Dynamic Defense against Stealth Malware Propagation in Cyber-Physical Systems: A Game-Theoretical Framework

Stealth malware is a representative tool of advanced persistent threat (APT) attacks, which poses an increased threat to cyber-physical systems (CPS) today. Due to the use of stealthy and evasive techniques, stealth malwares usually render conventional heavy-weight countermeasures inapplicable. Light-weight countermeasures, on the other hand, can help retard the spread of stealth malwares, but the ensuing side effects might violate the primary safety requirement of CPS. Hence, defenders need to find a balance between the gain and loss of deploying light-weight countermeasures, which normally is a challenging task. To address this challenge, we model the persistent anti-malware process as a shortest-path tree interdiction (SPTI) Stackelberg game with both static version (SSPTI) and multi-stage dynamic version (DSPTI), and safety requirements of CPS are introduced as constraints in the defender’s decision model. The attacker aims to stealthily penetrate the CPS at the lowest cost (e.g., time, effort) by selecting optimal network links to spread, while the defender aims to retard the malware epidemic as much as possible. Both games are modeled as bi-level integer programs and proved to be NP-hard. We then develop a Benders decomposition algorithm to achieve the Stackelberg equilibrium of SSPTI, and design a Model Predictive Control strategy to solve DSPTI approximately by sequentially solving an 1+δ approximation of SSPTI. Extensive experiments have been conducted by comparing proposed algorithms and strategies with existing ones on both static and dynamic performance metrics. The evaluation results demonstrate the efficiency of proposed algorithms and strategies on both simulated and real-case-based CPS networks. Furthermore, the proposed dynamic defense framework shows its advantage of achieving a balance between fail-secure ability and fail-safe ability while retarding the stealth malware propagation in CPS.


Introduction
Cyber-physical systems (CPS) are integrations of computation, networking, and physical processes, which have tremendously stimulated the development of contemporary critical infrastructures in different domains, such as energy, health care, communication, transportation, and manufacturing [1,2]. However, these integrations have unintentionally entailed new vulnerabilities, threats and challenges in safety of worms whereas some legitimate communication which is necessary for systems' normal operation might be blocked, as well. That is, when we try to maintain the security of a system using light-weight countermeasures, the safety requirements may be violated. This side effect is usually bearable in traditional information systems; however, the blockage of a critical legitimate control signal which is a safety requirement may lead to a catastrophic cascading in CPS [20]. However, very little research has studied the optimal allocating and scheduling strategy of light-weight countermeasures taking the safety requirement into consideration.
Since security and safety are interdependent with the requirements of one having effects on the other, the satisfaction of fail-secure and fail-safe ability requires a collaborative approach [20]. Here, fail-secure means that access or data will not fall into the wrong or malicious hands in a security failure, while fail-safe indicates that devices in a system will not endanger human lives or property when they fail. Hence, there is an urgent need for defenders to find an optimal trade-off between the gain and loss of deploying light-weight countermeasures in CPS, thereby achieving a balance between fail-secure and fail-safe ability. To address this problem, we model the persistent attack-and-defense process between the CPS defender and the attacker as a dynamic Stackelberg game. The attacker aims to stealthily penetrate the CPS at the lowest cost (e.g., time, effort) by selecting optimal network links to spread. On the other hand, the defender who has limited capabilities to detect stealth malwares aims to maximize the fail-secure ability, i.e., retarding the malware epidemic as much as possible by optimally allocating light-weight countermeasures until the development and deployment of heavy-weight countermeasures. Meanwhile, safety requirements of CPS are considered in the form of constraints in the defender's decision model, which reflects the primary importance of fail-safe ability. The main contributions of this paper are: 1) We propose the static shortest-path tree interdiction (SSPTI) game, model it as a bi-level integer program (BLIP), and prove its NP-hardness. A Benders decomposition algorithm (S-BD) is then developed to achieve its Stackelberg equilibrium. 2) We extend the SSPTI to a multi-stage dynamic shortest-path tree interdiction (DSPTI) game to support the of real-time decision-making in the persistent attack-and-defense process, and design a model predictive control (MPC) strategy for the defender. An 1 + δ approximation algorithm is proposed for the defender to achieve local optimality, thereby expanding the solvable scale of the problem. 3) The evaluation results demonstrate that the proposed approximation algorithm can enlarge the solvable scale of problems with an order of magnitude improvement (reporting an increase from less than 100 nodes to more than 3000 nodes) and reduce the resources consumption by 60%. 4) The performance of proposed MPC strategy is better than existing strategies on both simulated and real-case-based CPS networks. A lower steady infection rate and a higher ratio of giant component can be achieved by MPC strategy simultaneously, which means it can help retard the spread of malwares and the cascade of devices failure at the same time.
The reminder of this paper is organized as follows. Section 2 provides the related work, and Section 3 introduces the network model of CPS and the Stackelberg game model between the defender and the attacker aiming to penetrate the CPS. In Section 4, SSPTI game is formulated as a BLIP, and an exact algorithm is designed for it. The game is then extended to a dynamic version in Section 5, and an MPC strategy is designed for DSPTI. Section 6 reveals the performance of proposed algorithms and strategies. Section 7 concludes this paper.

Security Countermeasures
To address the challenge of CPS security, researchers have paid a great attention on the security issues of malwares propagation, such as propagation modeling, prevention, detection, and mitigation [20][21][22]. However, the unprotected exposure is usually neglected and few of them have considered the trade-off between safety and security when using light-weight countermeasures.
Heavy-weight countermeasures have been studied and applied in practice for decades, such as exploits patching [23], nodes or edges removing [24], and anti-malware program updating [20]. Many of those studies use control-theoretic mitigation strategies. Bloem et al. proposed an optimization problem of malware removal or path deployment and they captured the trade-off between the infection speed and patching costs by using an optimal control framework [25]. In Reference [26], a quarantine control method was developed so as to study the propagation and inhibition of virus in time-varying networks. In order to suppress SIS epidemics in networks, Scaman et al. [24] designed a series of control-theoretic resource allocation strategies. In Reference [23], a general framework was developed to achieve optimal patching policies against malware epidemics, in which the issue of disseminating security patches in a large resource-constrained heterogeneous mobile network was taken into account.
On the other hand, there are some researchers that committed to use light-weight countermeasures to secure network systems. For instance, Yau et al. [15] proposed a tolerance mechanism to minimize the damage caused by distributed denial of service (DDoS) attacks. The core of the mechanism is the max-min fair server centric throttling, and the minimization of DDoS damage leads to the loss of legitimate packet. In the defense of selective forwarding attack, by deploying the randomly selected single checkpoint node in the system, the forwarding misbehavior of the malicious vertex can be detected which was a kind of light-weight countermeasure [27]. In order to mitigate TCP SYN flooding attacks, Mohammadi et al. [28] developed an SDN-based light-weight countermeasure in the controller level, in which ongoing TCP connection requests will be checked and malicious hosts will be blocked. In Reference [29], a DoS attacks defense framework for SDN/OpenFlow networks was developed in a protocol-independent manner, where attack traffic is identified by a packet filter.

