Advisor: Yeong-Sung Lin Presented by Chi-Hsiang Chan Separation in Homogeneous Systems with Independent Identical Elements G Levitin, K Hausken Advisor: Yeong-Sung Lin Presented by Chi-Hsiang Chan 2018/12/3
Agenda Introduction The Model The defender protects each element equally, no performance redundancy The defender protects a subset of the elements, no performance redundancy The defender protects a subset of the elements, the attacker attack a subset of elements, no performance redundancy Systems with performance redundancy Conclusion 2018/12/3
Introduction 2018/12/3
Introduction Researchers use reliability theory to develop risk-reduction strategies have typically assumed a static threat. Bier and Abhichandani(2002) and Bier et al.(2005) assume that the defender minimizes the success probability and expected damage of an attack. Levitin(2007) determines the expected damage for any distribution of the attacker's and the defender's effort in complex multi-state systems. 2018/12/3
Introduction The September 11, 2001 attack illustrated that major threats today involve strategic attackers. There is a need to proceed beyond earlier research and assume that both the defender and attacker of a system are fully strategic optimizing agents. 2018/12/3
Introduction O’Hanlon(2002) et al. applied game theory to analyze components in isolation. Hausken(2002) for an analysis where one agent defends each component in a system. Kunreuther and Heal(2003) and Hausken(2006) for interdependence between components. Hausken(2008) for defense and attack of series and parallel system. 2018/12/3
Introduction Two main actions available to the defender for reducing the expected risk associated with an attack are separation of system elements and their protection. Separation is a rightfully acknowledged and standard practice for reducing system risk in the face of intentional and non-intentional impacts. The protection is a technical of organizational measure aimed at the reduction of the destruction probability of system elements in the case of attack. 2018/12/3
Introduction There exist two methodological approached in studying the system defense problem. First one develops computational tools and techniques for optimizing any specific system defense based on system structure, resources and features of the threats. The second one considers the simplest models in order to analyze the most universal effects and obtain the general insights. 2018/12/3
Introduction This article considers a simplest homogeneous system which van be separated into independent identical parallel elements. Assumes: Each element can either work with nominal performance or be completely destroyed. The elements are so simple that their structure cannot affect their vulnerability. The sake of simplicity that vulnerability of any elements is the same if as the protection and attack efforts are the same. 2018/12/3
The Model 2018/12/3
Nomenclature R,r attacker’s and defender’s resources T,t attacker’s and defender’s effort per single element m contest intensity s separation cost G cumulative system performance N number of identical separated system elements M number of protected elements v element vulnerability F system demand D expected damage Q number of attacked elements 2018/12/3
The Model The model is a system with total cumulative performance G. The system can be separated into N independent elements with the same functionality having performance G/N each. A single successful attack on the separated system can destroy only one element, and cause system cumulative performance reduction from G to G(N-1)/N. 2018/12/3
The Model The total attacker’s resource is R, the total defender’s resource is r. Defender distributed one’s resource between separation s and protection (r-s). The connection between effort and resource is T=R/N and t=(r-s)/N. The vulnerability of any element is determined by a contest between the defender and the attacker. (1) 2018/12/3
Contest Intensity m m ≥0 is a parameter that expresses the intensity of the contest. A benchmark intermediate value is m=1, where the investment have proportional impact on the vulnerability. 0 < m < 1gives a disproportional advantage of investing less than one’s opponent. m>1 gives a disproportional advantage of investing more effort than one’s opponent. m=0 , vulnerability = 50% m=∞ gives a step function where “ winner-takes-all”. The parameter m is a characteristic of the contest which can be illustrated by the history of warfare. 2018/12/3
The Model Having the vulnerabilities of system elements as functions of the attacker’s and the defender’s efforts both agents can estimate the expected damage D caused by the attack for any possible distribution of these efforts. The defender builds the system over time. The attacker takes it as given when he chooses his attack strategy. Therefore, we have to analyze a two period minmax game where the defender moves first and then the attacker moves. 2018/12/3
