Individual Security and Network Design with Malicious Nodes

Abstract

Networks are beneficial to those being connected but can also be used as carriers of contagious hostile attacks. These attacks are often facilitated by exploiting corrupt network users. To protect against the attacks, users can resort to costly defense. The decentralized nature of such protection is known to be inefficient, but the inefficiencies can be mitigated by a careful network design. Is network design still effective when not all users can be trusted? We propose a model of network design and defense with byzantine nodes to address this question. We study the optimal defended networks in the case of centralized defense and, for the case of decentralized defense, we show that the inefficiencies due to decentralization can be mitigated arbitrarily well when the number of nodes in the network is sufficiently large, despite the presence of the byzantine nodes.

1. Introduction

Game theoretic models of interdependent security have been used to study security of complex information and physical systems for more than a decade [1]. One of the key findings is that the externalities resulting from security decisions made by selfish agents lead to potentially significant inefficiencies. This motivates research on methods for improving information security, such as insurance [2] and network design [3,4]. We study the problem of network design for interdependent security in the setup where a strategic adversary collaborates with some nodes in order to disrupt the network.

1.1. The Motivation

Our main motivation is computer network security in the face of contagious attack by a strategic adversary. Examples of contagious attacks are stealth worms and viruses that gradually spread over the network, infecting subsequent unprotected nodes. Such attacks are considered among the main threats to cyber security [5]. Moreover, the study of the data from actual attacks demonstrates that the attackers spend time and resources to study the networks and choose the best place to attack [5]. Zou et al. and Chen et al. [6,7] developed models of the spread of internet worms, and Dainotti et al. [8] developed an approach to analyse the network traffic generated by internet worms.

Direct and indirect infection can be prevented by taking security measures that are costly and effective (i.e., provide sufficiently high safety to be considered perfect). Examples include using the right equipment (such as dedicated high quality routers), software (antivirus software, firewall), and following safety practices. All of these measures are costly. In particular, having antivirus software is cheap but using it can be considered to be costly, safety practices may require staff training, staying up to date with possible threats, creating backups, updating software, hiring specialized, well-paid staff. The security decisions are made individually by selfish nodes. Each node derives benefits from the nodes it is connected to (directly or indirectly) in the network. An example is Metcalfe’s law (attributed to Robert Metcalfe [9], a co-inventor of Ethernet) stating that each node’s benefits from the network are equal to the number of nodes it can reach in the network, and the value of a connected network is equal to the square of the number of its nodes. An additional threat faced by the nodes in the network is the existence of malicious nodes whose objectives are aligned with those of the adversary: they aim to disrupt the network [10,11].

1.2. Contribution

We study the effectiveness of network design for improving system security with malicious (or byzantine) players and strategic adversary. To this end, we propose and study a three stage game played by three classes of players: the designer, the adversary, and the nodes. Some of the nodes are malicious and cooperate with the adversary. The identity of the nodes is their private information, known to them and to the adversary only. The designer moves first, choosing the network of links between nodes. Then, costly protection is assigned to the nodes. We consider two methods of protection assignments: the centralized one, where the designer chooses the nodes to receive protection, and the decentralized one, where each node decides individually and independently whether to protect or not. Lastly, the adversary observes the protected network and chooses a single node to infect. The protection is perfect and each non-byzantine node can be infected only if she is unprotected. The byzantine nodes only pretend to use the protection and can be infected regardless of whether they are protected or not. After the initial node is infected, the infection spreads to all the nodes reachable from the origin of infection via a path containing unprotected or byzantine nodes. We show that if the protection decisions are centralized, so that the designer chooses both the network and the protection assignment, then either choosing a disconnected network with unprotected components of equal size or a generalized star with protected core is optimal. When protection decisions are decentralized, then, for a sufficiently large number of nodes, the designer can resort to choosing the generalized star as well. In the case of sufficiently well-behaved returns from the network (including, for example, Metcalfe’s law), the protection chosen by the nodes in equilibrium guarantees outcomes that are asymptotically close to the optimum. Hence, in such cases, the inefficiencies due to defense decentralization can be fully mitigated even in the presence of byzantine nodes.

1.3. Related Work

This work falls into broad research on network security. The majority of research in this area focuses on developing technologies for protecting against, detecting and mitigating malicious attacks on network components that threaten to compromise the whole network. The most recent examples of such technologies are the security solutions for cloud storage and cloud computing systems ([12,13]) and vehicular ad hoc networks ([14,15]). For example, Pooranian et al. [13] addresses the security of data deduplication in cloud storage. The authors propose a random response approach to deduplication allowing for maintaining a reasonable level of gains from deduplication and, at the same time, providing higher privacy by avoiding deterministic responses. Another example is [15], where the authors address the problem of security of vehicular ad hoc networks, considering the scenario of platooning, where a number of vehicles move in a column. They propose methods for mitigating effects of a malicious attack on a vehicle in the platoon. Yet another example is [16], which studies an approach to detection of anomalous network events, particularly denial of service attacks.

A suitable application related to our study are wireless sensory networks. This is due to the inherent power and memory limitations of such networks, which motivates economizing on deployment of security solutions, as well as to the fact that they are often located in hostile environments with intelligent adversaries (see [17] for a survey of wireless sensory networks security, [18] for a classification of security threats to wireless sensory networks, and [19,20] for recent contributions addressing security of such networks when the set of nodes changes dynamically). In line with [18], our work concerns availability, as the primary security goal, and secure localization, as the secondary security goal. Relevant attack types, based on [17], are active attacks that lead to nodes becoming unavailable, which may also prevent communication with other nodes in the network. This includes node outage, node malfunction and worm attacks. Relevant security mechanisms that, in our model, are abstracted as “protection”, are intrusion detection and resilient to node capture. There are two main approaches to provide protection against intrusion and undesirable behaviour of nodes in wireless ad hoc networks: detection and exclusion [21,22,23,24,25], and incentivising the right behaviour. Important examples of the first approach are solutions based on watchdogs ([21,25]) that allow for discovering malicious nodes by equipping network nodes with watchdogs that overhear internet traffic of their neighbours. Malicious nodes are then excluded from the networks. Kargl et al. [24] proposes improved detection methods based on a larger suite of sensors to enhance detection effectiveness. In [22], an exclusion method based on nodes’ reputation is proposed. An approach closer in spirit to the approach we consider in this paper is based on creating incentives for the nodes to behave in a desirable manner. The strength of wireless ad hoc networks comes from nodes sharing their computational power to transfer traffic. This, however, is costly and nodes may be selfish, withholding their resources while free riding on the services of other nodes. Butty et al. and Zhong et al. [26,27] propose an incentivising mechanism based on using virtual currencies or credits.

