A Dynamic Game Approach to Strategic Design of Secure and Resilient Infrastructure Network

06/17/2019 ∙ by Juntao Chen, et al. ∙ Inria NYU college 0

Infrastructure networks are vulnerable to both cyber and physical attacks. Building a secure and resilient networked system is essential for providing reliable and dependable services. To this end, we establish a two-player three-stage game framework to capture the dynamics in the infrastructure protection and recovery phases. Specifically, the goal of the infrastructure network designer is to keep the network connected before and after the attack, while the adversary aims to disconnect the network by compromising a set of links. With costs for creating and removing links, the two players aim to maximize their utilities while minimizing the costs. In this paper, we use the concept of subgame perfect equilibrium (SPE) to characterize the optimal strategies of the network defender and attacker. We derive the SPE explicitly in terms of system parameters. We further investigate the resilience planning of the defender and the strategic timing of attack of the adversary. Finally, we use case studies of UAV-enabled communication networks for disaster recovery to corroborate the obtained analytical results.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Infrastructure networks are increasingly connected due to the integration of the information and communications technologies (ICTs). For example, the introduction of smart meters has enabled the communications between the users and the utility companies. Communications with roadside units in vehicular networks can provide safety warnings and traffic information. However, infrastructure networks are vulnerable to not only physical attacks (e.g., terrorism, theft or vandalisms) but also cyber attacks. These attacks can damage the connectivity of the infrastructure system and thus results in the performance degradation and operational dysfunction. For instance, an adversary can attack the road sensor units and create traffic congestion [1]. As a result, the transportation system can break down due to the loss of roads. An adversary can also launch denial-of-service attacks to disconnect communication networks [2], resulting in inaccessibility of relevant database for air travel or financial transactions.

The cyber-physical nature of the infrastructure can also enable the coordinated attacks on the infrastructure systems that allow an adversary to use both cyber and physical approaches to disconnect networks. Therefore, infrastructure protection plays a significant role to maintain the connectivity of the infrastructure networks. One way to protect the network is to create redundant links in the network so that networks can be still connected despite arbitrary removal of links. This approach has been used in traffic networks by creating multiple modes of transportation, in communication networks by adding extra wired or wireless links, and in supply chain networks by making orders from multiple suppliers.

Adding link redundancy is an effective approach when there is no knowledge of the target of the attacker, and thus the objective of the network designer is to secure the network by making the network robust to arbitrary removal of a fixed number of links. However, it becomes expensive and sometimes prohibitive when the cost for creating links is costly, and the attacker is powerful. Therefore, a paradigm shift to emphasize the recovery and response to attacks is critical, and the infrastructure resilience becomes essential for developing post-attack mechanisms to mitigate the impacts. Recovering the network from attack is a top priority for designers especially in the service-oriented critical infrastructures including electric power and communication networks [3]. With a limited budget of resources, it is essential to develop an optimal post-attack healing mechanism as well as a pre-attack secure mechanism holistically and understand the fundamental tradeoffs between security and resilience in the infrastructures.

To this end, we establish a two-player dynamic three-stage network game formation problem in which the infrastructure network designer aims to keep the network connected before and after the attack, while the objective of the adversary is to keep the network disconnected after the attack. Note that each player has a cost on creating or removing links. Specifically, at the first stage of the game, the infrastructure network designer first creates a network with necessary redundancies by anticipating the impact of adversarial behavior. Then, an adversary attacks at the second stage by removing a minimum number of links of the network. At the last stage of the game, the network designer can recover the network after the attack by adding extra links to the attacked network.

The resilience of the network is characterized by the capability of the network to maintain connectivity after the attack and the time it takes to heal the network. The security of the infrastructure is characterized by the capability of the network to withstand the attack before healing. Adding a large number of redundancies to the network can prevent the attack from disconnecting the network, but this approach can be costly. Hence, it is important to make strategic decisions and planning to yield a protection and recovery mechanism for the infrastructure with a minimum cost.

We adopt subgame perfect Nash equilibrium (SPE) as the solution concept of the dynamic game. We observe that with sufficient capabilities of recovery, the infrastructure can mitigate the threats by reducing the incentives of the attackers. We analyze SPE of the game by investigating two different parameter regimes. Further, we develop an optimal post-attack network healing strategy to recover the infrastructure network. When an attacker is powerful (attack cost is low), we observe that the defender needs to allocate more resources in securing the network to reduce the incentives of the attacker. In addition, agile resilience and fast response to attacks are crucial in mitigating the cyber threats in the infrastructures.

