Protecting shared information in networks: a network security game with strategic attacks
Bram de Witte, Paolo Frasca, Bastiaan Overvest, Judith Timmer

TL;DR
This paper models security investments in networks where agents share sensitive information, revealing that strategic attack types and network structure significantly influence whether agents under-invest or over-invest in security.
Contribution
It introduces a new security game model considering both strategic and random attacks, analyzing how network topology affects security investment behaviors.
Findings
Under-investment occurs at Nash equilibrium under random attacks.
Network topology influences whether agents over-invest or under-invest in security.
Higher information sharing increases the likelihood of under-investment due to elevated attack risks.
Abstract
A digital security breach, by which confidential information is leaked, does not only affect the agent whose system is infiltrated, but is also detrimental to other agents socially connected to the infiltrated system. Although it has been argued that these externalities create incentives to under-invest in security, this presumption is challenged by the possibility of strategic adversaries that attack the least protected agents. In this paper we study a new model of security games in which agents share tokens of sensitive information in a network of contacts. The agents have the opportunity to invest in security to protect against an attack that can be either strategically or randomly targeted. We show that, in the presence of random attack, under-investments always prevail at the Nash equilibrium in comparison with the social optimum. Instead, when the attack is strategic, either…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsInformation and Cyber Security · Network Security and Intrusion Detection · Opinion Dynamics and Social Influence
Protecting shared information in networks: a network security game with strategic attacks
Bram de Witte B. De Witte, P. Frasca and J. Timmer are with Department of Applied Mathematics, University of Twente, 7500 AE Enschede, The Netherlands. [email protected].
Paolo Frasca*∗* P. Frasca is with Univ. Grenoble Alpes, CNRS, Inria, Grenoble INP, GIPSA-lab, F-38000 Grenoble, France. [email protected].
Bastiaan Overvest B. Overvest is with CPB Netherlands Bureau for Economic Policy Analysis, The Hague, The Netherlands. [email protected].
Judith Timmer*∗*
Abstract
A digital security breach, by which confidential information is leaked, does not only affect the agent whose system is infiltrated, but is also detrimental to other agents socially connected to the infiltrated system. Although it has been argued that these externalities create incentives to under-invest in security, this presumption is challenged by the possibility of strategic adversaries that attack the least protected agents. In this paper we study a new model of security games in which agents share tokens of sensitive information in a network of contacts. The agents have the opportunity to invest in security to protect against an attack that can be either strategically or randomly targeted. We show that, in the presence of random attack, under-investments always prevail at the Nash equilibrium in comparison with the social optimum. Instead, when the attack is strategic, either under-investments or over-investments are possible, depending on the network topology and on the characteristics of the process of the spreading of information. Actually, agents invest more in security than socially optimal when dependencies among agents are low (which can happen because the information network is sparsely connected or because the probability that information tokens are shared is small). These over-investments pass on to under-investments when information sharing is more likely (and therefore, when the risk brought by the attack is higher).
1 Introduction
Our society and economy have become largely dependent on sharing information over networks. Although in general computer networks provide benefits, they are also prone to cyber attacks, whose impact increases with our dependence on them. Security breaches can have various origins, such as the spread of malware, compromissions of social network accounts, or exploitations of system vulnerabilities. In this paper, we interested in cyber attacks where, without permission, confidential information is obtained. This information may represent for instance confidential documents, intellectual property or identity information. The impact of having sensitive information stolen can be destructive: bank accounts can be plundered, companies can be threatened that strategic decisions or sensitive information will be released or identities can be stolen for criminal purposes. These forms of cyber attacks where confidential information is obtained are occurring more often and keeping personal information out of the hands of thieves is becoming increasingly difficult [15].
From both the scientific literature and the general media [23], it is apparent that the variety of potential threats is huge. Depending on their purpose, some attacks aim at compromising a whole class of systems or devices, whereas others aim at precise targets. We shall refer to the former type of attacks as random attacks and to the latter type as strategic attacks [1, 20]. An example of a random cyber attack would be WannaCry. This is a ransomware virus that in 2017 infected about 200,000 computers worldwide, including computers of the National Health Service in the UK, Renault in France and Telefonica in Spain: these computers were all vulnerable because their operators failed to install in time a simple software patch - i.e. arguably under-invested in security measures. Examples of strategic cyber attacks are quite common. A well-known attack is the 2016 security breach against the Democratic National Committee, by which thousands of e-mails were stolen and subsequently leaked, including e-mails from Hillary Clinton.
Researchers have soon recognized that network security is not only a matter of devising suitable security measures, but also of making sure that individuals put them into practice [23]. Consequently, the adoption of security measures has been regarded as an economic problem and has been addressed with the tools of game theory. In this perspective, the key observation is that the presence of a network introduces interdependencies between risks and costs incurred by the individuals [14]. Hence, the interesting question becomes understanding the effects of these interdependencies. In order to answer this question, a large literature has been developed not only in the economic science but also in computer science [20] and in engineering, including security problems for wireless communication [19] and interdependent control systems by [2, 25, 24, 12]. These works have addressed an array of questions that are relevant in our own work, including security games featuring strategic attacks [7], multiple targets [20], multiple attackers and defenders [26]. In this Introduction, we will not trying to provide a complete literature survey on interdependent security, for which we can point the reader to sources like [3, 21, 17, 13]. Instead, we will more modestly highlight a few recurring issues that motivate our work on interdependencies in network security.
