- About this Journal ·
- Aims and Scope ·
- Article Processing Charges ·
- Articles in Press ·
- Author Guidelines ·
- Bibliographic Information ·
- Citations to this Journal ·
- Contact Information ·
- Editorial Board ·
- Editorial Workflow ·
- Free eTOC Alerts ·
- Publication Ethics ·
- Reviewers Acknowledgment ·
- Submit a Manuscript ·
- Subscription Information ·
- Table of Contents
ISRN Communications and Networking
Volume 2012 (2012), Article ID 913294, 8 pages
Approximate Core Allocation for Large Cooperative Security Games
1University of Miami, Coral Gables, FL, USA
2University of Illinois, Champaign, IL, USA
Received 2 September 2012; Accepted 24 September 2012
Academic Editors: S. Cheng, T. Erseghe, W. Jiang, and V. Tralli
Copyright © 2012 Saman Zonouz and Parisa Haghani. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Coalition games have been recently used for modeling a variety of security problems. From securing the wireless transmissions in decentralized networks to employing effective intrusion detection systems in large organizations, cooperation among interested parties has shown to bring significant benefits. Motivating parties to abide to a solution is, however, a key problem in bridging the gap between theoretical models and practical solutions. Benefits should be distributed among players (wireless nodes in a network, different divisions of an organization in security risk management, or organizations cooperating to fight spam), such that no group of players is motivated to break off and form a new coalition. This problem, referred to as core allocation, grows computationally very expensive with a large number of agents. In this paper, we present a novel approximate core allocation algorithm, called the bounding boxed core (BBC), for large cooperative security games in characteristic form that rely on superadditivity. The proposed algorithm is an anytime (an algorithm is called anytime if it can be interrupted at any time point during execution to return an answer whose value, at least in certain classes of stochastic processes, improves in expectation as a function of the computation time) algorithm based on iterative state space search for better solutions. Experimental results on a 25-player game, with roughly 34 million coalitions, show that BBC shrinks the 25-dimensional bounding-box to times its initial hypervolume.
In the recent years, there has been a growing interest for modeling defenders in different security problems with coalition games. This is mainly due to results which confirm that many security goals can be better reached through cooperation among the interested parties. Millions of connected computers and networks of them have turned security to a problem characterized by interdependence . In this interconnected world of computers, the security of a particular user is not independent of others and it heavily depends on the efforts of other users. As a prominent example in Internet security, in combating spam and unsolicited communications, the Organization for Economic Co-operation and Development recommends international cooperation and promotes cross-border enforcement cooperation on spam-related problems .
With regard to cyber attacks originated from any particular country, a recent study  shows that international cooperation in enforcement as measured by the indicator of joining the convention on cybercrimes, can deter cyber attacks by up to 24%. Cooperative attack and defense for a range of distributed network applications, with an emphasis on phishing, has been examined in  and the results highlight the need for cooperative information sharing.
Building suitable models based on cooperation for a variety of security problems has been the subject of some recent studies. Coalition game theory has been used for security risk management  in divisions of an organization as well as secure wireless transmissions  in ad hoc wireless networks, and against network security attacks . In detecting [12, 19] and mitigating  DDos attacks, cooperation has been affirmed. While many studies advocate the use of coalition games for modeling large scale security problems, the question of revenue allocation, as an important step in turning these game theoretical models to practical robust solutions, has not been studied and warrants greater attention.
Cooperative game theory studies the problem of revenue allocation for a set of participants, called players, in a joint project where a value function is defined for each subset of players, representing the revenue achieved by the players in that subset without assistance of other players. In the context of security, we call these games cooperative security games. In cooperative security games players are the defenders (e.g., organizations cooperating for intrusion detection) and revenue is the security benefit they achieve through cooperation. We will present a formal definition in the next Section. In general, each solution concept defines a set of allocation vectors. Obtaining is usually a nontrivial problem and has always been an important issue in the study of cooperative game theory. A particularly interesting theme to the study of such decision problems is that of the bounded rationality, which argues that decisions made by real-life agents may not spend an unbounded amount of resources to evaluate all the possibilities for optimal outcome . Much effort has been made in the study of the bounded rationality in computational resource for solution concepts of cooperative games.
The definition of a cooperative game involves an exponential number (in the number of players) of values, one for each subset of players. Moreover, the definitions of many solution concepts, for example, the core , would involve an exponential number of constraints. Therefore, it becomes infeasible to get the set of fair allocation vectors for a large cooperative game using traditional approaches, such as linear programming. Megiddo  observed that, for many games, the game value is calculated through succinctly defined structures and for such games, he suggested that finding a solution should be done by a good algorithm (following Edmonds ), that is, within time polynomial in the number of players. Deng and Papadimitriou  suggested computational complexities be taken into consideration as another measure of fairness for evaluating and comparing different solution concepts.
In this paper, we present bounding-boxed core (BBC), an approximate revenue allocation algorithm for large cooperative security games that are intractable to be solved using traditional algorithms such as linear programming. Previous work in security revenue allocation investigate all coalitions and their corresponding values before computing the core. This is not feasible with large number of players, that is, organizations that attempt to protect security of their assets, because increasing number of players result in exponential growth of the coalition space. Our algorithm, to the best of our knowledge, is the first algorithm to provide an approximate solution to this problem. In addition, we utilize the special characteristics of the core, namely, its convexity, to analyze the approximation error and provide bounds on the worst case errors.
This paper is organized as follows. In Section 2, we describe the security game model and the revenue allocation problem. In Section 3 we present an overview of related background literature. The BBC algorithm is briefly explained in Section 4. Section 5 is devoted to the bounding box shrinking algorithm. Approximate core allocation approach is discussed in Section 6. Finally, experimental results for a case study cooperative game with 25 players is presented in Section 7 and Section 8 concludes the paper.
2. Security Model and Basic Definitions
We start by describing a simplified security problem and subsequently formally define a cooperative security game. Assume a finite set of organizations denoted by . Each organization has its own security resources and valuable assets which it protects against security attacks. Any subset is called a coalition. The security profit function is a function with , where denotes the power set of . For each coalition , is the value of that is interpreted as the security profit achieved by the collective action of organizations in without any assistance of organizations in . A security cooperative game is given by specifying the security profit function, that is, a value for every coalition. The security profit can be defined based on different measures, such as security resources of a coalition, the type and probability of successful attacks against these security measures, and the expected cost of such attacks. Instead of a security profit function, a security cost function can be used. In this paper we only deal with profit games, however, symmetric statement holds for cost games. Security profit functions are assumed to be superadditive, that is, the value of a union of disjoint coalitions is no less than the sum of the coalitions’ separate values:
Given a pair , the focus is how to fairly distribute the collective income. We denote the income distributed to individual organizations by a payoff vector satisfying , called an allocation. An allocation vector is called an imputation of the game if it also satisfies the individual rationality condition:
As an illustrative example, consider a set of online shopping sites which are willing to cooperate against intrusion detection attacks by sharing worm and virus signatures identified by their antivirus systems. The valuable assets in this scenario consists of a database of credit-card information. We consider a dollar value as the security profit associated with an attack. Let us consider two of these shopping sites . Let the expected security profit of site be , while this value is for site . If they cooperate by sharing their signatures, the expected security profit of their coalition would be . The allocation problem involves assigning and in a fair manner, which also motivates the formation of a coalition.
Additional requirements for fairness, stability, and rationality lead to different sets of allocations, which are generally referred to as solution concepts. Here, we shall discuss the most important one that is the core.
Sum of the coalitions' separate values.
The concept of the core was first introduced by Gillies  based on the concept of subgroup rationality.
Definition 1. The core of a game is defined by
The constraints imposed on ensure that no coalition would have an incentive to split from the grand coalition and do better on its own. The core is a subset of the hyperplanes defined by the equation , and since the inequalities are included in (3), the core is bounded. Thus, is a compact convex polyhedron, and possibly empty, of dimension at most . The definition of the core, involves an exponential number of constraints, therefore, exact computation of the core is infeasible in large scale games. In this paper, we present an approximate algorithm for core allocation.
3. Related Work
In the security community, there has been considerable effort in introducing models based on cooperation for defenders of a security attack, see for example [12, 19, 21, 23]. Here, we review the ones which explicitly use coalition games as their models. The authors in  define a coalition game for modeling risk management. In their model, divisions of an organization are the players of the game. They use an influence graph to specify the positive and negative effects that each division of the organization can have on other divisions. The security benefit of each coalition is then defined as a function involving the influence graph, the security resources of each division, and threats against vulnerabilities. They further enrich their model by introducing a friction graph which denotes the costs associated with cooperation. They analyze the formation of coalitions based on this model. Coalition game theory has also been used in modeling secure transmissions in a wireless network . In this problem a set of wireless transmitters try to transmit a message to a set of destinations in presence of eavesdroppers. The goal is to avoid the overhead of cryptography and self-organize the wireless transmitter such that secure wireless communication can be achieved. Coalition of transmitters can decode-and-forward (DF) or amplify-and-forward (AF) a signal, and in this way, completely null the signal at the eavesdroppers. In another recent study,  models defenders of a network security attack with coalition games. They analyze coalition formation in three canonical security games described previously in  for non-cooperative games.
The above mentioned papers mostly consider the problem of coalition formation. In this paper, we consider another important problem, namely, revenue allocation. Much of cooperative game theory is built around the question of distributing the collective income in fair and rational manners. Different philosophies result in different solution concepts that constitute the bargaining set family, that is, the various bargaining sets [15, 24], the Kernel  and the Nucleolus ; in effect, these notions are defined separately for each coalition structure. By contrast, the Shapley value , Core , and Von Neumann-Morgenstern solutions  are not a priori defined with reference to a coalition structure. In this part, we review related literature on determining the core.
One of the most important problems regarding the core is testing nonemptiness that is determining whether a given instance of the game has a nonempty core. Generally, determining core nonemptiness is NP-complete for cooperative games both with and without transferable utility . However, recently there has been increasing interest in investigating this problem in more specific games with a description polynomial in (number of players). As a case in point, the core nonemptiness testing problem is solvable in polynomial time for weighted graph games ; for minimum base game with no all-negative circuits can be solved in oracle-polynomial time .
Since the core is usually empty, some related solution concepts arise from the core via relaxing its constraints. Shapley and Shubik  recommended the concepts of (strong) -core and weak -core for a cooperative game. Their main idea is to relax the requirements of subgroup rationality by and for each proper subset of , respectively.
Later, Tijs and Driesssen  introduced the concept of multiplicative -tax core by using instead. Faigle and Kern  modified the requirement of Tijs and Driessen as to define another approximate core, called multiplicative -core. One explanation of these concepts is that cooperation may not be as hopeless even when the core is empty. Cooperation may be possible with the subsidies of the central authority.
All of the above mentioned algorithms need to investigate all coalitions and their corresponding values before computing the core; however, this is not feasible in cooperative games with large number of players due to the exponential growth of the coalition space.
4. The Bounding Boxed Core
The bounding-boxed Core (BBC) algorithm is a practical best-effort approach to distribute the collective security profit in an approximately fair manner among the involved organizations (players) in a given large cooperative security game .
More specifically, BBC consists of two main stages: tightening bounding box, and approximate core allocation. The former is an iterative global search algorithm to solve an axis-aligned smallest enclosing box problem. It finds the minimum-hypervolume -dimensional bounding box enclosing the core, that is, closed and convex set, subject to the constraint that the edges of the box are parallel to the (Cartesian) coordinate axes. Starting from some initial large bounding box, BBC iteratively tries to tighten the bounding box, obtained at the previous iteration, by heuristically considering some useful subset of constraints by the core (3). Consequently, a bounding box is generated once a given deadline is passed or some convergences condition is met. In the approximate core allocation step, BBC computes a unique payoff vector in the generated bounding box . The allocation values for individual players are determined by calculating the gravity center of the resulting bounding box .
5. Bounding Box Tightening
In this section, the iterative bounding box tightening algorithm is explained in details. The goal is to find the minimum-hypervolume bounding box enclosing the core using an iterative search algorithm. We use to denote the bounding box, obtained at -th iteration step. Initially, we know that player gets a payoff of in the core . The lower bound denotes individual rationality, that is, no player receives less than what it could get on its own; and the upper bound is obtained using one of the core constraints: along with the efficiency condition:
Therefore, we assign as shown in (13) to be the initial, that is, , bounding box enclosing the core. Throughout this paper, we will use notations and to denote the lower and upper bounds for the th player in the th bounding box.