In the infrastructure network, agile resilience requires more effort of the network designer. Thus, when taking the resilience cost into account, the designer selects a mechanism including the defense and recovery strategies as well as the resilience ability jointly that yields the best net payoff. The attacker can also be strategic in choosing its attacking time. We find that when the defender does not recover the network, the attacker prefers to attack in an early phase and receives the total rewards afterward. In contrast, the attacker chooses to compromise the network at a later phase (though he does not really attack since the network is not connected initially), extracting all the utility from the initial time until the attacking phase. We finally use case studies on communication networks recovery based on unmanned aerial vehicles (UAVs) to illustrate our obtained theoretical results.

The contributions of this paper are summarized as follows.

  1. We establish a two-player three-stage dynamic game framework to study the secure and resilient infrastructure network design. By considering the costs for creating and removing links, the network defender aims to keep the network connected while otherwise for the attacker.

  2. We provide a complete analysis of the subgame perfect Nash equilibrium of the dynamic game which includes the defense and recovery strategies of the network defender and the attacking strategy of the adversary.

  3. We derive constructive results on the resilience planning which specifies the optimal response time to attacks for the defender as well as the strategic timing of attack that determines when to compromise for the adversary.

I-a Related Work

Communication network connectivity plays an important role in information exchange in various scenarios including civilian and military applications. To enhance the network connectivity against attacks, a number of methods have been proposed including two-way cooperative network formation [4], secrecy graph approach [5], and -composite scheme [6]. Our work aims to improve the network connectivity by strategically investing link resources.

Security is a critical concern for infrastructure networks [7, 8, 9]. In [10], the authors have used bilevel and trilevel optimization models to design secure critical infrastructure against terrorist attacks. [11] has provided a comprehensive survey on cyber security of critical infrastructures and evaluated the adversarial impact using an attack-tree-based methodology. In [12]

, the authors have investigated secure state estimation of interdependent critical infrastructures through proposing a Colonel Blotto game framework and captured the dynamics of various components holistically using a novel integrated state-space model. A cross-layer design approach has been proposed in

[13, 14] to optimize the performance of cyber-physical control systems where the security is modeled using a game-theoretic framework. To further enhance the system performance, the strategy designed by the network operator should take the cascading failure effects into account due to the couplings between distinct network components [15, 16, 17]. Cascading failures over networks have been widely studied in the literature. The authors in [18] have shown that topological changes are needed to increase cascading robustness, and improvements in network component tolerance alone do not ensure system robustness against cascading failures. In [19]

, the authors have proposed an evolutionary algorithm to improve the network performance to cascading failures, and showed that clustering, modularity, and long path lengths are critical in designing robust large-scale infrastructure. Furthermore,

[20] has proposed a dynamic game-theoretic approach to investigate the coupling between cyber security policy and robust control design of industrial control systems under cascading failures. In addition, [21] and [22] have designed protective strategies using stochastic games for energy systems under cascading failures due to attacks. The authors in [23] have developed strategic security investment strategies in IoT networks by capturing bounded rationality of players due to cognitive constraints. Different with previous literature on analyzing network failures using game approaches, our work captures the sequential move of attacker and defender and models the network structure explicitly. Furthermore, by leveraging dynamic games, graph theory and optimization, we provide a complete equilibrium analysis of the problem by considering network security and resilience jointly which is not a focus in previous works.

In addition to the system security, resilience is another crucial property that needs to be considered by infrastructure network designers [24]. In [25], the authors have proposed a hybrid framework for robust and resilient control design with applications to power systems by considering both the unanticipated events and deterministic uncertainties. The authors in [26] have studied the resilience aspect of routing problem in parallel link communication networks using a two-player game and designed stable algorithms to compute the equilibrium strategies. [27] has studied the critical infrastructure resilience by focusing on two metrics, optimal repair time and resilience reduction worth, to measure the criticality of various components in the system. The network resilience in our framework is quantified by the recovery time after the attack which needs to be strategically designed.

