This paper shows that no simple,

Save this PDF as:

Size: px
Start display at page:

Transcription

1 ABSTRACT This paper shows that no simple, common-sense rule of thumb can be used to identify a most-vital arc, even in a simple maximum-flow problem. The correct answer requires analysis equivalent in difficulty to completely solving the maximum-flow problem, perhaps repeatedly. This insight generalizes to finding a most-vital component, or set of components, in a system whose operation is described by a more general model. Our paper shows how to evaluate the criticality of sets of components, how to assess the worst-case set of components that might be lost to a given number of simultaneous hostile attacks (or engineering failures, or losses to Mother Nature), and how to allocate limited defensive resources to minimize the maximum damage from a subsequent attack. Collateral insights include the fact that there is no way to prioritize individual components by criticality, and that the analysis that determines critical component sets also yields objective assessments of operational system resilience and can provide constructive advice on how to increase it. INTRODUCTION When determining how best to protect infrastructure systems from attack, a natural question is, What components are most critical? or, equivalently, which set of components will be most disruptive to the system if lost? A critical component (or set of components) is one whose loss would significantly reduce system function relative to the reduction from losing other components. For example, consider a maximum-flow model, in which a network ofcapacitatedarcsisusedtomodelthe possible flows of a single commodity (such as highway traffic, or water, natural gas, rail traffic, telecommunications traffic, jobs in a job shop, etc.) from an origin node to a destination node through a set of intermediate nodes. The system operator seeks to move as much material through the network from origin to destination as the arc capacities will allow. A classic result in the theory of network flows states that the maximum flow volume is equal to the minimum capacity of any cut, where a cut is a set of arcs such that every path from the origin to the destination passes through at least one arc in the set, and the capacity ofthatcutisthesumofthecapacitiesof the arcs in the cut. The loss of all of the arcs in any cut therefore reduces the maximumflow volume to zero, and so any cut is a set of critical arcs. But what about smaller sets of arcs? In this paper, we revisit the definition of a most-vital arc (or, more generally, component) as one whose removal decreases the resulting maximum flow by the greatest amount, illustrating it using a historical example: the Soviet railroad system in the 1950s. Despite the conceptual simplicity of this definition, no simple rule exists for actually identifying such an arc. We use this example to motivate an attacker-defender system interdiction model, which identifies the worstcase disruption that an intelligent and observant adversary can mount given limited attack capability. We then show that tracing out the worst-case disruption as a function of attack capability provides a natural means to assess the resilience of the system as a whole. This analysis yields a corollary result that common-sense rules of thumb for ranking the importance or criticality of individual system components are invalid. Finally, we introduce a definition of operational resilience that follows naturally from this early work on most-vital arcs and maximum-flow problems. BACKGROUND The study of vital arcs is intimately tied to the study of network flow problems, and both have their roots in military operations research. As documented by Schrijver (2002), early work on the maximumflow minimum-cut (max-flow min-cut) theorem for network flows was conducted at the RAND Corporation (e.g., Ford and Fulkerson 1954, Fulkerson and Dantzig 1954, Dantzig and Fulkerson 1955) alongside a study that specifically investigated the carrying capacity of the Soviet railway system to convey military materiel from the Soviet Union to confront North Atlantic Treaty Organization forces (Harris and Ross 1955). Later at RAND, Wollmer (1963) studied rail systems to find the link, which if removed, would reduce the capacity of the network the most. Such a link became known as the most-vital arc. Sometimes There Is No Most-Vital Arc: Assessing and Improving the Operational Resilience of Systems Dr. David L. Alderson, Dr. Gerald G. Brown, and Dr. W. Matthew Carlyle Naval Postgraduate School Dr. Louis Anthony (Tony) Cox, Jr. Cox Associates APPLICATION AREAS: Resilience, Interdiction, Attacker-Defender, Defender-Attacker- Defender, Vulnerability, Operator model, Optimization Military Operations Research, V18 N1 2013, doi / Page 21

2 Wollmer (1964) considers a more general version that we might call the k most-vital arcs problem: given a maximum flow network from which n links are to be removed, which n arcs, if removed, would reduce the maximum flow from source to sink the most and what would be the maximum flow? (Wollmer used n instead of k, but we prefer the latter to avoid confusion with the standard definition of n as the number of nodes in a network flow model.) Wollmer solves this problem by taking the topological dual of the original maximum-flow problem, so that finding the minimum cut is equivalent to finding the shortest path through the dual. A drawback of Wollmer s technique is that it requires the original graph to be planar, meaning that it can be drawn so that no two arcs intersect each other except at nodes. This transformation converts the original maximum-flow problem to a shortest-path formulation where one seeks the k arcs in the dual that when assigned zero length reduce the shortest path the most. This early work spawned a flurry of activity in model extensions for maximum-flow interdiction problems and improvements to the algorithms for solving them. Wollmer (1968) studies a stochastic variation of this problem inwhichthereductionincapacityoneachinterdicted arc is a random variable with known mean and variance, and the overall goal is to identify within specified confidence intervals the k arcs that maximally reduce the expected capacity of the network. Lubore et al. (1971) provide a more efficient algorithm for solving Wollmer s original (1963) problem. McMasters and Mastin (1970) introduce a budgetized version of the problem: given a cost for removing each arc and an overall interdiction budget, find the set of arcs whose removal decreases the maximum flow the most. Ratliff et al. (1975) provide a technique for finding k most-vital arcs that works for both planar and nonplanar networks. Corley and Chang (1974) consider the problem of finding the k most-vital nodes that, if removed, would reduce the maximum flow the most. They show that this can be solved by augmenting the original flow network such that each node is replaced by a pair of nodes connected by a single arc, and then solving for the k most-vital of these augmented arcs. Not surprisingly, the notion of most vital has also been studied from the perspective of shortest path problems. Fulkerson and Harding (1977) show how to use a limited budget for lengthening arcs in order to maximize the shortest path. Golden (1977) solves for the least-cost means of lengthening arcs so as to increase the shortest path in a network above a specified length. Corley and Sha (1982) consider the problem of finding the most-vital arc (and node) within a shortest path problem, where all arc costs are the same. Malik et al. (1989) provide an improved algorithm for solving this problem. Ball et al. (1989) establish the NP-hardness of most-vital-arc (and most-important-arc) problems in a shortest path context. The study of vital arcs has recently continued in the context of network interdiction problems, starting with Wood (1993). An important part of this work has been the connection to two-person zero-sum games (Washburn and Wood 1995), and their application to stochastic network interdiction (Cormican et al. 1998), shortest path problems (Israeli and Wood 2002), and multicommodity network models (Lim and Smith 2007). Most recently, these ideas have been applied to the study of critical infrastructuresystems(e.g.,brownetal.2005,2006), with specific attention toward electric power systems (Salmerón et al. 2004, 2009), facility location problems (e.g., Church and Scaparra 2006, Scaparra and Church 2008), supply chain networks (Snyder et al. 2006), telecommunication systems (Murray et al. 2007), and transportation problems (Alderson et al. 2011). Lunday and Sherali (2012) pose and solve some minmax models depicting interdiction planning to maximize the probability of intercepting a lone evader attempting to traverse a network from some source to some destination. Both overt and covert search efforts are considered, and types of resources, when combined, can return super-additive improvements in search effectiveness. THE 1950S SOVIET RAIL SYSTEM Harris and Ross (1955) model the movement of military materiel from the Soviet Union Page 22 Military Operations Research, V18 N1 2013

3 into Europe as a network flow problem, using vertices to represent geographically distributed railway divisions, and arcs to abstract the aggregate capacity of the rail connections between each pair of adjacent divisions. In this case the minimum cut represents not only the capacity of the network as a whole, but also identifies the arcs whose removal would yield a complete interdiction of network flows. Figure 1 depicts the rail system studied in Harris and Ross. Whereas a maximum-flow problem of this scale was considered large at the time, modern modeling languages and computing power make it the kind of problem that students might solve as a homework assignment. A much more difficult problem to solve, and onethatismorealignedwithmoderninterests, is: which arc or subset of arcs is most vital to the movement of materiel through this network? The operational importance of this question is immediate. An adversary looking to use limited attack resources wants to plan effects-based targeting (e.g., DoD 2002, p. I-5). Or a defender of this system wants to know where to invest limited defensive resources in order to obtain mission assurance, i.e., the ability to maintain throughput capacity even in the presence of limited disruptions. We proceed in support of these objectives. Minimizing Maximum Flow Consider a transportation system operator who is moving some commodity (materiel, fuel, etc.) through a capacitated flow network consisting of a directed graph G ¼ (N, E), where N is a set of nodes, E is a set of undirected edges connecting node pairs (where we assume i, j for all edges (i, j) 2 E), and each edge has two associated directed arcs (i, j) 2 A and (j, i) 2 A, one in each direction, and the combined flows on these two arcs has an upper bound u ij. The Figure 1. The Soviet rail system, circa 1955, as presented by Harris and Ross (1955). Nodes represent organizational units called divisions, and arcs represent the aggregate capacity to move cargo (measured in thousands of tons) between divisions. Military Operations Research, V18 N Page 23

