600 likes | 721 Views
Gregory Levitin, Kjell Hausken. Meeting a demand vs. enhancing protections in homogeneous parallel systems. Advisor : Professor Frank Y.S. Lin Presented by Yu-Pu Wu. About. Author Gregory Levitin, Kjell Hausken Title
E N D
GregoryLevitin,KjellHausken Meeting a demand vs. enhancing protections in homogeneous parallel systems Advisor:ProfessorFrankY.S.LinPresentedbyYu-PuWu
About • Author • Gregory Levitin, Kjell Hausken • Title • Meeting a demand vs. enhancing protections in homogeneous parallel systems • Provenance • Reliability Engineering and System Safety 94 (2009) 1711–1717
Agenda • Introduction • TheModel • EvenlyDistributed • Asubset of elements • Conclusions
Introduction • Classical reliability theory considers providing redundancy and improving reliability of elements as measures of system reliability enhancement. • When the defense of systems exposed to intentional attacks is concerned, the separation of elements and their protection against malicious impacts become essential elements of the defense strategy.
Introduction • This article considers a situation when a defender deploys costly separated identical system elements and protects them to minimize the losses associated with not meeting the demand. • The protection is a technical or organizational measure aimed at the reduction of the destruction probability of system elements in the case of attack.
Introduction • Losses may be planned or forced. • Planned losses are those where the producer decides not to meet the demand. • Forced losses are those where a determined adversary seeks to destroy the elements by attacking them which reduce their performance. • Delivery of electricity
Introduction • We think our model applies for any good for which there is a demand, assuming the good is costly to deploy and that it delivers a performance. • Incurring planned and forced losses entail different kinds of assessments.
Introduction • The defender needs to strike a delicate tradeoff between planned and forced losses when determining how many elements to deploy. • The optimal strategies • the cost of deployment • the resources of the defender and attacker • the unit costs of defense and attack efforts • the contest intensity • the demand • the relative unit cost of planned and forced losses
Introduction • Consider as an example an electric power company that plans to supply electricity to new customers in some area. • The company has a limited budget that should be divided between deployment of new generating units and protecting the units. • Forced losses are usually much greater than the planned losses.
Introduction • It was assumed that the defender minimizes the success probability and expected damage of an attack. • This article assumes that successful attack on each element totally destroys this element. Only damage caused by the attack is considered without taking into account the elements’ failures.
Agenda • Introduction • TheModel • EvenlyDistributed • Asubset of elements • Conclusions
TheModel • A system that is built from identical parallel elements with the same functionality each hasthe performance g. • Nmeansnumberofelementsinthesystem. • The existing demand is F.
TheModel • If the number of elements is not enough to meet the demand (Ng<F) the defender has planned losses Lp proportional to the demand deficiency.
TheModel • When the system performance decreases as a result of an attack, the forced losses are proportional to the extent of performance reduction below the demand F (when the demand is initially satisfied Ng≥F) or below the planned cumulative performance Ng (Ng<F).
TheModel • Eqs. (1) and (2) give three scenarios. • First, demand is met both without and with an attack. • Second, demand is met without an attack, but not with a destructiveattack. • Third, demand is met neither without an attack, nor with an attack.
TheModel • The total attacker’s resource is R. • The cost of the attacker’s effort unit is A. • The defender’s resource is r. • This resource is distributed between protection and deployment of elements. • The resource needed to deploy one element is x. • We assume r≥Nxand N≥1. • The cost of the protection effort unit is a.
TheModel • The attacker’s and the defender’s resources R and r can be measured as available budgets. • The attack and the protection efforts T and t can be measured as the cumulative destructive power of attacking weapons and the strength of protection shields respectively.
TheModel • In this paper we assume that the system elements are so simple that they can be totally destroyed by any successful attack. • Therefore we define element vulnerability as a scalar index equal to the conditional probability of element destruction given the element is attacked.
TheModel • The element vulnerability depends on attack and protection efforts allocated to this element. • The vulnerability can be determined by the attacker–defender contest success function modeled with the common ratio.
TheModel • A benchmark intermediate value is m=1, which means that the investments have proportional impact on the vulnerability. • 0<m<1 gives a disproportional advantage of investing less than one’s opponent. • m>1 gives a disproportional advantage of investing more effort than one’s opponent.
TheModel • In the extreme case m=0, the efforts t and T have equal impact on the vulnerability regardless of their size, which gives 50% vulnerability. • The other extreme case m=∞ gives a step function where ‘‘winner-takes-all’’.
TheModel • The contest success function was initially used in rent seeking and expresses agents’ success in securing a rent dependent on efforts exerted. • Higher effort gives higher success, but is also costly. • Traditional reliability theory focused on how reliable a system is, which depends on factors thathave typically been of a non-intentional nature.
