ShishirNagaraja, Ross Anderson
ComputerLaboratory
JJThomsonAvenue,CambridgeCB30FD,UK
forename.surname l.am.a.uk
Abstrat. Often anattakertries to disonnet a network by destroyingnodes or edges, while
thedefenderountersusingvariousresilienemehanisms.Examplesinludeamusiindustrybody
attemptingtolosedownapeer-to-peerle-sharingnetwork;medisattemptingtohaltthespread
ofaninfetiousdisease byseletivevaination;and apolieagenytryingtodeapitatea
terror-istorganisation. Albert,Jeongand Barabasi famouslyanalysed thestati ase, and showed that
vertex-orderattaksareeetiveagainstsale-freenetworks.Weextendthisworktothedynami
ase by developinga frameworkbasedonevolutionary gametheoryto explore the interationof
attak anddefenestrategies. Weshow,rst,thatnaivedefenes don'tworkagainst vertex-order
attak; seond, that defenesbased onsimpleredundanydon'tworkmuhbetter, but that
de-fenesbasedonliquesworkwell;third,thatattaksbasedonentralityworkbetteragainstlique
defenesthanvertex-orderattaksdo;andfourth,thatdefenesbasedonomplexstrategiessuhas
delegationplusliqueresistentralityattaksbetter thansimpleliquedefenes.Ourmodelsthus
buildabridgebetweennetworkanalysis and evolutionarygametheory,and provide aframework
foranalysing defene andattak innetworkswhere topologymatters.They suggestdenitions of
eÆienyofattakanddefene,andmayevenexplaintheevolutionofinsurgentorganisationsfrom
networksofellstoamorevirtualleadershipthatfailitatesoperationsratherthandiretingthem.
Finally,wedrawsomeonlusionsandpresentpossiblediretionsforfutureresearh.
1 Introdution
Many modernonits turnononnetivity.Inonventionalwar,muheortisexpended
on disrupting the other side's ommand,ontroland ommuniations by jamming or
de-stroyinghisfailities.Counterterrorismoperationsinvolveasimilareortbut with
dier-enttools:traÆanalysistotraeommuniations,oupledwithsurveillaneoftheowsof
money, materialand reruits, followed by the arrest and interrogation ofindividualswho
appear tobe signiantnodes. Terroristsare aware of this, and takemeasures to prevent
their networks being traed. Usama bin Laden desribed his strategy on the videotape
aptured in Afghanistan as `Those who were trained to y didn't know the others. One
group of people didn't know the other group' (see [14℄, whih desribes the hijakers'
networks).
Connetivity matters for soial dominane too, as a handful of leading individuals
do muh of the work of holding a soiety together. Subverting or killing these leaders is
likely to be the heapest way to make an invaded ountry submit. When the Norman
Frenh invaded England inthe eleventhentury, they killedor impoverishedmost of the
indigenous landowners;whenthe Turks, andthen theMongols,invadedIndia,they killed
both landowners and priests; when England suppressed the Sottish highlands after the
1745 uprising, landowners were indued to move to Edinburgh or London; and in many
of the dreadfuleventsof the lastentury, rulerstargeted theelite (Russiankulaks,Polish
oÆers, Tutsi shoolteahers, ...).
Movingfrompolitistoommere,the musiindustryspends alotofmoney
attempt-ingtodisruptpeer-to-peer le-sharingnetworks.Tehniques rangefromtehnialattaks
for example,itoftenhappens thata smallnumber ofindividualsaount formuh ofthe
transmission of a disease.Thus Senegalhas been more eetive attakling the spreadof
HIV/AIDSthanotherAfrianountries,astheytargetedprostitutes[19℄.Infat,interest
in soialnetworks has grown greatly over the last 15 years in the humanitiesand soial
sienes [20,9℄.
Reent advanes in the theory of networks have provided us with the mathematial
andomputationaltoolstounderstandsuhphenomenabetter.Onestrikingresultisthat
a network muh of whose onnetivity omes from a small number of highly-onneted
nodes anbeveryeÆient,butatthe ostof extremevulnerability.As asimpleexample,
if everyone in the ounty ommuniates using one telephone exhange, and that burns
down, then everyone isisolated.