Our work addresses a similar problem, where nodes in the network contribute to the security of the overall system by making individual protection decisions. Since protection is costly, this creates a danger of selfish behaviour, where some nodes choose no protection and rely on other nodes choosing protection. In contrast to the network traffic problem, described above, the nodes share a common goal in that they all benefit from the network being secure. This allows for creating an incentivising mechanism without money, by choosing the right network topology that makes some of the nodes exposed to attacks in case they do not protect.

There are two, overlapping strands of literature that our work is most related to: the interdependent security games [1] and multidefender security games [28,29,30]. Early research on interdependent security games assumed that the players only care about their own survival and that there are no benefits from being connected [31,32,33,34,35,36,37]. In particular, the authors of [33] study a setting in which the network is fixed beforehand, nodes only care about their own survival, attack is random, protection is perfect, and contagion is perfect: infection spreads between unprotected nodes with probability 1. The focus is on computing Nash equilibria of the game and estimating the inefficiencies caused by defense decentralization. They show that finding one Nash equilibrium is doable in polynomial time, but finding the least or most expensive one is NP-hard. They also point out the high inefficiency of decentralized protection, by showing unboundedness of the price of anarchy. In [34,35], techniques based on local mean field analysis are used to study the problem of incentives and externalities in network security on random networks. In a more recent publication [37], individual investments in protection are considered. The focus is on the strategic structure of the security decisions across individuals and how the network shapes the choices under random versus targeted attacks. The authors show that both under- and overinvestment may be present when protection decisions are decentralized. Slightly different, but related, models are considered in [38,39,40,41,42]. In these models, the defender chooses a spanning tree of a network, while the attacker chooses a link to remove. The defender and the adversary move simultaneously. The attack is successful if the chosen link belongs to the chosen spanning tree. Polynomial time algorithms for computing optimal attack and defense strategies are provided for several variants of this game. For a comprehensive review of interdependent security games, see an excellent survey [1].

Multidefender security games are models of security where two or more defenders make security decisions with regard to nodes, connected in a network, and prior to an attack by a strategic adversary. Each of the defenders is responsible for his own subset of nodes and the responsibilities of different defenders are non-overlapping. The underlying network creates interdependencies between the defenders’ objectives, which result in externalities, like in the interdependent security games. The distinctive feature of multidefender security models is the adopted solution concept: the average case Stackelberg equilibrium. The model is two stage. In the first stage, the defenders commit to mixed strategies assigning different types of security configurations across the nodes. In the second stage, the adversary observes the network and chooses an attack. The research focuses on equilibrium computation and quantification of inefficiencies due to distributed protection decisions.

Papers most related to our work are [3,4,11,43]. The authors of [10] introduce malicious nodes to the model of [33]. The key finding in that paper is that the presence of malicious nodes creates a “fear factor” that reduces the problem of underprotection due to defense decentralization. Inspired by [10,11], we also consider malicious nodes in the context of network defense. We provide a formal model of the game with such nodes as a game with incomplete information. Our contribution, in comparison to [11], lies in placing the players in a richer setup, where nodes care about their connectivity as well as their survival, and where both underprotection (i.e., insufficiently many nodes protect as compared to an optimum) and overprotection (excessively many nodes protect as compared to an optimum) problems are present. This leads to a much more complicated incentives structure. In particular, the presence of malicious nodes may lead to underprotection, as nodes may be unable to secure sufficient returns from choosing protection on their own.

Cerdeiro et al. [3,4] consider the problem of network design and defense prior to the attack by a strategic adversary. In a setting where the nodes care about both their connectivity and their survival, the authors study the inefficiencies caused by defense decentralization and how they can be mitigated by network design. The authors show that both underprotection as well as overprotection may appear, depending on the costs of protection and network topology. Both inefficiencies can be mitigated by network design. In particular, the underprotection problem can be fully mitigated by designing a network that creates a cascade of incentives to protect. Our work builds on [3,4] by introducing malicious nodes to the model. We show how the designer can address the problem of uncertainty about the types of nodes and, at the same time, mitigate the inefficiencies due to defense decentralization. Lastly, in [43], a model of decentralized network formation and defense prior to the attack by adversaries of different profiles is considered. The authors show, in particular, that, despite the decentralized protocol of network formation, the inefficiencies caused by defense decentralization are relatively low.

The rest of the paper is structured as follows. In Section 2, we define the model of the game, which we then analyze in Section 3. In Section 4, we discuss possible modifications of our model. We provide concluding remarks in Section 5. Appendix A contains the proofs of the most technical results.

2. The Model

There are $(n+2)$ players: the designer (D), the nodes (V), and the adversary (A). In addition, each of the nodes is of one of two types: a genuine node (type 1) or a byzantine node (type 0). We assume that there are at least $n=3$ nodes and that there is a fixed amount $n_B\ge 1$ of byzantine nodes. The byzantine nodes cooperate with the adversary and their identity is known to A. All the nodes know their own type only. On the other hand, the adversary has complete information about the game. We suppose that he infects a subset of $n_A\ge 1$ nodes. A network over a set of nodes V is a pair $G=(V,E)$, where $E\subseteq \{ij:i,j\in V\}$ is the set of undirected links of G. Given a set of nodes V, $\mathcal{G}(V)$ denotes the set of all networks over V and $\mathcal{G}={\bigcup }_{U\subseteq V}\mathcal{G}(U)$ is the set of all networks that can be formed over V or any of its subsets. The game proceeds in four rounds (the numbers $n\ge 3,n_B\ge 1,n_A\ge 1$ are fixed before the game):

• The types of the nodes are realized.
• D chooses a network $G\in \mathcal{G}(V)$, where $\mathcal{G}(V)$ is the set of all undirected networks over V.
• Nodes from V observe G and choose, simultaneously and independently, whether to protect (what we denote by 1) or not (denoted by 0). This determines the set of protected nodes $\mathsf{\Delta }$. The protection of the byzantine nodes is fake and, when attacked, such a node gets infected and transmits the infection to all her neighbors.
• $\mathrm{A}$ observes the protected network $(G,\mathsf{\Delta })$ and chooses a subset $I\subseteq V$ consisting of $\left|I\right|=n_A\ge 1$ nodes to infect. The infection spreads and eliminates all unprotected or byzantine nodes reachable from I in G via a path that does not contain a genuine protected node from $\mathsf{\Delta }$. This leads to the residual network obtained from G by removing all the infected nodes.