Dynamic game approaches have been widely used to investigate the network security and resilience. For example, [28] has used a differential game to model the malware defense in wireless sensor networks where the system designer chooses strategies to minimize the overall cost. A stochastic repeated game and an iterative learning mechanism have been adopted for moving target defense in networks [29]. In [30], a multistage Stackelberg game has been studied for developing deceptive routing strategies for nodes in a multihop wireless communication network. Furthermore, [31] has proposed a three-player three-stage game-theoretic framework including two network operators and one attacker to enable the secure design of multi-layer infrastructure networks. Our framework is also a three-stage game but differs from [31] since we have one central network designer and take the system resilience into account.

The adopted method and framework in our infrastructure network design are relevant to the recent advances in adversarial networks [32, 33, 34, 35] and strategic network formation games [36, 37, 38]. Furthermore, the current work extends our previous one [39] in multiple aspects. First, our goal in this work is to design the optimal protection, resilience planning and recovery strategies for infrastructure networks in a holistic manner which differs from [39] in which the critical resilience planning factor is not considered. Second, we investigate the new topic of network resilience and the strategic behavior of attacker in Section V. Third, we provide the detailed proofs of all theoretical results which were omitted in [39]. Fourth, we extensively expand the introduction and related work sections as well as the case studies section with more examples to explicitly illustrate the newly obtained analytical results.

I-B Organization of the Paper

The rest of the paper is organized as follows. Section II formulates the problem. Dynamic game analysis are presented in Section III. Section IV derives the SPE of the dynamic game. Network resilience and strategic timing of attack are investigated in Section V. Case studies are given in Section VI, and Section VII concludes the paper.

Ii Dynamic Game Formulation

In this section, we consider an infrastructure system represented by a set of nodes. The infrastructure designer can design a network with redundant links before the attack for protection and adding new links after the attack for recovery. Note that the attack action of the adversary can be enabled through cyber and physical approaches due to the integration of modern infrastructures with information and communication technologies. The sequence of the actions taken by the designer and the attacker is described as follows:

  • A Designer () aims to create a network between these nodes and protect it against a malicious attack;

  • After some time of operation, an Adversary () puts an attack on the network by removing a subset of its links;

  • Once the realizes that an attack has been conducted, it has the opportunity to heal its network by constructing new links (or reconstructing some destroyed ones).

In addition, the timing of the actions also play a significant role in determining the optimal strategies of both players. We normalize the horizon of the event from the start of the preparation of infrastructure protection to a time point of interest as the time internal . This normalization is motivated by the observation made in [3] where the consequences of fifteen major storms occurring between 2004 and 2012 are plotted over a normalized duration of the event. We let and represent, respectively, the fraction of time spent before the attack (system is fully operational) and between the attack and the healing phase. This is illustrated in Fig. 1.

Attack

Recovery

Fig. 1: Attack and defense time fractions. The attacker compromises the network at time , and the defender recovers it after amount of time.

The goal of the designer or the defender is to create protection and recovery mechanisms to keep its network operational, i.e., connected in this case. Let be the set of links created by the defender initially (i.e., at time ). is the set of links removed (attacked) by the adversary and is the set of links created by the defender after the attack (at fraction of the time horizon). Regardless of the time stamp, creating (resp. removing) links has a unitary cost (resp. ). The adversary aims to disconnect the network. Thus, for any set , we define which equals if the graph is connected and otherwise. Values of , , and are assumed as common knowledge to both and first, and later we investigate the strategic selections of and . As a tie-breaker rule, if the output/utility is the same for , then chooses to attack the network with the largest number of link removals. Similarly, chooses not to create links if its utility is the same.

Remark: The link creation cost is treated as identical in the framework. Here, can capture various application scenarios. For example, in a large complex network with heterogeneous link costs, analyzing the strategy of becomes intractable. A viable choice for is to consider the mean link creation cost captured by which gives an approximation of the network. Another case is that considers the largest single link creation cost denoted by , and thus it captures the worst case in which is conservative in designing the strategies. In sum, considering an identical is reasonable, and also it makes the technical analysis of the problem tractable.

The utility for the designer (resp. adversary) is equal to the fraction of time the network is connected (resp. disconnected) minus the costs of creating (resp. removing) the links. Hence, the payoff functions of the designer and the adversary are represented by and , respectively, as follows:

where denotes the cardinality of a set. In addition, means that a network including nodes contains a set of links. Note that if the fraction of time and the cost of links metrics cannot be directly added up in the utility functions, we can use a conversion factor to transform one metric to the other. Therefore, the formulated utility functions for and are still valid.

Since both players are strategic, we study the SPE and analyze the strategies of the players to the sets . Thus, we seek triplets such that is a best response to and that given , is also a SPE. In other words, the SPE involves the analysis of the following three sequentially nested problems starting from the last stage of the designer’s recovery problem to the first stage of the designer’s protection problem:

  • Given the strategies and , player chooses
    ;

  • Given , the adversary chooses
    ;

  • Player chooses
    .

The equilibrium solution that solves the above three problems consistently is an SPE of the two-player dynamic game.

Comments on the game formulation: In the established model, the attacking time and attacker’s cost are assumed to be known by . More practically, may have no perfect information on the attacker’s parameters, and only the distributions of and are available. Then, can calculate the expected values of and . The analysis in the paper is still valid to design the defensive strategy of at time 0. However, ’s behavior may not be the same as expected by which leads to a random network after the attack. Thus, needs to determine the healing strategy again at time . This creates another layer of decision-making problem for which is an optimization problem itself instead of a game as ’s behavior has been revealed. Other than capturing the unknown parameters and through their expected values, we can also model the game by considering the incomplete information directly. This yields a formulation of dynamic Bayesian game with a random type parameter including and which is nontrivial to solve.

Iii Dynamic Game Analysis

In this section, we analyze the possible configurations of the infrastructure network at SPE.

We first note that should be not too large, since otherwise cannot be a threat to . Similarly, should be sufficiently small so that the can create a connected network:

Lemma 1.

If , then has no incentive to attack any link. In addition, if , then has no incentive to create a connected network.

Proof.

Suppose that . Let be given and . If decides not to remove any link, then its payoff is . Otherwise, and . Thus, it is a best response for to play . Similarly, if , then if plays , its utility is . Otherwise, its utility is bounded above by which corresponds to a connected tree network with the minimum number of links. ∎

In the following, we thus suppose that and .

Note that the SPE can correspond only to a set of situations summarized as follows.

Lemma 2.

Suppose that is an SPE. Then, we are necessarily in one of the situations given in Table I.

TABLE I: Different potential combinations of values of , and at the SPE.
Proof.

Note that, in total, situations should be possible. However, if , then it is impossible that . Therefore, the situations where equaling to and are not possible. Further, if , then it is impossible that . Thus, the situation is impossible. All other combinations are summarized in Table I. ∎

In Situations 4 and 5, does not create a connected network in the beginning, and thus has no incentive to attack the network at phase . The structure of the SPE depends on the values of the parameters of the game. In particular, it depends on whether has incentive to fully reconstruct (heal) the system after the attack of . More precisely, if , then prefers to heal the network even if all links have been compromised by the attacker. Otherwise, there should be a minimum number of links remained after the attack for the to heal the network at the SPE. We sequentially analyze these two cases in Sections IV-A and IV-B, respectively.

Iv SPE Analysis of the Dynamic Game

Depending on the parameters, we derive SPE of the dynamic game in two regimes: and the otherwise in this section.

Before presenting the results, we first present the definition of Harary network [40] which plays an essential role in the SPE analysis. For a network containing nodes being resistant to link attacks, one necessary condition is that each node should have a degree of at least , yielding the total number of links more than , where denotes the ceiling operator. Harary network presented below can achieve this lower bound on the number of required links.

Definition 1 (Harary Network [40]).

In a network containing nodes, Harary network is the optimal design that uses the minimum number of links equaling for the network still being connected after removing any links.

The constructive method of general Harary network can be described with cycles as follows. It first creates the links between node and node such that , and then

, etc. When the number of nodes is odd, then the last cycle of link creation is slightly different since

is not an integer. However, the bound can be still be achieved. For clarity, we illustrate three cases in Fig. 2 with under different security levels .

Fig. 2: Illustration of Harary networks with different number of nodes and security levels.

Another critical network topology used in the analysis is the tree network defined as follows.

Definition 2 (Tree network [41]).

A tree is an undirected graph in which any two nodes are connected by exactly one path. Equivalently, the network is a tree if and only if it is connected and acyclic (contains no cycles).

Iv-a Regime 1:

In the case where , always reconstructs the network to be connected after the attack. The potential SPE can occur in only three of the Situations in Table I, and we summarize them in the following proposition.

Proposition 1.

Suppose that and let , where denotes the floor operator (resp. to the ceiling operator ). Note that is the largest number of links that can compromise to have a nonnegative payoff. Then, the SPE of the game is unique and satisfies:

  • If , then and (Situation ).

  • Otherwise, i.e., , and

    • if and or if and , then the SPE satisfies
      (Situation ).

    • If and , then the SPE satisfies (Situation ).

    • If and , then the SPE satisfies
      (Situation ).

Proposition 1 is a direct consequence of the following lemma. Note that the conditions in Proposition 1 are obtained via comparing ’s utility at various SPEs in Table II.

Lemma 3.

Suppose that . The potential SPEs have the properties given in Table II.

TABLE II: Different potential SPEs when (Note: ).
Proof.

First note that any connected network contains at least links. Conversely, any set of nodes can be made connected by using exactly links (any spanning tree is a solution). We consider a situation where . Then, either decides not to heal the network and receives a utility of , or it decides to heal it (by using at most links) and receives a utility of at least . The difference is . Thus, always prefers to heal the network after the attack of . Therefore, Situations and contain no SPE.

Next we consider Situation . Since , then needs to create in total at least links: . Therefore, an optimal strategy is and . Since , the optimal strategy of is .

In Situation , is connected, and thus . Further, and , and thus . Since , then should remove the minimum number of links to disconnect the network, and we obtain the result.

Finally, in Situation , since , then does not need to create any link during the healing phase: . Since , then attacks at most links if and only if it obtains a nonnegative reward, i.e., is the largest integer such that which yields . Thus, designs a network that is resistant to an attack compromising up to links. Such solution network is the ()-Harary network [40]. ∎

Examples: For clarify, we depict the strategies of and at various SPEs using examples shown in Fig. 3. The network contains 5 nodes. Depending on the relationship between parameters shown in Proposition 1, the game admits various SPEs. Four possible SPEs with specific actions taken by and are presented. For example, when the SPE lies in Situation 1 with , then at least 10 links are necessary for the network being resistant to 3 attacks. Therefore, creates a 4-Harary network initially in which each node has at least a degree of 4. In comparison, when and the SPE is in Situation 1, then creating a connected tree network is sufficient for since is not capable to compromise any link. The SPEs corresponding to Situations 2 and 4 are shown in Figs. 3(c) and 3(d), respectively.

(a) Situation 1 and
(b) Situation 1 and
(c) Situation 2
(d) Situation 4
Fig. 3: Strategies of and at different SPEs in regime 1. The network contains 5 nodes. In (a), the SPE is in Situation 1 and . Thus, at least 10 links are necessary for it being resistant to 3 attacks. In (b), when and the SPE lies in Situation 1, a tree network is created by the defender following no actions of and . In (c), the SPE is in Situation 2, and will compromise any one link at time and will heal one link to reconnect the network. In (d), will not protect the network at time 0 but will connect the network at time which shows SPE in Situation 4.

Based on Lemma 3, the stragies of two players at SPE in regime 1 are summarized as follows. Under Situation 1 and , does not attack and creates a connected ()-Harary network at phase 0. Under Situation 1 and , simply creates a connected network with the minimum number of links which can be achieved by any tree-structured network, and admits a null strategy. In Situation 2, initially constructs a tree network using links, and attacks any one link at phase followed by recovering the network at phase . Finally, for Situation 4, does not attack, and constructs a connected tree network only at phase .

Iv-B Regime 2:

We now consider the case where has an incentive, at phase , to heal the network if at most links are required to reconnect it, where and

(1)

We sequentially study the potential SPE in Situations , and in Lemma 4, Situation in Lemma 5, and Situation in Lemma 6.

Lemma 4.

If , we have the following results:

  • Any SPE in Situation satisfies , and , leading to utilities and (occurs only if );

  • There exists no SPE in Situation ;

  • The only potential SPE in Situation is the null strategy: , leading to utilities and .

Proof.

Suppose that an SPE occurs in Situation . Since the network is always disconnected, then . The maximum utility is obtained when . Thus, .

In Situation , since any connected network contains at least links, then the maximum utility of is . Thus, is better off with a null strategy (occurring in Situation ).

