How Bad are Selfish Investments in Network Security?

1 How Bad are Selfsh Investments n Networ Securty? Lbn Jang, Venat Anantharam and Jean Walrand EECS Department, Unversty of Calforna, Bereley {ljang,ananth,wlr}@eecs.bereley.edu Abstract Internet securty does not only depend on the securty-related nvestments of ndvdual users, but also on how these users affect each other. In a non-cooperatve envronment, each user chooses a level of nvestment to mnmze hs own securty rs plus the cost of nvestment. Not surprsngly, ths selfsh behavor often results n undesrable securty degradaton of the overall system. In ths paper, (1) we frst characterze the prce of anarchy (POA) of networ securty under two models: an Effectve-nvestment model, and a Bad-traffc model. We gve nsght on how the POA depends on the networ topology, ndvdual users cost functons, and ther mutual nfluence. We also ntroduce the concept of weghted POA to bound the regon of all feasble payoffs. (2) In a repeated game, on the other hand, users have more ncentve to cooperate for ther long term nterests. We consder the socally best outcome that can be supported by the repeated game, and gve a rato between ths outcome and the socal optmum. (3) Next, we compare the benefts of mprovng securty technology or mprovng ncentves, and show that mprovng technology alone may not offset the effcency loss due to the lac of ncentves. (4) Fnally, we characterze the performance of correlated equlbrum (CE) n the securty game. Although the paper focuses on Internet securty, many results are generally applcable to games wth postve externaltes. Index Terms Internet securty, game theory, prce of anarchy, repeated game, correlated equlbrum, postve externalty I. INTRODUCTION Securty n a communcaton networ depends not only on the securty nvestment made by ndvdual users, but also on the nterdependency among them. If a careless user puts n lttle effort n protectng hs computer system, then t s easy for vruses to nfect ths computer and through t contnue to nfect others. On the contrary, f a user nvests more to protect hmself, then other users wll also beneft snce the chance of contagous nfecton s reduced. Defne each user s strategy as hs nvestment level, then each user s nvestment has a postve externalty on other users. Users n the Internet are heterogeneous. They have dfferent valuatons of securty and dfferent unt cost of nvestment. For example, government and commercal webstes usually prortze ther securty, snce securty breaches would lead to large fnancal losses or other consequences. They are also more wllng and effcent n mplementng securty measures. On the other hand, an ordnary computer user may care less about securty, and also may be less effcent n mprovng t due to the lac of awareness and expertse. There are many Ths wor s supported by the Natonal Scence Foundaton under Grant NeTS-FIND 0627161: Maret Enablng Networ Archtecture other users lyng between these two categores. If users are selfsh, some of them may choose to nvest more, whereas others may choose to free rde, that s, gven that the securty level s already good thans to the nvestment of others, such users mae no nvestment to save cost. However, f every user tends to rely on others, the resultng outcome may be far worse for all users. Ths s the free rdng problem n game theory as studed n, for example, [1]. Besdes user preferences, the networ topology, whch descrbes the (logcal) nterdependent relatonshp among dfferent users, s also mportant. For example, assume that n a local networ, user A drectly connected to the Internet. All other users are connected to A and exchange a large amount of traffc wth A. Intutvely, the securty level of A s partcularly mportant for the local networ snce A has the largest nfluence on other users. If A has a low valuaton of hs own securty, then