A number of papers [3, 18] have argued that security investments are not as high as they should be due to externalities in the network. These externalities originate because confidential information can be leaked through other channels than one’s own device. As a consequence, agents face risks whose magnitude depend not only on their own security levels but also on the security levels of others. In this setting, investments act like strategic complements as benefits of security adoption are not exclusively for the one that invested in the security. Consequently, a negligent agent who does not adequately protect his and others’ information due to free-riding, may cause considerable damage to other agents in the network. This leads to situations where benefits of security adoption might fall significantly below the cost of adoption, which causes under-investments.
More recently, the prediction of under-investments in information networks has been challenged. Acemoglu et al. [1] and Bachrach et al. [4] show that investments in security might as well be strategic substitutes when agents face an intelligent threat. In their setting, an attacker can aim at the weakest nodes: in this case, a negligent agent who does not invest in security has a relative higher chance that his information is stolen by a direct attack of the hacker. This eliminates the ability to free-ride on security investments of others and forces an agent to invest. In fact, this framework leads to incentives which correspond to an arms race: agents compete with each other leading to over-investments in security. Bachrach *et al. *even propose that an optimal policy requires taxing security, contrarily to subsidizing security as recommended by models that do not include an intelligent adversary.
Our work provides a tractable model of network security game that can explain both under-investments and over-investments, depending on the strategy of attack and on the amount of shared information, which eventually depends on the topology of the network connecting the agents. Our original framework and our results can be informally described as follows. Inspired by attacks that aim at recovering sensitive information, such as the DNC hack, we define a dissemination model where interconnected agents share confidential information (e-mails ) with each other with a certain probability , resulting in a dissemination of information among peers that depends on the network structure. Agents store information (both their own and that received from others) and invest in security to protect it. A malignant and possibly intelligent attacker, who has the goal to obtain as much information as possible, attacks one of the agents. If the attack is successful, the attacker acquires all the information that was stored by the agent, thus making this agent and possibly also other agents, which have entrusted their information to the attacked agent, victims of the attack. If the attacker is able to optimally choose which agent to attack, the attack will be said to be strategic: otherwise, to be random. In our model, the security investments are the outcome of the resulting two-stage game between the agents and the attacker, where the attacker knows the investments of the agents, who in turn choose their investments anticipating the strategy of the attacker. Under this game structure, we show that when the attack is random, then the equilibrium investments are lower than the socially optimal investments. Instead, if the attack is strategic, then the relation between optimal and equilibrium investments depends on the amount of information shared: when the fraction of shared information is low, equilibrium investments are higher than optimal ones, whereas the opposite happens when the fraction of shared information is high. The fraction of shared information can be high for two distinct reasons: either the diffusion probability is high, or the network is tightly connected. The latter case shows our results to be consistent with those in [7], where the authors adapt interdependent security games to model strategic attacks and find that over-investments prevail in nondense networks.
In order to keep our analysis tractable, some of our results on strategic attacks make an assumption of homogeneity in the network, namely that the network is vertex-transitive. We complement these results with an analysis of the security game on star graphs, which we choose as a natural example of non-homogeneous topology: this case study shows that the essential lines of our findings, as we described them above, remain valid on general graphs.
This paper is structured as follows. Section 2 describes the problem that we want to address, introducing the dissemination model, the attack and the security investments. Subsequently, Section 3 examines the dissemination model that underlies the security game. Sections 4 and 5 are the core of our paper, as they study the security game when the attack is random and when the attack is strategic, respectively. Finally, Section 6 discusses the obtained results and complements them with numerical evaluations on complete, ring, and star graphs that we have selected as fundamental examples. Section 7 summarizes and concludes the paper. The body of the paper is complemented by an Appendix which is devoted to detailed derivations (for the examples of complete and star graphs) and proofs (of the main results about strategic attacks).
2 Information dissemination and network game
Our dynamics of interest take place on a network of agents that can share tokens of information, such as confidential documents, with each other. Let us think of agents in a set . We say that two agents and are linked by an edge when and can share documents directly with each other. These edges create a (undirected) network , where is the adjacency matrix in which if and only if and are linked by an edge. We denote the set of all edges in as . In this graph theoretical context, we need to recall some standard definitions. A path in between agent and is a sequence of distinct edges , where is the length of the path. We assume that is a network in which there exists a path between all pairs of agents, in other words, is a connected network. A subnetwork of is a network such that and . In Figure 1 we illustrate these concepts and show some networks of interest.
Our problem statement requires us to specify three key ingredients: (i) the dissemination of information, (ii) the adversary attack, (iii) the defensive investments.
Information dissemination model.
We assume that initially every agent owns a unique document which we will denote as for agent . All the documents spread, independently of each other, over the network . Although the documents are confidential, it is not detrimental for an agent when his document is obtained by other agents. We assume that an agent obtains a document from another agent with probability when they are connected. This leads to a so-called transmission network for each document. A generic transmission network is a random subnetwork of and formally defined as , where
[TABLE]
where are independent random variables identically distributed according to a Bernoulli distribution with parameter . We are thus assuming that the probability of transmission between two neighboring nodes is identical for every document. Let and be instances of transmission networks and transmission probabilities for a dissemination starting from any . Then with . Now, an agent obtains document when she is connected to agent in the transmission network . The spread of the documents then is described by the transmission networks.
The network structure determines the probability that a document spreads from its owner to another agent. We define the matrix with elements representing the probability that agent owns document after dissemination
[TABLE]
where is the set of all paths between agent and in network . Note that the matrix is symmetric and only depends on and on . Since we assumed that is connected, contains only strictly positive elements. Although , the event that obtains is independent of obtaining , because they are respectively taking place on the transmission networks and . Denote the expected number of documents obtained by agent as and note that
[TABLE]
We additionally denote .
Attack model.
After the documents have spread through the network, the adversary attacks one agent. We model this attack by a random variable from a distribution over the agents. This distribution is conveniently represented by the probability vector which we call the attack vector. When an attack on an agent is successful the attacker will steal all the documents stored at the target. This always includes an agent’s own document, but may additionally include documents of other agents. We assume that the attack vector is established before the documents spread through the network.
Defense model.
Before the attack vector is chosen, agents have the opportunity to precautionary invest in security. We denote these investments as the security vector. These security investments are such that an attack on agent is successful with probability . Let denote the event that the attacker obtains document , and otherwise. Consequently, by conditioning and exploiting independence we establish that
[TABLE]
Recognize that the security of an agent , that is, the privacy of his information , does not only depend on his own investment, but also depends on the investments by the other agents. Furthermore, let . Observe that the expected number of stolen documents is
[TABLE]
because the attacker affects only one node directly.
Problem summary.
The timing in our problem is as follows. Firstly, the agents invest in security by selecting the security vector . Secondly, the attacker chooses the attack vector , possibly in order to maximize his reward. Hereafter, the documents spread through the network. Finally, one agent is attacked by the attacker. Since in our model the attacker observes the security levels of all the agents, the relevant equilibrium concept is that of the Stackelberg equilibrium of the resulting two-stage game [22]: the agents first select their security levels anticipating the decision of the attacker (as they know his strategy) and the attacker optimizes his attack strategy while having knowledge of the security choices. Let us note that the proposed sequence of players actions in the Stackelberg game (first defender, then attacker) is the interesting one to study. On the contrary, the reverse sequence would be unrealistic and would trivialize the game. Should the attacker go first, then the agents would just know who is to be attacked and would simply be able to optimally protect the target node.
More on the relation with literature on contagion and security games.
The two-stage scheme of the strategic security game that we study in this paper is adopted from the work [1] on cascading failures and contagion. However, our problem statement is different because the underlying diffusion/contagion model is different. In [1], each agents is susceptible to the attack with probability and the infection spreads from the attacked node to all nodes that are connected to it in the sub-network spanned by the susceptible nodes. Therefore, an investment in security prevents both contagion from a direct attack and contagion through the network. Instead, in our model the susceptibility is only realized at the attacked node, whereas the dissemination of information independently takes place across all edges for all pieces of information. Therefore, nodes cannot be safe from damage even if they invest maximally in security, since their private information is shared with other nodes. Another difference is the explicit presence of the variable , the probability of diffusion: in our results the amount of over- or under-investments is dependent on the level of interdependence in the network, which is directly influenced by the network topology and by the probability .
3 Information dissemination
The next proposition provides more insight about the value of , the expected number of documents obtained by agent . Its proof is straightforward and therefore omitted. In order to emphasize the dependence of on and we shall use the notation . The result is illustrated in Figure 3.
Proposition 1** (Monotonicities).**
Given a network , is strictly increasing in for all . Given two networks , , provided node belongs to both networks.
Example 1** (Star graph).**
Consider a star graph with nodes: node is the center and the remaining nodes are the leaves. Note that (with and )
[TABLE]
Hence,
[TABLE]
which implies that .
In order to make our analysis tractable, we will often assume the networks to be vertex-transitive. Although this choice limits the scope of our results, we conjecture that economic forces in vertex-transitive networks extend to a broader class of networks. Informally, a vertex-transitive network is a network which ‘looks the same’ at every node. More precisely, we adopt the following definition.
Definition 1** (Vertex transitivity).**
A network is vertex-transitive if and only if for any two nodes and there exists a mapping such that while the structure of is preserved: for all .
The two leftmost networks in figure 2 are examples of vertex-transitive networks. While every agent in a vertex-transitive network has the same number of other agents whom she is linked to (regular network), the converse is not necessarily true. As an example, the last network in figure 2 is regular but not vertex-transitive.
It is no surprise that every agent in a vertex-transitive networks obtains — in expectation — the same number of documents. We state this formally in the next proposition.
Proposition 2** (Shared documents in vertex-transitive networks).**
In any vertex-transitive network, for all .
Proof.
By vertex-transitivity there exists a such that while the structure is preserved, which means that . Consequently by (3), yielding the result. ∎
Since on vertex-transitive networks all elements in are identical (for all values of ), we will adopt the notation . Complete graphs and ring graphs are both examples of vertex-transitive networks.
Example 2** (Ring graph).**
Consider a ring graph with nodes (see Figure 1). Let be the distance between nodes and . By a simple inclusion-exclusion reasoning, observe that if then
[TABLE]
Hence, by summing over the nodes
[TABLE]
Note that as . In contrast, recall from Example 1 that is unbounded in on star graphs.
Ring and star graphs are simple to deal with because the number of possible paths between two nodes is small. On the contrary, the complete graph has a very large number of possible connecting paths. Nevertheless, some quantities can be explicitly computed.
Example 3** (Complete graph).**
For the sake of clarity, we denote by and the expected number of documents and the generic transmission probability on the complete graph , respectively. Due to transitivity,
[TABLE]
and for small we easily see that and . To obtain some more general expressions, let denote the probability that any document reaches all nodes in . Then, and
[TABLE]
In turn,
[TABLE]
These formulas, proved in the Appendix, allow for the numerical evaluation of on graphs of moderate size, as shown in Figure 3. For large , it is useful to consider the bounds
[TABLE]
The lower bound can be obtained by considering only propagation across paths of length at most two. The upper bound can be obtained by considering that the document from cannot reach vertex unless at least one edge reaches in graph . These two bounds together imply that is asymptotically linear in .
4 Security under random attacks
Security investments are conveniently modeled as the outcome of a game between agents. In this section, we look at the social optimum and the equilibria of this security game in the presence of a random attack. The game with a strategic attack is considered in Section 5.
The security game with random attacks is defined as follows. A random attack is defined by the uniform attack vector
[TABLE]
which is known to all agents.The player set is the set of agents or nodes . The strategy set of agent is . The reward of each agent is defined as the probability that her own document is safe minus the incurred cost, that is,
[TABLE]
where is given in (4) and is the cost agent incurs for choosing . We assume that
[TABLE]
for some . The choice of a quadratic cost is made for simplicity: the analysis can be extended to other smooth convex increasing functions. The choice of , instead, is meant to make the cost “large”, so to rule out trivial game outcomes with maximal investments. Also this assumption can be relaxed at the price of more involved analysis.
In this setting each agent attempts to maximize his/her reward while disregarding the utilities of the others. This is described by a noncooperative game with player set . Any player has strategy set and payoff function . For these games, the classical definition of Nash equilibrium is of interest: an investment level is a pure strategy Nash equilibrium if for any player and any investment level unilateral deviation does not pay,
[TABLE]
Here denotes the vector where component is replaced by . In security games under random attack, the Nash equilibrium has a simple structure.
Theorem 1** (Equilibrium against random attack).**
In a security game facing a random attack, the pure strategy Nash equilibrium is unique and is equal to
[TABLE]
Proof.
The utility of agent reads We easily see that and . Since and , we conclude that the largest utility is obtained with investment , the unique only Nash equilibrium. ∎
Some remarks are in order. Firstly, the Nash equilibrium does not depend on or on the network. The economic motivation for this result is intuitive. As an agent cannot control a possible external loss in a random attack, an increase in investments does not lead to a reduced risk that his document is stolen through another agent. This forces an agent — in a non-cooperative setting — to ignore the external risk and to find the optimal trade-off between investment costs and protection against a direct loss. Secondly, the investment levels at the Nash equilibrium go to zero as the number of nodes goes to infinity. This is because the risk of being attacked is diluted in large networks.
In contrast with the above non-cooperative setting, we may consider a cooperative setting where all agents cooperate to maximize the social utility, which equals the sum of the agents’ utilities:
[TABLE]
By the continuity of on its compact domain , the function must attain a maximum. That maximum is said to be the social optimum.
Theorem 2** (Social optimum against random attack).**
In a network facing a random attack, the social optimum is unique and is equal to
[TABLE]
Proof.
By (2) the global utility reads We easily see that and
[TABLE]
implying that is a concave function of . Since and because and , we conclude that with is the unique maximizer. ∎
Comparing these results shows that the Nash equilibrium features under-investments relative to the social optimum. This happens because in the cooperative setting an agent also invests to protect documents of others. This additional effort leads to higher investments in security, which depend on the network and the probability . The following examples illustrate these observations.
Example 4** (Ring network, cont’d).**
Consider the ring network studied in Example 2 and assume . Then, the socially optimal investments are
[TABLE]
and the Nash equilibrium investments remain . Both these quantities decrease to zero as goes to infinity.
Example 5** (Star network, cont’d).**
Consider the star network studied in Example 1 and assume . Then, the socially optimal investments are
[TABLE]
Observe that all investments are non-vanishing for and that the central node 1 supports the highest investment. On the contrary, the Nash equilibrium investments go to zero for .
Example 6** (Complete network, cont’d).**
Consider the complete network studied in Example 3 and assume . Then, the socially optimal investments converge (exponentially fast in ) to the maximum investment:
[TABLE]
while the equilibrium investments go to zero for .
Optimal investments are larger on networks that are well connected. Indeed, they are vanishing in the limit for large for the cycle graph, which is poorly connected, whereas investments are non-vanishing in the limit for large on well-connected networks such as stars and complete graphs. Consistently, the complete graph requires the highest security investments.
5 Security under strategic attacks
In the previous section we analysed the security game in the presence of a random attack. As of this section we allow for a strategic attack by the adversary. As such, the adversary and agents are involved in a two-stage game, the so-called Stackelberg game [22]. In the first stage, the agents determine their investments in security. Thereafter, in the second stage, the adversary selects an attack strategy. Such a game is solved by a Stackelberg equilibrium.
5.1 Definition of strategic attack
We start the analysis with the strategy of the attacker. The vector is chosen by the attacker in an optimal way, based on the knowledge of the network and of the vector . More precisely, we assume that the strategy of the attacker is an optimal trade-off between the expected number of stolen documents and the cost of this attack, solving the following optimization problem
[TABLE]
Here the expected number of stolen documents is and the function defines the cost the attacker incurs for choosing . Note that this framework is consistent with the attacker playing the Stackelberg game after the defending agents. In this paper we assume quadratic costs
[TABLE]
with . Note that this definition implies that a more precise attack is more costly than a more random one. Similarly to what was discussed for the agent’s cost , extensions to other convex increasing functions are possible. By using the expression for in (2), the problem becomes
[TABLE]
The Karush-Kuhn-Tucker (KKT) conditions can be used to solve (13). As the objective function is strictly concave, these conditions are necessary and sufficient to obtain the optimal solution. The KKT conditions read
[TABLE]
where and for all are the Lagrange multipliers corresponding to the constraints (14b) and (14c) respectively. Solving these conditions results in the following characterization of the optimal attack strategy.
Proposition 3** (Optimal attack vector).**
The optimal attack vector chosen by the attacker, solving (13), is given by the unique solution to the equations
[TABLE]
Consequently, is a function of and (and in turn of and of the topology of the network).
Proof.
By substituting (14a) into (14b) and noting that by (14e) if , the multiplier must solve
[TABLE]
To show that is unique, suppose that there are two solutions of (15a): and . Without loss of generality, assume that and set for . Obviously, . Also note that
[TABLE]
which gives us a contradiction. So, is unique. Next, (14a) directly leads to (15b) and is a well-defined function of by the uniqueness of . ∎
The example below illustrates the optimal strategic attack probabilities for star networks.
Example 7** (Star network, cont’d).**
*Consider the star network studied in Example 1 and, by symmetry, assume that . We begin by looking for solutions to (LABEL:eq:findattack) such that for all . In this case, equations (15a) and (15b) become *
[TABLE]
and for . Solving the first equation for and substituting that in the other two equations yields
[TABLE]
Let and observe that can be either negative or positive and its magnitude is approximately linear in . Since , we observe that when
[TABLE]
Let us refer to as the “risk” taken by agent . Since when , we may say that on large star networks, the center is more likely to be attacked than the leaves when the center takes more than times the risk taken by the leaves.
When grows larger, the gap between the two attack probabilities increases, until and (if ) or until and (if ). The former vector is indeed the optimal solution when , whereas the latter is optimal when
Since finding explicit solutions to (15) quickly becomes unfeasible on more complex graphs, we instead set to investigate qualitative properties of the optimal attack vector. In the next result, we derive how the optimal attack probabilities depend on the investment levels . The formulas confirm the intuition that the optimal attack probability is decreasing in the investments of agent , and increasing in the investments of agents .
Proposition 4** (How attacks depend on investments).**
The marginal changes of the optimal attack probability to and to for agent with , are respectively given by
[TABLE]
where is the number of agents with strict positive probability of being attacked. In particular, is nonincreasing in and nondecreasing in .
Proof.
The marginal changes follow from the KKT-conditions in (14). First note that when . Consequently when we differentiate KKT-condition (14a) with respect to we get
[TABLE]
and — similarly — when we differentiate with respect to
[TABLE]
Next we combine KKT-condition (14b) with the observations above. First recognize that the equation is equivalent to . These equations imply
[TABLE]
By combining (5.1), (5.1) and (19b), it follows that
[TABLE]
where is the number of agents with strict positive probability of being attacked. By solving this expression for and substituting the result in (5.1) and (5.1), we establish the statement. ∎
Proposition 4 bears further consequences for vertex-transitive networks, where each agent obtains the same number of documents in expectation, . For this reason, more precise results can be obtained, including the following monotonicity property: if an agent invests more in security than another agent, then his attack probability is lower (and vice versa).
Proposition 5** (Attacks to vertex-transitive networks).**
If the network is vertex-transitive then if and only if .
Proof.
Firstly, we rewrite (15a) to obtain
[TABLE]
Next if then
[TABLE]
It is then clear that, provided , if and only if . If instead , then we derive the following equivalent inequalities.
[TABLE]
At the same time, is equivalent to
[TABLE]
Thus, is equivalent to . ∎
This result immediately leads to the following implications: (a) maximal investments in security guarantee an upper bound on the attack probability; and (b) if all agents invest the same amount, then the attack vector is uniform.
Corollary 1**.**
For vertex-transitive networks, there hold true that:
- (a)
if for some , then ; 2. (b)
if for all , then for all .