Network Interdiction
Network interdiction problems are usually modeled as games involve two players who commonly have opposite utility functions, which have been wildly applied in traditional security problems, such as nuclear smuggling interdiction [30], terrorist attack defense [31], facilities fortification [32], and illegal products detection [33]. Shortest path network interdiction is a typical interdiction game, which was introduced in 1977 by Fulkerson and Harding [34]. In this problem, the interdictor wishes to maximize the shortest path the evader can achieve using limited resources, and the length of arc was assumed to increase linearly with the amount of resource allocated. In the model of mixed integer version proposed by Wood [35], the decision variable became binary and Benders decomposition method was proposed to solve it. After that, variants of network interdiction games with new features were developed. For instance, Bayrak and Bailey proposed a shortest path network interdiction game with information asymmetry, in which the interdictor and the evader have different levels of network information [36]. In Reference [37], the vulnerability of multiple-commodity system to multiple disruptions was studied, where the formulation of finding defense strategies at minimal cost that maintain a high level of demand satisfaction across all commodities was proposed. Borrero et al. investigated sequential interdiction problem in which the interdictor has incomplete initial information about the network, including its structure and arc costs [38]. In their work, learning method was used so that the interdictor can learn about the network structure and arc costs by observing the evader's actions. A dynamic shortest path network interdiction without goal information was proposed in Reference [39], where goal recognition methodology was introduced to help the inerdictor make a flexible resource assignment.
Recently, some researchers have payed more attention to the development of security strategies of information systems or computer networks within the framework of game theory. In Reference [40], a resilient control problem in CPS was modeled as a two-level receding-horizon dynamic Stackelberg game between the system operator and human adversaries. Panaousis et al. [41] proposed a decision support approach for cyber-security issues in the framework of game theory, in which they modeled non-cooperative cyber-security control games between the network defender and the attacker who can exploit different vulnerabilities in the computer network. An attack graph interdiction game was developed by Nandi et al. in [42] aiming to protect organizations from cyber attacks. In this game, the defender aims to find an optimal affordable subset of links to deploy countermeasures, while the attacker aims to penetrate the network through the feasible path in attack graph. In order to take attackers reaction into account, Durkota et al. [43] studied the optimal strategy making of placement of honeypots in a network using a game-theoretic approach. Using the Bayesian Stackelberg Game, Zeng, et al. [22] studied the problem of infrastructure network protection under asymmetry information in which multiple attackers types were considered and Bayesian Stackelberg game was introduced to model this problem.

Network Model and Stackelberg Game
In this section, we introduce the network model of CPS and the Stackelberg game model under the threat of stealth malware epidemic. Basic assumptions about CPS and settings of the game are presented. Table 1 presents the notations of main parameters and variables in this paper.

Network Model
A CPS network usually includes three layers, i.e., a corporate network, a control network and a field network [44]. As shown in Figure 1, in field network, field devices are instrumented by means of sensors and actuators. The remote terminal unit (RTU) provides a communication interface for field devices, and its role is played by a programmable logic controller (PLC) in many scenarios. The communication link connects the control and filed networks based on various communication techniques, e.g., wire, fiber optic, radio, microwave [45]. The control network contains several servers with various purposes, such as the master terminal unit (MTU) for data collection and periodically RTU polling. Operators access recorded data, check reported alarms and issue commands via a human-machine interfaces (HMI) in this layer. The corporate network usually includes workstations for engineers and system administrators which are generally connected to the Internet and sometimes to the control network via a router. Although the CPS network is full-connected physically, strict access control and designed communication patterns let the actual network structure not fully connected under operating conditions. Figure 2 gives an abridged view on the topology of an operating CPS network, where links present the permitted or designed communication patterns between CPS devices rather than all possible connections. It is worth noting that any traffic violating the those communication patterns will be treated as abnormal or illegitimate in CPS [45], which is a significant difference between CPS and traditional information systems. In general, we present the topology of CPS as an undirected graph G = (V, E), where V is the set of CPS devices and E is the set of links connecting devices in V. Each link e ∈ E has a weight w e ≥ 0 which presents its significance to CPS safety (vector form w). The cost for an attacker to propagate a malware through the link e is denoted by c e ≥ 0 (vector form c). The allocation of light-weight countermeasures on a link e is assumed to make a delay of d e > 0 (vector form d) to the malware propagation on this link, while resulting a loss of w e in CPS safety. These parameters can be determined by security and safety maintenance personnel of CPS.

