This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2011 proceedings.

Intentional Attack and Fusion-based Defense Strategy in Complex Networks Pin-Yu Chen and Kwang-Cheng Chen, Fellow, IEEE Graduate Institute of Communication Engineering, National Taiwan University, Taipei, Taiwan Email : [email protected] and [email protected] Abstract—Intentional attack incurs fatal threats on modern networks by paralyzing a small fraction of nodes with highest degrees to disrupt the network. To enhance the network robustness, in this paper we propose a fusion-based defense mechanism where each node performs local detection and feedbacks minimum (one-bit) information to the fusion center in order to infer the presence of attack. By formulating the attack and defense strategy as a zero-sum game, we leverage the expected payoff as a benchmark to evaluate the effectiveness of the fusion-based defense mechanism. Both analytic results and empirical data support that fusion-based defense is able to prevent the network from disruption, even under poor detection capability and fragile nature of complex networks.

Fusion Center

Network Level Defense

Node Level Defense

I. I NTRODUCTION With the increasing computational capability, an explosive growth of interests in analyzing the topological features of real-world networks has been witnessed in the last decade [1], [2]. Stemming from statistical physics, the term complex network denotes a large-scale network which is composed of complicated node interactions including physical connections and social relationships [3]–[7]. Distinct from the totally random nature, the degree distribution P (d) of many modern networks follows a power-law distribution with exponent α, i.e., P (d) ∼ d−α . The Internet router topology [2], [8], the links of world-wide web (WWW) [2] and the e-mail network [9] have been shown to be power-law distributed, and such complex networks are also renowned as scale-free networks [10] when 2 ≤ α ≤ 3 since their second and higherorder moments of degree distribution are usually divergent. An essential feature of scale-free networks is that there exists a small fraction of nodes as hubs in the network with much higher degrees than ordinary nodes, which render complex networks quite fragile when the hubs are out of order. Due to the existence of hubs in complex networks, Albert et al. [11] have shown that a power-law distributed network is quite tolerant to random node failures (removals) while it is very sensitive to selective removals, where paralyzing a small fraction of nodes with highest degrees leads to network disruption, known as an intentional attack. Cohen et al. [12] proposed an analytical model to evaluate the critical point for network breakdown under intentional attack in percolation sense, and Xiao et al. [13] verified that intentional attack is the most fatal attack to disrupt the network when the network topology is known to the attacker. The disruption of a complex network thereby incurs disastrous threats to the networking reliability, especially for routing in communication networks.

Attacker Fig. 1. System model. Each node feedbacks minimum (one-bit) information to the fusion center for attack inference. Dashed lines represent delocalized relationships such as e-mail contacts or links of WWW in complex networks.

To the best of our knowledge, currently there is no effective defense mechanism to deal with such fatal attack. To tackle the vulnerability of a complex network under intentional attack, in this paper we firstly propose a fusionbased defense to enhance the network robustness. As illustrated in Fig. 1, since the impacts of node quarantine on the network are not visible at node level, each node performs local detection via intrusion detection or anomaly detection on suspicious activities [14]–[17] and then feedbacks minimum (one-bit) decision to the fusion center due to limited capacity and finite energy constraint. At the network level, the fusion center fuses the feedbacks to infer the presence of attack. By evaluating the network resilience, the fusion center launches immediate defense reactions if an attack at the network level is detected, otherwise it keeps surveillance on the network to mitigate the potential cost from false alarms. Since an attacker manages to disrupt the network by sabotaging as many nodes as possible without being detected and the defender (fusion-center) aims to target the attack with less feedbacks, we formulate the attacker-defender interaction as a two-player, zero-sum game [18] and investigate the expected

978-1-4244-9268-8/11/$26.00 ©2011 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2011 proceedings.