t wll nvest lttle and the whole networ suffers. How the networ topology affects the effcency of selfsh nvestment n networ securty wll be one of our focuses. In ths paper, we study how networ topology, users preference and ther mutual nfluence affect networ securty n a non-cooperatve settng. In a one-shot game (.e., strategcform game), we derve the Prce of Anarchy (POA) [2] as a functon of the above factors. Here, POA s defned as the worst-case rato between the socal cost at a Nash Equlbrum (NE) and Socal Optmum (SO). Furthermore, we ntroduce the concept of Weghted-POA to bound the regons of all possble vectors of payoffs. In a repeated game, users have more ncentve to cooperate for ther long-term nterest. We study the socally best equlbrum n the repeated game, and compare t to the Socal Optmum. Next, we compare the benefts of mprovng securty technology or mprovng ncentves, and show that mprovng technology alone may not offset the effcency loss due to the lac of ncentves. Fnally, we consder the performance of correlated equlbrum (CE) (a more general noton than NE) n the securty game and characterze the best and worst CE s. Interestngly, some performance bounds of CE concde wth the POA of NE. A. Related Wors Varan studed the networ securty problem usng game theory n [1]. There, the effort of each user (or player) s assumed to be equally mportant to all other users, and the

2 networ topology s not taen nto account. Also, [1] s not focused on the effcency analyss (.e., POA). Prce of Anarchy (POA) [2], measurng the performance of the worst-case equlbrum compared to the Socal Optmum, has been studed n varous games n recent years, most of them wth negatve externalty. Roughgarden et al. shows that the POA s generally unbounded n the selfsh routng game [3], [4], where each user chooses some ln(s) to send hs traffc n order to mnmze hs congeston delay. Ozdaglar et al. derved the POA n a prce competton game n [5] and [6], where a number of networ servce provders choose ther prces to attract users and maxmze ther own revenues. In [7], Johar et al. studed the resource allocaton game, where each user bds for the resource to maxmze hs payoff, and showed that the POA s 3/4 assumng concave utlty functons. In all the above games, there s negatve externalty among the players: for example n the selfsh routng game, f a user sends hs traffc through a ln, other users sharng that ln wll suffer larger delays. On the contrary, n the networ securty game we study here, f a user ncreases hs nvestment, the securty level of other users wll mprove. In ths sense, t falls nto the category of games wth postve externaltes. Therefore, many results n ths paper may be applcable to other smlar scenaros. For example, assume that a number of servce provders (SP) buld networs whch are nterconnected. If a SP nvests to upgrade her own networ, the performance of the whole networ mproves and may brng more revenue to all SP s. In [8], Aspnes et al. formulated an noculaton game and studed ts POA. There, each player n the networ decdes whether to nstall ant-vrus software to avod nfecton. Dfferent from our wor, [8] has assumed bnary decsons and the same cost functon for all players. II. PRICE OF ANARCHY (POA) IN THE STRATEGIC-FORM GAME Assume there are n players. The securty nvestment (or effort, we use them nterchangeably) of player s x 0. Ths ncludes both money (e.g., for purchasng antvrus software) and tme/energy (e.g., for system scannng, patchng). So ths s not a one-tme nvestment. The cost per unt of nvestment s c > 0. Denote f (x) as player s securty rs : the loss due to attacs or vrus nfectons from the networ, where x s the vector of nvestments by all players. f (x) s decreasng n each x j (thus reflectng postve externalty) and non-negatve. We assume that t s convex and dfferentable, and that f (x = 0) > 