4 operator s objective is to maximize the flow through this network from some distinguished source node s to some other distinguished terminal node t. Suppose that an attacker has the capability to damage a limited number of edges, rendering each arc associated with such a damaged edge useless, and must decide which edges in the network to destroy so that the operator s maximum flow is minimized perhaps to zero. We formulate problem MINMAXFLOW as follows. Index Use i 2 N node (alias j); where n ¼jNj s, t origin (source) node, and destination (terminal) node (i, j) 2 E undirected edge between nodes i and j; where m ¼jEj i, j "(i, j) 2 E (i, j) 2 A arc directed from node i to node j ði; jþ2e5i, j ^ð i; jþ2a ^ðj; iþ2aþ Data [units] u i,j v i,j num_attacks Decision Variables [units] Y i,j X i,j upper bound on total (undirected) flow on edge (i, j) [flow] per-unit penalty cost on damaged arc (i, j) 2 A [cost/flow] maximum number of edges the attacker can destroy [cardinality] defender flow on directed arc (i, j) 2 A [flow] 1 if attacker destroys undirected edge (i, j) 2 E, 0 otherwise [binary] Minimax optimization of flow [dual variables] 8 max Y >< min s:t: X2J >: where Y t;s 2 P 9 ðv i;j Y i;j 1 v j;i Y j;i ÞX i;j ði;jþ2e P Y i;j 2 P >= Y j;i 5 0 "i 2 N [a i ] ðj;iþ2a 0 # Y i;j 1 Y j;i # u i;j "ði; jþ 2E [b i;j ] >; ði;jþ2a ( P ) X i;j # num attacks X 2 J 5 ði;jþ2e X i;j 2f0; 1g "ði; jþ 2E We have added dual variables, a and b, to the balance-of-flow and capacity constraints in the maximum-flow inner problem. These will help us reformulate (and solve) the minmax problem. The (finite) penalty cost v i,j can be chosen to be any number greater than 1; any unit of flow across an attacked edge will contribute one unit of flow to the objective (indirectly via the balance of flow constraints and Y t,s ), but will cost at least that much in terms of penalties paid directly on that arc. If v i,j ¼ 1, then the operator is completely indifferent to sending flow over arcs associated with the interdicted edge, and the resulting problem may therefore have many equivalent optimal solutions. For any value v i,j. 1, he will be penalized for that flow, and therefore will not send any flow across the interdicted arc. Because we typically require that our data be integer, v i,j ¼ 2 is an obvious choice. Thecaseinwhich0, v ij, 1 might be interpreted as fractional losses across a particular arc (perhaps from a leak in a pipe), but, unfortunately, this doesn t work out; the balance of flow constraints still deliver all of the flow to Y t,s, and all that a fractional penalty does is change the objective function without changing the arc flows in the maximum-flow solution. The limitations on the attacker s actions aresimplecardinalityconstraints; however, we can easily adapt these to situations in which some edges are more costly to destroy than others in terms of some resource limiting the attacker, and there could even be multiple constraints on various attacker resources such as manpower, ordnance, delivery capacity, etc. Neither of these poses any conceptual or algorithmic difficulty for solving these problems. If we wish to make an arc (or set of arcs) invulnerable, we just set the penalty cost for each invulnerable arc to v i,j ¼ 0. Then interdiction of the edge associated with that arc has no effect on the operator s flow across the arc, and would be wasted effort for the attacker. By taking the dual of the inner (maximization) problem, we obtain an equivalent mixed integer linear program minimizing flow, denoted DUAL-ILP. Page 24 Military Operations Research, V18 N1 2013

5 X min u i;j b i;j a;b;x ði;jþ2e s:t: a i 2 a j 1 b i;j 1 v i;j X i;j \$ 0 "ði; jþ 2E a j 2 a i 1 b j;i 1 v j;i X i;j \$ 0 "ði; jþ 2E a t 2 a s 1 b t;s \$ 1 X X i;j # num attacks ði;jþ2e a s 5 0 b i;j \$ 0 X i;j 2f0; 1g "ði; jþ 2E "ði; jþ 2E Here we fix a s ¼ 0 as is customary in mincut formulations (see Ahuja et al. 1993): the dual variables a only appear as pairwise differences, and therefore have an extra degree of freedom we can eliminate by fixing any one of them to a constant value. Using a feasible binary attack plan X * from this mixed integer linear program, one can recover the operator s residual flows Y * by solving the operator s maximizing linear program for this fixed X *. (The values of the dual variables do not directly support calculation of the optimal flows; they can, in fact, be noninteger, even though we would expect to be able to interpret them as node and arc labels as they would be in a typical max-flow, min-cut formulation.) The mixed-integer linear program can be embellished by any ILP restrictions on the X variables. Figure 2 presents a cosmetically revised version of the Soviet rail network in Harris and Ross (1955), suitable for use as input to the mixed integer linear program interdiction problem. (We have renumbered some of the nodes, and removed redundant capacity informationonsomearcs). We explore the effect of an increasing number of worst-case attacks on the ability of the operator to move materiel through this system. That is, by solving MINMAXFLOW for num_attacks ¼ 1, 2,.n, wediscoverhowthe system will perform under an increasing number of attacks. Figure 3 presents the results. Figure 2. Network used as input to the network interdiction problem. The set of origin nodes is f1, 2, 3, 5, 10, 15, 16, 17, 26g, and the set of destination nodes is f42, 43, 44, 48, 49, 50g. Edge labels represent capacities (in 1,000s of tons). (This figure displays all data necessary to reproduce the computational experiments reported in this paper.) Military Operations Research, V18 N Page 25

6 Figure 3. Maximum flow through the Soviet rail system after an increasing number of worst-case attacks. The solution of 163,000 tons for zero attacks is exactly the solution to the original maximum-flow problem. It takes seven simultaneous attacks to achieve a complete interdiction of network flow (i.e., a cut). The results in Figure 3 show that an attacker obtains approximately linear returns with each additional attack. This is not good news for the system operator, but it could be worse. Many transport systems are built with minimal redundancy, which, in the extreme case of a spanning tree (e.g., many pipeline systems), means that any single attack can yield a complete interdiction. Table 1 shows the edges associated with each worst-case attack. We observe that the sets of edges for one through five attacks are monotone (or nested, or prioritizable), in the sense that the set of edges for k11 attacks includes all of the edges in the set for k attacks, plus one additional edge. This type of result suggests the use of priority lists as a natural means for organizing a list of potential targets. However, the set of edges associated with num_attacks ¼ 6 does not contain the set for num_attacks ¼ 5. This problem of minimizing the maximum flow is a specific instance of a much broader class of problems involving network (or system) interdiction. Such models have become popular tools for studying the interaction of a strategic attacker and defender. But in the case of our Soviet rail example, this seems like a lot of work for what seems intuitive to anyone who has studied network flows. Identifying the Most-Vital Arc The connection between the maximum flow and the minimum capacity cut is so fundamental that it seems obvious how to identify the bottlenecks, and therefore the most-vital arcs, in a maximum-flow problem. Indeed, the intuitive nature of the problem suggests several appealing rules for identifying them (Ahuja et al. 1993, p. 244): Table 1. Edges associated with worst-case attacks. For one to five attacks, the set of edges is monotone. With seven attacks, we have a complete interdiction of network flow. Attacks Maxflow Attacked Edges (35,40) 2 97 (35,40) (34,39) 3 73 (35,40) (34,39) (37,45) 4 49 (35,40) (34,39) (37,45) (36,41) 5 32 (35,40) (34,39) (37,45) (36,41) (35,39) 6 15 (34,35) (34,39) (26,38) (22,35) (24,36) (23,35) 7 0 (35,39) (34,39) (35,40) (35,41) (36,41) (37,45) (38,46) Page 26 Military Operations Research, V18 N1 2013

7 An arc having the largest capacity is most vital; An arc carrying the largest flow in an optimal solution is most vital; An arc having the largest capacity in a minimum-capacity cut is most vital; or Any most-vital arc is in some minimumcapacity cut. This section shows that none of these intuitive criteria correctly identifies the most-vital arc. Figure 4 illustrates a maximum-flow problem with seven nodes and nine arcs, where the system operator seeks a set of feasible arc flows, y ij, to maximize the total quantity sent from node 1 to node 7 per unit time, while abiding by individual arc capacity limits, u ij, and material balance (inflow ¼ outflow) at all intermediate nodes. For this network, the maximum flow is 20 units, with arc flows as indicatedonthediagram,andtherearetwo minimum-capacity cuts (illustrated by dashed curved lines), each with capacity 20, proving that the flow is optimal. In fact, the most-vital arc is the one from node 1 to node 3, denoted as arc 1-3. If an arc carries zero flow in any optimal solution, then removing that arc will not reduce the maximum volume of flow. But if an arc carries at least some minimum flow in every optimal solution, then its removal will reduce the optimal solution by the amount of that minimum flow. If we let m(a) represent the minimum flow across arc a over all maximum-flow solutions, then an arc a is a most-vital arc if it maximizes m(a) overa. In Figure 1, arc 1-3 has a minimum possible flow of 15 units (and a maximum of 20) over all optimal solutions. Arc 5-7 could also carry as much as 20 units of flow in an optimal solution, but, as illustrated, it could also carry no flow in an optimal solution, and hence cannot be a most-vital arc. This definition of a most-vital arc (maximizing over all optimal solutions the minimum flow over all arcs) is conceptually simple, but computationally complex: We know of no simple rule of thumb that avoids lengthy computations and that can successfully identify which arc(s) satisfy this definition. Determining a most-vital arc (and, more generally, a set of most-vital arcs of any given size) requires solving a maximum-flow interdiction problem like MINMAXFLOW that is of size comparable to the original maximum-flow problem. Although straightforward to formulate, larger instances of this integer linear programming problem can be very difficult to solve. In some cases, it may seem easier or more convenient to use random sampling as an alternate means for selecting vital components of the system. The idea is to specify a probability distribution for the possible combinations of arc failures and then select a large sample of (presumably) representative scenarios, keeping track of the worst ones. There are two potential problems with doing this. First, it is unclear how to choose a good probability distribution. Second, because there are 5 Om m k k Figure 4. Network with a maximum flow of 20 units from node 1 to node 7 and with the two minimum-capacity cuts indicated (dashed curves), illustrating a contradiction for each of several proposed characterizations of a most-vital arc. Notation: The two numbers on each arc are respectively (flow, capacity). Arc 1-3 is the most-vital arc; removing it reduces the maximum flow to five, and removing any other single arc allows at least ten units of flow from 1 to 7 in the resulting network. Arc 5-7 has the largest capacity, arcs 5-6 and 6-7 have the maximum flow, and arcs 3-4, 3-5, and 4-5 are the only arcs in any minimum capacity cut. Military Operations Research, V18 N Page 27

8 ways to have k failed arcs, for k ¼ 1, 2,., m, the number of combinations could be so large that such sampling is ineffective even on fast computers. To explore this idea of sampling a bit further, we plot in Figure 5 the residual maximum flow of the network under a large number of possible disruptions according to the number of damaged edges k. In general, a system with k damaged components will achieve a range of performance values, depending on which components are damaged. For each value of k, we randomly sample (with replacement) 10,000 possible configurations of disrupted edges, where each edge failure is equally likely and independent of the others, and then solve each configuration for the remaining maximum flow. This allows us to compare the distribution of residual maximum-flow values from random sampling with that of the optimal (worst-case) attack. For small k, this random sampling obtains optimal or near-optimal solutions, largely because the random sample is equal in size or larger than the total number of configurations and therefore is nearly performing an exhaustive enumeration of the solution space. However, for larger k, random sampling fails to find anything close to the worst-case attack because of the enormous number of possible attack configurations (e.g., there are more than ways Figure 5. Random attacks on the Soviet Railway, compared with optimal ones. Maximum flow (system performance) degrades with an increasing number of damaged edges. For num_attacks ¼ 1, 2,., 7, we present the worst-case disruption, along with 10,000 randomly generated attacks. Each subfigure shows a histogram of the frequency with which random attacks impact the maximum flow. As the number of possible attack combinations increases, it becomes harder and harder to find the worst-case attack by random sampling. In the main figure, the dashed line connects the worst-case disruptions for this system. (Here the phrase resilience curve really refers to a discrete frontier of points.) Page 28 Military Operations Research, V18 N1 2013

9 of choosing seven attacks) and because, for this network, there are only a small number of optimal or near-optimal attacks. The implications of Figure 5 are striking: we should not expect random sampling of failure scenarios (e.g., via simulation) to reliably answer the question, How bad could it be? Rather, we need to solve explicitly for worstcase disruptions. All this effort to find the absolute worstcase disruption might seem like unnecessary work,wereitnotforthekeyrolethatworstcase disruptions play in assessing the resilience of the system. A Measure of Operational Resilience The notion of resilience has become an important concept in discussions about critical infrastructure. In its 2006 report, the Critical Infrastructure Task Force of the Homeland Security Advisory Council defined resilience as the capability of a system to maintain its functions and structure in the face of internal and external change and to degrade gracefully when it must. The 2007 National Strategy for Homeland Security recognizes that although we cannot prevent all disruptions, deliberate or nondeliberate, we can work to ensure the structural and operational resilience of critical infrastructures and key resources (HSC 2007, p. 27), adding that We must now focus on the resilience of the system as a whole an approach that centers on investments that make the system better able to absorb the impact of an event without losing the capacity to function (HSC 2007, p. 28). There is now a host of competing definitions for resilience that span applications in human and organizational behavior (e.g., Bennis and Heifetz 2003), system safety (e.g., Hollnagel, Woods, and Leveson 2006, and references therein), systems engineering (e.g., Haimes 2009), and control theory (e.g., Vugrin et al. 2010). In the context of maximum-flow problems, (and, more generally, for infrastructure systems), we propose a definition for operational resilience that follows directly from our discussion of most-vital arcs, and we introduce the notion of a resilience curve that defines the response of a system to a range of disruptions. Consider a network in which each edge is operating, but which might be damaged such that some edges are transformed from operating to nonfunctional, and where the performance of the network (here, the maximum-flow volume) is a function of the collective state of its edges. Let c be a vector of length m, each element of which represents the binary state (operating or not) of an edge, such that there is a total of 2 m distinct configurations of the network. For any scenario defined by the vector c we define the magnitude of disruption as c 5 Xm i 5 1 ð1 2 c i Þ; which, for a vector of binary values, is simply the number of failed edges. In general, the performance of the network will degrade with an increasing number of failed edges, but not all edges are equally critical to the maximum flow. What does this mean for operational resilience? We introduce the resilience curve for the system as that which plots worst-case performance as a function of disruption magnitude (see Figure 5). Although these plots might be more properly referred to as resilience frontiers due to their discrete nature, we retain the term resilience curves to maintain a connection to prior work on risk curves (Kaplan and Garrick 1981), and because we will use stylized continuous approximations when the discreteness of the attacker s (or defender s) level of effort is not critical to the discussion. The resilience curve communicates considerable information about the response of the system to worst-case disruptions of increasing magnitude, where magnitude is simply the number of failed edges. One immediately discerns how the maximum flow degrades as additional edges are damaged. Intervals where there is little or no change in maximum flow are called more resilient, and intervals where there is greater change are called less resilient. When used for relative comparison between networks, these resilience curves allow us to draw conclusions about dominating alternatives just as in Kaplan and Garrick (1981). For example, in the simple case where the resilience curve of one system (say, System A) dominates the resilience curve of another (say, Military Operations Research, V18 N Page 29

10 System B), one can make assertions such as, System A is more resilient than System B (Figure 6a). However, when neither curve dominates (Figure 6b), this type of simple assertion is not possible. In this way, we paraphrase the comment about risk by Kaplan and Garrick, namely that [resilience] is a concept bigger than a single number. Resilience curves as defined here show how the performance of a network changes in response to the loss of edges. When the size of disruption is a linear function of the resources (e.g., the number of people, materials, and money) or level of effort (e.g., number of simultaneous attacks) required to cause it, our resilience curves yield a novel interpretation: how will the system respond in the face of increasing disruption? In the case of an intelligent adversary, the resilience curve of the system reflects the attacker s return-on-investment (ROI) showing how system performance degrades with incremental expenditure of attack resources. Such information can be vital for defensive planning purposes, in that investment to raise the resilience curve can effectively deter an adversary looking to use limited resources to disrupt system performance. Our interest in assessing the operational resilience of the system under any disruption suggests that we focus on the worst-case performance of the system with k damaged components. But assessment is only part of the problem: we need to know how to invest limited resources to maximally improve the resilience of the system. We again show that simple intuitive solutions often fall short of the best that we can do. The Problem with Prioritized Lists The Department of Defense and Department of Homeland Security typically prioritize critical infrastructure assets (system components) into tiers to help inform protection decisions (DoD 2002). A prioritized list of system components can be a helpful planning tool for an attacker or defender when budgets are not completely known beforehand, because this defines a simple rule for allocating resources: If we can afford to attack (or defend) k targets, choose the top k components from the list. This greedy (myopic) decision rule is easy to implement and sometimes serves as a reasonable first guess at a solution, but only in special circumstances does it optimize use of resources (e.g., Magazine et al. 1975). Figure 7 illustrates a weakness inherent in creating any prioritized list of targets (or assets or system components) to protect. In this example, the most-vital single arc is not among the best choices if two (or more) arcs are to be removed. More generally, we observe that none of these most-vital sets is prioritizable, in the sense that none of the k most-vital arcs is included in the set of k11 most-vital arcs. Therefore, the concept of identifying a priority list with a most-vital arc followed by a secondmost-vital arc (or set of arcs), etc., is fundamentally flawed, because how vital an arc is depends (nonmonotonically) on how many arcs an attacker can afford to target simultaneously or, more generally, on the attacker s resources available for inflicting damage. If, instead, we seek asetofk arcs whose simultaneous removal most reduces the resulting maximum flow, then Figure 6. (a) System A has greater resilience than System B. (b) Neither System A nor System B can be said to be more resilient. System A is more resilient to a smaller number of attacks, but System B is more resilient to a larger number of attacks. Page 30 Military Operations Research, V18 N1 2013

11 Figure 7. Why prioritized lists don t always work. This network has four different minimum cut sets, each yielding a maximum flow of 25 units. The single most-vital arc is the one with capacity 9; losing it reduces the maximum flow to 16. The two most-vital arcs are the pair having capacity 8 units; losing them reduces the maximum flow to 9. The three most-vital arcs are those with capacity 7, and the four most-vital arcs are those with capacity 6. None of these most-vital sets is nested within another, meaning that there is no single priority list that accurately characterizes the importance of each arc. in general we need to abandon tiers or priority rankings, and, instead, actually solve a maximumflow interdiction problem for each value of k. There is no simple rule of thumb for identifying critical sets of arcs (or, in general, components) without analyzing the system s operation as a whole. Although a well-designed set of priority tiers can sometimes be useful as an approximate guide to how to allocate resources, especially when system performance is not strongly affected by multiway interactions among components or subsets of components, simple rules cannot find useful approximations (Magazine et al. 1975). In the Appendix, we show how to construct, for any integer n, a maximum-flow problem for which the sets of k-most-vital arcs for k ¼ 1,.,n are pairwise disjoint. We then discuss how far from this optimal sequence a prioritized list (which induces a monotone collection of sets of arcs as targets) can be, even if the best prioritized list is found. Finally, we show that determining the best prioritized list is a difficult problem in its own right, even when the optimal sequence is known. Improving Resilience with a Limited Budget Assume that we have the ability to defend a limited number of edges in our network, whereby defending an edge makes it invulnerable to attack. Which edges should we defend, and what does this do to improve the resilience of the system? We can formulate this decision problem as follows. Additional Index [cardinality] d 2 D defense options [few, 2-10] Additional Data [units] v d ij increased cost per unit flow on directed arc (i, j) 2 A if attacked under defense option d 2 D [cost/kton] u d ij capacity of edge (i, j) 2 E under defense option d 2 D [tons] num_defenses maximum number of edges the defender can protect [cardinality] Decision Variables [units] Y d ij Flow of traffic on directed arc (i, j) 2 A under defense option d 2 D [tons] W d ij ¼1 if defense option d chosen for edge (i, j) 2 E, 0 otherwise [binary] Formulation MAXRESILIENCE max W s:t: min max X Y X ði; jþ2a d2d Y d i;j 2 X Y d t;s 2 X ðv d i;j Y d i;j 2 vd j;i Y d j;i ÞX i;j d2d X ðj; iþ2a d2d 0 # Y d i;j 1 Y d j;i # ud i;j Wd i;j X ði;jþ2e ði; jþ2e d2d X i;j # num attacks (D0) Y d j;i 5 0 "i 2 N (D1) "ði; jþ 2E; "d 2 D (D2) (D3) Military Operations Research, V18 N Page 31

12 X i;j 2f0; 1g "ði; jþ 2E (D4) X W d i;j 5 1 "ði; jþ 2E (D5) d2d X ði; jþ2e d2d W d i;j W d i;j # num def enses (D6) 2f0; 1g "ði; jþ 2E; "d 2 D (D7) Discussion The objective function (D0) represents the value of the maximum flow, for a defense option chosen for each edge, an attack plan, and a set of flows in the resulting network. We assume there is a do nothing defense plan, d o 2 D, that grants each edge its original capacity, u d o ij 5 u ij, and unhardened attack penalties, v d o ij 5 v ij,fromthepriormodels.there could be several ways to defend a particular edge, each with a different penalty and capacity, but for simplicity of exposition we assume there are exactly two: one, d 0, which does nothing to reduce the damage of an attack (v d 0 ij 5 2), and one, d 1, which completely nullifies any attack (v d 1 ij 5 0). Constraints (D1) enforce balance of flow at each node. Constraints (D2) limit the total flow on the two directed arcs associated with edge (i, j) 2 E to not exceed the total capacity granted by the defense option chosen for that edge. Constraint (D3) limits the number of edges that can be attacked, and (D4) enforces binary decisions about which edges are attacked. Constraints (D5) force the defender to choose exactly one defensive plan per edge. Constraint (D6) limits the number of edges that can be defended. Of course, as was the case with the attacker cardinality constraint, these could be generalized to include several different types of defender budgets. Stipulations (D7) specify that selecting a defense option for each edge is a binary decision. Formulation MAXRESILIENCE is an example of a defender-attacker-defender (DAD) model (Brown et al. 2006, Alderson et al. 2011). For a given level of defensive effort, represented here as num_defenses, anoptimal solution identifies which edges should be defended (syn. hardened) and by how much this helps mitigate the impact of deliberate attacks. Figure 8 shows the resulting resilience curve when defending num_defenses ¼ 1, 2,., 7 possible edges. We observe that a single defended edge provides little benefit in terms of the residual throughput following a worst-case attack, but it does increase the number of attacks needed for complete interdiction from 7 to 8. A second defense increases this number to 10, and a third defense increases this number to more than 10. However, in many cases these defenses provide only a relatively small increase to the actual maximum flow for a given number of attacks. This chart reveals the ROIs (in each attack scenario) that a defender faces when planning defensive investments. If the benefits of increased flow volume can be stated in the same units as the costs of the defenses (e.g., dollars), then the tradeoffs he faces in each attack scenario can be evaluated in terms of absolute benefits. RELATED WORK There are a number of other techniques in use for assessing criticality of infrastructure components and prioritizing their protection. Risk Scoring Techniques Simple formulas such as Risk ¼ Threat 3 Vulnerability 3 Consequence, orrisk ¼ Frequency 3 Impact, with judgment-based rating scales or scores used to assess the inputs on their righthand sides, are widely applied to assess and compare the importance of individual infrastructure components (e.g., see ASME 2008). Most such rating systems do not account for uncertainties, correlations, or dependencies among the inputs; exploit portfolio effects; help to diversify protective investments against common uncertainties in inputs; or optimize risk reductions for resources spent (Cox 2009). Hence, they are seldom satisfactory for supporting objectively good risk management decisions, although their popularity suggests that they may satisfy other needs, such as an urge to impose simple structures on complex problems. Page 32 Military Operations Research, V18 N1 2013

13 Figure 8. Increases to the resilience curve for the Soviet Railway. Defending edges provides marginal increases to the resilience curve when there are only a small number of attacks, but it serves to increase the number of attacks required for complete system interdiction. Graph Connectivity and Network Science Owing in part to the massive size of modern infrastructure networks and the vast amounts of data now being collected about them, recent efforts in the study of network science (NRC 2006) have focused on the structure and behavior of very large networks in physical, biological, and social systems. Network science measures function in these systems primarily in terms of graph connectivity statistics (Newman 2003). In this context, vital arcs are those that contribute most to these graph theoretic measures, such as the average path length between every pair of nodes or the size of the largest connected component (e.g., Albert et al. 2000; Holme et al. 2002). A drawback of this is that when applied to real systems (e.g., Albert et al. 2004; Schneider et al. 2011), these simple measures of connectivity often fail to capture the most salient features of network function (e.g., Doyle et al. 2005, Hines et al. 2010), making them of limited value to operators of real network-centric infrastructure systems (Alderson 2008, Alderson and Doyle 2010). CONCLUSION No simple rule(s) of thumb can identify the most-critical system components when the components work together to deliver system capacity, such as throughput. Rather, the criticality of components depends on which sets are damagedordestroyedbyanattack(or by reliability failures, natural disasters, and other nonadversarial hazards). The maximum-flow problem is an example of a simple, even primitive, operator s model that shows how the system responds to losses of sets of arcs (components). Manipulation of such a model can reveal a system s functional capability and remaining vulnerabilities, and can guide measures to identify protective investments that will maximize the resilience of the system as a whole for resources spent. REFERENCES Ahuja, R. K., Magnanti, T. L., and Orlin, J. B Network Flows: Theory, Algorithms, and Applications. Prentice Hall. Albert, R., Albert, I., and Nakarado, G. L Structural Vulnerability of the North Military Operations Research, V18 N Page 33

