A Simple Pruning Rule for New Edges Is Incorrect 35

Unfortunately, we cannot employ a simple pruning rule that restricts our consideration to those new components whose addition improves the performance of the network or reduces the impact of the worst-case attack. The following counterexample shows why a simple pruning rule does not always generate to the optimal defense.

Consider the simple five node network in Figure 7. The objective of the network is to move resources from source to destination at minimum cost. Define a transshipment node as a node where no source or demand for resources exists. A source node is black, a destination node is white, and a transshipment node is grey. Each destination node requires one resource, and the source node has exactly enough resources to fulfill all requirements. There is a cost of one unit to move one resource over any one edge. Edges

have unlimited capacity, and attacked edges are unusable. There is a penalty cost of 10 units if a destination node does not receive a resource. There is no cost for either using or not using a transshipment node. Existing edges are solid lines, and edges that may be added to the network are dashed. New edges can transport resources only if built. Nodes 1 through 4 are connected as shown, and node 5 is disconnected. Node 5 may be connected with the addition of one or more of the dashed line edges. The attacker has a budget of two units. The defender has a budget of two units, and defending an existing edge or building a new edge both cost one unit. Newly added edges to the network are invulnerable to attack.

Figure 7. A Minimum Cost Flow Network with a Transshipment Node

Proposition 2–2: If new edges that could be added to a network are connected to a transshipment node, then the new edges cannot be considered for exclusion one at a time in an IE tree if no change to the worst-case attack or improvement in network performance is observed.

Proof of Proposition 2–2: Proof via contradiction. Assume to the contrary that new edges connected to transshipment nodes are considered one at a time for addition to the network. We use the five node network of Figure 5 as an example. The undefended attack plan for the root node would be to attack edges (1, 2) and (1, 4) which disconnects that source from the network and stops all flow of resources. The attack is a minimal edge-cut (Chartrand & Zhang, 2012, p. 116) of Figure 7. The undefended objective function would have value 30 because each destination node would each incur the penalty cost and no resources would flow over edges. Considering the addition of edge

(1, 5) by itself to the network as one defense would not have any effect, since no resources would reach their destination with this one addition. No resource would flow from node 1 to node 5 because there is a cost of 1 to use edge (1, 5) and no incentive to move one unit of resource to node 5. A similar argument applies to the addition of edge (3, 5). In both cases, these singular defenses would neither change the worst-case attack nor the network objective function value. If we consider new edges one at a time, both new edges would be excluded from the first set of branches to the IE tree. The optimal solution to this problem, though, is to add both edges (1, 5) and (3, 5) to the network simultaneously. Note that each source and destination node in the network with both new edges added is now 3-connected (Chartrand & Zhang, 2012, p. 117). Since each source and destination is 3-connected, the attacker cannot use two attacks to stop the flow of resources from any source to any destination. Notice that the resulting objective function of the defended network would improve to eight, but the worst-case attack would not change. Thus, a contradiction is reached because the optimal solution for the DAD problem instance can only be found in this network by considering both new edges simultaneously. Figure 8 shows the result, and the numbers above the edges represent the amount of resource flow on that edge.▪

(a) Undefended Worst-case Attack (b) Optimal Defenses and Resulting Attack

Figure 8. New Edge Consideration with Transshipment Nodes

We make another proposition about new edge exclusion in enumeration trees that does not rely on transshipment nodes with the network in Figure 9. In Figure 9, assume source node 1 has supply of three resources and source node 2 has a supply of one

resource. Both of the source nodes have exactly the amount of supply that is required by the destination nodes that they are connected to. Edges (1, 2) and (4, 6) do not currently exist, but they may be added as defenses. The defender has a defense budget of two units, and the attacker has a budget of one unit. Again, destination nodes are white, have a demand of one resource each and have a penalty cost of 10 if the demand is not satisfied. Solid lines are existing edges, and dashed lines are edges that could be built as defenses.

Figure 9. A Minimum Cost Flow Network with No Excess Supply

Proposition 2–3: If source nodes do not have supply in excess of the total demand at destination nodes, then no new edges that could be added to a network can be considered one at a time in an IE tree.

Proof of Proposition 2–3: Proof via counterexample. Assume to the contrary that edges could be excluded one at a time in a network that has nodes with no excess supply and consider Figure 9. In Figure 9, the worst-case attack would be to attack edge (1, 3) which cuts off flow to nodes 3, 5 and 6, resulting in an objective value of 31. The first best defense would be to defend edge (1, 3) to restore flow. Building edge (1,2) by itself would have no effect on either the worst-case attack or optimal value, since the worst- case attack would still occur at (1,3) and cut off the same nodes. Building edge (4, 6) by itself would also have no effect on either the worst-case attack or optimal value, since no resources could travel over the new edge. In this case, the IE tree would exclude both new edges from further consideration. The IE algorithm would next attempt to form the second defense. With edge (1, 3) defended in the first round of enumeration, the new worst-case attack would be edge (3, 5) to cut off flow to nodes 5 and 6. When

considering the second level of defenses, the IE tree algorithm would not be able to consider both new edges together, because the formation of the first layer of depth of the tree would have excluded both edges individually. The IE tree would only consider the new edges individually for the second defense, and they would not be optimal. However, the contradiction occurs because the optimal defense is to build both edges (1, 3) and (4, 6). The worst-case attack in response to this defense is unchanged. This defense would not be found by examining new edges for addition one at a time. When the two new edges are added simultaneously, the network topology becomes a 2-connected graph (Chartrand & Zhang, 2012, p. 115). Any single attack will result in a network that is still a 1-connected graph, and all resources can flow to all destination nodes. Figure 10 illustrates the proof.▪

(a) Undefended Worst-case Attack (b) Optimal Defenses and Resulting Attack

Figure 10. Lack of Supply in Excess of Total Demand