0 s fnte. Then the cost functon of player s g (x) := f (x) + c x (1) Note that the functon f ( ) s generally dfferent for dfferent players. In a Nash game, player chooses hs nvestment x 0 to mnmze g (x). Frst, we prove n Appendx A1 that Proposton 1: There exsts some pure-strategy Nash Equlbrum (NE) n ths game. In ths paper we consder pure-strategy NE. Denote x as the vector of nvestments at some NE, and x as the vector of nvestments at Socal Optmum (SO). Also denote the unt cost vector c = (c 1,c 2,...,c n ) T. We am to fnd the POA, Q, whch upper-bounds ρ( x), where ρ( x) := G( x) G = g ( x) g (x ) s the rato between the socal cost at the NE x and at the socal optmum. For convenence, sometmes we smply wrte ρ( x) as ρ f there s no confuson. Before gettng to the dervaton, we llustrate the POA n a smple example. Assume there are 2 players, wth ther nvestments denoted as x 1 0 and x 2 0. The cost functon s g (x) = f(y) + x, = 1,2, where f(y) s the securty rs of both players, and y = x 1 + x 2 s the total nvestment. Assume that f(y) s non-negatve, decreasng, convex, and satsfes f(y) 0 when y. The socal cost s G(x) = g 1 (x) + g 2 (x) = 2 f(y) + y. Fg. 1. 2.5 2 1.5 1 0.5 0 f (y) A NE ȳ 2*f (y) C B SO y D POA n a smple example y = x 1 + x 2 At a NE x, g( x) = f ( x 1 + x 2 ) + 1 = 0, = 1,2. Denote ȳ = x 1 + x 2, then f (ȳ) = 1. Ths s shown n Fg 1. Then, the socal cost Ḡ = 2 f(ȳ) + ȳ. Note that ȳ ( f (z))dz = f(ȳ) f( ) = f(ȳ) (snce f(y) 0 as y ), therefore n Fg 1, 2 f(ȳ) s the area B + C + D, and Ḡ s equal to the area of A + (B + C + D). At SO (Socal Optmum), on the other hand, the total nvestment y satsfes 2f (y ) = 1. Usng a smlar argument as before, G = 2f(y )+y s equal to the area of (A+B)+D. Then, the rato Ḡ/G = [A+(B+C+D)]/[(A+B)+D] (B + C)/B 2. We wll show later that ths upper bound s tght. So the POA s 2. Now we analyze the POA wth the general cost functon (1). In some sense, t s a generalzaton of the above example. Lemma 1: For any NE x, ρ( x) satsfes ρ( x) max{1,max {( f ( x) f ( x) x )/c }} (2) Note that ( x ) s the margnal beneft to the securty of all users by ncreasng x at the NE; whereas c s the margnal cost of ncreasng x. The second term n the RHS (rght-hand-sde) of (2) s the maxmal rato between these two.

3 Proof: At NE, { f( x) = c f x > 0 f ( x) c f x = 0 By defnton, ρ( x) = G( x) G = f ( x) + c T x f (x ) + c T x Snce f ( ) s convex for all. Then f ( x) f (x )+( x x ) T f ( x). So ρ ( x x ) T f ( x) + c T x + f (x ) f (x ) + c T x = x T f ( x) + x T [c + f ( x)] + f (x ) f (x ) + c T x Note that x T [c + f ( x)] = x [c + f ( x) ] There are two possbltes for every player : (a) If x = 0, then x [c + f ( x) ] = 0. (b) If x > 0, then f( x) = c. Snce f ( x) 0 for all, then f ( x) c, so x [c + f ( x) ] 0. As a result, (3) ρ( x) x T f ( x) + f (x ) f (x ) + c T x (4) () If x = 0 for all, then the RHS s 1, so ρ( x) 1. Snce ρ cannot be smaller than 1, we have ρ = 1. () If not all x = 0, then ct x > 0. Note that the RHS of (4) s not less than 1, by the defnton of ρ( x). So, f we subtract f (x ) (non-negatve) from both the numerator and the denomnator, the resultng rato upper-bounds the RHS. That s, ρ( x) x T f ( x) c T x f ( x) max {( f ( x) x )/c } where x s the th element of the vector f ( x). Combnng case () and (), the proof s completed. In the followng, we gve two models of the networ securty game. Each model defnes a concrete form of f ( ). They are formulated to capture the ey parameters of the system whle beng amenable to mathematcal analyss. A. Effectve-nvestment ( EI ) model Generalzng [1], we consder an Effectve-nvestment (EI) model. In ths model, the securty rs of player depends on an effectve nvestment, whch we assume s a lnear combnaton of the nvestments of hmself and other players. Specfcally, let p ( n j=1 α jz j ) be the probablty that player