payoff of this game as a benchmark for our proposed fusionbased defense mechanism. Both analytic results and empirical data support that fusion-based defense is quite efficacious against intentional attack with complete network information, even under poor detection capability of local nodes and fragile nature of complex networks. The rest of this paper is organized as follows. The attack strategy, defense mechanism and network resilience are introduced in Sec. II. In Sec. III we formulate the fusionbased defense mechanism and solve the detection threshold for robust network defense. Due to the competing nature of attacker and defender, we model the interactions as a zero-sum game to evaluate the effectiveness of the proposed fusionbased defense in Sec. IV. The performance of the fusionbased defense is presented in Sec. V with analytic results and empirical data. Finally, Sec. VI concludes this paper. II. S YSTEM M ODEL Suppose there are N nodes in the network with one fusion center for defense decision, where the N nodes are sorted in degree order, i.e., d1 ≥ d2 ≥ . . . ≥ dN . Every node feedbacks a local decision to the fusion center for attack inference. Upon the validation of the attack at network level, the fusion center takes immediate action on quarantining the suspicious nodes under surveillance. A. Intentional Attack We consider the worst-case scenario where the attacker knows the complete information (degree of every node) of the network and it is capable of sabotaging all the nodes simultaneously. The attack strategy of an attacker is to sabotage T ∈ {1, 2, . . . , N } nodes in descending degree order, where T = N refers to indifferent attack or uniform attack, and smaller T contributes to intentional attack on T nodes with highest degrees. The attack on ith node is in vain if the ith node is quarantined by the fusion center. Intuitively, uniform attack is an inappropriate strategy for the attacker at the risk of exposed activity, whereas intentional attack is more effective since it is difficult to be detected by the fusion center. B. Node Level Defense: Local Detection Since the a priori probability of attack and the cost of quarantine for network robustness is unknown at node level, each node employs Neyman-Pearson criterion for hypothesis testing with detection probability PDi and false alarm probability PFi . Hi = 1 denotes the hypothesis that ith node is under attack, otherwise Hi = 0. For simplicity we assume the nodes are homogeneous for identical detection capability, i.e., PDi = PD and PFi = PF . Based on the local detection, every node feedbacks one-bit information ui to the fusion center, where ui = 1 if ith node declares that it is under attack, otherwise ui = −1. C. Network Level Defense: Surveillance and Quarantine For the defense strategy at network level, the fusion center selects S ∈ {1, 2, . . . , N } nodes under surveillance in descending degree order. Since the cost of quarantine for network

robustness is known at the network level while the a priori probability of attack is still unknown, a binary hypothesis testing based on minimax criterion is employed at the fusion center to minimize the potential cost, where HC = 1 if attack occurs in the network, otherwise HC = 0. The fusion center quarantines the nodes which feedbacks the information ui = 1 when HC = 1, or it keeps surveillance for potential attacks. D. Network Resilience Since a complex network holds certain resilience that the network is still connected in percolation sense when some nodes are removed [11], [19], we define the cost at network level to be  1, if q ≤ qc , (1) Cq = −1, if q > qc , where q is the fraction of removed nodes and qc is the critical point for network breakdown, i.e, the network transitions from the connected phase to the disconnected phase at certain point qc . Note that the cost of erroneous node quarantine is identical to the role of node removal. Let d denote a random variable of the degree in the complex network with degree distribution function P (d). For a power-law distributed network, P (d = d) = c · d−α , d = dN , dN −1 , . . . , d1

(2)

and c is a normalization coefficient. In [12], via percolation theory the critical point qc can be evaluated as 1−α  ˜ K , (3) qc = dN ˜ is the cutoff degree after node removal and it can be where K obtained by solving the following equation ⎡ ⎤ 2−α    ˜ 3−α  ˜ 2−α ⎣ K K − dN − 1⎦ − 2 = 0.(4) dN 3−α dN Consequently, the network cost can be realized by analyzing the critical point qc . III. F USION - BASED D EFENSE A NALYSIS Leveraging optimal fusion rule [20], S[21] for attack inference at network level, let u = i=1 ai ui denote the observation obtained at the fusion center, where ⎧   ⎨ log PD , if ui = 1,  PF  (5) ai = ⎩ log 1−PF , if u = −1, i 1−PD is the optimal coefficient for data fusion. The likelihood ratio test (LRT) at the fusion center is u

HC =1

≷

HC =0

η

(6)

for some threshold η. Since the fusion center makes a decision based on the feedbacks of S nodes with highest degrees, adopting the k-out-of-n decision rule as consistent with [20],

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2011 proceedings.

is the regularized incomplete beta where Ix (a, b) = B(x;a,b) B(a,b) x function, B(x; a, b) = 0 ta−1 (1 − t)b−1 dt  x is the incomplete beta function and B(a, b) = B(1, a, b) = 0 ta−1 (1 − t)b−1 dt is the complete beta function. With (10), we rewrite (9) as

140 (PD , PF ) = (0.9, 0.1) (PD , PF ) = (0.9, 0.05)

120

(PD , PF ) = (0.9, 0.01) 100

F (η   − 1; S, PD ) + (1 − )P (k = η   | HC = 1) (11) = P (k = η   | HC = 0) + 1 − F (η  ; S, PF ).

η 

80

60

40

20

0

0

200

400

600

800

1000

S

Fig. 2. Threshold η   with respect to S for network level defense with different (PD , PF ) configurations. N = 1000 and  = 0.5.

[21], (6) can be written as      HC =1 PD (1 − PF ) 1 − PF , (7) k log ≷ η + S log PF (1 − PD ) 1 − PD HC =0 where k out of S nodes report attack. Without loss of generality we assume PD > PF so that (7) becomes −1      HC =1 PD (1 − PF ) 1 − PF log η + S log k ≷ PF (1 − PD ) 1 − PD HC =0 

η ,

η  −1

P (k = k | HC = 1) + (1 − )P (k = η   | HC = 1)

k=0

= P (k = η   | HC = 0) +

0

As shown in Fig. 2, the threshold η   has a linear scalability with respect to the number of nodes under surveillance (S), and higher false alarm probability contributes to larger η   in order to minimize the potential cost introduced by erroneous node quarantine. A direct observation from Fig. 2 is that higher false alarm probability tends to nurture the attacker since the attacker is prone to disrupt the network without being detected at the fusion center if the threshold is too high.

(8)

and k therefore has a binomial distribution BIN(S, PD ) when HC = 1 and BIN(S, PF ) when HC = 0. We denote Cxy as the cost when the event is HC = x while the decision is HC = y at the fusion center. For the defense cost at network level, we set C00 = C11 = 0 and C01 = CF = C10 = CM = Cq since erroneous node quarantine may also lead to network disruption. Adopting minimax criterion and randomized decision rule with probability , η  can be solved C C = PFC , where PM (PFC ) is the probability of by setting PM miss detection (false alarm) at the fusion center. We have 

Consequently, given S and (10), the threshold η   can be obtained by solving the following equation   1−PD    S  (S − η  + 1) tS−η  (1 − t)η −1 dt η   − 1 0    S η   PD (1 − PD )S−η  + (1 − )  η      S S η   S−η    P = (1 − P ) + 1 − (S − η ) F η   F η    1−PF   × tS−η −1 (1 − t)η  dt. (12)

S 

P (k = k | HC = 0),

k=η  +1

(9) 

where η  is the greatest integer which is smaller or equal to η  since k is a discrete random variable. Let F (k; n, p) denote the cumulation distribution function (CDF) of k ∼ BIN(n, p), we have F (k; n, p) = P (k ≤ k) = I1−p (n − k, k + 1)    1−p n tn−k−1 (1 − t)k dt, (10) = (n − k) k 0