14 American Power Grid, Physical Review E, Vol 69, Albert, R., Jeong, H., and Barabási, A.-L Attack and Error Tolerance of Complex Networks, Nature, Vol 406, Alderson, D.L Catching the Network Science Bug: Insight and Opportunity for the Operations Researcher, Operations Research, Vol 56, No 5, Alderson, D.L., Brown, G.G., Carlyle, W.M., and Wood, R.K Solving Defender- Attacker-Defender Models for Infrastructure Defense, Operations Research, Computing, and Homeland Defense., R.K.WoodandR.F. Dell,eds.InstituteforOperationsResearch and Management Science (INFORMS), Alderson, D.L., Doyle, J.C Contrasting Views of Complexity and Their Implications for Network-Centric Infrastructures, IEEE Transactions on Systems, Man, and Cybernetics- Part A, Vol 40, No 4, ASME Innovative Technologies Institute. RAMCAP, Risk Analysis and Management for Critical Asset Protection Ball, M.O., Golden, B.,L., and Vohra, R.V Finding the Most Vital Arcs in a Network, Operations Research Letters, Vol8,No2, Bennis, W.G., and Heifetz, R.A Harvard Business Review on Building Personal and Organizational Resilience. Harvard Business Press. Brown, G., Carlyle, W.M., Salmerón, J., and Wood, K Analyzing the Vulnerability of Critical Infrastructure to Attack, and Planning Defenses. Tutorials in Operations Research: Emerging Theory, Methods, and Applications, Greenberg, H., and Smith, J., eds. Institute for Operations Research and Management Science (INFORMS), Brown,G.,Carlyle,M.,Salmerón, J., and Wood, K Defending Critical Infrastructure, Interfaces, Vol 36, No 6, Church R. L., and Scaparra, M. P "Protecting Critical Assets: The r-interdiction Median Problem with Fortification. Geographical Analysis, Vol 39, No 2, Corley, H. W., and Chang, H., Finding the n Most Vital Nodes in a Flow Network, Management Science, Vol 21, No 3, Corley, H. W., and Sha, D. Y Most Vital Links and Nodes in Weighted Networks, Operations Research Letters, Vol 1, No 4, Cormican, K. J., Morton, D. P. and Wood, R. K Stochastic Network Interdiction, Operations Research, Vol 46, No 2, Cox, L. A. Jr What s Wrong with Hazard- Ranking Systems? An Expository Note, Risk Analysis, Vol 29, No 7, Dantzig, G. B., and Fulkerson, D. R On the Max Flow-Min Cut Theorem of Networks. The RAND Corporation, Research Memorandum RM Rev. April 15, Department of Defense. Joint Doctrine for Targeting Joint Publication Washington, DC. Doyle, J. C., Alderson, D. Li, L., Low, S., Roughan, M., Shalunov, S., Tanaka, R., and Willinger, W The Robust Yet Fragile Nature of the Internet, Proceedings of the National Academy of Sciences, Vol 102, No 41, Ford, L. R., and Fulkerson, D. R Maximal Flow through a Network. The RAND Corporation, Research Memorandum RM November 19. Fulkerson, D. R., and Dantzig, G. B Computation of Maximal Flows in Networks. The RAND Corporation Research Memorandum RM November 19. Fulkerson, D. R., and Harding, G. C Maximizing the Minimum Source-Sink Path Subject to a Budget Constraint, Mathematical Programming, Vol 13, No 1, Golden, B A Problem in Network Interdiction, Naval Research Logistics Quarterly, Vol 25, No 4, Haimes, Y. Y On the Definition of Resilience in Systems, Risk Analysis, Vol 29, No 4, Harris, T. E., and Ross, F. S Fundamentals of a Method for Evaluating Rail Net Capacities. Research Memorandum RM-1573, The RAND Corporation. Page 34 Military Operations Research, V18 N1 2013

15 Hines, P., Cotilla-Sanchez, E., and Blumsack, S Do Topological Models Provide Good Information About Electricity Infrastructure Vulnerability? Chaos, Vol20,No3, Hollnagel, E., Woods, D. D., and Leveson, N., eds Resilience Engineering: Concepts and Precepts, Ashgate Press. Holme P., Kim, B. J., Yoon, C. N., and Han, S. K Attack Vulnerability of Complex Networks, Physics Review E, Vol 65, Homeland Security Advisory Council, 2006, Report of the Critical Infrastructure Task Force, U.S. Department of Homeland Security, Washington D.C. Homeland Security Council (HSC) National Strategy for Homeland Security, The White House, Washington, DC. Israeli, E. and Wood, R. K Shortest-Path Network Interdiction, Networks, Vol 40, No 2, Kaplan, S., and Garrick, B. J On the Quantitative Definition of Risk, Risk Analysis, Vol 1, No 1, Lim, C., and Smith, J. C Algorithms for Discrete and Continuous Multicommodity Flow Network Interdiction Problems, IIE Transactions, Vol 39, No 1, Lubore, S. H., Ratliff, H. D., and Sicilia, G. T Determining the Most Vital Link in a Flow Network, Naval Research Logistics Quarterly, Vol 18, No 4, Lunday, B. J., and Sherali, H. D Network Interdiction to Minimize the Maximum Probability of Evasion with Synergy between Applied Resources, Annals of Operations Research, Vol 196, No 1, Magazine, M. J., Nemhauser, G. L., and Trotter Jr., L. E When the Greedy Solution Solves a Class of Knapsack Problems, Operations Research, Vol23,No2, Malik, K., Mittal, A. K., and Gupta, S. K The k Most Vital Arcs in the Shortest Path Problem, Operations Research Letters, Vol 8, No 4, McMasters, A. W., and Mastin, T. M Optimal Interdiction of a Supply Network, Naval Research Logistics Quarterly, Vol 17, No 3, Murray, A. T., Matisziw, T. C., and Grubesic, T. H Critical Network Infrastructure Analysis: Interdiction and System Flow, Journal of Geographical Systems, Vol9,No2, National Research Council (NRC), Committee on Network Science for Future Army Applications Network Science. The National Academies Press. Newman, M. E. J The Structure and Function of Complex Networks, SIAM Rev., Vol 45, Ratliff, D. H, Sicilia, G. T., and Lubore, S. H Finding the n Most Vital Links in Flow Networks, Management Science, Vol 21, No 5, Salmerón, J., Wood, K., and Baldick, R Analysis of Electric Grid Security under Terrorist Threat, IEEE Transactions on Power Systems, Vol 19, No 2, Salmerón, J., Wood, K., and Baldick, R Worst-Case Interdiction Analysis of Large-Scale Electric Power Grids, IEEE Transactions on Power Systems, Vol 24, No 1, Scaparra, M. P., and Church, R. L A Bilevel Mixed-Integer Program for Critical Infrastructure Protection Planning, Computers and Operations Research, Vol 35, No 6, Schneider, C. M, Moreira, A. A., Andrade, J. S., Havlin, S., and Herrmann, H. J Mitigation of Malicious Attacks on Networks, Proceedings of the National Academy of Sciences, Vol 108, No 10, Schrijver, A On the History of the Transportation and Maximum Flow Problems, Mathematical Programming Series B, Vol 91, No 3, Snyder, L. V., Scaparra, M. P., Daskin, M. S., and Church, R. L Planning for Disruptions in Supply Chain Networks, Tutorials in Operations Research: Models, Methods, and Applications for Innovative Decision Making, Johnson, M.P., Norman, B., and Secomandi, N., eds. Institute for Operations Research and Management Science, (INFORMS). Vugrin, E. D., Warren, D. E., Ehlen, M. A., and Camphouse, R. C A Framework for Military Operations Research, V18 N Page 35

16 Assessing the Resilience of Infrastructure and Economic Systems, Sustainable and Resilient Critical Infrastructure Systems: Simulation, Modeling, and Intelligent Engineering, Gopalakrishnan, K., and Peeta, S., eds. Springer-Verlag, Washburn, A., and Wood, K Two-Person Zero Sum Games for Network Interdiction, Operations Research, Vol 43, No 2, Wollmer, R. D Some Methods for Determining the Most Vital Link in a Railway Network. RAND Memorandum, RM ISA. April. Wollmer, R. D Removing Arcs from a Network, Operations Research, Vol 12, No 6, Wollmer, R. D Stochastic Sensitivity Analysis of Maximum Flow and Shortest Route Networks, Management Science, Vol 14, No 9, Wood, R. K Deterministic Network Interdiction, Mathematical and Computer Modelling, Vol 17, No 2, APPENDIX In this appendix we show how to construct, for any number of attacks, a, anexplicit counterexample to the notion that a prioritized list of targets can be sufficient for attack planning, for any number of attacks from 1 to a. For this example, the target system consists of a maximum-flow problem on a directed graph, and the optimal attack consisting of k arcs has no arc in common with the optimal attack containing k# arcs, for any k 6¼ k# from 1 to a. We will use parallel, directed arcs to illustrate this property, but it is straightforward to replicate these results for undirected arcs, and to add extra nodes in eachofthesearcstocreateequivalentexamples that do not contain parallel arcs. As a consequence of this result, any prioritized list of targets for this counterexample can only yield the optimal attack plan for one value of k, and the attack plan it suggests for any other number of attacks (except zero or a)will be provably suboptimal. Given an integer, n, we construct our instance as follows. Define a set N of n nodes, numbered 1 to n. Between nodes k and k 1 1 (for 0, k, n) define n parallel arcs. The first k of these arcs have capacity k, and the remaining n k arcs have capacity k 1 n. Each of the n 1 layers of parallel arcs between two consecutive nodes defined in this way has total capacity k 2 1 (n k)(n 1 k) ¼ n 2, and therefore the maximum flow on this graph is n 2,with flow on every arc at its capacity (i.e., all arcs are saturated). The k-most-vital arcs in this maximum-flow problem are the k largest arcs from layer n k, (each of which has capacity k); if they are removed the remaining n k arcs in that layer each have capacity n k, yielding a resulting optimal flow of size (n k ) 2. This result follows because any set of k arcs taken from any other layer will have less total capacity; layers that have largercapacity arcs will have fewer of those arcs available, and layers with only smaller-capacity arcs don t need to be considered. Any set of k mostvital arcs must come from the same layer (because removing arcs from more than one layer at a time yields a resulting maximum flow that is equivalent to removing fewer total arcs from one of those two layers alone), and choosing arcs from any layer other than n k will yield a higher resulting maximum flow. Figure 9 illustrates the case n ¼ 6, where each layer has capacity 25 ¼ n 2, and the optimal one-, two-, three-, and four-arc interdictions reduce the maximum flow by 9, 16, 21, and 124 units, respectively, yielding optimal resulting flows 16, 9, 4, and 1. Any prioritized list that has a chance of being optimal must only involve arcs from a single layer, say, k, (because if not, then for at least one k# the attack for k# arcs will be no more damaging than the attack with k# 1 arcs). That prioritized list will feature the largest arcs first, followed by the smallest, and will have a linear decrease in capacity of size (n 1 k) units of flow per arc until n k arcs are chosen, at which point Page 36 Military Operations Research, V18 N1 2013