This paperstarts to explore the tatial and strategioptions open toombatants in
suh onits. What strategies an one adopt,when buildinga network, toprovide good
trade-os between eÆieny and resiliene? We are partiularly interested in omplex
networks, involving thousands or millions of nodes, whih are so ompliated (or under
suh dispersed ontrol) that the resiliene rules an only be implemented loally, rather
than by a entral planner who deliberately designs a network with multiple redundant
bakbones.
Is itpossible, forexample, toreatea virtual high-degreenode, by ombining a
num-ber of nodes whih appear on external inspetion to have lower degree? For example, a
numberofindividualsmightjointogetherinaring, anduse someovert ommuniations
hannel to route sensitive information round the ring in a manner shielded from asual
external inspetion. There is a loose preedent in Chaum's `dining ryptographers'
on-strution [10℄, in whih a number of ryptographers pass messages round a ring in suh
a way as to mask, from insiders, the soure and destination of enrypted traÆ. Can we
build asimilar onstrution, but in whih the fat of systemati message routingis
on-ealed fromoutsiders,with the result thatthe partiipantsappear to be`ordinary'nodes
making a modest ontribution in the network, rather than important nodes that should
betargeted for lose inspetion and/ordestrution?
2 Previous Work
Therehas beenrapidprogress inreentyearsinunderstandinghownetworksandevelop
organially, how their growth inuenes their topology, and how the topology in turn
aets both their apaityand their robustness.There isnowasubstantialliterature: for
a book-lengthintrodution, see Watts [21℄, whileliterature surveys are [1,17℄
Early work by Erdos and Renyi modelled networks as random graphs [11,7℄; this is
mathematially interesting but does not model most real-world networks aurately. In
real networks,path lengthsaregenerallyshorter;itiswellknown thatanytwopeopleare
linked by a hain of maybe half a dozen others who are pairwise aquainted { known as
the `small-world'phenomenon. This idea waspopularised by Milgram inthe 60s [16℄. An
explanationstartedtoemergein1998whenWattsandStrogatzproduedthealphamodel.
Alpha is a parameterthat expresses the tendeny of nodes to introdue their neighbours
to eah other; with = 0, eah node is onneted to its neighbours' neighbours, so the
model is rather omplex to analyse, so they next introdued the beta network: this is
onstruted by arranging nodes in a ring, eah node being onneted to itsr neighbours
on either side, then replaing existing links with random links aording to a parameter
; for =0no linksare replaed, and for =1 alllinkshave been replaed, sothat the
network has again beome a random graph [22℄. The eet is to provide a mix of loal
and long-distane linksthat models observed phenomena insoialand othernetworks.
Howdonetworkswith short pathlengthsome about inthe realworld?The simplest
explanation involves preferential attahment. Barabasi and Albert showed in 1999 how,
if new nodes in a network prefer to attah to nodes that already have many edges, this
leads to a power-law distribution of vertex order whih in turn gives rise to a sale-free
network[6℄,whihturnsout tobeamoreommontypeofnetworkthanthealphaorbeta
types. Ina soialnetwork, for example,people who already havemany friends are useful
toknow, sotheirfriendshipis partiularlysoughtby newomers.In friendshipterms,the
rih get riher. There are many eonomi ontexts in whih suh dynamis are also of
interest[13℄.
The key paperfor our purposes was written by Albert, Jeong, and Barabasi in 2000.
They observed that the onnetivity of sale-freenetworks,whihdepends onthe
highly-onneted nodes, omes at a prie: the destrution of these nodes will disonnet the
network. If an attaker removes the best-onneted nodes one after another, then past
some threshold pointthe size of the largest omponent ofthe graphollapses [2℄.