IV. G AME - THEORETIC A NALYSIS Considering the network resilience as described in Sec. II-D, an intentional attack is regarded as effective if the attacker sabotages at least N qc  nodes with highest degrees to disrupt the network without being detected (i.e., HC = 0). As derived in Sec. III, the fusion center determines a null attack (HC = 0) if less than η   nodes with highest degrees report that they are under attack simultaneously. More interestingly, since the threshold η   increases linearly with the increase of S as shown in Fig. 2, if the fusion center knows the attacker’s strategy T , the fusion center manages to choose its defense strategy with smaller S in order to detect the attack. On the other hand, if the attacker knows the defender’s strategy S and the detection capability PD of local nodes, the attacker tends to sabotage as many nodes as possible provided that the fusion center considers the abnormal feedbacks as a null attack (local false alarms). There is clearly a tradeoff between the attack strategy and the defense strategy, and it is of great importance to analyze the network resilience at the stable stage where both attacker and defender chooses its optimal strategy against each other to maximize their own payoffs. Via game theory, the interactions between attacker and defender in a complex network can be formulated as a twoplayer, zero-sum, matrix game, where the attacker’s strategy is to attack T nodes with highest degrees and the defender’s strategy is to keep S nodes under surveillance in descending degree order. The matrix game is specified by a payoff

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2011 proceedings.

minimize the defender’s payoff, which is the solution of the optimization problem in nonnegative orthant

1 0.8

minimize

0.6

subject to t 0, 1T r t = 1,

0.4

(16)

where (·)T r denotes matrix transpose and denotes componentwise inequality. As proved in [22], the optimization problem in (16) is equivalent to the linear programming problem

v∗

0.2 0 −0.2 −0.4

(PD , PF ) = (0.9, 0.01)

minimize v

(PD , PF ) = (0.3, 0.01)

−0.6

subject to t 0, 1T r t = 1,

(PD , PF ) = (0.1, 0.01) −0.8

max (P T r t)s

s=1,...,N

0

0.01

0.02

0.03

qc

0.04

0.05

0.06

0.07

P T r t v1,

Fig. 3. Optimal expected payoff of the zero-sum game with respect to qc with different (PD , PF ) configurations. N = 300 and  = 0.5.

matrix P ∈ RN ×N , where the entry PT S denotes the payoff of the defender when the attacker’s strategy is T and the defender’s strategy is S. With the network cost function in (1) and the detection capability of every node (PD ), we denote TD ∼ BIN(T, PD ) as the number of nodes which detect the attack when T nodes are under attack. An attack is in vain if the attacker sabotages less than N qc  nodes, while the attack is effective if N qc  ≤ T ≤ η   − 1, where the fusion center fails to detect the attack prior to the network disruption. Regarding the randomized decision rule, when T ≥ N qc  and TD = η  , with (1) the payoff is 1 · P (TD = η  ) − 1 · (1 − )P (TD = η  )    T η   PD (1 − PD )T −η  = (2 − 1)  η  ˜ C

(13)



Moreover, given T ≥ max{N qc , η }, the payoff becomes 1 · P (TD ≥ η   + 1) − 1 · P (TD ≤ η   − 1) + C˜ = 1 − F (η  ; T, PD ) − F (η   − 1; T, PD ) + C˜ = 1 − I1−p (T − η  , η   + 1) − I1−p (T − η   + 1, η  ) + C˜  Cˆ Consequently. we have the payoff matrix P as ⎧ if T < N qc , ∀ S, ⎨ 1, −1, if N qc  ≤ T ≤ η   − 1, ∀ S, PT S = ⎩ ˆ C, if T ≥ max{N qc , η  }, ∀ S.

(14)

(15)

Due to the facts that there exists at least one (mixed strategy) Nash equilibrium in a finite matrix game such that no players can be better off by an unilateral change of their strategies, and the Nash equilibria are equivalent in the sense that the payoffs are identical. Denoting t = (t1 , . . . , tN ) and s = (s1 , . . . , sN ) as the probability distribution on the strategy of attacker and defender, respectively, the attacker manages to choose t to

(17)

