ARTICLE IN PRESS Reliability Engineering and System Safety 94 (2009) 763–772
Parallel systems under two sequential attacks

Gregory Levitin (a, corresponding author), Kjell Hausken (b)

(a) The Israel Electric Corporation Ltd., P.O. Box 10, Haifa 31000, Israel
(b) Faculty of Social Sciences, University of Stavanger, N-4036 Stavanger, Norway
Article history: Received 25 May 2008; received in revised form 6 August 2008; accepted 10 August 2008; available online 14 August 2008.

Keywords: Attack; Defense; Elements; Protection; Redundancy; Survivability; Optimization; Minmax

Abstract

The paper compares the efficiency of single and double attack against a system consisting of identical parallel elements (1-out-of-N system). An attacker tries to maximize the system vulnerability (probability of total destruction). The attacker distributes its constrained resource optimally across two attacks and chooses the number of elements to be attacked in the first attack. The attacker observes which elements are destroyed and not destroyed in the first attack, and applies its remaining resource into attacking the remaining elements in the second attack. First the optimal attack strategy against a system with a fixed number of elements is analyzed. Thereafter a minmax two period game between the attacker and the defender is considered in which the defender distributes its constrained resource between deploying redundant elements and protecting them against the attack. © 2008 Elsevier Ltd. All rights reserved.
Corresponding author: G. Levitin. doi:10.1016/j.ress.2008.08.006

1. Introduction

Classical reliability theory considers providing redundancy and improving reliability of elements as measures of system reliability enhancement [1,2]. When survivability of systems exposed to intentional attacks is concerned, deploying separated redundant elements and protection of these elements against malicious impacts become essential elements of the defense strategy [3–5]. The defender must decide how to distribute system defense resources among different defensive measures. Much of risk analysis has traditionally assumed strategic defenders facing a fixed and immutable threat [3,6,7]. This suggests a need to proceed further and assume that both the defender and attacker are fully strategic optimizing agents with different objectives.

The theory of defense against intentional attacks has attracted modest efforts over the last years. It has been common to consider a non-strategic attacker, either by assuming a fixed attack or a fixed attack probability. However, a few contributions have been made, and if we venture outside reliability engineering to economics and political science, accounts of intentional attacks are more common.

Starting with the engineering approach, Azaiez and Bier [8] consider the optimal resource allocation for security in reliability systems. They determine closed-form results for moderately general systems, assuming that the cost of an attack against any given component increases linearly in the amount of defensive investment in that component. Bier et al. [9] and Bier and Abhichandani [10] assume that the defender minimizes the success probability and expected damage of an attack. Bier et al. [9] analyze the protection of series and parallel systems with components of different values. They specify optimal defenses against intentional threats to system reliability, focusing on the tradeoff between investment cost and security. The optimal defense allocation depends on the structure of the system, the cost-effectiveness of infrastructure protection investments, and the adversary’s goals and constraints. Levitin [11] considers the optimal element separation and protection in complex multi-state series-parallel system and suggests an algorithm for determining the expected damage caused by a strategic attacker. Bier et al. [12] assume that a defender allocates defense to a collection of locations while an attacker chooses a location to attack. They show that the defender allocates resources in a centralized, rather than decentralized, manner, and that the optimal allocation of resources can be non-monotonic in the value of the attacker’s outside option. Furthermore, the defender prefers its defense to be public rather than secret. Also, the defender sometimes leaves a location undefended and sometimes prefers a higher vulnerability at a particular location even if a lower risk could be achieved at zero cost. Dighe et al. [13] consider secrecy in defensive allocations as a strategy for achieving more cost-effective attacker deterrence. Zhuang and Bier [14] consider defender resource allocation for countering terrorism and natural disasters. See also [15–20].
Nomenclature

Basic definitions

System element: lowest-level part of the system, characterized by deployment cost y.
Vulnerability: conditional probability of element destruction (or incapacitation) given it is attacked.
Protection: technical or organizational measure aimed at reduction of destruction probability of system elements in the case of attack.
Effort: amount of force aimed at destruction or protection of system element (in this paper it is measured as the amount of attacker’s or defender’s resource allocated to each element).
The first paper [21] devoted to optimal distribution of defense resources between redundancy and protection considered a single attack. The attacker usually has more than one opportunity to attack a system. This paper studies the situation of two consecutive attacks. We consider a parallel system consisting of N identical elements. A successful attack on each element is assumed to totally destroy this element. Only damage caused by the attack is considered without taking into account elements’ failures. The attacker distributes its resource optimally across two attacks. The attacker observes which elements are destroyed and not destroyed in the first attack, and applies its remaining resource into attacking the remaining elements in the second attack. This procedure means that the attacker can observe its success in the first attack before launching an optimal second attack. Such observation of success cannot be made in a single attack. We consider a 1-out-of-N system which means that all elements have to be destroyed to ensure a non-functioning system. Section 2 presents the basic attack model which shows how the attacker can distribute its resource across two attacks. Section 3 analyzes the optimal attacker’s strategy that presumes the choice of the fraction of resource to use, and how many elements to attack, in the first attack. Section 4 lets the defender distribute its resource between protection and deployment of elements, choosing optimally how many elements to deploy. A two period minmax game is analyzed where the defender moves in the first period minimizing the vulnerability, while the attacker moves in the second period maximizing the vulnerability. Section 5 concludes.
2. The attack model

The vulnerability of an element that is attacked is determined by a contest between the defender and the attacker. The contest is expressed as a contest success function modeled with the common ratio form [22–24] as

$$v(T,t) = \frac{T^m}{T^m + t^m} = \frac{1}{1 + (t/T)^m}, \tag{1}$$
where $\partial v/\partial T > 0$, $\partial v/\partial t < 0$, and $m \ge 0$ is a parameter that expresses the intensity of the contest. If the attacker exerts high effort, it is likely to win the contest which gives high vulnerability. If the defender exerts high effort, it is likely to win the contest which gives low vulnerability. When $m = 0$, the efforts t and T have equal impact on the vulnerability regardless of their size which gives 50% vulnerability. $0 < m < 1$ gives a disproportional advantage of investing less than one’s opponent. When $m = 1$, the investments have proportional impact on the vulnerability. $m > 1$ gives a disproportional advantage of investing more effort than one’s opponent (economies of scale). Finally, $m = \infty$ gives a step function where “winner-takes-all”.

Notation

R: entire attacker’s resource
r: entire defender’s resource
T: attacker’s impact effort per attacked element
t: defender’s protection effort per protected element
v(T,t): element vulnerability as function of attacker’s and the defender’s efforts
V: system vulnerability
y: cost of deploying a single element
N: number of elements in the system
x: fraction of attacker’s resource used in the first attack
Q: number of elements attacked in the first attack
m: contest intensity

The parameter m is a characteristic of the contest which can be illustrated by the history of warfare. Low intensity occurs for components that are predictable, and where the individual ingredients of each component are dispersed, i.e. physically distant or separated by barriers of various kinds. Neither the defender nor the attacker can get a significant upper hand. An example is the time prior to the emergence of cannons and modern fortifications in the fifteenth century. Another example is entrenchment combined with the machine gun, in multiple dispersed locations, in World War I [25]. High m occurs for components that are less predictable, and where the individual ingredients of each component are concentrated, i.e. close to each other or not separated by particular barriers. This may cause “winner-take-all” battles and dictatorship by the strongest. Either the defender or the attacker may get the upper hand. The combination of airplanes, tanks, and mechanized infantry in World War II allowed both the offense and defense to concentrate firepower more rapidly, which intensified the effect of force superiority.

The contest success function was initially used in rent seeking and expresses agents’ success in securing a rent dependent on efforts exerted [23]. Higher effort gives higher success, but is also costly. Traditional reliability theory has focused on how reliable a system is, which depends on internal failure rates, technology, weather conditions, and other factors which have typically been of a non-intentional nature.
As an intentional adversary gets introduced to reliability theory, with objectives opposite to that of the system defender, conflict becomes inevitable and it becomes natural to extend reliability theory to model this conflict. In the authors’ view this becomes a question about resource expenditures, i.e. how much effort to exert to ensure, versus not ensure, that the system survives the attack. The contest success function in (1), especially with the intensity parameter m, provides substantial flexibility for how the survivability of the system depends on the resources expended by the defender and attacker. For example, the defender may construct the system protection with more solid material, may insulate the system better, and may design protective shields of multiple kinds to enhance its survivability. If the attacker expends the same amount of resources as before the defender’s improvements, the system will have more chances to survive, contrary to the attacker’s objective. Hence the attacker faces the dilemma between accepting this increased survivability, or expending more resources to reduce the survivability. More resources means to design a more solid attack
with increased probability of being successful even against the more solidly defended system, and increased probability of breaking through the multiple protective shields.

The total defender’s resource is r. The defender allocates its protection resource evenly among N elements. Hence the defender’s effort per element is $t = r/N$. The even distribution of the protection resources, considered in this paper, can be caused by ethical or political reasons (the defender cannot sacrifice some elements leaving them unprotected or protected less than other elements). It can also be shown that the even resource distribution is optimal for both the attacker and the defender in the homogeneous parallel systems in the case when both agents have full information about resource distributions of each other [26]. Intuitively, if the attacker knows that some element is protected better, it allocates greater attack resource to this element, which compensates the effect of hardening the most robust element (see footnote 1).

When a protection of an element is put in place, it remains operational through two subsequent attacks by the attacker, unless the element is destroyed by the attacker. That is, if an element is not destroyed by the attacker in the first attack, its protection remains for the second attack. Conversely, if an element is destroyed by the attacker in the first attack, neither the element nor its protection remains for the second attack. This is realistic when the protection is for example a defense missile system, an underground bunker, a blockhouse (e.g. of masonry, heavy timbers, or logs), a concrete or regular building, a plastic lodge, or various kinds of shields, insulation, casing, but not realistic when the protection requires various kinds of regeneration efforts over time for sustenance, such as fuel, electricity, guard patrol, and troops.
We assume that sufficient time elapses between the first and second attack so that the attacker can determine which elements were destroyed in the first attack. But the time between the two attacks is not sufficient for the defender to reallocate its protection structure. The total attacker’s resource is R. The attacker distributes its resource evenly across the attacked elements in each attack, allocating effort T to each, but can choose to attack a subset of the elements in each attack. Furthermore, elements that are destroyed in the first attack are not attacked in the second attack, since we assume that the attacker can observe the outcome of the first attack. The attacker must decide which option is more beneficial: concentrating all or a majority of its resource in a single attack, or distributing the resource between two consecutive attacks. The preferable option should cause greater system vulnerability (the probability of its total destruction). The optimal choice is not evident and depends on the amount of resources available for each agent, the contest intensity, the number of elements and, in Section 4, the cost of deploying elements.
Footnote 1: If the attacker cannot adapt its strategy to the strategy of the defender (for example, the attacker has no information about the defender’s resource distribution among the elements), even allocation of defensive resources need not be optimal. For a parallel system, Azaiez and Bier [8] suggest starting by hardening the most robust component. The interpretation is that the attacker will be deterred if the attack fails to disable the most robust one, as a necessary condition for disabling the entire system. For a series system, however, Azaiez and Bier’s [8] optimal strategy suggests starting by strengthening the weakest components (for systems where components need not be identical). Once all components have reached the same survivability (i.e. became identical), the optimal strategy suggests allocating resources among components evenly. The interpretation is that any disabled component will result in system failure and therefore one should protect first those that have a higher chance of not resisting an attack. If all components are identical, then an equal share of allocation becomes optimal. We thank an anonymous referee of this journal for pointing out this linkage to Azaiez and Bier [8].
2.1. Even resource distribution between two attacks

To compare the efficiency of single and double attacks consider a simple example of a system consisting of two identical separated parallel elements (minimal redundancy), meaning that $N = 2$. The attacker succeeds if it destroys both elements. The total attacker’s resource equals the total defender’s resource: $r = R$. The defender allocates the same resource $r/2$ to protection of each element. If the attacker attacks several elements, it distributes its resource evenly among the elements. Consider two scenarios.

In the first scenario the attacker uses all its resources in the single attack. The attacker’s resource per element is $R/2$. The element vulnerability is

$$v = \frac{(R/2)^m}{(R/2)^m + (r/2)^m} = \frac{1}{1 + (r/R)^m} = 0.5. \tag{2}$$

The probability that both elements are destroyed is $v^2 = 0.25$.

In the second scenario the attacker distributes its resources evenly between two attacks. In the first attack it uses total resource $R/2$ and distributes it between two elements. Thus, the resource per element is $R/4$. The element vulnerability is

$$w = \frac{(R/4)^m}{(R/4)^m + (r/2)^m} = \frac{1}{1 + 2^m (r/R)^m} = \frac{1}{1 + 2^m}. \tag{3}$$

There are three possible outcomes of the first attack:

A. Two elements are destroyed with probability $w^2$ (no need for second attack).
B. One element is destroyed with probability $2(1-w)w$ (in the second attack the attacker attacks the remaining single element with all its remaining resource $R/2$, which gives the vulnerability $v$ of the remaining element). The probability of total system destruction in both attacks is $2(1-w)wv = (1-w)w$.
C. Zero elements are destroyed with probability $(1-w)^2$ (in the second attack the attacker attacks both remaining elements allocating resource $R/4$ to each element, which gives the vulnerability $w$ of each element). The probability of total system destruction in both attacks is $(1-w)^2 w^2$.

Since A, B and C are mutually exclusive scenarios, the overall probability of system destruction in a double attack is

$$w^2 + (1-w)w + (1-w)^2 w^2 = w + (1-w)^2 w^2. \tag{4}$$

The double attack with even resource distribution is beneficial if the system vulnerability (destruction probability) in double attack exceeds this probability in single attack:

$$w + (1-w)^2 w^2 > v^2 = 0.25. \tag{5}$$
The system vulnerabilities as functions of the contest intensity m are presented in Fig. 1. It can be seen that the double attack with even resource distribution is beneficial for $m \le 1.82$. The reason is that high m makes the contest outcome more sensitive to the defender’s effort ($r/2$) superiority over the attacker’s effort ($R/4$) in a double attack. So, in the case of equal resources and even attacker resource distribution among the attacks, the double attack is preferable for the attacker for non-intensive contests, whereas the single attack is preferable when the contest is highly intensive.

[Fig. 1. System vulnerabilities as functions of the contest intensity m. Curves: double attack, single attack; axes: V versus m.]

2.2. Uneven resource distribution between two attacks

The distribution of the attacker’s resources between two consecutive attacks can be a free strategic variable depending on the attacker’s decision. The attacker allocates a part $xR$ of its resource in the first attack, and the remaining part $(1-x)R$ in the second attack. We define $0 < x \le 1$, where $x = 0$ is excluded since $x = 0$ and $x = 1$ have the same meaning of excluding one of the attacks. Consider the case when the attacker distributes its resource evenly among the two attacked elements, but not between the two attacks. The attacker attacks all the elements with resource $xR$ in the first attack. The element vulnerability in the first attack is

$$q = \frac{(xR/2)^m}{(xR/2)^m + (r/2)^m} = \frac{1}{1 + x^{-m} (r/R)^m}. \tag{6}$$
If one element is destroyed in the first attack, the remaining attacker’s resource per element is $(1-x)R$, which produces element vulnerability

$$p = \frac{[(1-x)R]^m}{[(1-x)R]^m + (r/2)^m} = \frac{1}{1 + (2-2x)^{-m} (r/R)^m}. \tag{7}$$

If both elements survive the first attack, the remaining attacker’s resource per element is $(1-x)R/2$, which produces element vulnerability

$$h = \frac{[(1-x)R/2]^m}{[(1-x)R/2]^m + (r/2)^m} = \frac{1}{1 + (1-x)^{-m} (r/R)^m}. \tag{8}$$

The overall system vulnerability is

$$V = q^2 + 2q(1-q)p + (1-q)^2 h^2. \tag{9}$$
Fig. 2 presents V as a function of x for several different values of m and $r = R$. It can be seen that for great m the double attack is never beneficial as it cannot result in $V > 0.25$. Observe the inverse U curve for low m, a mixture of inverse U curve and U curve for intermediate m, and U curve for high m. This means that the attacker prefers an intermediate x for low m, allocating resources to both attacks. The reason is that low contest intensity allows both attacks to be effective despite the defender’s resource superiority in each attack. Conversely, for high m the attacker prefers either high or low x, concentrating its resource in one of two attacks. The reason is that, when the attacker has no resource superiority in each attack, high contest intensity prevents each of two separate attacks from being sufficiently effective by itself, and the attacker should channel its resources into either a maximum first attack ($x \to 1$), or a maximum second attack ($x \to 0$). These results get changed as R increases above r and the attacker can gain resource superiority over the defender in both attacks.

[Fig. 2. System vulnerability as function of x and m for R = r. Curves: m = 0.5, m = 1, m = 1.8, m = 2.5, m = 4, m = 10; axes: V versus x.]

Fig. 3 presents optimal values of x and corresponding system vulnerabilities V as functions of m for different $r/R$. It can be seen that with growth of m up to certain value $m^*$ the optimal value of x increases (for example, for $r/R = 0.5$, $m^* = 3.06$; for $r/R = 1$, $m^* = 1.87$; and for $r/R = 2$, $m^* = 1.6$). When $m > m^*$ the double attack cannot provide greater system vulnerability than single attack for any attacker’s resource distribution x. When the double attack is beneficial x grows with m.

Fig. 4 presents $m^*$ (the maximal value of m when double attack remains beneficial) as a function of $r/R$. One can see that when the attacker’s advantage over the defender grows ($r/R$ decreases) the double attack becomes advantageous for a wider range of contest intensities m. When the defender has greater resource than the attacker the double attack is advantageous only for relatively nonintensive contests ($m < 1.5$).

2.3. Uneven resource distribution between two attacks and between elements

The attacker can decide to attack a subset of $Q \le N$ randomly chosen elements in the first attack concentrating greater effort on each attacked element. In the second attack the attacker must attack all the remaining elements in order to destroy the entire system and eliminate the supplied demand. Consider the case when the attacker attacks only one out of two elements in the first attack allocating the resource $xR$ to this element. The element vulnerability in the first attack is

$$a = \frac{(xR)^m}{(xR)^m + (r/2)^m} = \frac{1}{1 + (2x)^{-m} (r/R)^m}. \tag{10}$$
If the attacked element is destroyed in the first attack, the remaining attacker’s resource per element is $(1-x)R$, which produces element vulnerability $p$ determined in (7). If the attacked element survives the first attack, the attacker attacks both elements in the second attack. The remaining attacker’s resource per element is $(1-x)R/2$, which produces element vulnerability $h$ determined in (8). The overall system vulnerability is

$$V = ap + (1-a)h^2. \tag{11}$$
Fig. 5 presents the comparison of system vulnerability obtained when both elements are attacked in the first attack (Eq. (9)) and when a single element is attacked in the first attack (Eq. (11)). For both cases the optimal values of the resource distribution x and the corresponding vulnerabilities are presented as functions of m for $r/R = 1$. It can be seen that whereas attacking both elements in the first attack is preferable when the contest intensity is relatively small, with the growth of m above $m = 1.55$ the attacker should prefer to attack a single element in the first attack. When only one element is attacked in the single attack the relative resource allocated to the first attack increases monotonically and approaches 0.5 asymptotically.

[Fig. 3. Optimal x and corresponding system vulnerability V as functions of m for different r/R. Curves: r/R = 0.5, r/R = 1, r/R = 2.]

[Fig. 4. m* as function of r/R.]

[Fig. 5. Optimal x and V as functions of m for r/R = 1 for the first attack on both elements and on single element. Curves: x (both), V (both), x (single), V (single).]

In the examples presented above we considered the cases when the choice of strategic parameters Q and x is constrained (Section 2.1 considers the case with $Q = N$ and $x = 1$ or $0.5$; Section 2.2 considers the case when Q always equals N though x is a free choice). A variety of reasons may prevent the attacker from distributing its resources freely. First, budget constraints may not only regulate but sometimes dictate that a specified amount of resources has to be applied within a certain time period. Using too little may be unacceptable for those responsible, and using too much may not be possible before the next budget arrives. Second, even without budget constraints, logistical factors such as availability of attack equipment and personnel, weather, terrain, distances involved, and political factors may prevent a single attack from exceeding or falling short of certain thresholds. Such factors can also urge the attacker to attack all of the targets in the first attack. Later in the paper we consider the case of unconstrained Q and x and analyze the attacker’s optimal choice of these variables. We show that for the unconstrained case a single attack $x = 1$ is never optimal.

3. General model of the optimal attack

This section assumes that the attacker chooses x and the number Q of elements to attack in the first attack optimally. Assume that the attacker can distribute its resource unevenly across the two attacks, and evenly across those elements it chooses to attack in each of the two attacks. The defender has N identical parallel elements. The defender allocates its protection resource evenly among N elements, with effort $t = r/N$ on each. To destroy the system the attacker must destroy all its N elements. In the first attack the attacker attacks $Q \le N$ elements evenly. These elements are jointly allocated a part $xR$ of the attacker’s resource. The attacker’s resource per attacked element is $T = xR/Q$. The element vulnerability in the first attack is

$$v(xR/Q,\, r/N) = \frac{(xR/Q)^m}{(xR/Q)^m + (r/N)^m} = \left[1 + \left(\frac{rQ}{xRN}\right)^m\right]^{-1}. \tag{12}$$
The probability that exactly $j$ ($0 \le j \le Q$) elements are destroyed by the first attack is

$$q_j = \binom{Q}{j}\, v(xR/Q,\, r/N)^j\, [1 - v(xR/Q,\, r/N)]^{Q-j}. \tag{13}$$

We analyze a 1-out-of-N system. Hence in the second attack the attacker must attack all of $N-j$ remaining elements to destroy the system. The attacker distributes its resource remaining for the second attack, $(1-x)R$, evenly across these $N-j$ elements. The attacker’s effort per element is $T = (1-x)R/(N-j)$, whereas the defender’s effort per element remains $t = r/N$. The vulnerability of any system element in the second attack is $v[(1-x)R/(N-j),\, r/N]$. The probability that all the remaining elements are destroyed is $v[(1-x)R/(N-j),\, r/N]^{N-j}$. The probability of system destruction is

$$V(x,Q) = \sum_{j=0}^{Q} q_j\, v\big[(1-x)R/(N-j),\, r/N\big]^{N-j} = \sum_{j=0}^{Q} \binom{Q}{j}\, v(xR/Q,\, r/N)^j\, [1 - v(xR/Q,\, r/N)]^{Q-j}\, v\big[(1-x)R/(N-j),\, r/N\big]^{N-j}. \tag{14}$$
The attacker seeks x and Q that maximize $V(x,Q)$. When the number N of elements is fixed the defender has no strategic choice. The optimal values $x^*$ and $Q^*$ are determined by the following enumerative maximization procedure, where $\Delta$ is a small increment, $0 < \Delta \ll 1$ ($\Delta = 0.01$ used in the optimization procedure).

1. Assign $V_{\max} = 0$;
2. for each $x = \Delta, 2\Delta, \ldots, 1$
   2.1. for each $Q = 0, 1, \ldots, N$
      2.1.1. use (14) to determine $V(x,Q)$
      2.1.2. if $V(x,Q) > V_{\max}$, assign $V_{\max} = V(x,Q)$, $x^* = x$, $Q^* = Q$.

Fig. 6 plots $x^*$, $Q^*$, and $V_{\max}$ as functions of $r/R$, for $N = 4$ and various m. For low and intermediate contest intensities $m = 0.2$ and $1$, the attacker attacks all $Q^* = N = 4$ elements in the first attack. The attacker accomplishes this by choosing $x^*$ slightly above 0.5 for $m = 0.2$, and $x^*$ slightly above 0.55 for $m = 1$. When the contest intensity is very low ($m = 0.2$) the outcome of the attack is not sensitive to the effort ratio $r/R$ and, as a result, the attacker has no reason to change $x^*$. When the contest intensity increases ($m = 1$) the attacker has to increase $x^*$ with the growth of the $r/R$ ratio to maintain superiority in the first attack. A highly intensive contest ($m = 5$) preserves the attacker’s ability to attack all four elements only when it is advantaged with a superior resource $r/R < 0.45$. As the attacker becomes disadvantaged, it attacks three elements, then two elements when $r/R > 0.55$. As $r/R$ increases above 1.17, system vulnerability becomes less than 0.01. Each time $Q^*$ drops, $x^*$ also drops because less resource is needed to achieve superiority in attacking fewer elements in the first attack. When $Q^*$ remains constant, $x^*$ increases with $r/R$ to maintain the attacker’s superiority in the first attack. Figs. 6 and 7 do not plot the variables when $V_{\max}$ is negligibly small (below 0.01). For that case the attacker’s decision matters less and it gradually becomes indifferent between choices of $x^*$ and $Q^*$.
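The vulnerability model of Eqs. (1) and (12)-(14) and the enumerative maximization procedure above, written out as an added Python example (not the authors' code), so that a defender can evaluate the worst-case vulnerability of a given N and r/R. The function names and the convention that zero attack effort gives v = 0 are assumptions of this example; the sample parameters are constructed.

```python
from math import comb


def contest(T, t, m):
    """Eq. (1): element vulnerability v(T, t) = T^m / (T^m + t^m)."""
    if T <= 0.0:
        # Assumed convention: with no attack effort the element survives.
        return 0.0
    try:
        return 1.0 / (1.0 + (t / T) ** m)
    except OverflowError:
        # (t/T)^m exceeds float range: vulnerability is effectively zero.
        return 0.0


def system_vulnerability(x, Q, N, R, r, m):
    """Eq. (14): probability that all N elements are destroyed in two attacks.

    x is the fraction of R spent in the first attack, Q the number of
    elements attacked in the first attack (0 <= Q <= N).
    """
    t = r / N                                   # defender's effort per element
    v1 = contest(x * R / Q, t, m) if Q > 0 else 0.0   # Eq. (12)
    total = 0.0
    for j in range(Q + 1):
        # Eq. (13): exactly j of the Q attacked elements are destroyed.
        q_j = comb(Q, j) * v1 ** j * (1.0 - v1) ** (Q - j)
        left = N - j                            # elements still standing
        if left == 0:
            second = 1.0                        # nothing left to destroy
        else:
            second = contest((1.0 - x) * R / left, t, m) ** left
        total += q_j * second
    return total


def single_attack_vulnerability(N, R, r, m):
    """Whole resource spent at once on all N elements: V = v(R/N, r/N)^N."""
    return contest(R / N, r / N, m) ** N


def optimal_attack(N, R, r, m, delta=0.01):
    """Enumerative maximization over x = delta, 2*delta, ..., 1 and Q = 0..N.

    Returns (V_max, x_star, Q_star).
    """
    steps = round(1.0 / delta)
    v_max, x_star, q_star = 0.0, None, None
    for k in range(1, steps + 1):
        x = k / steps                           # exact 1.0 at the last step
        for Q in range(N + 1):
            V = system_vulnerability(x, Q, N, R, r, m)
            if V > v_max:
                v_max, x_star, q_star = V, x, Q
    return v_max, x_star, q_star


if __name__ == "__main__":
    # Constructed scenario: equal resources and N = 4 elements.
    for m in (0.2, 1.0, 5.0):
        v_max, x_star, q_star = optimal_attack(N=4, R=1.0, r=1.0, m=m)
        single = single_attack_vulnerability(4, 1.0, 1.0, m)
        print(f"m={m}: V_max={v_max:.4f} at x*={x_star:.2f}, Q*={q_star}; "
              f"single attack V={single:.4f}")
```

With N = 2, r = R and x = 0.5, Q = 2 the function reduces to expression (4) of Section 2.1, and with x = 1, Q = N it reduces to the single-attack value.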
In Fig. 6 the maximum vulnerability $V_{\max}$ decreases convexly for $m = 0.2$ and $m = 1$. This reflects that the defender gains substantially but decreasingly as $r/R$ increases. For $m = 5$, $V_{\max}$ decreases logistically. The attacker enjoys $V_{\max}$ close to 1 for small $r/R$, while the defender enjoys $V_{\max}$ close to 0 for large $r/R$. As m increases toward infinity, $V_{\max}$ approaches a step function, where the step occurs at $r/R = 1$: in the “winner-takes-all” situation ($m = \infty$) the attacker cannot achieve effort superiority in the contest over all N elements if $r/R > 1$, therefore at least one element survives and $V = 0$; on the contrary, when $r/R < 1$ the attacker distributes its resource evenly among N elements in the single attack and achieves superiority in all N contests, which guarantees destruction of the system and produces $V = 1$. Fig. 6 shows that for a highly intensive contest and constant N the choice of x plays no important role. The plot $V(r/R)$ for optimal x and Q almost coincides with the plot $V(r/R)$ for fixed $x = 0.5$ and optimal Q. This can be explained by the fact that for the highly intensive contests the fact of superiority of one of the players plays a much greater role than the extent of this superiority.

Fig. 7 plots $x^*$, $Q^*$, and $V_{\max}$ as functions of N for $r/R = 1$ and various m. The optimal number $Q^*$ of elements attacked in the first attack naturally increases as more elements become available for attack. For small and intermediate m, the attacker attacks all of the elements in the first attack ($Q^* = N$) and $x^*$ increases moderately as $Q^*$ and N increase. This reflects that increasing N benefits the defender, and the attacker increases $x^*$ to cover more elements in the first attack. For large m, the attacker prefers to attack a subset of the elements in the first attack ($Q^* < N$) when $r/R$ is above a certain value, which allows it to concentrate greater per element effort. $x^*$ increases moderately with $Q^*$.
When $Q^*$ does not change, as shown with the plateaus when $m = 5$, $x^*$ decreases with N. That is, the attacker’s effort decreases as N increases, but decreasing $x^*$ when $Q^*$ is constant means that the attacker increases its per element effort in the second attack. Naturally, $V_{\max}$ decreases convexly as N increases which benefits the defender, and is lower for higher m. When $N > 10$ and $m = 5$, the advantaged defender enjoys negligibly low vulnerability. Unlike the function $V(r/R)$ for fixed N in Fig. 6, the function $V(N)$ is sensitive to x in highly intensive contests, because the change of N can cause drastic changes of per element effort ratio. Hence for $m = 5$ the function $V(N)$ for optimal x and Q does not coincide with function $V(N)$ for fixed $x = 0.5$ and optimal Q.

[Fig. 6. x*, Q*, and Vmax as functions of r/R, for N = 4 and various m. Curves: m = 0.2; m = 1; m = 5; m = 5 with x = 0.5.]

[Fig. 7. x*, Q*, and Vmax as functions of N for r/R = 1 and various m. Curves: m = 0.2; m = 1; m = 5; m = 5 with x = 0.5.]

From the system vulnerability model (14) we can elicit the following important proposition.

Proposition. For any finite m, if the attacker can choose how many elements to attack in the first attack, $0 \le Q \le N$, and can choose how to distribute its effort between the two attacks, $0 < x \le 1$, then a single attack is never preferable.

Proof. Concentrating all its resource on a single attack, the attacker achieves the per element effort $R/N$ and the system vulnerability

$$V = v(R/N,\, r/N)^N. \tag{15}$$
If the attacker decides to attack Q < N elements in the first attack and chooses x = Q/N, it achieves the same per element effort xR/Q = R/N in the first attack (as when attacking all N elements in the single attack), per element effort (1 − x)R/(N − j) = (N − Q)R/[N(N − j)] in the second attack (given j out of N elements are destroyed in the first attack) and the system vulnerability

$$V(x,Q) = \sum_{j=0}^{Q} \binom{Q}{j}\, v(R/N,\; r/N)^{j}\, \bigl[1 - v(R/N,\; r/N)\bigr]^{Q-j}\, v\bigl[(N-Q)R/[N(N-j)],\; r/N\bigr]^{N-j}. \tag{16}$$

Extracting in expression (16) the term with j = Q (corresponding to the full success in the first attack) from the summation, we get

$$\begin{aligned}
V(x,Q) &= \sum_{j=0}^{Q-1} \binom{Q}{j}\, v(R/N,\; r/N)^{j}\, \bigl[1 - v(R/N,\; r/N)\bigr]^{Q-j}\, v\bigl[(N-Q)R/[N(N-j)],\; r/N\bigr]^{N-j} \\
&\quad + v(R/N,\; r/N)^{Q}\, v\bigl[(N-Q)R/[N(N-Q)],\; r/N\bigr]^{N-Q} \\
&= \sum_{j=0}^{Q-1} \binom{Q}{j}\, v(R/N,\; r/N)^{j}\, \bigl[1 - v(R/N,\; r/N)\bigr]^{Q-j}\, v\bigl[(N-Q)R/[N(N-j)],\; r/N\bigr]^{N-j} + v(R/N,\; r/N)^{N},
\end{aligned} \tag{17}$$
which is always greater than V = v(R/N, r/N)^N achieved in the single attack. In other words, for any choice Q < N, the choice x = Q/N guarantees higher system vulnerability than the choice x = 1.

The intuitive explanation of this proposition is as follows. When x = 1 and Q = N the attacker destroys the system only if it wins all N contests with per element effort T = R/N. If at least one element survives, the entire system survives. If the attacker distributes its effort between two attacks such that Q < N and x = Q/N, it achieves the per element effort T = R/N in the first attack, and, if the first attack destroys all of the attacked elements, it achieves the same per element effort in the second attack. Hence, the probability of system destruction in the case of two fully successful attacks is the same as in the case of a single attack. However, in the case of two attacks, if some elements survive the first attack, the attacker still has a chance to destroy the entire system by attacking all of the surviving elements in the second attack (with per element effort T < R/N). This opportunity makes the two attack option beneficial for the attacker. Observe that x = Q/N is preferable to x = 1, but not necessarily optimal. In the example presented in Fig. 5 the solution with Q = N = 2 and x = 1 is always outperformed by the solutions with Q = 1, x < 1. The optimal value of x depends on m. When m increases x approaches Q/N = 0.5. □

The next section determines the defender's optimal N.
4. Defender's minmax strategy: redundancy vs. protection

This section lets the defender choose the number of elements N and distribute its resource r between deploying N elements and protecting these N elements. Since the N elements are identical and placed in parallel, adding or removing elements is conceptually straightforward, but has a substantial impact on the system redundancy. This means that N is a free choice variable for the defender. The cost of deploying one single element is y. Deployment includes producing or purchasing, installing, and maintenance of elements. Observe that 1 ≤ N ≤ ⌊r/y⌋, where ⌊r/y⌋ is the greatest integer that does not exceed r/y. Indeed N = 0 implies that the system does not exist and N > ⌊r/y⌋ is impossible since the defender does not have enough resources to deploy more than ⌊r/y⌋ elements. The resource remaining for protection is r − Ny, which is distributed evenly across the elements. This gives a protection resource (r − Ny)/N for each element, which is determined once N has been determined. This means that the defender has to strike a balance (tradeoff) between deploying a sufficiently high number N of elements and providing sufficient protection for each element, which is a balance between redundancy and protection. Replacing r/N with (r − Ny)/N in the second argument of the contest function v in (14) one obtains the system vulnerability as a function of the three decision variables x, Q and N:

$$V(x,Q,N) = \sum_{j=0}^{Q} \binom{Q}{j}\, v\bigl(xR/Q,\; (r-Ny)/N\bigr)^{j}\, \bigl[1 - v\bigl(xR/Q,\; (r-Ny)/N\bigr)\bigr]^{Q-j}\, v\bigl[(1-x)R/(N-j),\; (r-Ny)/N\bigr]^{N-j}. \tag{18}$$
The attacker seeks x and Q that maximize V(x,Q,N), while the defender seeks N that minimizes the system vulnerability. The defender builds the system over time. The attacker takes it as given when it chooses its attack strategy. Therefore, we analyze a two period minmax game where the defender moves in the first period, and the attacker moves in the second period. This means that the defender chooses a strategy in the first period that minimizes the maximum system vulnerability that the attacker can achieve in the second period. The optimal values x*, Q*, and N* are determined by the following enumerative minmax procedure.

1. Assign Vminmax = ∞;
2. For each N = 1, …, ⌊r/y⌋
   2.1. Assign Vmax = 0
   2.2. for each x = Δ, 2Δ, …, 1
      2.2.1. for each Q = 0, 1, …, N
         2.2.1.1. use (18) to determine V(x,Q,N)
         2.2.1.2. if V(x,Q,N) > Vmax, assign Vmax = V(x,Q,N), xopt = x, Qopt = Q.
   2.3. if Vmax < Vminmax, assign Vminmax = Vmax, x* = xopt, Q* = Qopt and N* = N.

Fig. 8 plots x*, Q*, N*, and Vminmax as functions of r/R when y/R = 0.2 for various m. Increasing r/R provides a higher resource to the defender, which means that the defender can afford to deploy more elements, and hence N* increases in a stepwise manner. The defender can afford to deploy more elements for lower contest intensity. For low and intermediate contest intensities m = 0.2 and 1, the attacker always attacks all elements in the first attack. For the highly intensive contest (m = 5) the attacker concentrates all its resource x*R on attacking a single element in the first attack to achieve effort superiority for this element. The optimal x increases insignificantly for m = 0.2 and more significantly for m = 1, which means that the attacker needs a greater resource to attack the growing number of targets Q* in the first attack. For m = 5, when Q* is constant, the attacker distributes its resource evenly among the elements (x* = 1/3 when N* = 3 and x* = 1/2 when N* = 2). When r/R < 1.33 the defender deploys a single element and the attacker prefers a single attack (x* = 1).

Fig. 8. x*, Q*, N*, and Vminmax as functions of r/R for y/R = 0.2 and various m.

Fig. 9 plots x*, Q*, N*, and Vminmax as functions of y/R when r/R = 2 for various m. With increase of the element cost y/R the defender can afford to deploy fewer elements, and hence N* decreases in a stepwise manner. The defender can afford to deploy fewer elements for higher contest intensity because it must spend more on protection. For low and intermediate contest intensities m = 0.2 and 1, the attacker always attacks all elements in the first attack. For the highly intensive contest (m = 5) the attacker concentrates all its resource x*R on attacking a single element in the first attack to achieve effort superiority for this element. The optimal x decreases insignificantly for m = 0.2 and more significantly for m = 1, which means that the attacker needs less resource to attack the fewer elements Q* that get less protection as y/R increases. For m = 5, when Q* is constant, the attacker distributes its resource evenly among the elements (x* = 1/3 when N* = 3 and x* = 1/2 when N* = 2). When y/R > 0.4 the defender deploys a single element and the attacker prefers a single attack (x* = 1).
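A numerical sketch of equation (18) and of the enumerative minmax procedure of this section; with y = 0 the same function evaluates model (14), so it also lets a reader check the Proposition of Section 3 (x = Q/N against x = 1). This is an added example, not code from the paper: the function names, the grid size `steps` (Δ = 1/steps) and the ratio-form contest success function T^m/(T^m + t^m) are assumptions, since v is defined before this section.

```python
from math import comb, floor, inf

def contest(T, t, m):
    """Attacker's success probability against one element.

    ASSUMPTION: ratio-form contest success function T^m / (T^m + t^m);
    v is defined earlier in the paper, so this form is not taken from here.
    """
    if T <= 0:
        return 0.0                      # no attack effort: element survives
    if t <= 0:
        return 1.0                      # no protection: element is destroyed
    return T**m / (T**m + t**m)

def vulnerability(x, Q, N, R, r, y, m):
    """Eq. (18): probability that all N elements are destroyed."""
    t = (r - N * y) / N                 # per-element protection (r - Ny)/N
    if Q == 0:
        # Only the j = 0 term remains and the first-attack factors have
        # exponent 0, so (18) reduces to the second attack on all N elements.
        return contest((1 - x) * R / N, t, m) ** N
    p = contest(x * R / Q, t, m)        # per-element success in attack 1
    total = 0.0
    for j in range(Q + 1):              # j elements destroyed in attack 1
        left = N - j                    # survivors targeted in attack 2
        second = contest((1 - x) * R / left, t, m) ** left if left else 1.0
        total += comb(Q, j) * p**j * (1 - p) ** (Q - j) * second
    return total

def best_attack(N, R, r, y, m, steps=100):
    """Steps 2.1-2.2: attacker's best (Vmax, xopt, Qopt) for a given N."""
    best = (0.0, None, None)
    for k in range(1, steps + 1):       # x = Δ, 2Δ, ..., 1
        x = k / steps
        for Q in range(N + 1):
            V = vulnerability(x, Q, N, R, r, y, m)
            if V > best[0]:
                best = (V, x, Q)
    return best

def minmax(R, r, y, m, steps=100):
    """Steps 1, 2 and 2.3: returns (Vminmax, x*, Q*, N*)."""
    result = (inf, None, None, None)
    n_max = floor(r / y + 1e-9)         # ⌊r/y⌋, guarded against float error
    for N in range(1, n_max + 1):
        V, x, Q = best_attack(N, R, r, y, m, steps)
        if V < result[0]:
            result = (V, x, Q, N)
    return result
```

Under the assumed contest function, `minmax(1.0, 1.0, 0.2, 5)` selects a single element and a single attack, in line with the r/R < 1.33 case described for Fig. 8.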
Fig. 9. x*, Q*, N*, and Vminmax as functions of y/R for r/R = 2 and various m.

5. Conclusions and further research

This paper analyzes a parallel system which the defender builds and protects to survive two sequential attacks. The attacker can decide whether to concentrate its limited resource on a single attack or distribute it among two attacks. It can also decide how many parallel elements to attack in the first attack. These decisions determine the attacker's strategy. We analyze a 1-out-of-N system and hence the attacker attacks all surviving elements in the second attack with its remaining resource. Regardless of the intensity of the contest between the defender and attacker, if the attacker can choose how many elements to attack in the first attack, and can choose how to distribute its effort between the two attacks, then a single attack is never preferable. The optimal attack strategy is analyzed for different ratios of the attacker's and the defender's resources and for different contest intensities. The optimal defender and attacker strategies are studied as a solution of a minmax game in which the defender distributes its limited resource among deploying redundant elements and protecting them against attacks. The defender chooses the strategy that minimizes the maximal system vulnerability that the attacker can achieve using its optimal strategy. The analytical model of the system vulnerability as a function of the attacker and defender strategies is derived, analyzed and illustrated with several examples. It is shown that even for this rather simple model the interrelation among the strategic choice variables is complicated. For example, the variation of the contest intensity can change the direction of the changes in the resource distribution parameter x* with the growth of the defense budget or element cost. Therefore, intuitive decisions about the optimal strategies can be misleading, and the use of the suggested model can be very helpful for supporting the decisions.

The presented model uses the contest intensity parameter m that cannot be exactly evaluated in practice. Therefore the study of the influence of this parameter on the optimal and minmax strategies has a qualitative nature. Two ways of handling the uncertainty of the contest intensity can be outlined: first, m can be defined as a fuzzy variable and a fuzzy logic model can be studied; second, the range of possible variation of m can be determined and the most conservative "worst case" defense strategy can be obtained under the assumption that m takes the values that are most favorable for the attacker (in this case m can be considered as an additional strategic variable that the attacker can choose within the specified range). The two suggested approaches could be recommended as a direction of further research. Another extension of the suggested model should consider the case when the defender allocates defense across the two attacks.

References

[1] Modarres Mohammad, Kaminskiy Mark, Krivtsov Vasiliy. Reliability engineering and risk analysis: a practical guide. CRC Press; 1999.
[2] O'Connor Patrick DT. Practical reliability engineering. 4th ed. New York: Wiley; 2002.
[3] Levitin G, Lisnianski A. Optimal separation of elements in vulnerable multistate systems. Reliab Eng Syst Saf 2001;73:55–66.
[4] Malakhoff A, Klinkhamer D, McKesson C. Analysis of the impact of reliability, availability and maintainability on ship survivability. Sixth international conference on high speed marine craft, Norwegian Society of Chartered Engineers, 1998.
[5] Westmark VR. A definition for information system survivability. In: Proceedings of the 37th annual Hawaii international conference on system sciences, 2004.
[6] Levitin G, Lisnianski A. Optimizing survivability of vulnerable series-parallel multi-state systems. Reliab Eng Syst Saf 2003;79:319–31.
[7] Gordon LA, Loeb M. The economics of information security investment. ACM Trans Inform Syst Secur 2002;5(4):438–57.
[8] Azaiez N, Bier VM. Optimal resource allocation for security in reliability systems. Eur J Oper Res 2007;181:773–86.
[9] Bier VM, Nagaraj A, Abhichandani V. Optimal allocation of resources for defense of simple series and parallel systems from determined adversaries. Reliab Eng Syst Saf 2005;87:313–23.
[10] Bier VM, Abhichandani V. Optimal allocation of resources for defense of simple series and parallel systems from determined adversaries. In: Proceedings of the engineering foundation conference on risk-based decision making in water resources X. Santa Barbara, CA: American Society of Civil Engineers; 2002.
[11] Levitin G. Optimal defense strategy against intentional attacks. IEEE Trans Reliab 2007;56(1):148–56.
[12] Bier VM, Oliveros S, Samuelson L. Choosing what to protect: strategic defense allocation against an unknown attacker. J Public Econ Theory 2006;9(4):563–87.
[13] Dighe N, Zhuang J, Bier VM. Secrecy in defensive allocations as a strategy for achieving more cost-effective attacker deterrence. Int J Performability Eng (special issue on System Survivability and Defense against External Impacts) accepted for publication.
[14] Zhuang J, Bier VM. Balancing terrorism and natural disasters—defensive strategy with endogenous attacker effort. Oper Res 2007;55(5):976–91.
[15] Bier VM. Game-theoretic and reliability methods in counter-terrorism and security. In: Wilson, et al., editors. Mathematical and statistical methods in reliability. Series on quality, reliability and engineering statistics. Singapore: World Scientific; 2005. p. 17–28.
[16] Carayon P, Kraemer S, Bier VM. Human factors issues in computer and e-business security. In: Labbi A, editor. Handbook of integrated risk management for E-business: measuring, modeling and managing risk. J. Ross Publishing; 2005.
[17] Phimister JR, Bier VM, Kunreuther HC, editors. Accident precursor analysis and management: reducing technological risk through diligence. Washington, DC: National Academies Press; 2004.
[18] Azaiez N, Bier VM. Perfect aggregation for a class of general reliability models with Bayesian updating. Appl Math Comput 1995;73:281–302.
[19] Bier VM. Challenges to the acceptance of probabilistic risk analysis. Risk Anal 1999;19:703–10.
[20] Bier VM. On the state of the art: risk communication to the public. Reliab Eng Syst Saf 2001;71:139–50.
[21] Levitin G, Hausken K. Protection vs. redundancy in homogeneous parallel systems. Reliab Eng Syst Saf 2008;93(10):1444–51.
[22] Hausken K. Production and conflict models versus rent seeking models. Public Choice 2005;123:59–93.
[23] Tullock G. Efficient rent-seeking. In: Buchanan JM, Tollison RD, Tullock G, editors. Toward a theory of the rent-seeking society. College Station: Texas A. & M. University Press; 1980. p. 97–112.
[24] Skaperdas S. Contest success functions. Econ Theory 1996;7:283–90.
[25] Hirshleifer J. Anarchy and its breakdown. J Pol Econ 1995;103(1):26–52.
[26] Hausken K. Strategic defense and attack for series and parallel reliability systems. Eur J Oper Res 2008;186(2):856–81.