Approximate Core Allocation for Large Cooperative Security Games

Coalition games have been recently used for modeling a variety of security problems. From securing the wireless transmissions in decentralized networks to employing effective intrusion detection systems in large organizations, cooperation among interested parties has shown to bring significant benefits. Motivating parties to abide to a solution is, however, a key problem in bridging the gap between theoretical models and practical solutions. Benefits should be distributed among players (wireless nodes in a network, different divisions of an organization in security risk management, or organizations cooperating to fight spam), such that no group of players is motivated to break off and form a new coalition. This problem, referred to as core allocation, grows computationally very expensive with a large number of agents. In this paper, we present a novel approximate core allocation algorithm, called the bounding boxed core (BBC), for large cooperative security games in characteristic form that rely on superadditivity. The proposed algorithm is an anytime (an algorithm is called anytime if it can be interrupted at any time point during execution to return an answer whose value, at least in certain classes of stochastic processes, improves in expectation as a function of the computation time) algorithm based on iterative state space search for better solutions. Experimental results on a 25-player game, with roughly 34 million coalitions, show that BBC shrinks the 25-dimensional bounding-box to 10−15 times its initial hypervolume.


Introduction
In the recent years, there has been a growing interest for modeling defenders in different security problems with coalition games.This is mainly due to results which confirm that many security goals can be better reached through cooperation among the interested parties.Millions of connected computers and networks of them have turned security to a problem characterized by interdependence [4].In this interconnected world of computers, the security of a particular user is not independent of others and it heavily depends on the efforts of other users.As a prominent example in Internet security, in combating spam and unsolicited communications, the Organization for Economic Co-operation and Development recommends international cooperation and promotes cross-border enforcement cooperation on spamrelated problems [18].
With regard to cyber attacks originated from any particular country, a recent study [13] shows that international cooperation in enforcement as measured by the indicator of joining the convention on cybercrimes, can deter cyber attacks by up to 24%.Cooperative attack and defense for a range of distributed network applications, with an emphasis on phishing, has been examined in [23] and the results highlight the need for cooperative information sharing.
Building suitable models based on cooperation for a variety of security problems has been the subject of some recent studies.Coalition game theory has been used for security risk management [22] in divisions of an organization as well as secure wireless transmissions [16] in ad hoc wireless networks, and against network security attacks [5].In detecting [12,19] and mitigating [21] DDos attacks, cooperation has been affirmed.While many studies advocate the use of coalition games for modeling large scale security problems, the question of revenue allocation, as an important step in turning these game theoretical models to practical robust solutions, has not been studied and warrants greater attention.
Cooperative game theory studies the problem of revenue allocation for a set of n participants, called players, in a joint project where a value function v is defined for each subset of players, representing the revenue achieved by the players in that subset without assistance of other players.In the context of security, we call these games cooperative security games.In cooperative security games players are the defenders (e.g., organizations cooperating for intrusion detection) and revenue is the security benefit they achieve through cooperation.We will present a formal definition in the next Section.In general, each solution concept defines a set X of allocation vectors.Obtaining X is usually a nontrivial problem and has always been an important issue in the study of cooperative game theory.A particularly interesting theme to the study of such decision problems is that of the bounded rationality, which argues that decisions made by real-life agents may not spend an unbounded amount of resources to evaluate all the possibilities for optimal outcome [17].Much effort has been made in the study of the bounded rationality in computational resource for solution concepts of cooperative games.
The definition of a cooperative game involves an exponential number (in the number of players) of values, one for each subset of players.Moreover, the definitions of many solution concepts, for example, the core [1], would involve an exponential number of constraints.Therefore, it becomes infeasible to get the set of fair allocation vectors X for a large cooperative game using traditional approaches, such as linear programming.Megiddo [25] observed that, for many games, the game value is calculated through succinctly defined structures and for such games, he suggested that finding a solution should be done by a good algorithm (following Edmonds [28]), that is, within time polynomial in the number of players.Deng and Papadimitriou [14] suggested computational complexities be taken into consideration as another measure of fairness for evaluating and comparing different solution concepts.
In this paper, we present bounding-boxed core (BBC), an approximate revenue allocation algorithm for large cooperative security games that are intractable to be solved using traditional algorithms such as linear programming.Previous work in security revenue allocation investigate all coalitions and their corresponding values before computing the core.This is not feasible with large number of players, that is, organizations that attempt to protect security of their assets, because increasing number of players result in exponential growth of the coalition space.Our algorithm, to the best of our knowledge, is the first algorithm to provide an approximate solution to this problem.In addition, we utilize the special characteristics of the core, namely, its convexity, to analyze the approximation error and provide bounds on the worst case errors.
This paper is organized as follows.In Section 2, we describe the security game model and the revenue allocation problem.In Section 3 we present an overview of related background literature.The BBC algorithm is briefly explained in Section 4. Section 5 is devoted to the bounding box shrinking algorithm.Approximate core allocation approach is discussed in Section 6.Finally, experimental results for a case study cooperative game with 25 players is presented in Section 7 and Section 8 concludes the paper.