The initial bounding box is further tightened during several iterations. First, we describe the single iteration of the tightening procedure given a permutation on the set of players: where, is in fact a one-to-one function from onto . Moreover, as a shorthand notation, we use () to denote .
5.1. Recursive Tree Construction
At each iteration , tightening algorithm starts with constructing a full binary tree on a given permutation of players , in a top-down manner. The root node, which covers all players , has two children nodes denoting two disjoint subsets of : and (). Breaking point is optimally determined in a way that the bounding box is tightened the most (discussed later). Recursively, children nodes are further partitioned into two disjoint subsets of their corresponding players: , , and , . Leaf nodes of the tree represent individual players, for example, .
To determine the optimal breaking point, let us consider an arbitrary parent node which covers a subset of players . Suppose () is the breaking point so that is partitioned into children nodes . Using the core constraints (3), and the bounding box , obtained at the previous iteration , we know where in the root node both bounds are equal to , but in lower level nodes
Similar conditions hold for children nodes, that is, . Furthermore, each child node can make use of its sibling's bounds to update, that is, tighten, its own bounds. As a case in point, we update bounds on the left child, that is, : where,
The right child also updates her bounds using the same justification. Consequently, the optimal breaking point is determined using where, and is defined similarly. Once the optimal breaking point is determined: players in the parent node are partitioned into two children coalitions ; upper and lower bounds on children are updated. As a result, recursive tree construction procedure is terminated when it gets to leaf nodes, that is, the players' payoffs, and updates their upper and lower bounds.
Figure 1 shows how the recursive tree construction algorithm updates the initial bounding box for a sample 3-player game, that is, . Characteristic values for different coalitions of the game are given in the Figure 1. The initial bounding box enclosing the core is obtained as that results in as shown in Figure 1. The updated values are illustrated in red font.
5.2. Iterative Search
In the previous section, we described how a given permutation of players is used in constructing a binary tree for tightening the bounding box. The permutation used, can be chosen at random, or as we describe in this section, it can be produced by an evolutionary algorithm which tends to generated permutations which result in larger reductions of the bounding box volume. During each iteration of the algorithm, we have a population , for example, , of permutations , which are used for tightening the bounding box as explained in Section 5.1. Once the bounding box around feasible point in the core is updated, the fitness function is calculated as follows for each permutation in current population and measures its quality, that is, how helpful it was in tightness improvement: where () denote bounds, at iteration , just before (after) they are updated using recursive tree construction on permutation . Once we have the population and the fitness function defined, iterative search algorithm proceeds to initialize a population of permutations randomly, then improves tightness of the bounding box through repetitive application of mutation, crossover, inversion and selection operators (discussed later).
Initially, permutations are randomly generated from the search space to form an initial population.
During each iteration , a proportion ( ) of the existing population is selected to breed a new generation of permutations . Individual permutations are selected through a fitness-based process, where top fittest permutations, as measured by (14), are selected.
The next step is to generate the next generation population of permutations from those selected. For each new permutation to be produced, a pair of parent permutations, that is, and , is selected for breeding from the pool selected previously. By producing a child permutation using function composition, that is, , a new permutation is created. New parents are selected for each child, that is, children permutations. Furthermore, new permutations are randomly generated. These processes ultimately result in the next generation population of permutations. Generally, the average fitness will have increased by this procedure for the population, since only the most useful permutation from the previous generation are selected.
This iterative search process is repeated until a termination condition has been reached. Terminating conditions can be defined regarding various criteria, such as: all possible permutations are investigated; a predefined deadline is passed ; tightness improvement in the last iteration was less than some nonnegative threshold , that is, .
6. Approximate Core Allocation
Once the bounding box around feasible points in the core is generated (see Section 5) , the candidate approximate core is computed as follows:
However, may not be in the actual core; therefore, here we analyze the worst case error, that is, distance between the core and the approximate . First, we need to define the distance between the point and the core , that is, a convex set of points:
In other words, the distance between a point and a set is the infimum of the distances between the point and those in the set.
Here, we exploit the convexity of the core in analyzing the worst case error of the the approximate core, , that is defined as follows where is the convex set space in ; and denotes the minimum-volume axis-aligned bounding box around the set .
