A risk-security tradeoff in graphical coordination games
Keith Paarporn, Mahnoosh Alizadeh, Jason R. Marden

TL;DR
This paper investigates the inherent trade-offs in protecting networked systems against different types of adversarial attacks within graphical coordination games, emphasizing the benefits of randomized decision strategies.
Contribution
It introduces a framework analyzing the security-vulnerability trade-off in graphical coordination games and demonstrates how randomization enhances system resilience against attacks.
Findings
Randomized decision-making reduces security-vulnerability trade-offs.
Operators face fundamental limits in balancing security and vulnerability.
Distributed algorithms can mitigate adversarial impacts effectively.
Abstract
A system relying on the collective behavior of decision-makers can be vulnerable to a variety of adversarial attacks. How well can a system operator protect performance in the face of these risks? We frame this question in the context of graphical coordination games, where the agents in a network choose among two conventions and derive benefits from coordinating neighbors, and system performance is measured in terms of the agents' welfare. In this paper, we assess an operator's ability to mitigate two types of adversarial attacks - 1) broad attacks, where the adversary incentivizes all agents in the network and 2) focused attacks, where the adversary can force a selected subset of the agents to commit to a prescribed convention. As a mitigation strategy, the system operator can implement a class of distributed algorithms that govern the agents' decision-making process. Our main…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
A risk-security tradeoff in graphical coordination games
Keith Paarporn, Mahnoosh Alizadeh, and Jason R. Marden K. Paarporn ([email protected]), M. Alizadeh ([email protected]), and J. R. Marden ([email protected]) are with the Department of Electrical and Computer Engineering at the University of California, Santa Barbara, CA. A preliminary version of this paper has been submitted for conference publication (CDC 2019) and can be found at https://ece.ucsb.edu/j̃rmarden/files/MardenC9.pdf. The analysis of randomized operator strategies extends the previous results. Complete proofs are also provided here. This work is supported by UCOP Grant LFR-18-548175, ONR grant #N00014-17-1-2060, and NSF grant #ECCS-1638214.
Abstract
A system relying on the collective behavior of decision-makers can be vulnerable to a variety of adversarial attacks. How well can a system operator protect performance in the face of these risks? We frame this question in the context of graphical coordination games, where the agents in a network choose among two conventions and derive benefits from coordinating neighbors, and system performance is measured in terms of the agents’ welfare. In this paper, we assess an operator’s ability to mitigate two types of adversarial attacks - 1) broad attacks, where the adversary incentivizes all agents in the network and 2) focused attacks, where the adversary can force a selected subset of the agents to commit to a prescribed convention. As a mitigation strategy, the system operator can implement a class of distributed algorithms that govern the agents’ decision-making process. Our main contribution characterizes the operator’s fundamental trade-off between security against worst-case broad attacks and vulnerability from focused attacks. We show that this tradeoff significantly improves when the operator selects a decision-making process at random. Our work highlights the design challenges a system operator faces in maintaining resilience of networked distributed systems.
I Introduction
Networked distributed systems typically operate without centralized planning or control, and instead rely on local interactions and communication between the comprising agents. These systems arise in a variety of engineering applications such as teams of mobile robots and sensor networks [1, 2, 3]. They are also prevalent in social dynamics [4, 5] and biological populations [6].
The transition from a centralized to a distributed architecture may leave a system vulnerable to a variety of adversarial attacks. An adversary may be able to manipulate the decision-making processes of the agents. Such dynamical perturbations can potentially lead to unwanted outcomes. For example in social networks, individual opinions can be shaped from external information sources, resulting in a polarized society [7, 8]. When feasible, a system operator takes measures to mitigate adversarial influences. The literature on cyber-physical system security studies many aspects of this interplay. For instance, optimal controllers are designed to mitigate denial-of-service, estimation, and deception attacks [9, 10, 11, 12, 13].
This paper investigates security measures that a system operator can take against adversarial influences when the underlying system is a graphical coordination game [5, 14], where agents in a network decide between two choices, or . One may think of these choices as two competing products, e.g. iPhone vs Android, two conflicting social norms, or two opposing political parties. Each agent derives a positive benefit from interactions with coordinating neighbors, and zero benefits from mis-coordinating ones. The system’s efficiency is defined by the ratio of total benefits of all agents to the maximal attainable benefits over all configurations of choices.
The goal of the system operator is to design a local decision-making rule for each agent in the system so that the emergent collective behavior optimizes system efficiency. One algorithm that achieves this goal is known as log-linear learning [15, 16, 17]. More formally, the agents follow a “perturbed” best reply dynamics where the agents’ local objectives are precisely equal to their local welfare. We seek to address the question of whether this particular algorithm is robust to adversarial influences. That is, does this algorithm preserve system efficiency when the agents’ decision-making processes are manipulated by an adversary? If not, can the operator alter the agents’ local objectives to mitigate such attacks?
We consider two adversarial attack models - broad and focused attacks. In broad attacks, the adversary incentivizes every agent in the network (hence broad) with a convention, influencing their decision-making process. This could depict distributing political ads with the intention of polarizing voters. In focused attacks, the adversary targets a specific set of agents in the network, forcing them to commit to or . These targeted, or fixed agents consequently do not update their choices over time but still influence the decisions of others. For instance, they could portray loyal consumers of a brand or product, or staunch supporters of a political party. Fixed agents and their effects on system performance have been extensively studied in the context of opinion dynamics and optimization algorithms [18, 19, 13].
The first contribution of this paper is a characterization of worst-case risk metrics from both adversarial attacks as a function of the operator’s algorithm design parameter (Section III). We define risk in this paper as the system’s distance to optimal efficiency. By worst-case here we mean the maximum risk among all connected network topologies subject to any admissible adversarial attack. Hence, our analysis identifies the network topologies on which worst-case risks are attained (Section V). We extend this analysis to randomized operator strategies (Sections IV, VI).
The second contribution of this paper answers the question “if the operator succeeds in protecting the system from one type of attack, how vulnerable does it leave the system to the other?” We identify a fundamental tradeoff between security against broad attacks and risks from focused attacks. We then show randomized operator strategies significantly improves the set of attainable risk levels and their associated tradeoffs (Section IV).
By characterizing this interplay, we contribute to previous work that studied the impact of adversarial influence in graphical coordination games [20, 21, 22]. These works analyze worst-case damages that can be inflicted by varying degrees of adversarial sophistication and intelligence in the absence of a system operator. However, these results were derived only in specific graph structures, namely ring graphs, whereas our analysis considers adversarial influence in any graph topology.
II Preliminaries
II-A Graphical coordination games
A graphical coordination game is played between a set of agents over a connected undirected network with node set and edge set . Agent ’s set of neighbors is written as . Each agent selects a choice from its action set . The choices of all the agents constitutes an action profile , and we denote the set of all action profiles as . The local interaction between two agents is based on a matrix game, described by the payoff matrix ,
[TABLE]
where is the system payoff gain. It indicates that is an inherently superior product over when users coordinate. Here, agents would rather coordinate than not, but prefer to coordinate on . Agent ’s benefit is the sum of payoffs derived from playing the game (1) with each of its network neighbors:
[TABLE]
A measure of system welfare defined over is
[TABLE]
which is simply the sum of all agent benefits. The system efficiency for action profile is defined as
[TABLE]
For , the all- profile maximizes welfare. This does not necessarily hold for arbitrary action spaces.
II-B Log-linear learning algorithm
Log-linear learning is a distributed stochastic algorithm governing how players’ decisions evolve over time [16, 14, 15]. It may be applied to any instance of a game with each player having a well-defined local utility function over a set of action profiles with an underlying interaction graph . That is, agent ’s local utility is a function of its action and actions of its neighbors in .
Agents update their decisions over discrete time steps . Assume is arbitrarily determined. For step , one agent is selected uniformly at random from the population. It updates its action to with probability
[TABLE]
where is the rationality parameter. All other agents repeat their previous actions: . For large values of , selects a best-response to the previous actions of others with high probability, and for values of near zero, randomizes among its actions uniformly at random. This induces an irreducible Markov chain over the action space , with a unique stationary distribution . The stochastically stable states (SSS) are the action profiles contained in the support of the stationary distribution in the high rationality limit: they satisfy . Such a limiting distribution exists and is unique [23, 15, 24]. We write the set of stochastically stable states as
[TABLE]
For graphical coordination games, the log-linear learning algorithm specified by the action set and utilities selects the welfare-maximizing profile as the stochastically stable state irrespective of the graph topology . This can be shown using standard potential game arguments [16] (we provide these details in Section V). That is, for all , where is the set of all connected undirected graphs on nodes.
However, if an adversary is able to manipulate the agents’ local decision-making rules, this statement may no longer hold true. A system operator may be able to alter the agents’ local utility functions with the goal of mitigating the loss of system efficiency in the presence of adversarial influences. In particular, we consider the class of local utility functions parameterized by . Specifically, takes the same form as the benefit function (2) where is replaced with a perceived gain that is under the operator’s control. We next introduce models of adversarial attacks in graphical coordination games. We then evaluate the performance of this class of distributed algorithms in the face of adversarial attacks.
III Models of adversarial influence
In this section, we outline two models of adversarial attacks in graphical coordination games - broad and focused attacks. The system operator specifies the local utility functions that govern the log-linear learning algorithm by selecting the perceived payoff gain . Our goal is to assess the performance of this range of algorithms on two corresponding worst-case risk metrics, which we define and characterize. We then identify fundamental tradeoff relations between these two risk metrics.
III-A Broad attacks and worst-case risk metric
We consider a scenario where the system is subject to broad adversarial attacks. For each agent in the network, the adversary attaches a single imposter node that acts as a neighbor that always plays or . These nodes are not members of the network but affect the decision making of agents that are. Let () be the set of agents targeted with an imposter () node. We call the target set . Any target set satisfies and . We call the set of all possible target sets on the graph . Given , the agents’ perceived utilities are
[TABLE]
In the notation of (6), the set of stochastically stable states is written . However for more specificity, we will refer to it in this context as . The induced network efficiency is defined as
[TABLE]
which is the ratio of the welfare induced by the welfare-minimizing SSS to the optimal welfare. The second equality above is due to the fact that optimal welfare is attained at (all play ). We re-iterate that the imposter nodes serve only to modify the stochastically stable states, and do not contribute to the system welfare (3). The risk from broad attacks faced by the system operator in choosing gain is defined as
[TABLE]
Risk measures the distance from optimal efficiency under operating gain . Fig. 1(a) illustrates an example of a three-node network subject to a broad adversarial attack. The extent to which systems are susceptible to broad attacks is captured by the following definition of worst-case risk.
Definition 1**.**
The worst-case risk to broad attacks is given by
[TABLE]
The quantity is the cost metric that the system operator wishes to reduce given uncertainty of the network structure and target set.
Theorem 1**.**
Let . The worst-case broad risk is
[TABLE]
where
[TABLE]
It is a piecewise constant function on half-open intervals that is monotonically decreasing in . An illustration is given in Figure 2(a), along with the graphs and target sets that achieve the worst-case risks. For sufficiently high gains , the system is safeguarded from any broad adversarial attack, i.e. the worst-case risk is zero. By inflating the value of the -convention, the adversary is unable to induce any mis-coordinating links or agents to play . The technical results needed for the proof are given in Section V.
III-B Focused attacks and worst-case risk metric
An adversary is able to choose a strict subset of agents and force them to commit to prescribed choices. This causes them to act as fixed agents, or agents that do not update their choices over time. One could consider this as allowing the adversary an unlimited number of imposter nodes (instead of one) at its dispatch to attach to each agent in the subset, thereby solidifying their choices. This focused influence on a single agent is stronger than the influence a broad attack has on a single agent in the sense that the latter type does not require the agent to commit to a choice - it merely incentivizes the agent towards one particular choice.
Let be the set of fixed () agents. We call the fixed set , which satisfies and . We call the set of all feasible fixed sets on a graph . A fixed set restricts the action space to , where () () and . We assume the adversary selects at least one fixed agent. The strict subset assumption avoids pathological cases (e.g. alternating and fixed nodes for an entire line network yields an efficiency of zero).
The set of stochastically stable states given a fixed set is written as . However for brevity, we will refer to it as . The induced efficiency is
[TABLE]
which is the ratio of the welfare induced by the worst-case stable state to the optimal welfare given the fixed set . The risk faced by the system operator in choosing is defined as
[TABLE]
Again, risk measures the distance from optimal efficiency when choosing . The fixed nodes here differ from the imposter nodes in that they contribute to the true measured welfare (3) in addition to modifying the SSS by restricting the action set and influencing the decisions of their non-fixed neighbors. Figure 1(b) provides an illustrative example of a network with three fixed agents and one unfixed agent. The extent to which the system is susceptible to focused attacks is defined by the following worst-case risk metric.
Definition 2**.**
The worst-case risk from focused attacks is given by
[TABLE]
The quantity is the cost metric that a system operator wishes to reduce given uncertainty on the graph structure and composition of fixed agents in the network.
Theorem 2**.**
The worst-case risk from focused attacks is
[TABLE]
The technical results needed for the proof are given in Section V. An illustration of this quantity as well as the graphs that induce worst-case risk are portrayed in Figure 2(b). We observe the choice recovers optimal efficiency for any and . In other words, by operating at the system gain , the system operator safeguards efficiency from any focused attack. Furthermore, monotonically increases for , approaching 1 in the limit . Intuitively, the risk in this regime comes from inflating the benefit of the convention, which can be harmful to system efficiency when there are predominantly fixed nodes in the network. For , monotonically decreases. The risk here stems from de-valuing the convention, which hurts efficiency when coordinating with fixed nodes is more valuable than coordinating with fixed nodes.
III-C Fundamental tradeoffs between risk and security
We describe the operator’s tradeoffs between the two worst-case risk metrics. That is, given a level of security is ensured on one worst-case risk, what is the minimum achievable risk level of the other? These relations are direct consequences of Theorems 1 and 2.
Remark 1**.**
Before presenting the tradeoff relations, we first observe that since is decreasing on and is decreasing in , the operator should not select any gain , as it worsens both risk levels. Hence for the rest of this paper, we only consider gains greater than .
Corollary 1**.**
Fix . Suppose for some . Then
[TABLE]
Proof.
From (16), implies . Since is a decreasing function in , we obtain the result. ∎
In words, as the security from worst-case focused attacks improves ( lowered), the risk from worst-case broad attacks increases. A tradeoff relation also holds in the opposite direction.
Corollary 2**.**
Fix . Suppose for some . Suppose for some . Then
[TABLE]
If ,
[TABLE]
If , then for any .
Proof.
All bounds are computed by finding s.t. . The relations and follow from the fact that is increasing in , and depending on whether can attain the resulting value. ∎
Here, as the security from worst-case broad attacks improves ( lowered), the risk from worst-case focused attacks increases. Each of the broad risk levels can be attained for a range of focused risks. An illustration of the attainable worst-case risk levels is given in Fig. 3 (blue).
IV Randomized operator strategies
In this section, we consider the scenario where the operator randomizes over multiple gains. We present a definition and a characterization of worst-case expected risks. We then identify the risk-security tradeoffs available in the randomized gain setting. We observe they significantly improve upon the deterministic gain setting (Fig. 3). We then identify ways to further improve these tradeoffs through different randomizations.
IV-A Worst-case expected risks
Suppose the operator selects a gain from the distinct values satisfying with the probability distribution . Here we denote as the set of all -dimensional probability vectors. In other words, the operator employs the payoff gain with probability .
We consider the following natural definitions of expected risks. Given a graph and target set , let be the expected adversarial risk of the operator’s strategy . The worst-case expected risk from broad attacks is defined as
[TABLE]
Similarly, given a fixed set , let be the expected risk from focused attacks. The worst-case expected risk from focused attacks is defined as
[TABLE]
Theorem 3**.**
Suppose the operator randomizes with gains according to . Then the worst-case expected broad risk is
[TABLE]
The worst-case expected focused risk is
[TABLE]
The proofs are given in Section VI. The characterization of worst-case expected risk is a discounted weighting of a deterministic worst-case risk level. This suggests that the risk levels achievable by randomization can improve upon the risks induced from a deterministic gain.
IV-B Risk tradeoffs under randomized operator strategies
Given a level of security is ensured on one expected worst-case metric, what is the the minimum achievable risk level on the other? We find this can be calculated through a linear program. We formalize these tradeoffs in the following two statements, which are analogous to Corollaries 1 and 2.
Corollary 3**.**
Fix and a set of gains . Suppose for some . Then
[TABLE]
where is the value of the following linear program.
[TABLE]
where denotes elementwise , and are column -vectors of zeros and ones respectively, and is the matrix
[TABLE]
Moreover, is decreasing in .
Proof.
We need to show equivalence between the linear program (25) and the optimization problem
[TABLE]
Let be the matrix defined by the upper left block of (26) and by the bottom left block. From Theorem 3, we can express as the maximum element of the -vector , and similarly as the maximum element of . Hence, is the linear constraint for all . The objective itself can be cast as a linear objective with linear constraints, i.e. . Combining these two, we obtain (25). The claim is decreasing in follows as a consequence of the linear program (25). ∎
We note that a worst-case expected focused risk is not attainable because is the smallest gain it mixes with. Hence, the linear program (25) is infeasible for . The following tradeoff relation holds in the opposite direction.
Corollary 4**.**
Fix and a set of gains . Suppose for some . Then
[TABLE]
where is the value of the following linear program.
[TABLE]
where and are defined as the bottom and top left blocks of (26), respectively. Furthermore, is decreasing in .
We omit the proof as it is similar to that of Corollary 3. Note a worst-case expected broad risk is not attainable since is the highest gain it mixes with - (29) is infeasible for . Fig. 3 plots the best achievable risk levels of three randomized operator strategies (red, green, and black).
IV-C Improvement of risk tradeoffs
The tradeoff relations describe the best achievable level on one risk metric given the other is subject to a security constraint when the gains are fixed. One way to improve the achievable risks is to decrease the available gains.
Claim 1**.**
Let . Suppose (recall (12)), for some non-decreasing subsequence . Let satisfy with . Then for all , . Similarly, for all , .
Randomizing over additional gains can also improve the achievable risks.
Claim 2**.**
Suppose and with , and assume contains the elements of . Then the assertion of Claim 1 holds.
The proofs of the above two Claims follow directly from the formulation of the LPs (25), (29), and hence we omit them.
Fig. 3 depicts the best achievable risk levels of three randomized operator strategies of increasing improvement due to Claims 1 and 2 (red, green, and black curves). In particular, these plots constitute the Pareto frontier of all attainable expected risks among distributions given a fixed set of gains. That is, for any , we say a risk level belongs to the frontier Par() if there does not exist a such that . Within Par(), the operator can only improve upon one worst-case risk metric by sacrificing performance on the other.
From Corollary 4, the frontier given gains is the set of points
[TABLE]
The parameter is upper bounded here by since any risk level with is unattainable under . Hence, the values and are equivalent for . The frontiers in Fig. 3 are generated by numerically solving the linear program (29) for a finite grid of points .
As we have seen, the transition from deterministic to randomized gains ensures a reduction of risk levels. Randomizing over only a few different gains substantially improves upon the attainable deterministic worst-case risks. However, a detailed quantification of such improvements remains a challenge due to the high dimensionality of the model. In particular, we have yet identified a “limit” frontier that could be obtained by repeated modifications to the gain vector detailed by Claims 1 and 2.
V Proof of Theorems 1 and 2: Deterministic worst-case risks
In this section, we develop the technical results that characterize the worst-case risk metrics and (Theorems 1 and 2). Before presenting the proofs, we first present some preliminaries on potential games [25], which are essential to calculating stochastically stable states. We then define relevant notations for the forthcoming analysis.
V-A Potential games
Graphical coordination games fall under the class of potential games - games where individual utilities are aligned with a global objective, or potential function. A game is a potential game if there exists a potential function which satisfies
[TABLE]
for all , , and [25]. In potential games, the set of stochastically stable states (6) are precisely the action profiles that maximize the potential function [15, 16]. Specifically, . Our analysis relies on characterizing a potential function for the graphical coordination game in the presence of adversarial influences. This allows us to compute stochastically stable states in a straightforward manner.
V-B Relevant notations for analysis
Any action profile on a graph decomposes into and -partitions. A node that belongs to a -partition (-partition) has (). The partitions are enumerated and , are mutually disjoint, and cover the graph. Each partition is a connected subgraph of . It is possible that with (when ), with (when ), or .
For any subset of nodes , let us denote
[TABLE]
as the set of edges between and . We write as the complement of . We extensively use the notation
[TABLE]
as the welfare due to edge set in action profile , where is of the form (1) with replaced by . For compactness, we will denote as for the local system welfare generated by the edges . Our analysis will also rely on the following mediant inequality.
Fact 1**.**
Suppose and for each . Then
[TABLE]
We refer to the LHS above as the mediant sum of the .
V-C Characterization of : worst-case broad risk
To prove Theorem 1, we seek a pair with of any size and , that minimizes efficiency (maximizes risk ). Our method to find the minimizer is to show any can be transformed into a star network with a particular target set that has lower efficiency, when . Thus, in this regime the search for the worst-case graph reduces to the class of star networks of arbitrary size. For , structural properties allow us to deduce the minimal efficiency.
The graphical coordination game defined by , perceived utilities (7), target set , and graph falls under the class of potential games [25]. A potential function is given by
[TABLE]
where
[TABLE]
Hence, the stochastically stable states are maximizers of (35). Suppose is the welfare-minimizing SSS inducing the partitions , . We can express its efficiency from (8) as
[TABLE]
Note the denominator is simply the number of edges in multiplied by . From (35), each -partition in satisfies111Since we are seeking worst-case pairs , we may consider any -partition as only having imposters placed among its nodes. This is because any imposters that were placed in a resulting -partition can be replaced by -imposters and retain stability. We reflect this generalization in (V-C) and (V-C), where influence from only () imposters is considered.
[TABLE]
In words, no subset of agents in can deviate from to improve the collective perceived welfare of . A similar stability condition holds for each -partition .
[TABLE]
The following result characterizes the threshold on above which any network is safeguarded from any imposter attack.
Lemma 1**.**
Let . Then if and only if
[TABLE]
Proof.
Let . Suppose there is a pair with . Then there must exist a -partition . From (V-C),
[TABLE]
Since is connected, and there is at least one outgoing link from , i.e. . Consequently, , from which we obtain
[TABLE]
which is impossible.
Assume . Then no -partition can exist for any graph. In particular, (V-C) is violated for .
[TABLE]
Since , we obtain . ∎
We also deduce the following minimal efficiencies for any graph when .
Lemma 2**.**
Suppose . Then if and only if
[TABLE]
Proof.
The () direction follows the same argument as Lemma 1.
() The assumption implies the only -partition that is stabilizable is . Then for any , (V-C) is violated, i.e.
[TABLE]
Since is connected and there is at least one outgoing edge from , we obtain
[TABLE]
The above holds for any graph and subset of nodes . From the facts that and , we have for any . Consequently, and Lemma 1 establishes that . ∎
The class of star graphs is central to the worst-case analysis in the interval .
Definition 3**.**
Let be the set of all where is the star graph with nodes, contains the center node, and .
An immediate consequence of this definition is the leaf nodes satisfy (V-C). The efficiency is then proportional to the fraction of leaf nodes that are stable to , if any. Furthermore, the stability condition (V-C) of for members of simplifies to
[TABLE]
In other words, stability of the target set as a -partition hinges on (V-C) being satisfied for the selection . The following result reduces the search space for efficiency minimizers to when .
Lemma 3**.**
Suppose and . Consider any with , . Then there is a such that for some .
The idea of the proof is to construct a member of by re-casting the and -partitions of as star subgraphs while preserving the same number and type of edges, thus preserving efficiency. Further efficiency reduction can be achieved by converting excess links into links in this star configuration. We provide the proof detailing the constructive procedure in the Appendix. We now characterize the minimal efficiency for the star graph of size , for .
Lemma 4**.**
Suppose and fix . Then
[TABLE]
Proof.
The goal is to find the smallest -partition of the star that is still stabilizable under a gain . This is written
[TABLE]
The smallest integer that satisfies the constraints is for .
∎
Proof of Theorem 1.
For , by Lemma 3, the worst-case efficiency is
[TABLE]
Using the formula of Lemma 4, we obtain the first entry in (11). Lemma 2 asserts the minimal efficiency is for because the upper bound is maximized at (for ). This gives the second entry in (11). Lastly, Lemma 1 asserts the minimal efficiency is 1 for . ∎
V-D Characterization of : worst-case focused risk
Our approach for the proof of Theorem 2 differs from that of . Instead of reducing the search of worst-case graphs, we simply provide an upper bound on for any and fixed set , and show one can construct a graph with fixed nodes that achieves it. .
We observe serves as a potential function (recall (36)) for the game with restricted action set and utilities . Hence, the stochastically stable states are maximizers of . Suppose decomposes the graph into the and -partitions , . We express its efficiency (13) as
[TABLE]
where is the welfare-maximizing action profile. Similar to (V-C), each -partition formed from satisfies the stability condition
[TABLE]
To reduce cumbersome notation, it is understood the max is taken over actions of unfixed nodes, . Likewise, each -partition satisfies
[TABLE]
The following lemma asserts that agents playing in the SSS under the gain remain playing under a lower gain . The result is crucial for establishing a lower bound on efficiency for any graph with arbitrary fixed set .
Lemma 5**.**
Suppose . Denote as the welfare-minimizing SSS under . Then for any -partition induced from , for all .
Proof.
Condition (CYE) asserts for all that
[TABLE]
It also holds for all and for any that
[TABLE]
because any -links garnered in the RHS above by changing to also contribute to the LHS. In particular, the above holds for . Lowering the gain to preserves the above inequality as well, as it de-values -links garnered on the RHS. ∎
A dual statement holds - agents playing in the SSS under remain so under a higher gain .
Lemma 6**.**
Suppose . Then for any -partition induced from , for all .
We omit the proof for brevity, as it is analogous to the proof of Lemma 5. We are now ready to prove Theorem 2.
Proof of Theorem 2.
Consider any graph with fixed set . Recall that efficiency is one for . Thus, we first consider . Observe that
[TABLE]
where the inequality is due to (CYE). The equality results from Lemma 6 - the agents () that neighbor any member of remain playing in . We then obtain
[TABLE]
The inequality results since the expressions of the numerator and denominator garner the same edges for welfare. It occurs with equality if and only if . Applying the mediant inequality (34) to (49), . The case when follows analogous arguments. From Lemma 5, . For -partitions,
[TABLE]
where the first inequality is from (CXE) and the second occurs with equality if . From (34) and (49), . ∎
We have just shown fundamental lower bounds on efficiency for any graph with fixed agents. The bounds are tight as they can be achieved for any gain by arranging fixed and fixed leaf nodes that influence a single unfixed agent in the center of a star graph. If , choosing gives the minimal efficiency . If , choosing gives the minimal efficiency . Note that if is rational, one could choose finite integers that achieve such ratios. Recall Figure 2(b) for illustrative examples. However if it is irrational, they must be taken arbitrarily large to better approximate the ratio.
VI Proof of Theorem 3: worst-case risks under randomized operator designs
Recall a randomized strategy consists of gains with distribution . The gains are ordered . To prove Theorem 3, we outline a few technical Lemmas. The key insight is the expected efficiency of any graph can be expressed in the form , where the coefficient is a mediant sum over local efficiencies of partitions in when gain is used. The following two mathematical facts are the basis of this insight.
Fact 2**.**
Let with and for all . Then for all ,
[TABLE]
where .
We provide a proof in the Appendix. The following dual result follows directly.
Fact 3**.**
For all ,
[TABLE]
where .
Proof.
The proof follows similarly to Fact 2, where the indices of the coefficients are reversed. ∎
We will show for any that can be expressed in the form from the LHS of (55). The lower bounds establish worst-case expected efficiencies - and hence risks. The correspond to the worst-case deterministic efficiencies of the gains and to local efficiencies of selected partitions in the graph. Fact 2 will be used to establish (22), and Fact 3 for (23) (Theorem 3). We now identify a structural property required of worst-case graphs.
Lemma 7**.**
A worst-case graph, i.e. a member of , has no active -links in .
Proof.
Any active -links in remain so for all . The efficiency corresponding to each gain can be reduced in the following manner. Delete all such -links and associated agents. For each mis-coordinating link between an and agent that existed, replace with a single link to a newly created isolated agent with an -imposter attached. This preserves the stochastically stable states of all other nodes while reducing efficiency in each gain. ∎
Intuitively, a graph that has coordinating nodes in each gain can be modified by removing these links, resulting in a lower efficiency. We are now ready to prove (22) (Theorem 3).
Proof of (22) (Theorem 3).
Consider any graph and . Let us denote the (worst-case) stochastically stable states that correspond to each gain with . Define for each
[TABLE]
as the set of nodes that play in the SSS in and play in . Note that is possibly composed of multiple -partitions. Also note it is possible that for all for some - that is, for all . We first consider the case when for every .
Let . Denote as the set of nodes stable to for all . Consider the gain with . Then the local efficiency of is
[TABLE]
The inequality is due to Proposition 1. For gains with , the local efficiency of is
[TABLE]
Hence, the overall system efficiency under gain is the mediant sum of the local efficiencies of the . An application of Fact 2 gives the result. The case when for also follows directly from Fact 2. From the notation of Fact 2, for . ∎
The details for the proof of (22) (Theorem 3) follow analogous arguments pertaining to focused attacks. Recall for a graph and restricted action set , we denote as its set of fixed nodes. Additionally, we restrict attention to gains , as these are not strictly dominated in the risk curve. The following structural property holds in a worst-case graph for focused risk.
Lemma 8**.**
A worst-case graph, i.e., a member of , has no active -links in . Additionally, .
Proof.
A graph that has active -links in remain active for all . The efficiency corresponding to each gain can be reduced by removing all such links and keeping the border nodes as fixed agents. This preserves the stability properties of all other nodes. The claim follows from Lemma 5. ∎
We are now ready to prove (23) in Theorem 3.
Proof of (23) (Theorem 3).
Consider any graph and fixed nodes . The stochastically stable states that correspond to each gain are denoted . Define for each
[TABLE]
as the set of unfixed nodes that play in the SSS for and play in . Note that it is possible for all for some . That is, for . We first consider the case when for every .
Let . Consider the gain with . Then the local efficiency of is
[TABLE]
Here, we use the convention . For gains with , the local efficiency of is
[TABLE]
Hence the overall system efficiency under is the mediant sum of the local efficiencies of the . An application of Fact 3 gives the result. The case when for also follows directly from Fact 3. ∎
VII Summary
In this paper, we framed graphical coordination games as a distributed system subject to two types of adversarial influences. The focus of our study concerned the performance of a class of distributed algorithms against the associated worst-case risks. We identified fundamental tradeoffs between ensuring security against one type of risk and vulnerability to the other, and vice versa. Furthermore, our analysis shows randomized algorithmic designs significantly improves the available tradeoffs. Our work highlights the design challenges a system operator faces in maintaining the efficiency of networked, distributed systems.
Proof of Lemma 3:.
This proof outlines a procedure to transform any into a star graph with lower efficiency if . We split into two cases - either induces a single -partition or more than one. First, assume induces a single -partition . An illustration of the constructive process is shown in Figure 4.
Construct a star subgraph that has nodes, each having a imposter attached. Call the center node . Construct similar star configurations for each -partition . Call their center nodes . Connect to each with a link between and . If there are multiple edges between and (), create new isolated nodes with a single imposter attached, and connect each to with a single link. At this point, and are stable and -partitions, and the isolated nodes are stable playing . We have obtained a graph of nodes with identical efficiency to since the number and type of edges are preserved.
We can further reduce efficiency if there are active links, i.e. if for at least one . If there are none, then the graph belongs to and we are done. Otherwise for each leaf node , redirect the edge to , and replace ’s imposter with a imposter. Call the total number of such converted nodes. The resulting graph-target pair belongs to . We claim the resulting (larger) -partition is stable. For this claim to hold, (45) requires that
[TABLE]
From the original , it holds that
[TABLE]
due to and . All -partitions in , now just a collection of single nodes connected to with an -imposter, are stable. The efficiency is less than the original because active -links increase efficiency more than active -links do. Hence,
[TABLE]
Now, we consider the remaining case when induces -partitions and -partitions . Consider such star subgraphs with center nodes . Recast the -partitions into similar star subgraphs with center nodes . We first connect each to some with a single link in any manner as long as a link between the original and exists. For each excess outgoing edge, we create an isolated node with an -imposter attached. Each isolated node is attached to a corresponding such that the original number of outgoing edges for each is satisfied. At this point, there are connected components in the construction, and the efficiency of this construction is identical to the original. Lastly, we apply the efficiency reduction procedure from before for each to obtain . From (37) and (34), we have
[TABLE]
∎
Proof of Lemma 2: Technical result for expected risks.
Let us define and . The set of probability vectors such that can be written as the set
[TABLE]
Define for each . With some algebra, we can express each as
[TABLE]
Using the identities and for , we obtain (omitting the algebraic steps)
[TABLE]
Now, suppose for . Using (67) and , we then have
[TABLE]
∎
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] J. Cortes, S. Martinez, and F. Bullo, “Robust rendezvous for mobile autonomous agents via proximity graphs in arbitrary dimensions,” IEEE Transactions on Automatic Control , vol. 51, no. 8, pp. 1289–1298, Aug 2006.
- 2[2] M. Mesbahi and M. Egerstedt, Graph theoretic methods in multiagent networks . Princeton University Press, 2010, vol. 33.
- 3[3] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “Wireless sensor networks: a survey,” Computer Networks , vol. 38, no. 4, pp. 393 – 422, 2002.
- 4[4] H. P. Young, Individual strategy and social structure: An evolutionary theory of institutions . Princeton University Press, 2001.
- 5[5] A. Montanari and A. Saberi, “The spread of innovations in social networks,” Proceedings of the National Academy of Sciences , vol. 107, no. 47, pp. 20 196–20 201, 2010.
- 6[6] S. A. West, S. P. Diggle, A. Buckling, A. Gardner, and A. S. Griffin, “The social lives of microbes,” Annual Review of Ecology, Evolution, and Systematics , vol. 38, no. 1, pp. 53–77, 2007.
- 7[7] M. Del Vicario, A. Bessi, F. Zollo, F. Petroni, A. Scala, G. Caldarelli, H. E. Stanley, and W. Quattrociocchi, “The spreading of misinformation online,” Proceedings of the National Academy of Sciences , vol. 113, no. 3, pp. 554–559, 2016.
- 8[8] Y. Mao, S. Bouloki, and E. Akyol, “Spread of information with confirmation bias in cyber-social networks,” IEEE Transactions on Network Science and Engineering , 2018.