Laterwork by Holme,Kim,Yoonand Hanin2002 extended thisfromattakson
ver-ties toattaks onedges;here, the attaker removesedges onneting high-degreenodes,
andagain,pastsomeritialpoint,thenetworkbeomesdisonneted[15℄.Theyalso
sug-gested using entrality { tehnially, this is the `betweenness entrality' of Freeman [12℄
{ as analternativeto degreefor attak targeting. (A node's entrality is, roughly
speak-ing, the proportion of paths on whih it lies.) Computing entrality is harder work for
the attaker than observing vertex degree, but it enables him to attak networks (suh
as beta networks) where there is littleor no variability invertex order. Finally, in 2004,
Zhao, Park and Lai modelled the irumstanes in whih a sale-free network an suer
asading breakdown from the suessive failure of high-onnetivity nodes [23℄. These
ideas nd some resonane in the eld of strategi studies: for example, Soviet dotrine
alledfor destroyingathirdof theenemy's network,jammingafurtherthird,and hoping
that the remainingthird would ollapseunder the inreased weight of traÆ.
3 Naive Defenes Don't Work
Giventheobviousimportaneofthesubjet,andthefatthattheAlbert-Jeong-Barabasi
paper appeared in 2000, one obvious question is why there has been no published work
sineonhowanetworkandefenditselfagainstadeapitationattak.Hereisonepossible
explanation: the two obviousdefenes don't work.
Oneofthese issimplytoreplenishdestroyed nodes withnew nodes, andfurnish them
with edges aording to the same sale-free rule that was used to generate the network
initially. One might hope that some equilibrium would be found between attak and
aording to a random graph model. In this way, we might hope that, under attak, a
network would evolve from an eÆient sale-free struture into a less eÆient but more
resilient random struture. In a real appliation, this might happen either as a result
of nodes learning new behaviour, or by seletive pressure on a node population with
heterogeneous onnetivity preferenes: inpeaetime the nodes with higherdegreewould
beomehubs, while inwartime they would beearly asualties.
Nieastheseideasmayseemintheory,theydonotworkatallwellinpratie.Figure1
shows rst (solid line) how the vertex-order attak of Albert, Jeong and Barabasi works
against a simulated network with no replenishment, then with random replenishment,
then with salefree replenishment. In the vanilla ase the attak takes two rounds to
disonnet the network; with random replenishment it takes three, and with sale-free
replenishment it takes four.
0
2
4
6
8
10
12
14
16
18
20
22
24
26
28
30
32
0
10
20
30
0
100
200
300
400
Rounds
Component
No replenishment
Random replenishment
Scalefree replenishment
Fig.1.Naivedefenesagainstvertex-orderdeapitationattak
It seems that, to defend against these kinds of deapitation attaks on networks, we
will need smarter defene strategies. But how should these be evolved, and what sort of
framework shouldwe use toevaluate them?
4 A Model from Evolutionary Game Theory
Previousresearhersonsidereddisruptiveattaksonnetworkstobeasingle-roundgame.
Suhamodelissuitableforappliationssuhasaonventionalwar,inwhihtheattaker
has toexpend aertainamountofeort to destroy the defender's ommand, ontroland
ommuniations, and one wishes to estimate how muh; or a single epidemi in whih a
ertain amount of resoure must bespent to bring the disease underontrol.
However, there are many appliations in whih attak and defense evolve through
game theory developed by Axelrod and others [3,4℄. This theory studies how games of
multiplerounds dierfromsingle-round games,and ithas turned out to have signiant
explanatory power in appliationsfrom ethologyto eonomis.
We now formalise amodelin whih a game is played with a number of rounds. Eah
round onsists of attak followed by reovery. Reovery in turn onsists of two phases:
replenishment and adaptation.
In the attak phase, the attaker destroys a number of nodes (or, in a variant, of
edges);thisnumberishisbudget. Heseletsnodesfordestrutionaordingtosomerule,
whih is his strategy. For example, he might at eah round destroy the ten nodes with
the largest number of edges onneted tothem.He exeutes this strategy onthe basis of
informationabout the network topology.
In the replenishment phase, the defending nodes reruit a number of new nodes,
and gothrough a phase ofestablishing onnetions {again,aording to given strategies
and information.
Inthe adaptationphase,thedefendingnodesmayrewirelinkswithineahonneted
omponent of the network, in aordane with some defensive strategy. The adaptation
phase isappliedone atthe start ofthe game, beforethe rst roundof attak; thereafter
the gameproeeds attak {replenish {adapt.