We first obtain when , and then, generalize the result to higher dimensional spaces. Given , w.l.o.g. we transfer to the origin using the linear transformation ; therefore, we get the bounding box that consists of planes: and , where . As discussed earlier (Section 2), the core is a convex subset of the hyperplanes. It can be shown that the worst case error (see (17)) is caused by whose closest hyperplane to the point includes those vertices of , any pair of which have exactly one of the bounding box planes in common: therefore,
Hence, is obtained as the distance between the point and :
As a case in point, let . Without considering convexity of the core, we know that is the distance between any of the vertices of and its gravity center . But, exploiting the convexity of the core (21) yields a better result .
For higher dimensional spaces, that is, games with more than players, discussions remain exactly the same and the worst case error is obtained as:
In this section, we present the results from our prototype implementation of BBC on a case study large cooperative game. The system we used for implementation was a 2.20 GHz AMD Athlon 64 processor 3700+ with 2.00 GB of memory and Windows XP SP3 operating system. Because of large number of coalitions the bottleneck is usually the memory that caused our first prototype to crash; hence, we reimplemented the whole algorithm in C++ from scratch using more sophisticated data structures to speed up the iterative search and reduce memory consumption.
Here, we present the evaluation results of the BBC algorithm for a cooperative game with 25 players in which there are about 34 million coalitions of players.
Figure 2 shows the number of coalitions in each coalition class that is defined based on its size, that is, number of players. As discussed earlier, every cooperative game is determined by its characteristic function for each coalition. Figure 3 shows the maximum characteristic value for each coalition class. As shown in the figure, value for grand coalition is 1604. Furthermore, coalition values satisfy supperadditivity property.
Given the characteristic values for the cooperative game, we start iterative tightening of the 25-dimensional bounding box. Figure 4 illustrates the initial lower and upper bounds for individual dimensions, that is, players' payoffs, of the initial bounding box, as in (13), and their corresponding updated bounds. In this experiment, we assigned and .
Finally, bounding box volume reduction, during the iterative tightening algorithm, is shown in Figure 5 with scale. As illustrated in the logarithmic-scale graph, although the bounding box volume has shrank more than units during only a few seconds, tightening speed significantly decreases afterwards. Consequently, after about 25 minutes, bounding-box volume is times its initial value.
In this paper, we present an approximate core allocation algorithm, called the bounding-boxed core (BBC), for cooperative security games with large number of organizations (players). Since the definition of core involves an exponential number of constraints in terms of the number of organizations, it is infeasible to solve this problem for exact solutions. We present an analysis of the maximum approximation error incurred by BBC. We also proposed a heuristic search algorithm based on Genetic algorithms to search the input space. Experimental results show that BBC significantly speeds up core allocation. In modeling cooperation among large number of organizations, this is an important step in achieving a practical solution in limited time.
- D. B. Gillies, “Solutions to general non-zero-sum games,” in Contributions to the Theory of Games 4, R. D. Luce and A. W. Tucker, Eds., Annals of Mathematics Studies, pp. 47–85, Princeton, 1959.
- L. S. Shapley, “Cores of convex games,” International Journal of Game Theory, vol. 1, no. 1, pp. 11–26, 1971.
- L. S. Shapley, “A value for n-person games,” in Contributions to the Theory of Games 2, H. W. Kuhn and A. W. Tucker, Eds., Annals of Mathematics Studies, pp. 307–317, Princeton, 1953.
- H. Kunreuther and G. Heal, “Interdependent Security,” Journal of Risk and Uncertainty, vol. 26, no. 2-3, pp. 231–249, 2003.
- H. Narasimhan, V. Varadarajan, and U. Rangan, “Towards a cooperative defense model against network security attacks,” in Proceeding of the 9th Workshop on the Economics of Information Security (WEIS '10).
- J. V. Neumann and O. Morgenstern, Theory of Games and Economic Behaviour, Princeton, 1944.
- S. H. Tijs and T. S. H. Driessen, “Extensions of solution concepts by means of multiplicative ε-tax games,” Mathematical Social Sciences, vol. 12, no. 1, pp. 9–20, 1986.