Payoffs to the players are based on the residual network and costs of defense. The returns from a network are measured by a network value function $\mathsf{\Phi }:{\bigcup }_{U\subseteq V}\mathcal{G}(U)\to \mathbb{R}$ that assigns a numerical value to each network that can be formed over a subset U of nodes from V.

A path in G between nodes $i,j\in V$ is a sequence of nodes $i_0,\dots ,i_m\in V$ such that $i=i_0$, $j=i_m$, $m\ge 1$, and $i_{k-1}{i}_k\in E$ for all $k=1,\dots ,m$. Node j is reachable from node i in G if $i=j$ or there is a path between them in G. A component of a network G is a maximal set of nodes $C\subseteq V$ such that for all $i,j\in C$, $i\ne j$, i and j are reachable in G. The set of components of G is denoted by $\mathcal{C}(G)$. Given a network G and a node $i\in V$, $C_i(G)$ denotes the component $C\in \mathcal{C}(G)$ such that $i\in C$. Network G is connected if $|\mathcal{C}(G)|=1$.

We consider the following family of network value functions:

$$\mathsf{\Phi }(G)=\sum _{C\in \mathcal{C}(G)}f(|C|),$$

where the function $f:{\mathbb{R}}_{\ge 0}\to \mathbb{R}$ is increasing, strictly convex, satisfies $f(0)=0$, and, for all $x\ge 1$, satisfies the inequalities

$$\begin{array}{cc}\hfill f(3x)& \ge 2f(2x),\hfill \\ \hfill f(3x+2)& \ge f(2x+2)+f(2x+1).\hfill \end{array}$$

(1)

In other words, the value of a connected network is an increasing and strictly convex function of its size. The value of a disconnected network is equal to the sum of values of its components. These assumptions reflect the idea that each node derives additional utility from every node she can reach in the network. In the last property, we assume that these returns are sufficiently large: the returns from increasing the size of a component by $50\%$ are higher than the returns from adding an additional, separate, component of the same size to the network. Such form of network value function is in line with Metcalfe’s law, where the value of a connected network over x nodes is given by $f(x)=x^2$, as well as with Reed’s law, where the value of a connected network is of exponential order with respect to the number of nodes (e.g., $f(x)=2^x-1$).

Before defining payoff to a node from a given network, defense, and attack, we formally define the residual network. Given a network $G=(V,E)$ and a set of nodes $Z\subseteq V$, let $G-Z$ denote the network obtained from G by removing the nodes from Z and their connections from G. Thus, $G-Z=(V\setminus Z,E[V\setminus Z])$, where $E[V\setminus Z]=\{ij\in E:i,j\in V\setminus Z\}$. Given defense $\mathsf{\Delta }$ and the set of byzantine nodes B, the graph $A(G\mid \mathsf{\Delta },B)=G-\mathsf{\Delta }\setminus B$ is called the attack graph. By infecting a node $i\in V$, the adversary eliminates the component of i in the attack graph, $C_i(A(G\mid \mathsf{\Delta },B))$ (We define $C_i(A(G\mid \mathsf{\Delta },B))=⌀$ for every $i\in \mathsf{\Delta }\setminus B$). Hence, if the adversary infects a subset $I\subseteq V$ of nodes, then the residual network (i.e., the network that remains) after such an attack is $R(G\mid \mathsf{\Delta },B,I)=G-{\bigcup }_{i\in I}{C}_i(A(G\mid \mathsf{\Delta },B))$.

Nodes’ information about whether they are genuine or byzantine is private. Similarly, the adversary’s information about the identity of the byzantine nodes is private. As usual in games with incomplete information, private information of the players is represented by their types. The type of a node $i\in V$ is represented by ${\theta }_i\in \{0,1\}$ (${\theta }_i=1$ means that i is genuine and ${\theta }_i=0$ means that i is byzantine) and the type of the adversary is represented by ${\theta }_{\mathrm{A}}\in \left(\genfrac{}{}{0pt}{}{V}{n_B}\right)$ (Given a finite set X, $\left(\genfrac{}{}{0pt}{}{X}{t}\right)$ denotes the set of subsets of X of cardinality t). A vector $\mathit{\theta }=({\theta }_1,\dots ,{\theta }_n,{\theta }_{\mathrm{A}})$ of players’ types is called a type profile. The type profile must be consistent so that the byzantine nodes are really known to the adversary. The set of consistent type profiles is

$$\mathsf{\Theta }=\{({\theta }_1,\dots ,{\theta }_n,{\theta }_{\mathrm{A}}):{\theta }_{\mathrm{A}}=\{i\in V:{\theta }_i=0\},|{\theta }_{\mathrm{A}}|=n_B\}.$$

Remark 1.

We point out that $B\subseteq V$ is the set of byzantine nodes (i.e., the true state of the world) while ${\theta }_{\mathrm{A}}$ denotes the beliefs of the adversary. The consistency assumption implies that the beliefs of the adversary are correct and ${\theta }_{\mathrm{A}}=B$.

The adversary aims to minimize the gross welfare (i.e., the sum of nodes’ gross payoffs), which is equal to the value of the residual network. Given a network G, the set of protected nodes $\mathsf{\Delta }$, and the type profile $\mathit{\theta }\in \mathsf{\Theta }$, the payoff to the adversary from infecting the set of nodes I is

$$\begin{array}{c}\hfill u^{\mathrm{A}}(G,\mathsf{\Delta },I\mid \mathit{\theta })=-\mathsf{\Phi }(R(G\mid \mathsf{\Delta },B,I))=-\sum _{C\in \mathcal{C}(R(G\mid \mathsf{\Delta },B,I))}f(|C|).\end{array}$$

