Advisor: Yeong-Sung Lin Presented by Chi-Hsiang Chan 2011/3/281

+ Introduction + Problem formulation + Multi-dimensional D-spectrum + F>3 clusters in the network + Illustrative example: attack and defense of a network + Conclusion 2011/3/282

+ Introduction + Problem formulation + Multi-dimensional D-spectrum + F>3 clusters in the network + Illustrative example: attack and defense of a network + Conclusion 2011/3/283

+ Defense against external impacts, and especially against intentional external impacts, becomes increasingly important due to the increasing threats of malicious attacks. + The defender’s objective for a system is that it survives and functions reliably under all circumstances. + In order to evaluate the efficiency of defensive measures the defender should evaluate the effect of these measures on the expected damage that can be caused by attacks. 2011/3/284

+ Research in network reliability and risk analysis must help understand how to prevent or mitigate the damage caused by intentional attacks on the networks. + Usually assumed: – An interdictor is interested in reducing the flow through the network by interdicting network elements, usually the links. – The interdictor has limited resources to interdict network elements and as suck it faces a resource allocation problem, where the objective is to maximize the damage inflicted to the network. 2011/3/285

+ In the case when the network provides connection among different terminal nodes corresponding to users or critical facilities, the damage caused by an attack can be different depending on the amount of terminals that become isolated from any other terminal because of link interdiction. + It is important to find a way that evaluates the probability of network disintegration into disconnected sub-networks and estimates the associated damage in order to compare different options of network defense. 2011/3/286

+ This work considers the expected damage caused by the network disintegration into separated clusters (with at least one terminal node) and presents a novel multi- dimensional spectra technique for evaluating this damage. + We assume that the damage caused by disintegration is proportional to the number of clusters and does not depend on their size. + The assumption is relevant for information networks, where the information can freely flow within each cluster and the damage is proportional to the effort needed to restore the inter-cluster connectivity. 2011/3/287

+ A network has a node set N, edge (link) set E and a subset of special nodes called terminals. + All nodes are absolutely reliable while the edges are subject to failure. + Edge(link) failure means its elimination from the network. + The attacker strikes the network links trying to cause damage by disintegrating the network into clusters. 2011/3/288

+ Both the attacker and the defender have limited and fixed resources. + The attacker does not know the network structure and arracks a randomly chosen subset of links distributing its attack resources evenly among these links. + The defender has no information about the subset of links chosen for the attack. All links are equally protected. 2011/3/289

+ The model presented in this paper is based on a multi- dimensional destruction spectra approach that allows evaluating the probability of network disintegration into a given number of clusters when a fixed number of randomly chosen links is eliminated. + It uses the contest success function that evaluates vulnerability of individual links as a function of per-link attack and defense efforts. 2011/3/2810

+ Introduction + Problem formulation + Multi-dimensional D-spectrum + F>3 clusters in the network + Illustrative example: attack and defense of a network + Conclusion 2011/3/2811

LNumber of links in the networkfnumber of disconnected clusters FNumber of terminals in the networkd(f)damage associated with network disintegration into f disconnected clusters kNumber of attacked linksD(k)expected damage caused by an attack on k randomly chosen links REntire attacker’s resourceΔexpected damage for uniformly distributed number of attacked links yAttacker’s impact effort per attacked link mcontest intensity zDefender’s protection effort per linkp(j,f)the probability that the network falls apart into f clusters if j links re destroyed v(y,z)link vulnerability as a function of attacker’s and defender’s efforts P(x)probability of event x probability that exactly j links are destroyed after attack on k links 2011/3/2812

+ A network with a given topology contains L protected links. Each link is protected with effort z. + The attacker strikes k randomly chosen links evenly with resource R. The per-link attack effort is y=R/k. + The vulnerability of attacked link is determined by a contest between the defender and the attacker, form as (1) 2011/3/2813

+ Skaperdas offered three axioms for contest success functions: – 1≥v≥0 and the contest success for the defender and the attacker sum to one. – ∂v/ ∂y>0 and ∂v/ ∂z<0. – Each agent’s contest success depends on its effort and not on the identity of agent or opponent. 2011/3/2814

