CN101115062A - Distributed intelligent proxy system, login center and login, message routing method - Google Patents


Publication number
CN101115062A
Authority
CN
China
Prior art keywords
intelligent agent
acting server
message
information
agent
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA2007101206707A
Other languages
Chinese (zh)
Other versions
CN101115062B (en
Inventor
常恒
王靓伟
李彦
毛新军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN2007101206707A priority Critical patent/CN101115062B/en
Publication of CN101115062A publication Critical patent/CN101115062A/en
Application granted granted Critical
Publication of CN101115062B publication Critical patent/CN101115062B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Abstract

An embodiment of the invention discloses a distributed intelligent agent system, a registration center, and registration and message routing methods. The system comprises one or more intelligent agents; one or more interconnected proxy servers that control the message interaction between the intelligent agents, perform message routing and transport protocol conversion, and provide access registration for the intelligent agents; and a registration center that provides a registration function for the intelligent agents and stores the information of every registered intelligent agent and of the proxy servers. The invention exercises unified control over the communication of the intelligent agents: through the agent registration mechanism, the system performs address resolution on agent messages, completes the routing, and provides security assurance during message routing. Compared with traditional multi-agent systems, the system is more controllable, message routing is more reliable and secure, and the operations an agent needs to perform during communication are simpler.

Description

Distributed intelligent agent system, registration center, and registration and message routing methods
Technical field
The present invention relates to agent systems, registration centers, and registration and message routing methods, and in particular to a distributed intelligent agent system, a registration center, and registration and message routing methods for intelligent agents.
Background technology
An intelligent agent (Agent) is a relatively new concept in fields such as artificial intelligence and software engineering. It refers to a behavioral entity that resides in a particular environment, can operate autonomously, and has characteristics such as pro-activity, reactivity and social ability. Autonomy (Autonomous) means that an Agent has its own computational resources and a behavior control mechanism local to itself, and can keep working without intervention from other Agents or humans. Pro-activity means that an Agent can take the initiative to act according to its purpose; it is a goal-driven behavioral entity that can, in some cases, generate goals on its own initiative. Reactivity means that an Agent can perceive its environment (the physical world, users, or other relevant Agents) and react appropriately to relevant events in that environment. Social ability means that when an Agent is in an environment made up of multiple Agents, its behavior must follow the rules of the Agent community, and it can use the information and knowledge of other Agents, interacting and cooperating with them through some high-level communication language.
Interaction between Agents is built on speech act (Speech Act) theory. Speech act theory distinguishes the purposes of spoken communication mainly through performative terms, that is, verbs such as ask, agree or reply. By capturing such terms to identify the semantic meaning of an Agent's communicative act, an Agent can, to some extent, understand the semantics of a communicative act sent by another Agent and respond accordingly.
ACL (Agent Communication Language) is the Agent communication language, based on a message mechanism derived from speech act theory, drawn up by the intelligent agent standards organization FIPA (Foundation for Intelligent Physical Agents). ACL defines more than 20 performative verbs and gives each a precise meaning.
An ACL transport message consists of two parts: the payload and the envelope. The payload is the agent message content written in ACL, and the envelope carries the information used for message routing. The envelope is made up of a series of parameters expressed as key-value pairs, including: the sending agent (from), which is the sender of the ACL message; the target agent (to), which is the receiver of the ACL message; and the intermediate receivers (intended-receiver): if the message is not transferred directly from the sending agent to the receiving agent but must pass through one or more intermediate agents, the intermediate agents that the ACL message must pass through are listed in order in intended-receiver. The envelope also includes parameters such as the transport behaviour (transport-behaviour), the payload length (payload-length) and the date (date).
The prior art has proposed an architecture for a multi-agent system, shown in Fig. 1. The AFPC (Agent Function Publication Center) is the Agent function publication center. When an Agent wants to publish its functions in the multi-agent system, it first registers with the AFPC. After identity confirmation, the AFPC issues the Agent an IETF (Internet Engineering Task Force) SPKI (Simple Public Key Infrastructure) certificate and stores its functional description in the AFPC database. The information stored for each Agent in the AFPC database is called an "advertisement". An advertisement contains a simple description of the Agent, its name, address, functions and related restrictions. When the AFPC receives a query from another user or Agent, it searches the advertisement database for a registered Agent that satisfies the query. The AFPC itself can also be designed as an Agent. The CKDB (Certification Key Database) is a database that uses LDAP (Lightweight Directory Access Protocol) and is mainly used to provide fast certificate lookup. All certificates issued by the AFPC and their associated public keys are stored in the CKDB so that other users and Agents can query them. The CKDB is not a mandatory service, because an SPKI certificate or certificate chain can be carried by the Agent itself, and the public key information is stored in the certificate. Its existence, however, provides a record for later auditing and verification queries.
In this security system, the AFPC relies on a PKI (Public Key Infrastructure) security mechanism to guarantee the correctness of each agent's "advertisement" held by the publication center. An Agent queries the advertisements in the AFPC to obtain information about the Agent it wants to communicate with, and then uses that information, for example the target agent's name and address, to communicate with the target agent. This security system mainly guarantees the authenticity of the agent advertisements in the AFPC and the security of retrieving them. The system does not take part in the ACL message communication between agents; communication is carried out entirely end to end, and the reliability and security assurance of agent message communication are low. The system therefore cannot intervene in or control communication between agents, and cannot provide security assurance for agent message communication at the system level.
Summary of the invention
The purpose of the embodiments of the invention is to provide a distributed intelligent agent system and registration and message routing methods for agent units, so as to achieve unified management and control of intelligent agents.
To achieve this purpose, an embodiment of the invention provides a distributed intelligent agent system, comprising:
One or more interconnected proxy servers, used to control the message interaction between intelligent agents, perform message routing and transport protocol conversion, and provide access registration for intelligent agents;
A registration center, used to provide a registration function for intelligent agents and to store the information of each registered intelligent agent and the information of the proxy server that each registered intelligent agent accesses, where the information of each registered intelligent agent includes at least name and address information.
An embodiment of the invention also provides a registration center for intelligent agents, comprising:
A registration control module, used to extract the registration information from a registration request message and determine whether the intelligent agent may be registered;
A registration database, used to store the information of each registered intelligent agent and the information of the proxy server that each registered intelligent agent accesses, where the information of each registered intelligent agent includes at least name and address information;
A proxy database, used to store the information of all proxy servers, where the information of a proxy server includes at least its name, address information, supported underlying transport protocols and agent access policy;
An interface module, used to receive registration request messages and/or resolution request messages, and to send registration response messages and/or resolution response messages.
An embodiment of the invention also provides a registration method for intelligent agents, comprising:
After the registration center receives the registration request message forwarded by a proxy server, it extracts from the registration request message the name and address information of the intelligent agent being registered and the name of the proxy server that this intelligent agent accesses, and saves them in the registration database;
An embodiment of the invention also provides a registration method for intelligent agents, comprising:
After the registration center receives the registration request message forwarded by the proxy server, it generates first authorization information, computes a digest value of this authorization information, generates a digital signature with the registration center's private key, and adds the digital signature to the first authorization information; it then includes the first authorization information in a not-authenticated response message and returns it to the proxy server;
After the registering intelligent agent receives the not-authenticated response message forwarded by the proxy server, it computes the digest value of the first authorization information and, at the same time, uses the registration center's public key to resolve the digital signature and obtain the signed digest value. It compares the two values; if they are identical, it generates second authorization information, generates a digital signature with the registering intelligent agent's private key, adds this digital signature to the second authorization information, and then includes the second authorization information in a new registration request message that it sends to the proxy server;
After the registration center receives the new registration request message forwarded by the proxy server, it computes the digest value of the second authorization information and, at the same time, uses the registering intelligent agent's public key to resolve the digital signature and obtain the signed digest value. It compares the two values; if they are identical, it extracts the name and address information of the intelligent agent being registered and the name of the access proxy server of that intelligent agent, and saves them in the database.
An embodiment of the invention also provides a registration method for intelligent agents, comprising:
After the registration center receives a registration request message, it generates first authorization information, computes a digest value of this authorization information, generates a digital signature with the registration center's private key, and adds the digital signature to the first authorization information; it then includes the first authorization information in a not-authenticated response message and returns it to the proxy server;
After the registration center receives the new registration request message, it computes the digest value of the second authorization information excluding the digital signature part and, at the same time, uses the registering intelligent agent's public key to resolve the digital signature and obtain the signed digest value. It compares the two values; if they are identical, it performs the registration operation: it extracts the name and address information of the intelligent agent being registered and the name of the access proxy server of that intelligent agent, saves them in the database, and then returns a registration-success response message to the proxy server.
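The two-way verification described in the registration methods above, as an added example that is not code from the patent: each side signs the digest of its authorization information, and the other side compares the digest recovered with the public key against the digest it computes itself. Assumptions: unpadded RSA over toy keys built from Mersenne primes stands in for the unnamed signature algorithm (a deployment would use a vetted library and real keys), the authorization information is a random nonce, the second value embeds the first, and all function names are hypothetical.

```python
import hashlib
import secrets

def toy_keypair(p, q, e=65537):
    """Unpadded-RSA key pair from two primes (toy parameters, illustration only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent
    return (n, e), (n, d)               # (public key, private key)

# Constructed demo keys from well-known Mersenne primes: trivially factorable,
# so they illustrate the message flow and nothing else.
CENTER_PUB, CENTER_PRIV = toy_keypair(2**521 - 1, 2**607 - 1)
AGENT_PUB, AGENT_PRIV = toy_keypair(2**127 - 1, 2**1279 - 1)

def digest(info: bytes) -> int:
    """Digest value of the authorization information."""
    return int.from_bytes(hashlib.sha256(info).digest(), "big")

def sign(info: bytes, private_key) -> int:
    n, d = private_key
    return pow(digest(info), d, n)

def verify(info: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    # Digest recovered from the signature must equal the recomputed digest.
    return pow(signature, e, n) == digest(info)

def center_challenge():
    """Registration center: first authorization information plus its signature,
    as carried in the not-authenticated response."""
    info = secrets.token_bytes(16)      # assumption: a fresh random nonce
    return {"info": info, "signature": sign(info, CENTER_PRIV)}

def agent_answer(challenge):
    """Registering agent: verify the center, then build the second
    authorization information for the new registration request."""
    if not verify(challenge["info"], challenge["signature"], CENTER_PUB):
        return None                     # center not verified: stop registering
    # Assumption: the answer embeds the center's nonce so it cannot be replayed.
    info = challenge["info"] + secrets.token_bytes(16)
    return {"info": info, "signature": sign(info, AGENT_PRIV)}

def center_accepts(challenge, answer, agent_public_key=AGENT_PUB):
    """Registration center: verify the agent before saving the registration."""
    if answer is None:
        return False
    fresh = answer["info"].startswith(challenge["info"])
    return fresh and verify(answer["info"], answer["signature"], agent_public_key)
```
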
An embodiment of the invention also provides a message routing method for intelligent agents, comprising:
A first access proxy server receives a message sent by a first intelligent agent, the message being an interaction message between the first intelligent agent and a second intelligent agent;
The first access proxy server determines the address information of the second access proxy server to which the second intelligent agent belongs, and sends the message to the second access proxy server according to that address information.
An embodiment of the invention also provides a message routing method for intelligent agents, comprising:
After the registration center receives the resolution request message sent by the first proxy server, it uses the information of the second intelligent agent carried in the resolution request message to look up the information of the second proxy server corresponding to the second intelligent agent; if the information of the second proxy server is found, it writes that information into a resolution-success response message and returns it to the first proxy server.
An embodiment of the invention also provides a message routing method for intelligent agents, comprising:
A first access proxy server receives a message sent by a first intelligent agent, the message being an interaction message between the first intelligent agent and a second intelligent agent;
The first proxy server sends to the registration center a resolution request message for resolving the second proxy server that the second intelligent agent accesses;
After the registration center receives the resolution request message sent by the first proxy server, it uses the information of the second intelligent agent carried in the resolution request message to look up the information of the second proxy server corresponding to the second intelligent agent; if the information of the second proxy server is found, it writes that information into a resolution-success response message and returns it to the first proxy server;
After receiving the resolution-success response message, the first proxy server sends the interaction message to the second proxy server according to the information of the second proxy server contained in the response message.
As the above technical solutions show, the embodiments of the invention have the following beneficial effects:
The intelligent agent system of the embodiments exercises unified control over the communication of intelligent agents. Through the agent registration mechanism, a registered agent only needs to know the name of the target agent, not its communication address, and simply sends the agent message to the distributed intelligent agent system; the system performs address resolution on the agent message, completes the routing, delivers the message to the target agent, and provides security assurance during message routing. Compared with traditional multi-agent systems, this system is more controllable, message routing is more reliable and secure, and the operations the agent itself has to perform during communication are simpler.
The technical solutions of the invention are described in further detail below with reference to the drawings and embodiments.
Description of drawings
Fig. 1 is a structural diagram of the prior-art multi-agent system;
Fig. 2 is a structural diagram of an embodiment of the distributed intelligent agent system of the invention;
Fig. 3 is a first structural diagram of the registration center of the distributed intelligent agent system of an embodiment of the invention;
Fig. 4 is a second structural diagram of the registration center of the distributed intelligent agent system of an embodiment of the invention;
Fig. 5 is a signaling flow chart of an embodiment of the intelligent agent registration method of the invention;
Fig. 6 is a signaling flow chart of an embodiment of the intelligent agent message routing method of the invention;
Fig. 7 is a signaling flow chart of an embodiment of the intelligent agent registration method of the invention with a security authentication mechanism.
Embodiment
Referring to Fig. 2, which is a structural diagram of the distributed intelligent agent system of an embodiment of the invention, the system comprises:
One or more intelligent agents (Agent) 3;
One or more interconnected proxy servers (Proxy) 2, connected to the intelligent agents, used to control the message interaction between intelligent agents, perform message routing and transport protocol conversion, and provide access registration for intelligent agents;
A registration center (Register Center) 1, connected to the proxy servers, used to provide a registration function for intelligent agents and to store the information of each registered intelligent agent and the information of the proxy server that each registered intelligent agent accesses, where the information of each registered intelligent agent includes at least name and address information.
An Agent is an intelligent agent that uses the agent communication language ACL for message interaction and can run independently and flexibly to realize specific functions. The proxy server (Proxy) provides control, security protection, message routing, transport protocol conversion and similar functions for the message interaction between intelligent agents. The registration center (Register Center) provides a dynamic registration function for intelligent agents and stores the name and address of each registered intelligent agent and its corresponding access Proxy. This information is made available for query by functional entities such as Proxies. The Register Center can also perform bidirectional verification during intelligent agent registration: it authenticates the intelligent agents that access the distributed intelligent agent system and, at the same time, lets the intelligent agent verify the Register Center.
The registration center can adopt the structure shown in Fig. 3, comprising:
A registration control module (Register Function) 11, which extracts the registration information from a registration request message and determines whether the intelligent agent may be registered (for example, it judges whether the address of the intelligent agent is an illegal address and, if so, does not allow registration), and which processes resolution request messages. A resolution request is a request message sent during intelligent agent messaging by the intelligent agent on the sending side of a message, used to obtain the address information of the intelligent agent on the receiving side of the message.
A registration database (Register Database) 12, connected to the registration control module, used to store the information of each registered intelligent agent and the information of the proxy server that each registered intelligent agent accesses, where the information of each registered intelligent agent includes at least name and address information;
A proxy database (Proxy Database) 13, connected to the registration control module, used to store the information of all proxy servers, where the information of a proxy server can include its name, address information, supported underlying transport protocols, agent access policy and so on;
An interface module (Interface Function) 14, connected to the registration control module, used to receive registration request messages and/or resolution request messages, and to send registration response messages and/or resolution response messages. The Interface Function mainly handles the Register Center's external ACL message interaction.
As shown in Fig. 4, the registration center can further comprise:
An authentication module (Authentication Function) 15, connected to the registration control module, used to perform authentication and verification operations: it generates the authorization information of the distributed intelligent agent system (Sau, System authorization) and provides Sau to the intelligent agent, and it parses the authorization information of the intelligent agent (Aau, Agent authorization) and verifies the identity of the intelligent agent;
A key generation module (Key Generation Function) 16, connected to the registration control module, used to allocate to an intelligent agent and the proxy server it accesses the shared keys used to establish a secure transport connection between the two, comprising an integrity key (IK, Integrity Key) and an encryption key (CK, Cipher Key).
In the distributed intelligent agent system of the embodiments, message passing can use ACL. An ACL transport message has two parts: the payload is the actual content of the message, and the envelope is the message routing information. To implement system functions such as registration, address resolution and authentication, the embodiments extend the envelope part of the ACL message: ACL messages used in these procedures carry extension information in the envelope that distinguishes them from ordinary ACL messages, and intelligent agents and the functional entities process them according to that extension information, thereby realizing system functions such as registration, address resolution and authentication. The extension information can be carried in newly added envelope fields or in fields that are already defined. Because the transport behaviour (transport-behaviour) of the current envelope has no defined concrete purpose, in the embodiments the extension information for these system functions is placed in transport-behaviour. In addition, the envelope part can be represented in XML.
Registration (register): the register element in transport-behaviour indicates that this message is a registration request message. id is the identification number of the registration request, agent-identifier contains the name and URL address of the agent being registered, and access-proxy contains the name and address of the access proxy of the agent being registered.
This data structure can be represented in the following XML form:
<transport-behaviour>
  <register>
    <id></id>
    <agent-identifier>
      <name></name>
      <addresses></addresses>
    </agent-identifier>
    <access-proxy>
      <name></name>
      <addresses></addresses>
    </access-proxy>
  </register>
</transport-behaviour>
Registration response (register-result): the register-result element in transport-behaviour indicates that this message is a registration response message. id is the identification number of the registration request, agent-identifier contains the name and URL address of the agent being registered, access-proxy contains the name and address of the access proxy of the agent being registered, and result gives the result of the registration request.
This data structure can be represented in the following XML form:
<transport-behaviour>
  <register-result>
    <id></id>
    <agent-identifier>
      <name></name>
      <addresses></addresses>
    </agent-identifier>
    <access-proxy>
      <name></name>
      <addresses></addresses>
    </access-proxy>
    <result></result>
  </register-result>
</transport-behaviour>
Resolve (resolve): the resolve element in transport-behaviour indicates that this message is a resolution request message. id is the identification number of the resolution request, and agent-identifier contains the name of the agent being resolved.
This data structure can be represented in the following XML form:
<transport-behaviour>
  <resolve>
    <id></id>
    <agent-identifier>
      <name></name>
    </agent-identifier>
  </resolve>
</transport-behaviour>
Resolution response (resolve-result): the resolve-result element in transport-behaviour indicates that this message is a resolution response message. id is the identification number of the resolution request, agent-identifier contains the name and URL address of the agent being resolved, access-proxy contains the name and address of the access proxy of the agent being resolved, and result gives the result of the resolution request.
This data structure can be represented in the following XML form:
<transport-behaviour>
  <resolve-result>
    <id></id>
    <agent-identifier>
      <name></name>
    </agent-identifier>
    <access-proxy>
      <name></name>
      <addresses></addresses>
    </access-proxy>
    <result></result>
  </resolve-result>
</transport-behaviour>
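The resolve / resolve-result exchange defined above, as an added example that is not code from the patent: a first proxy builds the resolve request, an in-memory registration center looks up the target agent's access proxy, and the first proxy extracts the next hop. Assumptions: the class and function names, the example.org names and URLs (constructed), the "success" and failure strings used for result, and the url child inside addresses are all hypothetical choices.

```python
import xml.etree.ElementTree as ET

class RegistrationCenter:
    def __init__(self):
        self.proxy_db = {}      # proxy name -> proxy URL (Proxy Database)
        self.register_db = {}   # agent name -> (agent URL, access proxy name)

    def register(self, agent, agent_url, proxy):
        self.register_db[agent] = (agent_url, proxy)

    def resolve(self, request_xml):
        """Answer a resolve request with a resolve-result message."""
        req = ET.fromstring(request_xml).find("resolve")
        if req is None:
            raise ValueError("not a resolve request")
        agent = (req.findtext("agent-identifier/name") or "").strip()
        tb = ET.Element("transport-behaviour")
        res = ET.SubElement(tb, "resolve-result")
        ET.SubElement(res, "id").text = req.findtext("id")
        ident = ET.SubElement(res, "agent-identifier")
        ET.SubElement(ident, "name").text = agent
        record = self.register_db.get(agent)
        proxy_url = self.proxy_db.get(record[1]) if record else None
        if proxy_url is None:
            # Unregistered agent, or its access proxy is unknown to the center.
            result = "failure: no access proxy found"
        else:
            ap = ET.SubElement(res, "access-proxy")
            ET.SubElement(ap, "name").text = record[1]
            ET.SubElement(ET.SubElement(ap, "addresses"), "url").text = proxy_url
            result = "success"
        ET.SubElement(res, "result").text = result
        return ET.tostring(tb, encoding="unicode")

def build_resolve(request_id, target_agent):
    """First proxy: resolve request for the receiver named in the envelope."""
    tb = ET.Element("transport-behaviour")
    req = ET.SubElement(tb, "resolve")
    ET.SubElement(req, "id").text = request_id
    ident = ET.SubElement(req, "agent-identifier")
    ET.SubElement(ident, "name").text = target_agent
    return ET.tostring(tb, encoding="unicode")

def next_hop(response_xml, request_id):
    """First proxy: URL of the second proxy, or None if resolution failed."""
    res = ET.fromstring(response_xml).find("resolve-result")
    if res is None or res.findtext("id") != request_id:
        raise ValueError("response does not match the pending resolve request")
    if res.findtext("result") != "success":
        return None             # do not forward: the target is not reachable
    return res.findtext("access-proxy/addresses/url")

def demo_center():
    """Constructed sample data."""
    center = RegistrationCenter()
    center.proxy_db["proxy2@example.org"] = "http://proxy2.example.org/proxy"
    center.register("bob@example.org", "http://bob.example.org/agent",
                    "proxy2@example.org")
    return center
```
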
Security (security): the security element in transport-behaviour contains the security-related information of the registration process. system-authentication is the authentication of the distributed intelligent agent system, agent-authentication is the authentication of the intelligent agent, ik and ck are the integrity key and the encryption key, and integrity-protected indicates whether integrity protection is provided.
This data structure can be represented in the following XML form:
<security>
  <system-authentication></system-authentication>
  <agent-authentication></agent-authentication>
  <ik></ik>
  <ck></ck>
  <integrity-protected></integrity-protected>
</security>
The intelligent agents (Agents) in the distributed intelligent agent system of the embodiments cannot interact with each other directly; each must first connect to the system through an access Proxy. Which access Proxy an Agent connects to depends on the Agent's physical location and on the transport protocol its ACL messages use. It may be preconfigured, or selected according to some policy when the connection is first made. After connecting to its access Proxy, an Agent must first register so that it can exchange messages normally and be discovered by other intelligent agents.
Referring to Fig. 5, which is a signaling flow chart of an embodiment of the intelligent agent registration method of the invention, the method comprises the following steps:
Step A1: the registering intelligent agent sends a registration (Register) request message to the proxy server it is connected to.
Specifically: the registering intelligent agent (Agent) sends a Register request message to the access Proxy it is connected to. The to part of the request message holds the name of the Register Center. The to part may also be left empty, in which case the access Proxy selects a Register Center for the agent being registered. The from part of the request message holds the agent name of the Agent. Because a Register message must first be sent to the access Proxy, and the Agent knows the information of its access Proxy, the name and address of the access Proxy are placed in the intended-receiver part. The register element in the transport-behaviour part indicates that this ACL message is an agent registration request message. The name and address of the agent being registered are placed in the agent-identifier inside register, and an identifier that uniquely identifies this Register request is set as the value of the id element. When an Agent registers itself, the agent in the register part is the same as the agent in the from part: both are the Agent itself. If an Agent is already registered, it can also register an unregistered third-party agent; in that case the agent in the register part differs from the agent in the from part, and the access Proxy of the agent being registered is also set in register. The payload part of a Register message has no content, so payload-length is set to 0. This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
  <to>
    <agent-identifier>
      <name>RegisterCenter@huawei.com</name>
    </agent-identifier>
  </to>
  <from>
    <agent-identifier>
      <name>palmer@huawei.com</name>
    </agent-identifier>
  </from>
  <intended-receiver>
    <agent-identifier>
      <name>proxyl@huawei.com</name>
      <addresses>
        <url>http://proxyl.huawei.com/proxyl</url>
      </addresses>
    </agent-identifier>
  </intended-receiver>
  <transport-behaviour>
    <register>
      <id>registerID</id>
      <agent-identifier>
        <name>palmer@huawei.com</name>
        <addresses>
          <url>http://palmer.huawei.com/test</url>
        </addresses>
      </agent-identifier>
    </register>
  </transport-behaviour>
  <payload-length>0</payload-length>
</envelope>
Step A2: after receiving the registration request message, the proxy server sends it to the registration center.
Specifically: the access Proxy receives the Register message and learns from the register element in transport-behaviour that it is a registration request message. The access Proxy stores the information of the Register Center, including its URL address. According to the applicable policy and the agent being registered, the access Proxy first checks whether the to part is empty and whether the Register Center named there is valid (for example, the Register Center address may be an invalid address). If the to part is empty or the Register Center is invalid, the access Proxy selects a valid Register Center for the agent being registered and sets the name and address of that Register Center in the to part. If the Register Center in the to part is valid, the access Proxy looks up the URL address of the Register Center and sets it in the address of the to part. If register does not contain access-proxy, the access Proxy can also add the access-proxy element to register and set it to its own agent name. The access Proxy then deletes its own agent-identifier from intended-receiver and forwards the Register request message to the Register Center. This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>RegisterCenter@huawei.com</name>
<addresses>
<url>http://registercenter.huawei.com/register</url>
</addresses>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>palmer@huawei.com</name>
</agent-identifier>
</from>
<transport-behaviour>
<register>
<id>registerID</id>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
<access-proxy>
<name>proxyl@huawei.com</name>
</access-proxy>
</register>
</transport-behaviour>
<payload-length>0</payload-length>
</envelope>
Step A3: after receiving the registration request message, the registration center extracts from it the name and address information of the intelligent agent being registered and the name of the proxy server through which that intelligent agent accesses the system, saves them in the registration database, and then returns a registration-success response message to the proxy server.
Specifically: the Register Center receives the Register message and learns from the register element of transport-behaviour that it is a registration message. It then obtains the agent name and address of the agent being registered from agent-identifier and the name of the access Proxy from access-proxy, and saves this information as one record in the registration database (Register Database), which completes the registration. It then sends a response message to notify the Agent that registration succeeded. In the response message, the name of the Register Center is placed in the from part and the name of the Agent in the to part. The transport-behaviour of the Register response message contains a register-result element, which copies the content of register from the original Register message and adds a result element whose value is set to success to indicate that registration succeeded. If registration fails for some reason, the result value is set to the corresponding failure cause to indicate that registration did not succeed. The payload part of the response message also has no content, so payload-length can be set to 0. The Register Center then places the sender of the Register message, that is, the name and address of the access Proxy, in the intended-receiver part and sends the response message to the Agent's access Proxy. This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>palmer@huawei.com</name>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>RegisterCenter@huawei.com</name>
</agent-identifier>
</from>
<intended-receiver>
<agent-identifier>
<name>proxyl@huawei.com</name>
<addresses>
<url>http://proxyl.huawei.com/proxyl</url>
</addresses>
</agent-identifier>
</intended-receiver>
<transport-behaviour>
<register-result>
<id>registerID</id>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
<access-proxy>
<name>proxyl@huawei.com</name>
</access-proxy>
<result>success</result>
</register-result>
</transport-behaviour>
<payload-length>0</payload-length>
</envelope>
Step A4: after receiving the response message, the proxy server returns it to the intelligent agent that requested registration.
Specifically: the access Proxy receives the Register response message and learns from the register-result element in transport-behaviour that it is a Register response message. The access Proxy checks register-result; if it finds that result is success and that access-proxy is itself, it obtains the agent name and address of the registered agent from agent-identifier and saves this information as one record in its proxy database, the Agents Database. The access Proxy places the sender of the original Register message, that is, the address of the Agent, in the address of the to part. It then deletes its own agent-identifier from intended-receiver and forwards the Register response message to the Agent. From the register-result information in the response message, the Agent knows that agent registration completed successfully. This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>RegisterCenter@huawei.com</name>
</agent-identifier>
</from>
<transport-behaviour>
<register-result>
<id>registerID</id>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
<access-proxy>
<name>proxyl@huawei.com</name>
</access-proxy>
<result>success</result>
</register-result>
</transport-behaviour>
<payload-length>0</payload-length>
</envelope>
To give the system unified control over the information exchanged between intelligent agents, agents in the distributed intelligent proxy system cannot exchange messages with each other directly. An ACL message is first sent to the access Proxy; the functional entities of the system resolve the address of the message, route and forward it, and finally deliver it to the intelligent agent that is to receive the ACL message. Fig. 6 is the signaling flow chart of an embodiment of the message routing method for intelligent agents of the present invention, which comprises the following steps:
Step B1: the first intelligent agent sends its interaction message for the second intelligent agent to the first proxy server, which is the proxy server that the first intelligent agent accesses.
Specifically: the first intelligent agent sends the ACL message to the first proxy server to which it is connected. The to part holds the name of the second intelligent agent, the receiver of the message, and the from part holds the name of the first intelligent agent. Because the ACL message must first be sent to the access proxy server, and the first intelligent agent knows the information of the first proxy server it accesses, the name and address of that first proxy server are placed in the intended-receiver part. The payload part carries the actual content of the ACL message. This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>B@huawei.com</name>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>A@huawei.com</name>
</agent-identifier>
</from>
<intended-receiver>
<agent-identifier>
<name>proxyl@huawei.com</name>
<addresses>
<url>http://proxyl.huawei.com/proxyl</url>
</addresses>
</agent-identifier>
</intended-receiver>
</envelope>
<payload>
……
</payload>
Step B2: the first proxy server judges whether the second intelligent agent accesses the same proxy server as the first intelligent agent. If so, it forwards the interaction message directly to the second intelligent agent and the procedure ends; otherwise, step B3 is executed.
Specifically: the first proxy server receives the ACL message sent by the first intelligent agent, finds no transport-behaviour information in the envelope, and therefore routes it as an ordinary ACL message. The first proxy server first queries the Agents Database to check whether the sending agent in the from part, the first intelligent agent, is registered. If the first intelligent agent is not registered, the first proxy server gives up routing the message and notifies the first intelligent agent that the message cannot be forwarded because it is unregistered. If the first intelligent agent is registered, the first proxy server tries to resolve the to part of the message, that is, to obtain the information of the second proxy server, the one that the second intelligent agent accesses. The first proxy server first queries the Agents Database; if it finds that the second intelligent agent also uses it as its access Proxy, it adds the URL of the second intelligent agent to the address of the to part and sends the ACL message directly to the second intelligent agent. Otherwise, the first proxy server checks whether the Routing Cache holds the information of the second proxy server accessed by the second intelligent agent. If that is not found either, step B3 is executed: a query request is sent to the Register Center to resolve the information of the second proxy server accessed by the second intelligent agent.
Step B3: the first proxy server sends the registration center a resolve request message for resolving the second proxy server accessed by the second intelligent agent.
Specifically: the first proxy server sends a resolve (Resolve) request message to the Register Center. The to part holds the agent-identifier of the Register Center, and the from part holds the agent-identifier of the first proxy server. The resolve element in the transport-behaviour part indicates that this ACL message is a resolve request message. The name of the agent to be resolved, the second intelligent agent, is placed in the agent-identifier inside resolve, and an identifier that uniquely identifies this Resolve request is set as the value of the id element. The payload part of the Resolve message has no content, so payload-length is set to 0.
This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>RegisterCenter@huawei.com</name>
<addresses>
<url>http://registercenter.huawei.com/register</url>
</addresses>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>proxyl@huawei.com</name>
<addresses>
<url>http://proxyl.huawei.com/proxyl</url>
</addresses>
</agent-identifier>
</from>
<transport-behaviour>
<resolve>
<id>resolveID</id>
<agent-identifier>
<name>B@huawei.com</name>
</agent-identifier>
</resolve>
</transport-behaviour>
<payload-length>0</payload-length>
</envelope>
Step B4: after receiving the resolve request message, the registration center queries the information of the second proxy server according to the information of the second intelligent agent carried in the resolve request message. If the query finds nothing, it returns a resolve-failure response message to the first proxy server and the procedure ends. If it finds the information of the second proxy server, it writes that information into a resolve-success response message and returns it to the first proxy server, and step B5 is then executed. The information of the second proxy server comprises at least the name and address information of the second proxy server.
Specifically: the Register Center receives the Resolve message, learns from the resolve element of transport-behaviour that it is a resolve request message, and obtains the name of the second intelligent agent to be resolved from agent-identifier. The Register Center queries the Register Database for the information of the access Proxy of the second intelligent agent; if the query finds nothing, for example because the second intelligent agent is not yet registered, resolution fails. The Register Center then constructs the Resolve response message. Its transport-behaviour contains a resolve-result element, which copies the content of resolve from the original Resolve message. If resolution succeeds, an access-proxy element is added with its value set to the agent-identifier of the access Proxy of the second intelligent agent, and a result element is added with its value set to success to indicate that resolution succeeded. The Register Center can also query the Register Database to resolve the URL address of the second intelligent agent and place it in the agent-identifier inside resolve-result, in which case the second proxy server does not need to resolve the address of the second intelligent agent again. If resolution does not succeed, only the result value is set, to the corresponding failure cause, to indicate that resolution did not succeed. The payload part of the response message also has no content, so payload-length is set to 0. In the response message, the agent-identifier of the Register Center is placed in the from part and the agent-identifier of the first proxy server in the to part; the Register Center then sends the Resolve response message back to the first proxy server.
This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>proxyl@huawei.com</name>
<addresses>
<url>http://proxyl.huawei.com/proxyl</url>
</addresses>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>RegisterCenter@huawei.com</name>
<addresses>
<url>http://registercenter.huawei.com/register</url>
</addresses>
</agent-identifier>
</from>
<transport-behaviour>
<resolve-result>
<id>resolveID</id>
<agent-identifier>
<name>B@huawei.com</name>
</agent-identifier>
<access-proxy>
<name>proxy2@huawei.com</name>
<addresses>
<url>http://proxyl.huawei.com/proxyl</url>
</addresses>
</access-proxy>
<result>success</result>
</resolve-result>
</transport-behaviour>
<payload-length>0</payload-length>
</envelope>
Step B5: after receiving the resolve-success response message, the first proxy server sends the interaction message to the second proxy server according to the information of the second proxy server contained in that response message.
Specifically: the first proxy server deletes its own agent-identifier from intended-receiver, sets the name and address of the second proxy server in intended-receiver, and then forwards the ACL message to the second proxy server.
This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>B@huawei.com</name>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>A@huawei.com</name>
</agent-identifier>
</from>
<intended-receiver>
<agent-identifier>
<name>proxy2@huawei.com</name>
<addresses>
<url>http://proxy2.huawei.com/proxyl</url>
</addresses>
</agent-identifier>
</intended-receiver>
</envelope>
<payload>
……
</payload>
Step B6: after receiving the interaction message, the second proxy server sends it to the second intelligent agent.
Specifically: the second proxy server receives the ACL message sent by the first proxy server and routes it as an ordinary ACL message. If the to part does not contain a URL address, the second proxy server queries the Agents Database to resolve the URL address of the second intelligent agent and adds it to the address of the to part. The second proxy server deletes its own agent-identifier from intended-receiver and then forwards the ACL message to its final receiver, the second intelligent agent. This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>B@huawei.com</name>
<addresses>
<url>http://b.huawei.com/test</url>
</addresses>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>A@huawei.com</name>
</agent-identifier>
</from>
</envelope>
<payload>
……
</payload>
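The routing decisions of steps B2 to B6 as a runnable sketch, added here as an example and not taken from the patent: the first proxy refuses unregistered senders, delivers locally when it can, and otherwise rewrites intended-receiver to the proxy named by the resolve result. The class and function names, the result strings, the URL for agent A, caching of a successful resolve, and the handling of malformed or unknown receivers are assumptions; the Resolve exchange is replaced by a dictionary lookup.

```python
import xml.etree.ElementTree as ET

def _set_address(agent_identifier, url):
    """Give an <agent-identifier> exactly one <addresses><url>."""
    for old in agent_identifier.findall("addresses"):
        agent_identifier.remove(old)
    ET.SubElement(ET.SubElement(agent_identifier, "addresses"), "url").text = url

def _set_next_proxy(env, hop):
    """Drop <intended-receiver>; if hop=(name, url) is given, point it at that proxy."""
    for old in env.findall("intended-receiver"):
        env.remove(old)
    if hop is not None:
        ident = ET.SubElement(ET.SubElement(env, "intended-receiver"), "agent-identifier")
        ET.SubElement(ident, "name").text = hop[0]
        _set_address(ident, hop[1])

class AccessProxy:
    def __init__(self, agents_db, resolve):
        self.agents_db = agents_db   # Agents Database: agent name -> agent URL
        self.routing_cache = {}      # Routing Cache: agent name -> (proxy name, proxy URL)
        self.resolve = resolve       # stand-in for the Resolve exchange of steps B3/B4

    def route_from_agent(self, envelope_xml):
        """Steps B2 to B5. Returns (action, next_hop_url, envelope_xml)."""
        env = ET.fromstring(envelope_xml)
        sender = env.findtext("from/agent-identifier/name")
        to_id = env.find("to/agent-identifier")
        receiver = to_id.findtext("name") if to_id is not None else None
        if sender is None or receiver is None:
            return ("rejected-malformed", None, envelope_xml)
        if sender not in self.agents_db:          # sender never registered via this proxy
            return ("rejected-unregistered-sender", None, envelope_xml)
        if receiver in self.agents_db:            # same access proxy: deliver directly
            _set_address(to_id, self.agents_db[receiver])
            _set_next_proxy(env, None)
            return ("deliver", self.agents_db[receiver], ET.tostring(env, encoding="unicode"))
        hop = self.routing_cache.get(receiver) or self.resolve(receiver)
        if hop is None:                           # Register Center has no record
            return ("resolve-failed", None, envelope_xml)
        self.routing_cache[receiver] = hop        # assumption: cache a successful resolve
        _set_next_proxy(env, hop)
        return ("forward", hop[1], ET.tostring(env, encoding="unicode"))

    def deliver_from_proxy(self, envelope_xml):
        """Step B6: fill in the receiver URL if missing and strip intended-receiver."""
        env = ET.fromstring(envelope_xml)
        to_id = env.find("to/agent-identifier")
        receiver = to_id.findtext("name") if to_id is not None else None
        if receiver not in self.agents_db:        # assumed handling; the page does not cover it
            return ("rejected-unknown-receiver", None, envelope_xml)
        if to_id.find("addresses/url") is None:
            _set_address(to_id, self.agents_db[receiver])
        _set_next_proxy(env, None)
        return ("deliver", to_id.findtext("addresses/url"), ET.tostring(env, encoding="unicode"))

# Constructed sample input: the step B1 envelope, without its payload.
B1_ENVELOPE = """<envelope>
<to><agent-identifier><name>B@huawei.com</name></agent-identifier></to>
<from><agent-identifier><name>A@huawei.com</name></agent-identifier></from>
<intended-receiver><agent-identifier><name>proxyl@huawei.com</name>
<addresses><url>http://proxyl.huawei.com/proxyl</url></addresses>
</agent-identifier></intended-receiver>
</envelope>"""

# Constructed Register Database content: agent name -> its access proxy.
REGISTER_DB = {"B@huawei.com": ("proxy2@huawei.com", "http://proxy2.huawei.com/proxyl")}

def demo():
    proxy1 = AccessProxy({"A@huawei.com": "http://a.huawei.com/test"}, REGISTER_DB.get)
    proxy2 = AccessProxy({"B@huawei.com": "http://b.huawei.com/test"}, REGISTER_DB.get)
    action, hop, forwarded = proxy1.route_from_agent(B1_ENVELOPE)
    return action, hop, proxy2.deliver_from_proxy(forwarded)

if __name__ == "__main__":
    print(demo())
```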
Security assurance is also a key issue in ensuring the normal operation of the distributed intelligent proxy system. One important problem is preventing an intelligent agent from being impersonated, that is, one agent operating in the system under the identity of another agent. To address this, the system should authenticate the intelligent agent during registration and register it only if verification passes. Likewise, the distributed intelligent proxy system itself may be impersonated. To avoid being deceived by a forged agent system, the intelligent agent also needs to verify the identity of the distributed intelligent proxy system it accesses; during registration, the Register Center can take part in authentication as the representative of the system. The registration procedure that requires authentication is as follows. Fig. 7 is the signaling flow chart of an embodiment of the registration method for intelligent agents with a security authentication mechanism of the present invention, which comprises the following steps:
Step C1: the intelligent agent sends a registration request message to the proxy server to which it is connected. This step is the same as step A1 in the registration procedure that does not require authentication. The data structure involved in this step can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>RegisterCenter@huawei.com</name>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>palmer@huawei.com</name>
</agent-identifier>
</from>
<intended-receiver>
<agent-identifier>
<name>proxyl@huawei.com</name>
<addresses>
<url>http://proxyl.huawei.com/proxyl</url>
</addresses>
</agent-identifier>
</intended-receiver>
<transport-behaviour>
<register>
<id>registerID1</id>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
</register>
</transport-behaviour>
<payload-length>0</payload-length>
</envelope>
Step C2: after receiving the registration request message, the proxy server sends it to the registration center.
Specifically: the access Proxy receives the Register message and learns from the register element in transport-behaviour that it is a registration request message.
The access proxy server can first check whether the Register message is integrity-protected. If an IPsec (IP security) secure connection was established between the Agent and the access Proxy before registration, the access Proxy checks the integrity of the message. If the message fails the integrity check, the access Proxy discards the Register message, notifies the Agent that the message was tampered with, and ends the registration procedure. If the message passes the integrity check, the access Proxy sets the value of the integrity-protected element in the security part of transport-behaviour to yes. If no IPsec secure connection was established between the Agent and the access Proxy before registration, the value of the integrity-protected element is set to no.
The access Proxy then checks whether the to part is empty and whether the Register Center is valid. If the to part is empty or the Register Center is invalid, the access Proxy selects a valid Register Center for the agent being registered and sets the name and address of that Register Center in the to part. If the Register Center in the to part is valid, the access Proxy looks up the URL address of the Register Center and sets it in the address of the to part. If register does not contain access-proxy, the access Proxy can also add the access-proxy element to register and set it to its own agent name. The access Proxy then deletes its own agent-identifier from intended-receiver and forwards the Register request message to the Register Center.
This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>RegisterCenter@huawei.com</name>
<addresses>
<url>http://registercenter.huawei.com/register</url>
</addresses>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>palmer@huawei.com</name>
</agent-identifier>
</from>
<transport-behaviour>
<register>
<id>registerID1</id>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
<access-proxy>
<name>proxyl@huawei.com</name>
</access-proxy>
</register>
<security>
<integrity-protected>no</integrity-protected>
</security>
</transport-behaviour>
<payload-length>0</payload-length>
</envelope>
Step C3: after receiving the registration request message, the registration center generates first verification information, computes a digest value over this verification information, generates a digital signature with the private key of the registration center, and adds this digital signature to the first verification information. It then includes the first verification information in an unauthenticated response message and returns that message to the proxy server.
Specifically: the Register Center receives the Register message and learns from the register element of transport-behaviour that it is a registration message. Because the system requires the Agent to be verified and the Register message does not provide Agent verification information, the Register Center cannot approve the registration of the Agent and will send an unauthenticated response message to notify the Agent that registration did not succeed. As the identity representative of the distributed intelligent proxy system, the Register Center can also generate the verification information of the system, Sau, through the Authentication Function. If the Register request message is not integrity-protected, the Key Generation Function can also distribute shared keys to the Agent and its access Proxy: an integrity key IK and an encryption key CK. Sau, and where applicable the shared keys IK and CK, are set in security in the transport-behaviour of the response message, which is then sent to the proxy server.
Sau comprises the agent name of the registering Agent, a timestamp Ts and a nonce Rs. The agent name indicates that this system verification information is provided to this Agent, the timestamp Ts prevents the message from being delivered late, and the nonce Rs is used to detect replay attacks. If shared keys have been distributed, IK and CK can be encrypted with the public key of the Agent as Ea(IK, CK) and also included in Sau. A digest is then computed over this information and signed with the private key of the Register Center, and the digital signature is added to Sau.
In the response message, the name of the Register Center is placed in the from part and the name of the Agent in the to part. The transport-behaviour of the Register response message contains a register-result element, which copies the content of register from the original Register message and adds a result element whose value is set to unauthenticated to indicate that verification has not passed and registration did not succeed. The payload part of the response message also has no content, so payload-length is set to 0. The Register Center then places the sender of the Register message, that is, the name and address of the access Proxy, in the intended-receiver part and sends the response message to the proxy server that the Agent accesses.
This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>palmer@huawei.com</name>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>RegisterCenter@huawei.com</name>
</agent-identifier>
</from>
<intended-receiver>
<agent-identifier>
<name>proxyl@huawei.com</name>
<addresses>
<url>http://proxyl.huawei.com/proxyl</url>
</addresses>
</agent-identifier>
</intended-receiver>
<transport-behaviour>
<register-result>
<id>registerID1</id>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
<access-proxy>
<name>proxyl@huawei.com</name>
</access-proxy>
<result>unauthenticated</result>
</register-result>
<security>
<system-authentication>Sau</system-authentication>
<ik>ik</ik>
<ck>ck</ck>
</security>
</transport-behaviour>
<payload-length>0</payload-length>
</envelope>
Step C4: after receiving the unauthenticated response message, the proxy server returns it to the intelligent agent.
Specifically: after receiving the unauthenticated response message, the access Proxy learns from the register-result element in transport-behaviour that it is a Register response message. The access Proxy checks register-result and finds that result is unauthenticated. If security contains the shared key information IK and CK, the access Proxy saves IK and CK and deletes them from security. The access Proxy places the sender of the original Register message, that is, the address of the Agent, in the address of the to part, then deletes its own agent-identifier from intended-receiver and forwards the Register response message to the Agent.
This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>RegisterCenter@huawei.com</name>
</agent-identifier>
</from>
<transport-behaviour>
<register-result>
<id>registerID1</id>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
<access-proxy>
<name>proxyl@huawei.com</name>
</access-proxy>
<result>unauthenticated</result>
</register-result>
<security>
<system-authentication>Sau</system-authentication>
</security>
</transport-behaviour>
<payload-length>0</payload-length>
</envelope>
Step C5: after receiving the unauthenticated response message, the intelligent agent computes the digest value of the first verification information with the digital signature part removed, and at the same time uses the public key of the registration center to recover the signed digest value from the digital signature. It compares the two values. If they are identical, it generates second verification information, generates a digital signature with the private key of the intelligent agent, adds this digital signature to the second verification information, includes the second verification information in a new registration request message, and sends that message to the proxy server; step C6 is then executed. Otherwise, verification fails and the procedure ends.
Specifically: after receiving the unauthenticated response message, the Agent learns from the register-result element in transport-behaviour that it is a Register response message. The Agent checks register-result and finds that result is unauthenticated. It then obtains Sau from security, computes the digest value of Sau with the digital signature part removed, and at the same time uses the public key of the Register Center to recover the signed digest value from the digital signature. It compares the two values; if they are identical, verification of the Register Center passes, otherwise verification fails and the Agent registration procedure ends.
If Sau contains the encrypted shared key information Ea(IK, CK), the Agent decrypts it with its private key and, based on IK and CK, establishes an IPsec secure transport connection between the Agent and the access Proxy.
If verification of the Register Center passes, the Agent generates the Agent verification information Aau. Similarly, Aau comprises the agent name of the Register Center, a timestamp Ta, a nonce Ra, and the nonce Rs from Sau, which associates Aau with the preceding Sau; the Agent then adds a digital signature over this information made with its private key.
The Agent then produces a new Register request message and places Aau in the security part of the Register message. The other parts of the message are set as in the previous Register message. The Agent then sends this Register message to the access Proxy.
This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>RegisterCenter@huawei.com</name>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>palmer@huawei.com</name>
</agent-identifier>
</from>
<intended-receiver>
<agent-identifier>
<name>proxyl@huawei.com</name>
<addresses>
<url>http://proxyl.huawei.com/proxyl</url>
</addresses>
</agent-identifier>
</intended-receiver>
<transport-behaviour>
<register>
<id>registerID2</id>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
</register>
<security>
<agent-authentication>Aau</agent-authentication>
</security>
</transport-behaviour>
<payload-length>0</payload-length>
</envelope>
Step C6: after receiving the new registration request message, the proxy server sends it to the registration center.
Specifically: after receiving the new Register message, the access Proxy learns from the register element in transport-behaviour that it is a registration request message. The access Proxy first checks the integrity of the message. If the message fails the integrity check, the access Proxy discards the Register message, notifies the Agent that the message was tampered with, and ends the registration procedure. If the message passes the integrity check, the access Proxy sets the value of the integrity-protected element in the security part of transport-behaviour to yes. The access Proxy replaces or fills in the name and address of the Register Center in the to part. If register does not contain access-proxy, the access Proxy can also add the access-proxy element to register and set it to its own agent name. The access Proxy then deletes its own agent-identifier from intended-receiver and forwards the Register request message to the Register Center.
This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>RegisterCenter@huawei.com</name>
<addresses>
<url>http://registercenter.huawei.com/register</url>
</addresses>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>palmer@huawei.com</name>
</agent-identifier>
</from>
<transport-behaviour>
<register>
<id>registerID2</id>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
<access-proxy>
<name>proxyl@huawei.com</name>
</access-proxy>
</register>
<security>
<agent-authentication>Aau</agent-authentication>
<integrity-protected>yes</integrity-protected>
</security>
</transport-behaviour>
<payload-length>0</payload-length>
</envelope>
Step C7: after receiving the new registration request message, the registration center computes the digest value of the second verification information with the digital signature part removed, and at the same time uses the public key of the intelligent agent requesting registration to recover the signed digest value from the digital signature. It compares the two values. If they are identical, it carries out the registration operation: it extracts the name and address information of the intelligent agent being registered and the name of the access proxy server of that intelligent agent, saves them in the database, and then returns a registration-success response message to the proxy server. Otherwise, it returns a registration-failure response message to the proxy server.
Specifically: after receiving the new Register message, the Register Center learns from the register element of transport-behaviour that it is a registration message and obtains Aau from security. The Authentication Function computes the digest value of Aau with the digital signature part removed, uses the public key of the Agent to recover the signed digest value from the digital signature, and compares the two values. If they are identical, verification of the Agent passes; otherwise verification fails.
If verification passes, the Register Function obtains the agent name and address of the agent being registered from agent-identifier and the name of the access Proxy from access-proxy, and saves this information as one record in the registration database (Register Database).
In the response message, the name of the Register Center is placed in the from part and the name of the Agent in the to part. The transport-behaviour of the Register response message contains a register-result element, which copies the content of register from the original Register message and adds a result element whose value is set to success to indicate that registration succeeded. If registration fails for some reason, the result value is set to the corresponding failure cause to indicate that registration did not succeed. The payload part of the response message also has no content, so payload-length is set to 0. The Register Center then places the sender of the Register message, that is, the name and address of the access Proxy, in the intended-receiver part and sends the response message to the Agent's access Proxy.
This data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>palmer@huawei.com</name>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>RegisterCenter@huawei.com</name>
</agent-identifier>
</from>
<intended-receiver>
<agent-identifier>
<name>proxyl@huawei.com</name>
<addresses>
<url>http://proxyl.huawei.com/proxyl</url>
</addresses>
</agent-identifier>
</intended-receiver>
<transport-behaviour>
<register-result>
<id>registerID2</id>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
<access-proxy>
<name>proxyl@huawei.com</name>
</access-proxy>
<result>success</result>
</register-result>
</transport-behaviour>
<payload-length>0</payload-length>
</envelope>
Step C8: After the proxy server receives the response message, it returns the response message to the intelligent agent.
Specifically: when the access Proxy receives the registration-success or registration-failure response message, it learns from the register-result element in transport-behaviour that this is a Register response message. The access Proxy checks register-result; if it finds that result is success and that access-proxy is itself, it obtains the name and address of the agent being registered from agent-identifier and saves this information as one record in the proxy database, AgentsDatabase. The access Proxy places the sender of the original Register message, that is, the address of the Agent, in the address of the to part, then deletes its own agent-identifier from intended-receiver and forwards this Register response message to the Agent. From the register-result information in the response message, the Agent knows that the intelligent agent registration completed successfully.
The above data structure can be represented in the following XML form:
<?xml version="1.0" encoding="UTF-8"?>
<envelope>
<to>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
</to>
<from>
<agent-identifier>
<name>RegisterCenter@huawei.com</name>
</agent-identifier>
</from>
<transport-behaviour>
<register-result>
<id>registerID2</id>
<agent-identifier>
<name>palmer@huawei.com</name>
<addresses>
<url>http://palmer.huawei.com/test</url>
</addresses>
</agent-identifier>
<access-proxy>
<name>proxyl@huawei.com</name>
</access-proxy>
<result>success</result>
</register-result>
</transport-behaviour>
<payload-length>0</payload-length>
</envelope>
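The access Proxy's handling of the Register response in step C8 can be sketched as follows. This is an added example, not code from the patent: the class AccessProxy, its pending table keyed by the register id, the check that the response names this Proxy in intended-receiver, and the dictionary standing in for AgentsDatabase are assumptions, and the input is a constructed copy of the Register Center's response envelope.

```python
import xml.etree.ElementTree as ET

# Constructed input: the Register response as the Register Center sends it
# to the access Proxy (same fields as the first response envelope above).
RESPONSE_FROM_CENTER = """<?xml version="1.0" encoding="UTF-8"?>
<envelope>
  <to><agent-identifier><name>palmer@huawei.com</name></agent-identifier></to>
  <from><agent-identifier><name>RegisterCenter@huawei.com</name></agent-identifier></from>
  <intended-receiver>
    <agent-identifier>
      <name>proxyl@huawei.com</name>
      <addresses><url>http://proxyl.huawei.com/proxyl</url></addresses>
    </agent-identifier>
  </intended-receiver>
  <transport-behaviour>
    <register-result>
      <id>registerID2</id>
      <agent-identifier>
        <name>palmer@huawei.com</name>
        <addresses><url>http://palmer.huawei.com/test</url></addresses>
      </agent-identifier>
      <access-proxy><name>proxyl@huawei.com</name></access-proxy>
      <result>success</result>
    </register-result>
  </transport-behaviour>
  <payload-length>0</payload-length>
</envelope>"""


class AccessProxy:
    """Hypothetical access Proxy holding only the state step C8 needs."""

    def __init__(self, name):
        self.name = name
        self.agents_database = {}  # agent name -> list of address URLs
        self.pending = {}          # register id -> address of the Register sender

    def handle_register_response(self, xml_text):
        """Apply step C8 and return the envelope to forward to the Agent."""
        env = ET.fromstring(xml_text.encode("utf-8"))
        result = env.find("transport-behaviour/register-result")
        if result is None:
            raise ValueError("no register-result: not a Register response")

        # Assumed defensive check: only process responses addressed to us.
        receiver = env.find("intended-receiver")
        own_entries = [] if receiver is None else [
            ident for ident in receiver.findall("agent-identifier")
            if ident.findtext("name") == self.name]
        if not own_entries:
            raise ValueError("response is not addressed to this Proxy")

        # Assumed correlation: the register id maps back to the sender of
        # the original Register message, whose address goes into <to>.
        sender_url = self.pending.pop(result.findtext("id"), None)
        if sender_url is None:
            raise ValueError("no pending Register request for this id")

        # Record the agent only on success AND when we are its access Proxy.
        agent = result.find("agent-identifier")
        if (agent is not None
                and result.findtext("result") == "success"
                and result.findtext("access-proxy/name") == self.name):
            self.agents_database[agent.findtext("name")] = [
                url.text for url in agent.findall("addresses/url")]

        # Put the sender's address into the address of the to part.
        to_ident = env.find("to/agent-identifier")
        if to_ident is None:
            raise ValueError("envelope has no to/agent-identifier")
        addresses = to_ident.find("addresses")
        if addresses is None:
            addresses = ET.SubElement(to_ident, "addresses")
        for old in list(addresses):
            addresses.remove(old)
        ET.SubElement(addresses, "url").text = sender_url

        # Delete our own agent-identifier from intended-receiver; drop the
        # element once it is empty, as in the forwarded envelope above.
        for ident in own_entries:
            receiver.remove(ident)
        if len(receiver) == 0:
            env.remove(receiver)
        return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    proxy = AccessProxy("proxyl@huawei.com")
    proxy.pending["registerID2"] = "http://palmer.huawei.com/test"
    print(proxy.handle_register_response(RESPONSE_FROM_CENTER))
    print(proxy.agents_database)
```

A failed registration is still forwarded to the Agent, but nothing is written to the agents table, so later routing decisions never rely on an agent the Register Center did not accept.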
With the intelligent proxy system, the corresponding message routing method and the authenticated registration mechanism of the embodiments of the invention, every intelligent agent in the system must connect to the system through some access Proxy; intelligent agents cannot interact with one another directly, and agent messages must be routed and forwarded by the system. Message exchange between an intelligent agent and its access Proxy, and between the functional entities inside the system, is always carried over secure transport connections, so message exchange between intelligent agents is protected. Generally, the network protocol layer of the intelligent agents and of each functional entity of the system uses the IP protocol, so the secure transport connection can be an IPsec ESP (Encapsulating Security Payload) connection, which can provide integrity, confidentiality and message-origin authentication protection for messages.
Inside the system, security protection can be obtained by establishing point-to-point IPsec ESP transport connections between interconnected functional entities. The default mode of mutual authentication between functional entities is based on pre-configured shared keys, which can be configured in a secure shared-key manner at system deployment and are periodically updated and maintained. Certificate-based authentication serves as an alternative authentication mode. Session key negotiation uses the IKE (Internet Key Exchange) protocol, which is used to establish, negotiate and maintain the set of security associations (SA, Security Association) between functional entities.
There are two ways to establish the IPsec ESP secure connection between an intelligent agent and its access Proxy.
In the first, when the intelligent agent initially connects to the access Proxy, the intelligent agent and the access Proxy first authenticate each other based on their respective certificates, and then use the IKE protocol to establish the security association (SA) between the intelligent agent and the access Proxy.
In the second, during the authentication procedure of intelligent agent registration, the Register Center distributes a shared key to the intelligent agent and the access Proxy. The intelligent agent and the access Proxy first authenticate each other based on this shared key and then use the IKE protocol, that is, IKE session key negotiation in pre-shared-key mode, to establish the security association (SA) between the intelligent agent and the access Proxy. In this mode the security mechanism of the intelligent proxy system is controlled entirely and uniformly by the Register Center, which favours centralized management, and no digital certificates need to be configured or processed between the intelligent agent and the access Proxy.
The embodiments of the invention provide good system support for intelligent agent information exchange based on ACL messages. A distributed intelligent proxy system is designed which, through proxy gateways, a registration center and the related technical mechanisms, achieves unified management and control of intelligent agents, including registration, access control, address resolution and message routing, and further including authentication and security assurance. Compared with traditional multi-agent systems, this system is more controllable, its message routing is more reliable and secure, and the processing that the agents themselves must perform during communication is simpler.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the invention and not to limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the invention can still be modified or equivalently replaced, and that such modifications or equivalent replacements do not cause the modified technical solution to depart from the spirit and scope of the technical solution of the invention.

Claims (33)

1. A distributed intelligent proxy system comprising one or more intelligent agents, characterized in that it further comprises:
One or more interconnected proxy servers, configured to control the message interaction process between intelligent agents, perform message routing and transport protocol conversion, and provide access registration for intelligent agents;
A registration center, configured to provide a registration function for intelligent agents and to store the information of each registered intelligent agent and the information of the proxy server that each registered intelligent agent accesses, the information of each registered intelligent agent comprising at least name and address information.
2. The system according to claim 1, characterized in that the registration center comprises:
A registration control module, configured to extract the registration information from a registration request message and determine whether the intelligent agent can be registered;
A registration database, configured to store the information of each registered intelligent agent and the information of the proxy server that each registered intelligent agent accesses, the information of each registered intelligent agent comprising at least name and address information;
A proxy database, connected to the registration control module and configured to store the information of all proxy servers, the information of a proxy server comprising at least the name and address information of the proxy server, the underlying transport protocols it supports, and its agent access policy;
An interface module, connected to the registration control module and configured to receive registration request messages and/or resolution request messages and to send registration response messages and/or resolution response messages.
3. The system according to claim 2, characterized in that the registration control module is further configured to process resolution request messages, sent by an intelligent proxy server, for obtaining the address information of an intelligent agent.
4. The system according to claim 2, characterized in that the registration center further comprises:
An authentication module, connected to the registration control module and configured to perform authentication operations, generate the authentication information of the distributed intelligent proxy system and provide this authentication information to the intelligent agent, parse the authentication information of the intelligent agent, and verify the identity of the intelligent agent;
A key generation module, connected to the registration control module and configured to distribute, to the intelligent agent and the proxy server it accesses, the shared keys used to establish a secure transport connection between the two, comprising an integrity key and an encryption key.
5. The system according to claim 1, characterized in that the intelligent agent, the proxy server and the registration center communicate using agent communication language messages.
6. The system according to claim 4, characterized in that the system function information required for communication among the intelligent agent, the proxy server and the registration center is carried in the envelope of the agent communication language message.
7. A registration center for a distributed intelligent proxy, characterized in that it comprises:
A registration control module, configured to extract the registration information from a registration request message and determine whether the intelligent agent can be registered;
A registration database, configured to store the information of each registered intelligent agent and the information of the proxy server that each registered intelligent agent accesses, the information of each registered intelligent agent comprising at least name and address information;
A proxy database, configured to store the information of all proxy servers, the information of a proxy server comprising at least the name and address information of the proxy server, the underlying transport protocols it supports, and its agent access policy;
An interface module, configured to receive registration request messages and/or resolution request messages and to send registration response messages and/or resolution response messages.
8. The registration center according to claim 7, characterized in that the registration control module is further configured to process resolution request messages, sent by an intelligent proxy server, for obtaining the address information of an intelligent agent.
9. The registration center according to claim 8, characterized in that the registration center further comprises:
An authentication module, configured to perform authentication operations, generate the authentication information of the distributed intelligent proxy system and provide this authentication information to the intelligent agent, parse the authentication information of the intelligent agent, and verify the identity of the intelligent agent;
A key generation module, configured to distribute, to the intelligent agent and the proxy server it accesses, the shared keys used to establish a secure transport connection between the two, comprising an integrity key and an encryption key.
10. A registration method for an intelligent agent, characterized in that it comprises the following steps:
After the registration center receives the registration request message forwarded by the proxy server, it extracts from the registration request message the name and address information of the intelligent agent being registered and the name of the proxy server that the intelligent agent being registered accesses, and saves them to the registration database.
11. The method according to claim 10, characterized in that the intelligent agent being registered is the intelligent agent that sends the registration request message, or an unregistered third-party intelligent agent.
12. The method according to claim 10, characterized in that, after the proxy server receives the registration request message, the method further comprises: detecting whether the registration request message contains the information of a valid registration center; if so, forwarding the message to that registration center; otherwise, the proxy server selects a registration center for the intelligent agent being registered and forwards the message to that registration center according to the information of that registration center.
13. The method according to claim 10, characterized in that, after the proxy server receives the registration request message, the method further comprises: if no access proxy server information is set in the request message, the proxy server writes its own information into the registration request message as the access proxy server of the intelligent agent being registered.
14. The method according to claim 10, characterized in that, after the proxy server receives the response message, the method further comprises: determining whether the response message is a registration-success response message or a registration-failure response message; if it is a registration-success response message and the proxy server is the access proxy server of the intelligent agent being registered, extracting from the response message the information of the intelligent agent being registered, this information comprising at least the name and address information of the intelligent agent being registered, and storing this information in the database of the proxy server.
15. The method according to claim 10, characterized in that the registration request message and the response message are agent communication language messages.
16. The method according to claim 15, characterized in that the system function information of the registration request message and the response message is carried in the envelope of the agent communication language message.
17. A message routing method for an intelligent agent, characterized in that it comprises the following steps:
A first access proxy server receives a message sent by a first intelligent agent, the message being an interaction message between the first intelligent agent and a second intelligent agent;
The first access proxy server determines the address information of the second access proxy server to which the second intelligent agent belongs, and sends the message to the second access proxy server according to the address information of the second access proxy server.
18. The method according to claim 17, characterized in that the sending of the message by the first access proxy server to the second access proxy server is specifically: after the first access proxy server receives the message sent by the first intelligent agent, if the second intelligent agent accesses the same proxy server as the first intelligent agent, the interaction message is forwarded to the second intelligent agent.
19. The method according to claim 17, characterized in that the sending of the message by the first access proxy server to the second access proxy server is specifically:
After the first access proxy server receives the message sent by the first intelligent agent, if the second intelligent agent and the first intelligent agent access different proxy servers, the first proxy server sends to the registration center a resolution request message for resolving the second proxy server that the second intelligent agent accesses;
After receiving the resolution-success response message, the first proxy server, according to the information of the second proxy server contained in the response message, forwards the interaction message through the second proxy server.
20. The method according to claim 17, characterized in that the interaction message, the resolution request message and the response message are agent communication language messages.
21. The method according to claim 20, characterized in that the system function information in the interaction message, the resolution request message and the response message is carried in the envelope of the agent communication language message.
22. A message routing method for an intelligent agent, characterized in that it comprises:
After the registration center receives the resolution request message sent by a first intelligent proxy server, it queries, according to the information of the second intelligent agent carried in the resolution request message, the information of the second proxy server corresponding to the second intelligent agent; if the information of the second proxy server is found, it writes the information of the second proxy server into a resolution-success response message and returns it to the first proxy server.
23. The method according to claim 22, characterized in that the information of the second proxy server comprises at least the name and address information of the second proxy server.
24. The method according to claim 23, characterized in that it further comprises:
An operation in which the registration center queries the registration database and writes the address information of the second intelligent agent into the resolution-success response message.
25. A message routing method for an intelligent agent, characterized in that it comprises:
A first access proxy server receives a message sent by a first intelligent agent, the message being an interaction message between the first intelligent agent and a second intelligent agent;
The first proxy server sends to the registration center a resolution request message for resolving the second proxy server that the second intelligent agent accesses;
After the registration center receives the resolution request message sent by the first intelligent proxy server, it queries, according to the information of the second intelligent agent carried in the resolution request message, the information of the second proxy server corresponding to the second intelligent agent; if the information of the second proxy server is found, it writes the information of the second proxy server into a resolution-success response message and returns it to the first proxy server;
After receiving the resolution-success response message, the first proxy server, according to the information of the second proxy server contained in the response message, sends the interaction message to the second proxy server.
26. The method according to claim 25, characterized in that, after the first access proxy server receives the message sent by the first intelligent agent, if the second intelligent agent accesses the same proxy server as the first intelligent agent, the interaction message is forwarded to the second intelligent agent.
A registration method for an intelligent agent, characterized in that it comprises the following steps:
After the registration center receives the registration request message forwarded by the proxy server, it generates first authentication information, computes a digest of this authentication information, generates a digital signature with the private key of the registration center, adds this digital signature to the first authentication information, and then includes the first authentication information in an unauthenticated response message returned to the proxy server;
After the registration-requesting intelligent agent receives the unauthenticated response message forwarded by the proxy server, it computes the digest of the first authentication information and, at the same time, uses the public key of the registration center to decrypt the digital signature and obtain the signed digest. It compares the two values; if they are identical, it generates second authentication information, generates a digital signature with the private key of the registration-requesting intelligent agent, adds this digital signature to the second authentication information, and then includes the second authentication information in a new registration request message sent to the proxy server;
After the registration center receives the new registration request message forwarded by the proxy server, it computes the digest of the second authentication information and, at the same time, uses the public key of the registration-requesting intelligent agent to decrypt the digital signature and obtain the signed digest; it compares the two values and, if they are identical, extracts the name and address information of the intelligent agent being registered and the name of the access proxy server of the intelligent agent being registered, and saves them to the database.
27. The method according to claim 26, characterized in that, after the registration center receives the registration request message, the method further comprises:
After the registration center receives the registration request message, it determines, according to the integrity-protection verification flag carried in the message, whether the registration request message has passed integrity-protection verification; if it has not passed integrity-protection verification, the registration center generates an integrity key and an encryption key, includes them in the unauthenticated response message, and sends it to the proxy server.
28. The method according to claim 27, characterized in that, after the proxy server receives the registration request message, the method further comprises: performing integrity-protection verification by determining whether an IP security connection has been established between the registration-requesting intelligent agent and the proxy server; if an IP security connection has been established, further performing an integrity check on the registration request message; if the integrity check passes, writing into the registration request message a flag indicating that integrity-protection verification has passed.
29. The method according to claim 27, characterized in that, after the registration-requesting intelligent agent receives the unauthenticated response message, the method further comprises: the registration-requesting intelligent agent establishing an IP security connection with the proxy server based on the integrity key and the encryption key.
30. The method according to claim 26, characterized in that, after the proxy server receives the registration request message, the method further comprises: the proxy server detecting whether the registration request message contains the information of a valid registration center; if so, forwarding the message to that registration center; otherwise, the proxy server selects a registration center for the intelligent agent being registered and forwards the message to that registration center according to the information of that registration center.
31. The method according to claim 26, characterized in that, after the proxy server receives the registration request message, the method further comprises: if no access proxy server information is set in the request message, the proxy server writes its own information into the registration request message as the access proxy server of the intelligent agent being registered.
32. A registration method for an intelligent agent, characterized in that it comprises the following steps:
After the registration center receives a registration request message, it generates first authentication information, computes a digest of this authentication information, generates a digital signature with the private key of the registration center, adds this digital signature to the first authentication information, and then includes the first authentication information in an unauthenticated response message returned to the proxy server;
After the registration center receives the new registration request message, it computes the digest of the second authentication information with the digital-signature part removed and, at the same time, uses the public key of the registration-requesting intelligent agent to decrypt the digital signature and obtain the signed digest; it compares the two values and, if they are identical, performs the registration operation: it extracts the name and address information of the intelligent agent being registered and the name of the access proxy server of the intelligent agent being registered, saves them to the database, and then returns a registration-success response message to the proxy server.
33. The registration method according to claim 32, characterized in that, after the registration center receives the registration request message, the method further comprises:
After the registration center receives the registration request message, it determines, according to the integrity-protection verification flag carried in the message, whether the registration request message has passed integrity-protection verification; if it has not passed integrity-protection verification, the registration center generates an integrity key and an encryption key, includes them in the unauthenticated response message, and sends it to the proxy server.
CN2007101206707A 2007-08-23 2007-08-23 Distributed intelligent proxy system, login center and login, message routing method Active CN101115062B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007101206707A CN101115062B (en) 2007-08-23 2007-08-23 Distributed intelligent proxy system, login center and login, message routing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007101206707A CN101115062B (en) 2007-08-23 2007-08-23 Distributed intelligent proxy system, login center and login, message routing method

Publications (2)

Publication Number Publication Date
CN101115062A true CN101115062A (en) 2008-01-30
CN101115062B CN101115062B (en) 2012-05-23

Family

ID=39023170

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101206707A Active CN101115062B (en) 2007-08-23 2007-08-23 Distributed intelligent proxy system, login center and login, message routing method

Country Status (1)

Country Link
CN (1) CN101115062B (en)

Also Published As

Publication number Publication date
CN101115062B (en) 2012-05-23

Similar Documents

Publication Publication Date Title
CN101115062B (en) Distributed intelligent proxy system, login center and login, message routing method
CN111262692B (en) Key distribution system and method based on block chain
CN103124981B (en) The electronic document system for the distribution of commodities and electronic document circulation method
WO2020113545A1 (en) Method for generating and managing multimodal identified network on the basis of consortium blockchain voting consensus algorithm
CN102368764B (en) A kind of method, system and client communicated by multi-point login
CN111740989B (en) Block chain-oriented Internet of things chip lightweight data encryption method
CN102640449B (en) For the system and method for web application communication
EP2056563B1 (en) Peer-to-peer network
CN102638454A (en) Plug-in type SSO (single signon) integration method oriented to HTTP (hypertext transfer protocol) identity authentication protocol
JP2013535858A5 (en)
CN101247407A (en) Network authentication service system and method
CN1299537C (en) Method for realizing management of connecting visit network using general weight discrimination frame
CN101388777B (en) Third party authentication method and system for cross-system access in communication system
CN101729568A (en) Safety access system and method for guaranteeing source address authenticity by using token mechanism
CN101471878B (en) Safety routing method, network system and equipment for peer-to-peer session initiation protocol network
CN102893579B (en) For provide method, node and the equipment of bill in communication system
AU2020102146A4 (en) Defence method to avoid automated attacks in iot networks using physical unclonable function (puf) based mutual authentication protocol
CN109548022A (en) Method for mobile terminal user to remotely access local network
CN110290176B (en) Point-to-point information pushing method based on MQTT
CN112132581B (en) PKI identity authentication system and method based on IOTA
WO2021258737A1 (en) Value transmission method and value transmission cluster system based on e-mail
Kalt Internet relay chat: Server protocol
CN101237442A (en) Terminal identifier parsing and service transmission method, system and device in integrated network
CN101471938B (en) Authentication method, system and device for point-to-point network
JP2012527794A (en) Method and system for host identity tag acquisition

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant