Contract-Theoretic Resource Allocation for Critical Infrastructure Protection
AbdelRahman Eldosouky, Walid Saad, Charles Kamhoua, and Kevin, Kwiat

TL;DR
This paper introduces a contract-theoretic method for allocating resources to critical infrastructures with unknown vulnerability and importance levels, optimizing security investments despite asymmetric information.
Contribution
It develops a novel mechanism for designing optimal contracts that incentivize infrastructures to reveal their true vulnerability and criticality levels under asymmetric information.
Findings
Maximizes the control center's utility
Ensures infrastructures have no incentive to misrepresent
Provides necessary and sufficient conditions for optimal contracts
Abstract
Critical infrastructure protection (CIP) is envisioned to be one of the most challenging security problems in the coming decade. One key challenge in CIP is the ability to allocate resources, either personnel or cyber, to critical infrastructures with different vulnerability and criticality levels. In this work, a contract-theoretic approach is proposed to solve the problem of resource allocation in critical infrastructure with asymmetric information. A control center (CC) is used to design contracts and offer them to infrastructures' owners. A contract can be seen as an agreement between the CC and infrastructures using which the CC allocates resources and gets rewards in return. Contracts are designed in a way to maximize the CC's benefit and motivate each infrastructure to accept a contract and obtain proper resources for its protection. Infrastructures are defined by both…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsSmart Grid Security and Resilience · Infrastructure Resilience and Vulnerability Analysis · Network Security and Intrusion Detection
Contract-Theoretic Resource Allocation
for Critical Infrastructure Protection
AbdelRahman Eldosouky1, Walid Saad1, Charles Kamhoua2, and Kevin Kwiat2 Approved for Public Release; Distribution Unlimited: 88ABW-2015-1367, dated 24 Mar 2015
This research was supported by the U.S. National Science Foundation under Grant NSF CNS-1446621 as well as by AFOSR via SFFP. 1 Electrical and Computer Engineering Department, Virginia Tech, Blacksburg, VA, USA, Emails:{iv727,walids}@vt.edu
2Air Force Research Laboratory, Information Directorate, Cyber Assurance Branch, Rome, NY, USA,
Emails:{charles.kamhoua.1,kevin.kwiat}@us.af.mil
Abstract
Critical infrastructure protection (CIP) is envisioned to be one of the most challenging security problems in the coming decade. One key challenge in CIP is the ability to allocate resources, either personnel or cyber, to critical infrastructures with different vulnerability and criticality levels. In this work, a contract-theoretic approach is proposed to solve the problem of resource allocation in critical infrastructure with asymmetric information. A control center (CC) is used to design contracts and offer them to infrastructures’ owners. A contract can be seen as an agreement between the CC and infrastructures using which the CC allocates resources and gets rewards in return. Contracts are designed in a way to maximize the CC’s benefit and motivate each infrastructure to accept a contract and obtain proper resources for its protection. Infrastructures are defined by both vulnerability levels and criticality levels which are unknown to the CC. Therefore, each infrastructure can claim that it is the most vulnerable or critical to gain more resources. A novel mechanism is developed to handle such an asymmetric information while providing the optimal contract that motivates each infrastructure to reveal its actual type. The necessary and sufficient conditions for such resource allocation contracts under asymmetric information are derived. Simulation results show that the proposed contract-theoretic approach maximizes the CC’s utility while ensuring that no infrastructure has an incentive to ask for another contract, despite the lack of exact information at the CC.
I Introduction
Critical infrastructure (CI) is a term used to describe cyber and networking systems that are considered essential to the functioning of our modern economies and societies. CIs can cut across a variety of domains and applications. For instance, in the United States, the Department of Homeland Security classifies CIs into sixteen sectors that include energy production, financial services, communications, nuclear reactors, transportation systems, water supply, and financial services [1]. However, in general there is no global classification for CIs and each country determines its own critical categories independently.
Critical infrastructure protection (CIP) has recently attracted significant attention [2, 3, 4, 5], particularly following recent terrorist and malicious attacks that targeted CIs across various countries. One main challenge in CIP is the fact that governmental agencies have only a limited amount of resources, such as personnel or even cyber resources, that can be used for CIP. Under such resource constraints and given the complex nature of CIs, it is imperative to develop practical resource management mechanisms that can optimally allocate such resources, given the criticality levels and vulnerabilities of the various CIs. Such resource deployment strategies are particularly critical for protecting CIs that are based in foreign countries or remote sites. In such scenarios, government agencies who want to protect local and foreign CIs will often own a control center (CC) that is responsible for monitoring these CIs and distributing resources among them. One major challenge for resource deployment here, is the fact that the CIs are often owned by different entities that consider their own CIs to be the most critical. Indeed, every CI owner will report to the CC that its own infrastructure is the most vulnerable and most critical. Determining real levels of vulnerability and criticality of each individual infrastructure is very challenging for the CC. However, intuitively, the CC should design a proper mechanism to allocate resources based on the vulnerability and criticality levels of each CI. For example, highly vulnerable CIs should get higher resources than less vulnerable ones. Similarly, highly critical CIs must be properly prioritized in the CIP process. However, as each CI will attempt to get as much resources as possible by claiming that it is the most vulnerable or critical, the CC may not be able to properly distribute its limited resources.
The problem of CIP has attracted recent attention in the literature such as in [3, 2, 4, 5]. The work in [2] focused on CI control systems by presenting a system to secure their functions and management tasks. Similarly, the authors in [3] dealt with CI control systems by exposing and analyzing the vulnerabilities of these systems. In [4], the authors proposed a risk-aware robotic sensor network and applied it to CIP. The work in [5] studied the vulnerabilities and protection challenges that face CIs and proposed a collaborative game theoretic solution for CIP. Although these works proposed solutions to CIP problem, they did not address resource allocation problem, as studied here.
The problem of resource allocation for CIP has been studied in recent works such as [6] and [7]. The work in [6] studied an optimal resource allocation scenario in which resources were allocated to CIs depending on the likelihood of these CIs to be attacked according to their valuation on possible attackers. The authors in [7] studied the problem of allocating resources where resources were supposed to protect an area and the objective was to maximize the area protected by these resources. Despite their importance, these existing works did not address the problem of asymmetric information in resource allocation which was first studied in [8]. The problem discussed in [8] cannot be generalized to a large-scale CIP system as it addresses an isolated problem and it does not take into account the impact of information availability on resource allocation.
In contrast to these works, here, we propose a contract-theoretic model to allocate resources for CIP under asymmetric information. Contract theory is a powerful framework from microeconomics that provides a useful set of tools for modeling mechanisms under information asymmetry [9]. The key idea is that the CC should offer right contracts to CIs so that they have the incentive to truthfully reveal their information. In our model, the CC is seen as the principal that offers contracts to agents which are the CIs. While contract theory has been studied in the context of wireless networks [10, 11], such works do not apply directly to CIP and their results cannot be generalized for accounting for criticality and vulnerability levels of the CIs.
The main contribution of this paper is to propose a resource allocation mechanism for CIP that can optimally allocate resources between a number of CIs without knowing their exact types. The problem is formulated using a contract-theoretic model in which the CC calculates the amount of resources that will be given to each CI and offer contracts to CIs with these values and the rewards they should reciprocate. In particular, we proposed a novel approach to define a CI by accounting for two different CI types according to the vulnerability and criticality levels. Both types are used in the process of resource allocation and the criticality level is also used to prioritize CIs that will be protected. For the formulated problem, we analyzed the necessary and sufficient conditions for deriving the optimal contracts. We studied the optimal contract and we proved that the problem has an optimal solution for the case of two CIs. The model was also shown to motivate each CI to reveal its actual type and accept the contract designed for its type, therefore allowing resource allocation in the absence of exact information at the CC on the criticality and vulnerability levels of the CIs. Simulation results show that the proposed approach will yield a higher CC utility when compared with a baseline resource allocation algorithm.
The rest of the paper is organized as follows. Section II provides the system model and defines the vulnerability and criticality levels of the CIs. In Section III, the problem is formulated as a contract-theoretic mechanism and several properties are derived and analyzed. Simulation results are discussed in Section IV. Finally, conclusions are drawn in Section V.
II System Model
We consider a system in which one control center (CC), that can represent a government agency is interested in sending missions to secure CIs in a set that can be owned by different entities (e.g., foreign agencies, different department of defense agencies, etc.). The missions are viewed as resources owned by the CC and that must be allotted to different CIs. Such resources can be personnel or cyber resources. Each CI has some vulnerable points that need to be protected. As the number of vulnerable points of a CI increases, the amount of resources needed to protect it will also increase. Infrastructures are classified into groups according to their vulnerability levels. The vulnerability level can be represented by an integer number where there are different levels in the set and ; thus yielding different vulnerability levels. Infrastructures are grouped by an increasing order of vulnerability levels:
[TABLE]
A higher implies that the CI has a higher vulnerability level. The CC does not have exact information on the individual of every CI . Instead, the CC can know with which probability a certain CI can belong to a certain type . Therefore, we let be the probability with which CI belongs to a certain type .
Each CI has also a criticality level that can be represented by a number where there are different levels in the set and . Thus there exists criticality levels to which various CIs can belong. The criticality level is determined by factors such as the service performed by this CI and its relation to other CIs. The CIs are grouped by an increasing order of criticality levels:
[TABLE]
A higher implies that the CI has a higher criticality level and thus it is more critical for the CC to protect it. Similar to the vulnerability levels here, we assume that the CC does not have exact information on the individual of CI . Instead, the CC can only know with which probability a certain CI can belong to type . Therefore, we let be the probability with which CI belongs to a certain type . The criticality level is used mainly to help the CC decide which CIs will be protected in case not enough resources are available for all CIs.
The values of and are selected in a way that makes the resource allocation depends primarily on the vulnerability level. The criticality level affects the resource allocation but without superseding the vulnerability level, i.e., the criticality level will help the CI to get more resources than a less critical infrastructure but not more than a highly vulnerable one. Therefore, the values of when combined with ; should satisfy the following property:
[TABLE]
In this case, can be seen as a sub-type under type in the process of allocation, although they are really independent.
To address the resource allocation problem, we explore the analogy between allocating resources to CIs and forming contractual agreements between firms and employees. We propose to use contract theory – a powerful framework from microeconomics [9, 12], that allows to analyze the process of creating contracts between firms and employees. Here, we note that, although some recent works [10, 11] have looked at contract theory for wireless communication; however, these works do not handle the challenges of CI resource allocation.
We cast the CIP problem as a contractual situation with asymmetric hidden information between a firm, here being the CC, and a number of employees, here being the CIs (or their owners). The asymmetric hidden information property stems from the fact that the CC does not know the exact vulnerability and criticality levels of every CI. To overcome this information asymmetry, the CC must properly specify a contract defined as a pair where is the amount of resources allocated to the CI, which can be viewed as the reward/payment made by the firm to the employee and is the reward that the CC reaps when protecting this CI. We will assume in this model that the reward is an increasing linear function in resources that takes the form where is determined by the vulnerability type such that is higher with higher ’s. This implies that, for a higher vulnerability level, the CI is required to pay a higher reward than a less vulnerable one, if they take the same amount of resources. Actually, this reward function design is very important in order for the contract to be binding. By using this design, the CI that claims that has a higher vulnerability level to get more resources than it needs, will be required to pay a higher reward for the needed resources. The signing of a contract between the CC and a certain CI is thus an agreement by the CC to send certain resources to protect the CI which in return will pay a reward to the CC.
In this system, instead of offering the same contract to all of the CIs and wasting resources, the CC will attempt to offer different contract bundles that are designed in accordance with different types of and for the available CIs. For the CC, when it decides to protect a certain CI of type , its utility function can simply be defined as the difference between reward and resources allocated multiplied by the CI type, i.e.,
[TABLE]
Since there are types of CIs according to type with probability and types according to with probability , the total utility of the CC can be given by:
[TABLE]
From the CI side, the utility function of a certain CI :
[TABLE]
where is a positive unit cost parameter that is less than 1 and is the evaluation function regarding the rewards (how much does this CI value the resources allocated) which is a strictly increasing function of that takes the form where is the numerical value for the evaluation function. Here, we assume that, to reward the CC, the CI has to pay some cost, such as a negotiation or implementation cost. The contract offered by the CC needs to be feasible for the CI, i.e., it needs to be persuading for the CI to accept. To this end, next, we discuss the conditions for the feasibility of a contract in the studied model.