+ m ≥0 is a parameter that expresses the intensity of the contest. + A benchmark intermediate value is m=1, where the investment have proportional impact on the vulnerability. 0 1 gives a disproportional advantage of investing more effort than one’s opponent. + m=0, vulnerability = 50% + m=∞ gives a step function where “ winner-takes-all”. + The parameter m is a characteristic of the contest which can be illustrated by the history of warfare. 2011/3/2815

+ In the case when the attacker distributes its resource R among k links the link vulnerability takes the form (2) + If the attacker attacks k links, it succeeds to destroy exactly j links with probability (3) 2011/3/2816

+ The probability that the network falls apart into f disconnected clusters as a result of destruction of j randomly chosen links be p(j,f), and the damage associated with the network falling apart into f disconnected clusters be d(f). + The expected damage D(k) in the case of attack against k randomly chosen links is (4) where F is the maximal number of clusters, which is equal to the number of terminals. 2011/3/2817

+ If the defender knows the distribution of k, ε(i)=P(k=i), It can evaluate the total expected damage as (5) + When the defender has no information about the distribution of k, it assumes that the attacker acts completely at random and can choose k from 1 to L with equal probability. The expected damage is (6) 2011/3/2818

+ Introduction + Problem formulation + Multi-dimensional D-spectrum + F>3 clusters in the network + Illustrative example: attack and defense of a network + Conclusion 2011/3/2819

+ By network N=(V,E,T) we denote an undirected graph with a node-set V, |V|=n, an edge-set E,|E|=L, and a set of special nodes called terminals, |T|=F. + If all nodes of the network are connected to each other directly or indirectly, the network N is called connected. 2011/3/2820

+ For example, N has 4 nodes V=(a,b,s,t), two terminals t=(s,t), 2 edges E={(a,s),(b,t)}. Obviously, N is not connected, it has two components, and each of them is a cluster. s a b t 2011/3/2821

+ The network can be only in two states UP and DOWN, where the UP state takes place if and only if all terminals of the network are connected to each other by the elements which are in the UP state. Otherwise, the network is DOWN. + In this paper we split the DOWN state into several sub- states according to the number of disconnected clusters in the network. When F=|T|=3. – UP => number of cluster=1 – DOWN2 => number of cluster=2 – DOWN3 => number of cluster=3 2011/3/2822

+ Definition 1. Let be a permutation of network links. Suppose initially that they all are UP. Start turning them from UP to DOWN by moving π from left to right. + Fixed the first element when the network state become DOWN 2 =>,called the second anchor. + Fixed the first element when the network state become DOWN 3 =>,called the third anchor. + Define the probability the probability of the event A(i,j) = {r 2 =i, r 3 =j} as (7) 2011/3/2823

+ Definition 2. The two-dimensional discrete density function d ={w i,j }, i,j = 1,2,….,L, is called network two- dimensional destruction spectrum(D-spectrum). + Definition 3. The marginal distribution of the first component of the D-spectrum is called the second spectrum, and is called the third spectrum. + and for k=1,…,L are called the second and the third cumulative spectra of the network. + U 2 (L) = U 3 (L) = /3/2824

+ The total number of permutations of L=4 links is 4!=24. + u 1 =0,u 2 =5/6,u 3 =1/6,u 4 =0 + g 1 =0,g 2 =0,g 3 =3/6,g 4 =3/6 + U 2 (1)=0,U 2 (2)=5/6, U 2 (3)=U 2 (4)=1 + U 3 (1)=U 3 (2)=0, U 3 (3)=1/2,U 3 (4)=1 (3,4) 4 permutations(2,4) 8 permutations(2,3) 12 permutations 1,4,2,31,2,4,31,2,3,4 w 3,4 = 1/6w 2,4 = 2/6w 2,3 = 3/6 2011/3/2825