The designer aims to maximize the value of the residual network minus the cost of defense. Notice that this cost includes the cost of defense of the byzantine nodes. Formally, a designer’s payoff from network G under defense $\mathsf{\Delta }$, the set of infected nodes I, and the type profile $\mathit{\theta }$ is equal to

$$\begin{array}{c}\hfill u^{\mathrm{D}}(G,\mathsf{\Delta },I\mid \mathit{\theta })=\mathsf{\Phi }(R(G\mid \mathsf{\Delta },I,B))-\left|\mathsf{\Delta }\right|c=\left(\sum _{C\in \mathcal{C}(R(G\mid \mathsf{\Delta },I,B))}f(|C|)\right)-\left|\mathsf{\Delta }\right|c.\end{array}$$

The gross payoff to a genuine (i.e., not a byzantine) node $j\in V$ in a network G is equal to $f(|C_j(G)|)/|C_j(G)|$. In other words, each genuine node gets the equal share of the value of her component. The net payoff of a node is equal to the gross payoff minus the cost of protection. A genuine node gets payoff 0 when removed. Defense has cost $c\in {\mathbb{R}}_{>0}$. The byzantine nodes have the same objectives as the adversary and their payoff is the same as that of $\mathrm{A}$. Formally, payoff to node $j\in V$ given network G with defended nodes $\mathsf{\Delta }$, set of infected nodes I, and type profile $\mathit{\theta }\in \mathsf{\Theta }$ is equal to

$$\begin{array}{cc}\hfill u^j& (G,\mathsf{\Delta },I\mid \mathit{\theta })=\left\{\begin{array}{cc}{u}^{\mathrm{A}}(G,\mathsf{\Delta },I\mid \mathit{\theta })\hfill & \mathrm{if}{\theta }_{\mathrm{j}}=0,\hfill \\ \frac{f(|C_j(R(G\mid \mathsf{\Delta },B,I))|)}{|C_j(R(G\mid \mathsf{\Delta },B,I))|}\hfill & \mathrm{if}{\theta }_{\mathrm{j}}=1,\mathrm{j}\notin \mathsf{\Delta },\mathrm{and}\mathrm{j}\notin {\bigcup }_{\mathrm{i}\in \mathrm{I}}{\mathrm{C}}_{\mathrm{i}}(\mathrm{A}(\mathrm{G}\mid \mathsf{\Delta },\mathrm{B})),\hfill \\ \frac{f(|C_j(R(G\mid \mathsf{\Delta },B,I))|)}{|C_j(R(G\mid \mathsf{\Delta },B,I))|}-c\hfill & \mathrm{if}{\theta }_{\mathrm{j}}=1\mathrm{and}\mathrm{j}\in \mathsf{\Delta },\hfill \\ 0\hfill & \mathrm{if}{\theta }_{\mathrm{j}}=1,\mathrm{j}\notin \mathsf{\Delta },\mathrm{and}\mathrm{j}\in {\bigcup }_{\mathrm{i}\in \mathrm{I}}{\mathrm{C}}_{\mathrm{i}}(\mathrm{A}(\mathrm{G}\mid \mathsf{\Delta },\mathrm{B})).\hfill \end{array}\right.\hfill \end{array}$$

The adversary and the byzantine nodes make choices that maximize their utility. The designer and the nodes have incomplete information about the game and we assume that they are pessimistic, making choices that maximize the worst possible type realization [44]. Formally, the pessimistic utility of genuine (i.e., of type ${\theta }_j=1$) node j from network G, set of protected nodes $\mathsf{\Delta }$, and set of infected nodes I, is

$${\widehat{U}}^j(G,\mathsf{\Delta },I)=\underset{({\mathit{\theta }}_{-j},1)\in \mathsf{\Theta }}{inf}{u}^j(G,\mathsf{\Delta },I\mid ({\mathit{\theta }}_{-j},1)).$$

Similarly, the pessimistic utility of the designer from network G, a set of protected nodes $\mathsf{\Delta }$, and a set of infected nodes I, is

$${\widehat{U}}^{\mathrm{D}}(G,\mathsf{\Delta },I)=\underset{\mathit{\theta }\in \mathsf{\Theta }}{inf}{u}^{\mathrm{D}}(G,\mathsf{\Delta },I\mid \mathit{\theta }).$$

To summarize, the set of players is $P=V\cup \{\mathrm{D},\mathrm{A}\}$. The set of strategies of player $\mathrm{D}$ is $S^{\mathrm{D}}=\mathcal{G}(V)$. A strategy of each node j is a function ${\delta }_j:\mathcal{G}(V)\times \{0,1\}\to \{0,1\}$ that, given network $G\in \mathcal{G}(V)$ and node’s type ${\theta }_j\in \{0,1\}$, provides the defense decision ${\delta }_j(G,{\theta }_j)$ of the node. The individual strategies of the nodes determine function $\mathsf{\Delta }:\mathcal{G}(V)\times {\{0,1\}}^V\to 2^V$ providing, given network $G\in \mathcal{G}(V)$ and nodes’ types profile ${\mathit{\theta }}_{-\mathrm{A}}\in {\{0,1\}}^V$, the set of defended nodes $\mathsf{\Delta }(G\mid {\mathit{\theta }}_{-\mathrm{A}})=\{j\in V:{\delta }_j(G,{\theta }_j)=1\}$. The set of strategies of each node $j\in V$ is $S^j=2^{\mathcal{G}(V)\times \{0,1\}}$. A strategy of player $\mathrm{A}$ is a function $x:\mathcal{G}(V)\times 2^V\times \left(\genfrac{}{}{0pt}{}{V}{n_B}\right)\to \left(\genfrac{}{}{0pt}{}{V}{n_A}\right)$ that, given network $G\in \mathcal{G}(V)$, set of protected nodes $\mathsf{\Delta }\subseteq V$, and adversary’s type ${\theta }_{\mathrm{A}}\in \left(\genfrac{}{}{0pt}{}{V}{n_B}\right)$, provides the set of nodes to infect $x(G,\mathsf{\Delta },{\theta }_{\mathrm{A}})$. The set of strategies of player $\mathrm{A}$ is $S^{\mathrm{A}}={\left(\genfrac{}{}{0pt}{}{V}{n_A}\right)}^{\mathcal{G}(V)\times 2^V\times \left(\genfrac{}{}{0pt}{}{V}{n_B}\right)}$.