5.2 Investments under strategic attacks
In stage 1 of the security game, the security investments are conveniently modeled as the outcome of a game between the agents. In this game, they take the best response of the adversary into account. The reward of agent equals (cf. (8))
[TABLE]
First we analyse the cooperative case, where the social utility
[TABLE]
is maximized. The proof of the following result is postponed to the Appendix.
Theorem 3** (Social optimum against strategic attacks).**
In a vertex-transitive network facing a strategic attack, the social optimum is unique and equal to
[TABLE]
Remark 1** (Uniform investments, uniform attacks and sacrificial lambs).**
Theorem 3 indicates that it is socially optimal for an agent to invest the same as the others. As a consequence, one may immediately verify that , that is, the socially optimal uniform investments imply uniform attack probability. In other words, we may say that the socially optimal investments make the strategic advantage of the adversary void.
This recommendation is in contrast with some previous studies, for instance [6] [16], suggesting that it might be optimal to leave some agents unprotected and make them sacrificing lambs. Our setting differs from theirs mainly in the definition of the cost function, which is quadratic in our case (as opposed to linear). We want to stress that the ineffectiveness of sacrificing lambs is not an artefact of our homogeneity assumption. Certainly, the homogeneity of the investments as predicted by Theorem 3 is indeed a consequence of the homogeneity of the networks. However, the indication that optimal investments make the attack probabilities uniform appear to be valid beyond this scenario. Indeed, detailed calculations on the star graphs (reported in the Appendix) show that also in that non-homogeneous network an investments strategy that makes the attack probability uniform outperforms a sacrificial lamb strategy.
Instead, if each agent optimizes his individual reward, the following equilibrium investment levels are attained.
Theorem 4** (Equilibrium against strategic attacks).**
In a vertex-transitive network facing a strategic attack, there is a unique pure strategy equilibrium vector of investment levels , which is symmetric and given by
[TABLE]
Theorem 4, whose proof is also postponed to the Appendix, shows that the first stage of the security game results in a unique and symmetric vector of investment levels. Combining this equilibrium with the outcome of the second stage, results in the Stackelberg equilibrium of our game.
Corollary 2** (Stackelberg equilibrium).**
The security game under strategic attack has a unique Stackelberg equilibrium with investment levels and attack vector given by (15a), (15b) and (21).
The equilibrium investments in stage 1 are a function of , the expected number of documents obtained, which in turn depends on the transmission probability .
Remark 2** (Dependence on ).**
The equilibrium investments (21) are increasing in for small , till the point where , after which they are decreasing in . Indeed,
[TABLE]
and thus
[TABLE]
In view of Proposition 1, the only root of (22) is given by such that . Further, when and when .
Example 8** (Ring, cont’d).**
For ring networks we derive from Example 2 that, after neglecting exponential terms, : hence, as diverges, converges to 1. Moreover,
[TABLE]
This value is strictly larger than the limit social optimum as seen in Example 4. We conclude that in large rings (which are sparse networks) strategic attacks lead to over-investments, .
Example 9** (Complete, cont’d).**
For complete networks we derive from Example 3 that, after neglecting exponential terms, as diverges. This implies that
[TABLE]
Comparing this value with the limit social optimum , we conclude that in large complete graphs strategic attacks lead to under-investments.
6 Discussion
The investment levels derived in the previous sections can easily be compared. A summary of the most relevant comparisons is given in the following statement.
Theorem 5** (Investments in vertex-transitive networks).**
Assume the graph to be vertex-transitive.
Socially optimal investments do not depend on the type of attack, that is, . 2. 2.
Equilibrium investments are smaller in case of random attacks than in case of strategic attacks, that is, and the inequality is strict unless . 3. 3.
Random attacks lead to under-investments at equilibrium, that is, and the inequality is strict unless . 4. 4.
Strategic attacks can lead to either under- or over-investments. The level of investment depends on the probability : for smaller , over-investments occur, and for larger , it leads to under-investments occur, . Moreover, the condition
[TABLE]
is sufficient to guarantee a unique transmission probability at which the equilibrium investments are socially optimal, .
Proof.
The first three items may be verified immediately by inspection. For the fourth item, denote the investments by to stress the dependence on . Observe that that , and . This implies that the graphs of and intersect at least once.
Applying the chain rule of differentiation and the fact that increases with lead to the following inequalities:
[TABLE]
A sufficient condition for the latter inequality to be true is given by (23). ∎
A few comments about this statement are in order. Regarding social optima, the reader may find surprising that optimal investments against random and strategic attacks coincide. Indeed, the optimal investments against strategic attacks trivialize the strategy of the attacker, that is, make the attack probabilities uniform. This observation is confirmed by the star graph example, described in the Appendix, where the investments that make the attack uniform yield higher reward than sacrificing lamb investments. In the special case of vertex-transitive networks, the uniformity in the attack probability is reflected in the uniformity of the investments.