+ Remark 1. The standard reliability theory deals mostly with binary systems consisting of binary components. The system has only one DOWN state, its D-spectrum becomes a one-dimensional distribution. + Gertsbakh and Shpungin and Samaniego considered the case of i.i.d. continuous component lifetimes X i, i=1,…,k and defined the r-th element of the signature as the probability that system failure coincides with the r-th order statistic in a sample of X 1,X 2,…,X k. + The considered two-dimensional signature is an extension of the one-dimensional situation. 2011/3/2826

+ Denote by p(j,f) the probability that elimination of exactly j links causes network disintegration into f clusters. The principal probabilities which we need in the context of the present paper take the following form: (8) 2011/3/2827

+ Remark 2. Suppose that all network links have i.i.d. continuous lifetime τ with cumulative distribution function (CDF) Q(t). Let τ net be the random network lifetime, Denote by Q net (t) its CDF. The probability that a link is UP at time t 0. We can get: (9) where Q (j) (t 0 ) is the CDF of the j-th order statistic from the random sample of link lifetimes τ 1, τ 2,…, τ L. 2011/3/2828

+ Substituting into(9) the well-known expression for Q (j) (t 0 ) and rearranging the terms in the sum, can get: (10) where (11) + From (10) it follows that C(j) is the number of network failure sets with exactly j links being down. Therefore, (11) implies that the ratio of the number of all j-link failures sets to the total number of randomly chosen sets of j links out of L, equals U 3 (j). 2011/3/2829

+ Introduction + Problem formulation + Multi-dimensional D-spectrum + F>3 clusters in the network + Illustrative example: attack and defense of a network + Conclusion 2011/3/2830

+ When F>3, the system has states UP and DOWN J, J=2,3,…,F, where DOWN J is the state with J clusters, having J-th anchor r J (π). + We can get the J-th cumulative spectrum of the network + It is easy to derive that (12) 2011/3/2831

+ The calculation of he spectrum is an NP-hard combinatorial problem. We suggest using a Mont Carlo procedure for its numerical estimation. + The most time consuming step of the procedure is checking the number of clusters in the network after a link is being erased. To do it efficiently, the so-called disjoint set structure is used. 2011/3/2832

+ Using DSS takes O(L*logL)on each step, so the algorithm complexity as O(M*L*logL). 2011/3/2833

+ Introduction + Problem formulation + Multi-dimensional D-spectrum + F>3 clusters in the network + Illustrative example: attack and defense of a network + Conclusion 2011/3/2834

+ 17nodes, 3terminals, 34links + Two and three clusters caused defender damage d(2)=1000, d(3)= Defender can add four additional links to enhance the network connectivity. 2011/3/2835

2011/3/2836

z/R= /3/2837

+ Assume that the defender can spend the same budget that is needed for adding four links on enhancing protection of all the links. + The cost of the protection effort unit is c and the defense budget B can be use d for increasing the protection effort. The defender’s per-link protection effort z increases from z 0 to z 0 +B/c, which causes the increase of effort ratio from z 0 /R to z 0 /R+B/cr=z 0 /r+1/c*, where c*=cr/B is the normalized cost of protection effort unit. 2011/3/2838

+ With increase of the contest intensity the influence of the protection on the link vulnerability and damage increase, which makes the link protection option more beneficial for greater values of the protection cost. + Bold lines- protection enhancement + Thin lines- addition of four links. 2011/3/2839

+ To evaluate the effectiveness of a mixed defense strategy with both links addition and protection enhancement, considering the case when the defender splits its budget evenly between the two types. + F (3,11) (7,10) + G (3,11) (2,15) + H (5,8) (7,10) 2011/3/2840

+ The protection effort increases from z 0 to z 0 +B/(2c). 2011/3/2841

+ Introduction + Problem formulation + Multi-dimensional D-spectrum + F>3 clusters in the network + Illustrative example: attack and defense of a network + Conclusion 2011/3/2842

+ The paper suggests a computationally effective algorithm for evaluating the damage inflicted to interconnected networks by intentional attack on randomly chosen links. + The suggested algorithm is based on a multi-dimensional spectra approach. + The presented method allows analysts to evaluate and compare different options. + The presented example of a network with three terminals illustrates the practical methodology of choosing the most effective defense strategy. 2011/3/2843

2011/3/2844