Trilevel Optimization of Homeland-Defense Problems
Jerry Brown, Matt Carlyle, Kevin Wood
Operations Research Dept.
4 October 2007
Modeling Adversaries
• How do we account for the actions of malicious, intelligent adversaries?
• We can try to assess means, motive, opportunity, etc.
• Many experts on various groups and cultures involved
• Many models proposed in DoD, DHS, and in the literature
Bioterrorism Motivation
• Original model we saw was an 18-stage Probabilistic Risk Assessment (PRA) tree
• Branching for terrorist stages (“events”) modeled with probabilities (and conditional probabilities)
  • derived from an average over several SME inputs...
  • ...each of which was derived from a stoplight diagram
• Latin hypercube sampling provided scenario (path) probabilities
• Other models yielded “consequences” at each scenario leaf
• Expected(scenario probability × consequence) = risk
• Risk analyses yielded a ranking of terrorist options
Models of Random Behavior
• Perfectly suited for Mother Nature
  • Storm forecasts
  • Hurricane tracking
  • Drought durations
  • Lightning strikes
• Adapted to other highly complex systems
  • Stock market
  • Retail demand forecasting
  • Engineering reliability
• Many other successful applications
Models of Random Behavior
• Typically driven by a set of key model parameters
  • Means
  • Rates of growth
  • Drift
  • Variance
• Models fit from past performance data
• What if no past performance exists?
• Or we have poor model fits for estimates...
Subject Matter Experts
• SMEs can provide a wealth of information for complex models
• Data frequently must be elicited by the modelers
  • Interviews and questionnaires
  • Stoplight diagrams (!)
• SMEs rarely (never?) use the words “always” or “never”
Bioterrorism
• Where will a terrorist attack take place?
• What pathogen?
• How will they release it?
• When?
• SMEs using stoplight diagrams will end up providing a positive “probability” on almost every possible outcome.
(Bio-)Terrorists
• Probability-based risk models reduce terrorist events to “acts of nature”
• We know that terrorists observe the current situation and adapt
• Terrorists are intelligent, malicious adversaries, and will not attack randomly.
Our (Very Brief) Background
• Large-Scale Optimization
• Network Models of Logistics and Infrastructure Systems
• Optimal Attack and Defense of Critical Infrastructure
• Bioterrorism: Strategic Investments to Minimize US Vulnerability to Worst-Case Bio Attacks
Critical Infrastructure
• Pipelines
• Railroads
• Subways
• Power grids
• Airports
Bilevel (Attacker-Defender) Models
• Two opponents: attacker and defender
• Defender operates efficiently (say, at minimum cost) using existing infrastructure
• Attacker seeks to damage infrastructure to maximize defender’s costs, with limited resources
Bilevel Model
• X: Attacker chooses an attack that damages defender system components
• Y: Defender observes X, and operates resulting system optimally
Optimal Attack
The typical attack problem is formulated as follows: (cost interdiction)
We do not have COTS technology to solve these “max-min” problems directly.
Reformulation
However, reformulating the inner problem… (taking the dual…)
Bilevel Applications
• Crashed PERT: Delay Iranian Nuclear Weapon
• Shortest Path: Naval Base Defense
• Assignment: Ballistic Missile Defense
• Pure Network: Materiel Flow from N. Korea
• Multicommodity Flow: Logistics, Fuel Distribution
• Leontief Models: Economic Warfare
• LP and NLP (Convex): Electrical Grid
Over 100 red-team case studies of various real infrastructure systems, and more
Bilevel (Defender-Attacker) Models
• Defender invests in defensive options
• Attacker maximizes damage based on observed defenses
Results: Three Detectors
[Figure: subway system map with station labels; legend: Detector location, Worst case attack]
3 Detectors. Detection Opportunity: 31 min
Trilevel Optimization
• Defender makes a budget-limited investment in defense option(s)
• Attacker observes defense investment, and chooses an attack
• Defender observes attack, and responds based on prior investment to reduce impact of attack
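The defender-attacker-defender sequence above, with the attacker-defender problem of the bilevel slides as its inner two stages, as an added example that is not from the presentation. It uses brute-force enumeration rather than the dual reformulation the slides mention; the five-arc network, arc lengths, delay penalty and all function names are constructed assumptions, with W the hardening decision, X the attack and Y the defender's routing.

```python
import heapq
from itertools import combinations

# Constructed network (not from the slides): arc -> (length, delay if attacked)
ARCS = {
    ("s", "a"): (2, 10), ("s", "b"): (4, 10),
    ("a", "b"): (1, 10), ("a", "t"): (6, 10),
    ("b", "t"): (3, 10),
}

def operate(attacked):
    """Y: defender routes s->t at minimum cost on the damaged network."""
    dist, heap = {"s": 0}, [(0, "s")]
    while heap:
        d, u = heapq.heappop(heap)
        if u == "t":
            return d
        if d > dist.get(u, float("inf")):
            continue  # stale heap entry
        for (i, j), (length, delay) in ARCS.items():
            if i == u:
                nd = d + length + (delay if (i, j) in attacked else 0)
                if nd < dist.get(j, float("inf")):
                    dist[j] = nd
                    heapq.heappush(heap, (nd, j))
    return float("inf")

def worst_attack(hardened, n_attacks):
    """X: attacker observes W and maximizes the defender's optimal cost."""
    targets = [a for a in ARCS if a not in hardened]  # hardened arcs are immune
    options = [frozenset(c) for k in range(n_attacks + 1)
               for c in combinations(targets, k)]
    return max(((operate(x), x) for x in options), key=lambda p: p[0])

def best_defense(n_hardened, n_attacks):
    """W: defender hardens the arc set that minimizes the worst-case cost."""
    best = None
    for w in map(frozenset, combinations(ARCS, n_hardened)):
        cost, x = worst_attack(w, n_attacks)
        if best is None or cost < best[0]:
            best = (cost, w, x)
    return best  # (worst-case cost, hardened arcs W, attacker's reply X)

if __name__ == "__main__":
    print("undefended worst case:", worst_attack(frozenset(), 1))
    print("best single hardening:", best_defense(1, 1))
```

Enumeration only works at this toy size, since the number of W and X combinations grows combinatorially with the network.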
Scenario 2 – “Sources are Hardened”
[Figure: flow network diagram with node labels (n…, t…); legend: Sources, Pumps/Transfer Stations, Sinks; FLOW]
Scenario 3 – “Backbone Protection”
[Figure: flow network diagram with node labels (n…, t…); legend: Sources, Pumps/Transfer Stations, Sinks; FLOW]
Trilevel Bioterror Model
• W: Defender makes a budget-limited investment in defense option(s)
• X: Attacker observes W, and chooses a pathogen, location, time, etc.
• Y: Defender observes X, and activates mitigation options, based on prior decision W, to reduce damage of X
A Three-stage Decision Tree
[Figure: decision tree with stages W, X, Y]
Extensions
• What about 18 stages?
• max max maxmin minmax maxmin minmax .....
• In our optimization models, adjacent stages with the same objective can combine into one stage (same decision maker)
• Adjacent stages with continuous decision variables (e.g., probabilities) can be interchanged (a von-Neumann-style min-max theorem)
• This led us to a three-stage model, hence our trilevel optimization
Results
• Our optimization model restricts defender to making a specific investment (or discrete set of investments)
• Attacker can choose probability distribution over attack options
• Defender responses are specific to each attack
Results: Our Key Insight
• We prefer to use the inputs usually provided to SMEs as inputs to our model, with SME guidance
• Our defensive investment is optimal, and any attacker mixed strategy is the worst-case attacker effort
• We have seen instances where it is optimal for the attacker to choose a “mixed strategy”
• These mathematically-derived, mixed-strategy probabilities are a result of our analysis, not an input to it
Current Research: Secrecy
• What if one side is unaware of some capabilities of the other?
• Example: Terrorists can see investments, but are unaware of our mitigation capabilities
• Non-zero-sum models. Attacker and defender do not share the same objective.
• Bilevel (or multi-level) integer programming
• Akin to bimatrix games
• Very difficult to solve
Examples
• Electric Power Grid (DoJ, DHS, DoE, funded)
  • DAD: harden substations to minimize load shed over time
• Counter-proliferation of WMDs (LLNL, unfunded)
  • AD: choose project tasks to interdict to cause maximal delay
• Ballistic Missile Defense (NWDC, funded)
  • DAD: preposition BMD assets to minimize worst-case expected damage
• Secure Facility Protection (ONR, funded)
  • DAD: install security measures to reduce infiltration risk
• Bioterrorism threat reduction (NRC, NAS, unfunded)
  • DAD: invest in defensive strategies for future mitigation against array of threats
• (U) Social Network Analysis (DoD, partially funded)
  • AD: Remove key individuals to maximally retard flow of information, funds, influence, etc.
Contacts
Contact Info:
Prof. Gerald Brown, gbrown@nps.edu
Prof. Matthew Carlyle, mcarlyle@nps.edu
Prof. Kevin Wood, kwood@nps.edu
Operations Research Dept., Naval Postgraduate School