An attak strategy is more eÆient, for a given defense strategy, if anattakerusing
it requires a smallerbudget to disruptthe network. Similarly,a defense strategy is more
eÆient if, fora given attak strategy, itompelsthe attaker toexpend a higherbudget
to ahieve network disruption. (We will larify this later one we have presented and
disussed afew simulations.)
Weassumeinitiallythattheattakerhasperfetinformationaboutthenetwork
topol-ogy, and that her goal is simply to partitionthe network { that is, divide it into two or
more nontrivial disjoint omponents. We assume that the defender has only loal
infor-mation, that it, eah node shares the information available to those nodes with whih it
is onneted. Thus, for example, if the attaker manages to split the network into two
omponents,thereisnowayforthemtoreonnet.Wealsostartobyassumingthatthe
defene strategy aets onlythe adaptation phase,as onlyone nodes haveonneted to
anetwork anthey beprogrammedtofollowit;sothereplenishment phaseisexogenous.
Afurther initialassumptionisthat theattakand defenebudgets are roughlyequal.
By this we willmean that for eah node destroyed in the attak phase, one node will be
replaed inthe resoure additionphase. Thus the network will neithergrow or shrink in
absolutesizeandweanonentrateononnetivityeets.Wewilldisussotherpossible
assumptions later, but the stati budgets and global attak / loal defene assumptions
will get usstarted.
5 Defene Evolution { First Round
To analyse the vulnerability of a network, the seletion of network elements (nodes or
edges) destroyed in eah roundis the attaker's hoie and onstitutes her strategy. The
attakerwishes tomaximize the network damageaused per unit of work.
Wewillstartobyonsideringastatiattaker,usingwhatweknowtobeareasonable
for a defene against the best attak we found in the lastround, and so on. There is no
guarantee thatthe proess onverges { theremay be aspeialised attak that works well
against eahdefene, and vie versa {but if evolutionarygames onnetworks behave like
more traditionalevolutionary games, we may expet to nd some strategies that do well
overall, as `tit for tat' does in multi-round prisoners' dilemma. We may also expet to
gain useful insights inthe proess.
5.1 Defense strategy 1 { random replenishment
Ourrstdefensivestrategyisthesimplestofall,andisoneofthenaivedefenesintrodued
inthe abovesetion.New nodes are joinedtothe graphatrandom.Weassumethat eah
attak round removes r nodes, and the replenishment round adds exatly r nodes, eah
ofwhihisjoinedtothe survivingvertieswithprobabilityp.rremainsonstantforeah
run ofthesimulation,whilepinreasesfromk=(N r)tok=(N 1)asthe replenishment
proeeds. In this strategy,the defenderdoesnothingin the adaptation phase.
This models the ase where new reruits to a subversive network simply ontat any
other subversives they an nd; no attempt is made to reshape the network in response
to the apture of leaders but the network is simplyallowed tobeome more amorphous.
5.2 Defense strategy 2 { dining steganographers
Ourseonddefensivestrategyismoresophistiated,andisinspiredbythetheoryof
anony-mous ommuniation as developed by omputer sientists, most notably Chaum [10℄. A
node that aquires a high vertex order, and thus ould be threatened by a vertex-order
attak, splits itself into n nodes, arranged in aring. The rings have two funtions. First,
they provideresiliene: aringbroken atone pointstillsupports ommuniationsbetween
all its surviving nodes, and it is the simplest suh struture. Seond, nodes an route
overt traÆ between appropriate input and outputlinks, and use enryption and other
information-hidingmehanismstoonealthetraÆ.Thismodelwasoriginallypresented
in Chaum's seminal`dining ryptographers' paper itedabove, so wemight refertoit as
the `dining steganographers'. The ollaborating nodes in eah ring annot oneal the
existene of ommuniation between them, as the over traÆ is visible to the attaker.
However, fromthe attaker's viewpoint itisnot obvious thatthese n nodes are ating as
a virtual supernode.