II-A Feasibility of a Contract
To ensure that both CC and CI owners have an incentive to work together for CIP, the contracts represented by the pairs must satisfy two key properties:
Individual Rationality (IR): The contract that an infrastructure selects should guarantee that the utility of this infrastructure is nonnegative, i.e.,
[TABLE] 2. 2.
Incentive Compatibility (IC): Each infrastructure must always prefer the contract designed for its type, over all other contracts, i.e., :
[TABLE]
The IR constraint ensures that, when a CI signs a certain contract, the received reward must compensate the effort that the CI owner has exerted for the CC. The IC constraint allows to overcome the information asymmetry as it allows to satisfy the revelation principle [9]: A certain CI of type will always prefer the contract that the CC designed for its type over all other possible contracts. In other words, a CI receives the maximum utility when selecting the contract designed for its own type and, thus, this CI will have an incentive to reveal its true vulnerability and criticality levels. A contract is therefore said to be feasible if both IR and IC are satisfied. We can state the following lemma from the previous conditions:
Lemma 1**.**
For any feasible contract ; if and only if .
Proof.
We prove this lemma by using the IC constraint. we have:
[TABLE]
By adding the two inequalities, we get:
[TABLE]
∎
Since and this implies that , we obtain . By definition, we know that is an increasing function of , and therefore, since we have .
Lemma 1 simply proves that the CC must provide more resources to the CI with higher number of vulnerability points, i.e., the one that belongs to a higher type. This essentially corroborates mathematically our intuition that more resources must be dedicated to more vulnerable CI. Using this lemma, we can state the following monotonicity property:
[TABLE]
Another lemma that can be derived from the IR and IC constraints pertains to the utility of the CI:
Lemma 2**.**
For any feasible contract , the utility of each infrastructure must satisfy:
[TABLE]
Proof.
This result can be shown as follows. We know that an infrastructure which asks for more resources should provide larger rewards to the CC, i.e., if then and also . Then, if , we have:
[TABLE]
∎
Thus, a CI with a higher vulnerability level will receive more utility than one with a lower vulnerability level. From the IC constraint and the two shown lemmas, we can easily deduce the following. If a higher type CI selects a contract designed for a lower type, the less received resources will jeopardize this CI’s utility. Moreover, if a lower type CI selects a contract intended for a higher type, the gain in terms of resources acquired cannot compensate the cost that this CI must reciprocate to the CC. A CI can thus receive its maximum utility if and only if it selects the contract that can best fit its type.
Finally two more constraints must be imposed. First, the CC should take into account that the summation of all allocated resources should be equal to the maximum resources available at the control center: .
Second, that every CI should get sufficient amount of resources to overcome its vulnerable points. That means every type should be associated with a minimum amount of resources. Therefore, each CI will have a minimum required resources according to its type. This can be expressed as: .
III Optimal Contracts
In this section, we first investigate how the CC can actually find its optimal contracts. In essence, given the hidden information, the only information available at the CC is and . The goal of the CC is to design contracts that allow it to maximize the use of its resources and, thus, to maximize its utility by solving the following optimization problem:
[TABLE]
[TABLE]
The problem contains a large number of constraints. For instance, the IC constraints correspond to equations. To overcome this, next, we develop a way to relax the problem and reduce the number of constraints to get a more simple problem that could be solved. The problem can be relaxed using a technique inspired from the work in [12].
III-A Relaxed Problem
The incentive compatibility must to be relaxed because for every one of the CIs we need to define conditions. Therefore, we will now study the local IC constraints, which are, the downward local IC (DLIC) which corresponds to the relation between CIs and . The other local IC is the upward local IC (ULIC) which corresponds to the relation between CIs and . We can now prove the following:
Theorem 1**.**
With the IR satisfied, the local incentive constraints
[TABLE]
[TABLE]
for all are sufficient for global incentive compatibility.
Proof.