In Situation , since then . can achieves utility value by playing a tree network. Since then and . The bound is achieved by attacking any one link created by . We further can show that needs to attack links such that will not heal the network. ∎

Example: In regime 2, for SPEs in Situation 5, the network remains empty since does not protect nor heal. An illustration of SPE in Situation 3 with is depicted in Fig. 4. Specifically, creates a connected network with tree structure initially. Then, compromises any links to disconnect the network. Since is willing to recover at most link, does not heal the network at time .

Fig. 4: The SPE lies in Situation 3 with . Thus, will only create a tree network followed by compromising any 2 links to disconnect the network, and does not recover at time .

In the following, we focus on the SPEs in Situations and . In both cases, . Thus, creates a connected network initially. For each node , let be its degree. To facilitate the analysis, we focus on the potential best response strategies of to which are summarized in the following three distinct cases:

  1. [label=()]

  2. does not attack and obtains a utility of ;

  3. attacks sufficiently many links so that the network admits components, i.e., attacks exactly links to disconnect a node of minimal degree. Then, heals the network by constructing link, and receives utility

    (2)
  4. attacks sufficiently many links so that the network admits components, for some sufficiently large (whose exact value is discussed in the following two lemmas). Then, does not heal the network, and receives utility

    (3)

    Note that any intermediate value of components in the range cannot happen at SPE since it amounts to a lower utility for . The current case (iii) belongs to Situation 3 which eases the analysis in Lemmas 5 and 6.

The next lemma characterizes the SPEs for Situation 2.

Lemma 5.

The only SPEs in Situation are such that , , , , and . Furthermore, it occurs only if and .

Proof.

At an SPE in Situation , the utility of is of the form . Then, it is a best strategy for to heal the network at time , i.e., Thus, , and is the maximum number of links that can create at time at an SPE. In addition, at this SPE, receives a higher reward than by using its best strategy in Situation , i.e., Thus, Since , then altogether can create at most links.

For any SPE in Situation , note that . Thus, we can write and , for some . For Situation , we obtain which yields . If , then no SPE exists in Situation . Further, based on , we obtain . Since at , can create at most links, then the goal of in case (iii) is to create at least components in the network (i.e., to create a cut). Hence, constructs in a way that at least links need to be removed so that the network consists of components, where .

Recall that is the maximal number of links that can recover at phase . Suppose that (i.e., ). Then, for any , consider the following attack: first remove links so that the resulting network is a tree and then remove links. Then, the resulting network has exactly links, i.e., it has components and is obtained using links. Thus, if , no SPE in Situation exists. If (i.e., ), then we consider the strategy that creates a line network at time . Then to induce components, needs to remove links. However, due to , it is not of the best interest to . Instead, the best response for is to attack exactly one link (one being adjacent to one of the nodes with degree ). Then, the best strategy for is to re-create this compromised link at time which is an SPE. It is strategic as it minimizes the number of created links. ∎

In Lemma 5, the condition ensures that has an incentive to compromise the network, and the condition guarantees that is capable to heal the network after the attack. Note that when these two conditions are satisfied, all other strategies that creates a tree network at phase 0 and attacks one link which is further reconnected by also constitute SPEs of Situation 2.

To study the SPE in Situation 1, for convenience, we denote

where (resp. ) corresponds to the maximal number of attacks that is willing to deploy to disconnect the network during the phase interval (resp. ) so that (resp. ) achieves a positive value.

The following lemma characterizes the possible SPEs in Situation 1.

Lemma 6.

If or , then no SPE exists in Situation . Otherwise, let

(4)

If or if , then no SPE in Situation exists. Otherwise, the unique SPE is such that and .

Proof.

See Appendix A. ∎

Example: For clarity, an illustration of SPE in Situation 1 with is depicted in Fig. 5. There are 5 nodes in the network and the parameters are and . Specifically, creates a 2-Harary network with the ring topology initially. Then, is not capable to attack. The network remains connected over the entire time period.

Fig. 5: The SPE lies in Situation 1 with ( and ). Thus, creates a 2-Harary network with the ring topology. will not attack and thus does not heal the network.

For convenience, the results of Lemmas 4, 5 and 6 are summarized in Table III.

TABLE III: Different potential SPEs when (Note: is given by Eq. (4), and ).