Our fous here is on the eets of network topology, rather than onthe higher-layer
mehanisms that atually implement the overtness property and that provide any
on-dentiality of ontent or of routing data. We assume a world in whih there is suÆient
enrypted traÆ(SSL,SSH, DRM,...)thatenrypted traÆisnot ofitselfsuspiiousso
long asitiswrapped inaommoniphertext type.The attaker's inputonsistsoftraÆ
data olleted from the bakbone or from ISPs, and her output onsists of deisions to
sendpolieoÆerstoraidthepremisesassoiatedwithpartiularIPaddresses.Her
prob-lem is this: given an observed pattern of ommuniations, whom should she investigate
rst?
Thepreise mehanism of ringformationin oursimulation isasfollows.A vulnerable
node deides toreate aring and reruits forthe purpose a furthern 1 nodes fromthe
rings may not overlap. Finally, reruits to a ring relinquish any existing links with the
rest of the network, and the ring-formingnode sharesits external linksuniformlyamong
all the members of the ring.
5.3 Defense strategy 3 { revolutionary ells
Ourthirddefensivestrategyisinspiredbyellsofrevolutionaries,alongthemodelfavoured
historially by a number of insurgent organisations. A node that aquires a high vertex
order splits itself inton nodes, all linked with eah other, with the previous outside
on-netions split uniformlybetween them.In graph-theoreti language, eah supernode is a
lique.
As in ring formation, a node that onsiders itself vulnerable is allowed to split itself
into a lique of nodes. The new nodes are drawn either from the pool of new nodes, or,
if they are insuÆient, from low-vertex-order neighbours of the lique-formingnode. As
before, this node's external edgesare distributeduniformlyamong members, while other
member nodes' former external edges are deleted.
Simulations { rst set Forour rstset ofsimulations,we onsider asalefree network
of N =400 nodes.Weuse aBarabasi-Albertnetworkreated bythe followingalgorithm:
1. Growth:Startingwith m
0
=40nodes, ateahround weadd m =10new nodes, eah
with 3edges.
2. Preferential Attahment: Theprobability thata newnode onnets tonode i is(k
i )
=k
i =
P
j k
j
where k
i
isthe degreeof node i.
Havingreatedthesalefreenetwork,wethenraneahoftheabovedefensivestrategies
against avertex-order attak.
Results The results of the initialthree simulationsare given in Figure2.
The blak graph in Figure 2 provides a alibration baseline. As seen in the above
setion, randomreplenishment withoutadaptation isineetive:within three roundsthe
size ofthelargestonneted omponenthas fallenbyahalf,from400 nodestowellunder
200.
The greengraph shows that rings give onlya surprisinglyshort-term defene benet.
They postpone network ollapsefromabout two roundstoabout adozen rounds.
There-after, the network is almostompletely disonneted. In fat, the outome is even worse
than with random replenishment.
Cliques,on the other hand,work well.A fewvertiesare disonneted ateah attak
round, but as the yan graphshows, the network itselfremains robustly onneted.This
mayprovidesomeinsightintowhy,althoughringshaveseemedattrativetotheoretiians,
those real revolutionary movements that have left some trae in the history books have
used a ellstruture instead.
6 Attak Evolution { First Round
Having tried a number of defene strategies and found that one of them { liques { is
eetive, the next step isto tryout anumberof attak strategies tosee if anyof them is
0
4
8
12
16
20
24
28
0
100
200
300
400
Rounds
Component
Fig.2.blak:Vertexorderattak,noadaptation green:Vertexorderattak,rings yan:Vertexorderattak,
liques
Of the attak strategies we tried against a lique defene, the best performer is an
attak based on entrality. We used the entrality algorithmof Brandes [8℄ to selet the
highest-entralitynodes fordestrutionateahround.Asbefore, our alibrationbaseline
is random replenishment. For this, the red and blak graphs show performane against
vertex-order and entrality attaks respetively.Both are equally eetive;within two or
three rounds the size of the largestonneted omponent has been halved.
The green and blue graphs show that the same holds for rings: the network ollapses
ompletelyafterabout adozenrounds.Centralityattaksare veryslightlymore eetive
but there is not muh in it.