Stackelberg Game Model
In a typical defense scenario against stealth malware propagation in CPS, the attacker initially selects a set of devices to infect, while the CPS defender usually operates a malware detection system providing with an incomplete infection distribution. When the information of newly-detected threats is reported, the defender must implement countermeasures accordingly; however, heavy-weight countermeasures cannot be implemented immediately due to the existence of unprotected exposure. Then, the issue of how to use light-weight countermeasures to retard the epidemic tends to be crucial to CPS defenders. It is clear that containment techniques can block illegal communication thereby stopping the spread of malwares through certain links, but may put the system at risk due to the blockage of some crucial control signals for safety concerns. In practice, CPS defenders can be classified according to their preference; that is, the one who gives the priority to security is called fail-secure defender, and a fail-safe defender refers to the one who has preference for safety.
To exemplify this, an instance of the defense scenario is given in Figure 2, where workstation 2 has been infected with a kind of malware from an attacker and two copies of this malware has been stealthily spread to mobile workstation and MTU 2. The defender is supposed to know the abnormal condition of workstation 2 based on its detection system, but more time is needed to analyze the malware sample, develop exploits patching, and deploy anti-malware programs. Hence, the defender should firstly implement light-weight countermeasures. A fail-safe defender is likely to isolate the detected infectious device, though its neighbors (i.e., mobile workstation, MTU 1, and MTU 2) may have been infected, as well. That is, no light-weight countermeasures will be taken on those neighbors such that all control signals deriving from them can be transmitted to the remained network, i.e., fail-safe ability can be maintained as much as possible. Apparently, the undetected copies of this malware on mobile workstation and MTU 1 will pose a long-term threat to the security of this CPS. On the other hand, if the defender gives the priority to security, the initially infected workstation 2 and its neighbors who have the risk of infection should be isolated at the same time so as to avoid further infections deriving from possible infected neighbors. In this way, the defender tries its best to prevent illegal access and data leakage; however, the remained network becomes too fragmented to function normally and the blockage of certain control signals (e.g., emergency cut-off signal, load balancing signal, etc.) may increase the risk of safety. Therefore, it is urgent for the defender to achieve a balance between fail-secure and fail-safe ability when adopting light-weight countermeasures to retard the malware propagation.
To this end, we consider a Stackelberg game in the CPS under the threat of stealth malware propagation, named Shortest-path Tree Interdiction Game. There are two players in this game, i.e., a defender and an attacker. That is, The defender takes action first to allocate defense resources to a set of links, and then the attacker starts to implement its malicious propagation plan based on the observation of defender's action. The strategy sets of the defender and attacker are defined as S D and S A as follows: which denotes by X the feasible set of x for the defender, and we let Y be the feasible set of y for the attacker. The defender acts as the leader in this game and can observe a distribution of malware instances in the system based on the detected results, though this observation is usually incomplete. The attacker, on the other hand, acts as a follower and is assumed to know the actions of the defender.
Here, the follower knows the whole information of its opponent, and this kind of worst-case analysis is proper for defenders who need robust defense strategies.

Utility Function for Attacker and Defender
The target of the attacker is to stealthily penetrate the CPS at the lowest cost (e.g., time, effort) by selecting optimal network links to spread. According to the nature of tree-structure spreading pattern, the propagation problem is modeled as a shortest-path tree problem with a root vertex v s , i.e., the initial infectious device. That is, the aim of the attacker is to minimize the sum of the path lengths (i.e., penetrating time) from v s to each vertex v i ∈ V. For multiple initially infected devices, we can introduce an equivalent root vertex and then connect the initial infectious devices to it by links given c e = 0, w e = +∞. By contrast, the defender aims to optimally allocate light-weight countermeasures to several links thereby maximizing the attacker's total penetrating time. In this game, the utility function of the defender is just the opposite of the attacker's payoff and they are both linear; hence, this is a typical two-player zero-sum game.

Functional Assurance Constraints
To ensure the safety of CPS, some functional assurance constraints are introduced during the defender's decision-making process of pursuing fail-secure ability. Since allocation of light-weight countermeasures can cause the loss of safety weight on links, the defender can make an upper bound of total loss R on weight such that the defender can assure the whole system's safety according to the weight vector w and safety requirements. In some cases, the safety of CPS includes the special safety needs of some certain components, such as a data server or workstation with higher safety needs level. As to these cases, each critical component can be similarly assigned an individual upper bound of weight loss r i relating to vertex v i .

Static and Dynamic Version of the Game
A typical Stackelberg game is usually static, i.e., both players adopt a once-and-for-all decision at the beginning of the game. In the SPTI game, if the attacker makes an entire spread plan and does not change it during the spreading process, the interdiction action of the defender can be designed as a static one. This game is defined as static SPTI game, and the equilibrium result provides the defender with a static allocation decision which is optimal when the attacker does not change its spread plan. Furthermore, when the defender face a cunning attacker who takes adaptive actions according to its observation of the countermeasure implementation, dynamic defending in an observe-and-response manner becomes indispensable to a defender dedicating to an efficient defense. This dynamic SPTI game is a kind of extensive game, which provides defenders with a more practical and operational approach to optimal interdiction compared with the static one.

Static Shortest-Path Tree Interdiction Game
We first study the static version of the SPTI game, where both players take once-and-for-all strategies during the game. That is, the defender observes the distribution of malware and allocates defense resources all at once, while the attacker implements its designed propagation plan consistently. Hence, this static game is a typical two-player zero-sum Stackelberg game.

Bi-Level Integer Program Formulation
In order to obtain the equilibrium of players, we first need to formulate the game mathematically. Since the sets of strategies of players deriving from the constraints in the decision models are implicit in the proposed Stackelberg game, it is usually formulated as a BLIP so as to achieve the Stackelberg equilibrium [35]. Let x e be the decision variable of the defender (vector form x), where x e = 1 if the link e is interdicted by the defender using light-weight countermeasures; otherwise x e = 0. Similarly, the attacker's decision variable y e = 1 if the link e is chosen by the attacker as an edge in the propagation tree of malwares; otherwise y e = 0; hence, each y denotes a spanning tree from v s . NS(v i ) denotes the set of links connected to vertex v i . Let U (x, y) denote the utility function of this game under the network setting (i.e., c and d). Let Y denote the set of all y vectors, i.e., the set of all spanning trees from v s in G. Hence, we can formulate the game as follows: where x, y ∈ {0, 1} |E| , u * is the Stackelberg equilibrium of this game. Constraint (4) shows that the propagation of malwares should follow a tree-structure pattern. Constraints (5) and (6) are functional assurance constraints, which mean that the allocation of light-weight countermeasures on the whole CPS and each CPS device should not exceed the upper bound R and r i , respectively. SSPTI is a BLIP, where the inner-level problem of the attacker is a shortest-path tree problem and the outer-level problem of the defender introduces knapsack Constraints (5) and (6), which adds to its complexity. Without surprise, SSPTI is a NP-hard problem, and the NP-hardness of it is analyzed in Theorem 1.
Proof of Theorem 1. Firstly, we introduce a problem of finding a subset K of links such that ∑ e∈K w e ≤ R and whose removal from G results in the largest increase in the length of the shortest-path tree from root v s to each vertex, called k-most-vital-links problem (KMVP). It is clear that KMVP is a special case of SSPTI problem. Note that we omit the Constraint (6) in the proof because that SSPTI problem without Constraint (6) is equivalent to setting r i ≥ R, ∀i ∈ V; thus is a special case of SSPTI problem.
We then prove that KMVP is NP-hard by showing that a k-most-vital-links recognition problem (KRP) related to it is NP-complete. The KRP is: OUTPUT: Yes, if there exists a set K ⊆ E such that ∑ e∈K w e ≤ R and the total length of the shortest-path tree from v s in G(V, E\K) is ≥ U; no, otherwise.
The existence of a polynomial algorithm for KMVP would imply the existence of a polynomial algorithm for KRP. Hence, we then demonstrate that KRP is NP-complete by reducing the following knapsack problem (KNAP) to it. The KNAP as follows is known to be NP-complete [46].
The reduction process is as follows. We construct an undirected graph with 2n + 1 vertexes labeled as 0, 1, 2, · · · , 2n. As shown in Figure 3, there is a link between vertex 0 and j (for j = 1, 2, · · · , n) with length a j and removal cost B + 1. Vertex n + j (for j = 1, 2, · · · , n) is only adjacent to vertexes 0 and j, where the lengths of link (0, n + j) and (j, n + j) are both 0, and the removal costs are b j and B + 1, respectively.
Finally, we consider the problem KRP defined on this graph with R = B, U = A, and v s = 0. It is observed that none of links (0, j) and (j, n + j) for j = 1, 2, · · · , n can be members of K. Therefore, we may assume that only links (0, n + j) for j = 1, 2, · · · , n are removed. For convenience, link (0, n + j) is simply denoted by index j, and let K be any set of removed links that does not violate the budget constraint ∑ e∈K w e ≤ R. Then, ∑ j∈K b j ≤ B, and the total length of the shortest-path tree from vertex 0 becomes ∑ j∈K a j . That is, there is a one to one correspondence between solutions of KRP and solutions of KNAP.