We next comment on the strategies of and at SPEs. Specifically, the players’ strategies in Situation 2 under regime 2 are the same as the corresponding ones under regime 1. In Situation 3, creates a tree network at time 0 and does not heal it after compromising any links at phase . Depending on the system parameters, in Situation 1, creates a connected network using links either in a tree, ring or Harary network topology, and does not attack.

Remark: In the previous two Sections IV-A and IV-B, we have not explicitly determined those SPEs satisfying the boundary conditions. Note that at boundaries where multiple SPEs could be feasible, the defender playing a leader role will first choose the one that yields the highest utility. Then, after fixing the defender’s strategy, the attacker selects the SPE that maximizes its payoff.

Iv-C Discussions on Constrained Action Set of

In some scenarios, may not be capable to attack a particular set of links due to constraints. Thus, some links initially created by cannot be compromised by , and they can be regarded as secure links. The major SPE analysis of this paper is still valid for this constrained scenario with extra considerations on ’s feasible action set. We present the results for this extension in regime 1 briefly as follows, and the results in regime 2 can be obtained using similar arguments.

First, we consider the case that every node can create at least one secure link with other nodes. Then the SPE in Situation 1 under becomes as , , and . In this subcase, can create a connected network with all secure links using a tree topology and thus Harary network, , is not optimal to . Furthermore, Situation 2 is not possible as the network created by cannot be attacked. In addition, Situation 4 remains the same in this case. We next investigate cases in Situation 2. Indeed, SPE in Situation 2 occurs if there exists at least a single link in the tree network created by at phase 0 which is insecure. Then, disconnects the network by compromising this vulnerable link. Finally, we analyze the case when a subset of nodes in the network can form secure links with others. In this scenario, the results of Situation 1 , Situation 2, and Situation 4 in Table II still hold. For Situation 1 , does not need to create a Harary network at phase 0 as some created links are secure. To this end, we can leverage network contraction [35] to derive the SPE. Network contraction refers to the principle that if there is a secure link between two nodes, we can aggregate them together and see them as a single super node. In Situation 1 , depending on the places where secure links can be formed, it leads to different policies for at phase 0. We illustrate the design principle for Situation 1 in Fig. 6. In this example, is sufficient in the constrained scenario for to construct a secure network at time , while it requires links in the unconstrained counterpart.

Fig. 6: Illustration of network contraction for designing ’s optimal strategy when a subset of nodes can form secure links with others. In the example, 6 links are required for the network being resistant to 2 link removals if can compromise any link. When links (1,2) and (1,3) cannot be attacked, nodes 1, 2, and 3 can be aggregrated as a super node by network contraction. Then, node 4 connects with the super node using 3 links. In sum, 5 links are sufficient for this constrained scenario which is different from the unconstrained case.

V Network Resilience and Strategic Attack

In this section, we investigate the impact of network resilience on the SPE of the dynamic game and the attacker’s behavior on the timing of attack.

V-a Resilience Planning

The infrastructure network resilience is measured by the response and recovery time after the cyber attack which is in our scenario. Thus, instead of merely maximizing , the network operator should also take resilience metric into account. Thus, the aggregated objective function of can be formulated as follows:

(5)

where quantifies the normalized system resilience cost. Specifically, is a monotonically decreasing function with respect to . By considering the SPE of the dynamic game, chooses the best that results in an optimal utility .

Based on Section IV, we obtain the following results. In regime 1 with agile resilience, i.e., , the utilities of under various SPE are summarized in Table IV.

TABLE IV: Utilities of under different potential SPE when (Note: ).

Similarly, in regime 2 with , ’s utilities with different scenarios are presented in Table V.

TABLE V: Utilities of under different potential SPE when (Note: is given by Eq. (4)).

Remark: Under different regimes and situations, the aggregated payoff of admits various forms. Comparing the values of in Tables IV and V, the designer selects a that yields the largest , and the corresponding SPE strategies can be determined based on Tables II and III.

V-B Strategic Timing of Attack

The attacker’s behavior depends on the recovery ability of the network. When decides to compromise the network, then choosing the attacking phase also becomes a critical issue. Specifically, for a given , needs to decide the value of . As shown in Lemma 2, compromises the network only if creates a connected network initially. Thus, we focus on two Situations: 2 and 3. Proposition 1 indicates that when Situation 2 is an SPE, the corresponding utility of is which does not depend on the attacking phase . In an SPE of Situation 3, does not heal the network after attack, and the utility of is . Hence, the timing of attack has an influence on ’s payoff. In another case when SPE takes a form of Situation 4, ’s utility is which is also influenced by the attacking phase. Despite that does not attack, its action induces a threat to the network. We summarize the results in the following Lemma.