TheModel • In the authors’ view this becomes a question about resource expenditures. • how much effort to exert to ensure, versus not ensure, that the element survives the attack. • If the attacker expends the same amount of resources as before the defender’s improvements, the element will have more chances to survive.
TheModel • In some situations the attacker cannot direct the attack exactly against certain targets and the defender cannot protect only a subset of targets. • In such situations one should assume that both the attacker and the defender distribute their efforts evenly among all elements.
TheModel • If the information about the protected elements is unavailable to the attacker • It may be beneficial for the defender to protect some of the system elements concentrating more resources on protecting this subset. • The attacker can also prefer to attack a subset of the elements to achieve effort superiority or avoid effort inferiority for each of the attacked elements.
Agenda • Introduction • TheModel • EvenlyDistributed • Asubset of elements • Conclusions
EvenlyDistributed • Consider the case when the defender distributes its resource r between deployment of N elements and their protection (the protection investment is evenly distributed among the elements). The cost of single element is x. • The effort allocated at protection of each element is t=(r–Nx)/(aN)=(r/N–x)/a.
EvenlyDistributed • The attacker attacks all N elements and distributes its resource evenly among them. The effort allocated at attacking each element is T=R/(NA). • Thevulnerability of each element is
EvenlyDistributed • The damage caused by an attack is associated with reduction of the cumulative system performance in the case of destruction of some elements. If the number of destroyed elements is k, the forced performance reduction is
EvenlyDistributed • Theexpected forced losses can be obtained as • The total losses are
EvenlyDistributed • We can normalize the losses and obtain • Planned losses require not only F > g but also F > Ng, analysis of 1-out-of-N (F ≤ g) system is out of scope for this paper.
EvenlyDistributed • Consider an example of a power system that should supply a demand F=1 by deploying generating units with capacity g=0.1 each. • Each deployed unit is protected by a casing. • The strength of the casing (protection effort) depends on protection budget allocated to each unit. • Fig. 1 presents the normalized losses as a function of cost x of deploying one generating unit for ε=r=R=m=1, α=2, and different values of the number N of units.
EvenlyDistributed • It can be seen that for any combination of the model parameters one can find the number of elements N that minimizes the expected losses. • Therefore, the optimal defenders strategy is to find the number of elements that minimizes its expected losses
EvenlyDistributed • The minimal achievable normalized expected losses grow with both α and m.
Agenda • Introduction • TheModel • EvenlyDistributed • Asubset of elements • Conclusions
Asubsetofelements • If F≤g, the attacker has to destroy all N elements in order to cause unsupplied demand. • In the case when F>g, unsupplied demand can be caused by partial destruction of the system. • To increase the expected damage the attacker can decide to attack Q<N elements concentrating more effort on attacking each one of the chosen Qelements. • the attacker’s effort per target increases from R/(NA) to R/(QA)
Asubsetofelements • The defender can also decide to protect M out of N elements allocating the effort t=(r– Nx)/(Ma) to each one if the attacker has no information about the defense effort distribution among the elements and chooses the attacked elements randomly. • In this case both the attacker and the defender have free choice variables that determine their strategies: • the defender chooses N and M whereas the attacker chooses Q.
Asubsetofelements • The defender builds the system over time andthe attacker takes it as given when it chooses its attack strategy. • Therefore, we analyze a two periods game where the defender moves in the first period, and the attacker moves in the second period. • Theoptimal defender strategy (N, M) can be found as a solution of a minmax game in which the defender should chose N and M that minimize the expected losses, given that for any N and M the attacker chooses Q that maximizes the expected losses:
Asubsetofelements • For any given defense strategy (N, M), there are M protected and N –M unprotected elements in the system. • When the attacker attacks Q elements, the number of attacked protected elements can vary from max{0, Q–N+M} to min{Q, M}. • According to the hypergeometric distribution, the probability that the attacker attacks exactly q protected elements and Q–q unprotected elements is
Asubsetofelements • The vulnerability of each protected element is
Asubsetofelements • The probability that exactly k elements are destroyed out of q protected elements that are attacked is • All the attacked unprotected elements are destroyed with probability 1.
Asubsetofelements • If the attacker attacks exactly q protected elements and Q –q unprotected elements, it destroys k elements (0<k<q) with probability w(q, k) and Q–q elements with probability 1. • The total number of destroyed elements is k+Q –q, where random k varies from 0 to q. • Note that different q and k can produce the same total number of the destroyed elements s when k=s+q –Q.
Asubsetofelements • The probability of destruction of exactly s elements can be obtained as
Asubsetofelements • For any demand F and number of elements N we can obtain the normalized expected losses as
Asubsetofelements • The optimal values of M and N can be obtained by the following enumerative procedure.