Mathematical Problems of Managing the Risks of Complex Systems under Targeted Attacks with Known Structures

This paper deals with the problem of managing the risks of complex systems under targeted attacks. It is usually solved by using Defender–Attacker models or similar ones. However, such models do not consider the influence of the defending system structure on the expected attack outcome. Our goal was to study how the structure of an abstract system affects its integral risk. To achieve this, we considered a situation where the Defender knows the structure of the expected attack and can arrange the elements to achieve a minimum of integral risk. In this paper, we consider a particular case of a simple chain attack structure. We generalized the concept of a local risk function to account for structural effects and found an ordering criterion that ensures the optimal placement of the defending system’s elements inside a given simple chain structure. The obtained result is the first step to formulate the principles of optimally placing system elements within an arbitrarily complex network. Knowledge of these principles, in turn, will allow solving the problems of optimal allocation of resources to minimize the risks of a complex system, considering its structure.


Introduction
One of the most topical problems in studying complex networks is developing mathematical models of various disruptive effects, including targeted attacks on the nodes or edges of a network. Such models assess the risks and the propagation of failures in complex systems of different natures. This approach is widely used in solving the problems of cyber-physical systems [1,2], computing systems [3,4], epidemiology [5,6], as well as other subject areas.
In terms of complex network risk management problems, these percolation models naturally belong to a broader class of Defender-Attacker-Defender (D-A-D) models [24,25]. Such models consider the conflict between two actors. One of them is the Attacker, who exerts a negative impact on the network. The other is the Defender, who tries to resist it. D-A-D models generally assume that the Attacker and the Defender have limited resources to undertake their actions. In this case, the problem is to optimize the resources of both actors. However, the Defender can also act differently, e.g., by intentionally changing the complex network's structure to reduce risks. We can mention cascading failure propagation models [26,27] as an example of such models for non-targeted attacks and their implementation in several interconnected networks. For instance, paper [28] describes the model for two interconnected networks.
Models considering the intentional modification (or establishing) of the network structure by the Defender to counter the targeted attacks seem to exist only for interconnected networks [29–31].
Networks describing real-world systems mostly have a pre-defined and fixed structure. At the same time, there are practical challenges, e.g., building a layered defense or a multilevel defense, where the Defender can choose the structure of the protected system to restrict the malicious acts. The authors could not find any mathematical models describing this case in the literature. Table 1 shows the classification of the above-mentioned mathematical models. The models describing the influence of a complex network structure on its risk are in cell (4).
The purpose of this study is to examine how the Defender could lower the integral risk to a network by choosing (or changing) its structure. We consider a simple case of a chain structure. The Defender can place elements with different local risks into its nodes. We formulated the optimal placement criteria for such structures. The Defender can use the obtained results when solving the problem of optimal resource allocation with classic Defender-Attacker and Defender-Attacker-Defender models of countering the attacks in complex systems, or models of effective security monitoring and risk management of complex networks, which we have considered in prior studies [32,33]. The obtained results are a step towards deriving the optimal placement criteria for arbitrary structures.

Table 1. Classification of the above-mentioned mathematical models.
(1) Random attack percolation models [13,14]; Error tolerance model [7]; "Forest fire" (FF) [8] based models: FF with immune trees [9], Demon model [10], Cellular automata-based model [11,12]
(2) Attacker-Defender, Defender-Attacker, Defender-Attacker-Defender models [24,25]; Targeted attack percolation models [15–18]; Localized attack percolation models [19]; k-core percolation [20–23]; Interdependent networks robustness under targeted attacks [34]
Intentional:
(3) Cascading failure propagation models [26,27]; Regular allocation strategy of bidirectional interconnections [28]
(4) Cascading failure propagation model for networks of networks [29–31]

The structure of the study is as follows. Section 2 describes the general statement of the problem of managing the risks of the complex system under attack with a known structure. We also prove several supplemental statements. Section 3 considers the problem of finding the optimal mapping of the system elements onto a given simple chain attack structure and solving it.

General Problem Statement
We use the general risk model described in [34], adapted to consider the influence of a system structure. Consider a complex system consisting of a finite set of elements (objects, so far of an arbitrary nature): $S = \{s_1, \ldots, s_i, \ldots, s_n\}$, $i \in N = \{1, \ldots, n\}$. We assume that the elements $s_i \in S$, $i \in N$ of the system are autonomous so that they cannot influence each other's states.
Suppose that there are two subjects (also of an arbitrary nature for the time being), which we will call player A (otherwise, the Attacker) and player D (otherwise, the Defender). These two subjects have different intentions towards the state of system S.
We assume that player D has a certain resource quantity $X \ge 0$, which he can arbitrarily distribute among the elements of the system $S$: $x = (x_1, \ldots, x_n)$, $x_i \ge 0$, $i \in N$, $\sum_{i=1}^{n} x_i \le X$. Similarly, we assume that player A also has a certain quantity of resource $Y \ge 0$, which he can arbitrarily distribute among the elements of the system $S$: $y = (y_1, \ldots, y_n)$, $y_i \ge 0$, $i \in N$, $\sum_{i=1}^{n} y_i \le Y$. In the framework of the considered model, we will consider the "resource" as any measurable and arbitrarily divisible asset represented by a non-negative real number. It could be financial, labour, time, production, and other resources/costs depending on the context. We will call the local risk some local characteristic of an element $s_i \in S$, depending on the quantity of resources allocated by players D and A. The local risk characteristic represents possible losses (damage) due to changing the element's state.
In turn, we will call the integral risk some overall characteristic of the entire system S, depending on the quantity of resources allocated by players D and A to all its elements, and associated with possible losses (damage) because of a state change of each element.
If the system's elements are autonomous, the local risk of any element will depend on the quantity of resources allocated to it by players D and A. We define the local risk function for each element as

Considering the described model, we will further assume that the local risk functions $\rho_i(\cdot, \cdot)$, $i \in N$, have the following properties:
1. Risk non-negativity:
2. Risk monotonicity:
3. Risk finiteness:
The risk non-negativity property means that the potential damage associated with a local risk occurrence for any element $s_i \in S$ cannot be negative. We assume that there is always a positive residual risk in the common case, regardless of the measures taken to reduce it. There are only separate, exceptional cases when risk can be lowered to zero.
The risk monotonicity property means that the additional allocation of resources to any element $s_i \in S$ by the Defender should not increase the local risk for any element of system $S$. On the other hand, the additional resource allocation by the Attacker should not decrease the local risk for any element of system $S$.
The risk finiteness property means that the Defender cannot reduce the residual risk for any element $s_i \in S$ to a zero value, and, on the other hand, there is a finite positive marginal risk for any element $s_i \in S$ (regardless of the quantity of resources spent by the Attacker).
Let the structure $W = \langle G(S, E), T \rangle$ be a graph with a set of elements $S$ as its vertices, a set of edges $E$, and a specific subset of vertices $T \subseteq S$, which we will call the perimeter of the system $S$.
We assume that player A attacks the elements of the system along the selected path $c = (v, \ldots, w)$, $v, w \in S$, and transits from some vertex $s_i \in c$ to an adjacent vertex $s_j \in c$ only if his attack on the element $s_i$ was successful. If the element $s_i \in S$ is in state $e_i = 1$, we assume it operates in its normal mode. If $e_i = 0$, then the element $s_i$ is not operational, which means player A has successfully disabled it. Let $x = (x_1, \ldots, x_n)$, $y = (y_1, \ldots, y_n)$ be some valid resource distributions among the vertices (elements) of the system $S$ for players D and A, respectively. Consider the local risk functions for each vertex $s_i \in S$ as follows:

where $u_i(x, y): \mathbb{R}_+^n \times \mathbb{R}_+^n \to \mathbb{R}_+^0$ is a function describing the dependence of the expected damage in the case of a successful attack on the resource distributions $x$ and $y$, and $p_i(x, y): \mathbb{R}_+^n \times \mathbb{R}_+^n \to (0, 1]$ is the probability of a successful attack depending on the distributions $x$ and $y$.
The following tuple defines the basic risk management model for complex systems with the structure and the perimeter:

If the structure $W = \langle G(S, E), T \rangle$ is defined, then:
• The Defender's goal is to allocate the available resource $X$ among the elements of the system $S$ to reduce the value of the integral risk function $\rho(x, y)$ to a minimum.
• On the contrary, the Attacker's goal is to distribute the available resource $Y$ among the system elements $S$ to increase the value of the integral risk function $\rho(x, y)$ to a maximum.
be a function describing the relationship between the probability of a successful attack on the vertex $s_i$ and the quantity of resources $x_i$ and $y_i$ allocated to it by players D and A, respectively, in an isolated case, i.e., without considering the structure V. Then, the value will be called the eigen local risk. For simplicity, we consider a special case when expected damage is independent of $x, y$, i.e., $u_i(x, y) = u_i > 0\ \forall i \in N$.
The following propositions are correct.

Proposition 1.
If the graph $G(S, E)$ is connected, then $\forall i \in N$: $s_i \in S \setminus T$, there is a simple path, including vertices $s_i = s_{i_m}, s_{i_{m-1}}, \ldots, s_{i_1}, s_{i_0}$; $s_{i_1}, \ldots, s_{i_m} \in S \setminus T$, $s_{i_0} \in T$ that where $S_i \subseteq S$ is the set of vertices adjacent to $s_i$.
Proof. The existence of a simple path directly follows from the connectivity of the graph. Let us prove the equality. The partition $S_0, S_1, \ldots$ of the vertex set $S$ is constructed as follows. We include all the vertices of the perimeter $T \subseteq S$ in the set $S_0$. All the vertices $s_i \in S \setminus S_0$ adjacent to the vertices of set $S_0$ are included in the set $S_1$. We continue this until we distribute all the vertices of $S$ over the sets $S_0, S_1, \ldots, S_l$, i.e., $\forall i \in N\ \exists j \in \{0, 1, \ldots, l\}$: $s_i \in S_j$. Note that under $n < \infty$, this process is finite, and $l \le n - 1$. The equality holds if the graph $G(S, E)$ is the chain on $n$ vertices. Let us consider an arbitrary vertex $s_i = s_{i_m} \in S_1$. If there is only one vertex in the set $S_1$, then $\exists s_{i_0} \in S_0$: $p_i(x, y) = p^0_{i_m}(x_{i_m}, y_{i_m}) \cdot \max$ where $S_i \subseteq S$ is the set of vertices adjacent to $s_i$. We provide a proof by contradiction when the set $S_1$ contains more than one vertex. Suppose that $\forall s_{i_0} \in S_0$: $p^0_{i_m}(x_{i_m}, y_{i_m}) \cdot \max_{s_j \in S_i} p_j(x, y) > p^0_{i_m}(x_{i_m}, y_{i_m})\, p^0_{i_0}(x_{i_0}, y_{i_0})$.
Then, $\exists s_{i_{m-1}} \in S_1 \cup S_2$: $p_{i_{m-1}}(x, y) = \max_{s_j \in S_i} p_j(x, y)$. Due to the vertex attack order defined above and the definition of the local risk function $\rho_{i_{m-1}}(x, y)$, the notation of the latter necessarily includes the multipliers $p^0_{i_{m-1}}(x_{i_{m-1}}, y_{i_{m-1}})$ and $p^0_{k_0}(x_{k_0}, y_{k_0})$, where $p^0_{k_0}(x_{k_0}, y_{k_0})$ is the probability of a successful attack of some vertex $s_{k_0} \in S_0$, for which there is a chain $s_{i_{m-1}}, \ldots, s_{k_0}$ of length $m - 1$ connecting $s_{k_0}$ with $s_{i_{m-1}} \in S_1 \cup S_2$.
That is, $\max$ all multipliers not exceeding the value of 1. However, then $p^0_{k_0}(x_{k_0}, y_{k_0})$, since (according to the above assumption) this inequality holds for all $S_0$ vertices, including $s_{i_m}$. Since the values in both sides of the inequality are strictly positive, and all the multipliers in the left side do not exceed 1, our assumption is incorrect. The above-described considerations are valid for any pair of sets $S_k$, $S_{k+1}$ of the $S$ partition.

Proof. First, we prove the boundedness. From the definition of the functions $p_i(x, y)$, $p^0_i(x_i, y_i)$ and Proposition 1, it follows that $\rho_i(x, y) = u_i p_i(x, y) \le u_{\max}$, and equality holds only when $p_i(x, y) = 1$ and $u_i = u_{\max}$. We show that $\exists \rho_x > 0$: $\forall x, y$ $\rho_i(x, y) \ge \rho_x$.
According to Proposition 1, $\rho_i(x, y)$ could be represented as follows:

where $s_{i_0} \in T$, $s_{i_1}, \ldots, s_{i_m} = s_i \in S \setminus T$, $p^0_{i_m}(x_{i_m}, y_{i_m}) = p^0_i(x_i, y_i)$. By definition, $p^0_i(x_i, y_i) \in [p_{\min}, 1]$, $p_{\min} > 0$; hence, the desired $\rho_x = u_{\min}\, p_{\min}^{m+1}$, where $u_{\min} = \min_{i \in N} u_i$. The equality $\rho_i(x, y) = \rho_x$ holds when $u_i = u_{\min}$ and $p^0_{i_0}(x_{i_0}, y_{i_0}) = p^0_{i_1}(x_{i_1}, y_{i_1}) = \ldots = p^0_{i_m}(x_{i_m}, y_{i_m}) = p_{\min}$. Note that the boundedness of $p_i(x, y)$ also implies that it is positively defined.

Proposition 3.
Adding structure $W = \langle G(S, E), T \rangle$ to the system does not increase the risk, i.e., $\forall S = \{s_1, \ldots, s_n\}$ $\forall V \neq \emptyset$, $T \subseteq S$: $\rho_W(x, y) \le \rho(x, y)$, where $\rho_W(x, y) = \sum_{i=1}^{n} \rho_i(x, y)$, and $\rho(x, y) = \sum_{i=1}^{n} \rho^0_i(x, y)$.
Proof. First, we note that the perimeter $T \subseteq S$ must include vertices from each connected component of the graph $G(S, E)$. Indeed, if it does not, then there is a vertex $s_i \in S$ in the graph for which there is no simple path ending with a vertex from the perimeter $T \subseteq S$. Such a vertex is unreachable for the Attacker, which means $p_i(x, y) = 0$, and contradicts the property (3). Consider the case when the set of edges is empty, i.e., $G(S, E) = G(S, \emptyset)$. Then, $T = S$ and, according to the definition of the local risk functions, $\rho_{\langle G(S, \emptyset), S \rangle}(x, y) = \sum_{i=1}^{n} u_i p_i(x, y) = \sum_{i=1}^{n} u_i p^0_i(x_i, y_i)$. Now, we assume that $E \neq \emptyset$. If the perimeter $T$ coincides with the set of all vertices $S$, then $\rho_{\langle G(S, E), S \rangle}(x, y) = \sum_{i=1}^{n} u_i p^0_i(x_i, y_i) = \rho_{\langle G(S, \emptyset), S \rangle}(x, y)$. If $T \subset S$, then, according to Proposition 1, for each vertex $s_j \in S \setminus T$, there is the following local risk function:

where $s_{j_0} \in T$, $s_{j_1}, \ldots, s_{j_m} = s_j \in S \setminus T$, $p^0_{j_m}(x_{j_m}, y_{j_m}) = p^0_j(x_j, y_j)$. Since all the multipliers in the right part of the expression, except the first one, do not exceed 1, then $\rho_j(x, y) \le u_i\, p^0_j(x_j, y_j)$ $\forall j \in N: s_j \in S \setminus T$, and therefore, The proof is complete.

The Problem of the Optimal Placement of System Elements within a Given Structure
Consider a complex system consisting of a finite set of elements $S = \{s_1, \ldots, s_i, \ldots, s_n\}$, $i \in N = \{1, \ldots, n\}$. Let us introduce some unilaterally connected graph $G(V, E)$, where $V$ is a set of $n$ vertices, and a subset of $k \le n$ vertices $T \subseteq V$, which we will consider as a perimeter. The problem is to construct such a mapping $S \to T$ that the integral risk $\rho(x, y)$ is minimal. Note that such mapping will be one-to-one.
Let us consider the solution for the simplest chain structure. In the future, if n and m are equal, we will omit the lower index of the structure's notation, except in cases when we need to emphasize the length of the specified structure.

Definition 1. Given the graph G
For an arbitrary given placement $M^{-1}: S \to V \setminus \{v_{n+1}, \ldots, v_m\}$, we can calculate the value of the integral risk:

where $\rho_{M(v_i)}$ is the local risk value for the element $M(v_i)$.

Now, let us state the problem of minimizing the integral risk. The problem consists in finding a set of placements that achieve the integral risk minimum value $\rho_{\min}$:

Definition 3. Given simple chain structure $W$. Suppose that for any placements $M^{-1}$, $K^{-1}$ and any such indices $p, q, k, l$, $p < q$, $k > l$, that $s_i = M(v_p) = K(v_k)$, $s_j = M(v_q) = K(v_l)$, there is inequality $p(S, W, M^{-1}) \le p(S, W, K^{-1})$ ($p(S, W, M^{-1}) \ge p(S, W, K^{-1})$). Then, we will say that the nodes $s_i, s_j \in S$, $i, j \in N$, $i \neq j$, are non-strictly ordered in the local risk ascending (descending) order and write $s_i$ $s_j$ ($s_i$ $s_j$).
First, let us assume that all elements $S = \{s_1, s_2, \ldots, s_n\}$ of the considered system are equivalent, i.e., $u_1 = u_2 = \ldots = u_n = u_{\max}$, and their probabilities of a successful attack do not depend on the quantity of resources allocated by the players, i.e., $\forall i$, $p^0_i(x_i, y_i) = p^0_i$, $0 < p^0_i \le 1$.
Given a simple chain structure $W_n$, for an arbitrary given placement $M^{-1}: S \to V$, the value of the integral risk should be calculated as follows:

Consider that $n = 2$, $S = \{s_1, s_2\}$, $p^0_1 < p^0_2$, and a simple chain structure $W_2$ is given. Note that the local risk function value for the element corresponding to the vertex $v_2$ will be equal to $\rho_2 = u_{\max} \cdot p^0_1 p^0_2$, regardless of the selected placement. Thus, it is enough to select a node to map to $v_1$. Since $p^0_1 < p^0_2$, $u_{\max}(p^0_1 + p^0_1 p^0_2) < u_{\max}(p^0_2 + p^0_1 p^0_2)$, the element $s_1$ must be mapped to the vertex $v_1$.
Proof. Note that the expressions for the integral risk have the same number of summands, and the first one includes 1 multiplier, the second one has 2 of them, and the n-th has n multipliers. Since all the multipliers are the probabilities of a successful attack, they cannot exceed 1. Note that the summands in the same positions in the expressions should be in ascending order, and under the selected numbering, this ordering sets the lexicographic order.
Choose an arbitrary index value $1 < j \le n$. We then map the $(n + 1)$-th element to vertex $v_j$ and show that the value of the integral risk is greater than if we had mapped the above element to vertex $v_{n+1}$. Let us write the expression of integral risk $\rho_j$ for the case when the $(n + 1)$-th element is mapped to the $j$-th vertex:

$$\rho_j = u_{\max} \cdot \left( p^0_1 + p^0_1 p^0_2 + \ldots + p^0_1 p^0_2 \cdots p^0_{j-1} + p^0_1 \cdots p^0_{j-1} p^0_{n+1} + \ldots + p^0_1 \cdots p^0_{j-1} p^0_{n+1} p^0_j p^0_{j+1} \cdots p^0_n \right) \tag{12}$$

Now, we write the expression of the integral risk $\rho_{n+1}$ for the case when the $(n + 1)$-th element is mapped to the $(n + 1)$-th vertex:

$$\rho_{n+1} = u_{\max} \cdot \left( p^0_1 + p^0_1 p^0_2 + \ldots + p^0_1 p^0_2 \cdots p^0_{j-1} + p^0_1 \cdots p^0_{j-1} p^0_j + \ldots + p^0_1 \cdots p^0_{j-1} p^0_j p^0_{j+1} \cdots p^0_n p^0_{n+1} \right) \tag{13}$$

Both expressions have the same number of summands. Let us compare them in pairs. The first $(j - 1)$ summands in both expressions are the same. Let us write in general form the expressions for the summands with the number $j \le i \le n$ for the first and second cases, respectively:

The number of multipliers in the form of both summands is the same, the multipliers themselves are also the same, except for $p^0_{n+1}$ and $p^0_i$, which are only in (14) and (15), respectively. However, $p^0_i < p^0_{n+1}$, and therefore, each summand in the expression for the integral risk $\rho_{n+1}$ with the number $i \ge j$ will be less than the summand with the same number in the expression for the integral risk $\rho_j$.
Since we chose N arbitrarily, the statement is proved by mathematical induction.
Now, let us assume that the expected damage and the probability of a successful attack could be different for the non-matching elements of the considered system but still do not depend on the quantity of resources distributed by the Defender and the Attacker. Given $n = 2$, $S = \{s_1, s_2\}$ and a simple chain structure $W_2$. The integral risk expressions for two possible placements of system elements at the $W_2$ vertices are shown in Table 2. Subtract the expression of the integral risk in the second line from the expression in the first line and collect like terms. We then obtain: , then $D < 0$, and the optimal placement is in the first line of the , then $D > 0$, and the optimal placement is specified in the second line of the table. Finally, at $u_1$ both placements give the same integral risk value.

Proposition 5 (ordering criterion
Proof. The criterion validity directly follows from the above example.
For the second option, when i < j, the proof is very similar.
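The chain risk sums used in the proofs above can be checked numerically. The following is an added example, not code from the paper: the function names are hypothetical, the sample elements are constructed, and it assumes that the sign of D from the two-element comparison, applied to adjacent elements, also orders chains longer than two, which the exhaustive search confirms on these samples.

```python
from functools import cmp_to_key
from itertools import permutations

# Constructed sample data: each element is (expected damage u, isolated
# probability of a successful attack p0). Not taken from the paper.
EQUAL_DAMAGE = [(10.0, 0.6), (10.0, 0.2), (10.0, 0.9), (10.0, 0.4)]
MIXED_DAMAGE = [(100.0, 0.1), (5.0, 0.8), (40.0, 0.5), (20.0, 0.3)]


def chain_risk(order):
    """Integral risk of a simple chain; order[0] occupies perimeter vertex v_1.

    The attacker reaches vertex v_i only after succeeding at v_1..v_{i-1},
    so the local risk at v_i is u_i times the product of p0 along the prefix.
    """
    total, reach = 0.0, 1.0
    for damage, p0 in order:
        reach *= p0              # probability the attack gets through v_i
        total += damage * reach  # local risk contributed by v_i
    return total


def brute_force_min(elements):
    """Exhaustive search over all n! placements (reference answer)."""
    return list(min(permutations(elements), key=chain_risk))


def pair_difference(a, b):
    """D for a two-vertex chain: risk(a at v_1) minus risk(b at v_1)."""
    return chain_risk([a, b]) - chain_risk([b, a])


def order_by_pairwise_exchange(elements):
    """Sort so every adjacent pair has D <= 0 (assumed to extend to n > 2)."""
    def compare(a, b):
        d = pair_difference(a, b)
        return (d > 0) - (d < 0)
    return sorted(elements, key=cmp_to_key(compare))


if __name__ == "__main__":
    for name, sample in (("equal", EQUAL_DAMAGE), ("mixed", MIXED_DAMAGE)):
        best = brute_force_min(sample)
        by_p0 = sorted(sample, key=lambda e: e[1])
        by_d = order_by_pairwise_exchange(sample)
        print(name, "brute force: ", best, round(chain_risk(best), 4))
        print(name, "ascending p0:", by_p0, round(chain_risk(by_p0), 4))
        print(name, "pairwise D:  ", by_d, round(chain_risk(by_d), 4))
```

On the constructed mixed-damage sample, ordering by p0 alone gives an integral risk of 11.26, while the pairwise-D order gives 9.6 and matches the exhaustive search.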

Conclusions
This paper considers the problem of optimal placement of elements of the protected system within a given structure of the expected attack. We generalized the concept of a local risk function to account for structural effects and solved the problem for a simple chain attack structure.
The key feature of this approach is that the local risks of the system elements are functionally independent. In other words, when considering each element of the protected system in isolation, its local risk does not depend on the quantity of resources allocated to its elements by the Defender and Attacker. Simultaneously, the integral risk of the system varies with the mapping of its elements to the attack structure.
In real-world tasks, the Defender can rarely choose the placement of elements in the structure. Nevertheless, the Defender can apply the proposed approach to take into account the information about the structure of a possible attack when solving the problem of allocating resources within the classic Defender-Attacker and Defender-Attacker-Defender models.
We plan to further expand the proposed approach in order to examine more complex structures, such as trees or cycles.