Lemma 7.

When SPE of the game admits a form of Situation 3, then the best timing of attack for is to choose the smallest in the set . When SPE takes a form of Situation 4, then the best for is choosing the largest value in the set . When SPE of the game is of another form except for Situations 3 and 4, then does not affect the utility of .

Proof.

The attacker chooses a to maximize its utility while satisfying the conditions and . The objective function indicates that a smaller yields a higher payoff of . Thus, the best timing of attack is the smallest resulting in an SPE of Situation 3. We relax the strict inequality constraint by including the boundary, since when , does not heal the network and Situation 3 is still an SPE. Similarly, in Situation 4, those boundary values of at the inequality constraint are feasible since chooses not to create a connected network if the payoffs are the same. ∎

In Situation 3, prefers to attack the network in an early phase which aligns with the fact that does not recover the network, and hence receives the total rewards after . In contrast, chooses to compromise the network at a larger phase in Situation 4 (though he does not really attack since the network is not connected), which extracts all the utility from time 0 to .

Vi Case Studies

In this section, we use case studies of UAV-enabled communication networks to corroborate the obtained results. UAVs become an emerging technology to serve as communication relays, especially in disaster recovery scenarios in which the existing communication infrastructures are out of service [42]. In the following, we consider a team of UAVs. The normalized unitary costs of creating and compromising a communication link between UAVs for the operator/defender and adversary are and , respectively.

Fig. 7: UAV-enabled communication networks for disaster recovery. The UAVs form a tree network at SPE (, ).

Vi-a Illustrations of SPEs (Results in Section Iv)

First, we illustrate SPE of the game when network resilience cost and timing of attack are not considered (results in Section IV). Specifically, the adversary attacks the network at phase , and the defender heals it after . The UAV-enabled communication network configuration at SPE is shown in Fig. 7 which admits a tree structure, and does not attack the network at SPE. In addition, the utilities for and at SPE with are shown in Fig. 8. The SPE encounters switching with different . As increases, the UAV network operator needs to allocate more link resources to secure the network. Otherwise, the attacker has an incentive to compromise the communication links with a positive payoff. Specifically, when , does not attack the UAV network, and obtains a positive utility by constructing a securely connected network. The secure network admits various structures depending on . As shown in Fig. 8, it can be in a tree network or a Harary network and the SPEs are in Situation 1. When , the defender creates a connected network with the minimum effort, i.e., links, at phase . In this interval, the attacker will successfully compromise the system during phase , and the defender heals the network afterward. The initially connected network in this regime admits a tree structure, and it may not be the same as the one created in the regime of . When exceeds , the defender does not either protect or heal the network. The reason is that a larger provides more incentives for the attacker to compromise the links and receive a higher payoff. Furthermore, the aggregated utility for the defender from two intervals, i.e., from the initial phase to the attacking phase and from the recovery phase to the terminal phase, is small, and hence it does not provide sufficient incentive for the defender to protect and recover the network. This also indicates that agile resilience is critical in mitigating cyber threats in the infrastructure networks.

Fig. 8: Utilities for and at SPE with varying . The SPEs and the strategies of and are different with the increase of .

Vi-B Strategic Resilience Planning

Next, we take into account the cost of network resilience and study its impact on the SPE. The cost function of resilience is . The convexity of indicates that the marginal cost of resilience increases as decreases. The timing of attack is fixed to in this case study. The equilibrium strategies of both players under costly network resilience are illustrated in Fig. 9. Based on the analysis in Section V-A, chooses a that maximizes the net utility . Though is larger in a regime with smaller values of , the cost of agile network resilience is much higher for it being the best strategy of designer. In addition, the defender will not choose a in the intervals since is negative. Hence, the optimal resilience planning of is which yields the optimal payoff . At this SPE, which falls into Situation 1, creates a -Harary network using 10 links initially and does not attack.

Fig. 9: Defender’s utility with varying by considering the resilience cost. The optimal resilience planning is achieved at . Values of