Secure and Efficient Mobile Agent Application ... - Semantic Scholar

2 downloads 10 Views 571KB Size Report
work that supports mobile agent application development and reuse with ... computational cost model and a security model, and com- bining patterns so that the ...

Secure and Efficient Mobile Agent Application Reuse Using Patterns Yasuyuki Tahara, Nobukazu Yoshioka, Akihiko Ohsuga

Shinichi Honiden National Institute of Informatics, 2-1-2, Hitotsubashi, Chiyoda-ku, Tokyo, 101-8430, Japan Tel: +81-3-4212-2513 Fax: +81-3-3556-1916

Computer & Network Systems Laboratory, Research and Development Center,. Toshiba Corporation, 1, Komukai Toshiba-cho, Saiwai-ku, Kawasaki, 212-8582, Japan Tel: +81-44-549-2237 Fax: +81-44-520-1841

[email protected]

{yasuyuki.tahara,nobukazu.yoshioka, akihiko.ohsuga}@toshiba.co.jp

ABSTRACT

rapid changes and diverse requirements is getting higher. The agent technology [6], especially the mobile agent technology, is expected to be a basis for the development of such systems. Agents are software units that can deal with environmental changes and diverse requirements with their features such as autonomy, mobility, intelligence, cooperation and reactivity. In addition, some people consider the agent technology as a promising solution to the reuse issue because of the aspect of the agents as highly adaptable software components[18, 5]. Since practical applications of agents are investigated recently, techniques for agent system development and reuse support have appeared. Especially, developers and researchers have begun to apply design patterns [11] to agent system development [2, 17, 23, 24]. Design patterns are explicit formulations of good past software development experiences consisting of proven solutions to recurring problems that arise within some contexts and systems of forces. The security issue is considered as very significant in practical application of the mobile agent technology [8]. As solutions to this issue, many researchers propose various techniques [22, 14, 26, 20, 4, 21, 16, 28]. However, it is still unclear that these techniques can be applied to practical system development and reuse using mobile agents. One of the main concerns for this is that the security mechanisms are often expensive in system performance because there are trade-offs between the computational costs and the improvement on security. Therefore, we need techniques to solve the trade-offs. Especially from the viewpoint of reuse in different organizations, the security policy differences among the organizations significantly influence the trace-off concerns. Therefore we also need techniques to make mobile agent applications flexible to the security policy differences. As we consider that the pattern approach is useful to solve these problems, we propose a formal framework that supports mobile agent application development and reuse with consideration of the trade-offs between the security issues and the performance issues. One of the ways to resolve these trade-offs is to make clear the requirements for appropriate performance and security policies. In our framework, we design a mobile agent application by building a computational cost model and a security model from the re-

As wide-area open networks like the Internet and intranets grow larger, mobile agent technology is attracting more attention. Mobile agents are units of software that can deal with environmental changes and the various requirements of open networks through features such as autonomy, mobility, intelligence, cooperation, and reactivity. In addition, some people consider the agent technology as a promising solution to the reuse issue because of the aspect of the agents as highly adaptable software components. However, since the usual development methods of secure mobile agent applications are not sufficiently investigated, the technology is not yet widespread. In this paper, we propose a formal framework that supports mobile agent application development and reuse with consideration of the trade-offs between the security issues and the performance issues. In our framework, we design a mobile agent application by building a computational cost model and a security model, and combining patterns so that the combination satisfies the models. Therefore we can develop the application considering the security and the performance trade-offs. Since the models and the patterns are presented according to a formal framework, we can make sure that the pattern combination satisfies the models rigorously. In addition, if the security policy of the new environment is different from the old one in reusing the system in a new organization, we can easily modify and adapt the behavior because the pattern application can be figured out automatically by an algorithm.

1.

INTRODUCTION

As wide-spread open networks like the Internet and intranets grow larger, demand for distributed systems with

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SSR’01, May 18-20, 2001, Toronto, Ontario, Canada. Copyright 2001 ACM 1-58113-358-8/01/0005 ...$5.00.