s nfected by a vrus (or suffers an attac), gven the amount of efforts every player puts n. The effort of player j, z j, s weghted by α j, reflectng the mportance of player j to player. Let v be the cost of player f he suffers an attac; and c be the cost per unt of effort by player. Then, the total cost of player s g (z) = v p ( n j=1 α jz j ) + c z. For convenence, we normalze the expresson n the followng way. Let the normalzed effort be x := c z,. Then g (x) = v p ( n α j = v p ( α c c j x j ) + x n j=1 β jx j ) + x j=1 where β j := c α j α c j (so β = 1). We call β j the relatve mportance of player j to player. Defne the functon V (y) = v p ( α c y), where y s a dummy varable. Then g (x) = f (x) + x, where f (x) = V ( n j=1 β jx j ) (5) Assume that p ( ) s decreasng, non-negatve, convex and dfferentable. Then V ( ) also has these propertes. Proposton 2: In the EI model defned above, ρ max {1 + : β }. Furthermore, the bound s tght. Proof: Let x be some NE. Denote h := f ( x). Then the th element of h h V (Èn j=1 βj xj) x = = β V ( n j=1 β j x j ) V (Èn j=1 βj xj) From (3), we have = β V ( n j=1 β j x j ) = V ( n j=1 β j x j ) 1. So h β. Plug ths nto (2), we obtan an upper bound of ρ: ρ max{1,max { h }} Q := max {1 + β } (6) : whch completes the proof. (6) gves some nterestng nsght nto the game. Snce β s player s relatve mportance to player, then 1 + : β = β s player s relatve mportance to the socety. (6) shows that the POA s bounded by the maxmal socal mportance among the players. Interestngly, the bound does not depend on the specfc form of V ( ) as long as t s convex, decreasng and non-negatve. It also provdes a smple way to compute POA under the model. We defne a dependency graph as n Fg. 2, where each vertex stands for a player, and there s a drected edge from to f β > 0. In Fg. 2, player 3 has the hghest socal mportance, and ρ 1 + (0.6 + 0.8 + 0.8) = 3.2. In another specal case, f for each par (,), ether β = 1 or β = 0, then the POA s bounded by the maxmum out-degree of the graph plus 1. If all players are equally mportant to each other,.e., β = 1,,, then ρ n (.e., POA s the number of players). Ths also explans why the POA s 2 n the example consdered n Fg 1. The followng s a worst case scenaro that shows the bound s tght. Assume there are n players, n 2. β = 1,,; and for all, V (y ) = [(1 ǫ)(1 y )] +, where [ ] + means postve part, y = n j=1 β jx j = n j=1 x j, ǫ > 0 but s very small. 1 Gven x = 0, g (x) = [(1 ǫ)(1 x )] + +x = (1 ǫ)+ ǫ x when x 1, so the best response for player s to let 1 Although V (y ) s not dfferentable at y = 1, t can be approxmated by a dfferentable functon arbtrarly closely, such as the result of the example s not affected.

4 2 0.5 0.6 3 0.8 5 1 1 0.8 0.3 Fg. 2. Dependency Graph and the Prce of Anarchy (In ths fgure, ρ 1 + (0.6 + 0.8 + 0.8) = 3.2) x = 0. Therefore, x = 0, s a NE, and the resultng socal cost G( x) = [V (0) + x ] = (1 ǫ)n. Snce the socal cost s G(x) = n [(1 ǫ)(1 x )] + + x, the socal optmum s attaned when x = 1 (snce n(1 ǫ) > 1). Then, G(x ) = 1. Therefore ρ = (1 ǫ)n n when ǫ 0. When ǫ = 0, x = 0, s stll a NE. In that case ρ = n. B. Bad-traffc ( BT ) Model Next, we consder a model whch s based on the amount of bad traffc (e.g., traffc that causes vrus nfecton) from one player to another. Let r be the total rate of traffc from to. How much traffc n r wll do harm to player depends on the nvestments of both and. So denote φ, (x,x ) as the probablty that player s traffc does harm to player. Clearly φ, (, ) s a non-negatve, decreasng functon. We also assume t s convex and dfferentable. Then, the rate at whch player s nfected by the traffc from player s r φ, (x,x ). Let v be player s loss when t s nfected by a vrus, then g (x) = f (x)+x, where the nvestment x has been normalzed such that ts coeffcent (the unt cost) s 1, and