1. Introduction
Game theoretic models of interdependent security have been used to study security of complex information and physical systems for more than a decade [LFB15]. One of the key findings is that the externalities resulting from security decisions made by selfish agents lead to, potentially significant, inefficiencies. This motivates research on methods for improving information security, such as insurance [BS10] and network design [CDG14, CDG17]. We study the problem of network design for interdependent security in the setup where a strategic adversary collaborates with some nodes in order to disrupt the network.
The motivation
Our main motivation is computer network security in face of contagious attack by a strategic adversary. Examples of contagious attacks are stealth worms and viruses, that gradually spread over the network, infecting subsequent unprotected nodes. Such attacks are considered among the main threats to cyber security [SPW02]. Moreover, the study of the data from actual attacks demonstrates that the attackers spend time and resources to study the networks and choose the best place to attack [SPW02]. Direct and indirect infection can be prevented by taking security measures that are costly and effective (i.e., provide sufficiently high safety to be considered perfect). Examples include using the right equipment (such as dedicated high quality routers), software (antivirus software, firewall), and following safety practices. All of these measures are costly. In particular, having antivirus software is cheap but using it can be considered to be costly, safety practises may require staff training, staying up to date with possible threats, creating backups, updating software, hiring specialized, wellpaid staff. The security decisions are made individually by selfish nodes. Each node derives benefits from the nodes it is connected to (directly or indirectly) in the network. An example is the Metcalfe’s law (attributed to Robert Metcalfe [SV00], a coinventor of Ethernet) stating that each node’s benefits from the network are equal to the number of nodes it can reach in the network, and the value of a connected network is equal to the square of the number of its nodes. An additional threat faced by the nodes in the network is the existence of malicious nodes whose objectives are aligned with those of the adversary: they aim to disrupt the network [MSW09b, MSW09a].
Contribution
We study the effectiveness of network design for improving system security with malicious (or byzantine) players and strategic adversary. To this end we propose and study a three stage game played by three classes of players: the designer, the adversary, and the nodes. Some of the nodes are malicious and cooperate with the adversary. The identity of the nodes is their private information, known to them and to the adversary only. The designer moves first, choosing the network of links between nodes. Then, costly protection is assigned to the nodes. We consider two methods of protection assignments: the centralized one, where the designer chooses the nodes to receive protection, and the decentralized one, where each node decides individually and independently whether to protect or not. Lastly, the adversary observes the protected network and chooses a single node to infect. The protection is perfect and each nonbyzantine node can be infected only if she is unprotected. The byzantine nodes only pretend to use the protection and can be infected regardless of whether they are protected or not. After the initial node is infected, the infection spreads to all the nodes reachable from the origin of infection via a path containing unprotected or byzantine nodes. We show that if the protection decisions are centralized, so that the designer chooses both the network and the protection assignment, then either choosing a disconnected network with unprotected components of equal size or a generalized star with protected core is optimal. When protection decisions are decentralized, then, for sufficiently large number of nodes, the designer can resort to choosing the generalized star as well. In the case of sufficiently wellbehaved returns from the network (including for example Metcalfe’s law), the protection chosen by the nodes in equilibrium guarantees outcomes that are asymptotically close to the optimum. Hence, in such cases, the inefficiencies due to defense decentralization can be fully mitigated even in the presence of byzantine nodes.
Related work
There are two, overlapping, strands of literature that our work is related to: the interdependent security games [LFB15] and multidefender security games [SVL14, LV15, LSV17]. Early research on interdependent security games assumed that the players only care about their own survival and that there are no benefits from being connected [KH03, Var04, ACY06, LB08b, LB08a, CCO12, AMO16]. In particular, the authors of [ACY06]
study a setting in which the network is fixed beforehand, nodes only care about their own survival, attack is random, protection is perfect, and contagion is perfect: infection spreads between unprotected nodes with probability
. The focus is on computing Nash equilibria of the game and estimating the inefficiencies caused by defense decentralization. They show that finding one Nash equilibrium is doable in polynomial time, but finding the least or most expensive one is NPhard. They also point out the high inefficiency of decentralized protection, by showing unboundedness of the price of anarchy. In