The defender protects each element equally, no performance redundancy 2018/12/3
The defender protects each element equally, no performance redundancy No performance redundancy means that any reduction in performance causes damage. The probability that k out of N elements are destroyed by the attacker is The damage caused by destruction is kG/N. The expected damage can be obtained as (2) 2018/12/3
The defender protects each element equally, no performance redundancy Proposition 1. Separation with even allocation of the defender’s effort is not beneficial for the defender. Without separation N=1 and s=0, therefore T=R/N and t=r/N. The expected damage is (3) With separation N>1, s>0 and T=R/N, t=(r-s)/N. (4) 2018/12/3
The defender protects a subset of the elements, no performance redundancy 2018/12/3
The defender protects a subset of the elements, no performance redundancy The defender separates the parallel system into N identical elements, but only M elements are protected. The attacker does not know which elements are protected and attacks all of the elements. The effort per elements of attacker and defender is T=R/N and t=(r-s)/M. We assume that this even allocation of the attacker’s resource is known by the defender. 2018/12/3
The defender protects a subset of the elements, no performance redundancy The vulnerability of each one of M protected elements is (5) The expected damage associated with unprotected elements is (6) The expected damage associated with protected elements is (7) The total expected damage is (8) 2018/12/3
The defender protects a subset of the elements, no performance redundancy The optimal number of protected elements can be obtained from the equation: (9) For m>1 (10) (10) can be rewritten in the form T/t=w(m). M obtained from (10) should be rounded upwards of downwards to the closest integer dependent on which of these two integers gives the lowest D as determined by (8) 2018/12/3
The defender protects a subset of the elements, no performance redundancy Inserting (10) into (8) gives the minimal expected damage (11) where the function u(m) also can be written as g(w(m),m)= 2018/12/3
The defender protects a subset of the elements, no performance redundancy 2018/12/3
The defender protects a subset of the elements, no performance redundancy Proposition 2. When the contest intensity m>1 and rioe n <1, the defender protects M out of N elements as specified by (10). When m≤1, or m>1 and ≥1 the defender protects all N elements and the expected damage D is given by (4) When m ≤1, ∂D/ ∂M is always negative. When ≥1, M obtained from (10)is greater than N. M ≤ N. Inserting M=N into (8) gives(4) 2018/12/3
The defender protects a subset of the elements, no performance redundancy Low contest intensity requires fewer resources. This explains that when m is low, the defender can more easily afford to defend all elements. 2018/12/3
The defender protects a subset of the elements, no performance redundancy When m decrease from 2 to 1, W(m) grows rapidly to infinity which violates the condition <1. For m>1 the separation is beneficial if the expected damage is less than in the case without separation. The condition of the separation efficiency is (12) Which can be written as (13) 2018/12/3
The defender protects a subset of the elements, no performance redundancy From (10) and (11) follow that (14) Rewrite (12) as (15) Which can find out M/N (16) 2018/12/3
The defender protects a subset of the elements, no performance redundancy M/N should not exceed 1 (17) From which (18) The combination of (13) and (18) constitutes the condition of separation efficiency. 2018/12/3
The defender protects a subset of the elements, no performance redundancy If the separation cost is negligible (s<<r) inequality (13) takes the form (19) Proposition 3. If the separation cost is negligible, the separation with protecting a subset of the elements is beneficial when (18) hold non-negative for any m>1. H(r/R,m)=0 when R/r=w(m)= , otherwise, H(r/R,m) > 0 2018/12/3
The defender protects a subset of the elements, no performance redundancy In practice the exact value of the contest intensity is not known. Therefore it would be useful to suggest a practical way to choose M for a certain interval of contest intensities m. Assume that instead of (10)one uses the following equation (20) which replace w(m) = x 2018/12/3
The defender protects a subset of the elements, no performance redundancy Substituting M with N(r-s)x/R in (8) we obtain the expected damage (21) For any m the expected damage obtain for (20) exceeds the expected damage obtain for (10)by (22) 2018/12/3