Algorithm Design of SSPTI
Solving the BLIP is commonly recognized as a difficult task, and has attracted many efforts from researchers [47]. The common base of existing resolution methods for BLIP is the single-level reformulation process (including linear dual approach, Benders decomposition method, etc.), which transforms bi-level programming to the single-level one. Since SSPTI is a BLIP which cannot be solved directly without proper reformulation, we propose a decomposition algorithm for it by applying Benders decomposition approach [35] and then prove its correctness. Before introducing the algorithm S-BD, some additional denotations are given as follows.
Letŷ ∈ {0, 1} |E| denote the incidence vector corresponding to a certain spanning tree from root v s in G. LetŶ denote a collection ofŷ. For simplicity, we refer toŷ as a spanning tree and toŶ as a set of spanning trees. For a certain spanning treeŷ, we introduce a hierarchy vector h to reflect the weight of each link when accumulating the length of path from v s to each vertex. The hierarchy of link e = (i, j) is defined as the number of descendants of vertex i, where i is defined as the parent of j without loss of generality. That is, ifŷ e = 0 then h e = 0, and ifŷ e = 1, the value of h e is the hierarchy of link e. Hence, for a certain spanning treeŷ, we can explicitly express the utility function as: where D = diag(d), and H = diag(h).
Based on this explicit expression of utility function, we can reformulate program [SSPTI] as the following decomposed Master-Sub programs: For fixed x =x, there is always a solutionŷ ∈ Y to [Sub(x)], which is equivalent to a solution to the inner minimization problem of [SSPTI]. Besides, [Sub(x)] is a shortest-path tree problem which can be solved in polynomial time [48]. Problem [Master(Ŷ)], on the other hand, is an equivalent reformulation of [SSPTI] whenŶ = Y. Therefore, if one could enumerate all shortest-path spanning treesŷ ∈ Y under eachx by solving [Sub(x)], the optimal solution of [SSPTI] could be obtained by The direct idea of enumerating all shortest-path trees is still time-consuming; however, we can solve [SSPTI] optimally by sequentially generating only a small fraction of the trees in Y in a decomposition manner thereby increasing the efficiency. Given an allowable optimality gap , the S-BD algorithm is described in Algorithm 1. After that, Theorem 2 demonstrates the correctness of S-BD algorithm.

Theorem 2. Algorithm 1 correctly solves SSPTI.
Proof of Theorem 2. Firstly, let X be the feasible region of x in SSPTI. SinceŶ ⊆ Y the following is valid for any x ∈ X: min y∈Ŷ U (x, y) ≥ min y∈Y U (x, y). Hence, it is clear that max x∈X min y∈Ŷ U (x, y) ≥ max x∈X min y∈Y U (x, y) is valid, i.e., [Master(Ŷ)] provides an upper bound to [SSPTI].
Secondly, max x∈X min y∈Y U (x, y) ≥ min y∈Y U (x, y) is apparently satisfied for any specificx, which means the solution to [Sub(x)] is a lower bound of [SSPTI].

Dynamic Shortest-Path Tree Interdiction Game
In the model setting of SSPTI game, both players adopt stationary strategies which sometimes violate the fact that a cunning attacker is likely to adjust its propagation plan according to the dynamic environment thereby achieving a better payoff. The defender, on the other hand, needs to take actions in an observe-and-react loop rather than take an one-shot defense because of the exist of unprotected exposure and forthcoming malicious events. The model of SSPTI obviously cannot meet those dynamic and adaptive needs of the interdictor. In order to meet the fact of real-time defense-and-attack decision-making, this section extends SSPTI to a multi-stage dynamic shortest-path tree interdiction (DSPTI) game, which can be modeled as an extensive-form game.

Extending SSPTI to the Dynamic Game
In contrast to the SSPTI game, both players can adopt an observe-and-response action rather than an once-and-for-all decision in real cyber-combat. That is, once newly infectious devices are detected, the defender will allocate certain light-weight countermeasures to certain links. Similarly, the attacker can redesign its propagating tree based on the observation of its opponent's actions. Based on this practical realization, we propose the following DSPTI game.
The DSPTI game in extensive form is an ordered vector, where N p is a finite set of players (i.e., defender and attacker). (V g , E g , s g ) denotes a tree called the game tree from root s g , which is determined by the initial infected vertex v s , the graph G and the functional assurance Constraints (5) and (6). (V gi ) i∈N p is a partition of the set of vertexes that are not leaves, denoting the decision vertex of player i, and in this game the attacker and the defender make decisions in an alternating manner. Let τ be the number of decisions that each player has to make during this game. O denotes the set of possible game outcomes and u is a function associating every leaf of the tree with a game outcome in the set O, i.e., the utility function that accumulates all path lengths from infected root v s to all each vertex for each game outcome. We can also demonstrate that the DSPTI game is NP-hard shown in Theorem 3.