Security Model and Basic Definitions
We start by describing a simplified security problem and subsequently formally define a cooperative security game.Assume a finite set of organizations denoted by N = {1, 2, . . ., n}.Each organization has its own security resources and valuable assets which it protects against security attacks.Any subset S ⊆ N is called a coalition.The security profit function v : P (N ) → R is a function with v(φ) = 0, where P (N ) denotes the power set of N .For each coalition S ⊆ N , v(S) is the value of S that is interpreted as the security profit achieved by the collective action of organizations in S without any assistance of organizations in N − S. A security cooperative game is given by specifying the security profit function, that is, a value for every coalition.The security profit can be defined based on different measures, such as security resources of a coalition, the type and probability of successful attacks against these security measures, and the expected cost of such attacks.Instead of a security profit function, a security cost function can be used.In this paper we only deal with profit games, however, symmetric statement holds for cost games.Security profit functions are assumed to be superadditive, that is, the value of a union of disjoint coalitions is no less than the sum of the coalitions' separate values: Given a pair (N , v), the focus is how to fairly distribute the collective income.We denote the income distributed to individual organizations by a payoff vector x = {x 1 , x 2 , . . ., x n } satisfying i∈N x i = v(N ), called an allocation.An allocation vector x is called an imputation of the game (N , v) if it also satisfies the individual rationality condition: (2) As an illustrative example, consider a set of online shopping sites which are willing to cooperate against intrusion detection attacks by sharing worm and virus signatures identified by their antivirus systems.The valuable assets in this scenario consists of a database of credit-card information.
We consider a dollar value as the security profit associated with an attack.Let us consider two of these shopping sites {1, 2}.Let the expected security profit of site 1 be v({1}) = c 1 − 300, while this value is v({2}) = c 2 − 50 for site 2. If they cooperate by sharing their signatures, the expected security profit of their coalition would be v({1, 2}) = c 1 + c 2 − 400.
The allocation problem involves assigning x 1 and x 2 in a fair manner, which also motivates the formation of a coalition.Additional requirements for fairness, stability, and rationality lead to different sets of allocations, which are generally referred to as solution concepts.Here, we shall discuss the most important one that is the core.
Sum of the coalitions' separate values.The concept of the core was first introduced by Gillies [1] based on the concept of subgroup rationality.Definition 1.The core of a game (N , v) is defined by (3) The constraints imposed on C(v) ensure that no coalition would have an incentive to split from the grand coalition N and do better on its own.The core is a subset of the hyperplanes defined by the equation i∈S x i = v(S) [16], and since the inequalities x i ≥ v({i}) are included in (3), the core is bounded.Thus, C(v) is a compact convex polyhedron, and possibly empty, of dimension at most n − 1.The definition of the core, involves an exponential number of constraints, therefore, exact computation of the core is infeasible in large scale games.In this paper, we present an approximate algorithm for core allocation.

