Defense and attack of complex and dependent systems About This Paper & Paper Agenda Defining the problem and model Introduction About This Paper & Paper Agenda Introduction Defining the problem and model Scenario Conclusion Systems with independent targets Interdependent targets Scenario - Systems with independent targets Scenario - Interdependent targets Conclusion State dependent systems analyzed with Markov analysis Analyzing dependent systems as repeated games: load sharing system Scenario - State dependent systems analyzed with Markov analysis Analyzing dependent systems as repeated games: load sharing system 2018/11/23 NTU IM OPLAB

About this paper and presentation Journal Reliability Engineering and System Safety Author Kjell Hausken Advisor Frank, Yeong-Sung Lin Presenter Chung-Ting Shing 2018/11/23 NTU IM OPLAB 3

Agenda Introduction Defining the problem and model Scenario: Systems with independent targets Interdependent targets State dependent systems analyzed with Markov analysis Analyzing dependent systems as repeated games: load sharing system Conclusion 2018/11/23 NTU IM OPLAB 4

Introduction Crucial strategic decisions for defenders and attackers are resource allocation across targets. The strategic nature, and ever changing dynamic, of multiple attackers interacting with defenders need to be fully accounted for. The defender’s point of view is of interest when defending infrastructures. The attacker’s point of view is of interest when terminating infrastructures or ensuring that these malfunction. 2018/11/23 NTU IM OPLAB 6

Introduction An arbitrarily complex system or infrastructure is considered with targets that are in parallel, series, combined series-parallel, complex, k-out-of-n redundancy, assuming targets that can be independent, interdependent, or dependent. The functionality or successful operation of each target depends on the relative investments in defense versus attack and how the targets are joined together. 2018/11/23 NTU IM OPLAB 7

Nomenclature 2018/11/23 NTU IM OPLAB 9

Defining the problem An infrastructure refers to assets that support an economy, such as roads, power supply, water supply, hospital, and other assets. The defender minimizes the expected damage of the infrastructure, and the attacker maximizes the expected damage. Damage measures the value, including a system’s ability to function reliability according to its stated objective, such as serving a population. 2018/11/23 NTU IM OPLAB 10

Defining the problem The defender makes n investments t1, t2, …, tn, to ensure that the n targets function reliably, and the attacker similarly makes n investment T1, T2, …, Tn, to ensure that the n targets do not function reliably. A common game theoretic method is to assume that the defender and attacker choose their investments simultaneously and independently for each of the n targets. 2018/11/23 NTU IM OPLAB 11

Contest success function Mi expresses the intensity of the contest over target i With infinite defensive investment, and finite offensive investment, the target is 100% reliable and pi=0 With infinite offensive investment, and finite defensive investment, the target is 0% reliable and pi=1 2018/11/23 NTU IM OPLAB 12

Contest success function The contest success function in (1), especially with the intensity parameter mi, provides substantial flexibility for how the reliability of the system depends on the resources expended by the defender and attacker. The attacker faces the dilemma between accepting this increased reliability, or expending more resources to reduce the reliability. 2018/11/23 NTU IM OPLAB 13

System with independent targets Parallel targets Targets in series Combined series-parallel systems Complex systems k-out-of-n redundancy Independent targets Independent subsystems 2018/11/23 NTU IM OPLAB 15

System with independent targets Parallel targets Targets in series Combined series-parallel systems Complex systems k-out-of-n redundancy Independent targets Independent subsystems 2018/11/23 NTU IM OPLAB 16

Parallel targets A parallel system with n targets functions successfully if at least one target functions successfully. Examples are several bridges across a river, and two electricity companies which can both serve the public if the other is disabled. 1 2 2018/11/23 NTU IM OPLAB 17

Parallel targets The expected damage for target i is vipi. The damage or expected damage if the entire system of n parallel targets is disabled is v. The expected damage d and utility u for the defender are The expected damage D and utility U for the attacker are 2018/11/23 NTU IM OPLAB 18

Parallel targets Any additional damage will degrade the utility of the defender and improve that of the attacker. The defender maximizes his utility u, and the attacker maximizes his utility U. 2018/11/23 NTU IM OPLAB 19

Parallel targets The two left hand sides are equal when Vi = vi and V = v which gives Inserting (6) into (2) and (3) gives 2018/11/23 NTU IM OPLAB 20

Parallel targets Differentiating (4) and inserting ti = CiTi/ci, the second order conditions are Which are satisfied when 2018/11/23 NTU IM OPLAB

System with independent targets Parallel targets Targets in series Combined series-parallel systems Complex systems k-out-of-n redundancy Independent targets Independent subsystems 2018/11/23 NTU IM OPLAB