Theorem 3.
The DSPTI game is NP-hard.
Proof of Theorem 3. Firstly, we introduce a problem of finding a sequence of subsets K t (for t = 1, 2, · · · , τ) of links such that ∑ τ t=1 ∑ e∈K t w e ≤ R and whose removal from G sequentially results in the largest increase in the length of the shortest-path tree from root v s to each vertex, called dynamic k-most-vital-links problem (DKMVP). It is clear that DKMVP is a special case of DSPTI problem.
We then prove that DKMVP is NP-hard by showing that a dynamic k-most-vital-links recognition problem (DKRP) related to it is NP-complete. The DKRP is: OUTPUT: Yes, if there exists a sequence of subsets K t ∈ E (for t = 1, 2, · · · , τ) such that ∑ τ t=1 ∑ e∈K t w e ≤ R and the accumulated traversing length of the shortest-path tree from v t in G(V, E\{K 1 , K 2 , · · · , K t }) for t = 1, 2, · · · , τ is ≥ U; no, otherwise.
Hence, we then demonstrate that DKRP is NP-complete by reducing the knapsack problem (KNAP) in Theorem 1 to it. The reduction process is as follows.
We reuse the graph shown in Figure 3. Similarly, we consider the problem DKRP defined on this graph with R = B, U = A, and v s = 0. It is observed that none of links (0, j) and (j, n + j) for j = 1, 2, · · · , n can be members of any K t for t = 1, 2, · · · , τ. Therefore, we may assume that only links (0, n + j) for j = 1, 2, · · · , n are removed. For convenience, link (0, n + j) is simply denoted by index j, and let {K 1 , K 2 , · · · , K τ } be any sequence of sets of removed links in the time period from 1 to τ that does not violate the budget constraint ∑ τ t=1 ∑ e∈K t w e ≤ R. It is obvious that K t = ∅, ∀ t ∈ {2, 3, · · · , τ}; hence, ∑ τ t=1 ∑ e∈K t w e = ∑ j∈K 1 b j ≤ B, and the total length of the shortest-path tree from vertex 0 becomes ∑ j∈K 1 a j . That is, there is a one to one correspondence between solutions of DKRP and solutions of KNAP.

A Model Predictive Control Strategy for DSPTI
In addition to its NP-hardness, it is impossible to achieve the Stackelberg equilibrium for the defender before the end of the game due to the uncertainty from incomplete malware detection and the lack of future data. Traditional exponential-state backward recursion approaches to other kinds of multi-stage interdiction games, such as the dynamic-programming algorithm for dynamic shortest-path interdiction game [49], are not capable of tackling the real-time problem in which no future observation information could be obtained in advance and then used in the backward recursion procedure. To address this, drawing on ideas of modern control theory and methodology, we propose a MPC strategy for DSPTI game with respect to the requirement of real-time decision-making. The idea of MPC strategy derive from the advanced approach of process control, i.e., Model Predictive Control, which allows the current stage to be optimized while keeping the future stages in account [50]. The detection system of malwares serves as the system model in this MPC strategy, and the optimizer is defined to solve a local-greedy SSPTI problem (LG-SSPTI) in a rolling horizon manner.
Once newly infectious devices are detected, a new decision round t will be started by the defender and its opponent. According to the idea of MPC, we need to optimally solve the SSPTI at this round t, and only implements decisions on the neighbor links of v s . However, this simple idea is wasteful in the use of computing resource since useless decisions on non-neighbor links of v s are made and SSPTI itself is NP-hard. Therefore, we introduce the local-greedy SSPTI problem first. The approximate decision of the defender at stage t is made by solving the following LG-SSPTI problem: ∑ e∈E w e x t e ≤ R t , x t e = 0 ∀ e / ∈ NS(v s ), where x t , y t ∈ {0, 1} |E| , u * (t) is the Stackelberg equilibrium of this game, and NS(v s ) is the set of links directly connected to v s . Constraint (14) denotes that the propagation of malwares should follow a tree-structure pattern. Constraints (15) and (16) are functional assurance constraints at stage t, where R t and r t i denotes the available total and individual resources left after stage t − 1. Constraint (17) denotes a local-greedy allocation constraint that only links connected to vertex v s can be selected to allocate light-weight countermeasures at stage t.
Proof of Theorem 4. Different from the SSPTI problem, Constraint (17) introduces new features. Hence, we first introduce a problem of finding a subset K of links which connected to v s such that ∑ e∈K w e ≤ R and whose removal from G results in the largest increase in the length of the shortest-path tree from root v s to each vertex, called local greedy k-most-vital-links problem (LG-KMVP). It is clear that LG-KMVP is a special case of LG-SSPTI problem. Due to the reason in the proof of Theorem 1, we omit the Constraint (16) in the proof.
We then prove that LG-KMVP is NP-hard by showing that a local greedy k-most-vital-links recognition problem (LG-KRP) related to it is NP-complete. The LG-KRP is: OUTPUT: Yes, if there exists a set K ⊆ NS(v s ) such that ∑ e∈K w e ≤ R and the total length of the shortest-path tree from v s in G(V, E\K) is ≥ U; no, otherwise.
The existence of a polynomial algorithm for LG-KMVP would imply the existence of a polynomial algorithm for LG-KRP. Hence, we then demonstrate that LG-KRP is NP-complete by reducing the above-mentioned NP-complete problem, i.e., knapsack problem (KNAP) in Theorem (1), to it.
The reduction process is as follows. Since links (j, n + j) / ∈ NS(v s ) for j = 1, 2, · · · , n, they cannot belong to K. Thus, we can still reuse the graph shown in Figure 3 though the removal cost of links (j, n + j) for j = 1, 2, · · · , n can be set as any value Then, we consider the problem LG-KRP defined on this graph with R = B, U = A, and v s = 0. It is observed that none of links (0, j) for j = 1, 2, · · · , n can be members of K. Therefore, we may assume that only links (0, n + j) for j = 1, 2, · · · , n are removed. For convenience, link (0, n + j) is simply denoted by index j, and let K be any set of removed links that does not violate the budget constraint ∑ e∈K w e ≤ R. Then, ∑ j∈K b j ≤ B and the total length of the shortest-path tree from vertex 0 becomes ∑ j∈K a j . That is, there is a one to one correspondence between solutions of LG-KRP and solutions of KNAP.
Let V s (t) be the set of infected vertexes at stage t, and V d (t) denote the newly detected set of infected vertexes at t. The MPC strategy for DSPTI problem is shown in Algorithm 2, named as MPC-DSPTI strategy.