17 Figure 9. Values for optimal (diamonds) and prioritized (squares) interdictions from zero to 6 attacks for an example on n ¼ 6 nodes, where the prioritized list is taken from layer 3. (The three largest arcs in layer 3 have capacity ¼ 9, and the three smaller arcs have capacity 3.) it will be the optimal (n k)-arc interdiction, followed by a linear decrease (by k units of flow per arc) until the capacity is zero. This yields a piecewise linear approximation to the optimal sequence of interdictions, agreeing with the optimalresultonlyatzero,n k, andn interdictions. Figure 9 illustrates the resulting maximumflow capacity for an example with n ¼ 6, for the optimal interdictions of each size and the interdictions resulting from the prioritized list that would be built from layer 3. Because any prioritized list can only agree with the optimal attacks for exactly three numbers of attacks, a prioritized list cannot be optimal for the corresponding counterexample for any n greater than three. Military Operations Research, V18 N Page 37

A Quantitative Decision Support Framework for Optimal Railway Capacity Planning

A Quantitative Decision Support Framework for Optimal Railway Capacity Planning Y.C. Lai, C.P.L. Barkan University of Illinois at Urbana-Champaign, Urbana, USA Abstract Railways around the world are facing

A MULTI-PERIOD INVESTMENT SELECTION MODEL FOR STRATEGIC RAILWAY CAPACITY PLANNING

A MULTI-PERIOD INVESTMENT SELECTION MODEL FOR STRATEGIC RAILWAY Yung-Cheng (Rex) Lai, Assistant Professor, Department of Civil Engineering, National Taiwan University, Rm 313, Civil Engineering Building,

Chapter 10: Network Flow Programming

Chapter 10: Network Flow Programming Linear programming, that amazingly useful technique, is about to resurface: many network problems are actually just special forms of linear programs! This includes,

The Goldberg Rao Algorithm for the Maximum Flow Problem

The Goldberg Rao Algorithm for the Maximum Flow Problem COS 528 class notes October 18, 2006 Scribe: Dávid Papp Main idea: use of the blocking flow paradigm to achieve essentially O(min{m 2/3, n 1/2 }

Uniform Multicommodity Flow through the Complete Graph with Random Edge-capacities

Combinatorics, Probability and Computing (2005) 00, 000 000. c 2005 Cambridge University Press DOI: 10.1017/S0000000000000000 Printed in the United Kingdom Uniform Multicommodity Flow through the Complete

! Solve problem to optimality. ! Solve problem in poly-time. ! Solve arbitrary instances of the problem. !-approximation algorithm.

Approximation Algorithms Chapter Approximation Algorithms Q Suppose I need to solve an NP-hard problem What should I do? A Theory says you're unlikely to find a poly-time algorithm Must sacrifice one of

Fairness in Routing and Load Balancing

Fairness in Routing and Load Balancing Jon Kleinberg Yuval Rabani Éva Tardos Abstract We consider the issue of network routing subject to explicit fairness conditions. The optimization of fairness criteria

Graphs and Network Flows IE411 Lecture 1

Graphs and Network Flows IE411 Lecture 1 Dr. Ted Ralphs IE411 Lecture 1 1 References for Today s Lecture Required reading Sections 17.1, 19.1 References AMO Chapter 1 and Section 2.1 and 2.2 IE411 Lecture

Approximation Algorithms

Approximation Algorithms or: How I Learned to Stop Worrying and Deal with NP-Completeness Ong Jit Sheng, Jonathan (A0073924B) March, 2012 Overview Key Results (I) General techniques: Greedy algorithms

Unraveling versus Unraveling: A Memo on Competitive Equilibriums and Trade in Insurance Markets

Unraveling versus Unraveling: A Memo on Competitive Equilibriums and Trade in Insurance Markets Nathaniel Hendren January, 2014 Abstract Both Akerlof (1970) and Rothschild and Stiglitz (1976) show that

princeton univ. F 13 cos 521: Advanced Algorithm Design Lecture 6: Provable Approximation via Linear Programming Lecturer: Sanjeev Arora

princeton univ. F 13 cos 521: Advanced Algorithm Design Lecture 6: Provable Approximation via Linear Programming Lecturer: Sanjeev Arora Scribe: One of the running themes in this course is the notion of

Approximation Algorithms Chapter Approximation Algorithms Q. Suppose I need to solve an NP-hard problem. What should I do? A. Theory says you're unlikely to find a poly-time algorithm. Must sacrifice one

! Solve problem to optimality. ! Solve problem in poly-time. ! Solve arbitrary instances of the problem. #-approximation algorithm.

Approximation Algorithms 11 Approximation Algorithms Q Suppose I need to solve an NP-hard problem What should I do? A Theory says you're unlikely to find a poly-time algorithm Must sacrifice one of three

Planar Tree Transformation: Results and Counterexample

Planar Tree Transformation: Results and Counterexample Selim G Akl, Kamrul Islam, and Henk Meijer School of Computing, Queen s University Kingston, Ontario, Canada K7L 3N6 Abstract We consider the problem

A Network Flow Approach in Cloud Computing

1 A Network Flow Approach in Cloud Computing Soheil Feizi, Amy Zhang, Muriel Médard RLE at MIT Abstract In this paper, by using network flow principles, we propose algorithms to address various challenges

Max Flow, Min Cut, and Matchings (Solution)

Max Flow, Min Cut, and Matchings (Solution) 1. The figure below shows a flow network on which an s-t flow is shown. The capacity of each edge appears as a label next to the edge, and the numbers in boxes

Game Theory and Poker

Game Theory and Poker Jason Swanson April, 2005 Abstract An extremely simplified version of poker is completely solved from a game theoretic standpoint. The actual properties of the optimal solution are

2.3 Scheduling jobs on identical parallel machines

2.3 Scheduling jobs on identical parallel machines There are jobs to be processed, and there are identical machines (running in parallel) to which each job may be assigned Each job = 1,,, must be processed

Minimize subject to. x S R

Chapter 12 Lagrangian Relaxation This chapter is mostly inspired by Chapter 16 of [1]. In the previous chapters, we have succeeded to find efficient algorithms to solve several important problems such

A Game Theoretical Framework on Intrusion Detection in Heterogeneous Networks Lin Chen, Member, IEEE, and Jean Leneutre

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL 4, NO 2, JUNE 2009 165 A Game Theoretical Framework on Intrusion Detection in Heterogeneous Networks Lin Chen, Member, IEEE, and Jean Leneutre

Department of Industrial Engineering

Department of Industrial Engineering Master of Engineering Program in Industrial Engineering (International Program) M.Eng. (Industrial Engineering) Plan A Option 2: Total credits required: minimum 39

Alok Gupta. Dmitry Zhdanov

RESEARCH ARTICLE GROWTH AND SUSTAINABILITY OF MANAGED SECURITY SERVICES NETWORKS: AN ECONOMIC PERSPECTIVE Alok Gupta Department of Information and Decision Sciences, Carlson School of Management, University

136 CHAPTER 4. INDUCTION, GRAPHS AND TREES

136 TER 4. INDUCTION, GRHS ND TREES 4.3 Graphs In this chapter we introduce a fundamental structural idea of discrete mathematics, that of a graph. Many situations in the applications of discrete mathematics

Introduction to Algorithms Review information for Prelim 1 CS 4820, Spring 2010 Distributed Wednesday, February 24

Introduction to Algorithms Review information for Prelim 1 CS 4820, Spring 2010 Distributed Wednesday, February 24 The final exam will cover seven topics. 1. greedy algorithms 2. divide-and-conquer algorithms

THE PROBLEM WORMS (1) WORMS (2) THE PROBLEM OF WORM PROPAGATION/PREVENTION THE MINIMUM VERTEX COVER PROBLEM

1 THE PROBLEM OF WORM PROPAGATION/PREVENTION I.E. THE MINIMUM VERTEX COVER PROBLEM Prof. Tiziana Calamoneri Network Algorithms A.y. 2014/15 2 THE PROBLEM WORMS (1)! A computer worm is a standalone malware

Chapter 15 Introduction to Linear Programming

Chapter 15 Introduction to Linear Programming An Introduction to Optimization Spring, 2014 Wei-Ta Chu 1 Brief History of Linear Programming The goal of linear programming is to determine the values of

Week 5 Integral Polyhedra

Week 5 Integral Polyhedra We have seen some examples 1 of linear programming formulation that are integral, meaning that every basic feasible solution is an integral vector. This week we develop a theory

Project and Production Management Prof. Arun Kanda Department of Mechanical Engineering Indian Institute of Technology, Delhi

Project and Production Management Prof. Arun Kanda Department of Mechanical Engineering Indian Institute of Technology, Delhi Lecture - 15 Limited Resource Allocation Today we are going to be talking about

Performance of networks containing both MaxNet and SumNet links

Performance of networks containing both MaxNet and SumNet links Lachlan L. H. Andrew and Bartek P. Wydrowski Abstract Both MaxNet and SumNet are distributed congestion control architectures suitable for

PROBLEM SET 7: PIGEON HOLE PRINCIPLE

PROBLEM SET 7: PIGEON HOLE PRINCIPLE The pigeonhole principle is the following observation: Theorem. Suppose that > kn marbles are distributed over n jars, then one jar will contain at least k + marbles.