Targets in series A series system with n targets functions successfully if all targets function successfully. Examples are water supply lines, oil/gas pipelines, and transport of valuables which may be attacked at various points along a route. 1 2 The expected damages and utilities are 2018/11/23 NTU IM OPLAB

Targets in series Solving the first order conditions when Vi = vi and V = v gives The second order conditions are satisfied when (9) is satisfied. 2018/11/23 NTU IM OPLAB

System with independent targets Parallel targets Targets in series Combined series-parallel systems Complex systems k-out-of-n redundancy Independent targets Independent subsystems 2018/11/23 NTU IM OPLAB

Combined series-parallel systems One serial component 1 and two parallel components 2 and 3. The probability of disabling the system is 1 – ( 1 – p1)(1 - p2p3) 2018/11/23 NTU IM OPLAB

Combined series-parallel systems The expected utilities are Solving the first order conditions when mi = 1, Vi = vi = 0 and V = v gives 2018/11/23 NTU IM OPLAB

System with independent targets Parallel targets Targets in series Combined series-parallel systems Complex systems k-out-of-n redundancy Independent targets Independent subsystems 2018/11/23 NTU IM OPLAB

Complex systems Assume attacker contest success pE in (1) for target E. If target E is not destroyed, which occurs with probability 1 – pE If target E is destroyed, which occurs with probability pE 2018/11/23 NTU IM OPLAB

Complex systems Fig. 3b disabled with probability pb is descriptive. Fig. 3c disabled with probability pc is descriptive. The expected utilities are 2018/11/23 NTU IM OPLAB

Complex systems Solving the first order conditions when mi = 1, Vi = vi = 0 and V = v gives 2018/11/23 NTU IM OPLAB

System with independent targets Parallel targets Targets in series Combined series-parallel systems Complex systems k-out-of-n redundancy Independent targets Independent subsystems 2018/11/23 NTU IM OPLAB

K-out-of-n redundancy Assume that a parallel system of n identical targets is attacked successfully if at least k, 1 <= k <= n, targets are attacked successfully, which occurs with probability Where we assume that all parameters for all targets are equivalent. The defender’s and attacker’s expected damage and utility are 2018/11/23 NTU IM OPLAB

System with independent targets Parallel targets Targets in series Combined series-parallel systems Complex systems k-out-of-n redundancy Independent targets Independent subsystems 2018/11/23 NTU IM OPLAB

Independent targets Independent targets have no connection with other targets. Examples are geographically remote targets which are self-sufficient with no external impact, or a country’s interests of various kinds abroad. The expected damage and utility for the defender and attacker are 2018/11/23 NTU IM OPLAB

System with independent targets Parallel targets Targets in series Combined series-parallel systems Complex systems k-out-of-n redundancy Independent targets Independent subsystems 2018/11/23 NTU IM OPLAB

Independent subsystems Assume a system with N subsystems and ni targets in subsystem j which suffer damage δj and Δj as assessed by the defender and attacker, respectively, j = 1, … ,N. The expected damage and utility for the defender and attacker are 2018/11/23 NTU IM OPLAB

Interdependent targets A subclass of dependent systems. For a system to be interdependent, mutual dependence in the sense of two-way causation among at least two components must be present. When the defense and attack of one target impact and are impacted by other targets, the system is interdependent. Examples occur within the airline industry, computer networks, fire protection, etc. 2018/11/23 NTU IM OPLAB

Interdependent targets With increasing interdependence, each defending agent free rides by investing less, and suffers lower profit, while the attacker enjoys higher profit. The expected damage and utility for the defender of a system of n interdependent targets are 2018/11/23 NTU IM OPLAB

Interdependent targets To account for the interdependence, the probability pi of a successful attack on target i has to be changed Where αik is the interdependence between targets i and k. Without interdependence, that is αik = 0 for all i ≠ k, (26) simplifies to (1). 2018/11/23 NTU IM OPLAB

Example 1: two interdependent targets For two interdependent targets 4 and 5, (26) becomes And (24) and (25) become 2018/11/23 NTU IM OPLAB

Example 1: two interdependent targets When α45 = α54 = α and mk = 1 to yield 2018/11/23 NTU IM OPLAB 43

Example 1: two interdependent targets Inserting (29) – (33) into (28) gives Inserting v5=v4, c5=c4, V5=V4, C5=C4 and V4=v4, C4=c4, V5=v5, C5=c5 into (29) – (34) gives 2018/11/23 NTU IM OPLAB