Algorithm 2 MPC-DSPTI: MPC Strategy for DSPTI
Malware Detection: obtain a set V d (t) 4: if V d (t) = ∅ then 5: Defender's Decision: solve LG-SSPTI(t) for x t 6: Malware Interdiction: allocate countermeasures according to x t 7: Attacker's Decision: solve [Sub(x t )] for y t 8: Malware propagation: penetrate the CPS based on y t 9: t ← t + 1 Although LG-SSPTI problem is still NP-hard, two benefits are brought by introducing the local-greedy allocation constraint. (1) The number of decision variables x is reduced a lot and will not increase directly as the growth of graph G, thereby expanding the solvable scale of the problem.
(2) Since only urgent interdiction demands at current stage (i.e., the needs to allocate countermeasures to links that may be penetrated immediately by the attacker) are satisfied, and most resources remain available for future interdiction actions. That is, using this MPC strategy the defender can adopt an observe-and-response decision adaptively. This helps the defender reduce the decision-making risk due to the uncertainty of the distribution of malwares which is essential for avoiding countermeasures resources waste and achieving more robust decisions.
Due to the similarity between LG-SSPTI and SSPTI, the proposed algorithm S-BD can be used to solve LG-SSPTI optimally by adding the Constraint (17) to the the [Master(Ŷ)] in Section 4. In this MPC strategy, the solution of any instance of LG-SSPTI can be viewed as a kind of approximate solution of the SSPTI with the same constraints except the Constraint (17). Let δ = max e∈E d e c e , and the approximate performance analysis is shown in Theorem 5, which proves that LG-SSPTI holds an 1 + δ approximation for SSPTI.

Theorem 5. The solution of
LG-SSPTI can achieve the 1 + δ approximation for the corresponding SSPTI problem.
Proof of Theorem 5. Without loss of generality, we omit the superscript "t" in [LG-SSPTI(t)] during this proof. Let X L and Y L be the feasible region of x and y determined by Constraints (14)- (17) in LG-SSPTI, respectively. The optimal solution of SSPTI is u * = max x∈X min y∈Y U (x, y) = U (x * , y * ), and let u * L = max x∈X L min y∈Y L U (x, y) = U (x * L , y * L ) be the optimal solution of LG-SSPTI. Firstly, it is clear that Y L = Y, and X L ⊆ X; thus, Then, we define u L = U (x * , y * L ). For the fixed x * , u * = min y∈Y U (x * , y); hence, for the specific Let x * = x a * + x b * , where x a * e = x * e , ∀ e ∈ NS(v s ), else x a * e = 0. For the fixed y * L , we have the explicit expression of u L as follows: = c T Hy * L + x a * T DHy * L + x b * T DHy * L . Since On the other hand, item x b * T DHy * L in Equation (22) is the sum of added path lengths on tree y * L except the added path length of links e ∈ NS(v s ). Since each link can only be interdicted once at most, by assuming that all the links on tree y * L could be interdicted by the defender, we could obtain a upper bound: Meanwhile, it is clear that Finally, we conclude that (1 + δ)u * L > u L ≥ u * , i.e.,

Performance Evaluation
This section first introduces several defense strategies, including existing strategies and the proposed strategy. Then, we introduce the performance metrics for both static and dynamic strategies, and the evaluation settings in the experiment are given including simulation methods of networks and information of the real-case CPS network. After that, we evaluate our proposed algorithms and strategies through extensive experiments with static and dynamic settings.

Defense Strategies
We first evaluate two static defense strategies, i.e., SSPTI and LG-SSPTI. The defender who adopts static strategies allocates all available defense resources in an once-and-for-all manner, once infected devices are detected. Then, three different dynamic strategies are considered as follows for evaluation with respect to the pay-off between CPS security and safety.

1) We propose the static shortest-path tree interdiction (SSPTI) game, model it as a bi-level integer
p A fail-safe strategy (FSA): when a device is infected and detected during the unprotected exposure, it will be isolated from the CPS. Although its neighbors may have been infected, as well, no light-weight countermeasures will be taken on them such that fail-safe ability can be maintained as much as possible. 2) A fail-secure strategy (FSE): when a device is infected and detected during the unprotected exposure, the device itself and its neighbors will be isolated at the same time so as to avoid further infections deriving from possible infected neighbors. Hence, fail-secure ability is the first priority for the defender.
3) The MPC strategy (MPC): as mentioned in Section 5, when a device is infected and detected during the unprotected exposure, it will be isolated and then light-weight countermeasures will be allocated optimally to its neighbors by solving a LG-SSPTI problem. In fact, this strategy intends to achieve a balance between fail-safe ability and fail-secure ability in CPS defense.