Abusing the notation slightly, we use the same notation for utilities of the players from the strategy profiles in the game. Thus, given strategy profile $(G,\mathsf{\Delta },x)$ and type profile $\mathit{\theta }$, the payoff to player $j\in V\cup \{\mathrm{D},\mathrm{A}\}$ is $u^j(G,\mathsf{\Delta },x\mid \mathit{\theta })=u^j(G,\mathsf{\Delta }(G),x(G,\mathsf{\Delta }(G))\mid \mathit{\theta })$, the pessimistic payoff to player $j\in V\setminus B$ is

$${\widehat{U}}^j(G,\mathsf{\Delta },x)=\underset{({\mathit{\theta }}_{-j},1)\in \mathsf{\Theta }}{inf}{u}^j(G,\mathsf{\Delta }(G),x(G,\mathsf{\Delta }(G))\mid ({\mathit{\theta }}_{-j},1)),$$

(2)

and the pessimistic payoff to the designer is given by

$${\widehat{U}}^{\mathrm{D}}(G,\mathsf{\Delta },x)=\underset{\mathit{\theta }\in \mathsf{\Theta }}{inf}{u}^{\mathrm{D}}(G,\mathsf{\Delta }(G),x(G,\mathsf{\Delta }(G))\mid \mathit{\theta }).$$

(3)

By convention, we say that the pessimistic payoff of a byzantine node is the same as her payoff. We are interested in subgame perfect mixed strategy equilibria of the game with the preferences of the players defined by the pessimistic payoffs. We call them the equilibria, for short. We make the usual assumption that, when evaluating a mixed strategy profile, the players consider the expected value of their payoffs from the pure strategies. In the case of the designer and the genuine nodes, these are expected pessimistic payoffs.

Throughout the paper, we will also refer to the subgames ensuing after network G is chosen. We will denote such subgames by $\mathsf{\Gamma }(G)$ and call them network subgames. We will abuse the notation by using the same letters to denote the strategies in $\mathsf{\Gamma }(G)$ and in $\mathsf{\Gamma }$. The set of strategies of each node $i\in V$ in game $\mathsf{\Gamma }(G)$ is ${\{0,1\}}^{\{0,1\}}$. Given type profile ${\mathit{\theta }}_{-\mathrm{A}}\in {\{0,1\}}^V$, individual strategies of the nodes determine function $\mathsf{\Delta }:{\{0,1\}}^V\to 2^V$ that provides the set of defended nodes $\mathsf{\Delta }({\mathit{\theta }}_{-\mathrm{A}})=\{j\in V:{\delta }_j({\theta }_j)=1\}$. The set of strategies of the adversary in $\mathsf{\Gamma }(G)$ is ${\left(\genfrac{}{}{0pt}{}{V}{n_A}\right)}^{2^V\times \left(\genfrac{}{}{0pt}{}{V}{n_B}\right)}$.

All the key notations are summarized in

Table 1. Summary of the notation.

Notation	Definition
n	number of nodes
$n_B$	number of byzantine nodes
$n_A$	number of nodes infected by the adversary
f	component value function
G	network
$\mathsf{\Delta }$	set of protected nodes
$u^{\mathrm{D}},u^{\mathrm{A}},u^j$	payoff to the designer, the adversary, and a node
${\widehat{U}}^{\mathrm{D}},{\widehat{U}}^j$	pessimistic payoff to the designer and a node

.

2.1. Remarks on the Model

We make a number of assumptions that, although common for interdependent security games, are worth commenting on. Firstly, we assume that protection is perfect. This assumption is reasonable when available means of protection are considered sufficiently reliable and, in particular, deter the adversary towards the unprotected nodes. Arguably, this is the case for protection means used in cybersecurity. Secondly, we assume that the designer and genuine nodes are pessimistic and maximize their worst-case payoff. Such an approach is common in computer science and is in line with trying to provide the worst-case guarantees on system performance. One can also take the probabilistic approach (by supposing that the distribution of the byzantine nodes is given by a random variable). In Section 4, we discuss how our results carry over to such model.

3. The Analysis

We start the analysis by characterizing the centralized defense model, where the designer chooses both the network and the defense assignment to the nodes. After that, the adversary observes the protected network and nodes’ types and chooses the nodes to infect. We focus on the first nontrivial case $n_B=n_A=1$. In this case, we are able to characterize networks that are optimal to the designer. The topology of these networks is based on the generalized k-stars. We then turn to the decentralized defense and study the cost of decentralization. It turns out that the topology of k-star gives an asymptotically low cost of decentralization not only for the simple case studied earlier but for all possible values of parameters $n_B$ and $n_A$. This is enough to prove our main result, Theorem 1, providing bounds on the price of anarchy.

3.1. Centralized Defense

Fix the parameters $n_B$ and $n_A$ and suppose that the designer chooses both the network and the protection assignment. This leads to a two stage game where, in the first round, the designer chooses a protected network $(G,\mathsf{\Delta })$ and in the second round the adversary observes the protected network and nodes’ types (recognizing the byzantine nodes) and chooses the nodes to attack. Payoffs to the designer and to the adversary are as described in Section 2 and we are interested in subgame perfect mixed strategy equilibria of the game with pessimistic preferences of the designer. We call them equilibria, for short. Notice that, since the decisions are made sequentially, there is always a pure strategy equilibrium of this game. In this section, we focus only on such equilibria. Furthermore, the equilibrium payoff to the designer is the same for all equilibria. We denote this payoff by ${\widehat{U}}_{★}^{\mathrm{D}}(n,c)$.

In the rest of this subsection we focus on the case $n_B=n_A=1$. In this case, when the protection is chosen by the designer, two types of protected networks can be chosen in an equilibrium (depending on the value function and the cost of defense): a disconnected network with no defense or a generalized star with protected core and, possibly, one or two unprotected components. Before stating the result characterizing equilibrium defended networks and equilibrium payoffs to the designer, we need to define the key concept of a generalized star and some auxiliary quantities. We start with the definition of a generalized star. If $G=(V,E)$ is a network and $V^{\prime }\subseteq V$ is a subset of nodes, then we denote by $G\left[V^{\prime }\right]$ the subnetwork of G induced by $V^{\prime }$, i.e., the network $G\left[V^{\prime }\right]=(V^{\prime },\{ij\in E:i,j\in V^{\prime }\})$.

Definition 1 

(Generalized k-star). Given $k\ge 1$ and a set of nodes, V, a generalized k-star over V is a network $G=(V,E)$ such that the set of nodes V can be partitioned into two sets, C (the core) of size $\left|C\right|=k$ and P (the periphery), in such a way that $G\left[C\right]$ is a clique, every node in P is connected to exactly one node in C, and every node in C is connected to $\lfloor n/k\rfloor -1$ or $\lceil n/k\rceil -1$ nodes in P.