Regarding equilibria, we observe that equilibrium investments against strategic attacks are always higher than against random attacks, which feature under-investment in comparison with the social optimum. In other words, players that are aware of the strategic nature of the attack shall invest more than against a random attack. This difference is consistent with intuition, since players facing a strategic attacker can be expected to invest more to divert attacks away from themselves. However, the theorem also shows that the awareness of strategic attacks is not sufficient to prevent under-investments (even though strategic investments remain larger than investments in the random setting). Actually, under-investments against strategic attacks appear precisely when the risk is higher, that is, in the presence of a larger transmission probability and a more tightly connected networks. Indeed, the turning point from over- to under-investments is lower in denser networks.
These general facts can be numerically verified in our running examples. We report in Figures 4, 5 and 6 the optimal and equilibrium investments as functions of the diffusion probability , computed for complete, ring, and star topologies with nodes. Several observations can be made about the similarities and differences between these three very different networks (we remind that the star graph is not vertex-transitive, therefore not covered by Theorem 5).
On all these networks, strategic attacks make the agents invest more at equilibrium than random attacks. 2. 2.
On all these networks, the optimal strategic investments are increasing and become equal to when and equal to when : at that point they coincide with the equilibrium investments against random attack. Instead, equilibrium investments become equal to when . The extreme values for do not depend on the topology. 3. 3.
On all these networks, the equilibrium results in over-investments for small transmission probabilities and in under-investments for large transmission probabilities. 4. 4.
For each node, there is a unique probability where over-investments pass on to under-investments and equilibrium investments are socially optimal. 5. 5.
The transition from over-investments to under-investments takes place at smaller transition probabilities where connectivity is stronger. Consistently, the probability with the largest equilibrium investment level is smaller where connectivity is stronger.
These observations are consistent with our theoretical results, even if some of them were proved for vertex-transitive networks only, thereby showing that their insights are valid on general networks.
7 Conclusion
In this paper, we studied in detail a model of strategic defensive allocation to elucidate the economic forces at play. We have shown how the type of attack by the adversary influences the investments by the agents. Equilibrium investments are larger under strategic attacks than under random attacks. Furthermore, in case of random attacks the equilibrium investments are always lower than socially optimal, which represents under-investments in security. Finally, in case of strategic attacks, there are over-investments for small transmission probabilities and under-investments for large probabilities. This transition takes place at lower probabilities in more dense networks. Indeed, those networks where the stakes are higher, because the number of shared documents is larger, are precisely those that are prone to under-investments.
In a large part of this work, the assumption of vertex-transitivity postulates a homogeneity in the network, which greatly simplifies the analysis. Another simplifying assumption is the choice of quadratic costs. Even though extending the scope of our analysis would certainly be of interest, we believe that our contribution already exemplifies the fundamental issues of these network privacy games and the key role of the network topology therein.
The importance of the network topology is reflected by the fact that optimal investments in random and strategic attacks and equilibrium investments in strategic attacks depend explicitly on the expected number of received documents and, therefore, on the topology. Therefore, the players need to know about the topology to implement their strategies. Since such a knowledge may be hard to obtain in practice, a relevant open question is defining a version of this security game that takes into account suitable limitations of such knowledge.
Appendix A Information dissemination on the complete graph
We begin by proving111The result in Proposition 6 is probably well known. For instance it can be found stated in slide 4 of http://keithbriggs.info/documents/connectivity-Manchester2004Nov19.pdf. Here we provide a proof for completeness. formula (6).
Proposition 6**.**
Let be the probability that any document reaches all nodes in . Then, for any , it holds that and
[TABLE]
Proof.
Let be a transmission network in and observe that is equal to the probability that is connected. Let be the component in which lies in the transmission network and compute
[TABLE]
where is the number of nodes in . To evaluate , let be the set of the subsets of that include node and have cardinality : recognize that there are such subsets. Next, by conditioning on all and exploiting the assumptions of independence between the edges, we can compute
[TABLE]
so concluding the proof. ∎
Next, we prove Equation (7).
Proposition 7**.**
In a complete network on nodes, for every and all
[TABLE]
Proof.
By conditioning on the size of the component in which lies
[TABLE]
where we have used the fact that all nodes are equally likely to be in . The result follows by using (24). ∎
Appendix B Sacrificial vs uniform strategies on the star graph
Let us first consider the strategy that ensures uniform attack probabilities. From the derivations in Example 7, we observe that when , necessarily and . Therefore,
[TABLE]
Its derivative is
[TABLE]
showing that the reward is optimal for
[TABLE]
Since the expression for the resulting optimal reward is cumbersome, we prefer to present an approximation for large . In that limit, we find
[TABLE]
Moreover, notice that and , where the latter quantity is larger than the former: the center has to invest more than the leaves to ensure uniform attacks.
Let us then compare this reward with that of a sacrificial lamb. In this strategy we assume that one of the leaves is left unprotected, . In this case, equations (15) imply that as long as and are large enough: more precisely, as long as
[TABLE]
Note that the first quantity goes to zero in the limit of large networks, whereas the second one is approximated by : therefore, the lamb strategy is feasible. Under conditions (25), we can calculate
[TABLE]
This quantity is smaller that , thereby showing that the uniform strategy gives higher reward, at least for large enough networks.