Performance Metrics and Evaluation Settings
We first use the following metrics for performance comparison in the evaluation of static strategies on different types of networks: 1) The achieved objective u under different static strategies. That is, the shortest-path three length which the attacker can achieved under the situation of defenders' countermeasure implementation. The larger u the attacker gains, the more effectively the defender defends in the malware propagation. We mainly compare the achieved u of SSPTI and LG-SSPTI, and analyze the impact of δ on the actual approximate ratio. 2) The algorithm running time. We compare the running time of SSPTI and LG-SSPTI by changing the scale of the problem.
In the experiments, we select three representative types of CPS networks for evaluation, i.e., square-lattice networks, standard Erdös-Rényi (ER) networks [51] and scale-free networks [52]. Lattice networks, where each vertex has the same number of links, have been used to model physical systems [2], such as water supply systems, power grid systems, etc. ER network is the original model of networks based on random graph theory, which has a Poisson degree distribution. Many more real-life networks obey a power-law form in degree distribution, such as the Internet [53], mobile communication networks [54], and airline networks [55]. These systems can be approximately modeled as scale-free networks.
For evaluation, 100 instances of square-lattice networks, ER networks and scale-free networks with 50 vertexes, 85, 178 (in average), and 144 links are generated, respectively, in the evaluation of static strategies. An initial infectious device is randomly generated to evaluate the performance of static strategies. In each instance, link attributes c, w are randomly generated and uniformly distributed on [1,5]. Node attributes r is uniformly distributed on [1,10]. Let interdiction delay d = δ · c so as to analyse the impact of δ. Then, a set of square-lattice networks, ER networks and scale-free networks of different size (from 50 vertexes to 1600 vertexes) are generated with the same link attributes setting to compare the running time. Here, the upper bound of total loss R is set as 0.5 · ∑ e∈E w e , and δ is set as 0.6 to consider the impact of network size on static strategies.
Additionally, the followings metrics are used to evaluate the performance of different dynamic defense strategies, which cares for the gain and loss of deploying light-weight countermeasures against stealth malware propagation in CPS.
1) The speed and scale of malware propagation, which represents the security situation of the CPS during the defense process.
2) The size of giant component of the CPS during the defense process, which is a major indicator of safety situation for networked systems.
According to the features of stealth malware detection [12], we can simply assume that the probability that an infected vertex can be detected by the defender grows linearly as the increase of its infection duration, and after a given duration T d it can be certainly detected. The initial ratio of infection is set to be 2% in the experiments that obtain the metrics versus time curves, and then varies from 1% to 100% in order to test the difference of steady infection state (i.e., the final scope of infection) under different initial infection ratios. Here, 100 instances of square-lattice networks, ER networks and scale-free networks with 300 vertexes are generated, respectively, with the same link attributes setting (e.g., c, w, r), and let δ = 1. We set the upper bound of total loss R = 0.5 · ∑ e∈E w e , and the individual upper bound of loss r i = 0.8 · ∑ e∈NS(i) w e so as to meet the safety requirement of CPS. Moreover, a practical CPS case is used to evaluate the dynamic strategies, i.e., Italian coupled communication and power grid network [56]. There are 39 vertexes and 102 links in the control and communication network, 310 vertexes and 361 links in the power grid network, and 169 coupled links between them. We execute the evaluation 100 times adopting the above link attributes setting and average the numerical results.
We program our algorithms using YALMIP toolbox [57] and Gurobi version 7.0.2 callable library for exact solution for master problems. Computation is performed on a Windows10 (64) computer with 2.40 GHz Intel(R) Core i5 CPU and 4.0G RAM.

Comparison of Achieved Objective u
The performance comparison of static strategies SSPTI and LG-SSPTI on 100 instances of three types of networks with 50 vertexes is shown in Table 2. It is obvious that as the increase of δ from 0.2 to 1.0 the average actual approximation ratioū * u * L on square-lattice networks rises from 1.08 to 1.33, whereas that on ER networks and scale-free networks grows slightly from 1.03 to 1.13 and 1.11, respectively. That is, LG-SSPTI strategy can actually achieve a better approximation ratio, though the approximation ratio given by Theorem 5 is 1 + δ, especially on scale-free networks. The length of shortest-path tree for malware propagation on square-lattice networks is noticeably larger than that on ER and scale-free networks with the same nodes scale. Besides, the consumed resources R u when adopting SSPTI strategy is nearly 3 times of that when adopting LG-SSPTI strategy on ER and scale-free networks, and around 7 times of that on square-lattice networks. The result demonstrates that LG-SSPTI strategy can save interdiction resources in a large amount compared with SSPTI, and these saved resources can be used in the future shots of defense thereby bringing extra payoffs. Superscript "¯" denotes the average of related parameters; σ denotes the standard deviation of u * and u * L ; R u denotes the consumed resources; R is set to be 200.
In summary, the defender who adopts LG-SSPTI strategy can achieve at most 1 + δ approximation of SSPTI strategy and consume quite fewer resources compared with SSPTI strategy in the meantime on square-lattice networks, ER networks and scale-free networks. Additionally, a malware can be spread faster in the manner of shortest-path tree on ER and scale-free networks compared with square-lattice networks, deriving from the structure difference between them.

Comparison of Algorithm Running Time
In Table 3, we compare the algorithm running time of SSPTI and LG-SSPTI on three types of networks. For each number of vertexes |V|, 10 instances are generated for evaluation. With the enlargement of the scale of a problem especially the number of links |E|, the average running time of both strategies increases by various extents. When the scale of networks increase to over 200 links, SSPTI cannot solve all instances optimally in the given time (1800 CPU seconds) on three kinds of networks. However, compared with SSPTI, the solvable scale of LG-SSPTI has increased to 6268, 1479, and 4794 links on square-lattice, ER, and scale-free networks, respectively, and LG-SSPTI is faster than SSPTI by a wide margin. The superiority of LG-SSPTI is rooted in the fact that its decision variables will not increase directly as the growth of network. Since the number of an infected node's neighbors on square-lattice network is a constant except that of edge nodes, the running time increases slowly as the rise of network size, and the average number of iterations in the decomposition procedure keeps nearly the same. The degree distribution of scale-free networks follows a power low asymptotically, and randomly selected initial infectious nodes usually have a low degree in statistical; hence, the LG-SSPTI running time on scale-free networks is lower than its counterpart on ER networks, which approximately holds Poisson degree distributions.
Therefore, we conclude that LG-SSPTI expands the solvable scale of the problem to a large extent on three kinds of generated networks. Besides, the running time of LG-SSPTI on square-lattice networks and scale-free networks is lower than it counterpart on ER networks. Nos. in the square brackets presents the number of solvable problems under 1800 CPU second from 10 instances. "-" indicates "not applicable", i.e., at least one of the 10 instances cannot be solved optimally in the allotted time. T, average running time for 10 instances, in CPU seconds; σ, standard deviation of T in CPU seconds; I, average number of iterations for decomposition algorithms.

Performance on Generated Networks
The propagation performances of three dynamic defense strategies on square-lattice networks, ER networks and scale-free networks are shown in Figures 4-6. From the security situation results in subplot (a), our proposed strategy MPC and the fail-secure strategy FSE can effectively retard and mitigate the propagation of malwares and all the ratios of infected vertexes are suppressed fewer than 20%, while the fail-safe strategy FSA cannot prevent malware penetration effectively resulting a higher propagation speed and a larger scope of infection. Meanwhile, scale-free networks tend to be more fragile towards malware propagation no matter which defense strategies the defender adopts. From the safety situation results in subplot (b), the proposed MPC strategy slows the collapse of giant component ratio r gc down and maintains the highest ratio of giant component among three dynamic strategies. At the beginning of the infection, FSA holds a lower collapse rate of r gc compared with that of FSE; however, due to the challenge of stealth malware quick detection, the propagation cannot be controlled in the short term resulting the outbreak of newly infected vertexes in the medium term. Hence, safety cannot be guaranteed as expected without active actions on system security, due to the interdependence between safety and security in CPS. The FSE strategy, on the other hand, can control the propagation of malware, while it gives rise to a sharp drop in r gc at early stages (lower than 60% in Figure 6b). Althougfh, FSE outperforms in maintaining the security situation of CPS before the implementation of heavy-weight countermeasures, the high collapse rate of r gc of FSE at the beginning of infection is likely to make a large loss on safety assurance. Therefore, among these three strategies, our proposed MPC strategy can align CPS security and safety properly. Although the FSA strategy aims to maintain safety and reduce the loss on system functionalities as much as possible, more vertexes will be infected in the future due to the undetected threats and the unprotected exposure, resulting worse performance on both safety and security maintenance. FSE, on the other hand, can achieve a low infected ratio but fail to maintain the connectivity and safety of CPS.