[LB08b, LB08a] techniques based on local mean field analysis are used to study the problem of incentives and externalities in network security on random networks. In a more recent publication [AMO16], individual investments in protection are considered. The focus is on the strategic structure of the security decisions across individuals and how the network shapes the choices under random versus targeted attacks. The authors show that both under and overinvestment may be present when protection decisions are decentralized. A slightly different, but related, models are considered in [GWA10, GWA11, GMW12, LSB12a, LSB12b]. In these models the defender chooses a spanning tree of a network, while the attacker chooses a link to remove. The defender and the adversary move simultaneously. The attack is successful if the chosen link belongs to the chosen spanning tree. Polynomial time algorithms for computing optimal attack and defense strategies are provided for several variants of this game. For a comprehensive review of interdependent security games see an excellent survey [LFB15].Multidefender security games are models of security where two or more defenders make security decisions with regard to nodes, connected in a network, and prior to an attack by a strategic adversary. Each of the defenders is responsible for his own subset of nodes and the responsibilities of different defenders are nonoverlapping. The underlying network creates interdependencies between the defenders’ objectives, which result in externalities, like in the interdependent security games. The distinctive feature of multidefender security models is the adopted solution concept: the average case Stackelberg equilibrium. The model is two stage. In the first stage the defenders commit to mixed strategies assigning different types of security configurations across the nodes. In the second stage the adversary observes the network and chooses an attack. The research focuses on equilibrium computation and quantification of inefficiencies due to distributed protection decisions.
Papers most related to our work are [MSW09a, CDG14, CDG17, GJK16]. The authors of [MSW09b] introduce malicious nodes to the model of [ACY06]. The key finding in that paper is that the presence of malicious nodes creates a “fear factor” that reduces the problem of underprotection due to defense decentralization. Inspired by [MSW09b, MSW09a], we also consider malicious nodes in the context of network defense. We provide a formal model of the game with such nodes as a game with incomplete information. Our contribution, in comparison to [MSW09a], lies in placing the players in a richer setup, where nodes care about their connectivity as well as their survival, and where both underprotection (i.e., insufficiently many nodes protect as compared to an optimum) and overprotection (excessively many nodes protect as compared to an optimum) problems are present. This leads to a much more complicated incentives structure. In particular, the presence of malicious nodes may lead to underprotection, as nodes may be unable to secure sufficient returns from choosing protection on their own.
Works [CDG14, CDG17] consider the problem of network design and defense prior to the attack by a strategic adversary. In a setting where the nodes care about both their connectivity and their survival, the authors study the inefficiencies caused by defense decentralization and how they can be mitigated by network design. The authors show that both underprotection as well as overprotection may appear, depending on the costs of protection and network topology. Both inefficiencies can be mitigated by network design. In particular, the underprotection problem can be fully mitigated by designing a network that creates a cascade of incentives to protect. Our work builds on [CDG14, CDG17] by introducing malicious nodes to the model. We show how the designer can address the problem of uncertainty about the types of nodes and, at the same time, mitigate the inefficiencies due to defense decentralization. Lastly, in [GJK16], a model of decentralized network formation and defense prior to the attack by adversaries of different profiles is considered. The authors show, in particular, that despite the decentralized protocol of network formation, the inefficiencies caused by defense decentralization are relatively low.
The rest of the paper is structured as follows. In Section 2 we define the model of the game, which we then analyze in Section 3. In Section 4 we discuss possible modifications of our model. We provide concluding remarks in Section 5. Appendix A contains the proofs of the most technical results.
2. The model
There are players: the designer (), the nodes (), and the adversary (). In addition, each of the nodes is of one of two types: a genuine node (type ) or a byzantine node (type ). We assume that there are at least nodes and that there is a fixed amount of byzantine nodes. The byzantine nodes cooperate with the adversary and their identity is known to . All the nodes know their own type only. On the other hand, the adversary has complete information about the game. We suppose that he infects a subset of nodes. A network over a set of nodes is a pair , where is the set of undirected links of . Given a set of nodes , denotes the set of all networks over and is the set of all networks that can be formed over or any of its subsets. The game proceeds in four rounds (the numbers are fixed before the game):

The types of the nodes are realized.

chooses a network , where is the set of all undirected networks over .

Nodes from observe and choose, simultaneously and independently, whether to protect (what we denote by ) or not (denoted by ). This determines the set of protected nodes . The protection of the byzantine nodes is fake and, when attacked, such node gets infected and transmits the infection to all her neighbors.

observes the protected network and chooses a subset consisting of nodes to infect. The infection spreads and eliminates all unprotected or byzantine nodes reachable from in via a path that does not contain a genuine protected node from . This leads to the residual network obtained from by removing all the infected nodes.
Payoffs to the players are based on the residual network and costs of defense. The returns from a network are measured by a network value function that assigns a numerical value to each network that can be formed over a subset of nodes from .
A path in between nodes is a sequence of nodes such that , , , and for all . Node is reachable from node in if or there is a path between them in . A component of a network is a maximal set of nodes such that for all , , and are reachable in . The set of components of is denoted by . Given a network and a node , denotes the component such that . Network is connected if .
We consider the following family of network value functions:
where the function is increasing, strictly convex, satisfies , and, for all , verifies the inequalities
(1)  
In other words, the value of a connected network is an increasing and strictly convex function of its size. The value of a disconnected network is equal to the sum of values of its components. These assumptions reflect the idea that each node derives additional utility from every node she can reach in the network. In the last property we assume that these returns are sufficiently large: the returns from increasing the size of a component by are higher than the returns from adding an additional, separate, component of the same size to the network. Such form of network value function is in line with Metcalfe’s law, where the value of a connected network over nodes is given by , as well as with Reed’s law, where the value of a connected network is of exponential order with respect to the number of nodes (e.g., ).
Before defining payoff to a node from a given network, defense, and attack, we formally define the residual network. Given a network and a set of nodes , let denote the network obtained from by removing the nodes from and their connections from . Thus , where . Given defense and the set of byzantine nodes , the graph is called the attack graph. By infecting a node , the adversary eliminates the component of in the attack graph, .^{1}^{1}1We define for every . Hence, if the adversary infects a subset of nodes, then the residual network (i.e., the network that remains) after such an attack is .
Nodes’ information about whether they are genuine or byzantine is private. Similarly, the adversary’s information about the identity of the byzantine nodes is private. As usual in games with incomplete information, private information of the players is represented by their types. The type of a node is represented by ( means that is genuine and means that is byzantine) and the type of the adversary is represented by . (If is a finite set, then we denote by the set of subsets of of cardinality
.) A vector
of players’ types is called a type profile. The type profiles must be consistent so that the byzantine nodes are really known to the adversary. The set of consistent type profiles is .Remark 1.
We point out that is the set of byzantine nodes (i.e., the true state of the world) while denotes the beliefs of the adversary. The consistency assumption implies that the beliefs of the adversary are correct and .
The adversary aims to minimize the gross welfare (i.e., the sum of nodes’ gross payoffs), which is equal to the value of the residual network. Given a network , the set of protected nodes , and the type profile , the payoff to the adversary from infecting the set of nodes is
The designer aims to maximize the value of the residual network minus the cost of defense. Notice that this cost includes the cost of defense of the byzantine nodes. Formally, the designer’s payoff from network under defense , the set of infected nodes , and the type profile is equal to
The gross payoff to a genuine (i.e., not a byzantine) node in a network is equal to . In other words, each genuine node gets the equal share of the value of her component. The net payoff of a node is equal to the gross payoff minus the cost of protection. A genuine node gets payoff when removed. Defense has cost . The byzantine nodes have the same objectives as the adversary and their payoff is the same as that of . Formally, a payoff to the node given a network with defended nodes , the set of infected nodes , and the type profile is equal to
The adversary and the byzantine nodes make choices that maximize their utility. The designer and the nodes have incomplete information about the game and we assume that they are pessimistic, making choices that maximize the worst possible type realization (cf. [AB06]). Formally, the pessimistic utility of a genuine (i.e., of type ) node from network , the set of protected nodes , and the set of infected nodes , is
Similarly, the pessimistic utility of the designer from network , the set of protected nodes , and the set of infected nodes , is
To summarize, the set of players is . The set of strategies of player is . A strategy of each node is a function that, given a network and a node’s type , provides the defense decision of the node. The individual strategies of the nodes determine a function providing, given a network and nodes’ types profile , the set of defended nodes . The set of strategies of each node is . A strategy of player is a function that, given a network , the set of protected nodes , and adversary’s type , provides the set of nodes to infect . The set of strategies of player is .
Abusing the notation slightly, we use the same notation for utilities of the players from the strategy profiles in the game. Thus, given a strategy profile and a type profile , the payoff to player is , the pessimistic payoff to player is
(2) 
and the pessimistic payoff to the designer is given by
(3) 
By convention, we say that the pessimistic payoff of the byzantine node is the same as her payoff. We are interested in subgame perfect mixed strategy equilibria of the game with the preferences of the players defined by the pessimistic payoffs. We call them the equilibria, for short. We make the usual assumption that when evaluating a mixed strategy profile, the players consider an expected value of their payoffs from the pure strategies. In the case of the designer and the genuine nodes, these are expected pessimistic payoffs.
Throughout the paper we will also refer to the subgames ensuing after a network is chosen. We will denote such subgames by and call the network subgames. We will abuse the notation by using the same letters to denote the strategies in and in . The set of strategies of each node in game is . Given the type profile , the individual strategies of the nodes determine a function that provides the set of defended nodes . The set of strategies of the adversary in is .
All the key notations are summarized in Table 1.
number of nodes 


number of byzantine nodes 

number of nodes infected by the adversary 

component value function 

network 

set of protected nodes 

payoff to the designer, the adversary, and a node 

pessimistic payoff to the designer and a node 
2.1. Remarks on the model
We make a number of assumptions that, although common for interdependent security games, are worth commenting on. Firstly, we assume that protection is perfect. This assumption is reasonable when available means of protection are considered sufficiently reliable and, in particular, deter the adversary towards the unprotected nodes. Arguably, this is the case for the protection means used in cybersecurity. Secondly, we assume that the designer and genuine nodes are pessimistic and maximize their worstcase payoff. Such an approach is common in computer science and is in line with trying to provide the worstcase guarantees on system performance. One can also take the probabilistic approach (by supposing that the distribution of the byzantine nodes is given by a random variable). In
Section 4 we discuss how our results carry over to such model.3. The analysis
We start the analysis by characterizing the centralized defense model, where the designer chooses both the network and the defense assignment to the nodes. After that the adversary observes the protected network and nodes’ types and chooses the nodes to infect. We focus on the first nontrivial case . In this case, we are able to characterize networks that are optimal to the designer. The topology of these networks is based on the generalized stars. We then turn to the decentralized defense and study the cost of decentralization. It turns out that the topology of star gives asymptotically low cost of decentralization not only for the simple case studied earlier but for all possible values of parameters and . This is enough to prove our main result, Theorem 9, providing bounds on the price of anarchy.
3.1. Centralized defense
Fix the parameters and suppose that the designer chooses both the network and the protection assignment. This leads to a two stage game where, in the first round, the designer chooses a protected network and in the second round the adversary observes the protected network and nodes’ types (recognizing the byzantine nodes) and chooses the nodes to attack. Payoffs to the designer and to the adversary are as described in Section 2 and we are interested in subgame perfect mixed strategy equilibria of the game with pessimistic preferences of the designer. We call them equilibria, for short. Notice that, since the decisions are made sequentially, there is always a pure strategy equilibrium of this game. In this section, we focus only on such equilibria. Furthermore, the equilibrium payoff to the designer is the same for all equilibria. We denote this payoff by .
In the rest of this subsection we focus on the case . In this case, when the protection is chosen by the designer, two types of protected networks can be chosen in an equilibrium (depending on the value function and the cost of defense): a disconnected network with no defense or a generalized star with protected core and, possibly, one or two unprotected components. Before stating the result characterizing equilibrium defended networks and equilibrium payoffs to the designer, we need to define the key concept of a generalized star and some auxiliary quantities. We start with the definition of a generalized star. If is a network and is a subset of nodes, then we denote by the subnetwork of induced by , i.e., the network .
Definition 2 (Generalized star).
Given a set of nodes and , a generalized star over is a network such that the set of nodes can be partitioned into two sets, (the core) of size and (the periphery), in such a way that is a clique, every node in is connected to exactly one node in , and every node in is connected to or nodes in .
Roughly speaking, a generalized star is a coreperiphery network with the core consisting of nodes and the periphery consisting of the remaining nodes. The core is a clique, each periphery node is connected to exactly one core node and they are distributed evenly across the core nodes. An example of a generalized star is depicted in Fig. 1.
Now we turn to defining some auxiliary quantities. For any such that we define
and for every such that we define
(4) 
Given nodes, is the maximal network value the designer can secure against a strategic adversary by choosing an unprotected network composed of three components of equal size or two components of equal size and possibly one disconnected node. This is also the maximal network value the designer can secure by choosing such a network with one protected node, because, in the worst case scenario, the protected node is byzantine and may be infected.
For every , let
Given nodes and , is the network value that the designer can secure by choosing a generalized star, with one node disconnected in the case of dividing , having all core nodes protected and all periphery nodes unprotected.
We also define the following quantities:
(5)  
(6) 
Given nodes, is the network value that the designer can secure by choosing a network composed of a generalized star with a protected core and unprotected periphery, an unprotected component (of size ), and possibly one node disconnected from both of these components.
Finally, we define
We point out that never contains (because ). We are now ready to state the result characterizing equilibrium defended network and pessimistic equilibrium payoffs to the designer.
Proposition 3.
Let , , , and . Then, the pessimistic equilibrium payoff to the designer is equal to . Moreover, there exists an equilibrium network that has protected nodes and the following structure:

has at most three connected components.

If and , then is a generalized star with protected core and unprotected periphery.

If and , then is composed of a generalized star of size with protected core and unprotected periphery and a single unprotected node.

If and , then has two connected components of size and, if , a single unprotected node.

If , then is composed of a generalized star with protected core and unprotected periphery, an unprotected component of size and, possibly, a single unprotected node. The size is the number achieving maximum in Eq. 6. The existence of a single unprotected node depends on the term achieving maximum in Eq. 5.
The intuitions behind this result are as follows. When the cost of defense is high, then the designer is better off by not using any defense and partitioning the network into several components. Since the strategic adversary will always eliminate a maximal such component, the designer has to make sure that all the components are equally large. Due to the divisibility problems, one component may be of lower size. Thanks to our assumptions on the component value function , the number of such components is at most three. Moreover, if there are exactly three components, then they are of equal size or the smallest one has size .
When the cost of defense is sufficiently low, then it is profitable for the designer to protect some nodes. If the number of protected nodes is not smaller than , then, by choosing a generalized star with fully protected core (of optimal size depending on the cost) and unprotected periphery, the designer knows that the strategic adversary is going to attack either the byzantine node (if she is among the core nodes) or any unprotected node (otherwise). An attack on the byzantine core node destroys that node and all periphery nodes attached to her. Thus, in the worst case, a core node with the largest number of periphery nodes connected to her is byzantine. By distributing the core nodes evenly, the designer minimizes the impact of this worst case scenario. Due to the divisibility problems, it may happen that some of the core nodes are connected to a higher number of periphery nodes. If this is the case for one core node only, then it is better for the designer to disconnect this one node from the generalized star. By doing so, the designer spares this node from destruction.
The case when there are exactly protected nodes is special. Indeed, in this case, choosing a generalized star with protected core is not better than using no protection at all. This is because, in the worst case, the byzantine node is among the two protected ones. Therefore, it would be better for the designer to split the network into two unprotected components – this would result in the same network value after the attack without the need to pay the cost of protection. On the other hand, if the network consists of a generalized star with protected core and an unprotected component, then the argument above ceases to be valid: even if the byzantine node is among the protected ones, splitting them may give the adversary an incentive to destroy the unprotected component. Therefore, a protection of nodes may be used as a resource that ensures that one component survives the attack.
It is interesting to compare this result to an analogous result obtained in [CDG14, CDG17] for a model without byzantine nodes. There, depending on the cost of protection, three equilibrium protected networks are possible: an unprotected disconnected network (like in the case with a byzantine node), a centrally protected star, and a fully protected connected network. The existence of a byzantine node leads to a range of coreprotected networks between the centrally protected star and the fully protected clique (which is a generalized star). Notice that pessimistic attitude towards incomplete information results in the star network never being optimal: if only one node is protected, then, in the worst case, the designer expects this node to be byzantine, which leads to loosing all nodes after the attack by the adversary. Therefore, at least two nodes must be protected if protection is used in an equilibrium. The proof of Proposition 3 is given in Appendix A.
Example 4.
Table 2 presents how the optimal network changes for different cost values when and . For these values of , it is never optimal to have one node that is disconnected from the rest of the network. Moreover, as we can see, for a given number of nodes, not all possible generalized stars arise as optima. It is interesting to note that stars have never appeared in our experiments as optimal networks for the value function . Similarly, we have not found an example where it is optimal to defend exactly nodes. The case where there is no defense but the network is split into equal parts arises when and the cost is high enough (i.e., ), as already established in [CDG14].
Remark 5.
In this section, we have characterized the optimal networks for the case . Nevertheless, we have not found a network that has a substantially different structure than the ones described here and performs better for general values of and . We therefore suspect that the characterization for the general case is similar to the case .
star  
star  star  
star  star  
star  star  star  
star  star  star  
star  star  star  
two disconnected components of equal size  two disconnected components of equal size  two disconnected components of equal size 
3.2. Decentralized defense
Now we turn attention to the variant of the model where defense decisions are decentralized. Our goal is to characterize the inefficiencies caused by decentralized protection decisions for general values of and . To this end, we need to compare equilibrium payoffs to the designer under centralized and decentralized defense. We start by establishing two results about the existence of equilibria in the decentralized defense game.
Firstly, since the game is finite, we get equilibrium existence by Nash theorem. Notice that our use of the pessimistic aggregation of the incomplete information about types of nodes determines a game where the utilities of the nodes and the designer are defined by the corresponding pessimistic utilities. This game is finite and, by Nash theorem, it has a Nash equilibrium in mixed strategies. This leads to the following existence result.
Proposition 6.
There exists an equilibrium of .
Proof.
It can be shown that a stronger statement holds. More precisely, one can prove that for any there exists an equilibrium such that the strategies of the nodes do not depend on their types. Let us sketch the proof. We consider a modified model in which the nodes do not know their types (i.e., every node thinks that she is genuine, but some of them are byzantine). In this model, the (mixed) strategies of nodes are functions ,^{2}^{2}2 If is a finite set, then by we denote the set of all probability measures on . and every node receives a pessimistic utility of a genuine node, as defined in Eq. 2. The strategies and payoffs to the adversary and the designer are as in the original model. Let denote any optimal strategy of the adversary (i.e., a function that, given a defended network and the position of the byzantine nodes , returns a subset of nodes that is optimal to infect in this situation). If we fix , then the game turns into a two stage game (the designer makes his action first and then the nodes make their actions) with complete information. Therefore, this game has a subgame perfect equilibrium in mixed strategies. This equilibrium, together with , forms an equilibrium in the original model, because, in the original model, a byzantine node cannot improve her payoff by a unilateral deviation. ∎
Fix the parameters and let denote the set of all equilibria of with nodes and the cost of protection . Let denote the best payoff the designer can obtain in the centralized defense game (as discussed in Section 3.1). The price of anarchy is the fraction of this payoff over the minimal payoff to the designer that can be attained in equilibrium of (for the given cost of protection ),
Although pure strategy equilibria may not exist for some networks, they always exist on generalized stars. Moreover, when these stars are large enough, by choosing such a star, the designer can ensure that all genuine core nodes are protected. This is enough to characterize the price of anarchy as goes to infinity (with a fixed cost ). The next proposition characterizes equilibria on generalized stars.
Proposition 7.
Let be any equilibrium of . Let be a generalized star. Denote , , and . Furthermore, suppose that and . If the cost value belongs to one of the intervals , , , then the following statements about restricted to hold:

all genuine nodes use pure strategies

if , then all genuine nodes are protected

if , then all genuine core nodes are protected and all genuine periphery nodes are not protected