Related Work
In the security community, there has been considerable effort in introducing models based on cooperation for defenders of a security attack, see for example [12,19,21,23].Here, we review the ones which explicitly use coalition games as their models.The authors in [22] define a coalition game for modeling risk management.In their model, divisions of an organization are the players of the game.They use an influence graph to specify the positive and negative effects that each division of the organization can have on other divisions.The security benefit of each coalition is then defined as a function involving the influence graph, the security resources of each division, and threats against vulnerabilities.They further enrich their model by introducing a friction graph which denotes the costs associated with cooperation.They analyze the formation of coalitions based on this model.Coalition game theory has also been used in modeling secure transmissions in a wireless network [16].In this problem a set of wireless transmitters try to transmit a message to a set of destinations in presence of eavesdroppers.The goal is to avoid the overhead of cryptography and selforganize the wireless transmitter such that secure wireless communication can be achieved.Coalition of transmitters can decode-and-forward (DF) or amplify-and-forward (AF) a signal, and in this way, completely null the signal at the eavesdroppers.In another recent study, [5] models defenders of a network security attack with coalition games.They analyze coalition formation in three canonical security games described previously in [26] for non-cooperative games.
The above mentioned papers mostly consider the problem of coalition formation.In this paper, we consider another important problem, namely, revenue allocation.Much of cooperative game theory is built around the question of distributing the collective income in fair and rational manners.Different philosophies result in different solution concepts that constitute the bargaining set family, that is, the various bargaining sets [15,24], the Kernel [20] and the Nucleolus [11]; in effect, these notions are defined separately for each coalition structure.By contrast, the Shapley value [3], Core [1], and Von Neumann-Morgenstern solutions [6] are not a priori defined with reference to a coalition structure.In this part, we review related literature on determining the core.
One of the most important problems regarding the core is testing nonemptiness that is determining whether a given instance of the game has a nonempty core.Generally, determining core nonemptiness is NP-complete for cooperative games both with and without transferable utility [8].However, recently there has been increasing interest in investigating this problem in more specific games with a description polynomial in n (number of players).As a case in point, the core nonemptiness testing problem is solvable in polynomial time for weighted graph games [14]; for minimum base game with no all-negative circuits can be solved in oracle-polynomial time [10].
Since the core is usually empty, some related solution concepts arise from the core via relaxing its constraints.Shapley and Shubik [27] recommended the concepts of (strong) ε-core and weak ε-core for a cooperative game.Their main idea is to relax the requirements of subgroup rationality by x(S) ≥ v(S) − ε and x(S) ≥ v(S) − ε|S| for each proper subset S of N , respectively.
Later, Tijs and Driesssen [7] introduced the concept of multiplicative ε-tax core by using Faigle and Kern [9] modified the requirement of Tijs and Driessen as x(S) ≥ (1 − ε)v(S) to define another approximate core, called multiplicative εcore.One explanation of these concepts is that cooperation may not be as hopeless even when the core is empty.Cooperation may be possible with the subsidies of the central authority.
All of the above mentioned algorithms need to investigate all coalitions and their corresponding values before computing the core; however, this is not feasible in cooperative games with large number of players due to the exponential growth of the coalition space.

The Bounding Boxed Core
The bounding-boxed Core (BBC) algorithm is a practical best-effort approach to distribute the collective security profit in an approximately fair manner among the involved organizations (players) in a given large cooperative security game (N , v).
More specifically, BBC consists of two main stages: tightening bounding box, and approximate core allocation.The former is an iterative global search algorithm to solve an axis-aligned smallest enclosing box problem.It finds the minimum-hypervolume n-dimensional bounding box enclosing the core, that is, closed and convex set, subject to the constraint that the edges of the box are parallel to the (Cartesian) coordinate axes.Starting from some initial large bounding box, BBC iteratively tries to tighten the bounding box, obtained at the previous iteration, by heuristically considering some useful subset of constraints by the core (3).

Consequently, a bounding box B
is generated once a given deadline is passed or some convergences condition is met.In the approximate core allocation step, BBC computes a unique payoff vector in the generated bounding box B. The allocation values for individual players are determined by calculating the gravity center of the resulting bounding box B.

Bounding Box Tightening
In this section, the iterative bounding box tightening algorithm is explained in details.The goal is to find the minimum-hypervolume bounding box enclosing the core B(C(v)) using an iterative search algorithm.We use B t to denote the bounding box, obtained at t-th iteration step.Initially, we know that player i gets a payoff of The lower bound denotes individual rationality, that is, no player receives less than what it could get on its own; and the upper bound is obtained using one of the core constraints: along with the efficiency condition: Therefore, we assign as shown in (13) to be the initial, that is, t = 0, bounding box enclosing the core.Throughout this paper, we will use notations B l t (i) and B u t (i) to denote the lower and upper bounds for the ith player in the tth bounding box.
The initial bounding box B 0 is further tightened during several iterations.First, we describe the single iteration t of the tightening procedure given a permutation π ∈ Π on the set of players: where, π is in fact a one-to-one function from N onto N .Moreover, as a shorthand notation, we use π j i (i ≤ j) to denote (π(i), π(i + 1), . . ., π( j)).