f (x) = v r φ, (x,x ) If the frewall of each player s symmetrc (.e., t treats the ncomng and outgong traffc n the same way), then t s reasonable to assume that φ, (x,x ) = φ, (x,x ). v Proposton 3: In the BT model, ρ 1+max r j (,j): j v jr j. The bound s also tght. Proof: Let h := f ( x) for some NE x. Then the j-th element h j = = j We have q j := = f ( x) = j v r j φ j, ( x j, x ) f ( x) j f j( x) = f ( x) 1 4 + f j( x) + v j j v r j φ j,( x j, x ) j v jr j φ j,( x j, x ) j r j φ,j ( x, x j ) j v φ j,( x j, x ) r j v j j r j φ,j( x, xj) v r j max : j v j r j where the 3rd equalty holds because φ,j (x,x j ) = φ j, (x j,x ) by assumpton. From (3), we now that fj( x) 1. So h j = (1 + q j ) f j( x) v r j (1 + max ) : j v j r j Accordng to (2), t follows that v r j ρ max{1,max{ h j }} Q := 1 + max (7) j (,j): j v j r j whch completes the proof. Note that v r j s the damage to player caused by player j f player s nfected by all the traffc sent by j, and v j r j s the damage to player j caused by player f player j s nfected by all the traffc sent by. Therefore, (7) means that the POA s upper-bounded by the maxmum mbalance of the networ. As a specal case, f each par of the networ s balanced,.e., v r j = v j r j,,j, then ρ 2! To show the bound s tght, we can use a smlar example as n secton II-A. Let there be two players, and assume v 1 r 21 = v 1 r 12 = 1; φ 1,2 (x 1,x 2 ) = (1 ǫ)(1 x 1 x 2 ) +. Then t becomes the same as the prevous example when n = 2. Therefore ρ 2 as ǫ 0. And ρ = 2 when ǫ = 0. Note that when the networ becomes larger, the mbalance between a certan par of players becomes less mportant. Thus ρ may be much less than the worst case bound n large networs due to the averagng effect. III. BOUNDING THE PAYOFF REGIONS USING WEIGHTED POA So far, the research on POA n varous games has largely focused on the worst-case rato between the socal cost (or welfare) acheved at the Nash Equlbra and Socal Optmum. Gven one of them, the range of the other s bounded. However, ths s only one-dmensonal nformaton. In any mult-player game, the players payoffs form a vector whch s multdmensonal. Suppose that a NE payoff vector s nown, t would be nterestng to characterze or bound the regon of all feasble vectors of ndvdual payoffs, sometmes even wthout nowng the exact cost functons. Ths regon gves much more nformaton than solely the socal optmum, because t characterzes the tradeoff between effcency and farness among dfferent players. Conversely, gven any feasble payoff vector, t s also nterestng to bound the regon of the possble payoff vectors at all Nash Equlbra. We show that ths can be done by generalzng POA to the concept of Weghted POA, Q w, whch s an upper bound of ρ w ( x), where ρ w ( x) := G w( x) G w = w g ( x) w g (x w) Here, w R n ++ s a weght vector, x s the vector of nvestments at a NE of the orgnal game; whereas x w mnmzes a weghted socal cost G w (x) := w g (x). To obtan Q w, consder a modfed game where the cost functon of player s ĝ (x) := ˆf (x) + ĉ x = w g (x) = w f (x) + w c x

5 Note that n ths game, the NE strateges are the same as the orgnal game: gven any x, player s best response remans the same (snce hs cost functon s only multpled by a constant). So the two games are strategcally equvalent, and thus have the same NE s. As a result, the weghted POA Q w of the orgnal game s exactly the POA n the modfed game (Note the defnton of x w). Applyng (2) to the modfed game, we have ρ w ( x) max{1,max {( = max{1, max {( ˆf ( x) x )/ĉ }} w f ( x) x )/(w c )}}(8) Then, one can easly obtan the weghted POA for the two models n the last secton. Proposton 4: In the EI model, ρ w Q w := max {1 + : w β w } (9) In the BT model, w v r j ρ w Q w := 1 + max (10) (,j): j w j v j r j Snce ρ w ( x) = Gw( x) G =È w g( x) w È w g(x w ) Q w, we have w g (x w) w g ( x)/q w. Notce