if , then all genuine nodes are not protected.
The proof of Proposition 7 requires an auxiliary lemma.
Lemma 8.
Let be any equilibrium of and denote the (possibly mixed) strategy of the adversary in this equilibrium. Let be a network such that is a generalized star. Furthermore, suppose that , , and that the set of byzantine nodes contains a core node. Then, infects this node with probability one.
Proof.
Since is an equilibrium and the adversary has complete information about the network before making his decision, his strategy
is a probability distribution over the set of subsets of nodes that are optimal to attack. Let
denote any byzantine node that is also a core node. We will show that any optimal attack infects .To do so, fix any set of attacked nodes and suppose that attacking does not infect . Given the structure of generalized star, we see that consists of genuine protected nodes and periphery nodes that are connected to genuine protected core nodes. To finish the proof, fix any node and observe it is strictly better for the adversary to attack the set . Indeed, if is a genuine protected node, then attacking it does nothing, while attacking destroys at least one more node. Moreover, if is a periphery node connected to a genuine core protected node, then attacking not only destroys one node but also disconnects the network ( is connected to at least one periphery node because ). ∎
We are now ready to present the proof of Proposition 7.
Proof of Proposition 7.
Let denote the strategy of the adversary in and let be any choice of protected nodes on , . Let be a genuine node.
First, suppose that . We will show that the pessimistic payoff of is equal to . On the one hand, this payoff is nonnegative for every possible choice of the infected node. On the other hand, we can bound it from above by supposing that there exists a byzantine node that is a core node and a neighbor of . Then, Lemma 8 shows that infects , and the pessimistic payoff of is not greater than .
Second, suppose that . Then, we have two possibilities. If is a periphery node, then the same argument as above shows that the pessimistic payoff of is equal to . If is a core node, then her payoff is bounded from below by (where ) for every possible choice of the set of infected nodes. Moreover, by supposing that every byzantine node is a core node, we see that the pessimistic payoff of is bounded from above by (where ).
Since the estimates presented above are valid for any choice of , we get the desired characterization of equilibria. ∎
Our main result estimates the price of anarchy using Proposition 7.
Theorem 9.
Suppose that for all the function satisfies
Then, for any cost level and any fixed parameters , we have
The proof requires an auxiliary lemma concerning the asymptotic behavior of the function .
Lemma 10.
We have .
Proof.
Since is strictly convex, for any we have (cf. [HUL93, Sect. I.1.1])
(7) 
As a result, the function is strictly increasing for all (to see that, let and use the left inequality from Eq. 7 on the tuple ). Since is convex and increasing, it is also continuous on (cf. [HUL93, Sect. I.3.1]). By fixing and taking we get that the function is nondecreasing. Suppose that . Then, by the assumption that for all , we have
Hence and for all , which contradicts the assumption that is strictly convex. ∎
We also need the fact that is superadditive.
Lemma 11.
For all we have .
Proof.
From the strict convexity of we have . Analogously, . Hence . ∎
We now give the proof of Theorem 9.
Proof of Theorem 9.
The function is superadditive by Lemma 11. As a result, the pessimistic payoff to the designer can be trivially bounded by . We now want to give a lower bound for the quantity . By Lemma 10 we have . Let be a natural number such that for all . For any we define . Observe that if we denote , then we have . Hence, if the designer chooses a generalized star, then Proposition 7 shows that all genuine core nodes are protected in any equilibrium. In particular, we have . Moreover, we can estimate
(8)  
Hence, using Lemma 10, we get
Remark 12.
Notice that the condition of Theorem 9 is verified for with . Hence, in the case of such functions , the price of anarchy is , so the inefficiencies due to decentralization are fully mitigated by the network design. This is true, in particular, for Metcalfe’s law.
4. Extensions of the model
In the previous section, we have shown that the topology of generalized star mitigates the costs of decentralization in our model. Nevertheless, our approach can be used to show similar results in a number of modified models. For instance, one could consider a probabilistic model, in which byzantine nodes are randomly picked from the set of nodes (and the distribution of this random variable is known to all players). Then, the designer and nodes optimize their expected utilities, not the pessimistic ones (where the expectation is taken over the possible positions of the byzantine nodes). In this case, we still can give a partial characterization of Nash equilibria on generalized stars. More precisely, one can show that if the assumptions of Proposition 7 are fulfilled and , then all genuine core nodes are protected. This is exactly what we need in the proof of Theorem 9. Therefore, the price of anarchy in the probabilistic model also converges to as the size of the network increases.
5. Conclusions
We studied a model of network defense and design in the presence of an intelligent adversary and byzantines nodes that cooperate with the adversary. We characterized optimal defended networks in the case where defense decisions are centralized, assuming that the number of byzantine nodes and the number of attacked nodes are equal to one. We have also shown that, in the case of sufficiently wellbehaved functions (including in line with Metcalfe’s law), careful network design allows to fully mitigate the inefficiencies due to decentralized protection decisions, despite the presence of the byzantine nodes. In terms of network design, we showed that a generalized star is a topology that can be used to achieve this goal. This topology creates incentives for protection by two means. Firstly, it is sufficiently redundant, so that the protected nodes are connected to several other protected nodes. This secures adequate network value even if some of these nodes are malicious. Secondly, it gives sufficient exposure to the nodes, encouraging the nodes that would benefit from protection to choose to protect through fear of being infected (either directly or indirectly). These results could be valuable, in particular, to policymakers and regulators, showing that such regulations can have strong effect and providing hints for which network structures are better and why.
An interesting avenue for future research is to consider a setup where not only the identities but also the number of byzantine nodes are unknown. How would the optimal networks look like if the protection decisions are centralized? Can we still mitigate the inefficiencies caused by decentralization? Another interesting problem are the optimal networks under centralized protection when the number of byzantine nodes or the budget of the adversary are greater than . Based on our experiments, we suspect that the topology of these networks is very similar to the case considered here. Nevertheless, a formal result remains elusive.
References

[AB06]
M. Aghassi and D. Bertsimas.
Robust game theory.
Math. Program., 107(1):231–273, 2006.  [ACY06] J. Aspnes, K. Chang, and A. Yampolskiy. Inoculation strategies for victims of viruses and the sumofsquares partition problem. J. Comput. System Sci., 72(6):1077–1093, 2006.
 [AMO16] D. Acemoglu, A. Malekian, and A. Ozdaglar. Network security and contagion. J. Econom. Theory, 166:536–585, 2016.
 [BS10] R. Böhme and G. Schwartz. Modeling cyberinsurance: Towards a unifying framework. In Proceedings of the 9th Workshop on the Economics of Information Security (WEIS 2010), 2010.