Roughly speaking, a generalized k-star is a core-periphery network with the core consisting of k nodes and the periphery consisting of the remaining $n-k$ nodes. The core is a clique, each periphery node is connected to exactly one core node and they are distributed evenly across the core nodes. An example of a generalized star is depicted in Figure 1.

Now, we turn to defining some auxiliary quantities. For any $n\ge 3$ such that $nmod6\ne 3$, we define

$$w_0(n)=w_1(n)=f\left(⌊\frac{n}{2}⌋\right)+f(1){\mathbb{1}}_{\{nmod2=1\}},$$

and, for every n such that $nmod6=3$, we define

$$w_0(n)=w_1(n)=max\left(2f\left(\frac{n}{3}\right),f\left(\frac{n-1}{2}\right)+f(1)\right).$$

(4)

Given n nodes, $w_0(n)$ is the maximal network value the designer can secure against a strategic adversary by choosing an unprotected network composed of three components of equal size or two components of equal size and possibly one disconnected node. This is also the maximal network value the designer can secure by choosing such a network with one protected node because, in the worst case scenario, the protected node is byzantine and may be infected.

For every $k\in \{3,\dots ,n\}$, let

$$w_k(n)=\left\{\begin{array}{cc}f\left(n-1-\frac{n-1}{k}\right)+f(1),\hfill & \mathrm{if} n mod k=1,\hfill \\ f\left(n-\lceil \frac{n}{k}\rceil \right),\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

Given n nodes and $k\ge 3$, $w_k(n)$ is the network value that the designer can secure by choosing a generalized k-star, with one node disconnected in the case of k dividing $n-1$, having all core nodes protected and all periphery nodes unprotected.

We also define the following quantities:

$$\begin{array}{c}{A}_q=min\left(f(n-q),f\left(⌊\frac{n-q}{2}⌋\right)+f(q)\right),\hfill \\ B_q=min\left(f(n-q-1),f\left(⌊\frac{n-q-1}{2}⌋\right)+f(q)\right),\hfill \end{array}$$

$$h_q(n)=max\left(A_q,B_q+f(1)\right),$$

(5)

$$w_2(n)=\underset{q\in \{0,\dots ,n-2\}}{max}{h}_q(n).$$

(6)

Given n nodes, $w_2(n)$ is the network value that the designer can secure by choosing a network composed of a generalized 2-star with a protected core and unprotected periphery, an unprotected component (of size $q\in \{0,\dots ,n-2\}$), and possibly one node disconnected from both of these components.

Finally, we define

$$K^{*}(n,c)={argmax}_{k\in \{0,\dots ,n\}}{w}_k(n)-kc.$$

We point out that $K^{*}(n,c)$ never contains 1 (because $c>0$). We are now ready to state the result characterizing equilibrium defended network and pessimistic equilibrium payoffs to the designer.

Proposition 1.

Let $n_B=n_A=1$, $n\ge 3$, $c>0$, and $k\in K^{*}(n,c)$. Then, the pessimistic equilibrium payoff to the designer is equal to ${\widehat{U}}_{★}^{\mathrm{D}}(n,c)=w_k-kc$. Moreover, there exists an equilibrium network $(G,\mathsf{\Delta })$ that has $\left|\mathsf{\Delta }\right|=k$ protected nodes and the following structure:

(i) 

G has at most three connected components.

(ii) 

If $k\ge 3$ and $nmodk\ne 1$, then G is a generalized k-star with protected core and unprotected periphery.

(iii) 

If $k\ge 3$ and $nmodk=1$, then G is composed of a generalized k-star of size $(n-1)$ with protected core and unprotected periphery and a single unprotected node.

(iv) 

If $k=0$ and $nmod6\ne 3$, then G has two connected components of size $\lfloor n/2\rfloor$ and, if $nmod2=1$, a single unprotected node.

(v) 

If $k=0$ and $nmod6=3$, then G either has the structure described in Proposition 1 or G is composed of three components of size $n/3$, depending on the term achieving the maximum in Equation (4).

(vi) 

If $k=2$, then G is composed of a generalized 2-star with protected core and unprotected periphery, an unprotected component of size $q\in \{0,\dots ,n-2\}$ and, possibly, a single unprotected node. The size q is the number achieving maximum in Equation (6). The existence of a single unprotected node depends on the term achieving maximum in Equation (5).

The intuition behind this result is as follows. When the cost of defense is high, the designer is better off by not using any defense and partitioning the network into several components. Since the strategic adversary will always eliminate a maximal such component, the designer has to make sure that all the components are equally large. Due to the divisibility problems, one component may be of lower size. Thanks to our assumptions on the component value function f, the number of such components is at most three. Moreover, if there are exactly three components, then they are of equal size or the smallest one has size 1.

When the cost of defense is sufficiently low, it is profitable to the designer to protect some nodes. If the number of protected nodes is not smaller than 3 then, by choosing a generalized k-star with a fully protected core (of optimal size $k\ge 3$ depending on the cost) and unprotected periphery, the designer knows that the strategic adversary is going to attack either the byzantine node (if she is among the core nodes) or any unprotected node (otherwise). An attack on the byzantine core node destroys that node and all periphery nodes attached to her. Thus, in the worst case, a core node with the largest number of periphery nodes connected to her is byzantine. By distributing the core nodes evenly, the designer minimizes the impact of this worst case scenario. Due to the divisibility problems, it may happen that some of the core nodes are connected to a higher number of periphery nodes. If this is the case for one core node only, then it is better to the designer to disconnect this one node from the generalized star. By doing so, the designer spares this node from destruction.

The case when there are exactly two protected nodes is special. Indeed, in this case, choosing a generalized 2-star with a protected core is not better than using no protection at all. This is because, in the worst case, the byzantine node is among the two protected ones. Therefore, it would be better to the designer to split the network into two unprotected components—this would result in the same network value after the attack without the need to pay the cost of protection. On the other hand, if the network consists of a generalized 2-star with protected core and an unprotected component, then the argument above ceases to be valid: even if the byzantine node is among the protected ones, splitting them may give the adversary an incentive to destroy the unprotected component. Therefore, a protection of two nodes may be used as a resource that ensures that one component survives the attack.