Appendix C Proof of Theorem 3
The proof takes four steps. (i) We show that no component of is either [math] or . (ii) We deduce the first order conditions (FOC) for optimality of the social optima. (iii) We show that there is no asymmetric investment level which solves this FOC. (iv) We find a symmetric social optimum and prove that this (symmetric) optimum is unique.
(i) Preliminary, we compute the gradient of as
[TABLE]
By the assumption of vertex-transitivity this reduces to
[TABLE]
Next, we show that the gradient of , , does not point outward at the boundary of . First,
[TABLE]
where the final equality follows from (19a). Second,
[TABLE]
where the weak inequality follows from due to , due to Corollary 1.(a), and .
(ii) The social optimum thus belongs to . From (26) and the social optimum solves for each agent
[TABLE]
(iii) In order to prove that all components of are equal, without loss of generality let and and assume that . We derive a contradiction. Observe that by (27)
[TABLE]
where the last equality is due to (19a) for . Similarly
[TABLE]
with the last equality due to (19a) for . Observe that , the definition of implies and that for all by (16). Then
[TABLE]
with the final equality due to (27) and the inequality follows from for at least one . By a similar line of arguments
[TABLE]
These two inequalities prove that the right-hand side of (C) is larger than the right-hand side of (C), which contradicts . Therefore, and all components of are equal.
(iv) Now we have established that is a symmetric social optimal investment level, we elaborate (27) to derive by (19). By summing over all and using symmetry we obtain (20).
Appendix D Proof of Theorem 4
Notice that the agents play a strategic game amongst themselves in stage 1. We refer to the outcome of that stage as an equilibrium. The proof is divided into three intermediate steps.
We prove that there exists at least one pure strategy equilibrium. 2. 2.
We prove that the equilibrium is unique and symmetric. 3. 3.
We exhibit a symmetric equilibrium.
Let us preliminary recall the reward of agent ,
[TABLE]
and that the equilibrium solves . The derivative of (30) is given by
[TABLE]
Step 1. We prove that is quasi-concave in . The derivative of (31) is given by
[TABLE]
where the second equality follows from (16) and . As the second derivative of the utility of agent is negative, we conclude that is actually concave. We are now in the position to apply the result by Debreu, Fan, Glicksberg [8, 9, 11] who showed that a pure strategy Nash equilibrium exists in the strategic form game of stage 1 when the strategy sets are compact and convex, and the utility of each agent is quasi-concave in the agent’s own strategy and continuous in the strategy of other agents.
Step 2. We start by finding the second order derivatives of . In (D) we already computed this derivative to . Additionally note that the derivative of (31) to for is given by
[TABLE]
where is used in the second equality.
Secondly, we determine the number of agents having a positive probability of being attacked, . For any agent
[TABLE]
This implies that : that is, it is not optimal not to investment, since slightly increasing the investment level will result in larger rewards. Now assume that . By (30), the rewards of agent will be
[TABLE]
Since the equilibrium investments maximize these rewards, we should have . But this contradicts our conclusion from (33). Therefore, our assumption was false and we must have for all agents . This implies , all agents have a positive probability of being attacked.
Combining these results, the negated Jacobian with becomes
[TABLE]
Next we show that the matrix is diagonally dominant.
[TABLE]
Because the matrix is also symmetric, all principal minors in the negated Jacobian are positive [5]. Because of this, the Nash equilibrium in a symmetric game is unique [10]. As we already concluded that a pure Nash equilibrium always exists, we are able to conclude that this equilibrium is unique and symmetric.
Step 3. Finally, we exhibit the symmetric equilibrium . Because of this symmetry, by Corollary 1. Starting from (31) we obtain
[TABLE]
Since the equilibrium solves , the expression (21) follows immediately.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] D. Acemoglu, A. Malekian, and A. Ozdaglar. Network security and contagion. Journal of Economic Theory , 166:536–585, 2016.
- 2[2] S. Amin, G. A. Schwartz, and S. S. Sastry. Security of interdependent and identical networked control systems. Automatica , 49(1):186–192, 2013.
- 3[3] R. Anderson and T. Moore. The economics of information security. Science , 314(5799):610–613, 2006.
- 4[4] Y. Bachrach, M. Draief, and S. Goyal. Contagion and observability in security domains. In 2013 51st Annual Allerton Conference on Communication, Control, and Computing (Allerton) , pages 1364–1371, Oct 2013.
- 5[5] R. B. Bapat and T. E. S. Raghavan. Nonnegative Matrices and Applications . Encyclopedia of Mathematics and its Applications. Cambridge University Press, 1997.
- 6[6] V. Bier, S. Oliveros, and L. Samuelson. Choosing what to protect: Strategic defensive allocation against an unknown attacker. Journal of Public Economic Theory , 9(4):563–587, 2007.
- 7[7] H. Chan, M. Ceyko, and L.E. Ortiz. Interdependent defense games: Modeling interdependent security under deliberate attacks. In Proceedings of the Twenty-Eighth Conference on Uncertainty in Artificial Intelligence , UAI’12, pages 152–162, Arlington, Virginia, United States, 2012. AUAI Press.
- 8[8] G. Debreu. A social equilibrium existence theorem. Proceedings of the National Academy of Sciences , 38(10):886–893, 1952.