0
4
8
12
16
20
24
28
0
100
200
300
400
Rounds
Component
Fig.3.blak:Vertex orderattak,noadaptation red: Centrality attak,noadaptation green:Vertexorder
attak,rings blue:Centrality attak, rings yan: Vertex orderattak, liques magenta:Centrality attak,
graphs,whihshowhowliquesbehave.Cyanshows,asbefore,avertex-orderattakwith
severitym=10beingineetiveagainstaliquedefene.Magentashowstheeetonsuh
anetwork ofaentralityattak.Here the largestonnetedomponentretains about400
nodes untilthenetworksuddenlypartitionsat14rounds,whereafteralargest-omponent
size ofabout 200 is maintained stably.
0
4
8
12
16
20
24
28
0
0.1
0.2
0.3
0.4
0.5
Rounds
Average
Inverse
Geodesic
Length
Fig.4.red:Centralityattak,noadaptation blue:Centralityattak,rings magenta:Centralityattak,liques
Some insight into the internal mehanis an be gleaned from Figure 4. This shows
the average inverse geodesilength.Foreahnode,wend thelengthofthe shortestpath
to eah other node, and take the inverse (we take the length tobe innite, and thus the
inverse to be zero, if the nodes are in disjoint omponents). We average this value over
alln(n 1)=2 pairsof nodes. Thisvalue fallssharply fordefensewithoutadaptation,and
falls steadily for defense with rings. These falls reet inreasing diÆulty in internode
ommuniation.Withliques,thevertex-orderattakhaslittleeet,whiletheentrality
attak makes steadily inreasing progress on a graph of 400 verties, until it ahieves
partition and redues the largest omponent to about 200 verties. But it makes only
slowprogress thereafter.
6.1 Clique sizes
We next ran a simulation omparing how well defense works when using dierent sizes
of rings and liques. Ring size appears to make little dierene; rings are just not an
eetivedefeneotherthanintheveryshortterm.However, varyingthelique sizeyields
the resultsdisplayed inFigure 5.
This shows that under a entrality attak, the performane of the defense inreases
steadily withthe size of the lique.Thereis stillaphasetransitionafterabout 14rounds
or soafterwhihthe largest onnetedomponent beomes signiantly smaller,but the
size of thisequilibriumomponent inreasessteadily fromabout 150 withlique size 8to
0
10
20
30
0
100
200
300
400
Rounds
Largest
Component
0
10
20
30
0
0.1
0.2
0.3
0.4
Rounds
Average
Inverse
Geodesic
Length
size 5
size 8
size 11
size 14
size 17
size 20
Fig.5.Cliquereoverywithdierentliquesizesunderaentrality attak
7 Defene Evolution { Seond Round
Now that we know entrality attaks are powerful, we have tried a number of other
possible defenes. The most promising at present appears to be a ompound defene
based on liques and delegation.
Theideabehinddelegationisfairlysimple.Anodethatisbeomingtoowell-onneted
selets one of its neighbours as a `deputy' and onnets it to a seond neighbour, with
whihitthendisonnets.This reets normalhumanbehavioureven inpeaetime: busy
leaders pass new reruits on to olleagues. In wartime, and with an enemy that might
resort to vertex-order attaks, the inentive to delegate is even greater. Thus a terrorist
leader who gets an oer from a wealthy businessman to nane an attak might simply
introdue him to a young militant who wants to arry one out. The leader need now
maintain ommuniationswith at most one of the two.
Delegation on its own is rather slow; it takes dozens of rounds for delegation to
`im-munise' a network against vertex-order attak. If a vanilla sale-free network is going to
beexposed toeitheravertex-orderorentralityattak fromthenext round,then drasti
ation(suhaslique formation)isneededatone;elseitwillbedisonneted withintwo
or three rounds. Slower defenes like delegation an however play a role, provided they
are started from network formation or a reasonable time period (say 20 rounds) before
the attak begins.
It turns out that the delegation defene, on its own, is rather like the rings of dining
steganographers. Network fragmentation ispostponed (about 14roundswith the
param-eters used here) though not ultimatelyaverted.