It is interesting to compare this result to an analogous result obtained in [3,4] for a model without byzantine nodes. There, depending on the cost of protection, three equilibrium protected networks are possible: an unprotected disconnected network (like in the case with a byzantine node), a centrally protected star, and a fully protected connected network. The existence of a byzantine node leads to a range of core-protected networks between the centrally protected star and the fully protected clique (which is a generalized n-star). Notice that a pessimistic attitude towards incomplete information results in the star network never being optimal: if only one node is protected then, in the worst case, the designer expects this node to be byzantine, which leads to losing all nodes after the attack by the adversary. Therefore, at least two nodes must be protected if protection is used in an equilibrium. Proof of Proposition 1 is given in Appendix A.

Example 1.

Fix a network value function f and suppose that $n_B=n_A=1$. Then, for a given $(n,c)$, Proposition 1 leads to a pseudopolynomial-time algorithm for finding an equilibrium network $(G,\mathsf{\Delta })$. More precisely, one can simply enumerate all possible networks discussed in Proposition 1 and choose the one with maximal payoff to the Designer.

Table 2. Optimal networks for $n\in \{12,30,50\}$.

					$n=50$
			$n=30$	$c<3.88$	50-star
		$c<3.80$	30-star	$c\in (3.88,11.875)$	25-star
	$n=12$	$c\in (3.80,11)$	15-star	$c\in (11.875,23.25)$	17-star
$c<3.50$	12-star	$c\in (11,26)$	10-star	$c\in (23.25,30.(3))$	13-star
$c\in (3.50,9.50)$	6-star	$c\in (26,49)$	6-star	$c\in (30.(3),85)$	10-star
$c\in (9.50,11.25)$	4-star	$c\in (49,70.20)$	5-star	$c\in (85,195)$	5-star
$c>11.25$	two disconnected components of equal size	$c>70.20$	two disconnected components of equal size	$c>195$	two disconnected components of equal size

presents how the optimal network changes for different cost values when $f(x)=x^2$ and $n\in \{12,30,50\}$. For these values of n, it is never optimal to have one node that is disconnected from the rest of the network. Moreover, as we can see, for a given number n of nodes, not all possible generalized k-stars arise as optima. It is interesting to note that 3-stars have never appeared in our experiments as optimal networks for the value function $f(x)=x^2$. Similarly, we have not found an example where it is optimal to defend exactly 2 nodes. The case where there is no defense but the network is split into 3 equal parts arises when $n=9$ and the cost is high enough (i.e., $c>6.2$), as already established in [3].

Remark 2.

In this section, we have characterized the optimal networks for the case $n_B=n_A=1$. Nevertheless, we have not found a network that has a substantially different structure than the ones described here and performs better for general values of $n_B$ and $n_A$. We therefore suspect that the characterization for the general case is similar to the case $n_B=n_A=1$.

3.2. Decentralized Defense

Now, we turn attention to the variant of the model where defense decisions are decentralized. Our goal is to characterize the inefficiencies caused by decentralized protection decisions for general values of $n_B$ and $n_A$. To this end, we need to compare equilibrium payoffs to the designer under centralized and decentralized defense. We start by establishing two results about the existence of equilibria in the decentralized defense game.

Firstly, since the game is finite, we get equilibrium existence by the Nash theorem. Notice that our use of the pessimistic aggregation of the incomplete information about types of nodes determines a game where the utilities of the nodes and the designer are defined by the corresponding pessimistic utilities. This game is finite and, by Nash theorem, it has a Nash equilibrium in mixed strategies. This leads to the following existence result.

Proposition 2.

There exists an equilibrium of Γ.

Proof. 

It can be shown that a stronger statement holds. More precisely, one can prove that, for any $n,c$, there exists an equilibrium $\mathit{e}$ such that the strategies of the nodes do not depend on their types. Let us sketch the proof. We consider a modified model in which the nodes do not know their types (i.e., every node thinks that she is genuine, but some of them are byzantine). In this model, the (mixed) strategies of nodes are functions ${\tilde{\delta }}_j:\mathcal{G}(V)\to \mathsf{\Sigma }(\{0,1\})$ (If X is a finite set, then by $\mathsf{\Sigma }(X)$ we denote the set of all probability measures on X),

and every node receives a pessimistic utility of a genuine node, as defined in Equation (2). The strategies and payoffs to the adversary and the designer are as in the original model. Let $\overline{x}:\mathcal{G}(V)\times 2^V\times \left(\genfrac{}{}{0pt}{}{V}{n_B}\right)\to \left(\genfrac{}{}{0pt}{}{V}{n_A}\right)$ denote any optimal strategy of the adversary (i.e., a function that, given a defended network and the position of the byzantine nodes B, returns a subset of nodes that is optimal to infect in this situation). If we fix $\overline{x}$, then the game turns into a two-stage game (the designer makes his action first and then the nodes make their actions) with complete information. Therefore, this game has a subgame perfect equilibrium in mixed strategies. This equilibrium, together with $\overline{x}$, forms an equilibrium $\mathit{e}$ in the original model because, in the original model, a byzantine node cannot improve her payoff by a unilateral deviation. ☐

Fix the parameters $n_B,n_A$ and let $\epsilon (n,c)$ denote the set of all equilibria of $\mathsf{\Gamma }$ with n nodes and the cost of protection $c>0$. Let ${\widehat{U}}_{★}^{\mathrm{D}}(n,c)$ denote the best payoff the designer can obtain in the centralized defense game (as discussed in Section 3.1). The price of anarchy is the fraction of this payoff over the minimal payoff to the designer that can be attained in equilibrium of $\mathsf{\Gamma }$ (for the given cost of protection c),

$$\mathrm{PoA}(n,c)=\frac{{\widehat{U}}_{★}^{\mathrm{D}}(n,c)}{{min}_{\mathit{e}\in \epsilon (n,c)}\mathbf{E}{\widehat{U}}^{\mathrm{D}}(\mathit{e})}.$$

Although pure strategy equilibria may not exist for some networks, they always exist on generalized stars. Moreover, when these stars are large enough, by choosing such a star, the designer can ensure that all genuine core nodes are protected. This is enough to characterize the price of anarchy as n goes to infinity (with a fixed cost c). The next proposition characterizes equilibria on generalized stars.

Proposition 3.