78

quirements, and combining patterns so that the combination satisfies the models. Therefore we can develop the application considering the security and the performance trade-offs. Since the models and the patterns are presented according to a formal framework, we can make sure that the pattern combination satisfies the models rigorously. In addition, if the security policy of the new environment is different from the old one in reusing the system in a new organization, we can easily modify and adapt the behavior because the pattern application can be figured out automatically by an algorithm. This paper is organized as follows. In Section 2, we explain the development method in our technique. In Section 3, we evaluate our technique using an example. In Section 4, we compare our technique with related work. Section 5 gives some concluding remarks and future work.

2.

Figure 1: Network Model

DEVELOPMENT METHOD

In this section, we explain our development method. The method is divided into the following processes.

2.2.2 1. Four kinds of models are specified. The models include the network model, the agent computation and data model, the security model, and the computational cost model.

The agent computation and data model describes the process flow of the interactions among the agent and the other programs and the amounts of data transmitted in the computation. The process flow is represented by a collaboration diagrams including the agent, the programs and the interactions. Formally the diagrams are directed graphs. In addition, this model specifies the node in which the mobile agent is created at the beginning. This node is usually the one controlled by the agent user. The data whose amounts are specified include the program code of the mobile agent because the program code is transmitted through the network when the agent migrates. Figure 2 shows an example. The face symbol represents the mobile agent that interacts with the non-agent applications. This figure indicates that the agent is created in the node N2 at the beginning. The interactions are denoted by the arrows between the agent and a node or between two nodes. The arrows represent that data are handed from the starting point to the end point. Because our technique does not consider how many applications are operating in one node, the applications in one nodes are represented by the node circle.

2. The concrete behaviors of the mobile agent and other applications are designed by applying the patterns. The patterns represent abstract behavior fragments of the agent and the other applications. Applying the patterns means that a pattern is instantiated for each collaboration between the agent and an application or between two non-agent applications, and the instantiated patterns are composed.

2.1

Assumptions

We assume the following conditions in our technique. • We use only one mobile agent in a system. Therefore we consider neither agent clones nor inter-agent interactions. • The computational costs can be evaluated. We assume that we can evaluate how much time each application and the agent consume in each node during their operation and how much time is needed when a fixed amount of data is transmitted through each network link. These costs may be evaluated only statistically, which means that only the probabilistic distributions of the costs are known.

2.2

Agent Computation and Data Model

Models

The four kinds of models are explained as follows.

2.2.1

Network Model

Figure 1 shows our model of the network. In this figure, the network nodes are denoted by Ni (i = 1, 2, 3, . . . ) and some pairs of them, for example, Ni and Nj (i ≤ j) are connected by network links denoted by Lij . Thus our network model forms an undirected graph. Although the all nodes are connected with each other in this example, there may be a pair of nodes without a link between them. In the general cases, some nodes should mediate the communication between the unconnected nodes.

Figure 2: Agent Computation and Data Model

79

2.2.4

Figure 3 shows the order constraint of the interactions. This figure represents that the interactions should occur in the order from the upper end to the lower end of the edges. In this example, the three sequences of the interactions (1, 2, 3, 7), (1, 2, 4, 5) and (1, 2, 4, 6) should occur in order.

Computational Cost Model

The computational cost model is explained as follows. For each node Ni , the model provides the following computational costs of the node. The proper computational costs denote the times consumed by the computation proper to the applications. This kind of costs of the non-agent applications are fixed for each node Ni and represented by pcci . Therefore the total of these costs is the fixed value Σn i=1 pcci . For the agent, the cost changes according to the computational power of each node and is represented by pccai . The authentication costs denote the times consumed by the the signing and authentication procedures. The costs of the signing procedures and the authentication procedures are fixed for each node Ni and represented by sci and aci respectively. The cryptographic costs denote the times consumed by the cryptographic processes including the encryption and decryption procedures. These costs are in proportion to the amount of the encrypted data. The encrypted and decryption costs of data whose amount is a in the node Ni are represented by eci a and dci a respectively.

Figure 3: Order Constraint The amount of data transmitted in the interaction i is written as adi and the amount of the program code of the mobile agent is written as aa.

2.2.3

The communication costs denote the times consumed in transmitting data through the network links. These costs are in proportion to the amount of transmitted data. The communication costs of data whose amount is a transmitted through the link Lij is represented by cocij a.