that x w mnmzes G w (x) = w g (x), so for any feasble x, w g (x) w g (x w) w g ( x)/q w Then we have Proposton 5: Gven any NE payoff vector ḡ, then any feasble payoff vector g must be wthn the regon B := {g w T g w T ḡ/q w, w R n ++} Conversely, gven any feasble payoff vector g, any possble NE payoff vector ḡ s n the regon B := {ḡ w T ḡ w T g Q w, w R n ++} In other words, the Pareto fronter of B lower-bounds the Pareto fronter of the feasble regon of g. (A smlar statement can be sad for B.) As an llustratng example, consder the EI model, where the cost functon of player s n the form of g (x) = V ( n j=1 β jx j )+x. Assume there are two players n the game, and β 11 = β 22 = 1, β 12 = β 21 = 0.2. Also assume that g (x) = (1 2 j=1 β jx ) + +x, for = 1,2. It s easy to verfy that x = 0, = 1,2 s a NE, and g 1 ( x) = g 2 ( x) = 1. One can further fnd that the boundary (Pareto fronter) of the feasble payoff regon n ths example s composed of the two axes and the followng lne segments (the computaton s omtted): { g2 = 5 (g1 1 1.2 ) + 1 1.2 g 1 [0, 5 6 ] g 2 = 0.2 (g 1 1 1.2 ) + 1 1.2 g 1 [0,5] whch s the dashed lne n Fg. 3. By Proposton 5, for every weght vector w, there s a straght lne that lower-bounds the feasble payoff regon. After plottng the lower bounds for many dfferent w s, we obtan a bound for the feasble payoff regon (Fg 3). Note that the bound only depends on the coeffcents β j s, but not the specfc form of V 1 ( ) and V 2 ( ). We see that the feasble regon s ndeed wthn the bound. 2 1.8 1.6 1.4 1.2 g (x,x ) 2 1 2 1 Fg. 3. 0.8 0.6 0.4 0.2 An NE Feasble regon 0 0 0.5 1 1.5 2 g 1 (x 1,x 2 ) Boundng the feasble regon usng weghted POA IV. REPEATED GAME Unle the strategc-form game, n repeated games the players have more ncentves to cooperate for ther long term nterests. In ths secton we consder the performance gan provded by the repeated game of selfsh nvestments n securty. The Fol Theorem [9] provdes a Subgame Perfect Equlbrum (SPE) n a repeated game wth dscounted costs when the dscount factor suffcently close to 1, to support any cost vector that s Pareto-domnated by the reservaton cost vector g. The th element of g, g, s defned as g := mn x 0 g (x) gven that x j = 0, j and we denote x as a mnmzer. g = g (x = x,x = 0) s the mnmal cost achevable by player when other players are punshng hm by mang mnmal nvestments 0. Wthout loss of generalty, we assume that g (x) = f (x)+ x, nstead of g (x) = f (x)+c x n (1). Ths can be done by normalzng the nvestment and re-defnng the functon f (x). For smplcty, we mae some addtonal assumptons n ths secton: 1) f (x) (and g (x)) s strctly convex n x f x = 0. So x s unque. g 2) (0) < 0 for all. So, x > 0. 3) For each player, f (x) s strctly decreasng wth x j for some j. That s, postve externalty exsts. By assumpton 2 and 3, we have g (x) < g (x = x,x = 0) = g,. Therefore g(x) < g s feasble. A Performance Bound of the best SPE Accordng to the Fol Theorem [9], any feasble vector g < g can be supported by a SPE. So the set of SPE s qute large n general. By negotatng wth each other, the players can

6 agree on some SPE. In ths secton, we are nterested n the performance of the socally best SPE that can be supported, that s, the SPE wth the mnmum socal cost (denoted as G E ). Such a SPE s optmal for the socety, provded that t s also ratonal for ndvdual players. We wll compare t to the socal optmum by consderng the performance rato γ = G E /G, where G s the optmal socal cost, and G E = nf x 0 g (x) s.t. g (x) < g, Snce g ( ) s convex by assumpton, due to contnuty, G E = mn x 0 g (x) s.t. g (x) g, (11) (12) where g (x) g s the ratonalty constrant for each player. Denote by x E a soluton of (12). Then g (x E ) = G E. Recall that g (x) = f (x) + x, where the nvestment x has been normalzed such that ts coeffcent (unt cost) s 1. Then, to solve (12), we form a partal Lagrangan L(x,λ ) := g (x) + λ [g (x) g ] = (1 + λ )g (x) λ g and pose the problem max λ 0 mn x 0 L(x,λ ). Let λ be the vector of dual varables when the problem s solved (.e., when the optmal soluton x E s reached). Then dfferentatng L(x,λ ) n terms of x, we have the optmalty condton { (1 + λ )[ f (x E) ] = 1 + λ f x E, > 0 (1 + λ )[ f (x E) (13) ] 1 + λ f x E, = 0 Proposton 6: The performance rato γ s upper-bounded by γ = G E /G max {1 + λ }. (The proof s gven n Appendx A2.) Ths result can be understood as follows: f λ = 0 for all, then all the ncentve-compatblty constrants are not actve at the optmal pont of (12). So, ndvdual ratonalty s not a constranng factor for achevng the socal optmum. In ths case, γ = 1, meanng that the best SPE acheves the socal optmal. But f λ > 0 for some, the ndvdual ratonalty of player prevent the system from achevng socal optmum. Larger λ leads to a poorer performance bound on the best SPE relatve to SO. Proposton 6 gves an upper bound on γ assumng the general cost functon g (x) = f (x) + x. Although t s applcable to the two specfc models ntroduced before, t s not explctly related to the networ parameters. In the followng, we gve an explct bound for the EI model. Proposton 7: In the EI model where g (x) = V ( n j=1 β jx j ) + x, γ s bounded by γ mn{max,j, β β j,q} where Q = max {1 + : β }. The part γ Q s straghtforward: snce the set of SPE ncludes all NE s, the best SPE must be better than the worst NE. The other part s derved from Proposton 6 (ts proof s ncluded n Appendx A3). β Note that the nequalty γ max,j, β j may not gve a tght bound, especally when β j s very small for some j,. But n the followng smple example, t s tght and shows that the best SPE acheves the socal optmum. Assume n players, and β j = 1,,j. Then, the POA n the strategc-form game s ρ Q = n accordng to (6). In the repeated game, β however, the performance rato γ max m,j,m β jm = 1 (.e., socal optmum s acheved). Ths llustrates the performance gan resultng from the repeated game. It should be noted that, however, although repeated games can provde much better performance, they usually requre more communcaton and coordnaton among the players than strategc-form games. V. IMPROVEMENT OF TECHNOLOGY Recall that the general cost functon of player s g (x) = f (x) + x. (14). Now assume that the securty technology has mproved. We would le to study how effectve s technology mprovement compared to the mprovement of ncentves. Assume that the new cost functon of player s g (x) = f (a x) + x,a > 1. (15) Ths means that the effectveness of the nvestment vector x has mproved by a tmes (.e., the rs decreases faster wth x than before). Equvalently, f we defne x = a x, then (15) s g (x) = f (x )+x /a, whch means a decrease of unt cost f we regard x as the nvestment. Proposton 8: Denote by G the optmal socal cost wth cost functons (14), and by G the optmal socal cost wth cost functons (15). Then, G G G /a. That s, the optmal socal cost decreases but cannot decrease more than a tmes. Proof: Frst, for all x, g (x) g (x). Therefore G G. Let the optmal nvestment vector wth the mproved cost functons be x. We have g (a x ) = f (a x )+a x. Also, g ( x ) = f (a x )+ x. Then, a g ( x ) = a f (a x )+a x g (a x ), because f ( ) s non-negatve and a > 1. Therefore, we have a g ( x ) = a G G(a x ) G(x ) = G, snce x mnmzes G(x) = g (x). Ths completes the proof. Here we have seen that the optmal socal cost (after technology mproved a tmes) s at least a fracton of 1/a of the socal optmum before. On the other hand, we have the followng about the POA after technology mprovement. Proposton 9: The POA of the networ securty game wth mproved technology (.e., cost functon (15)) does not change n the EI model and the BT model. (That s, the expressons of POA are the same as those gven n Proposton 2 and 3.) Proof: The POA n the EI model only depends on the values of β j s, whch does not change wth the new cost functons. To see ths, note that g (x) = f (a x) + x = V (a β j x j ) + x. j

