegAgent to send data via hidden channels, where metrics are calculated based on the available steganographic methods.

Figure 10. Example of forming steg-path based on available steg-links

Fig. 10 shows how an example end-to-end steg-path is formed based on exemplary steganographic methods.
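One way to combine the periodic full-table exchange of section 4.2 with the per-link method choice and path selection of section 4.4, written as an added example that is not the authors' implementation. The paper names the metric inputs (capacity, delay, method preference) but gives no formula, so the additive cost below, the per-method figures and the five-agent topology (NEW, SA1 to SA4) are constructed assumptions; every pair of SAs with a shared method is assumed to have formed a steg-link.

```python
from itertools import combinations

# Constructed figures per method:
# (capacity in bit/s, delay in ms, preference rank where 0 = most preferred).
METHODS = {
    "image":   (200, 400, 2),
    "audio":   (500, 150, 1),
    "network": (50, 20, 1),
    "wlan":    (1000, 5, 0),
    "text":    (20, 1000, 2),
}

# Constructed steg-capabilities; NEW shares a method only with SA3.
CAPS = {
    "NEW": {"image"},
    "SA1": {"audio", "wlan"},
    "SA2": {"network", "text"},
    "SA3": {"image", "audio"},
    "SA4": {"wlan", "network", "text"},
}

def link_cost(method):
    """Assumed additive metric: delay + low-capacity penalty + preference penalty."""
    capacity, delay, preference = METHODS[method]
    return delay + 10000 // capacity + 50 * preference

def build_links(caps):
    """A steg-link exists where steg-capabilities intersect; when several
    methods are shared, the metric is computed for each and the best is kept."""
    links = {}
    for a, b in combinations(sorted(caps), 2):
        shared = caps[a] & caps[b]
        if shared:
            best = min(shared, key=lambda m: (link_cost(m), m))
            links[(a, b)] = links[(b, a)] = (best, link_cost(best))
    return links

def converge(caps):
    """Periodic distance-vector exchange with no triggered updates.

    In every round each SA sends its entire table, as it stood at the start
    of the round, to all neighbors. Returns (tables, links, rounds), where
    rounds counts the update periods in which some table still changed.
    """
    links = build_links(caps)
    # tables[sa][destination] = (cost, next_hop)
    tables = {sa: {sa: (0, sa)} for sa in caps}
    for (a, b), (_, cost) in links.items():
        tables[a][b] = (cost, b)             # neighbors known from hello packets
    rounds = 0
    while True:
        snapshot = {sa: dict(table) for sa, table in tables.items()}
        changed = False
        for (sender, receiver), (_, cost) in links.items():
            for dest, (dist, _) in snapshot[sender].items():
                known = tables[receiver].get(dest)
                if known is None or cost + dist < known[0]:
                    tables[receiver][dest] = (cost + dist, sender)
                    changed = True
        if not changed:
            return tables, links, rounds
        rounds += 1

def steg_path(tables, links, src, dst):
    """Follow next hops from src to dst; each hop lists the method used, so a
    change of method between hops is where an SA converts the covert channel."""
    if dst not in tables[src]:
        return None                          # the noPathFound() case of Algorithm 2
    hops, here = [], src
    while here != dst:
        nxt = tables[here][dst][1]
        hops.append((here, nxt, links[(here, nxt)][0]))
        here = nxt
    return hops

if __name__ == "__main__":
    tables, links, rounds = converge(CAPS)
    print("update periods until stable:", rounds)
    print("cost NEW -> SA2:", tables["NEW"]["SA2"][0])
    for hop in steg_path(tables, links, "NEW", "SA2"):
        print("  %s -> %s via %s" % hop)
```

With these figures the new SA needs three update periods to learn a route to SA2, and the resulting steg-path changes method at every hop (image, audio, wlan, network).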
As men tioned earl ier each steg-path consist of cert ain number of the steg-l inks (c onnection t o next hop SA; steg-l ink is e.g. between SA A and SA B in Fig. 10). 5. Conclusion and future work We hav e p resented concept o f a distributed stega nographic router that provid es ability to create the c overt channels between chosen agents. Paths between agents can be built w ith the use o f a ny of the steganographic methods in any netw ork lay er and be adjusted to the heterogeneous characteristics of a given netw ork. Future work will co ver perfor mance analysis of the pr oposed steganographic routing, its convergence time, a vailable range, and potential limitations. Acknowledgment This material i s ba sed upon work support ed by the Europe an Research Office of the US Army under Contract No. 8 N62558 -07-P-0042. A ny opinions, findings and conclusions or recomm endations expressed in this material are t hose of the authors and do not necessarily reflect the views o f the European Research Office of the US Army . References [1] K. Aberer, L. O. A lima, A. Ghodsi, S. G irdzija uskas, M. H ausw irth, S. Hari di: The e ssence of P 2P: A reference architecture for o verlay networks. In: 5 th IEEE In ternational Conference on Peer-to-Peer Computin g, 200 5. [2] K. Aberer, Z. Despo tovic. M anaging trust in a peer -2- peer information syst em. In CIK M ’01: Pr oceedings of the tenth i nternational co nference o n Information and know ledge managemen t, pa ges 310–3 17. ACM Press, 2001. Atlanta, Georgia, USA. [3] K. Ahsan, D. K undur: P ractical D ata Hiding in T CP/IP. In pro ceedings of: ACM Workshop on Multimedia a nd Security. 2002 [4] J. Alg esheimer, C. Cac hin, J . Cam enisch, G . Karjoth: Cryptographic security for m obile code. Secu rity and Privacy, 20 01. S&P 2 001. P roceedi ngs. 2001 IEEE Sym posium, pp. 2-11, 14 -16 May 2001. [5] M. Blaze, J. Fe igenbaum , J . Lacy: Decentralized trust managem ent. 
Authors' Biographies

Krzysztof Szczypiorski received M.Sc. (1997) and Ph.D. (2007) in telecommunications both with honors from Faculty of Electronics and Information Technology, Warsaw University of Technology (WUT, Poland); assistant professor at WUT; main research interests: network security and steganography, wireless networks, privacy in virtual society; author of over 40 scientific papers and over 30 invited talks on information security, telecommunications and electronic commerce; leader of Network Security Group (secgroup.pl).

Igor Margasiński is a research assistant at Institute of Telecommunications, Faculty of Electronics and Information Technology, Warsaw University of Technology. Received B.Sc. (2002) and M.Sc. (2003) in telecommunications at WUT; research interests: network security, privacy enhancing technologies, anonymous networks – in particular peer-to-peer overlays and mobile agent systems, anonymity modeling and metrics, and traffic performance modeling for anonymous systems.

Wojciech Mazurczyk received the B.Sc. (2003) and M.Sc. (2004) in telecommunication both from Faculty of Electronics and Information, WUT; research assistant at WUT; he is now pursuing a PhD degree in network security; main research interests: information hiding techniques, network security and multimedia services; member of Network Security Group (secgroup.pl).