Security Model

Our security model provides a configuration of protection domains. The protection domains consists of nodes and the network is completely divided into the protection domains. A security model represents that communications inside a protection domain can be securely performed and communications between different protection domains are not secure and therefore should be authenticated and the transmitted data should be encrypted. Figure 4 shows an example of the security model. In this example, the network is divided into the two protection domains D1 and D2 . Communications through the links L12 , L14 and L24 are secure and communications through the links L13 , L23 and L34 are not secure.

The total computational costs during a computational process are figured out as the summation of the times that are consumed by the steps of the process and calculated by the above formulas.

2.3

Patterns

Patterns consists of the following basic behaviors of mobile agents and other applications. Send data represents transmission of data between the mobile agent and an application or between two non-agent applications. The transmission may occur through a network link or inside a node. Migrate represents a migration of the mobile agent between two nodes. Security procedures represent the procedures needed for the security issues. These procedures include Encrypt, Sign, Authenticate and Decrypt. Each pattern is described by a fragment of an extended collaboration diagram. The pattern can include an arrow indicating Migrate in addition to usual collaboration arrows indicating Send Data and represented by bold arrows. In addition, the pattern may include the security procedures or not. Figure 5 to 10 show the list of the patterns without the security procedures and Figure 11 shows the security procedures that may be included in a pattern. The details of the patterns are as follows.

Figure 4: Security Model

80

• The pattern P1 (Figure 5) means that data are transmitted between two applications other than the mobile agent through a network link.

• P6 (Figure 9) and P7 (Figure 10) mean that the mobile agent migrate between two nodes first and communicate data with the application operating in the node in which the agent exists at this moment. The agent sends the data in P6 and receives the data in P7 .

Figure 5: Pattern P1 Figure 9: Pattern P6 • P2 and P3 (Figure 6) mean that data are transmitted between the mobile agent and an application other than the agent inside a node. The agent sends the data in P2 and receives the data in P3 .

Figure 10: Pattern P7

Figure 6: Patterns P2 and P3

• The patterns P1 , P4 , P5 , P6 , P7 may include the security procedures that consists of Encrypt, Sign, Authenticate and Decrypt executed in this order (Figure 11). The patterns including the security procedures for these patterns are denoted as Psi (i = 1, 4, 5, 6, 7).

• P4 (Figure 7) and P5 (Figure 8) are similar as P2 and P3 respectively except that the data are transmitted through a network link.

Figure 11: Security Procedures

Figure 7: Pattern P4

Table 1 shows the computational costs of each pattern. If the pattern includes the security procedures, the value in the row of “Costs of Security” is added to the “Costs without Security”. In this table, we suppose that the amount of the transmitted data is ad and the constant communication costs ratio is coc, that is, the least summation of the communication cost ratios of the links that connect the nodes Ni and Nj . Each pattern is applied to one of the interactions of the agent computation and data model and instantiated to a fragment of the concrete agent behavior. In the instantiation, Ni s (i = 1, 2) are changed into the concrete node names between which the interaction occurs. The pattern

Figure 8: Pattern P5

81

Patterns P1 , P4 , P5 P2 , P3 P6 P7

Costs without Security coc·ad 0 coc(aa+ad) coc·aa

Costs of Security

execute nondeterministically { apply P4 } or { apply P6 ; the current mobile agent position = the node to which the data are sent } } else { execute nondeterministically { apply P5 } or { apply P7 ; the current mobile agent position = the node from which the data are sent } }; if (this interaction is performed over the boundaries of different protection domains ) { add the security procedures }

sci +acj +(eci +dcj )ad 0 sci +acj +(eci +dcj )(aa+ad) sci +acj +(eci +dcj )aa

Table 1: Computational Costs of Patterns

application is possible only if the situation of the pattern is consistent with the interaction and the context in which the pattern application is considered. By the context, we mean that the patterns are applied in sequence in the procedure of the pattern application algorithm explained afterwards and therefore a pattern application has its context in the procedure. For example, the pattern P5 can be applied only if the interaction is initiated by the node assigned to N1 and performed against the node assigned to N2 and the agent is operating in N2 in the context of the current pattern application. The goal of our technique is to apply these patterns and compose the system behavior that satisfies the four models and makes the total computational costs the lowest. In our example, the solution is the behavior represented by the following pattern sequence.

Finally, we calculate the computational costs of each behavior and select the behavior with the least computational costs.