The defender protects a subset of the elements, no performance redundancy In the interval one has to choose such x that minimizes the maximal increase of the expected damage above the value (23) For 2 ≤m ≤20, x=0.83; for 21 ≤m ≤50, x=0.9. When the contest is highly intensive( m →∞,“winner-takes-all”), x→1 2018/12/3
The defender protects a subset of the elements, no performance redundancy The separation is not beneficial when the contest intensity is low (m<2). For 2 ≤m ≤20, M should be as close as possible to For 21 ≤m ≤50, M should be as close as possible to In the “winner-takes-all” situation(m →∞), M should be as close as possible, but less than 2018/12/3
The defender protects a subset of the elements, no performance redundancy 2018/12/3
The defender protects a subset of the elements, the attacker attack a subset of elements, no performance redundancy 2018/12/3
The defender protects a subset of the elements, the attacker attack a subset of elements, no performance redundancy The defender protects M elements, and the attacker attacks Q elements. T=R/Q , t=(r-s)/M The probability that the attacker attacks exactly q protected elements is (24) Vulnerability of each element is (25) 2018/12/3
The defender protects a subset of the elements, the attacker attack a subset of elements, no performance redundancy The probability that exactly k elements are destroyed out of q protected elements that are attacked is (26) Total destroyed elements s=k+Q-q. The probability of destruction of exactly s elements can be obtained as (27) 2018/12/3
The defender protects a subset of the elements, the attacker attack a subset of elements, no performance redundancy We can obtain the expected damage caused by the attack as (28) The optimal values of M and Q can be obtained by the following enumerative procedure. 2018/12/3
The defender protects a subset of the elements, the attacker attack a subset of elements, no performance redundancy 2018/12/3
The defender protects a subset of the elements, the attacker attack a subset of elements, no performance redundancy 2018/12/3
Systems with performance redundancy 2018/12/3
Systems with performance redundancy Assume that the system must meet a demand F<G. If the number of destroyed elements is k, the damage is (29) The expected damage can be obtained as (30) (here we assume that M=N=Q) 2018/12/3
Systems with performance redundancy Without separation the expected damage is vF. The condition of the separation efficiency takes the form (31) or 2018/12/3
Systems with performance redundancy 2018/12/3
Systems with performance redundancy As a special case consider a widely used redundant parallel system(1-out of N)which meets the demand if at least one of its elements survives. This corresponds to the case when 0<F<G/N and α = N in (30). Condition (31) takes the form (33) which gives (34) 2018/12/3
Systems with performance redundancy s* is independent of F when 0<F<G/N =0.1 as determined by (34), and decreases towards zero as F increases above G/N towards G. s* is lower when the contest intensity is high or the attacker’s resource is high. 2018/12/3
Systems with performance redundancy In the general case when both the attacker and the defender choose Q elements to attack and M elements to defend. The expected damage caused by the attack for any demand F as (35) use the procedure remind before to find out the optimal value of M and Q 2018/12/3
Systems with performance redundancy 2018/12/3
Systems with performance redundancy 2018/12/3
Systems with performance redundancy In order to check the sensitivity of separation efficiency to the chosen value of M, we replace the optimal values of M with constants.(fixed M and optimal Q) 2018/12/3
Systems with performance redundancy In order to make the managerial decisions about the number of protected elements when the exact balue of the contest intensity m is not known, one can use the following iterative approach: Obtain the optimal values of m in the supposed range of m using the suggested algorithm. Evaluate the expected damage D*(M) in the given range of m for several fixed values of M The comparison of the obtained results helps in making the decision. 2018/12/3
Systems with performance redundancy 2018/12/3
Conclusion 2018/12/3
Conclusion Systems without performance redundancy separation with even allocation of the defender’s effort among all the elements is not beneficial for the defender. Separation with protecting a subset of the elements, when the attacker attacks all elements, is not beneficial for the defender if the contest intensity m ≤1 The separation efficiency depends on the defender’s and attacker’s budgets, separation costs, contest intensity and system demand. Further research can be devoted to incorporating the inherent values of destroyed elements into the model. 2018/12/3
Thanks for listening 2018/12/3