Let $\mathit{e}\in \epsilon$ be any equilibrium of Γ. Let $G=(V,E)$ be a generalized k-star. Denote $\left|V\right|=n$, $x=⌊\frac{n}{k}⌋-n_A+1$, and $y=n-n_B⌊\frac{n}{k}⌋$. Furthermore, suppose that $n\ge k\ge n_B+1$ and $x\ge 2$. If the cost value c belongs to one of the intervals $(0,f(1))$, $(f(1),\frac{f(x)}{x})$, $(\frac{f(y)}{y},+\infty )$, then the following statements about $\mathit{e}$ restricted to $\mathsf{\Gamma }(G)$ hold:

• all genuine nodes use pure strategies,
• if $c<f(1)$, then all genuine nodes are protected,
• if $f(1)<c<\frac{f(x)}{x}$, then all genuine core nodes are protected and all genuine periphery nodes are not protected,
• if $\frac{f(y)}{y}<c$, then all genuine nodes are not protected.

Our main result estimates the price of anarchy using Proposition 3.

Theorem 1.

Suppose that, for all $t\ge 0,$ the function f satisfies

$$\underset{n\to +\infty }{lim}f(n)/f(n-t)=1.$$

Then, for any cost level $c>0$ and any fixed parameters $n_B\ge 1$, $n_A\ge 1$ we have

$$\underset{n\to +\infty }{lim}\mathrm{PoA}(n,c)=1.$$

Proof. 

We start by noting that function f is superadditive (c.f. Lemma A1 in Appendix A). By superadditivity of f, the pessimistic payoff to the designer can be trivially bounded by ${\widehat{U}}_{★}^{\mathrm{D}}(n,c)\le f(n)$. We now want to give a lower bound on the quantity ${min}_{\mathit{e}\in \epsilon (n,c)}\mathbf{E}{\widehat{U}}^{\mathrm{D}}(\mathit{e})$. As we show in Appendix B (Lemma A5), ${lim}_{x\to +\infty }\frac{f(x)}{x}=+\infty$. Let $N\ge 1+n_A$ be a natural number such that $\frac{f(x)}{x}>c$ for all $x\ge N-n_A+1$. For any $n\ge (n_B+1)(N+1),$ we define $k=\lfloor \frac{n}{N+1}\rfloor \ge n_B+1$. Observe that, if we denote $x=\lfloor \frac{n}{k}\rfloor -n_A+1$, then we have $x\ge \frac{n}{k}-n_A\ge N-n_A+1$. Hence, if the designer chooses a generalized k-star, then Proposition 3 shows that all genuine core nodes are protected in any equilibrium. In particular, we have ${min}_{\mathit{e}\in \epsilon (n,c)}\mathbf{E}{\widehat{U}}^{\mathrm{D}}(\mathit{e})\ge f(n-n_B⌈\frac{n}{k}⌉-n_A+1)-nc$. Moreover, we can estimate

$$\begin{array}{c}\hfill ⌈\frac{n}{k}⌉\le \frac{n}{k}+1\le \frac{n}{\frac{n}{N+1}-1}+1\le \frac{n}{\frac{n}{N+1}-\frac{n}{2(N+1)}}+1=2N+3.\end{array}$$

(7)

Hence, using Lemma A5, we get

$$\begin{array}{cc}\hfill \underset{n\to +\infty }{lim}\mathrm{PoA}(n,c)& \le \underset{n\to +\infty }{lim}\frac{f(n)}{f(n-n_B(2N+3)-n_A+1)-nc}\hfill \\ & =\underset{n\to +\infty }{lim}\frac{1}{\frac{f(n-n_B(2N+3)-n_A+1)}{f(n)}-\frac{nc}{f(n)}}=1.\hfill \end{array}$$

 ☐

Remark 3.

Notice that the condition of Theorem 1 is verified for $f(x)=x^a$ with $a\ge 2$. Hence, in the case of such functions f, the price of anarchy is 1, so the inefficiencies due to decentralization are fully mitigated by the network design. This is true, in particular, for Metcalfe’s law.

4. Extensions of the Model

In the previous section, we have shown that the topology of generalized k-star mitigates the costs of decentralization in our model. Nevertheless, our approach can be used to show similar results in a number of modified models. For instance, one could consider a probabilistic model, in which $n_B$ byzantine nodes are randomly picked from the set of nodes V (and the distribution of this random variable is known to all players). Then, the designer and nodes optimize their expected utilities, not the pessimistic ones (where the expectation is taken over the possible positions of the byzantine nodes). In this case, we still can give a partial characterization of Nash equilibria on generalized k-stars. More precisely, one can show that, if the assumptions of Proposition 3 are fulfilled and $f(1)<c<\frac{f(x)}{x}$, then all genuine core nodes are protected. This is exactly what we need in the proof of Theorem 1. Therefore, the price of anarchy in the probabilistic model also converges to 1 as the size of the network increases.

5. Conclusions

We studied a model of network defense and design in the presence of an intelligent adversary and byzantine nodes that cooperate with the adversary. We characterized optimal defended networks in the case where defense decisions are centralized, assuming that the number of byzantine nodes and the number of attacked nodes are equal to one. We have also shown (for any number of byzantine and attacked nodes) that, in the case of sufficiently well-behaved functions f (including f in line with Metcalfe’s law), careful network design allows for mitigating the inefficiencies due to decentralized protection decisions arbitrarily well when the number of nodes in the network is sufficiently large, despite the presence of the byzantine nodes. In terms of network design, we showed that a generalized star is a topology that can be used to achieve this goal. This topology creates incentives for protection by two means. Firstly, it is sufficiently redundant, so that the protected nodes are connected to several other protected nodes. This secures adequate network value even if some of these nodes are malicious. Secondly, it gives sufficient exposure to the nodes, encouraging the nodes that would benefit from protection to choose to protect through fear of being infected (either directly or indirectly). These results could be valuable, in particular, to policy-makers and regulators, showing that such regulations can have a strong effect and provide hints for which network structures are better and why.

An interesting avenue for future research is to consider a setup where not only the identities but also the number of byzantine nodes are unknown. How would the optimal networks look if the protection decisions are centralized? Can we still mitigate the inefficiencies caused by decentralization? Another interesting problem is the optimal networks under centralized protection when the number of byzantine nodes or the budget of the adversary are greater than 1. Based on our experiments, we suspect that the topology of these networks is very similar to the case considered here. Nevertheless, a formal result remains elusive.