Ps4 → Ps5 → P4 → P4 → P1 → P5 → P1

2.5

which means that the agent stays inside the node N2 . Since it is not trivial that this behavior is the solution, we need the method to find it.

2.4

Correctness Proof of the Algorithm

In our technique, the correctness of the above algorithm can be proven. The correctness of the algorithm means that we can build the correct system behaviors by the algorithm. The correctness of the system behaviors means the following assertions.

Pattern Application Algorithm

Our method to find the system behavior includes the following two steps. 1. The candidate behaviors are created by a non-deterministic pattern application algorithm. It can be proven that the created behaviors satisfy the constraints specified by the given models as explained afterwards. 2. The behavior with the lowest computational costs is selected from the candidates. The costs are figured out by adding the costs of the pattern instances and the proper computational costs in the behaviors.

• The agent migration should be continuous. This means that the agent should migrate from the node in which the agent is operating in the beginning of the migration. • The behaviors should implement the process flow of the agent computation and data model correctly. If the mobile agent migrates through the network with carrying data, the flow of the data should be consistent with the process flow. • The behaviors should satisfy the security constraints represented by the security model. This means that the data transmission including the agent migration across the protection domain boundaries should be encrypted and authenticated.

The pattern application algorithm is to repeat the nondeterministic procedure expressed by the following pseudocode for each interaction in the agent computation and data model in the order of the interaction number. As the initial procedure, set the current mobile agent position as that specified in the agent computation and data model.

The agent migration continuity is proven as follows. For the proof, we only need to check if in each step of the algorithm, the agent always starts to operate in the node in which the agent completed its operation in the previous pattern or was created at the beginning if the algorithm step is the first one. This can be easily checked by examining each case of the pattern application in the algorithm step. The correctness of the process flow implementation is proven by checking that in each pattern application in the algorithm the data flows of the pattern and the model coincide. This check is straightforward. The security constraint satisfaction is clear because the security procedures are always added to the interactions performed over the boundaries of different protection domains.

if (this interaction is not involved with the mobile agent ) { apply P1 } else if (this interaction is performed inside a node ) { apply P2 or P3 according to the direction of the interaction } else if (the agent sends data ) {

82

3.

EVALUATION OF OUR TECHNIQUE

Sequence 1 Sequence 2 Sequence 3

In this section, we evaluate our technique by examining the example. In detail, we evaluate the following aspects. • How much does our technique resolve the trade-offs between computational costs and the security?

Case 1 13 14 15

Case 2 53 34 41

Case 3 53 60 57

Table 2: Evaluation of the Trade-Off Resolution

• How flexibly can our technique handle the security policy differences? In this evaluation, we fix the computational cost parameters as follows. • pcci = pccai = sci = aci = eci = dci = 1 (i = 1, . . . , 7) Note that we can omit the proper computational costs in the following comparisons because the above specifications shows that all computation includes the same proper computation costs. • cocij = 1 (i, j = 1, . . . , 7) • aa = ad1 = ad3 = ad4 = ad5 = ad7 = 2 • ad2 = 3 Figure 12: Graph for the Evaluation of the TradeOff Resolution

• ad6 = 1

3.1

Trade-off Resolution

First, we show some examples of the results of the algorithm as follows.

3.2

• Sequence 1:

Handling Security Policy Differences

Next, we evaluate the flexibility of our technique with security policy differences. For example, we assume that the security model differs from that shown before (called Security Model 1 hereafter) to the one shown in Figure 13 (called Security Model 2 hereafter).

P6 → P3 → P4 → P4 → P1 → P5 → P1 • Sequence 2: P4 → P5 → P4 → P4 → P1 → P5 → P1 • Sequence 3: P6 → P3 → P6 → P4 → P1 → P5 → P1 In order to look how much our technique resolves the trade-offs, we compare the computational costs of these sequences with the following three cases. • First, we do not consider security at all. This means that we apply the patterns as if the whole network spreads within one protection domain and therefore we do not need to apply any security procedures. • Second, we apply the security model described before in a usual way. • Third, we incorporate the security procedures in all of the data transmission through the links. This means that we apply the patterns as if each node forms one protection domain and therefore the all links cross over the boundaries of the protection domains.