Performance on Real CPS Cases
The simulation results on Italian coupled communication and power grid network are shown in Figures 7-9. From the results in Figure 7, the performances of three strategies are similar to the above conclusions on generated networks, and MPC strategy performs better than the other two strategies in both security and safety assurance. When T d = 5, the practical CPS network tends to be less fragile than the generated networks due to the difference in network structures. However, as the increase of T d , i.e., the rise of detection difficulty, the performance of all strategies degenerates (see in Figures 8 and 9). Both MPC and FSE strategy have a slight rise in the ratio of infected vertexes, while the spread of malwares cannot be effectively controlled by FSA strategy. The r gc when adopting MPC strategy decreases at the lowest speed and can be controlled in a relatively higher level among three strategies. As a result, the performance of all strategies degenerates as the increase of detection difficulty. However, the proposed MPC strategy still outperforms other strategies, and it can help retard the spread of malwares and the cascade of devices failure during the time-span of unprotected exposure, thereby achieving a balance between security and safety.

Discussion of Steady Infection State
We then consider the extreme case that no heavy-weight countermeasures are developed and deployed until the steady infection state, i.e., the unprotected exposure is relatively large and only light-weight countermeasures work. This situation is not very common, but considering the cunning techniques of attackers in reality CPS defenders need to take actions in case of emergency. As shown in Figures 10-12, the performance of dynamic strategies on the final scope of infection with various initial infection ratios are considered on three types of networks. Here, the detection time threshold T d is set to be 5. As the increase of initial infection ratio, the average steady scope of infection grows to 100% with different rate and the average steady r gc falls to 0%. More specifically, it is clear that FSE and MPC outperform FSA on the steady state of both security and safety situation among three kinds of networks. When the initial infection ratio is 1%, the average final ratio of infected vertexes of FSA is around 38%, 64%, and 78% on square-lattice networks, ER networks and scale-free networks, respectively, while that of MPC and FSE is below 10% and 20%. The performance on r gc assurance of FSA is much worse than MPC and FSE, reporting around 51%, 20%, and 3%, respectively, when the initial infection ratio is 1%, whereas that of MPC and FSE is more than 90% and 70%.
The performance of FSE is slightly better than that of MPC in reducing the scope of infection, but FSE is intrinsically inferior to MPC in safety assurance of CPS. The superiority of FSE in final ratio of infection over MPC is not more than 15% on square-lattice networks and ER networks and 25% on scare-free networks, but MPC can sometimes exceed FES around 45% in the steady r gc . More significantly, even though more vertexes are immune to malwares when using FSE rather than MPC, the CPS is not likely to function well at all because of the extremely fragmented condition. For instance, in Figure 12 when initial infected ratio is 10%, FSE outperforms MPC in final ratio of infection reporting nearly 25% versus 46%; however, the corresponding r gc of FSE and MPC is about 5% and 38%. That is, the CPS adopting FSE becomes a combination of isolated vertexes and network fragments which cannot supports most of the function requirements, although around 75% of these components are not infected. On the other hand, the CPS adopting MPC still has 54% of vertexes which are not infected; meanwhile, 38% vertexes are in the same giant component and belong to the set of 54% uninfected vertexes, i.e., this giant component is protected to be secure and safety at the same time. Similar results on Italian coupled communication and power grid network can be obtained when the extreme case is taking account, shown in Figure 13. MPC is still the best choice when considering the balance between fail-secure ability and fail-safe ability among those three dynamic defense strategies. The performance of FSE is slightly better than that of MPC in reducing the scope of infection where the gap between is not more than 10%. MPC is intrinsically superior to FSE in safety assurance of CPS, reporting 52% versus 14% in final r gc . Besides, the inferiority of FSA to the other strategies on Italian coupled network is not very large compared to that on generated networks. However, based on the results in Figures 7-9, we can conclude that the performance difference between different strategies will become more distinctive as the increase of detection difficulty. To summarize, considering the extreme case that the unprotected exposure is relatively large and only light-weight countermeasures work, MPC is the best choice when both fail-secure and fail-safe ability is essential among those dynamic strategies on both generated and real-case CPS networks. The reason lies on the fact that a defender who adopts MPC can reduce the scope of final infection and maintain the communication and other normal functions of the giant component to a large extent. Therefore, when the defender faces a stealth APT attack with fewer heavy-weight countermeasures to defense the CPS in an emergency, the proposed MPC strategy can provide a option of using light-weight countermeasures so as to achieve a balance between fail-secure ability and fail-safe ability while retarding the stealth malware propagation in CPS.

Conclusions
In this work, we focus on the static and dynamic defense against stealth malware propagation in Cyber-Physical Systems. We first modeled the attack-and-defense process between the CPS defender and attacker as a static shortest-path tree interdiction game, and formulated it as a bi-level linear integer programming. To meet the real-time decision-making requirement, we extended SSPTI game to an extensive-form game, i.e., DSPTI. The NP-hardness of SSPTI and DSPTI was systematically analyzed, and optimal algorithms were designed, as well. In order to find an optimal trade-off between the gain and loss of deploying light-weight countermeasures, we proposed a dynamic defense strategy, i.e., MPC strategy. Extensive experiments have been conducted on both simulated and real-case based CPS networks, which demonstrates the efficiency of the proposed algorithms. Furthermore, those evaluation results illustrated that the defender can achieve a balance between fail-secure ability and fail-safe ability while retarding the stealth malware propagation in CPS. Although, the application of this framework in the practice of CPS defense still needs a lot meticulous research and work, we believe that it will provide valuable enlightenment for subsequent research in the future.