The solution of (17), v ∗ , is therefore the optimal expected payoff of the defender for the attack and defense zero-sum game, and the optimal expected payoff of the attacker is −v ∗ . As shown in Fig. 3, the optimal expected payoff v ∗ of the defender increases with the critical point qc , which is quite reasonable since the attacker needs to pay more efforts to disrupt the network if the complex network holds stronger resilience. Moreover, the attacker benefits from poor detection capability (low PD ) if the local detection fails to distinguish the occurrence of attack. V. P ERFORMANCE E VALUATION Incorporating the concepts of network resilience in Sec. II-D and the fusion-based defense in Sec. III, in this section we investigate the outcome of the attack and defense game as discussed in Sec. IV, where both attacker and defender aim to maximize their own payoffs. By formulating the intentional attack and fusion-based defense as a zero-sum game, the attack incurs severe threats on the complex network if the optimal expected payoff v ∗ is less than 0, otherwise the defense is regarded as efficacious since v ∗ > 0 implies that the defender has higher chance to win the game. Since most of the real-world complex networks have the degree exponent 2 ≤ α ≤ 3 [3], [4], in Fig. 4 we demonstrate the effectiveness of the fusion-based defense when α = 2.5 with respect to the detection capability of local node, where the critical point qc is obtained from (3) and (4) given the minimum degree dN . The payoff of the defender increases with the detection capability for better decision at network level, and it asymptotically approaches to 1 when PD = 1, suggesting that the attack is destined to be in vain with high detection probability of local node. On the other hand, lower dN contributes to smaller qC and v ∗ since the network is more vulnerable to intentional attack. Nonetheless, the fusion-based defense still takes advantage (v ∗ > 0) of such fragile network even with low detection capability and small critical point. Following the empirical data collected in [11], we analyze the optimal expected payoff of the the fusion-based defense on the Internet and WWW as shown in Fig. 5. WWW is shown to be more robust than the Internet with larger critical point, and the defender is able to prevent the network from

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2011 proceedings.

network resilience and critical point for network disruption in percolation sense are introduced to account for network robustness. Since both attacker and defender manage to counter the opponent’s strategy and maximize their own payoffs, we formulate the interactions as a zero sum game and evaluate the performance of fusion-based defense by analyzing the optimal expected outcome. Through analytic results and empirical data collected from Internet and WWW, our fusion-based defense is shown to be reliable and effective against intentional attack, even under poor detection capability of local node and fragile nature of complex network. This paper therefore provides novel defense mechanism against fatal attacks.

1

0.8

v∗

0.6

0.4

0.2 (α, qc ) = (2.5, 0.52) 0

(α, qc ) = (2.5, 0.2) (α, qc ) = (2.5, 0.02)

−0.2 0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

PD

Fig. 4. Optimal expected payoff of the zero-sum game with respect to PD under different qc of scale-free networks. N = 400, PF = 0.01,  = 0.5 and dN = 5, 2 and 1.

1 0.9 0.8 0.7

v∗

0.6 0.5 0.4 0.3 0.2 WWW, (α, qc ) = (2.1, 0.067) 0.1 0 0.1

Internet, (α, qc ) = (2.5, 0.03) 0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

PD

Fig. 5. Optimal expected payoff of the zero-sum game with respect to PD and empirical data. The topological map of the Internet contains 6209 nodes and 12200 links with E[d] = 3.4. WWW contains 325729 nodes and 1698353 links with E[d] = 4.6. PF = 0.01 and  = 0.5.

disruption even under poor detection capability. On the other hand, the attacker benefits from poor detection capability when PD < 0.1 for the Internet due to the relatively small critical point, which suggests that the attacker may disrupt the network if the local defense mechanism is inherently awkward. Consequently, fusion-based defense provides reliable and efficient protection against intentional attack by acquiring limited feedbacks from local nodes, which thereby enhances the robustness of complex networks. VI. CONCLUSION To tackle the intentional attack in complex networks, we propose a fusion-based defense mechanism where the defender fuses the feedbacks from local nodes for attack inference via optimal data fusion. We have shown that the decision threshold increases with false alarm probability of local node and number of nodes under surveillance. The concepts of