Figure 13: Different Security Model

The results are shown in Table 2 and Figure 12. We can see the following facts from these results.

The comparison of the computational costs for these security models are shown in Table 3 and Figure 14. Table 3 shows that Sequence 3 should be selected for Security Model 2. Thus we can see that we can appropriately change the system behaviors automatically and easily handle with the security policy differences, while finding such alternative behavior is difficult in an ad hoc manner. “Appropriately” means that we can make the computational costs the lowest without violating the new security policy.

• The Sequence 1 is better in Case 1 and 3, while the Sequence 2 is better in Case 2. Thus, the behaviors we should select may differ according to the security consideration. • It is usually very expensive to consider security too much like in Case 3.

83

Sequence 1 Sequence 2 Sequence 3

Security Model 1 53 34 41

Security Model 2 53 60 41

technology is important and therefore we have made use of the formal framework proposed in this paper.

5.

Table 3: Evaluation of the Flexibility for Security Policy Differences

• We only considered the computational time as the performance issue and the concept of the protection domains as the security issue. However, there are many issues for performance and security. We would like to examine more practical models for these issues.

Figure 14: Graph for the Evaluation of the Flexibility for Security Policy Differences

4.

CONCLUSIONS

We proposed a formal framework that supports mobile agent application development with consideration of the tradeoffs between the security issues and the performance issues. In our framework, we design a mobile agent application by building a computational cost model and a security model, and combining patterns so that the combination satisfies the models. Therefore we can develop the application considering the security and the performance trade-offs. Since the models and the patterns are presented according to a formal framework, we can make sure that the pattern combination satisfies the models rigorously. In addition, if the security policies differ, we can easily modify the behavior because the pattern application can be figured out automatically by an algorithm. We are planning to apply our technique to practical applications and examine the advantage of our technique. In detail, we have the following future works.

• Our assumptions on our technique are not so practical. Therefore, for example, we would like to consider interagent interactions. It will be also important to investigate in which kinds of application domains the computational costs can be appropriately evaluated and thus our technique can be applied to those domains.

RELATED WORK

In this section, we compare our technique with related work. There are several other researches [24, 2, 17, 23, 1, 25, 13] of agent design patterns. However, most of these researches does not consider the security issues. Although [24] proposes some security patterns, it does not consider the trade-offs between the security and the performance issues. In addition, these researches does not have formal backgrounds. There are many researches of mobile agent security [22, 14, 26, 20, 4, 21, 16, 28]. Some of them are investigating the issue in formal frameworks. However, they seldom consider the performance issue because the mobile agent security issue itself is rather difficult. On the other hand, we treat only the simple security model with the concept of protection domains and the encryption/authentication mechanisms. We can consider the security and performance trade-offs by this restriction. Many researchers have been investigating software engineering for security in general contexts [9]. However, as the summary paper describes (pp. 228–229), there are few works on security consideration in software design phase with solving the trade-offs between the security and the other issues, especially for mobile codes or agents. Our paper proposes one direction for the solution of this problem. On the other hand, some researchers are working on consideration of computational costs of mobile agents [7, 3, 15]. However, these researches little consider the security issues. We succeed in considering both the security issues and the computational costs by making a simple formal model and using patterns. We can also find some researches of formal software patterns [19, 10, 12]. However, these researches do not treat the mobile agents nor the security issues. We consider that formal treatment of the security issues of the mobile agent

Acknowledgments We would like to thank Dr. Yoshio Masubuchi, the Leader of Computer and Network Systems Laboratory, who gave us the opportunity of this research.

6.

REFERENCES

[1] Amund Aarsten, Davide Brugali, and Giuseppe Menga. Patterns for cooperation. In Proceedings of PLOP’96, number AI98-40, pages 55–62, 1996. [2] Yariv Aridor and Danny B. Lange. Agent design patterns: Elements of agent application design. In Proceedings of Agents’98, 1998. [3] M. Baldi and G.P. Picco. Evaluating the tradeoffs of mobile code design paradigms in network management applications. In Proceedings of the 20 th International Conference on Software Engineering, pages 146–155. IEEE, 1998. [4] Shimshon Berkovits, Joshua D. Guttman, and Vipin Swarup. Authentication for mobile agents. In Vigna [27], pages 114–136. [5] M. Bogner. Realizing “Consciousness” in Software Agents. PhD thesis, The University of Memphis, 1999. Available on http://www.rhodesalumni.org/~myles/memphis/ RealizingConsciousnessInSoftwareAgents.pdf. [6] Jeffrey Bradshaw. Software Agents. AAAI Press/The MIT Press, 1997.