[CCO12]
H. Chan, M. Ceyko, and L. Ortiz.
Interdependent defense games: Modeling interdependent security under
deliberate attacks.
In N. de Freitas and K. Murphy, editors,
Proceedings of the 28th Conference on Uncertainty in Artificial Intelligence (UAI 2012)
, pages 152–162. AUAI Press, 2012.  [CDG14] D. Cerdeiro, M. Dziubiński, and S. Goyal. Individual security and network design. In Proceedings of the 15th ACM Conference on Economics and Computation (EC’14), pages 205–206, New York, NY, 2014. ACM.
 [CDG17] D. Cerdeiro, M. Dziubiński, and S. Goyal. Individual security, contagion, and network design. J. Econom. Theory, 170:182–226, 2017.
 [GJK16] S. Goyal, S. Jabbari, M. Kearns, S. Khanna, and J. Morgenstern. Strategic network formation with attack and immunization. In Y. Cai and A. Vetta, editors, Proceedings of the 12th Conference on Web and Internet Economics (WINE 2016), volume 10123 of Lecture Notes in Comput. Sci., pages 429–443, Berlin, Heidelberg, 2016. Springer.
 [GMW12] A. Gueye, V. Marbukh, and J. Walrand. Towards a metric for communication network vulnerability to attacks: A game theoretic approach. In V. Krishnamurthy, Q. Zhao, M. Huang, and Y. Wen, editors, Proceedings of the 3rd International Conference on Game Theory for Networks (GameNets 2012), volume 105 of Lect. Notes ICST, pages 259–274, Berlin, Heidelberg, 2012. SpringerVerlag.
 [GWA10] A. Gueye, J. Walrand, and V. Anantharam. Design of network topology in an adversarial environment. In T. Alpcan, L. Buttyán, and J. S. Baras, editors, Proceedings of the 2010 Conference on Decision and Game Theory for Security (GameSec 2010), volume 6442 of Lecture Notes in Comput. Sci., pages 1–20, Berlin, Heidelberg, 2010. SpringerVerlag.
 [GWA11] A. Gueye, J. C. Walrand, and V. Anantharam. How to choose communication links in an adversarial environment? In R. Jain and R. Kannan, editors, Proceedings of the 2nd International Conference on Game Theory for Networks (GameNets 2011), volume 75 of Lect. Notes ICST, pages 233–248, Berlin, Heidelberg, 2011. SpringerVerlag.
 [HUL93] J.B. HiriartUrruty and C. Lemaréchal. Convex Analysis and Minimization Algorithms I, volume 305 of Grundlehren Math. Wiss. SpringerVerlag, Berlin, Heidelberg, 1993.
 [KH03] H. Kunreuther and G. Heal. Interdependent security. J. Risk Uncertain., 26(2–3):231–249, 2003.
 [LB08a] M. Lelarge and J. Bolot. A local mean field analysis of security investments in networks. In Proceedings of the 3rd International Workshop on Economics of Networked Systems (NetEcon’08), pages 25–30. ACM, 2008.
 [LB08b] M. Lelarge and J. Bolot. Network externalities and the deployment of security features and protocols in the Internet. ACM SIGMETRICS Perform. Eval. Rev., 36(1):37–48, 2008.
 [LFB15] A. Laszka, M. Felegyhazi, and L. Buttyán. A survey of interdependent information security games. ACM Comput. Surveys, 47(2):23:1–23:38, 2015.
 [LSB12a] A. Laszka, D. Szeszlér, and L. Buttyán. Gametheoretic robustness of manytoone networks. In V. Krishnamurthy, Q. Zhao, M. Huang, and Y. Wen, editors, Proceedings of the 3rd International Conference on Game Theory for Networks (GameNets 2012), volume 105 of Lect. Notes ICST, pages 88–98, Berlin, Heidelberg, 2012. SpringerVerlag.