5.1 Bipartite Matching

CS787: Advanced Algorithms Lecture 5: Applications of Network Flow In the last lecture, we looked at the problem of finding the maximum flow in a graph, and how it can be efficiently solved using the Ford-Fulkerson

A Practical Scheme for Wireless Network Operation

A Practical Scheme for Wireless Network Operation Radhika Gowaikar, Amir F. Dana, Babak Hassibi, Michelle Effros June 21, 2004 Abstract In many problems in wireline networks, it is known that achieving

Chapter 4 DECISION ANALYSIS

ASW/QMB-Ch.04 3/8/01 10:35 AM Page 96 Chapter 4 DECISION ANALYSIS CONTENTS 4.1 PROBLEM FORMULATION Influence Diagrams Payoff Tables Decision Trees 4.2 DECISION MAKING WITHOUT PROBABILITIES Optimistic Approach

Single-Link Failure Detection in All-Optical Networks Using Monitoring Cycles and Paths

Single-Link Failure Detection in All-Optical Networks Using Monitoring Cycles and Paths Satyajeet S. Ahuja, Srinivasan Ramasubramanian, and Marwan Krunz Department of ECE, University of Arizona, Tucson,

Moral Hazard. Itay Goldstein. Wharton School, University of Pennsylvania

Moral Hazard Itay Goldstein Wharton School, University of Pennsylvania 1 Principal-Agent Problem Basic problem in corporate finance: separation of ownership and control: o The owners of the firm are typically

What mathematical optimization can, and cannot, do for biologists. Steven Kelk Department of Knowledge Engineering (DKE) Maastricht University, NL

What mathematical optimization can, and cannot, do for biologists Steven Kelk Department of Knowledge Engineering (DKE) Maastricht University, NL Introduction There is no shortage of literature about the

Flow and Activity Analysis

Facility Location, Layout, and Flow and Activity Analysis Primary activity relationships Organizational relationships» Span of control and reporting hierarchy Flow relationships» Flow of materials, people,

Cost Models for Vehicle Routing Problems. 8850 Stanford Boulevard, Suite 260 R. H. Smith School of Business

0-7695-1435-9/02 \$17.00 (c) 2002 IEEE 1 Cost Models for Vehicle Routing Problems John Sniezek Lawerence Bodin RouteSmart Technologies Decision and Information Technologies 8850 Stanford Boulevard, Suite

This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

IEEE/ACM TRANSACTIONS ON NETWORKING 1 A Greedy Link Scheduler for Wireless Networks With Gaussian Multiple-Access and Broadcast Channels Arun Sridharan, Student Member, IEEE, C Emre Koksal, Member, IEEE,

Scheduling Home Health Care with Separating Benders Cuts in Decision Diagrams

Scheduling Home Health Care with Separating Benders Cuts in Decision Diagrams André Ciré University of Toronto John Hooker Carnegie Mellon University INFORMS 2014 Home Health Care Home health care delivery

6.042/18.062J Mathematics for Computer Science October 3, 2006 Tom Leighton and Ronitt Rubinfeld. Graph Theory III

6.04/8.06J Mathematics for Computer Science October 3, 006 Tom Leighton and Ronitt Rubinfeld Lecture Notes Graph Theory III Draft: please check back in a couple of days for a modified version of these

An Evaluation of Network Survivability When Defense Levels Are Discounted by the Accumulated Experience of Attackers

An Evaluation of Network Survivability When Defense Levels Are Discounted by the Accumulated Experience of Attackers Frank Yeong-Sung Lin National Tatiwan University, Taiwan yslin@im.ntu.edu.tw Pei-Yu

1.204 Final Project Network Analysis of Urban Street Patterns

1.204 Final Project Network Analysis of Urban Street Patterns Michael T. Chang December 21, 2012 1 Introduction In this project, I analyze road networks as a planar graph and use tools from network analysis

MINITAB ASSISTANT WHITE PAPER

MINITAB ASSISTANT WHITE PAPER This paper explains the research conducted by Minitab statisticians to develop the methods and data checks used in the Assistant in Minitab 17 Statistical Software. One-Way

An Exact Algorithm for Steiner Tree Problem on Graphs

International Journal of Computers, Communications & Control Vol. I (2006), No. 1, pp. 41-46 An Exact Algorithm for Steiner Tree Problem on Graphs Milan Stanojević, Mirko Vujošević Abstract: The paper

Topology-based network security

Topology-based network security Tiit Pikma Supervised by Vitaly Skachek Research Seminar in Cryptography University of Tartu, Spring 2013 1 Introduction In both wired and wireless networks, there is the

Cross-Layer Survivability in WDM-Based Networks

Cross-Layer Survivability in WDM-Based Networks Kayi Lee, Member, IEEE, Eytan Modiano, Senior Member, IEEE, Hyang-Won Lee, Member, IEEE, Abstract In layered networks, a single failure at a lower layer

I N S T I T U T E F O R D E FE N S E A N A L Y S E S NSD-5216

I N S T I T U T E F O R D E FE N S E A N A L Y S E S NSD-5216 A Consistent Approach for Security Risk Assessments of Dams and Related Critical Infrastructure J. Darrell Morgeson Jason A. Dechant Yev Kirpichevsky

Investment Analysis using the Portfolio Analysis Machine (PALMA 1 ) Tool by Richard A. Moynihan 21 July 2005

Investment Analysis using the Portfolio Analysis Machine (PALMA 1 ) Tool by Richard A. Moynihan 21 July 2005 Government Investment Analysis Guidance Current Government acquisition guidelines mandate the

Good luck, veel succes!

Final exam Advanced Linear Programming, May 7, 13.00-16.00 Switch off your mobile phone, PDA and any other mobile device and put it far away. No books or other reading materials are allowed. This exam

Outline. NP-completeness. When is a problem easy? When is a problem hard? Today. Euler Circuits

Outline NP-completeness Examples of Easy vs. Hard problems Euler circuit vs. Hamiltonian circuit Shortest Path vs. Longest Path 2-pairs sum vs. general Subset Sum Reducing one problem to another Clique

Compact Representations and Approximations for Compuation in Games

Compact Representations and Approximations for Compuation in Games Kevin Swersky April 23, 2008 Abstract Compact representations have recently been developed as a way of both encoding the strategic interactions

A Review on Zero Day Attack Safety Using Different Scenarios

Available online www.ejaet.com European Journal of Advances in Engineering and Technology, 2015, 2(1): 30-34 Review Article ISSN: 2394-658X A Review on Zero Day Attack Safety Using Different Scenarios

IE 680 Special Topics in Production Systems: Networks, Routing and Logistics*

IE 680 Special Topics in Production Systems: Networks, Routing and Logistics* Rakesh Nagi Department of Industrial Engineering University at Buffalo (SUNY) *Lecture notes from Network Flows by Ahuja, Magnanti

Two General Methods to Reduce Delay and Change of Enumeration Algorithms

ISSN 1346-5597 NII Technical Report Two General Methods to Reduce Delay and Change of Enumeration Algorithms Takeaki Uno NII-2003-004E Apr.2003 Two General Methods to Reduce Delay and Change of Enumeration

JUST-IN-TIME SCHEDULING WITH PERIODIC TIME SLOTS. Received December May 12, 2003; revised February 5, 2004

Scientiae Mathematicae Japonicae Online, Vol. 10, (2004), 431 437 431 JUST-IN-TIME SCHEDULING WITH PERIODIC TIME SLOTS Ondřej Čepeka and Shao Chin Sung b Received December May 12, 2003; revised February

Chapter 1, Operations Research (OR)

Chapter 1, Operations Research (OR) Kent Andersen February 7, 2007 The term Operations Research refers to research on operations. In other words, the study of how to operate something in the best possible

A Mathematical Programming Solution to the Mars Express Memory Dumping Problem

A Mathematical Programming Solution to the Mars Express Memory Dumping Problem Giovanni Righini and Emanuele Tresoldi Dipartimento di Tecnologie dell Informazione Università degli Studi di Milano Via Bramante

Module1. x 1000. y 800.

Module1 1 Welcome to the first module of the course. It is indeed an exciting event to share with you the subject that has lot to offer both from theoretical side and practical aspects. To begin with,

Min-cost flow problems and network simplex algorithm

Min-cost flow problems and network simplex algorithm The particular structure of some LP problems can be sometimes used for the design of solution techniques more efficient than the simplex algorithm.

1 Limiting distribution for a Markov chain

Copyright c 2009 by Karl Sigman Limiting distribution for a Markov chain In these Lecture Notes, we shall study the limiting behavior of Markov chains as time n In particular, under suitable easy-to-check

Why? A central concept in Computer Science. Algorithms are ubiquitous.