Note (12) is called and (13) is called . We begin by expressing and as follows:
[TABLE]
Then by adding and we get:
[TABLE]
and as we can replace it in the previous equation to yield:
[TABLE]
However, (14) is the IC constraint for CIs and which can be written as . This means that and imply . With the same principle we can show that and imply , etc. Therefore, starting at and proceeding inductively downward until , implies that holds for all . A similar argument in the reverse direction establishes that implies for . ∎
We can also reduce the IR constraints. There are a total of IR constraints must be satisfied. Assume, without loss of generality, that the CI is from type . By using the IC constraints and the IR constraint of the first CI, referred to by , we have:
[TABLE]
Thus, if the first IR constraint of type-1 user is satisfied, all the other IR constraints will automatically hold. Therefore, we only need to keep the first IR constraints and reduce the others.
After reducing the constraints, we have a new problem which is the same as the problem in equation (11) but with the new relaxed constraints in equations (12) and (15) instead of the complete IR and IC constraints.
Note that design parameters such as the reward function , , , and should be adjusted by the CC to ensure that is satisfied.
III-B Solution of the Relaxed Problem
To solve the relaxed problem, we first observe that there are now only inequality constraints and one equality constraint. We can use Lagrangian analysis along with KKT conditions to solve the problem. The Lagrangian of the problem is:
[TABLE]
We need to solve this Lagrangian with KKT conditions to find all values along with values and . The solution of this problem is not straightforward as the complexity increases with the number of CIs. Therefore, we will show the solution for only two CIs, to show that the problem has a feasible solution. For two CIs, the Lagrangian will be:
[TABLE]
The KKT conditions for this Lagrangian are the relaxed problem constraints along with:
[TABLE]
This problem gives only one optimal solution which is and . Actually this solution is only feasible if the following condition is satisfied . This implies that low vulnerability type CI will take its minimum required resources and the rest goes to the higher type CI. This result is not surprising as it is aligned with contract-theoretic results that study the contractual situation between a firm and two agencies (of two different types). [9]. For the case of more than two CIs, the lower type CI will get its lower limit and the rest of resources will be allocated to higher types according to their probabilities in a way to maximize the CC’s utility.
III-C Practical Implementation
Beside designing contracts, the CC needs to communicate with CIs, determine which CIs to protect, and sign contracts with them. We give the actual steps taken by the CC in this regard in Algorithm 1. The CC begins by having the initial information such as the set of vulnerability levels , the probability of that a CI will belong to each of the levels, the set of criticality levels and the probability of that a CI will belong to each of the levels. The CC also knows the minimum amount of resources required to protect a CI in each of the vulnerability levels as well as the total amount of available resources. The CC, hence, declares that it will offer resources to protect some CIs and begins to receive requests from CIs that are willing to be protected and designs optimal contracts for them.
Algorithm 1 shows the importance of the criticality level. When the CC is not able to protect all the CIs, it will discard some CIs depending on their criticality levels as the CC is more interested in protecting higher critical CIs. This is done by removing the least critical infrastructures from the process of designing contracts. However, as the CC only knows the probabilities of criticality levels, it will remove the one that belongs to the lower criticality level with a higher probability. The CC repeats this process until there is enough resources for the rest of CIs. When CIs receive contracts, they will evaluate them and inform the CC whether they are willing to accept a contract, i.e., receive resources and return reward. If not all CIs accept a contract, the CC will reconsider any CIs that were excluded due to lack of resources. After this process is finished, the CC will sign contracts with CIs and allocate resources.
IV Simulation Results and Analysis
Simulations are used to evaluate the designed mechanism. For our simulations, we choose vulnerability levels and criticality levels. The number of available resources is set to . The reward function increases by for each type. The evaluation function was assumed to be two times the resources. The lower bounds associated with types are set to 20, 60, and 100 respectively. First, we check the feasibility of our contract. We assume that all CIs ask for protection and all of them accept contracts offered by the CC. We calculate the CC’s utility in case of using the proposed mechanism and in case of allocating resources equally between CIs.
