1 Introduction
Networked distributed systems typically operate without centralized planning or control, and instead rely on local interactions and communication between the comprising agents. These systems arise in a variety of engineering applications such as teams of mobile robots and sensor networks [1, 2, 3]. They are also prevalent in social dynamics [4, 5] and biological populations [6].
The transition from a centralized to a distributed architecture may leave a system vulnerable to a variety of adversarial attacks. An adversary may be able to manipulate the decision-making processes of the agents. Such dynamical perturbations can potentially lead to unwanted outcomes. For example, in social networks, individual opinions can be shaped from external information sources, resulting in a polarized society [7, 8]. When feasible, a system operator takes measures to mitigate adversarial influences. The literature on cyber-physical system security studies many aspects of this interplay. For instance, optimal controllers are designed to mitigate denial-of-service, estimation, and deception attacks [9, 10, 11, 12, 13].
This paper investigates security measures that a system operator can take against adversarial influences when the underlying system is a graphical coordination game [5, 14], where agents in a network decide between two choices, or . One may think of these choices as two competing products, e.g. iPhone vs Android, two conflicting social norms, or two opposing political parties. Each agent derives a positive benefit from interactions with coordinating neighbors, and zero benefits from miscoordinating ones. The system’s efficiency is defined by the ratio of total benefits of all agents to the maximal attainable benefits over all configurations of choices.
The goal of the system operator is to design a local decision-making rule for each agent in the system so that the emergent collective behavior optimizes system efficiency. One algorithm that achieves this goal is known as log-linear learning [15, 16, 17]. More formally, the agents follow a “perturbed” best reply dynamics where the agents’ local objectives are precisely equal to their local welfare. We seek to address the question of whether this particular algorithm is robust to adversarial influences. That is, does this algorithm preserve system efficiency when the agents’ decision-making processes are manipulated by an adversary? If not, can the operator alter the agents’ local objectives to mitigate such attacks?
We consider two adversarial attack models: broad and focused attacks. In broad attacks, the adversary incentivizes every agent in the network (hence broad) with a convention, influencing their decision-making process. This could depict distributing political ads with the intention of polarizing voters. In focused attacks, the adversary targets a specific set of agents in the network, forcing them to commit to or . These targeted, or fixed agents consequently do not update their choices over time but still influence the decisions of others. For instance, they could portray loyal consumers of a brand or product, or staunch supporters of a political party. Fixed agents and their effects on system performance have been extensively studied in the context of opinion dynamics and optimization algorithms [18, 19, 13].
The first contribution of this paper is a characterization of worst-case risk metrics from both adversarial attacks as a function of the operator’s algorithm design parameter (Section 3). We define risk in this paper as the system’s distance to optimal efficiency. By worst-case here we mean the maximum risk among all connected network topologies subject to any admissible adversarial attack. Hence, our analysis identifies the network topologies on which worst-case risks are attained (Section 5). We extend this analysis to randomized operator strategies (Sections 4, 6).
The second contribution of this paper answers the question “if the operator succeeds in protecting the system from one type of attack, how vulnerable does it leave the system to the other?” We identify a fundamental tradeoff between security against broad attacks and risks from focused attacks. We then show that randomized operator strategies significantly improve the set of attainable risk levels and their associated tradeoffs (Section 4).
By characterizing this interplay, we contribute to previous work that studied the impact of adversarial influence in graphical coordination games [20, 21, 22]. These works analyze worst-case damages that can be inflicted by varying degrees of adversarial sophistication and intelligence in the absence of a system operator. However, these results were derived only in specific graph structures, namely ring graphs, whereas our analysis considers adversarial influence in any graph topology.
2 Preliminaries
2.1 Graphical coordination games
A graphical coordination game is played between a set of agents over a connected undirected network with node set and edge set . Agent ’s set of neighbors is written as . Each agent selects a choice from its action set . The choices of all the agents constitute an action profile , and we denote the set of all action profiles as . The local interaction between two agents is based on a matrix game, described by the payoff matrix ,

(1) 
where is the system payoff gain. It indicates that is an inherently superior product over when users coordinate. Here, agents would rather coordinate than not, but prefer to coordinate on . Agent ’s benefit is the sum of payoffs derived from playing the game (1) with each of its network neighbors:
(2) 
A measure of system welfare defined over is
(3) 
which is simply the sum of all agent benefits. The system efficiency for action profile is defined as
(4) 
For , the all profile maximizes welfare. This does not necessarily hold for arbitrary action spaces.
2.2 Log-linear learning algorithm
Log-linear learning is a distributed stochastic algorithm governing how players’ decisions evolve over time [16, 14, 15]. It may be applied to any instance of a game with each player having a well-defined local utility function over a set of action profiles with an underlying interaction graph . That is, agent ’s local utility is a function of its action and actions of its neighbors in .
Agents update their decisions over discrete time steps . Assume is arbitrarily determined. For step , one agent is selected uniformly at random from the population. It updates its action to with probability
(5) 
where is the rationality parameter. All other agents repeat their previous actions: . For large values of , selects a best-response to the previous actions of others with high probability, and for values of near zero, randomizes among its actions uniformly at random. This induces an irreducible Markov chain over the action space , with a unique stationary distribution . The stochastically stable states (SSS) are the action profiles contained in the support of the stationary distribution in the high rationality limit: they satisfy . Such a limiting distribution exists and is unique [23, 15, 24]. We write the set of stochastically stable states as
(6) 
For graphical coordination games, the log-linear learning algorithm specified by the action set and utilities selects the welfare-maximizing profile as the stochastically stable state irrespective of the graph topology . This can be shown using standard potential game arguments [16] (we provide these details in Section 5). That is, for all , where is the set of all connected undirected graphs on nodes.
However, if an adversary is able to manipulate the agents’ local decision-making rules, this statement may no longer hold true. A system operator may be able to alter the agents’ local utility functions with the goal of mitigating the loss of system efficiency in the presence of adversarial influences. In particular, we consider the class of local utility functions parameterized by . Specifically, takes the same form as the benefit function (2) where is replaced with a perceived gain that is under the operator’s control. We next introduce models of adversarial attacks in graphical coordination games. We then evaluate the performance of this class of distributed algorithms in the face of adversarial attacks.
3 Models of adversarial influence
In this section, we outline two models of adversarial attacks in graphical coordination games: broad and focused attacks. The system operator specifies the local utility functions that govern the log-linear learning algorithm by selecting the perceived payoff gain . Our goal is to assess the performance of this range of algorithms on two corresponding worst-case risk metrics, which we define and characterize. We then identify fundamental tradeoff relations between these two risk metrics.
3.1 Broad attacks and worst-case risk metric
We consider a scenario where the system is subject to broad adversarial attacks. For each agent in the network, the adversary attaches a single imposter node that acts as a neighbor that always plays or . These nodes are not members of the network but affect the decision making of agents that are. Let () be the set of agents targeted with an imposter () node. We call the target set . Any target set satisfies and . We call the set of all possible target sets on the graph . Given , the agents’ perceived utilities are
(7) 
In the notation of (6), the set of stochastically stable states is written . However for more specificity, we will refer to it in this context as . The induced network efficiency is defined as
(8)  
which is the ratio of the welfare induced by the welfare-minimizing SSS to the optimal welfare. The second equality above is due to the fact that optimal welfare is attained at (all play ). We reiterate that the imposter nodes serve only to modify the stochastically stable states, and do not contribute to the system welfare (3). The risk from broad attacks faced by the system operator in choosing gain is defined as
(9) 
Risk measures the distance from optimal efficiency under operating gain . Fig. 0(a) illustrates an example of a three-node network subject to a broad adversarial attack. The extent to which systems are susceptible to broad attacks is captured by the following definition of worst-case risk.
Definition 1.
The worst-case risk to broad attacks is given by
(10) 
The quantity is the cost metric that the system operator wishes to reduce given uncertainty of the network structure and target set.
Theorem 1.
Let . The worst-case broad risk is
(11) 
where
(12) 
It is a piecewise constant function on half-open intervals that is monotonically decreasing in . An illustration is given in Figure 1(a), along with the graphs and target sets that achieve the worst-case risks. For sufficiently high gains , the system is safeguarded from any broad adversarial attack, i.e. the worst-case risk is zero. By inflating the value of the convention, the adversary is unable to induce any miscoordinating links or agents to play . The technical results needed for the proof are given in Section 5.
3.2 Focused attacks and worst-case risk metric
An adversary is able to choose a strict subset of agents and force them to commit to prescribed choices. This causes them to act as fixed agents, or agents that do not update their choices over time. One could consider this as allowing the adversary an unlimited number of imposter nodes (instead of one) at its dispatch to attach to each agent in the subset, thereby solidifying their choices. This focused influence on a single agent is stronger than the influence a broad attack has on a single agent in the sense that the latter type does not require the agent to commit to a choice; it merely incentivizes the agent towards one particular choice.
Let be the set of fixed () agents. We call the fixed set , which satisfies and . We call the set of all feasible fixed sets on a graph . A fixed set restricts the action space to , where () () and . We assume the adversary selects at least one fixed agent. The strict subset assumption avoids pathological cases (e.g. alternating and fixed nodes for an entire line network yields an efficiency of zero).
The set of stochastically stable states given a fixed set is written as . However for brevity, we will refer to it as . The induced efficiency is
(13) 
which is the ratio of the welfare induced by the worst-case stable state to the optimal welfare given the fixed set . The risk faced by the system operator in choosing is defined as
(14) 
Again, risk measures the distance from optimal efficiency when choosing . The fixed nodes here differ from the imposter nodes in that they contribute to the true measured welfare (3) in addition to modifying the SSS by restricting the action set and influencing the decisions of their non-fixed neighbors. Figure 0(b) provides an illustrative example of a network with three fixed agents and one unfixed agent. The extent to which the system is susceptible to focused attacks is defined by the following worst-case risk metric.
Definition 2.
The worst-case risk from focused attacks is given by
(15) 
The quantity is the cost metric that a system operator wishes to reduce given uncertainty on the graph structure and composition of fixed agents in the network.
Theorem 2.
The worst-case risk from focused attacks is
(16) 
The technical results needed for the proof are given in Section 5. An illustration of this quantity as well as the graphs that induce worst-case risk are portrayed in Figure 1(b). We observe the choice recovers optimal efficiency for any and . In other words, by operating at the system gain , the system operator safeguards efficiency from any focused attack. Furthermore, monotonically increases for , approaching 1 in the limit . Intuitively, the risk in this regime comes from inflating the benefit of the convention, which can be harmful to system efficiency when there are predominantly fixed nodes in the network. For , monotonically decreases. The risk here stems from devaluing the convention, which hurts efficiency when coordinating with fixed nodes is more valuable than coordinating with fixed nodes.
3.3 Fundamental tradeoffs between risk and security
We describe the operator’s tradeoffs between the two worst-case risk metrics. That is, given a level of security is ensured on one worst-case risk, what is the minimum achievable risk level of the other? These relations are direct consequences of Theorems 1 and 2.
Remark 1.
Before presenting the tradeoff relations, we first observe that since is decreasing on and is decreasing in , the operator should not select any gain , as it worsens both risk levels. Hence for the rest of this paper, we only consider gains greater than .
Corollary 1.
Fix . Suppose for some . Then
(17) 
Proof.
From (16), implies . Since is a decreasing function in , we obtain the result. ∎
In words, as the security from worst-case focused attacks improves ( lowered), the risk from worst-case broad attacks increases. A tradeoff relation also holds in the opposite direction.
Corollary 2.
Fix . Suppose for some . Suppose for some . Then
(18) 
If ,
(19) 
If , then for any .
Proof.
All bounds are computed by finding s.t. . The relations and follow from the fact that is increasing in , and depending on whether can attain the resulting value. ∎
Here, as the security from worst-case broad attacks improves ( lowered), the risk from worst-case focused attacks increases. Each of the broad risk levels can be attained for a range of focused risks. An illustration of the attainable worst-case risk levels is given in Fig. 3 (blue).
4 Randomized operator strategies
In this section, we consider the scenario where the operator randomizes over multiple gains. We present a definition and a characterization of worst-case expected risks. We then identify the risk-security tradeoffs available in the randomized gain setting. We observe they significantly improve upon the deterministic gain setting (Fig. 3). We then identify ways to further improve these tradeoffs through different randomizations.
4.1 Worst-case expected risks
Suppose the operator selects a gain from the distinct values satisfying with the probability distribution . Here we denote as the set of alldimensional probability vectors. In other words, the operator employs the payoff gain with probability .
We consider the following natural definitions of expected risks. Given a graph and target set , let be the expected adversarial risk of the operator’s strategy . The worst-case expected risk from broad attacks is defined as
(20) 
Similarly, given a fixed set , let be the expected risk from focused attacks. The worst-case expected risk from focused attacks is defined as
(21) 
Theorem 3.
Suppose the operator randomizes with gains according to . Then the worst-case expected broad risk is
(22) 
The worst-case expected focused risk is
(23) 
The proofs are given in Section 6. The characterization of worst-case expected risk is a discounted weighting of a deterministic worst-case risk level. This suggests that the risk levels achievable by randomization can improve upon the risks induced from a deterministic gain.
4.2 Risk tradeoffs under randomized operator strategies
Given a level of security is ensured on one expected worst-case metric, what is the minimum achievable risk level on the other? We find this can be calculated through a linear program. We formalize these tradeoffs in the following two statements, which are analogous to Corollaries 1 and 2.
Corollary 3.
Fix and a set of gains . Suppose for some . Then
(24) 
where is the value of the following linear program.
(25)  
where denotes element-wise , and are column vectors of zeros and ones respectively, and is the matrix
(26) 
Moreover, is decreasing in .
Proof.
We need to show equivalence between the linear program (25) and the optimization problem
(27) 
Let be the matrix defined by the upper left block of (26) and by the bottom left block. From Theorem 3, we can express as the maximum element of the vector , and similarly as the maximum element of . Hence, is the linear constraint for all . The objective itself can be cast as a linear objective with linear constraints, i.e. . Combining these two, we obtain (25). The claim is decreasing in follows as a consequence of the linear program (25). ∎
We note that a worst-case expected focused risk is not attainable because is the smallest gain it mixes with. Hence, the linear program (25) is infeasible for . The following tradeoff relation holds in the opposite direction.
Corollary 4.
Fix and a set of gains . Suppose for some . Then
(28) 
where is the value of the following linear program.
(29)  
where and are defined as the bottom and top left blocks of (26), respectively. Furthermore, is decreasing in .
4.3 Improvement of risk tradeoffs
The tradeoff relations describe the best achievable level on one risk metric given the other is subject to a security constraint when the gains are fixed. One way to improve the achievable risks is to decrease the available gains.
Claim 1.
Let . Suppose (recall (12)), for some non-decreasing subsequence . Let satisfy with . Then for all , . Similarly, for all , .
Randomizing over additional gains can also improve the achievable risks.
Claim 2.
Suppose and with , and assume contains the elements of . Then the assertion of Claim 1 holds.
The proofs of the above two Claims follow directly from the formulation of the LPs (25), (29), and hence we omit them.
Fig. 3 depicts the best achievable risk levels of three randomized operator strategies of increasing improvement due to Claims 1 and 2 (red, green, and black curves). In particular, these plots constitute the Pareto frontier of all attainable expected risks among distributions given a fixed set of gains. That is, for any , we say a risk level belongs to the frontier Par() if there does not exist a such that . Within Par(), the operator can only improve upon one worstcase risk metric by sacrificing performance on the other.
From Corollary 4, the frontier given gains is the set of points
(30) 
The parameter is upper bounded here by since any risk level with is unattainable under . Hence, the values and are equivalent for . The frontiers in Fig. 3 are generated by numerically solving the linear program (29) for a finite grid of points .
As we have seen, the transition from deterministic to randomized gains ensures a reduction of risk levels. Randomizing over only a few different gains substantially improves upon the attainable deterministic worst-case risks. However, a detailed quantification of such improvements remains a challenge due to the high dimensionality of the model. In particular, we have yet to identify a “limit” frontier that could be obtained by repeated modifications to the gain vector detailed by Claims 1 and 2.
5 Proof of Theorems 1 and 2: Deterministic worst-case risks
In this section, we develop the technical results that characterize the worst-case risk metrics and (Theorems 1 and 2). Before presenting the proofs, we first present some preliminaries on potential games [25], which are essential to calculating stochastically stable states. We then define relevant notations for the forthcoming analysis.
5.1 Potential games
Graphical coordination games fall under the class of potential games: games where individual utilities are aligned with a global objective, or potential function. A game is a potential game if there exists a potential function which satisfies
(31) 
for all , , and [25]. In potential games, the set of stochastically stable states (6) are precisely the action profiles that maximize the potential function [15, 16]. Specifically, . Our analysis relies on characterizing a potential function for the graphical coordination game in the presence of adversarial influences. This allows us to compute stochastically stable states in a straightforward manner.
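The potential-maximizer characterization above can be checked by brute force on a small graph. The following is an added example, not code from the paper: the labels x and y for the two conventions, the payoff values (1 + gain for coordinating on x, 1 for coordinating on y, 0 otherwise), the imposter term in the potential, the four-node star and the true gain of 1 are all assumptions of this sketch.

```python
from itertools import product

X, Y = "x", "y"  # assumed labels for the two conventions


def edge_payoff(a, b, gain):
    """Assumed matrix game: 1 + gain for coordinating on X, 1 on Y, else 0."""
    if a != b:
        return 0.0
    return 1.0 + gain if a == X else 1.0


def potential(profile, edges, targets, perceived_gain):
    """Assumed potential: edge payoffs plus each agent's payoff with its imposter."""
    on_edges = sum(edge_payoff(profile[i], profile[j], perceived_gain)
                   for i, j in edges)
    with_imposters = sum(edge_payoff(a, t, perceived_gain)
                         for a, t in zip(profile, targets))
    return on_edges + with_imposters


def welfare(profile, edges, true_gain):
    """Sum of agent benefits: each edge counts for both endpoints, imposters for none."""
    return 2.0 * sum(edge_payoff(profile[i], profile[j], true_gain)
                     for i, j in edges)


def stable_states(n, edges, targets, perceived_gain, tol=1e-9):
    """Stochastically stable states, found as maximizers of the potential."""
    profiles = list(product((X, Y), repeat=n))
    scores = [potential(p, edges, targets, perceived_gain) for p in profiles]
    best = max(scores)
    return [p for p, s in zip(profiles, scores) if s >= best - tol]


def broad_risk(n, edges, targets, perceived_gain, true_gain):
    """One minus the efficiency of the welfare-minimizing stable state."""
    optimum = welfare((X,) * n, edges, true_gain)
    worst = min(welfare(p, edges, true_gain)
                for p in stable_states(n, edges, targets, perceived_gain))
    return 1.0 - worst / optimum


def worst_target_set(n, edges, perceived_gain, true_gain):
    """Highest risk over every way to attach one imposter to each agent."""
    return max(((broad_risk(n, edges, t, perceived_gain, true_gain), t)
                for t in product((X, Y), repeat=n)), key=lambda rt: rt[0])


# Constructed instance: star with center 0 and three leaves, true gain 1.
STAR_EDGES = [(0, 1), (0, 2), (0, 3)]

if __name__ == "__main__":
    for gain in (1.0, 2.0):
        risk, targets = worst_target_set(4, STAR_EDGES, gain, true_gain=1.0)
        print(f"perceived gain {gain}: worst risk {risk:.2f}, targets {targets}")
```

On this instance, raising the perceived gain from 1 to 2 removes the broad-attack risk for every target set; the search covers target sets on one fixed graph only, not all topologies, and does not model focused attacks.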
5.2 Relevant notations for analysis
Any action profile on a graph decomposes into and partitions. A node that belongs to a partition (partition) has (). The partitions are enumerated and , are mutually disjoint, and cover the graph. Each partition is a connected subgraph of . It is possible that with (when ), with (when ), or .
For any subset of nodes , let us denote
(32) 
as the set of edges between and . We write as the complement of . We extensively use the notation
(33) 
as the welfare due to edge set in action profile , where is of the form (1) with replaced by . For compactness, we will denote as for the local system welfare generated by the edges . Our analysis will also rely on the following mediant inequality.
Fact 1.
Suppose and for each . Then
(34) 
We refer to the LHS above as the mediant sum of the .
5.3 Characterization of : worst-case broad risk
To prove Theorem 1, we seek a pair with of any size and , that minimizes efficiency (maximizes risk ). Our method to find the minimizer is to show any can be transformed into a star network with a particular target set that has lower efficiency, when . Thus, in this regime the search for the worst-case graph reduces to the class of star networks of arbitrary size. For , structural properties allow us to deduce the minimal efficiency.
The graphical coordination game defined by , perceived utilities (7), target set , and graph falls under the class of potential games [25]. A potential function is given by
(35) 
where
(36) 
Hence, the stochastically stable states are maximizers of (35). Suppose is the welfare-minimizing SSS inducing the partitions , . We can express its efficiency from (8) as
(37) 
Note the denominator is simply the number of edges in multiplied by . From (35), each partition in satisfies¹
¹ Since we are seeking worst-case pairs , we may consider any partition as only having imposters placed among its nodes. This is because any imposters that were placed in a resulting partition can be replaced by imposters and retain stability. We reflect this generalization in (5.3) and (5.3), where influence from only () imposters is considered.