Analysis of Algorithms: A Brief Introduction Why? A central concept in Computer Science. Algorithms are ubiquitous. Using the Internet (sending email, transferring files, use of search engines, online

1 Uncertainty and Preferences

In this chapter, we present the theory of consumer preferences on risky outcomes. The theory is then applied to study the demand for insurance. Consider the following story. John wants to mail a package

Chapter 15: Dynamic Programming

Chapter 15: Dynamic Programming Dynamic programming is a general approach to making a sequence of interrelated decisions in an optimum way. While we can describe the general characteristics, the details

Fault Localization Using Passive End-to-End Measurement and Sequential Testing for Wireless Sensor Networks

Fault Localization Using Passive End-to-End Measurement and Sequential Testing for Wireless Sensor Networks Bing Wang, Wei Wei, Wei Zeng Computer Science & Engineering Dept. University of Connecticut,

Social Media Mining. Graph Essentials

Graph Essentials Graph Basics Measures Graph and Essentials Metrics 2 2 Nodes and Edges A network is a graph nodes, actors, or vertices (plural of vertex) Connections, edges or ties Edge Node Measures

A Working Knowledge of Computational Complexity for an Optimizer

A Working Knowledge of Computational Complexity for an Optimizer ORF 363/COS 323 Instructor: Amir Ali Ahmadi TAs: Y. Chen, G. Hall, J. Ye Fall 2014 1 Why computational complexity? What is computational

Compression algorithm for Bayesian network modeling of binary systems

Compression algorithm for Bayesian network modeling of binary systems I. Tien & A. Der Kiureghian University of California, Berkeley ABSTRACT: A Bayesian network (BN) is a useful tool for analyzing the

Introduction to time series analysis

Introduction to time series analysis Margherita Gerolimetto November 3, 2010 1 What is a time series? A time series is a collection of observations ordered following a parameter that for us is time. Examples

Offline sorting buffers on Line

Offline sorting buffers on Line Rohit Khandekar 1 and Vinayaka Pandit 2 1 University of Waterloo, ON, Canada. email: rkhandekar@gmail.com 2 IBM India Research Lab, New Delhi. email: pvinayak@in.ibm.com

Operations and Supply Chain Management Prof. G. Srinivasan Department of Management Studies Indian Institute of Technology, Madras

Operations and Supply Chain Management Prof. G. Srinivasan Department of Management Studies Indian Institute of Technology, Madras Lecture - 36 Location Problems In this lecture, we continue the discussion

CALL CENTER SCHEDULING TECHNOLOGY EVALUATION USING SIMULATION. Sandeep Gulati Scott A. Malcolm

Proceedings of the 2001 Winter Simulation Conference B. A. Peters, J. S. Smith, D. J. Medeiros, and M. W. Rohrer, eds. CALL CENTER SCHEDULING TECHNOLOGY EVALUATION USING SIMULATION Sandeep Gulati Scott

CHAPTER 17. Linear Programming: Simplex Method

CHAPTER 17 Linear Programming: Simplex Method CONTENTS 17.1 AN ALGEBRAIC OVERVIEW OF THE SIMPLEX METHOD Algebraic Properties of the Simplex Method Determining a Basic Solution Basic Feasible Solution 17.2

An Efficient Client Server Assignment for Internet Distributed Systems

1 An Efficient Client Server Assignment for Internet Distributed Systems Swathi Balakrishna, Dr. Ling Ding Computer Science and Systems, University of Washington, Tacoma Abstract Internet is a network

Investigación Operativa. The uniform rule in the division problem

Boletín de Estadística e Investigación Operativa Vol. 27, No. 2, Junio 2011, pp. 102-112 Investigación Operativa The uniform rule in the division problem Gustavo Bergantiños Cid Dept. de Estadística e

Game-Theoretic Analysis of Attack and Defense in Cyber-Physical Network Infrastructures

Proceedings of the Industrial and Systems Engineering Research Conference G. Lim and J.W. Herrmann, eds. Game-Theoretic Analysis of Attack and Defense in Cyber-Physical Network Infrastructures Fei He,

Project and Production Management Prof. Arun Kanda Department of Mechanical Engineering Indian Institute of Technology, Delhi

Project and Production Management Prof. Arun Kanda Department of Mechanical Engineering Indian Institute of Technology, Delhi Lecture - 9 Basic Scheduling with A-O-A Networks Today we are going to be talking

CHAPTER 2. QoS ROUTING AND ITS ROLE IN QOS PARADIGM

CHAPTER 2 QoS ROUTING AND ITS ROLE IN QOS PARADIGM 22 QoS ROUTING AND ITS ROLE IN QOS PARADIGM 2.1 INTRODUCTION As the main emphasis of the present research work is on achieving QoS in routing, hence this

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding

Branch-and-Price Approach to the Vehicle Routing Problem with Time Windows

TECHNISCHE UNIVERSITEIT EINDHOVEN Branch-and-Price Approach to the Vehicle Routing Problem with Time Windows Lloyd A. Fasting May 2014 Supervisors: dr. M. Firat dr.ir. M.A.A. Boon J. van Twist MSc. Contents

CSC2420 Fall 2012: Algorithm Design, Analysis and Theory

CSC2420 Fall 2012: Algorithm Design, Analysis and Theory Allan Borodin November 15, 2012; Lecture 10 1 / 27 Randomized online bipartite matching and the adwords problem. We briefly return to online algorithms

1 Portfolio Selection

COS 5: Theoretical Machine Learning Lecturer: Rob Schapire Lecture # Scribe: Nadia Heninger April 8, 008 Portfolio Selection Last time we discussed our model of the stock market N stocks start on day with

Accurately and Efficiently Measuring Individual Account Credit Risk On Existing Portfolios

Accurately and Efficiently Measuring Individual Account Credit Risk On Existing Portfolios By: Michael Banasiak & By: Daniel Tantum, Ph.D. What Are Statistical Based Behavior Scoring Models And How Are

GRAPH THEORY and APPLICATIONS. Trees

GRAPH THEORY and APPLICATIONS Trees Properties Tree: a connected graph with no cycle (acyclic) Forest: a graph with no cycle Paths are trees. Star: A tree consisting of one vertex adjacent to all the others.

Analysis of Load Frequency Control Performance Assessment Criteria

520 IEEE TRANSACTIONS ON POWER SYSTEMS, VOL. 16, NO. 3, AUGUST 2001 Analysis of Load Frequency Control Performance Assessment Criteria George Gross, Fellow, IEEE and Jeong Woo Lee Abstract This paper presents

Probability and Statistics

CHAPTER 2: RANDOM VARIABLES AND ASSOCIATED FUNCTIONS 2b - 0 Probability and Statistics Kristel Van Steen, PhD 2 Montefiore Institute - Systems and Modeling GIGA - Bioinformatics ULg kristel.vansteen@ulg.ac.be

The Math. P (x) = 5! = 1 2 3 4 5 = 120.

The Math Suppose there are n experiments, and the probability that someone gets the right answer on any given experiment is p. So in the first example above, n = 5 and p = 0.2. Let X be the number of correct

Applied Algorithm Design Lecture 5

Applied Algorithm Design Lecture 5 Pietro Michiardi Eurecom Pietro Michiardi (Eurecom) Applied Algorithm Design Lecture 5 1 / 86 Approximation Algorithms Pietro Michiardi (Eurecom) Applied Algorithm Design

The Taxman Game. Robert K. Moniot September 5, 2003

The Taxman Game Robert K. Moniot September 5, 2003 1 Introduction Want to know how to beat the taxman? Legally, that is? Read on, and we will explore this cute little mathematical game. The taxman game

STOCHASTIC SERVICE NETWORK DESIGN: THE IMPORTANCE OF TAKING UNCERTAINTY INTO ACCOUNT

Advanced OR and AI Methods in Transportation STOCHASTIC SERVICE NETWORK DESIGN: THE IMPORTANCE OF TAKING UNCERTAINTY INTO ACCOUNT Arnt-Gunnar LIUM, Stein W. WALLACE, Teodor Gabriel CRAINIC Abstract. The

Curriculum Map Statistics and Probability Honors (348) Saugus High School Saugus Public Schools 2009-2010

Curriculum Map Statistics and Probability Honors (348) Saugus High School Saugus Public Schools 2009-2010 Week 1 Week 2 14.0 Students organize and describe distributions of data by using a number of different

Adaptive Tolerance Algorithm for Distributed Top-K Monitoring with Bandwidth Constraints

Adaptive Tolerance Algorithm for Distributed Top-K Monitoring with Bandwidth Constraints Michael Bauer, Srinivasan Ravichandran University of Wisconsin-Madison Department of Computer Sciences {bauer, srini}@cs.wisc.edu

Key words. multi-objective optimization, approximate Pareto set, bi-objective shortest path

SMALL APPROXIMATE PARETO SETS FOR BI OBJECTIVE SHORTEST PATHS AND OTHER PROBLEMS ILIAS DIAKONIKOLAS AND MIHALIS YANNAKAKIS Abstract. We investigate the problem of computing a minimum set of solutions that

6 Scalar, Stochastic, Discrete Dynamic Systems

47 6 Scalar, Stochastic, Discrete Dynamic Systems Consider modeling a population of sand-hill cranes in year n by the first-order, deterministic recurrence equation y(n + 1) = Ry(n) where R = 1 + r = 1

max cx s.t. Ax c where the matrix A, cost vector c and right hand side b are given and x is a vector of variables. For this example we have x

Linear Programming Linear programming refers to problems stated as maximization or minimization of a linear function subject to constraints that are linear equalities and inequalities. Although the study