In Fig. 1, we show the variation in the CC utility as the number of infrastructures increases; the utility is normalized to the case of equal resource allocation. The figure studies two cases: fixing the amount of resources for all CIs and increasing the amount of resources each time a CI is added. When the number of resources is fixed to , in Fig. 1, we can see that, with CIs there is about increase in the CC utility, relative to equal allocation. When more CIs are added, the percentage increase in CC utility is between and . This is due to the fact that, when the number of CIs is small, the CC has more resources than needed and, thus, it will give them to higher types and to get higher rewards for the same resources. In the second case, the amount of resources increases by of the original amount each time we add a new CI. The CC utility in this case keeps increasing as the CC allocates the more available resources to higher types to get higher rewards.
Next, we add a new vulnerability level with associated lower bound of 140 and we increase the number of available resources to 650. We have CIs, they are assumed to be within different types in ascending order, i.e. CI is within and so on. However, the CC still knows their probabilities not their actual types. Fig. 2 shows the utility of CIs in case of using optimal contracts and in case of equal resource allocation. The figure proves the monotonicity property of the proposed contract as higher types CIs get higher utilities. We can also see in Fig. 2 that, in case of optimal contracts, higher types CIs get higher utilities and lower types CIs get lower utilities compared to equal resource allocation. However, these lower utilities is not a problem as these CIs get much more resources than needed for protection.
In Fig. 3, while maintaining the parameters of Fig. 2, we show the utility of the infrastructure as the contract type varies. Here, we measure the utility of each CI if it used the contract designed for its type and contracts designed for other types. In Fig. 3, we can clearly see that it is better for every CI to use the contract designed for its type as this maximizes its utility. Actually, CIs can get more resources from choosing higher types contracts but will be required to pay higher rewards which is reflected in decreasing their utility.
V Conclusions
In this paper, we have studied the problem of resource allocation for protecting CIs. We have formulated the problem using a contract-theoretic model in which a CC offers contracts to a number of CIs and each one selects its best contract. For each CI, we have defined two different types that correspond to the vulnerability and the criticality levels. In the model, the CC does not know these exact levels but only knows with which probability a CI will belong to a certain level. We have provided the necessary and sufficient conditions for such resource allocation contracts under asymmetric information. The problem was then relaxed and solved to show that it has an optimal solution and motivates each CI to accept the contract designed for each type. Simulation results have shown that this model helps the CC to get higher utility than the case of equal resource allocation. In addition, our results show that each CI will not gain from selecting other contracts as its utility will not increase.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] D. of Homeland Security. (2014) Critical infrastructure sectors. [Online]. Available: http://www.dhs.gov/critical-infrastructure-sectors
- 2[2] B. A. Baalbaki, Y. Al-Nashif, S. Hariri, and D. Kelly, “Autonomic critical infrastructure protection (acip) system,” in ACS International Conference on Computer Systems and Applications (AICCSA) , 2013, pp. 1–4.
- 3[3] G. Sandaruwan, P. Ranaweera, and V. Oleshchuk, “Plc security and critical infrastructure protection,” in IEEE International Conference on Industrial and Information Systems (ICIIS) , Peradeniya, Sri Lanka, Dec. 2013, pp. 81–85.
- 4[4] J. Mc Causland, G. D. Nardo, R. Falcon, R. Abielmona, V. Groza, and E. Petriu, “A proactive risk-aware robotic sensor network for critical infrastructure protection,” in IEEE International Conference on Computational Intelligence and Virtual Environments for Measurement Systems and Applications (CIVEMSA) , 2013, pp. 132–137.
- 5[5] L. P. Beltran, M. Merabti, and Q. Shi, “Multiplayer game technology to manage critical infrastructure protection,” in IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications (Trust Com) , 2012, pp. 549–556.
- 6[6] V. M. Bier, N. Haphuriwat, J. Menoyo, R. Zimmerman, and A. M. Culpen, “Optimal resource allocation for defense of targets based on differing measures of attractiveness,” Risk Analysis , vol. 28, no. 3, pp. 763–770.
- 7[7] Y. Huang, Y. Fan, and R. L. Cheu, “Optimal allocation of multiple emergency service resources for protection of critical transportation infrastructure,” Transportation Research Record: Journal of the Transportation Research Board , vol. 2022, no. 1, pp. 1–8, 2007.
- 8[8] M. Harris and R. M. Townsend, “Resource allocation under asymmetric information,” Econometrica: Journal of the Econometric Society , pp. 33–64, 1981.