Whatisinteresting,however,isthis.Ifweformanetworkandimmuniseitbyrunning
the delegationstrategy,then runalique defene aswellfromtheinitiationofhostilities,
this ompound strategy works rather better than ordinary liques. Figure 6 shows the
simulation results.
Figure 7 may give some insight into the mehanisms. Delegation results in shorter
path lengths under attak: it postpones and slows down the growth of path length that
otherwiseresultsfromhubelimination.Asaresult,equilibriumisahievedlater,andwith
0
4
8
12
16
20
24
28
0
100
200
300
400
Rounds
Component
Fig.6.red: Centrality attak, noadaptation pink: liquedefenebrown:immunisationby delegation (20%)
yellow:delegationpluslique
0
4
8
12
16
20
24
28
0
0.1
0.2
0.3
0.4
0.5
Rounds
Average
Inverse
Geodesic
Length
Fig.7.red: Centrality attak, noadaptation pink: liquedefenebrown:immunisationby delegation (20%)
In this paper, we have built a bridge between network siene and evolutionary game
theory.
Forsome years, people have disussed what sort of ommuniations topologies might
be ideal for overt ommuniation in the presene of powerful adversaries, and whether
network siene might be of pratial use in overt onits { whether to insurgents or
to ounterinsurgeny fores [5,18℄. Our work makesa start ondealing withthis question
systematially.
Albert, Jeong and Barabasishowed thatalthough asalefree network providesbetter
onnetivity, this omes at a ost in robustness { an opponent an disonnet a network
quikly by onentrating its repower on well-onneted nodes. In this paper, we have
asked the logial next questions.What sort of defeneshould be planned by operatorsof
suhanetwork?Andwhatsortof frameworkanbedeveloped inwhihtotestsuessive
renements of attak, defense, ounterattak and soon?
First,wehaveshownthat naivedefenesdon'twork.Simply replaingdeadhubswith
newreruitsdoesnotslowdowntheattakermuh,regardlessofwhetherlinkreplaement
follows a randomorsale-free pattern.
Moving from a single-shot game to a repeated game provides a useful framework. It
enables onepts of evolutionarygame theory to be appliedtonetwork problems.
Next,weusedtheframeworktoexploretwomoresophistiateddefensivestrategies.In
one, potentiallyvulnerablehigh-ordernodes are replaed withrings ofnodes, inspiredby
a standard tehnique in anonymous ommuniations. In the other, they are replaed by
liques, inspiredby theellstruture oftenused inrevolutionarywarfare. Toour surprise
we found that ringswere allbut useless,while liques are remarkablyeetive. Thismay
be part of the reason why ell strutures have been widely used by apable insurgent
groups.
Next,wesearhedfor attaks thatwork betteragainstlique defenes.Wefoundthat
the entrality attak of Holme et al does indeed appear to be more powerful, although
it an be more diÆult to mount as evaluating node entrality involves knowledge of
the entire topology of the network. Centrality attaks may reet the modern reality
of ounterinsurgeny based on pervasive ommuniations intelligene and, in partiular,
traÆ analysis.
Now we are searhing for defenes that work better against entrality attaks. A
promising andidate appears to be the delegation defene, ombined with liques. This
ombination may in some ways reet the reported `virtualisation' strategies of some
moderninsurgent networks.
Above all, this work provides a systemati way to evolve and test seurity onepts
relatingtothetopologyofnetworks.Clearlythe oevolutionofattakand defensean be
taken muh further. Further workinludes testing:
1. networksthatgroworshrink, maybewith endogenousreplenishment(urrent
reruit-ment a funtion of past operationalsuess)
2. imperfetly informed attakers, suh as poliemen who have aess to the reords of
some but not allphone ompanies oremail servie providers, orwho must use purely
loalmeasures of entrality
onlyat some ost tohis replenishmentbudget
5. heterogeneous networks, with subpopulations having dierent robustness preferenes
6. dynami strategies that detetopponents'strategies and respond
7. dierent attaker goals.For example,some say that the Iraqi rebel leaderAl-Zarqawi
is not bin Laden's subordinate but his ompetitor. So an attak objetive might be
not justpartition,but to divide the oppositioninto groupsof less thana ertainsize.