[LSB12b]
A. Laszka, D. Szeszlér, and L. Buttyán.
Linear loss function for the network blocking game: An efficient model for measuring network robustness and link criticality.
In J. Grossklags and J. Walrand, editors, Proceedings of the 2012 Conference on Decision and Game Theory for Security (GameSec 2012), volume 7638 of Lecture Notes in Comput. Sci., pages 152–170, Berlin, Heidelberg, 2012. SpringerVerlag.  [LSV17] J. Lou, A. Smith, and Y. Vorobeychik. Multidefender security games. IEEE Intelligent Systems, 32(1):50–60, 2017.
 [LV15] J. Lou and Y. Vorobeychik. Equilibrium analysis of multidefender security games. In Proceedings of the 24th International Conference on Artificial Intelligence (IJCAI’15), pages 596–602. AAAI Press, 2015.
 [MSW09a] T. Moscibroda, S. Schmid, and R. Wattenhofer. The price of malice: A gametheoretic framework for malicious behavior. Internet Math., 6(2):125–156, 2009.
 [MSW09b] T. Moscibroda, S. Schmid, and R. Wattenhofer. When selfish meets evil: Byzantine players in a virus inoculation game. In Proceedings of the 25th ACM Symposium on Principles of Distributed Computing (PODC 2006), pages 35–44. ACM, 2009.
 [SPW02] S. Staniford, V. Paxson, and N. Weaver. How to 0wn the internet in your spare time. In Proceedings of the 11th USENIX Security Symposium, pages 149–167. USENIX Association, 2002.
 [SV00] C. Shapiro and H. Varian. Information Rules: A Strategic Guide to the Network Economy. Harvard Business School Press, Boston, MA, USA, 2000.
 [SVL14] A. Smith, Y. Vorobeychik, and J. Letchford. Multidefender security games on networks. ACM SIGMETRICS Perform. Eval. Rev., 41(4):4–7, 2014.
 [Var04] H. Varian. System reliability and free riding. In L. J. Camp and S. Lewis, editors, Economics of Information Security, volume 12 of Adv. Inf. Secur., pages 1–15. Springer, Boston, MA, 2004.
Appendix A Characterization of equilibria in the centralized defense model
In this section we prove the characterization of equilibira given in Proposition 3. We start with some auxiliary lemmas.
Lemma 13.
For every , the function defined as is strictly increasing.
Proof.
Let . First use the left inequality from Eq. 7 on the tuple and then use the right inequality on the tuple . ∎
Corollary 14.
For all and we have . For all and we have .
Lemma 15.
Suppose that is an equilibrium network and that . Then, there is a network such that is also an equilibrium network, , all nodes from belong to the same connected component, this component is a generalized star, and is the core of this star. Furthermore, the component of that contains is strictly larger than other components of .
Proof.
We will show how to transform into without diminishing the pessimistic payoff to the designer. First, if two nodes are protected, then we add an edge between them. This does not decrease the designer’s payoff, because there is only one byzantine node; hence, any attack infects at most one of the nodes and the residual network after the attack is not smaller that before the addition of the edge. Therefore, we can suppose that the subnetwork is a clique. We focus on the connected component of that contains this clique. We will show that the remaining nodes of can be distributed in such a way that they form a periphery of a generalized star.
Let . For any , let denote the set of nodes that get infected if is byzantine and gets infected. In other words, contains and all unprotected nodes such that there is a path from to that passes only through unprotected nodes. We refer to Fig. 2 for an example. Observe that any optimal attack of the adversary that infects a node from infects in fact a set of nodes . Indeed, if this attack infects the byzantine node , then the set of infected nodes is equal to . If, instead, this attack infects an unprotected genuine node , then the set of infected nodes is equal to .
We do the following operation. We fix , we take all unprotected nodes that belong to , we delete all of their outgoing edges and, for every such node , add the edge . An example of this operation is depicted in Fig. 2. We will show that this operation does not decrease the pessimistic payoff to the designer. Denote the new network by , and the corresponding sets by for . By the discussion in the preceding paragraph, it is enough to prove that for every , the connected components of the network do not get smaller after our operation. Suppose that is an edge in for some . We will prove that the node is still reachable from in the network . First, we need to prove that do not belong . Indeed, if , then the claim is obvious because . Otherwise, a path from to (for ) that goes through unprotected nodes in cannot contain a node from , because unprotected nodes in have degree and are connected to a protected node . Thus, any such path does not contain a node from , and hence it is also a path in . Therefore . We can now prove that is reachable from in . If , then is an edge in and the claim is true. Otherwise, we have two possibilities. If both nodes belong to , then is a path in . If only one of them belongs to , then the second one must belong to , and hence is still a path in (because protected nodes form a clique in ). Moreover, the node does not belong to because . Therefore, the path belongs to . We can repeat this reasoning for every edge in . As a consequence, if two nodes are connected by a path in , then they are still connected by a path in . Therefore, our operation does not decrease the pessimistic payoff of the designer.
We can repeat the operation presented above for every protected node . As a result, we get a network such is a clique and every unprotected node that belongs to the component containing this clique has degree . It remains to prove that these nodes can be distributed evenly among the core protected nodes. Suppose that there are two protected nodes such that (where the sets are defined as previously). We take an unprotected node , delete the edge and add the edge . This operation does not decrease the pessimistic payoff to the designer. Indeed, if the adversary infects a node in a component different than , then the payoff to the designer does not change. Otherwise, the pessimistic utility to the designer is achieved when the adversary infects a byzantine node such that the set has maximal cardinality. Hence, this payoff does not decrease after our operation.
Finally, if the component of that contains is smaller than or equal to a component that does not contain any protected node, then it is more profitable to the adversary to infect this unprotected component. Hence, the designer can strictly improve his payoff by not using any protection at all, , which gives a contradiction with our assumptions. ∎
Proof of Proposition 3.
Let be an equilibrium network. Let denote its connected components, for all , and assume that . We will show how to transform into an equilibrium network with the topology described in the claim. Let and observe that . Indeed, if , then the pessimistic payoff to the designer is strictly larger if he stops protecting the one protected node (because, in the worst case scenario, this node is byzantine). First, suppose that . By Lemma 15, we can assume that is a generalized star with protected core and that . We want to find an equilibrium in which . If , then we consider the following transformation of the network : we take the unprotected component and move all of its nodes to , spreading them in a regular fashion as depicted in Fig. 3. More formally, we consider a network such that consists of a connected component having a topology of a generalized star of size with protected core and unprotected components . We will show that the network gives a payoff to the designer that is no smaller than the payoff obtained from choosing . First, observe that if the adversary infects the component in , then the pessimistic payoff to the designer is equal to . Moreover, if the adversary infects the component in , then the pessimistic payoff to the designer is equal to
Hence, the pessimistic payoff to the designer from playing is equal to . On the other hand, his payoff from playing is equal to , where and
Comments
There are no comments yet.