R EFERENCES [1] D. J. Watts and S. H. Strogatz, “Collective dynamics of ‘small-world’ networks,” Nature, vol. 393, no. 6684, pp. 440–442, June 1998. [2] A.-L. Barab´asi and R. Albert, “Emergence of scaling in random networks,” Science, vol. 286, no. 5439, pp. 509–512, Oct. 1999. [3] R. Albert and A.-L. Barab´asi, “Statistical mechanics of complex networks,” Reviews of Modern Physics, vol. 74, no. 1, pp. 47–97, Jan. 2002. [4] M. E. J. Newman, “The structure and function of complex networks,” SIAM Review, vol. 45, no. 2, pp. 167–256, Mar. 2003. [5] A.-L. Barab´asi, “The architecture of complexity,” IEEE Control Syst. Mag., vol. 27, no. 4, pp. 33–42, Aug. 2007. [6] L. Cui, S. Kumara, and R. Albert, “Complex networks: An engineering view,” IEEE Circuits Syst. Mag., vol. 10, no. 3, pp. 10–25, third quarter 2010. [7] P.-Y. Chen and K.-C. Chen, “Information epidemics in complex networks with opportunistic links and dynamic topology,” in IEEE GLOBECOM, Dec. 2010, pp. 1–6. [8] M. Faloutsos, P. Faloutsos, and C. Faloutsos, “On power-law relationships of the Internet topology,” in ACM SIGCOMM, Oct. 1999, pp. 251–262. [9] H. Ebel, L.-I. Mielsch, and S. Bornholdt, “Scale-free topology of e-mail networks,” Phys. Rev. E, vol. 66, no. 3, p. 035103, Sept. 2002. [10] A.-L. Barab´asi, “Scale-free networks: A decade and beyond,” Science, vol. 325, no. 5939, pp. 412–413, July 2009. [11] R. Albert, H. Jeong, and A.-L. Barab´asi, “Error and attack tolerance of complex networks,” Nature, vol. 406, no. 6794, pp. 378–382, July 2000. [12] R. Cohen, K. Erez, D. ben Avraham, and S. Havlin, “Breakdown of the Internet under intentional attack,” Phys. Rev. Lett., vol. 86, no. 16, pp. 3682–3685, Apr. 2001. [13] S. Xiao, G. Xiao, and T. H. Cheng, “Tolerance of intentional attacks in complex communication networks,” IEEE Commun. Mag., vol. 46, no. 1, pp. 146–152, Jan. 2008. [14] B. Mukherjee, L. Heberlein, and K. Levitt, “Network intrusion detection,” IEEE Netw., vol. 8, no. 3, pp. 26–41, May-Jun. 1994. [15] T. Bass, “Intrusion detection systems and multisensor data fusion,” Commun. ACM, vol. 43, pp. 99–105, Apr. 2000. [16] A. Patcha and J.-M. Park, “An overview of anomaly detection techniques: Existing solutions and latest technological trends,” Comput. Netw., vol. 51, pp. 3448–3470, Aug. 2007. [17] G. Androulidakis, V. Chatzigiannakis, and S. Papavassiliou, “Network anomaly detection and classification via opportunistic sampling,” IEEE Netw., vol. 23, no. 1, pp. 6–12, Jan.-Feb. 2009. [18] M. Osborne and A. Rubinstein, A Course in Game Theory. MIT press, Cambridge, MA, 1999. [19] R. Cohen, K. Erez, D. ben Avraham, and S. Havlin, “Resilience of the Internet to random breakdowns,” Phys. Rev. Lett., vol. 85, no. 21, pp. 4626–4628, Nov. 2000. [20] Z. Chair and P. Varshney, “Optimal data fusion in multiple sensor detection systems,” IEEE Trans. Aerosp. Electron. Syst., vol. 22, no. 1, pp. 98–101, Jan. 1986. [21] S. Thomopoulos, R. Viswanathan, and D. Bougoulias, “Optimal decision fusion in multiple sensor systems,” IEEE Trans. Aerosp. Electron. Syst., vol. 23, no. 5, pp. 644–653, Sept. 1987. [22] S. Boyd and L. Vandenberghe, Convex Optimization. Cambridge University Press, Mar. 2004.