When attaking an ad-ho sensor network, the goalmight be to redue the eetive
bandwidth,and there might beinteration with routingalgorithms.
Preliminarythoughitis,wesuggestthatthis workhas broadpotentialappliability{
from making the Internet more resilient against natural disasters and maliious attaks,
to the question of howbest to disrupt(ordesign) subversive networks.
Aknowledgements:Wehavehaduseful feedbak onanearlyversionof thispaper
fromAlbert-LaszloBarabasi,MikeBond,GeorgeDanezis,Karen Spark Jonesand Chris
Lesniewski-Laas. The rst author was supported by asholarship fromthe Gates Trust.
Referenes
1. R Albert, AL Barabasi, \Statistial Mehanis of Complex Networks", Reviews of Modern Physis 74
(2002)47
2. RAlbert,HJeong, andALBarabasi,\Errorandattaktoleraneofomplexnetworks"inNature v406
(2000)pp387{482
3. RAxelrod,\The EvolutionofCooperation"BasiBooks,NewYork(1984)
4. RAxelrod,\The ComplexityofCooperation"PrinetonUniversityPress(1997)
5. CBallester,ACalvo-ArmengolandYZenou,\Who'sWhoinCrimeNetworks{WantedtheKeyPlayer",
IUIWorkingPaperSeries617,TheResearhInstituteofIndustrialEonomis(2004).
6. ALBarabasi,RAlbert,\Emergene ofsalinginrandomnetworks",inSienev286(1999)pp509{512
7. BBollobas,`RandomGraphs',AademiPress(1985)
8. UBrandes,\AFasterAlgorithmforBetweennessCentrality",J.Math.So.25(2)(2001)pp163{177
9. PJ Carrington, J Sott, S Wassermann, `Models and Methods in Soial Network Analysis', Cambridge
UniversityPress(2005)
10. DChaum,\TheDiningCryptographersProblem:UnonditionalSenderandReipientUntraeability",in
JournalofCryptologyv1(1989)pp65{75
11. PErdos,ARenyi,\OnRandomGraphs",inPubliationes Mathematiaev6(1959)pp290{297
12. LCFreeman,\Asetofmeasuringentralitybasedonbetweenness",inSoiometryv40(1977)p35{41
13. MO Jakson, \A SurveyofModels ofNetworkFormation: Stability and EÆieny"A, inGroup F
orma-tionin Eonomis:Networks, Clubs, andCoalitions,edited by Gabrielle DemangeandMyrnaWooders,
CambridgeUniversityPress.
14. VEKrebs, \MappingNetworksof TerroristCells",inConnetions v12no3;athttp://www.loative.
net/tmreader/index.php?mappi ng;k rebs
15. PHolme,BJKim,CNYoon,andSKHan,\AttakVulnerabilityofComplexNetworks"inPhys.Rev.E
v65art. no.018101,2002
16. SMilgram,\TheSmallWorldProblem",inPsyhology Todayv2(1967)pp60-87
17. MEJNewmann,\StrutureandFuntionofComplexNetworks",SIAMReview45(2003)pp167{256
18. MK Sparrow, \The Appliation of Network Analysis to Criminal Intelligene: An assessment of the
prospets",inSoialNetworksv13(1990)pp253{274
19. NThompson,\TheNetworkEet{WhySenegal'sboldanti-AIDSprogramisworking",inTheBoston
GlobeJanuary5,2003; athttp://www.newameria.net/inde x.f m?pg= arti le& DoID =109 2
20. SWassermann,KFaust,`Soial NetworkAnalysis',CambridgeUniversityPress(1994)
21. DJWatts,`SixDegrees: TheSieneof aConnetedAge',Norton,New York(2003)
22. DJWatts,SHStrogatz,\ColletiveDynamisofSmall-WorldNetworks",inNaturev393(1998)pp440-442
23. LAZhao,KHPark,YCLai,\Attakvulnerabilityofsale-freenetworksduetoasadingbreakdown",in