- V. Conitzer and T. Sandholm, “Complexity of determining nonemptiness of the core,” in Proceedings of the 4th ACM Conference on Electronic Commerce, pp. 230–231, June 2003.
- U. Faigle and W. Kern, “On some approximately balanced combinatorial cooperative games,” Methods and Models of Operations Research, vol. 38, no. 2, pp. 141–152, 1993.
- H. Nagamochi, D. Z. Zeng, N. Kabutoya, and T. Ibaraki, “Complexity of the minimum base game on matroids,” Mathematics of Operations Research, vol. 22, no. 1, pp. 146–164, 1997.
- D. Schmeidler, “The nucleolus of a characteristic function game,” SIAM Journal of Applied Mathematics, vol. 17, no. 1163, 1170 pages, 1969.
- D. Frincke, D. Tobin, J. Mcconnell, J. Marconi, and D. and Polla, “A framework for cooperative intrusion detection,” in Proceedings of the 21st NIST-NCSC National Information Systems Security Conference, pp. 361–373, 1998.
- Q. Hong Wang and S. Hyun Kim, “Cyber attacks: Cross-country interdependence and enforcement,” in Proceeding of the 8th Work shop on the Economics of Information Security (WEIS 2009).
- X. Deng and C. Papadimitriou, “On the complexity of cooperative game solution concepts,” Mathematics of Operations Research, vol. 19, pp. 257–266, 1994.
- M. Davis and M. Maschler, “Existence of stable payoff configurations for cooperative games,” in Essays in Mathematical Economics in Honor of Oskar Morgenstern, M. Shubik, Ed., pp. 39–52, Princeton, 1967.
- W. Saad, Z. Han, T. Başar, M. Debbah, and A. Hjørungnes, “Distributed coalition formation games for secure wireless transmission,” Mobile Networks and Applications, vol. 16, no. 2, pp. 231–245, 2011.
- H. A. Simon, “Theories of bounded rationality,” in Decision and Organization, C. Radner and R. Radner, Eds., pp. 161–176, 1972.
- Report of the OECD task force on spam, “Antispam toolkit of recommended policies and measures,” Tech. Rep., Directorate for Science, Technology and Industry, Committee on Consumer Policy Committee for Information, Computer and Communications Policy, 2006.
- F. Cuppens and A. Miège, “Alert correlation in a cooperative intrusion detection framework,” in Proceedings of the Symposium on Security and Privacy, pp. 202–215, IEEE Computer Society, Washington, DC, USA, May 2002.
- M. Davis and M. Maschler, “The kernel of a cooperative game,” Naval Research Logistics, vol. 12, pp. 223–259, 1965.
- D. Nojiri, J. Rowe, and K. Levitt, “Cooperative response strategies for large scale attack mitigation,” in Proceedings of the 3rd DARPA Information Survivability Conference and Exposition (DISCEX '03), pp. 293–302, 2003.
- W. Saad, T. Alpcan, T. Başar, and A. Hjørungnes, “Coalitional game theory for security risk management,” in Proceedings of the 5th International Conference on Internet Monitoring and Protection (ICIMP '10), pp. 35–40, Washington, DC, USA, May 2010.
- T. Moore, “Cooperative attack and defense in distributed networks,” Tech. Rep. UCAM-CL-TR-718, Computer Laboratory, University of Cambridge, 2008.
- R. J. Aumann and M. Maschler, “The bargaining set for cooperative games,” in Advances in Game Theory, M. Dresher, L. S. Shapley, and A. W. Tucker, Eds., Annals of Mathematics Studies, pp. 443–476, Princeton, 1964.
- N. Megiddo, “Computational complexity and the game theory approach to cost allocation for a tree,” Mathematics of Operations Research, vol. 3, pp. 189–196, 1978.
- J. Grossklags, N. Christin, and J. Chuang, “Secure or insure? a game-theoretic analysis of information security games,” in Proceedings of the 17th International Conference on World Wide Web (WWW '08), pp. 209–218, New York, NY, USA, April 2008.
- L. Shapley and M. Shubik, “Quasi-cores in a monetary economy with nonconvex preference,” Econometrica, vol. 34, pp. 805–827, 1966.
- J. Edmonds, “Path, tree, and flowers,” Canadian Journal of Mathematics, vol. 17, pp. 449–469, 1965.