84

[20] George C. Necula and Peter Lee. Safe, untrusted agents using proof-carrying code. In Vigna [27], pages 61–91. [21] John K. Ousterhout, Jacob Y. Levy, and Brent B. Welch. The Safe-Tcl security model. In Vigna [27], pages 217–234. [22] Tomas Sander and Christian F. Tschudin. Protecting mobile agents against malicious hosts. In Vigna [27], pages 44–60. [23] Alberto Silva and Jos´e Delgado. The agent pattern: A design pattern for dynamic and distributed applications. In Third European Conference on Pattern Languages of Programming and Computing, 1998. [24] Yasuyuki Tahara, Akihiko Ohsuga, and Shinichi Honiden. Agent system development method based on agent patterns. In Proceedings of the 21st International Conference on Software Engineering, pages 356–367. IEEE, 1999. [25] Robert Tolksdorf. Coordination patterns of mobile information agents. In Matthias Klusch and Gerhard Weiß, editors, Cooperative Information Agents II, number AI98-40, pages 246–261, 1998. [26] Giovanni Vigna. Cryptographic traces for mobile agents. In Moblie Agents and Security [27], pages 137–153. [27] Giovanni Vigna, editor. Moblie Agents and Security, LNCS 1419. Springer Verlag, 1998. [28] N. Yoshioka, Y. Tahara, A. Ohsuga, and S. Honiden. Safety and security in mobile agents. In P. Ciancarini and M. Wooldridge, editors, Draft Proceedings of AOSE2000, pages 107–126, 2000.

[7] Antonio Carzaniga, Gian Pietro Picco, and Giovanni Vigna. Designing distributed applications with mobile code paradigms. In Proceedings of the 19th International Conference on Software Engineering, pages 22–33. ACM Press, May 1997. [8] David M. Chess. Security issues in mobile code systems. In Vigna [27], pages 1–14. [9] P. Devanbu and S. Stubblebine. Software engineering for security: A roadmap. In A. Finkelstein, editor, The future of Software Engineering, pages 225–240. ACM, 2000. [10] A. H. Eden, Y. Hirshfeld, and A. Yehudai. Multicast − observer = typed message. C++ Report, October 1998. [11] Erich Gamma, Richard Helm, Ralph Johnson, and John Vlissides. Design Patterns. Addison-Wesley, 1995. [12] B. Geppert and F. R¨ oßler. Generic engineering of communication protocols – current experince and future issues. In Proceedings of the ICFEM’97. IEEE, 1997. [13] Steven Y. Goldsmith, Shanon V. Spires, and Laurence R. Phillips. Object framework for agent system development. In Matthias Klusch and Gerhard Weiß, editors, Proceedings of AAAI-98 Workshop on Software Tools for Developing Agents, number AI98-40, pages 246–261, 1998. [14] Fritz Hohl. Time limited blackbox security; protecting mobile agents from malicious hosts. In Vigna [27], pages 92–113. [15] L. Ismail and D. Hagimont. A performance evaluation of the mobile agent paradigm. In Proceedings of OOPSLA’99, pages 306–313. ACM Press, 1999. [16] G¨ unter Karjoth, Danny B. Lange, and Mitsuru Oshima. A security model for aglets. IEEE Internet Computing, 1(4):68–77, July/August 1998. [17] Elizabeth A. Kendall, Chirag V. Pathak, P. V. Murali Krishna, and C. B. Suresh. The layered agent pattern language. In Proceedings of PLoP’97, 1997. [18] F. Kumeno, Y. Tahara, A. Ohsuga, and S. Honiden. Flage: Field-oriented language for agents model. In W. B. Frakes, editor, Third International Conference on Software Reuse, pages 198–199, Los Alamitos, 1994. IEEE Computer Society Press. [19] T. Mikkonen. Formalizing design patterns. In Proceedings of the 20 th International Conference on Software Engineering, pages 115–124. IEEE Computer Society, 1998.

85

Suggest Documents