
Power Grid Defense Against Malicious Cascading Failure

Paulo Shakarian, Dept. EECS and Network Science Center, U.S. Military Academy, West Point, NY, 10996, paulo[at]shakarian.net
Hansheng Lei, Dept. EECS and Network Science Center, U.S. Military Academy, West Point, NY, 10996, hansheng.lei[at]usma.edu
Roy Lindelauf, Netherlands Defence Academy, Faculty of Military Science, Military Operational Art and Science, rha.lindelauf.01[at]nlda.nl

arXiv:1401.1086v1 [cs.CR] 6 Jan 2014

ABSTRACT

An adversary looking to disrupt a power grid may look to target certain substations and sources of power generation to initiate a cascading failure that maximizes the number of customers without electricity. This is a particularly important concern when the enemy has the capability to launch cyber-attacks as practical concerns (i.e. avoiding disruption of service, presence of legacy systems, etc.) may hinder security. Hence, a defender can harden the security posture at certain power stations but may lack the time and resources to do this for the entire power grid. We model a power grid as a graph and introduce the cascading failure game in which both the defender and attacker choose a subset of power stations such as to minimize (maximize) the number of consumers having access to producers of power. We formalize problems for identifying both mixed and deterministic strategies for both players, prove complexity results under a variety of different scenarios, identify tractable cases, and develop algorithms for these problems. We also perform an experimental evaluation of the model and game on a real-world power grid network. Empirically, we noted that the game favors the attacker as he benefits more from increased resources than the defender. Further, the minimax defense produces roughly the same expected payoff as an easy-to-compute deterministic load based (DLB) defense when played against a minimax attack strategy. However, DLB performs more poorly than minimax defense when faced with the attacker's best response to DLB. This is likely due to the presence of low-load yet high-payoff nodes, which we also found in our empirical analysis.

Categories and Subject Descriptors

I.2.11 [Artificial Intelligence]: Distributed Artificial Intelligence

General Terms

Algorithms, Security

Keywords

power grid defense, game theory, complex networks

1. INTRODUCTION

Rapid cascading failure in a power grid caused by a succession of overloading lines can lead to very large outages, as observed in the United States in 2003 [1]. Studies on cascading failure [7, 8, 16] have illustrated that such a failure can be initiated with only a small number of initial node failures. Further, power grid infrastructure is often particularly vulnerable with respect to cyber-security due to a variety of issues, including the use of legacy and proprietary computer hardware and software [26].

In this paper, we extend the work on cascading failure models to a two-player game where an attacker attempts to create a cascade that maximizes the number of customers without power while the defender defends key nodes to avoid a major outage. In Section 2, we introduce an extension to the failure model of [8] to not only consider the attacker and defender, but also the different types of nodes in the power grid (i.e. power generation vs. power consumers). In Section 3, we explore the computational complexity of finding deterministic best-response strategies for the attacker and defender under several different scenarios depending on the relative number of resources each player has and whether the opponent has a deterministic or mixed strategy. Here we found that, in general, these problems are NP-hard, though we do identify some tractable cases. In Section 4, we explore heuristic algorithms for finding deterministic "best responses" as well as minimax mixed strategies. We introduce a "high-load" strategy for defense (based on the observations of [8]), greedy heuristics for deterministic strategies, and a double-oracle approach based on [15] for finding a mixed strategy. In Section 5 we perform experiments on a real-world dataset of a power grid [20] and find that this game seems to favor the attacker as he benefits more from increased resources than the defender. Further, our experiments revealed that the minimax defense produces roughly the same expected payoff as an easy-to-compute deterministic load based (DLB) defense when played against a minimax attack strategy, though the load based defense does more poorly than minimax when faced with the attacker's best response to DLB. This is likely due to the presence of low-load yet high-payoff nodes, which we also found in our empirical analysis of the model. Finally, related work is discussed in Section 6.

2. TECHNICAL PRELIMINARIES

Consider a power-grid network modeled as an undirected graph $G=(V,E)$. Let $V_{src}, V_{ld} \subseteq V$ be source (producers of power) and load (consumers of power) on the network. We shall use the notation $disc_{V_{ld},V_{src}}(G)$ to denote the number of nodes in $V_{ld}$ which are not connected to any node in $V_{src}$ in graph $G$. Let $\mathcal{G}$ be the set of all subgraphs of $G$. For a given node $i$, let $N_G(i)$ be the set of nodes in $V_{src}-\{i\}$ that are closest to that node (based on path length in $G$). From this, we define edge load (similar to the idea of edge betweenness [25]).

Definition 2.1 (Edge Load). Given edge $ij \in E$, the edge load, $load_G(ij)$, is defined as follows:

$$load_G(ij) = \sum_{t \in V_{ld}} \sum_{s \in N_G(t)} \frac{\sigma_G(s,t|ij)}{|N_G(t)|\,\sigma_G(s,t)},$$

where $\sigma_G(s,t)$ is the number of shortest paths between $s,t \in V$ and $\sigma_G(s,t|ij)$ is the subset of these paths that pass through edge $ij \in E$.

Starting from initial network $G_0=(V_0,E_0)$ we use $c_{ij}$ to denote the capacity of edge $ij \in E_0$. In a real-world setting, we would expect to have this information. However, in this paper, we use the following proxy (similar to [8]).

$$c_{ij}(G_0) = (1+\alpha)\,load_{G_0}(ij)$$

where $\alpha$ is a non-negative real that specifies the excess capacity available on that line. We shall refer to $\alpha$ as the capacity margin. We assume that an edge $ij \in E$ fails in $G=(V,E)$, with $E \subset E_0$, if $load_G(ij) > c_{ij}(G_0)$. Once nodes (and adjacent edges) in $V_0$ are removed from $G_0$, this results in a change of shortest paths between sources and loads, hence more edges will potentially fail. This cascading power failure is modeled by a "failure" operator denoted with $F$ (based on the failure model of [8] - though we note that our model is a new contribution due to the consideration of source and load nodes) that maps networks to networks. We define it as follows.

Definition 2.2 (Failure Operator). The failure operator, $F: \mathcal{G} \rightarrow \mathcal{G}$, is defined as follows:

$$F((V,E)) = (V, \{ij \in E \mid load_{(V,E)}(ij) \le c_{ij}(G_0)\})$$

Intuitively, one application of the failure operator removes all edges that have exceeded their maximum capacity. We can define multiple applications of this operator as follows:

$$F^i(G) = \begin{cases} G & \text{if } i = 0 \\ F(F^{i-1}(G)) & \text{otherwise} \end{cases}$$

Clearly, there must exist a fixed point that is reached in no more than $|E|+1$ applications of $F$. Hence, we shall use the following notation:

$$F^*(G) = F^i(G) \ \text{ s.t. } \ F^i(G) = F^{i+1}(G)$$

We now consider two agents: an attacker and a defender. The attacker's strategy is to destroy nodes (and their adjacent edges) in an effort to cause a cascading failure that maximizes the number of load nodes ($V_{ld}$) that are disconnected from all source nodes ($V_{src}$). Meanwhile, the defender's strategy is to harden certain nodes such that the attacker is unable to destroy them - though these nodes can be taken offline as a result of the cascading failure¹. The attacker can destroy $k_a$ nodes while the defender can harden $k_d$ nodes. Thus the strategy space of both the attacker and defender consists of all subsets $V_a, V_d \subseteq V$ of size $|V_a| \le k_a$ ($|V_d| \le k_d$ respectively). We denote these strategy spaces by $ATK$ ($DEF$ respectively), i.e., if we allow the attacker to consider all strategies of size $k_a$ or less we have:

$$ATK = \{S \in 2^V : |S| \le k_a\}$$

¹ Note that this would likely be the case where the attack and defense occurs in cyber-space, while the cascade occurs in the physical world.

We now have all of the components to define the payoff function.

Definition 2.3 (Payoff Function). Given initial network $G=(V,E)$ with edge capacities $c_{ij}(G)$, attack (defend) strategy $V_a$ ($V_d$), the payoff function is defined by

$$p_G(V_a,V_d) = disc_{V_{ld},V_{src}}\big(F^*((V-(V_a-V_d),E))\big).$$

Now, in reality, the defender will have real-world limitations on the number of nodes (i.e. substations) he may harden. For instance, with regard to smart grid defense, applying the most up-to-date patches on all systems may not be realistic as it could potentially require system down-time - affecting customer service. Further, it would also likely not make sense for the defender to only harden certain nodes and ignore others. Hence, it is reasonable to consider a situation where the defender can only harden certain nodes against attack (and may do so probabilistically - i.e. applying hardware or software updates according to a schedule). Therefore, we study mixed strategies. Such strategies will be specified by probability distributions $Pr_a, Pr_d$ for the attacker and defender respectively. We shall denote the number of strategies assigned a non-zero probability as $|Pr_a|, |Pr_d|$. We can define expected payoff as follows.

Definition 2.4 (Expected Payoff). Let $Pr_a, Pr_d$ be probability distributions over all subsets of $V$ of sizes $k_a$ (resp. $k_d$) or less. These probability distributions correspond to a mixed strategy for the attacker and defender respectively. Hence, given such probability distributions, the expected payoff can be computed as follows:

$$ExP(Pr_a,Pr_d) = \sum_{V_a \in 2^V} Pr_a(V_a) \sum_{V_d \in 2^V} Pr_d(V_d)\, p_G(V_a,V_d)$$

In this work our goal is to find the minimax strategy for the defender - that is the mixed strategy for the defender that minimizes the attacker's maximum expected payoff - as well as deterministic "best responses" for both players given the other's strategy.

3. COMPUTATIONAL COMPLEXITY

In this section, we analyze the computational complexity of determining the best response for each of the agents to a strategy of its opponent. First, we shall discuss the case for finding a deterministic strategy for the defender and attacker. Then we shall explore the computational complexity of finding a mixed strategy. We summarize our complexity results in Table 3.

| Opponent Strategy | Attacker | Defender |
|---|---|---|
| Mixed w. 1 resource | NP-Compl. (Thm. 3) | PTIME (Prop. 3.2) |
| Det. w. fewer resources | NP-Compl. (Thm. 3) | PTIME (Prop. 3.1) |
| Det. w. greater resources | NP-Compl. (Thm. 3) | NP-Compl. (Thm. 1) |
| Mixed w. fewer resources | NP-Compl. (Thm. 3) | NP-Compl. (Thm. 2) |
| Mixed w. greater resources | NP-Compl. (Thm. 3) | NP-Compl. (Thm. 1) |

Table 1: Complexity Results for Finding a Deterministic Best Response

We frame the formal combinatorial problem of finding the best-response for the defender as follows:

Grid-Defend Deterministic Best Response (GD-DBR)
INPUT: Network $G=(V,E)$, attacker mixed strategy $Pr_a$ (where each option is of size no greater than $k_a$), natural number $k_d$, real numbers $X, \alpha$
OUTPUT: "Yes" if there exists a set $V_d \subseteq V$ s.t. $|V_d| \le k_d$ and $\sum_{V_a \in ATK} Pr_a(V_a)\,p_G(V_a,V_d) \le X$ and "no" otherwise.

We shall study this case under several conditions. The first, and easiest case is when $Pr_a = 1$ (the attacker uses a deterministic strategy) and $k_a \le k_d$.

Proposition 3.1. When $k_a \le k_d$ and $|Pr_a| = 1$ then GD-DBR is solvable in polynomial time.

Proof. As the attacker plays only one strategy and the defender can defend at least as many nodes as are being attacked, the defender simply defends all the nodes in the attacker's strategy.

However, even with $|Pr_a| = 1$, the problem becomes NP-hard in the case where $k_a > k_d$.

Theorem 1. When $k_a > k_d$ then GD-DBR is NP-complete, even when $|Pr_a| = 1$ and $X$ is an integer.

Proof. Clearly, checking if a given deterministic defender strategy $V_d$ meets the requirements of the "output" of GD-DBR can be completed in polynomial-time, providing membership in the class NP.

For NP-hardness consider the known NP-hard "set cover" problem [11] that takes as input a natural number $k$, set of elements $S = \{s_1,\ldots,s_n\}$, family of subsets of $S$, $H = \{h_1,\ldots,h_m\}$ and returns "yes" if there is a $k$-sized (or smaller) subset of $H$ s.t. their union is equal to $S$. We can embed Set Cover into an instance of GD-DBR in polynomial time with the following embedding: set $k_a = |H|$, $k_d = k$, $X = 0$, $\alpha = |H|+|S|$, create $G=(V,E)$ as follows:

• For each $h \in H$ create a node $v_h$ and for each $s \in S$ create a node $v_s$
• If $s \in h$, create edge $(v_h, v_s)$, for each $ij \in E$
• Set $V_{src} = \{v_h \mid h \in H\}$, $V_{ld} = \{v_s \mid s \in S\}$, $V_a = V - V_{ld}$

Suppose, by way of contradiction (BWOC), that there is a "yes" answer to Set Cover but a "no" answer to GD-DBR. Consider set $H'$ a subset of $H$ that is the certificate for Set Cover and the corresponding set $V' = \{v_h \mid h \in H'\}$ in the instance of GD-DBR. Suppose the defender utilizes this as a strategy. The attacker then effectively attacks the set $V - V_{ld} - V'$. Note that as the graph is bi-partite, this does not cause any cascading failure. By the construction, each load node must be connected to a source node, hence the number of offline load nodes is $X$. This gives us a contradiction.

Suppose, BWOC, that there is a "yes" answer to GD-DBR but a "no" answer to the corresponding instance of Set Cover. Let $V'$ be the certificate for GD-DBR. We note that any element of $V_{ld} \cap V'$ in $V'$ can be replaced by a neighboring node from $V_{src}$ without changing the size of this set and that such a set would still allow for all load nodes to remain online, let $V''$ be this new set. Consider the set $\{h \mid v_h \in V''\}$. By the contra-positive of the claim, this cannot be a cover of all elements of $S$. However, this would also imply that there is some element $v_s \in V_{ld}$ that is not connected to $V''$ meaning that it fails (as the attacker successfully destroys all its neighbors). This means that the adversary has a payoff greater than 0 (which is what $X$ was set to) – hence a contradiction.

Hence, the presence of a more advantageous attacker is a source of complexity. The next question would be if the attacker's behavior, i.e. deterministic vs. non-deterministic, also affects the complexity of the problem, even if the defender has the advantage. First, let us examine the case where the attacker has a mixed strategy with $k_a = 1$.

Proposition 3.2. When $k_a = 1$ then GD-DBR is solvable in polynomial time (w.r.t. $|Pr_a|$), even when $|Pr_a| \ge 0$.

Proof. In this case, we can re-write the payoff function as $p_G(\{v\},V_d) = 0$ if $v \in V_d$ and $p_G(\{v\},V_d) = p_G(\{v\},\emptyset)$ otherwise. Let $V' = \cup\{V_a \in ATK \mid Pr_a(V_a) > 0\}$. Note that each element of $V'$ is also a strategy the attacker plays with a non-zero probability (as the attacker only plays singletons). Hence, the expected payoff can be re-written as $\sum_{v \in V'-V_d} Pr_a(\{v\})\,p_G(\{v\},\emptyset)$. Therefore, the best a defender can do is defend the top $k_d$ nodes in $V'$ where $Pr_a(\{v\})\,p_G(\{v\},\emptyset)$ is the greatest - which can be easily computed in polynomial time and allows us to determine the answer to GD-DBR.

However, if the defender is playing a mixed strategy with $k_a > 1$, then the problem again becomes NP-complete.

Theorem 2. When $|Pr_a| > 1$ and $k_a > 1$, GD-DBR is NP-complete, even when $k_d > k_a$ and $X$ is an integer.

Proof. NP-completeness mirrors that of Theorem 1. For NP-hardness, we again consider a reduction from set-cover (defined in the proof of Theorem 1). The embedding can again be performed in polynomial time as follows: set $k_a = \max_{s \in S} |\{h \mid s \in h\}|$, set $k_d = k$, $X = 0$, $\alpha = |H|+|S|$, create $G=(V,E)$, $V_{src}$, and $V_{ld}$ as per the construction in Theorem 1. We then set up the mixed strategy as follows: for each $s \in S$, let $V_a^s = \{h \mid s \in h\}$ and $Pr_a(V_a^s) = 1/|S|$.

Suppose, BWOC, that there is a "yes" answer to set cover and a "no" answer to the instance of GD-DBR. Consider set cover solution $H^*$ and set $V_d = \{v_h \mid h \in H^*\}$. Note that $V_d$ meets the cardinality requirement. Note that by the construction, a source node becomes disconnected only if all of the load nodes connected to it are attacked, hence there is some node in the set $V_{ld}$ that is totally disconnected under at least one attacker strategy - let $v_s$ be this node. However, as set $H^*$ covers $S$, then regardless of the attacker strategy, there is always some node $v_h$ that is connected and never attacked (giving the attacker a payoff of zero) - hence a contradiction.

Suppose, BWOC, that there is a "yes" answer to GD-DBR and a "no" answer to the instance of set cover. Consider GD-DBR solution $V'$. We note that any element of $V_{ld} \cap V'$ in $V'$ can be replaced by a neighboring node from $V_{src}$ without changing the size of this set and that such a set would still allow for all load nodes to remain online, let $V''$ be this new set. Consider the set $H^* = \{h \mid v_h \in V''\}$. Note that $|H^*| \le k$. By the contra-positive, there must be at least one element of $S$ not covered by $H^*$. Let node $v_s$ be a node associated with uncovered element $s$. As GD-DBR returned "yes" then there is no attacker strategy where $v_s$ becomes disconnected from some node in $V_{src}$. As attack strategy $V_a^s$ includes all nodes that are connected to $v_s$, then at least one of these nodes must be included in $V''$. Therefore, for every node $v_s \in V_{ld}$ there is some node $v_h \in V_{ld} \cap V''$ that is connected to it, which means, by the construction, that $H^*$ must cover all elements of $S$ - a contradiction.

We now frame the formal problem for finding a deterministic best-response for the attacker below.

Grid-Attack Deterministic Best Response (GA-DBR)
INPUT: Network $G=(V,E)$, defender mixed strategy $Pr_d$ (where each option is of size no greater than $k_d$), natural number $k_a$, real numbers $X, \alpha$
OUTPUT: "Yes" if there exists a set $V_a \subseteq V$ s.t. $|V_a| \le k_a$ and $\sum_{V_d \in DEF} Pr_d(V_d)\,p_G(V_a,V_d) \ge X$ and "no" otherwise.

In the case of $k_a = 1$, this problem is solvable in polynomial time: simply consider each $v \in V$. The attacker computes $\sum_{V_d \in DEF} Pr_d(V_d)\,p_G(\{v\},V_d)$ until one is found that causes the payoff to exceed or be equal to $X$. However, for strategies of larger size, the problem becomes NP-hard, regardless of the size of the defender strategy.

Fact 3.1. When $k_a = 1$, GA-DBR is solvable in polynomial time (w.r.t. $|Pr_d|$).

Theorem 3. GA-DBR is NP-complete.

Proof. Clearly, a certificate consisting of a set $V_a \subseteq V$ can be verified in polynomial time, giving us membership in NP. For NP-hardness consider the known NP-hard "vertex cover" problem [11] that takes as input a graph $G'=(V',E')$ (with no self-loops) and natural number $k$ and returns "yes" iff there is a set of $k$ or fewer vertices that are adjacent to each edge in $E$. We can embed vertex cover into an instance of GD-DBR in polynomial time with the following embedding: set $k_a = k$, $k_d = 0$, $V_d = \emptyset$, $X = |V'|$, $\alpha = |E|$, $G = G'$, and $V_{src} = V_{ld} = V'$.

Suppose, BWOC, the above problem instance provides a "yes" answer to the vertex cover problem but a "no" answer to GA-DBR. Let $V''$ be a vertex cover of size $k$ or less for $G'$. Consider the corresponding set of vertices in $G$ (we shall call this $V^*$). Note that $|V^*| \le k_a$. As an attacker attacking $V^*$ disconnects those nodes from the network, all edges adjacent to $V^*$ fail. As $V^*$ is a vertex cover for $G$, this means that there are no edges in the graph once $V^*$ is removed. Hence, no load node is connected to any source node - giving the attacker a payoff of at least $X$ – hence a contradiction.

Suppose, BWOC, the above problem instance provides a "yes" answer to GA-DBR but a "no" answer to the vertex cover problem. Let $V_a$ be the set of nodes the attacker attacks in GA-DBR. As $\alpha = |E|$ and as $V_{src} = V$, nodes only fail in a cascade if they are either targeted by the attacker or become totally disconnected. Further, as $X = |V|$, all nodes in $G$ are either in $V_a$ or disconnected - meaning that $V_a$ must be a vertex cover of size $k_a$ or less. As $k_a = k$ we have a contradiction.

Due to the use of covering problems for the complexity results in Theorems 1, 2, and 3, it may seem reasonable to frame the problem as a sub- or super-modularity optimization where the objective function is monotonic. However, here we show (unfortunately) that these properties do not hold for either player. First, we shall make statements regarding the monotonicity of the payoff function.

Proposition 3.3. Iff $\forall V_d^*, V_a \subseteq V_a'$: $p_G(V_a,V_d^*) \le p_G(V_a',V_d^*)$ then $\forall V_a^*, V_d \subseteq V_d'$: $p_G(V_a^*,V_d) \ge p_G(V_a^*,V_d')$.

The idea of submodularity can be thought of as "diminishing returns." Given a set of elements $S$ and a function $f: 2^S \rightarrow \Re^+$, we say $f$ is submodular if for any sets $S_1 \subseteq S_2$ and element $s \notin S_2$, we have the following relationship:

$$f(S_1 \cup \{s\}) - f(S_1) \ge f(S_2 \cup \{s\}) - f(S_2)$$

A complementary idea of supermodularity is also often studied - in this case the inequality is reversed. Unfortunately, when we fix the strategy for the defender, the attacker strategy is neither submodular nor supermodular - making the dynamics of this model significantly different from others (i.e. [24]). Let us consider strategies $V_a, V_d$ where $V_a$ causes some load node $v \notin (V_a \cup V_d) \cap V_{ld}$ to disconnect and any node the strategy $\{v\}$ causes to disconnect will also become disconnected with strategy $V_a$ (such a case is easy to contrive, particularly with a bi-partite network). Therefore, we get the following relationship:

$$p_G(V_a \cup \{v\},V_d) - p_G(V_a,V_d) < p_G(\{v\},V_d) - p_G(\emptyset,V_d)$$

This arises from the fact that the left-hand side of the above equation becomes zero and the right-hand side of the equation is equal to $p_G(\{v\},V_d)$ which must be at least one. Now consider another example. Suppose we have a simple V-shaped network of three nodes. The angle of the V is a load node, while the other two nodes are source nodes. With $\alpha = 1$, the load node receives power if at least one of the source nodes is connected to it. However, it does not require both. Let $V_a$ be a strategy consisting of one source node and $v$ be the other source node, and $V_d$ consist of the load node. From this, we have the following relationship:

$$p_G(V_a \cup \{v\},V_d) - p_G(V_a,V_d) > p_G(\{v\},V_d) - p_G(\emptyset,V_d)$$

In this case, the right-hand side becomes zero while the left-hand side becomes one. This leads us to the following fact:

Fact 3.2. When $V_d$ is fixed, $p_G$ is neither submodular nor supermodular.

Now let us consider when we fix the attacker's strategy. If the payoff is submodular when the attacker's strategy is fixed, then we have the following for $V_d \subseteq V_d'$ and $v \notin V_d'$ if the payoff subtracted from the number of nodes is submodular:

$$p_G(V_a,V_d' \cup \{v\}) - p_G(V_a,V_d') \ge p_G(V_a,V_d \cup \{v\}) - p_G(V_a,V_d)$$

This is equivalent to the following:

$$p_G(V_a - (V_d' \cup \{v\}),\emptyset) - p_G(V_a - V_d',\emptyset) \ge p_G(V_a - (V_d \cup \{v\}),\emptyset) - p_G(V_a - V_d,\emptyset)$$

Now let $V_a' = V_a - (V_d' \cup \{v\})$ and $V_a'' = V_a' \cup (V_d' - V_d)$. Clearly $V_a'' \supseteq V_a'$ and $v \notin V_a''$. Now we get the following:

$$p_G(V_a',\emptyset) - p_G(V_a' \cup \{v\},\emptyset) \ge p_G(V_a'',\emptyset) - p_G(V_a'' \cup \{v\},\emptyset)$$
$$p_G(V_a' \cup \{v\},\emptyset) - p_G(V_a',\emptyset) \le p_G(V_a'' \cup \{v\},\emptyset) - p_G(V_a'',\emptyset)$$

Hence, submodularity of the payoff function when the attacker's strategy is fixed would give us supermodularity of the payoff function when the defender's strategy is fixed at the empty set. However, this clearly violates Fact 3.2 and gives rise to the following:

Fact 3.3. When $V_a$ is fixed, $p_G$ is neither submodular nor supermodular.

4. ALGORITHMS

In this section, we present heuristic algorithms for finding the deterministic best response of each player as the results of the previous section generally preclude a polynomial time algorithm for an exact solution. We first introduce a version of a "high load" strategy for the defender based on the ideas of [8]. Then we introduce a greedy heuristic for each player. This is followed by our approach for finding mixed strategies based on the double-oracle algorithm of [15].

Hi-Load Node Approach. In [8], the authors study "high load" nodes: nodes through which the greatest number of shortest paths pass. They show that attacks on these nodes tend to initiate cascading failures – suggesting that they should be a priority for defense. We formalize the definition of nodal load in our framework (essentially an extended definition of node betweenness [25]) by extending our function $load_G$ for nodes as follows.

Definition 4.1 (Nodal Load). For a given node, the nodal load is defined as the sum of the fraction of shortest paths for each pair that pass through that node. Formally:

$$load_G(i) = \sum_{s \in V_{src},\, t \in V_{ld}} \frac{\sigma_G(s,t|i)}{\sigma_G(s,t)},$$

where $\sigma_G(s,t|i)$ is the number of shortest paths between $s,t \in V$ that pass through node $i$.

Hence, we shall refer to the Deterministic Load-Based or DLB strategy for the defender as one in which he deterministically protects the $k_d$ nodes with the greatest load. We note that this is not necessarily a "best response" but the intuition is that defense will occur at nodes that are perceived to be critical to the adversary. This intuition is similar to that of the "most vital arc" idea seen in other failure model games [2, 21].

Greedy Heuristics for Finding Deterministic Strategies. Here we present a simple greedy heuristic to find the defender's best-response (GREEDY_DEFENDER_RESP). The analogous heuristic for the attacker is not shown due to space constraints, but we shall refer to it as GREEDY_ATTACKER_RESP. We note that while we do not make general approximation guarantees (due to the results in Section 3), by Proposition 3.3, nodes added in step 18 will always cause an increase in payoff to the defender (and in the analogous greedy approach for the attacker, this holds true as well). Further, by Proposition 3.2, when $k_a = 1$, we can be sure that GREEDY_DEFENDER_RESP returns an exact solution, even when the attacker has a mixed strategy. Unfortunately, by Theorem 3, the same cannot be said if the greedy heuristic is used for the attacker's best response.

Algorithm 1 GREEDY_DEFENDER_RESP
Require: Mixed strategy $Pr_a$, Natural number $k_d$
Ensure: Set of nodes $V_d$
 1: $V_d = \emptyset$
 2: Let $ATK$ be the set of strategies associated with $Pr_a$
 3: Set flag = True, $p^* = -\infty$
 4: while $|V_d| \le k_d$ and flag and $p^* < 0$ do
 5:   $p^* = -\sum_{V_a \in ATK} Pr_a(V_a)\,p_G(V_a,V_d)$
 6:   curBest = null, curBestScore = 0, haveValidScore = False
 7:   for $i \in V - V_d$ do
 8:     curScore $= p^* - \sum_{V_a \in ATK} Pr_a(V_a)\,p_G(V_a,V_d \cup \{i\})$
 9:     if curScore $\ge$ curBestScore then
10:       curBest $= i$
11:       curBestScore = curScore
12:       haveValidScore = True
13:     end if
14:   end for
15:   if haveValidScore = False then
16:     flag = False
17:   else
18:     $V_d = V_d \cup \{$curBest$\}$
19:   end if
20: end while
21: return $V_d$.

Finding Mixed Strategies. If the attacker uses a mixed strategy that consists of uniformly attacking elements of $\{S \subset V_{ld} : |S| = k_a\}$ then the best any pure defender strategy can do is defending $V_d \subset V_{ld}$. The attacker's strategy implies that any node in $V_{ld}$ is attacked with probability $\frac{k_a}{|V_{ld}|}$. Each of the $|V_{ld}| - k_a$ remaining nodes in $V_{ld}$ is then disconnected with probability $\frac{k_a}{|V_{ld}|}$, i.e., $x \ge k_a\left(1 - \frac{k_d}{|V_{ld}|}\right)$. Clearly due to the cascading the value of the game will probably be higher, illustrating the disadvantage the defender has in this game. To determine both players' optimal strategies and the value of the game we resort to an algorithmic approach. We can find the minimax strategy for the defender with the following linear program. It simply assigns a probability to each of the defender's strategies in a manner that minimizes the maximum payoff for the adversary. As a consequence, the solution to the following linear program, DEF_LP, can provide the mixed minimax strategy for the defender. An analogous linear program, ATK_LP (not shown), which mirrors DEF_LP, will provide that result for the attacker.

Definition 4.2 (DEF_LP).

$$\begin{aligned}
\min\ & p^* && && (1)\\
\text{subj. to}\ & p^* \ge \sum_{V_d \in DEF} X_{V_d}\, p_G(V_a,V_d) && \forall V_a \in ATK && (2)\\
& 1 = \sum_{V_d \in DEF} X_{V_d} && && (3)\\
& X_{V_d} \in [0,1] && \forall V_d \in DEF && (4)
\end{aligned}$$

Note that the above linear program requires one variable for each of the defender's strategies and one constraint for each of the attacker's strategies. However, as there are a combinatorial number of strategies, even writing down such a linear program is not practical except for very small problem instances. To address this issue of intractability, we employ the double-oracle framework for zero-sum games introduced in [15], which has been applied in more recent work as well [5, 12]. We present the algorithm DOUBLE_ORACLE as follows:

Algorithm 2 DOUBLE_ORACLE
Require: Network $G=(V,E)$, natural number maxIters
Ensure: Mixed defender strategy $Pr_d$
 1: Initialize numIters = 0, flag = True
 2: Initialize the sets of strategies $ATK$, $DEF$ to both be $\{\emptyset\}$
 3: while flag and numIters $\le$ maxIters do
 4:   Create $Pr_a, Pr_d$ based on the solutions to ATK_LP and DEF_LP respectively.
 5:   IF numIters < maxIters THEN let $V_a$ be the attacker's best response to $Pr_d$ and $V_d$ be the defender's best response to $Pr_a$
 6:   IF $V_a \in ATK$ and $V_d \in DEF$ THEN flag = False ELSE $ATK = ATK \cup \{V_a\}$, $DEF = DEF \cup \{V_d\}$
 7:   numIters += 1
 8: end while
 9: return $Pr_d$.

The intuition behind the above algorithm is that it iteratively creates mixed strategies for both the attacker and defender based on a solution to a linear program over the sets of current possible strategies for both players ($ATK$, $DEF$). This is followed by finding (for each player) the best deterministic response to its opponent's strategy. If these new strategies are both already in the set of possible strategies for the respective players, the algorithm terminates. Otherwise, they are added to $ATK$, $DEF$ respectively. We note that by Theorem 1 of [15] the above algorithm will guarantee an exact solution if maxIters is set to the number of possible strategies. In practice, [15] demonstrates that the algorithm converges much faster.

In DOUBLE_ORACLE, finding the solutions to DEF_LP, ATK_LP will be tractable provided that the algorithm converges in a polynomial number of steps (either through convergence or after the specified maxIters). However, as we have shown, computing the best responses is usually computationally difficult. Although, we note in the case where $k_a = 1$, that by Proposition 3.2 and Fact 3.1, the double oracle algorithm will return an optimal solution, even if greedy approximations are used for the oracles (provided it runs until convergence).

5. EXPERIMENTAL EVALUATION

All experiments were run on a computer equipped with an Intel X5677 Xeon Processor operating at 3.46 GHz with a 12 MB Cache and 288 GB of physical memory. The machine was running Red Hat Enterprise Linux version 6.1. Only one core was used for experiments. All algorithms were coded using Python 2.7 and leveraged the NetworkX library² as well as the PuLP library for linear programming³. All statistics presented in this section were calculated using the R statistics software.

² http://networkx.lanl.gov/
³ http://pythonhosted.org/PuLP/

In our experiments, we utilized a dataset of an Italian 380 kV power transmission grid [20]. This power grid network consisted of 310 nodes of which 113 were source, 96 were load, and the remainder were transmission nodes. The nodes were connected with 361 edges representing the power lines.

In our initial experiments, we examined the properties of the model when no defense is employed. In Figure 1 (left) we show results concerning nodal load vs. the payoff achieved by the adversary if that node is attacked (and no others). Interestingly, we noticed a significant number of nodes with low nodal load yet high-payoff if attacked (see nodes in dashed box). This may suggest that the DLB strategy may be insufficient in some cases. Later we see how DLB fails to provide an adequate defense against the attacker best response to DLB. This is likely due to these hi-payoff, low-load nodes. In Figure 1 (right) we examine $\alpha$ (capacity margin) vs. attacker payoff for various settings of $k_a$ (using the GREEDY_ATTACKER_RESP heuristic). Here we found that, in general, payoff decreases linearly with capacity margin ($R^2 \ge 0.84$ for each trial).

Figure 1: Left: Nodal load vs. payoff (note hi-payoff, low-load nodes in the dashed box), Right: Capacity margin ($\alpha$) vs. payoff

Next, we examined the relative performance of the minimax (mixed) defense strategy and the DLB strategy under different resource constraints and against the minimax (mixed) attack strategy as well as the attacker's (deterministic) greedy response to the DLB defense. In these experiments, we considered the case where both players have equal resources, the attacker has one resource (which by Proposition 3.2 and Fact 3.1 we are guaranteed an optimal solution), and the defender has one resource. These results are displayed in Figure 2. In these trials we set the capacity margin $\alpha = 0.5$, meaning that all edges had an excess capacity of 50%. We did not use the maxIters parameter of the DOUBLE_ORACLE algorithm, but instead allowed it to run until convergence.

Figure 2: Minimax and DLB defense strategies vs. minimax attack strategy (left) and the attacker's greedy best response to DLB (right). Examined are the cases where $k_a = k_d$ (top), $k_a = 1$, $k_d$ varies (middle) and $k_d = 1$, $k_a$ varies (bottom).

With regard to the comparison between DLB and minimax defense, both performed comparably against the minimax attack strategy. In fact, an analysis of variance (ANOVA) indicated little variance between the two when faced with the minimax attacker ($p \ge 0.74$ for these trials). Yet, a defender known to be playing a single strategy would likely not face an attacker who plays the minimax strategy, but rather the best response to the DLB. In this case, DLB play resulted in significantly greater payoff to the attacker than the defender ($p \le 0.29$ for these trials, the DLB defense results in 15.6 more disconnected nodes on average). This failure of the DLB strategy to perform well against a deterministic attacker best response is likely due to the presence of low-load yet high-payoff nodes as shown in Figure 1.

We also noticed that an increase in resources seems to favor the attacker more than the defender. When both players played their respective minimax strategy, the expected payoff for the attacker increased monotonically with the cardinality of the strategies. Further, when $k_d = 1$ and $k_a$ was greater, the attacker's payoff tripled when his resources increased from 1 to 6. However, when $k_a = 1$ and $k_d$ was greater, the defender's payoff only increased by a factor of 1.7.

Figure 3: Strategy size vs. run-time in hours (left) and the run-time of each iteration for the experiments where $k_a = k_d$

... each iteration, not a cumulative time). This increase is likely the combined result of the growing linear program and the growing size of the mixed strategies considered by the greedy approximation sub-routines. We are currently exploring reliable methods to limit the number of iterations while maintaining defender payoff.

6. RELATED WORK

Network security has received much attention from the research community in the past two decades. Recent incidents have shown that due to their internet connectedness such networks can come under cyber attack, causing severe problems⁴. See [26] for a discussion of cyber-security issues relevant to smart grids. The utilization of game theory in designing defense solutions seems ubiquitous. For instance [13] model the interaction between a DDoS attacker and the network administrator while [14] considers a game theoretic formulation for intrusion detection. Other formulations include stochastic games [17], signaling games [19], allocation games [4] and repeated games [3]. Game theory is also being used in monitoring and decision making in smart grids, see for instance [9] or the survey by Fadlullah et al. [10]. However to date no game theoretic approach has been given for the specific problem where the attacker explicitly sets off a cascading power failure to maximize the damage to the defender.

Cascading failure models applied to power grid infrastructure have been studied in the past [7, 8, 16]. The model of [8] introduces the idea of edge failure based on excessive loads. The goal of the research presented in these papers was to illustrate properties of the cascade, rather than explore strategies for attack and defense as this work does.
Hence, the attacker can cause more damage than the There has been work on attack and defense of a power-grid defender can mitigate with the same amount of extra re- networkundertheDCpower-flowmode[2,21,20,6]. How- sources. We suspect that this is likely because a defended ever,theDCpowerflowmodelisnotdesignedtomodelthe node can still fail during a cascade - which would likely be morerapidcascadingfailures(i.e. the2003cascadingfailure thecaseiftheattackanddefenseoperationsarerestrictedto in the eastern United States [1]). cyber-space,wherephysicalsystemfailuremaystillbepos- Theapplicationofgametheorytosecuritysituationswas sible as the result of a cascade initiated by virtual means. made popular by [18] where it used for airport security pa- We also examined the run-time of our approach, as dis- trolscheduling. Sincethen,otherapplicationshaveemerged playedinFigure3(left). Thoughrun-timedidseemtoscale linearly with strategy size (R2 =0.90±0.2 for each experi- including port protection [23], finding weapons caches [22], andsecuritycheckpointplacement[12]. Onethatbearssim- ment), it appears that run-time will in general prohibit the ilarity to this work is [24] - studying games for controlling study of larger strategies or networks (our longest experi- contagions on a network. However, as previously discussed, ment ran for 12 days). In examining the iterations of the that model operates under very different dynamics. DOUBLE ORACLE algorithm, Figure 3 (left), we find that run-time of an iteration of the algorithm progressively in- creases (note that this figure is showing the run-time for 4http://www.wired.com/threatlevel/2009/10/smartgrid/ 7. CONCLUSION NP-Completeness. W. H. Freeman & Co., New York, In this paper, we explored complexity, algorithmic, and NY, USA, 1979. implementation issues in a two-player security game where [12] M. Jain, V. Conitzer, and M. Tambe. Security theattacker/defenderlooktocreate/mitigatecascadingfail- scheduling for real-world networks. 
In International ure on a power grid. Future work includes an examination Conference on Autonomous Agents and Multiagent ofscalabilityissues(largernetworksandstrategies),adding Systems (AAMAS), 2013. uncertaintytothemodel,andtheconsiderationofmorereal- [13] P.Liu,W.Zang,andM.Yu.Incentive-basedmodeling worldinformationaboutthepowergridnetwork(i.e. actual and inference of attacker intent, objectives, and line capacities, etc.) in order to create a richer model. strategies. ACM Trans. Inf. Syst. Secur., 8(1):78–118, Feb. 2005. [14] Y. Liu, C. Comaniciu, and H. Man. A bayesian game 8. ACKNOWLEDGMENTS approach for intrusion detection in wireless ad hoc networks. In Proceeding from the 2006 workshop on We would like to thank D. Alderson for his input on re- Game theory for communications and networks, lated work and V. Rosato for providing us the power grid GameNets ’06, New York, NY, USA, 2006. ACM. dataset. SomeoftheauthorsaresupportedbyAROproject 2GDATXR042. The opinions in this paper are those of the [15] H. B. McMahan, G. J. Gordon, and A. Blum. authors and do not necessarily reflect the opinions of the Planning in the presence of cost functions controlled funders, the U.S. Military Academy, or the U.S. Army. byanadversary.InT.FawcettandN.Mishra,editors, ICML, pages 536–543. AAAI Press, 2003. 9. REFERENCES [16] A. E. Motter and Y. C. Lai. Cascade-based attacks on [1] Final Report on the August 14, 2003 Blackout in the complex networks. Phys. Rev. E, 66(6), Dec. 2002. United States and Canada: Causes and [17] K. C. Nguyen, T. Alpcan, and T. Basar. Security Recommendations. U.S.-Canada Power System games with incomplete information. In ICC, pages Outage Task Force, April 2004. 1–6. IEEE, 2009. [2] D. L. Alderson, G. G. Brown, M. W. Carlyle, and [18] P. Paruchuri, J. P. Pearce, J. Marecki, M. Tambe, L. Anthony Cox. Sometimes there is no ”most-vital” F. Ordonez, and S. Kraus. 
Playing games for security: arc: Assessing and improving the operational an efficient exact algorithm for solving bayesian resilience of systems. Military Operations Research, stackelberg games. In AAMAS, pages 895–902, 18(1):21–37, 2013-03-01T00:00:00. Richland, SC, 2008. [3] T. Alpcan and T. Basar. A game theoretic analysis of [19] A. Patcha and J.-M. Park. A game theoretic approach intrusion detection in access control systems. In to modeling intrusion detection in mobile ad hoc Decision and Control, 2004. CDC. 43rd IEEE networks. In Information Assurance Workshop, 2004. Conference on,volume2,pages1568–1573Vol.2,2004. Proc. from the Fifth Annual IEEE SMC, pages [4] M. Bloem, T. Alpcan, and T. Ba¸sar. Intrusion 280–284, 2004. Response as a Resource Allocation Problem. Decision [20] V. Rosato, L.Issacharoff, F. Tiriticco, S. Meloni, S.D. and Control, 2006 45th IEEE Conference on, pages Porcellinis, and R. Setola. Modelling interdependent 6283–6288, Dec. 2006. infrastructures using interacting dynamical models. [5] B. Bosansky´, C. Kiekintveld, V. Lisy´, J. Cermak, and IJCIS, 4(1/2):63–79, 2008. M. Pechoucek. Double-oracle algorithm for computing [21] J. Salmeron, K. Wood, and R. Baldick. Analysis of an exact nash equilibrium in zero-sum extensive-form electric grid security under terrorist threat. Power games. In AAMAS, pages 335–342, 2013. Systems, IEEE Transactions on, 19(2):905–912, May [6] G. Brown, M. Carlyle, J. Salmeron, and K. Wood. 2004. Defending critical infrastructure. Interfaces, [22] P. Shakarian, J. P. Dickerson, and V. S. 36(6):530–544, Nov. 2006. Subrahmanian. Adversarial geospatial abduction [7] S. V. Buldyrev, R. Parshani, G. Paul, H. E. Stanley, problems. ACM Trans. Intell. Syst. Technol., and S. Havlin. Catastrophic cascade of failures in 3(2):34:1–34:35, Feb. 2012. interdependent networks. Nature, [23] E. Shieh, B. An, R. Yang, M. Tambe, C. Baldwin, 464(7291):1025–1028, Apr. 2010. J. DiRenzo, B. Maule, and G. Meyer. Protect: a [8] P. 
Crucitti, V. Latora, and M. Marchiori. Model for deployedgametheoreticsystemtoprotecttheportsof cascading failures in complex networks. Phys. Rev. E, the united states. In AAMAS, pages 13–20, Richland, 69(4):45104, 2004. SC, 2012. [9] M. Esmalifalak, G. Shi, Z. Han, and L. Song. Bad [24] J. Tsai, T. H. Nguyen, and M. Tambe. Security games data injection attack and defense in electricity market for controlling contagion. In J. Hoffmann and using game theory study. IEEE Trans. Smart Grid, B. Selman, editors, AAAI. AAAI Press, 2012. 4(1):160–169, 2013. [25] S. Wasserman and K. Faust. Social Network Analysis: [10] Z. Fadlullah, Y. Nozaki, A. Takeuchi, and N. Kato. A Methods and Applications. Number 8 in Structural survey of game theoretic approaches in smart grid. In analysis in the social sciences. Cambridge University Wireless Communications and Signal Processing Press, 1 edition, 1994. (WCSP), 2011 International Conference on, pages [26] D. Wei, Y. Lu, M. Jafari, P. Skare, and K. Rohde. 1–4, 2011. Protecting smart grid automation systems against [11] M. R. Garey and D. S. Johnson. Computers and cyberattacks. Smart Grid, IEEE Transactions on, Intractability; A Guide to the Theory of 2(4):782–795, 2011.
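The DOUBLE ORACLE loop (steps 5 to 9 and the paragraph on its intuition) run end to end, as an added example that is not the authors' code. Assumptions: the game is a constructed toy with k_a = k_d = 1 and a stand-in payoff instead of the paper's cascade model, the initial strategy sets are chosen arbitrarily, and Hedge self-play replaces the DEF LP / ATK LP solve so that only the standard library is needed.

```python
import math

# Constructed toy game (not the paper's cascade model): k_a = k_d = 1, and the
# attacker's payoff is the value of the attacked node unless it is defended.
VALUES = [6, 3, 3, 1, 1, 1]

def payoff(a, d):
    return 0.0 if a == d else float(VALUES[a])

def solve_restricted(atk, dfn, rounds=20000, eta=0.005):
    """Approximate minimax mixed strategies over the restricted sets with
    Hedge self-play (a stand-in for the paper's ATK LP / DEF LP)."""
    wa, wd = [1.0 / len(atk)] * len(atk), [1.0 / len(dfn)] * len(dfn)
    avg_a, avg_d = [0.0] * len(atk), [0.0] * len(dfn)
    for _ in range(rounds):
        gain = [sum(q * payoff(a, d) for q, d in zip(wd, dfn)) for a in atk]
        loss = [sum(p * payoff(a, d) for p, a in zip(wa, atk)) for d in dfn]
        avg_a = [s + p / rounds for s, p in zip(avg_a, wa)]
        avg_d = [s + q / rounds for s, q in zip(avg_d, wd)]
        # Attacker up-weights high gains, defender down-weights high losses.
        wa = [p * math.exp(eta * g) for p, g in zip(wa, gain)]
        wd = [q * math.exp(-eta * l) for q, l in zip(wd, loss)]
        sa, sd = sum(wa), sum(wd)
        wa, wd = [p / sa for p in wa], [q / sd for q in wd]
    return dict(zip(atk, avg_a)), dict(zip(dfn, avg_d))

def double_oracle(max_iters=50):
    nodes = range(len(VALUES))
    atk, dfn = [0], [0]  # assumed initial strategy sets ATK, DEF
    for it in range(1, max_iters + 1):
        pr_a, pr_d = solve_restricted(atk, dfn)
        # Oracles: best deterministic responses over ALL pure strategies.
        gain = {a: sum(q * payoff(a, d) for d, q in pr_d.items()) for a in nodes}
        loss = {d: sum(p * payoff(a, d) for a, p in pr_a.items()) for d in nodes}
        v_a, v_d = max(gain, key=gain.get), min(loss, key=loss.get)
        if v_a in atk and v_d in dfn:
            break  # "flag = False" in the pseudocode: nothing new to add
        atk, dfn = sorted(set(atk) | {v_a}), sorted(set(dfn) | {v_d})
    # gain[v_a] is the most any single attack earns against the mix Pr_d.
    return pr_a, pr_d, gain[v_a], atk, dfn, it

if __name__ == "__main__":
    pr_a, pr_d, value, atk, dfn, iters = double_oracle()
    print("defender mix:", {d: round(q, 2) for d, q in pr_d.items()})
    print("attacker payoff bound:", round(value, 2), "after", iters, "iterations")
```

The three low-value nodes never enter either strategy set: the oracles stop at {0, 1, 2}, where the defender's mix is close to (0.6, 0.2, 0.2) and the attacker's expected payoff is close to 2.4.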