Recursive Tree Construction.
At each iteration t, tightening algorithm starts with constructing a full binary tree on a given permutation of players π, in a top-down manner.The root node, which covers all players π n 1 , has two children nodes denoting two disjoint subsets of N : π i0 1 and π n i0+1 (1 ≤ i 0 < n).Breaking point i 0 is optimally determined in a way that the bounding box is tightened the most (discussed later).Recursively, children nodes are further partitioned into two disjoint subsets of their corresponding players: 1 , and π i2 i0+1 , π n i2+1 ⊆ π n i0+1 .Leaf nodes of the tree represent individual players, for example, π i i = (π(i)).To determine the optimal breaking point, let us consider an arbitrary parent node which covers a subset of players π k i .Suppose j (i ≤ j < k) is the breaking point so that Using the core constraints (3), and the bounding box B t−1 , obtained at the previous iteration t − 1, we know where in the root node both bounds are equal to v(N ), but in lower level nodes Similar conditions hold for children nodes, that is, π j i , π k j+1 .Furthermore, each child node can make use of its sibling's bounds to update, that is, tighten, its own bounds.As a case in point, we update bounds on the left child, that is, π j i : where, The right child also updates her bounds using the same justification.Consequently, the optimal breaking point j * is determined using where, and T k j+1 is defined similarly.Once the optimal breaking point j * is determined: (1) players in the parent node π k i are partitioned into two children coalitions π (2) upper and lower bounds on children are updated.As a result, recursive tree construction procedure is terminated when it gets to leaf nodes, that is, the players' payoffs, and updates their upper and lower bounds.
Figure 1 shows how the recursive tree construction algorithm updates the initial bounding box for a sample 3player game, that is, N = {1, 2, 3}.Characteristic values for different coalitions of the game are given in the Figure 1.The initial bounding box enclosing the core is obtained as 0 ≤ x i ≤ 8 ∀i ∈ N that results in 0 ≤ x 1 +x 3 ≤ 16 as shown in Figure 1.The updated values are illustrated in red font.

Iterative Search.
In the previous section, we described how a given permutation of players is used in constructing a binary tree for tightening the bounding box.The permutation used, can be chosen at random, or as we describe in this section, it can be produced by an evolutionary algorithm which tends to generated permutations which result in larger reductions of the bounding box volume.During each iteration t of the algorithm, we have a population P, for example, P = 100, of permutations Π t ⊆ Π, which are used for tightening the bounding box as explained in Section 5.1.
Once the bounding box around feasible point in the core is updated, the fitness function is calculated as follows for each permutation in current population π ∈ Π t and measures its quality, that is, how helpful it was in tightness improvement: where B t,bπ (B t,aπ ) denote bounds, at iteration t, just before (after) they are updated using recursive tree construction on permutation π.Once we have the population and the fitness function defined, iterative search algorithm proceeds to initialize a population of permutations randomly, then improves tightness of the bounding box through repetitive application of mutation, crossover, inversion and selection operators (discussed later).
Initialization.Initially, P permutations are randomly generated from the search space Π to form an initial population.
Selection.During each iteration t, a proportion 2α ( α ∈ [0, 0.5]) of the existing population Π t is selected to breed a new generation of permutations Π t+1 .Individual permutations are selected through a fitness-based process, where top 2α • P fittest permutations, as measured by ψ t (.) (14), are selected.
Reproduction.The next step is to generate the next generation population of permutations Π t+1 from those selected.
For each new permutation to be produced, a pair of parent permutations, that is, π p1 and π p2 , is selected for breeding from the pool selected previously.By producing a child permutation π child using function composition, that is, , a new permutation is created.New parents are selected for each child, that is, α • P children permutations.Furthermore, (1−α)•P new permutations are randomly generated.These processes ultimately result in the next generation population Π t+1 of permutations.Generally, the average fitness will have increased by this procedure for the population, since only the most useful permutation from the previous generation are selected.
Termination.This iterative search process is repeated until a termination condition has been reached.Terminating conditions can be defined regarding various criteria, such as: (1) all possible permutations Π are investigated; (2) a predefined deadline is passed deadline < t; (3) tightness improvement in the last iteration t was less than some nonnegative threshold , that is, π∈Πt ψ t (π) ≤ .