Example 2: instantiating and validating the model with the attack on the Tokyo underground Consider the March 20, 1995 sarin gas attack on the Tokyo Underground by Aum Shinrikyo. Let us define reliability as the safety of the population. We consider the Tokyo Underground as our first component, and Tokyo hospitals receiving victims from the attack as our second component. The infrastructure thus matches the interdependent subsystem with two interdependent components 6 and 7, which are the Tokyo Underground and Tokyo hospitals. 2018/11/23 NTU IM OPLAB

Example 2: instantiating and validating the model with the attack on the Tokyo underground Victims were transferred from components 6 to 7, with no influence in the opposite direction, and hence α67 = 0 and α76 > 0 in (26). Because components 6 is geographically dispersed, c6 is high and C6 is low. However, components 7 is less dispersed and hence c7 and C7 are likely intermediate. Because the contest intensity is low for dispersed systems, and hence m6 is low. However, there are few targets with equipment to handle the attack and then m7 is higher. 2018/11/23 NTU IM OPLAB

Example 2: instantiating and validating the model with the attack on the Tokyo underground 8 people died and 275 were seriously injured 2 people died and 231 were seriously injured 2018/11/23 NTU IM OPLAB

Example 2: instantiating and validating the model with the attack on the Tokyo underground 1 death and 358 serious injuries 1 death and 532 serious injuries Over 200 serious injuries 2018/11/23 NTU IM OPLAB

Example 2: instantiating and validating the model with the attack on the Tokyo underground The hospitals were not attacked, T7 = 0, and were defended. After the attack Tokyo hospitals saw 5510 patients, of these 12 died, 50 were severely injured, and 984 were moderately ill with vision problems. The defender has to strike a balance between passenger safety and efficiency. 2018/11/23 NTU IM OPLAB 49

Example 2: instantiating and validating the model with the attack on the Tokyo underground For m6 = m7 = 1, α67 = 0, α76 = ½ we use (24) and (25) to solve ∂u67/ ∂t6 = 0, ∂u67/ ∂t7 = 0, ∂U67/ ∂T6 = 0, ∂U67/ ∂T7 = 0 which gives 2018/11/23 NTU IM OPLAB 50

Example 2: instantiating and validating the model with the attack on the Tokyo underground Which show how all the four strategic choice variables and two utilities. 2018/11/23 NTU IM OPLAB 51

Example 2: instantiating and validating the model with the attack on the Tokyo underground To illustrate the exact impact of c6, inserting v6 = v7 = V6 = V7 =c7 = C6 = C7 =1 into (37) – (42) gives A decrease of the unit cost c6 of implementing a measure causes the defender to invest more to protect the Tokyo Underground, ∂t6/ ∂c6 < 0, invest less to protect the hospitals, ∂t7/ ∂c6 > 0, and earn higher utility, ∂u67/ ∂c6 < 0. 2018/11/23 NTU IM OPLAB 52

State dependent systems analyzed with Markov analysis We add time τ = 0 in (1), and that pi(τ) thereafter varies with time τ. 1 - pi(τ) defined as the reliability, decrease with τ. Where the random variable T is the time to system failure. The conditional probability of failure per time unit is γi(τ) is target i’s attack success rate which can be positive or negative. 2018/11/23 NTU IM OPLAB

State dependent systems analyzed with Markov analysis Qj(τ) is the probability of being in state j at time τ, Σ4i=1Qj(τ) = 1. For a two-target series system 1- Q1(τ) is the attacker’s contest success probability. For a two-target parallel system Q4(τ) is the attacker’s contest success probability. Define γ1(τ) as the transition rate from states 1 to 2, and from states 3 to 4. Define γ2(τ) as the transition rate from states 1 to 3, and from states 2 to 4. 2018/11/23 NTU IM OPLAB

State dependent systems analyzed with Markov analysis The system’s evolution can thus be described with If one target fails in a load sharing system of two parallel targets, then the attack success rate of the other target increases. γ+1(τ) is the transition rates from states 3 to 4. γ+2(τ) is the transition rates from states 2 to 4. 2018/11/23 NTU IM OPLAB 56

State dependent systems analyzed with Markov analysis A two target standby system where the standby target 2 has a decreased attack success rate while in its standby modus γ-2(τ) is the transition rates from states 1 to 3. 2018/11/23 NTU IM OPLAB 57

State dependent systems analyzed with Markov analysis Consider a system which can be fully operational(state 1), degraded(state 2), and failed(state 3). γ2(τ) is the transition rates from states 1 to 3. γ2(τ) is the transition rates from states 1 to 2. γ2(τ) is the transition rates from states 2 to 3. Q3(τ) = 1 - Q1(τ) – Q2(τ) Consider a system which can be in three states. With transition rates γ1(τ) and γ2(τ) from the operational state to the two failure modes. 2018/11/23 NTU IM OPLAB 58

