Fig. 1. Expected damage costs as functions of defense budget.

Optimal defense strategy against intentional attacks
Gregory Levitin, Senior Member IEEE
The Israel Electric Corporation Ltd., Haifa
E-mail: [email protected]
Abstract - This paper presents a generalized model of damage caused to a complex multi-state
series-parallel system by intentional attack. The model takes into account the defense strategy
that presumes separation and protection of system elements. The defense strategy optimization
methodology is suggested, based on the assumption that the attacker tries to maximize the
expected damage of an attack. An optimization algorithm is presented that uses a universal
generating function technique for evaluating the losses caused by system performance
reduction, and a genetic algorithm for determining the optimal defense strategy. Illustrative
examples of defense strategy optimization are presented.
Index Terms – Survivability, optimization, multi-state system, separation, protection, attacker's
strategy, defense strategy, universal generating function, genetic algorithm.
Acronyms (the singular and plural of an acronym are always spelled the same)
PG: protection group
pmf: probability mass function
GA: genetic algorithm
u-function: universal generating function
Definitions
Element: lowest-level part of the system, which is characterized by its inherent value, availability, and nominal performance rate; and can have two states: normal operation, and total failure
Component: collection of elements with the same functionality connected in parallel in the reliability logic-diagram sense
Protection: technical or organizational measure aimed at the reduction of the destruction probability of a group of system elements in the case of attack
Separation: action aimed at preventing the simultaneous destruction of several elements in the case of a single attack (can be performed by spatial dispersion, by encapsulating different elements into different protective casings, by using different power sources, etc.)
Protection group: group of system elements separated from other elements, and possibly protected, so that a single external impact destroying elements belonging to a certain group cannot destroy elements from other groups
Performance rate: quantitative measure of task performing intensity of element or system (capacity, productivity, processing speed, task completion time etc.)
Nomenclature
Pr(e): probability of event e
1(): unity function: 1(TRUE) = 1, 1(FALSE) = 0
N: total number of system components
Jn: number of elements in system component n
xnk: nominal performance of element k in component n
pnk: availability of element k in component n
Mn: number of PG in component n
Φn: set of elements belonging to component n
Φnm: set of elements of component n belonging to the m-th PG
|Φnm|: number of elements in the m-th PG from component n
γ: matrix representing the distribution of system elements among PG: γ={γnj | 1≤n≤N, 1≤j≤Jn}, where γnj is the number of the PG to which element j in component n belongs
Bn: number of different types of protections available for component n
vn(k): expected vulnerability of the protection of type k in component n (vn(0)=1 by definition). Depending on the problem formulation, vn(k) can be interpreted as the probability of protection destruction in a single attack, or in a series of attacks
on(k,x): cost of protection of type k for the group of x elements in component n
õnm: cost of attack on PG m in component n
Õ: budget of the attacker
β: matrix of protection types chosen for different PG: β={βnm | 1≤n≤N, 1≤m≤Mn}, where βnm is the number of the type of protection chosen for PG m in component n
O(β,γ): cost of defense strategy
O*: maximum allowable cost of the defense strategy
(O(β,γ)): penalized cost of the defense strategy (with respect to the budget constraint)
: penalty coefficient
αnm: probability of an attack on the m-th PG of component n
α: matrix of the attack probability distribution (attacker's strategy): α={αnm | 1≤n≤N, 1≤m≤Mn}
α(n,m): matrix representing predetermined attack on PG m in component n: α(n,m)={αnm=1, αkl=0 for any k≠n or l≠m}
hnk: inherent value of element k in component n (the loss incurred by the defender if element k is destroyed, irrespective of the loss caused by reduced system performance)
Hnm: inherent value of the m-th PG infrastructure in component n (the loss incurred by the defender if the PG is destroyed, irrespective of the loss of elements belonging to the PG, and the loss caused by reduced system performance)
W: system demand (desired level of system performance)
c(g,W): cost of losses associated with the system performance reduction below the demand
G: random performance rate of the entire system
gs: system performance rate at state s
qs: probability that the system is in state s
S: number of system states
D(α,β,γ): expected damage caused by the attack strategy α given the defense strategy β, γ
unk(z): u-function representing the pmf of the random performance of element k in component n
Unm(z): u-function representing the conditional pmf of the performance of PG m in component n
Ũnm(z): u-function representing the pmf of performance of component n
I. INTRODUCTION
Protecting against intentional attacks is fundamentally different from protecting against
accidents or natural cataclysms. An adaptive strategy allows the attacker to target the most
sensitive parts of a system. Choosing the time, place, and means of attacks, the attacker always
has an advantage over the defender. Therefore, the optimal policy for allocating resources
among possible defensive investments should take into account the attacker's strategy.
In pioneering works [1] & [2], the models of optimal defense investment were suggested,
and studied under the assumption that the attacker maximizes either the success probability of
an attack, or expected damage of an attack on the system. While demonstrating a general
approach, and suggesting some useful recommendations, these models cannot be directly
applied to minimizing the expected damage in systems of realistic size & complexity. The
models do not consider some important aspects:
- the limited availability of system elements,
- the possibility of the destruction of several elements by a single attack,
- the damage caused by partial system incapacitation,
- the discrete nature of protection alternatives.
A survivable system is one that is able to "complete its mission in a timely manner, even if
significant portions are incapacitated by attack or accident" [3]. This definition presumes two
important things.
1. First, both the impact of external factors (attacks), and internal causes (failures), affect
system survivability. Therefore it is important to take into account the influence of the
availability of system elements on the entire system survivability.
2. Second, a system can have different states corresponding to different combinations of
failed or damaged elements composing the system. Each state can be characterized by a
system performance rate, which is the quantitative measure of a system’s ability to
perform its task [4]. For example, the performance rates of a power generating unit,
production line, and communication channel represent
generating capacity,
productivity, and bandwidth respectively. The system success is defined as its ability to
meet a demand (desired performance rate).
When applied to multi-state systems, the damage caused by the destruction of elements
with different performance rates will be different. Therefore, the performance rates of system
elements should be taken into account when the damage caused by the attack is estimated.
Numerous studies were devoted to estimating the impact of external factors on the system
survivability based on a common cause failure approach [5]-[14]. All these studies consider
systems with identical elements (k-out-of-n formulation), and do not take into account element
performance rates. The models of multi-state system survivability were presented in [15]-[19],
where optimal element separation & protection algorithms were suggested, which can be
applied to complex series-parallel, and bridge systems. However, in these models, the adaptive
attacker's strategy was ignored.
In this paper, an attempt is made to present a generalized model of system defense strategy
that combines the ideas of [1], [2], and [15]-[19]. The paper also presents a defense strategy
optimization methodology, and an algorithm that can be applied to complex series-parallel
multi-state systems.
In Section II, the model of system defense strategy is presented. The problems of the
defense strategy optimization are formulated in Section III. The computational technique for
evaluating the system performance for arbitrary attacker & defender strategies is described in
Section IV. The optimization approach is briefly discussed in Section V. Illustrative examples
of defense strategy optimization for power substations are presented in Section VI. The
directions of further research are briefly outlined in Section VII.
II. THE MODEL
The system consists of N s-independent components composing a series-parallel
configuration. Each component n consists of Jn elements of the same functionality connected in
parallel. Each element k in component n is characterized by its nominal performance xnk, and
availability pnk. The states of the elements are independent.
The elements within any component can be separated (to avoid the entire component
destruction by a single attack), and protected. Parallel elements not separated from one another
are considered to belong to the same protection group (PG). All the elements belonging to the
same protection group are destroyed by the same successful attack. More than one protection
group cannot be destroyed by a single attack.
Because system elements with the same functionality can have different performance rates,
and different availability, the way the elements are distributed among the PG affects the system
survivability. The element separation problem for each component n can be considered as a
problem of partitioning a set Φn of Jn items into a collection of Mn mutually disjoint subsets
Φnm, i.e. such that
$$\bigcup_{m=1}^{M_n} \Phi_{nm} = \Phi_n, \tag{1}$$
$$\Phi_{ni} \cap \Phi_{nj} = \emptyset, \quad i \neq j. \tag{2}$$
Each set can contain from 0 to Jn elements. If |Φnm|=Jn, and |Φnj|=0 for any j≠m, all of
the elements of component n are gathered within a single PG; if |Φnm|≤1 for any m, all of the
elements are separated. The total number of PG in a component must not be equal to or less
than the number of elements in the component because some PG can remain empty, being used
as false targets for the attacker.
The partition of the set Φn can be represented by the vector {γnj, 1≤j≤Jn}, where γnj is the
number of the subset to which element j belongs (1≤γnj≤Mn). The matrix γ of values γnj for
1≤j≤Jn, and 1≤n≤N determines the elements' distribution among the protection groups for the
entire system (separation strategy of the defender).
For each protection group belonging to component n, there exists a set of Bn+1 available
types of protections. For example, the same group of elements can be located outdoor
(cheapest, but most vulnerable protection), within a shed, or in an underground bunker (most
expensive, but most effective protection). Each protection of type βnm (0≤βnm≤Bn) is
characterized by its cost, and its vulnerability vn(βnm) defined as the conditional probability that
the PG is destroyed given it is attacked. Protection type βnm=0 corresponds to the absence of
any protection. By definition, vn(0)=1; however, the cost of protection type 0 can be greater
than zero because it represents the cost of the common infrastructure of the PG (the separation
usually requires additional areas, constructions, communications, etc.). In general, the
protection cost of any PG m in component n can also depend on the number of elements it
comprises: on(βnm, |Φnm|).
The matrix β of the values of βnm chosen for any PG m, and component n, represents the
entire protection strategy of the defender. The total cost of the system defense strategy
(separation and protection) β, γ can be determined as
$$O(\beta,\gamma) = \sum_{n=1}^{N}\sum_{m=1}^{M_n} o_n(\beta_{nm}, |\Phi_{nm}|). \tag{3}$$
The strategy of the attacker can be represented by matrix α={αnm | 1≤n≤N, 1≤m≤Mn},
where αnm is the probability of attack on PG m in component n. Having the attacker's strategy,
one obtains the unconditional probability of destruction for any PG m in component n as
αnm vn(βnm).
For any given attacker's strategy α, and defender's strategy β, γ, one can determine the
probabilistic distribution of the entire system performance (pmf of random value G) in the
form gs, qs(α,β,γ)=Pr(G=gs) (1≤s≤S) using the algorithm presented in Section IV.
Let c(gs,W) be a function of losses associated with the system performance reduction
below the demand W. The expected cost of these losses for the given attacker's and defender's
strategies can be determined as
$$C(\alpha,\beta,\gamma,W) = \sum_{s=1}^{S} q_s(\alpha,\beta,\gamma)\, c(g_s,W). \tag{4}$$
For example, when the losses are proportional to the unsupplied demand,
c(gs,W) =  max(W−gs, 0) (where  is the cost of unsupplied demand unit), and
$$C(\alpha,\beta,\gamma,W) = \,\sum_{s=1}^{S} q_s(\alpha,\beta,\gamma)\,\max(W-g_s,0); \tag{5}$$
if the system totally fails when its performance becomes lower than the demand,
c(gs,W) =  1(gs<W) (where  is the cost of system failure), and
$$C(\alpha,\beta,\gamma,W) = \,\sum_{s=1}^{S} q_s(\alpha,\beta,\gamma)\,1(g_s<W). \tag{6}$$
For variable demand with pmf wk, fk=Pr(W=wk) (1≤k≤K), (4) takes the form
$$C(\alpha,\beta,\gamma,W) = \sum_{k=1}^{K} f_k \sum_{s=1}^{S} q_s(\alpha,\beta,\gamma)\, c(g_s,w_k). \tag{7}$$
The total expected damage caused by the attack should include the cost of losses associated
with system performance reduction, and losses of inherent values of the destroyed elements &
the infrastructure
$$D(\alpha,\beta,\gamma) = \sum_{n=1}^{N}\sum_{m=1}^{M_n} \alpha_{nm} v_n(\beta_{nm})\Big(H_{nm} + \sum_{k\in\Phi_{nm}} h_{nk}\Big) + C(\alpha,\beta,\gamma,W). \tag{8}$$
The optimal defender strategy β*, γ* should minimize the expected damage
D(α,β,γ) assuming that the attacker uses the most harmful strategy α possible under a given
attacker's resources, and the attacker's information about the system.
III. DEFENSE STRATEGY OPTIMIZATION PROBLEMS
If the defender has a finite budget O*, the optimal strategy is to minimize the expected
damage subject to the budget constraint. If the budget is unlimited, the defender should
minimize the expected damage plus the total defense investment cost. The optimization
problem can be formulated as
$$\beta^*,\gamma^* = \underset{\beta,\gamma}{\arg}\{(O(\beta,\gamma)) + D(\alpha,\beta,\gamma) \to \min\}, \tag{9}$$
where for the constrained case
$$(O(\beta,\gamma)) = \,1(O(\beta,\gamma) > O^*), \tag{10}$$
 is a constant greater than the maximal possible damage; and for the unconstrained case
$$(O(\beta,\gamma)) = O(\beta,\gamma). \tag{11}$$
According to [2], we consider several cases in which the attacker's strategy depends on
whether the attacker is limited to attacking a single target, or can attack multiple targets; and on
the attacker's knowledge of the system, and the defense strategy.
A. Single attack
The assumption that only a single attack is possible is realistic when the attacker has
limited resources, or when the attack leads to the attacker being detected & disabled. In this
case, the attacks on different PG are mutually exclusive events, and
$$\sum_{n=1}^{N}\sum_{m=1}^{M_n} \alpha_{nm} = 1. \tag{12}$$
In the case when the attacker has perfect knowledge about the system and its defenses (the
attacker has access to inside information, or information about the system and its defenses is
readily observable), the attacker's strategy is α=α(n,m), where
$$(n,m) = \underset{1\le n\le N,\;1\le m\le M_n}{\arg}\{D(\alpha(n,m),\beta,\gamma) \to \max\}, \tag{13}$$
where α(n,m) is the matrix in which all the elements are equal to zero, besides element αnm
which is equal to one.
If the attacker has perfect knowledge about the system itself, but not about its defenses, the
attacker tries to maximize the expected damage assuming that different PG are equally
protected (it can be assumed that protections of type 0 are used for any PG). In this case, the
optimal attacker's strategy is α=α(n,m), where
$$(n,m) = \underset{1\le n\le N,\;1\le m\le M_n}{\arg}\{D(\alpha(n,m),0,\gamma) \to \max\}. \tag{14}$$
The optimal defense strategies in the former, and latter cases are
$$\beta^*,\gamma^* = \underset{\beta,\gamma}{\arg}\{(O(\beta,\gamma)) + \max_{1\le n\le N,\;1\le m\le M_n} D(\alpha(n,m),\beta,\gamma) \to \min\}, \tag{15}$$
and
$$\beta^*,\gamma^* = \underset{\beta,\gamma}{\arg}\{(O(\beta,\gamma)) + \max_{1\le n\le N,\;1\le m\le M_n} D(\alpha(n,m),0,\gamma) \to \min\} \tag{16}$$
respectively.
If the attacker has no information about the system, or cannot direct the attack precisely
(low-precision missile attack), we can assume that the attacker chooses targets at random, and
$$\alpha_{nm} = 1\Big/\sum_{n=1}^{N} M_n \tag{17}$$
for any component n, and PG m. In the case of imperfect attacker's knowledge about the
system, we can assume the existence of positive correlation between the expected damage, and
the attack probability αnm  D(α(n,m),β,γ). In the case of deceptive attacker's knowledge
about the system (for example, when the defender succeeds in misinforming the attacker), the
correlation between the expected damage, and the attack probability can be negative.
Having the model α of the attacker's strategy, one can estimate the expected damage as
$$D(\alpha,\beta,\gamma) = \sum_{n=1}^{N}\sum_{m=1}^{M_n} \alpha_{nm}\, D(\alpha(n,m),\beta,\gamma), \tag{18}$$
and find the optimal defense strategy as
$$\beta^*,\gamma^* = \underset{\beta,\gamma}{\arg}\{(O(\beta,\gamma)) + \sum_{n=1}^{N}\sum_{m=1}^{M_n} \alpha_{nm}\, D(\alpha(n,m),\beta,\gamma) \to \min\}. \tag{19}$$
B. Multiple attacks
The attacks can take place sequentially, or simultaneously. However, following [2], we
assume that the attacks are independent. Their probabilities cannot be changed in accordance
with achieved results; and successes, and failures of different attacks are independent events.
Because several targets can be attacked, the assumption (12) on the attacker's strategy does
not hold. In the worst case of unlimited attacker's resources, any target can be attacked with
probability 1: αnm=1 for 1≤n≤N, 1≤m≤Mn. If the attacker's budget is limited, and the attacker’s
knowledge about the system is perfect, the most effective attack strategy is
$$\alpha = \underset{\alpha}{\arg}\{D(\alpha,\beta,\gamma) \to \max\} \tag{20}$$
$$\text{subject to } \sum_{n=1}^{N}\sum_{m=1}^{M_n} \alpha_{nm}\,\tilde{o}_{nm} \le \tilde{O}, \quad \alpha_{nm}=\{0,1\},$$
where õnm is the cost of the attack on PG m in component n, and Õ is the attacker's budget.
When the attacker's knowledge about the system is imperfect or deceptive, the attack
probabilities can have positive or negative correlation with the expected damage caused by the
attacks.
Because different attacks are not mutually exclusive events, the expected damage cannot
be obtained using (18), and the defense strategy optimization problem takes the form
$$\beta^*,\gamma^* = \underset{\beta,\gamma}{\arg}\{(O(\beta,\gamma)) + D(\alpha,\beta,\gamma) \to \min\} \tag{21}$$
IV. EVALUATING THE PMF OF SYSTEM PERFORMANCE
To solve the presented optimization problems, one has to develop an algorithm for
evaluating the expected damage D(α,β,γ ) for arbitrary attacker's, and defender's strategies.
Having the system performance distribution in the form gs, qs(α,β,γ) for 1≤s≤S, one can obtain
the expected damage using (4) & (8). The system performance distribution can be obtained
using the universal generating function (u-function) technique suggested in [20], proven to be
an effective tool for reliability analysis, and optimization [21].
A. Universal generating function technique
The u-function representing the pmf of a discrete random variable Y is defined as a
polynomial
H
uY ( z )   h z y h ,
(22)
h 0
where the variable Y has H+1 possible values, yh is the h-th realization of Y, and h = Pr(Y =
yh).
To obtain the u-function representing the pmf of a function of two independent random
variables (X, T), the following composition operator is used:
H
U  (Y ,T ) ( z )  uY ( z )  uT ( z )  (  h z

h 0
yh
D
) (  d z

d 0
td
)
H
D
  h d z ( yh ,t d ) .
(23)
h 0 d 0
This polynomial represents all of the possible mutually exclusive combinations of
realizations of the variables Y, and T by relating the probabilities of each combination to the
value of the function (Y, T) for this combination.
In our case, the u-functions can represent performance distributions of individual system
elements, and their groups. Any element k of component n can have two states: functioning
with nominal performance xnk (with probability pnk), and total failure (with probability 1-pnk).
The performance of a failed element is zero. The u-function representing this performance
distribution takes the form
$$u_{nk}(z) = p_{nk}\, z^{x_{nk}} + (1-p_{nk})\, z^{0}. \tag{24}$$
If, for any pair of elements connected in series or in parallel, their cumulative performance is
defined as a function of individual performances of the elements, the pmf of the entire system
performance can be obtained using the following recursive procedure [21].
Procedure 1.
1. Find any pair of system elements connected in parallel, or in series.
2. Obtain the u-function of this pair using the corresponding composition operator  over two

u-functions of the elements, where the function  is determined by the nature of the
interaction between elements' performances.
3. Replace the pair with a single element having the u-function obtained in step 2.
4. If the system contains more than one element, return to step 1.
The choice of the composition functions  depends on the type of connection between the
elements, and on the type of the system. Different types of these functions are considered in
[21]. For example, in systems with performance measure defined as productivity or capacity
(continuous materials or energy transmission systems, manufacturing systems, power supply
systems), the total performance of elements connected in parallel is equal to the sum of the
performances of its elements. Therefore, the composition function for a pair of elements
connected in parallel takes the form
 par(Y, T) = Y+T.
(25)
When the elements are connected in series, the element with the lowest performance
becomes the bottleneck of the system. Therefore the composition function for a pair of
elements connected in series is
 ser(Y, T) = min(Y, T).
(26)
B. Incorporating PG destruction probability
The u-function Unm(z) for any PG m in component n can be obtained using Procedure 1
with composition operator _{par} over all the elements belonging to the set Φnm. This u-function
represents the conditional pmf of the PG's cumulative performance given the PG is not
destroyed by an attack. If the PG is protected by the protection of type βnm, it can be destroyed
with probability αnm vn(βnm). To obtain the unconditional pmf of the PG's performance, one
should multiply by 1−αnm vn(βnm) the probabilities of all the PG's states in which the group has
nonzero performance rates. The u-function Ũnm(z) representing the unconditional pmf can be
obtained as follows.
$$\tilde{U}_{nm}(z) = [1-\alpha_{nm}v_n(\beta_{nm})]\,U_{nm}(z) + \alpha_{nm}v_n(\beta_{nm})\,z^{0} \tag{27}$$
Having the operators (23) & (27), we can apply the following procedure for obtaining the
pmf of the entire system performance for any given attacker's strategy α, and defender's
strategy β, γ.
Procedure 2.
1. For any component n=1, …, N:
1.1. Define Un(z)=z^0.
1.2. For any nonempty PG (set Φnm):
1.1.1. Define Unm(z)=z^0.
1.1.2. For any element k belonging to Φnm, modify Unm(z) as follows: Unm(z)=Unm(z) _{par} unk(z).
1.3. Obtain the u-function Ũnm(z) representing the unconditional pmf of PG m using (27).
1.4. Modify the u-function Un(z) as follows: Un(z)=Un(z) _{par} Ũnm(z).
2. Apply Procedure 1 over the u-functions of the components in accordance with the series-parallel system structure.
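The following Python code is an added example, not code from the paper: it carries out Procedure 2 with (24)-(27) for components connected in series, evaluates the expected damage (8) with the loss function (5), and finds the attacker's best single target as in (13). The two-component system, all of its numbers, and every function and variable name are constructed for illustration.

```python
"""Added example: Procedure 2 and eqs. (5), (8), (13), (24)-(27), series system.

The system below and every number in it are constructed for illustration."""
from itertools import product


def compose(u, t, phi):
    """Composition operator (23); a u-function is a dict {performance: probability}."""
    out = {}
    for (y, py), (x, px) in product(u.items(), t.items()):
        g = phi(y, x)
        out[g] = out.get(g, 0.0) + py * px
    return out


def par(y, t):
    """Eq. (25): capacities of parallel elements add up."""
    return y + t


def ser(y, t):
    """Eq. (26): the weakest component in series is the bottleneck."""
    return min(y, t)


def element_u(p, x):
    """Eq. (24): nominal performance x with probability p, otherwise zero."""
    u = {0: 1.0 - p}
    u[x] = u.get(x, 0.0) + p
    return u


def pg_u(pg, attack_prob):
    """Steps 1.2-1.3 of Procedure 2: conditional pmf of the PG, then eq. (27)."""
    u = {0: 1.0}
    for p, x, _h in pg["elements"]:
        u = compose(u, element_u(p, x), par)
    destroyed = attack_prob * pg["v"]  # alpha_nm * v_n(beta_nm)
    out = {g: (1.0 - destroyed) * q for g, q in u.items()}
    out[0] = out.get(0, 0.0) + destroyed
    return out


def system_pmf(system, alpha):
    """Procedure 2 for components in series; alpha[n][m] is the attack probability."""
    total = None
    for n, component in enumerate(system):
        u_n = {0: 1.0}
        for m, pg in enumerate(component):
            u_n = compose(u_n, pg_u(pg, alpha[n][m]), par)
        total = u_n if total is None else compose(total, u_n, ser)
    return total


def expected_damage(system, alpha, demand, unit_cost):
    """Eq. (8), with the unsupplied-demand loss of eq. (5)."""
    inherent = sum(
        alpha[n][m] * pg["v"] * (pg["H"] + sum(h for _p, _x, h in pg["elements"]))
        for n, component in enumerate(system)
        for m, pg in enumerate(component)
    )
    pmf = system_pmf(system, alpha)
    loss = unit_cost * sum(q * max(demand - g, 0) for g, q in pmf.items())
    return inherent + loss


def worst_single_attack(system, demand, unit_cost):
    """Eq. (13): the single target chosen by an attacker with perfect knowledge."""
    best = None
    for n, component in enumerate(system):
        for m in range(len(component)):
            alpha = [[0.0] * len(c) for c in system]
            alpha[n][m] = 1.0
            damage = expected_damage(system, alpha, demand, unit_cost)
            if best is None or damage > best[1]:
                best = ((n, m), damage)
    return best


# Constructed data. Element = (availability p, performance x, inherent value h);
# "v" is the vulnerability of the chosen protection, "H" the PG infrastructure value.
E1, E2 = (0.9, 60, 10), (0.8, 60, 10)
FEEDER = [{"elements": [(0.95, 100, 50)], "v": 0.5, "H": 20}]
GROUPED = [[{"elements": [E1, E2], "v": 1.0, "H": 5}], FEEDER]
SEPARATED = [[{"elements": [E1], "v": 1.0, "H": 5},
              {"elements": [E2], "v": 1.0, "H": 5}], FEEDER]

if __name__ == "__main__":
    for name, system in (("grouped", GROUPED), ("separated", SEPARATED)):
        target, damage = worst_single_attack(system, demand=60, unit_cost=2)
        print(f"{name}: worst target (component, PG) = {target}, D = {damage:.2f}")
```

With the two parallel elements in one unprotected PG, the worst single attack destroys the whole first component; once they are separated, the worst target shifts to the protected second component and the worst-case damage drops.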
V. OPTIMIZATION TECHNIQUE
In Section III, complicated combinatorial optimization problems are formulated. An
exhaustive examination of all possible solutions is not realistic, considering reasonable time
limitations. As in most combinatorial optimization problems, the quality of a given solution is
the only information available during the search for the optimal solution. Therefore, a heuristic
search algorithm is needed which uses only estimates of solution quality, and which does not
require derivative information to determine the next direction of the search.
Several powerful universal optimization meta-heuristics have been designed recently. Such
meta-heuristics as Genetic Algorithm (GA) [22], Ant Colony Optimization [23], Tabu Search
[24], Variable Neighbourhood Descent [25], Great Deluge Algorithm [26], Immune Algorithm
[27], and their combinations (hybrid optimization techniques) proved to be effective in solving
different reliability optimization problems of real size & complexity [28].
All of these algorithms require solution representation in the form of strings. Any defense
strategy β, γ can be represented by concatenation of integer strings {γnj, 1≤n≤N, 1≤j≤Jn}, and
{βnm for 1≤n≤N, 1≤m≤Mn}. The total length of the solution representation string is $2\sum_{n=1}^{N} J_n$.
The substring γ determines the distribution of elements among protection groups, and the
substring β determines types of protections chosen for the PG. Because the maximal possible
number of protections is equal to the total number of elements in the system (in the case of
total element separation), the length of substring β should be equal to the total number of the
elements. If the number of PG defined by substring γ is less than the total number of system
elements, the redundant elements of substring β are ignored.
In this work, the GA is used to obtain the solutions presented in the next section. The
details of the GA implementation can be found in [4], [15]-[19].
The basic structure of the version of GA referred to as GENITOR [29] is as follows. First,
an initial population of Ns randomly constructed solutions (strings) is generated. Within this
population, new solutions are obtained during the genetic cycle by using crossover, and
mutation operators. The crossover produces a new solution (offspring) from a randomly
selected pair of parent solutions, facilitating the inheritance of some basic properties from the
parents by the offspring. Mutation results in slight changes to the offspring’s structure, and
maintains a diversity of solutions. This procedure avoids premature convergence to a local
optimum, and facilitates jumps in the solution space.
Each new solution is decoded (β and γ are determined), and its objective function (fitness)
values are estimated. In our algorithm, the fitness is determined as D*−D(α,β,γ), where D* is a
positive constant (solutions with the minimal expected damage D(α,β,γ) have maximal
fitness). The fitness values, which are a measure of quality, are used to compare different
solutions. The comparison is accomplished by a selection procedure that determines which
solution is better: the newly obtained solution, or the worst solution in the population. The
better solution joins the population, while the other is discarded. If the population contains
equivalent solutions following selection, redundancies are eliminated, and the population size
decreases as a result.
After new solutions are produced Nrep times, new randomly constructed solutions are
generated to replenish the shrunken population, and a new genetic cycle begins.
The GA is terminated after Nc genetic cycles. The final population contains the best
solution achieved. It also contains different near-optimal solutions which may be of interest in
the decision-making process.
VI. ILLUSTRATIVE EXAMPLES
Consider the series-parallel multi-state system (power substation), which consists of five
components connected in series in the reliability block diagram sense:
1. Power transformers,
2. Capacitor banks,
3. Input high voltage line sections,
4. Output medium voltage line sections,
5. Blocks of commutation equipment.
Each component is built from several different elements of the same functionality. The
availability, nominal performance rate, and inherent value of each element are presented in
Table I, where the performances are in MW, and the costs are in thousands of dollars. Within
each component, the elements can be separated in an arbitrary way, and protected. Up to four
different types of protection can be chosen for protection groups in the components: outdoor
location (type 0), shed (type 1), concrete building (type 2), and underground bunker (type 3)
for the transformers, capacitors, and commutation equipment; overhead lines (type 0),
overhead insulated lines (type 1), lines with casing (type 2), and underground lines (type 3) for
input, and output line sections. The vulnerability of each available type of protection; and the
protection costs as functions of protection types, and number of elements in the PG are
presented in Table II. The inherent value of PG infrastructure Hnm is assumed to be equal to
75% of its protection cost.
The system demand is constant: W=120. The cost of losses is proportional to the
unsupplied demand (5) with =85.
The defense strategy optimization problem has been solved for a limited defender's budget,
and three different attacker's strategies: single attack with perfect attacker's knowledge about
the system (13), single attack with no attacker's knowledge about the system (17), and multiple
attacks with unlimited attacker's resources (αnm=1 for 1≤n≤N, 1≤m≤Mn). For the sake of
simplicity, in this example, no empty PG (false targets) are allowed. The obtained solutions for
different defender's budgets are presented in Tables III-V.
Table I. Characteristics of system elements.
No of component n   No of element k   Availability pnk   Nominal performance xnk   Inherent value hnk
1                   1                 0.75               20                        30
1                   2                 0.70               25                        32
1                   3                 0.80               25                        35
1                   4                 0.80               30                        40
1                   5                 0.85               35                        50
2                   1                 0.90               40                        30
2                   2                 0.85               50                        30
2                   3                 0.80               60                        42
3                   1                 0.92               80                        120
3                   2                 0.95               100                       140
4                   1                 0.70               35                        8
4                   2                 0.65               40                        8
4                   3                 0.62               50                        10
4                   4                 0.63               40                        8
5                   1                 0.87               55                        25
5                   2                 0.80               55                        20
5                   3                 0.77               65                        25
Table II. Characteristics of available protections.
                                                      Protection cost
No of component   Protection type   Vulnerability v   1 element   2 elements   3 elements   4 elements   5 elements
1                 0                 1.0               2           2.5          3            3.5          4
1                 1                 0.8               8           12           15           17           18
1                 2                 0.6               12          18           22           25           27
2                 0                 1.0               3           4            5            -            -
2                 1                 0.6               12          18           22           -            -
2                 2                 0.5               20          23           26           -            -
2                 3                 0.3               26          33           38           -            -
3                 0                 1.0               4           6            -            -            -
3                 1                 0.9               11          13           -            -            -
3                 2                 0.4               16          20           -            -            -
3                 3                 0.2               24          30           -            -            -
4                 0                 1.0               1           1.8          2.5          3            -
4                 1                 0.2               8           12           15           17           -
5                 0                 1.0               1           1.5          2            -            -
5                 1                 0.6               9           14           17           -            -
5                 2                 0.3               18          21           27           -            -
5                 3                 0.2               20          30           38           -            -
The defense strategies in these tables are presented for each system component in the form of
lists of PG characteristics: βnm{Φnm}. For example, 2{1, 3} means that elements 1 & 3
compose a separated PG with protection of type 2.
It can be seen that separation is very effective against single attacks because it reduces the
damage caused by the attack. It is especially important in the case when the attacker has no
knowledge about the system, and any PG can be attacked. In this case, the total separation is
used even for a minimal defense budget (see Table IV), even though this does not allow the
defender to implement effective protections. When the attacker has perfect knowledge about
the system, separation of some elements can be ineffective. For example, the optimal defense
strategy for the budget O=125 (last line of Table III) does not presume a separation of elements
1 & 4, and elements 2 & 3 in component 4, because the corresponding PG are less attractive for
the attacker than the PG consisting of a single element 5 in component 1.
In the case of multiple attacks with unlimited attacker resources, all the PG can be attacked
simultaneously. Therefore, in this case, the protection plays a more important role than the
separation, and numbers of PG in the best defense strategies obtained for multiple attacks are
less than these numbers for single attacks.
The separation efficiency depends also on the system demand. When the demand is
relatively small, the system tolerates a destruction of its elements, which makes the separation
efficient. When the demand is close to the maximal possible system performance, the
incapacitation of even a small part of the system causes unsupplied demand. In this case,
separation that reduces the amount & the total performance of elements destroyed by a single
impact is less effective. Table VI presents the obtained defense strategies against multiple
attacks with unlimited attacker's resources for different values of system demand, and the same
defense budget. It can be seen that the number of different PG decreases with the growth of the
demand.
The investment–effect relationship provides important information to decision makers. In
the case of defense strategy optimization, it is important to know how the increase of the
defense budget can reduce the expected damage caused by the attacks. The expected damage
costs as functions of the defense budget are presented in Fig. 1. These curves contain the costs
of optimal defense strategy solutions for each budget for different attacker's strategies.
From the curves, one can see, for example, that a budget greater than O=125 in the case
of a single attack with perfect attacker's knowledge about the system makes no sense for the given
set of available protections. Indeed, when O≥125, the greatest damage D=4266.9 is achieved
by the attack on PG consisting of single element 5 in component 1, and having the highest
protection type 2. The further increase of the defense investment can reduce the expected
damage caused by the destruction of other groups without changing the expected damage
caused by the destruction of this PG (the maximal separation & protection of element 5 in
component 1 is already achieved). Because the attacker chooses the most harmful strategy, and
knows that it lies in attacking the element 5 in component 1, further investment cannot reduce
the expected damage.
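The saturation effect described above can be reproduced on a small model. The following is an added example, not code from the paper: it assumes three fixed protection groups with constructed losses and protection costs, treats the expected damage of each PG as destruction probability times loss (instead of the paper's u-function evaluation), and uses exhaustive search in place of the genetic algorithm.

```python
from itertools import product

# Constructed toy data (assumption, not taken from the paper).
# LOSS[g]: damage if protection group g is destroyed.
# PROTECTIONS[g]: available types as (cost, destruction probability if attacked).
LOSS = {"A": 900.0, "B": 600.0, "C": 500.0}
PROTECTIONS = {
    "A": [(0, 1.0), (20, 0.7), (40, 0.5)],
    "B": [(0, 1.0), (15, 0.6), (35, 0.3)],
    "C": [(0, 1.0), (10, 0.6), (30, 0.2)],
}

def expected_damages(choice):
    """Expected damage per PG, given the protection type index chosen for each."""
    return {g: PROTECTIONS[g][k][1] * LOSS[g] for g, k in choice.items()}

def attacker_value(damages, strategy):
    """Expected damage under one of the three attacker strategies discussed."""
    if strategy == "perfect":    # single attack, attacker picks the most harmful PG
        return max(damages.values())
    if strategy == "none":       # single attack, PG chosen uniformly at random
        return sum(damages.values()) / len(damages)
    if strategy == "multiple":   # unlimited resources, every PG is attacked
        return sum(damages.values())
    raise ValueError(f"unknown strategy: {strategy}")

def best_defense(budget, strategy):
    """Exhaustive search; returns (expected damage D, defense cost O, choice)."""
    groups = sorted(PROTECTIONS)
    best = None
    for ks in product(*(range(len(PROTECTIONS[g])) for g in groups)):
        choice = dict(zip(groups, ks))
        cost = sum(PROTECTIONS[g][k][0] for g, k in choice.items())
        if cost > budget:
            continue
        d = attacker_value(expected_damages(choice), strategy)
        if best is None or d < best[0]:
            best = (d, cost, choice)
    return best

if __name__ == "__main__":
    for budget in (0, 25, 45, 65, 85, 105):
        row = [f"{best_defense(budget, s)[0]:8.1f}" for s in ("perfect", "none", "multiple")]
        print(f"O*={budget:3d}  perfect/none/multiple:", *row)
```

In this toy model the perfect-knowledge curve stops improving once group A carries its strongest protection, while the other two curves keep falling until every group is fully protected.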
Table III. Best obtained defense strategies against single attack with perfect attacker's knowledge about the system.

Budget O*  Defense cost O  Expected damage D  Component 1               Component 2     Component 3  Component 4          Component 5
50.0       49.5            4862.48            0{1,2} 0{3} 0{4} 0{5}     0{1} 0{2} 0{3}  0{1} 1{2}    0{1} 1{2,4} 0{3}     0{1} 0{2} 0{3}
100.0      98.0            4486.81            2{1,2} 0{3} 0{4} 1{5}     0{1} 1{2} 1{3}  0{1} 2{2}    0{1} 1{2} 1{3} 0{4}  0{1} 0{2} 0{3}
125.0      125.0           4266.90            0{1} 0{2} 0{3} 1{4} 2{5}  1{1} 1{2} 1{3}  0{1} 2{2}    1{1,4} 1{2,3}        1{1} 0{2} 1{3}

Table IV. Best obtained defense strategies against single attack with no attacker's knowledge about the system.

Budget O*  Defense cost O  Expected damage D  Component 1               Component 2     Component 3  Component 4          Component 5
50.0       48.0            4334.35            0{1} 0{2} 0{3} 0{4} 0{5}  0{1} 0{2} 0{3}  0{1} 0{2}    0{1} 1{2} 1{3} 0{4}  0{1} 0{2} 0{3}
100.0      100.0           4143.56            0{1} 0{2} 0{3} 0{4} 0{5}  0{1} 1{2} 1{3}  0{1} 3{2}    1{1} 1{2} 1{3} 1{4}  0{1} 0{2} 0{3}
150.0      150.0           4040.81            0{1} 0{2} 1{3} 2{4} 2{5}  0{1} 1{2} 1{3}  0{1} 3{2}    1{1} 1{2} 1{3} 1{4}  1{1} 1{2} 1{3}
200.0      200.0           3962.46            0{1} 1{2} 2{3} 2{4} 2{5}  1{1} 1{2} 1{3}  3{1} 3{2}    1{1} 1{2} 1{3} 1{4}  3{1} 1{2} 1{3}

Table V. Best obtained defense strategies against multiple attacks with unlimited attacker's resources.

Budget O*  Defense cost O  Expected damage D  Component 1         Component 2  Component 3  Component 4       Component 5
50.0       44.0            10660.0            0{1,2,3,4,5}        0{1,2,3}     3{1,2}       0{1,2,3,4}        0{1,2,3}
100.0      100.0           10433.9            0{1} 0{2} 2{3,4,5}  0{1,2} 1{3}  2{1,2}       1{1,2,3} 0{4}     2{1,3} 0{2}
150.0      150.0           9502.9             2{1,2,3,4,5}        3{1,2,3}     3{1,2}       1{1,2,3,4}        3{1,2,3}
200.0      200.0           8821.4             2{1,2,3} 2{4} 2{5}  3{1,2} 1{3}  2{1} 3{2}    1{1,4} 1{2} 1{3}  3{1} 2{2,3}

Table VI. Best obtained defense strategies against multiple attacks with unlimited attacker's resources (Defense budget O*=150).

Demand W  Defense cost O  Expected damage D  Total No of PG  Component 1            Component 2  Component 3  Component 4    Component 5
30.0      150.0           2294.1             11              0{1,2} 2{3} 2{4} 2{5}  3{1,3} 0{2}  3{1,2}       1{1,3} 1{2,4}  3{1} 0{2,3}
60.0      149.0           4603.6             9               2{1,2,3,4} 2{5}        0{1} 3{2,3}  3{1,2}       1{1,2} 1{3,4}  2{1,3} 0{2}
90.0      150.0           7037.1             8               2{1,2,3,4} 2{5}        0{1} 3{2,3}  3{1,2}       1{1,2,3,4}     2{1,2} 1{3}
120.0     150.0           9502.9             5               2{1,2,3,4,5}           3{1,2,3}     3{1,2}       1{1,2,3,4}     3{1,2,3}

[Figure: expected damage D (separate vertical scales for "D single attack" and "D multiple attacks") plotted against defense budget O, with curves labelled "Multiple", "Single, no inf." and "Single, perfect inf."]
Fig. 1. Expected damage costs as functions of defense budget.
VII. CONCLUSIONS AND FURTHER RESEARCH
The suggested model is aimed at developing the optimal defense strategy under different
conditions of the system functioning, and different scenarios of the attacker's behavior.
Combining the universal generating function technique, used for evaluating the expected damage,
with optimization meta-heuristics, used for solving complex optimization problems, allows
analysts to solve defense optimization problems for multi-state series-parallel systems of
realistic size, and complexity.
Within the suggested paradigm, the following directions of further research can be
outlined:
• Study of the effect of deploying false targets, and misinforming the attacker on the
expected damage reduction.
• Study of the importance of the intelligence information that can reduce the
uncertainty of the defender's knowledge about the attacker's strategy in reducing the
expected damage.
• Incorporating the choice of optimal protection parameters into the defense
optimization problem in cases when the protection survivability is a continuous
function of the parameters (width of a protecting casing, depth of an underground
location etc.)
• Optimization of system structure (choice of type and number of system elements,
their separation and protection) for systems developed from scratch (a special case
of this problem was considered in [17]).
• Optimization of system defense strategy against attacks causing multiple factor
impacts (such as fire, debris, and pressure impulse) when different system elements
have different sensitivities to these factors.
• Optimization of defense strategy for systems with multilevel protection (special
cases of this problem were considered in [18], [19]).
• Optimization of the defense strategy for systems where functionally different
elements might reside close together, and be equally susceptible to the same attack.
In such systems, elements from different components could be in the same PG, and
the assumption that the elements belonging to the same PG compose a series-parallel
structure might not hold (for this case, the technique presented in [30] could
be used).
• Joint optimization of system performance, and defense measures when improving
availability and/or performance of system elements is considered as an alternative
direction of investment aimed at reducing the expected damage.
• Optimization of dynamic defense strategy when the attacker, and the defender can
change their strategy based on the results of previous attacks.
REFERENCES
1. V. Bier, and V. Abhichandani, "Optimal allocation of resources for defense of simple series and
parallel systems from determined adversaries," Proceedings of the Engineering Foundation Conference
on Risk-Based Decision making in Water Resources X. Santa Barbara, CA: American Society of Civil
Engineers; 2002.
2. V. Bier, A. Nagaraj, and V. Abhichandani. "Protection of simple series and parallel systems with
components of different values," Reliab. Eng. Syst. Saf., vol. 87, pp. 315-323, 2005.
3. M. Barbacci, "Survivability in the age of vulnerable systems," Computer, vol. 29 (11), p. 8, 1996.
4. A. Lisnianski, and G. Levitin, Multi-state system reliability. Assessment, optimization and
applications. World Scientific, 2003.
5. G. Apostolakis, "The effect of a certain class of potential common mode failures on the reliability of
redundant systems," Nuclear Engineering and Design, vol. 36, pp. 123-133, 1976.
6. W. Vesely, "Estimating common-cause failure probabilities in reliability and risk analyses: Marshall-Olkin
specializations," Nuclear Systems Reliability Engineering and Risk Assessment, J. Fussell & G.
Burdick, Eds, pp. 314-341: Society of Industrial and Applied Mathematics, 1977.
7. K. Chae, and G. Clark. "System reliability in the presence of common-cause failures," IEEE
Trans.Rel., vol. R-35, pp. 32-35, 1986.
8. L. Page, and J. Perry, "Model for system reliability with common-cause failures," IEEE Trans.Rel.,
vol. 38, pp. 406-410, 1989.
9. D. Bai, W. Yun, and S. Chung, "Redundancy optimization of k-out-of-n systems with common-cause
failures," IEEE Trans.Rel., vol. 40, pp. 56-59, 1991.
10. P. Anderson, and S. Agarwal, "An improved model for protective-system reliability," IEEE
Trans.Rel., vol. 41, pp. 422-426, 1992.
11. B. Dhillon, and O. Anude, "Common-Cause Failures in Engineering Systems: A review," Int’l J.
Reliability, Quality and Safety Engineering, vol. 1, pp. 103-129, 1994.
12. J. Vaurio, "The theory and quantification of common-cause shock events for redundant standby
systems," Reliab. Eng. Syst. Saf., vol. 43, pp. 289-305, 1994.
13. J. Vaurio, "An implicit method for incorporating common-cause failures in system analysis," IEEE
Trans.Rel., vol. 47, pp. 173-180, 1998.
14. M. Marseguerra, E. Padovani, and E. Zio, "Impact of the operating environment on the design of
redundant configurations," Reliab. Eng. Syst. Saf., vol. 63, pp. 155-160, 1998.
15. G. Levitin, and A. Lisnianski, "Survivability maximization for vulnerable multi-state system with
bridge topology," Reliab. Eng. Syst. Saf., vol. 70, pp. 125-140, 2000.
16. G. Levitin, and A. Lisnianski, "Optimal separation of elements in vulnerable multi-state systems,"
Reliab. Eng. Syst. Saf., vol. 73, pp. 55-66, 2001.
17. G. Levitin, and A. Lisnianski, "Optimizing survivability of vulnerable series-parallel multi-state
systems," Reliab. Eng. Syst. Saf., vol. 79, pp.319-331, 2003.
18. G. Levitin, "Optimal multilevel protection in series-parallel systems," Reliab. Eng. Syst. Saf., vol.
81, pp.93-102, 2003.
19. G. Levitin, et al., "Optimizing survivability of multi-state systems with multi-level protection by
multi-processor genetic algorithm," Reliab. Eng. Syst. Saf., vol. 82, pp.93-104, 2003.
20. I. Ushakov, "Optimal standby problems and a universal generating function," Soviet Journal of
Computer Systems Science, vol. 25, pp. 79-82, 1987.
21. G. Levitin, Universal generating function in reliability analysis and optimization, Springer-Verlag,
London, 2005.
22. D. Coit, and A. Smith, "Reliability optimization of series-parallel systems using a genetic
algorithm," IEEE Trans.Rel., vol. 45(2), pp.254-260, 1996.
23. Y. Liang, and A. Smith, "An ant colony optimization algorithm for the redundancy allocation
problem (RAP)," IEEE Trans.Rel., vol. 53(3), pp. 417-423, 2004.
24. S. Kulturel-Konak, D. Coit, and A. Smith, "Efficiently solving the redundancy allocation problem
using tabu search," IIE Transactions; 35(6), pp. 515-526, 2003.
25. Y. Liang, and C. Wu, "A variable neighborhood descent algorithm for the redundancy allocation
problem," Industrial Engineering and Management Systems, vol. 4(1), pp. 109-116, 2005.
26. V. Ravi, "Optimization of complex system reliability by a modified great deluge algorithm,"
Asia-Pacific Journal of Operational Research, vol. 21(4), pp. 487-497, 2004.
27. T. Chen, and P. You, "Immune algorithms-based approach for redundant reliability problems with
multiple component choices," Computers in Industry, vol. 56, pp. 195-205, 2005.
28. W. Kuo, V. J. Rajendra Prasad, Frank Tillman, C. L. Hwang, Optimal Reliability Design:
Fundamentals and Applications, Cambridge University Press, Cambridge, U.K., 2002.
29. D. Whitley, "The GENITOR Algorithm and Selective Pressure: Why Rank-Based Allocation of
Reproductive Trials is Best," Proc. 3rd International Conf. on Genetic Algorithms. D. Schaffer, ed.,
Morgan Kaufmann, pp. 116-121, 1989.
30. E. Korczak, G. Levitin, and H. Ben Haim, "Survivability of series-parallel systems with multilevel
protection," Reliab. Eng. Syst. Saf., vol. 90(1), pp.45-54, 2005.
Gregory Levitin received the BS, and MS degrees in Electrical Engineering from Kharkov Polytechnic
Institute, Ukraine, in 1982; the BS degree in Mathematics from Kharkov State University in 1986; and
the PhD degree in Industrial Automation from Moscow Research Institute of Metalworking Machines
in 1989. From 1982 to 1990, he worked as software engineer and research associate in the field of
industrial automation. From 1991 to 1993 he worked at the Technion (Israel Institute of Technology) as
a postdoctoral fellow at the faculty of Industrial Engineering and Management. Dr. Levitin is presently
an engineer-expert at the Reliability Department of the Israel Electric Corporation, and adjunct senior
lecturer at the Technion. His current interests are in operations research, and artificial intelligence
applications in reliability, and power engineering. In this field Dr. Levitin has published more than 100
papers, and two books. He serves on the editorial boards of IEEE Transactions on Reliability, and Reliability
Engineering and System Safety.