Approximate Core Allocation
Once the bounding box around feasible points in the core is generated (see Section 5) the candidate approximate core is computed as follows: However, C B (v) may not be in the actual core; therefore, here we analyze the worst case error, that is, distance between the core C(v) and the approximate C B (v).First, we need to define the distance between the point C B (v) and the core C(v), that is, a convex set of points: In other words, the distance between a point and a set is the infimum of the distances between the point and those in the set.
Here, we exploit the convexity of the core in analyzing the worst case error of the the approximate core, C B (v), that is defined as follows where C is the convex set space in R |N | ; and B(Q) denotes the minimum-volume axis-aligned bounding box around the set Q.
We first obtain Υ when |N | = 3, and then, generalize the result to higher dimensional spaces.Given and C B (v) = (0, 0, 0), where Δ i = b i − a i .As discussed earlier (Section 2), the core is a convex subset of the hyperplanes.
It can be shown that the worst case error Υ(B ) (see (17)) is caused by Q ∈ C whose closest hyperplane H Q to the point C B (v) includes those 3 vertices of B , any pair of which have exactly one of the 6 bounding box planes in common: , , therefore, Hence, Υ(B ) is obtained as the distance between the point C B (v) and H Q : As a case in point, let Δ i = Δ ∀i ∈ N .Without considering convexity of the core, we know Υ(B ) = Δ.√ 3/2 that is the distance between any of the vertices of B and its gravity center C B (v).But, exploiting the convexity of the core (21) yields a better result Υ(B ) = Δ.√ 3/6 < Δ. √ 3/2.For higher dimensional spaces, that is, games with more than 3 players, discussions remain exactly the same and the worst case error is obtained as:

Evaluations
In this section, we present the results from our prototype implementation of BBC on a case study large cooperative game.The system we used for implementation was a 2.20 GHz AMD Athlon 64 processor 3700+ with 2.00 GB of memory and Windows XP SP3 operating system.Because of large number of coalitions the bottleneck is usually the memory that caused our first prototype to crash; hence, we reimplemented the whole algorithm in C++ from scratch using more sophisticated data structures to speed up the iterative search and reduce memory consumption.
Here, we present the evaluation results of the BBC algorithm for a cooperative game with 25 players in which there are about 34 million coalitions of players.
Figure 2 shows the number of coalitions in each coalition class that is defined based on its size, that is, number of players.As discussed earlier, every cooperative game is determined by its characteristic function for each coalition.Figure 3 shows the maximum characteristic value for each coalition class.As shown in the figure, value for grand coalition is 1604.Furthermore, coalition values satisfy supperadditivity property.
Given the characteristic values for the cooperative game, we start iterative tightening of the 25-dimensional bounding box. Figure 4 illustrates the initial lower and upper bounds for individual dimensions, that is, players' payoffs, of the initial bounding box, as in (13), and their corresponding updated bounds.In this experiment, we assigned P = 100 and α = 0.3.Finally, bounding box volume reduction, during the iterative tightening algorithm, is shown in Figure 5 with 10 20 scale.As illustrated in the logarithmic-scale graph, although the bounding box volume has shrank more than 10 12 units during only a few seconds, tightening speed significantly decreases afterwards.Consequently, after about 25 minutes, bounding-box volume is 10 −15 times its initial value.

Conclusion
In this paper, we present an approximate core allocation algorithm, called the bounding-boxed core (BBC), for cooperative security games with large number of organizations (players).Since the definition of core involves an exponential number of constraints in terms of the number of organizations, it is infeasible to solve this problem for exact solutions.We present an analysis of the maximum approximation error incurred by BBC.We also proposed a heuristic search algorithm based on Genetic algorithms to search the input space.Experimental results show that BBC significantly speeds up core allocation.In modeling cooperation among large number of organizations, this is an important step in achieving a practical solution in limited time.

Figure 2 :Figure 3 :
Figure 2: Number of coalitions in each coalition class with particular no. of players.

Figure 4 :Figure 5 :
Figure 4: Bounding box tightening result for each dimension in R 25 .