Analyzing dependent systems as repeated games: load sharing system A load sharing system of two parallel targets A and B as a two period game. In the first period, both agents make their strategic choices simultaneously and independently, expecting future choices in the second period. There are four states in the former table, and these occur with probabilities (1 – pA1)(1 – pB1), pA1(1 – pB1), (1 – pA1) pB1, and pA1 pB1, respectively. 2018/11/23 NTU IM OPLAB

Analyzing dependent systems as repeated games: load sharing system In the second period, the agents know the outcome and choices in the first period. If the system is in state 1, the costs remain unchanged, and the agents make strategic choices tA2, tB2, TA2, TB2. If the system is in state 2, the unit cost of defending target B increases to c+B, the unit cost of attacking it decreases to C-B, and its contest intensity increases to m+B. The defender protects with tloadB2, the attacker attacks with TloadB2, and there are no investments for target A. 2018/11/23 NTU IM OPLAB

Analyzing dependent systems as repeated games: load sharing system Analogously, if the system is in state 3, the changes are to c+A, C-A, and m+A, with investments tloadA2 and TloadA2, and no investments for target B. Which shows how the second period contest successes depend on the outcome of the first period if at least one target fails in the first period. 2018/11/23 NTU IM OPLAB 62

Analyzing dependent systems as repeated games: load sharing system If the system is in the state 4, we assume contest success 1 for both targets in period 2, both agents refrain from period 2 investments, the defender suffers a loss v, and the attacker enjoys a gain V. Where δ and Δ are discount factors. 2018/11/23 NTU IM OPLAB 63

Analyzing dependent systems as repeated games: load sharing system We solve the game with backward induction starting with the second period. ∂u/∂tA2 = ∂u/∂tB2 = ∂u/∂tloadA2 = ∂u/∂tloadB2 = 0 ∂U/∂tA2 = ∂U/∂tB2 = ∂U/∂tloadA2 = ∂U/∂tloadB2 = 0 2018/11/23 NTU IM OPLAB 64

Analyzing dependent systems as repeated games: load sharing system Setting all parameters equal to 1 except c+A = c+B = 2 and V = v, and inserting into (54) – (56) gives Where the utilities depend only on the first period choice variable. Differentiating the utilities gives the first order conditions 2018/11/23 NTU IM OPLAB 65

Analyzing dependent systems as repeated games: load sharing system Which are solved to yield Both agents suffer negative first period utilities, which the attacker accepts since an overall positive utility is obtained. 2018/11/23 NTU IM OPLAB 66

Analyzing dependent systems as repeated games: load sharing system As comparison standard, setting all parameters equal to 1, and V = v, gives 2018/11/23 NTU IM OPLAB 67

Analyzing dependent systems as repeated games: load sharing system Which are solved to yield Hence the defender enjoys a higher utility, and the attacker suffers a lower utility, when the second period unit defense cost for one remaining operating target decreases from 2 to 1. 2018/11/23 NTU IM OPLAB 68

Analyzing dependent systems as repeated games: load sharing system As a final comparison standard, the solution of a one period system of two parallel targets where all parameters equal to 1, determined by inserting into (6) and (7) and setting vi = 0, is The attacker thus prefers the two period dependent system where the failures inflicted in the first period are enjoyed in the second period. 2018/11/23 NTU IM OPLAB 69

Analyzing dependent systems as repeated games: load sharing system The defender prefers each period to start with two operational targets. The attacker earns only 0 utility in the one period game in (63) follows since parallel systems are challenging to attack since both targets have to be disabled. With more than two targets, the attacker can earn negative utility and then refrains from attacking. The attacker can earn positive utility in a one period parallel target if the contest intensity is low and there are few targets. 2018/11/23 NTU IM OPLAB 70

Conclusion The article develops a framework for how to defend and attack complex and dependent systems. The strategic decision for each agent is how much to invest each target within the system, and how to allocate investments across targets. A target can have economic, human, and symbolic values, which may differ for the defender and attacker. A complex system is analyzed with decomposition. 2018/11/23 NTU IM OPLAB

Conclusion The contest intensity can be defined as fuzzy variables and fuzzy logic models can be studied. The range of possible variation of contest intensity can be determined and the most conservative “worst case” defense strategy can be obtained under the assumption that contest intensity takes the value that are most favorable for the attacker. 2018/11/23 NTU IM OPLAB 73

Thanks for your listening! 2018/11/23 NTU IM OPLAB