7 Defne the functon Ṽ(y) = V (a y),, where y s a dummy varable, then g (x) = Ṽ( j β jx j )+x, where Ṽ( ) s stll convex, decreasng and non-negatve. So the β j values do not change. By Proposton 2, the POA remans the same. In the BT model, defne φ, (x,x ) := φ, (a x,a x ), then φ, (x,x ) s stll non-negatve, decreasng and convex, and φ, (x,x ) = φ, (x,x ). So by Proposton 3, the POA has the same expresson as before. To compare the effect of ncentve mprovement and technology mprovement, consder the followng two optons to mprove the networ securty. 1) Wth the current technology, deploy proper ncentvzng mechansms (.e., stc and carrot ) to acheve the socal optmum. 2) All players upgrade to the new technology, wthout solvng the ncentve problem. Wth opton 1, the resultng socal cost s G. Wth opton 2, the socal cost s G( x NE ), where G( ) = g ( ) s the socal cost functon after technology mprovement, wth g ( ) defned n (15), and x NE s a NE n the new game. Defne ρ( x NE ) := G( x NE )/ G, then the rato between the socal costs wth opton 2 and opton 1 s G( x NE )/G = ρ( x NE ) G /G ρ( x NE )/a where the last step follows from Proposton 8. Also, by Proposton 9, n the EI or BT model, ρ( x NE ) s equal to the POA shown n Prop. 2 and 3 n the worst case. For example, assume the EI model wth β j = 1,,j. Then n the worst case, ρ( x NE ) = n. When the number of players n s large, G( x NE )/G may be much larger than 1. From ths dscusson, we see that the technology mprovement may not offset the negatve effect of the lac of ncentves, and solvng the ncentve problem may be more mportant than merely countng on new technologes. VI. CORRELATED EQUILIBRIUM (CE) Correlated equlbrum (CE) [10] s a more general noton of equlbrum whch ncludes the set of NE. In ths secton we consder the performance bounds of CE. Conceptually, one may thn of a CE as beng mplemented wth the help of a medator [11]. Let µ be a probablty dstrbuton over the strategy profles x. Frst the medator selects a strategy profle x wth probablty µ(x). Then the medator confdentally recommends to each player the component x n ths strategy profle. Each player s free to choose whether to obey the medator s recommendatons. µ s a CE ff t would be a Nash equlbrum for all players to obey the medator s recommendatons. Note that gven a recommended x, player only nows µ(x x ) (.e., the condtonal dstrbuton of other players recommended strateges gven x ). Then n a CE, x should be a best response to the randomzed strateges of other players wth dstrbuton µ(x x ). CE can also be mplemented wth a pre-play meetng of the players [9], where they decde the CE µ they wll play. Later they use a devce whch generates strategy profles x wth the dstrbuton µ and separately tells the th component, x, to player. Interestngly, CE can also arse from smple and natural dynamcs (wthout coordnaton va a medator or a preplay meetng). References [12] and [13] showed that n an nfnte repeated game, f each player observes the hstory of other players actons, and decdes hs acton n each perod based on a regret-mnmzng crteron, then the emprcal frequency of the players actons converge to some CE. In these dynamcs, each player does not need to now other players cost functons, but only ther prevous actons [12][13]. (Specfcally n the networ securty game, observng the actons of hs neghbors s suffcent.) Ths s very natural snce n practce, dfferent players tend to adjust ther nvestments based on ther observaton of others nvestments. For smplcty, n ths paper we focus on CE whose support s on a dscrete set of strategy profles. We call such a CE a dscrete CE. More formally, µ s a dscrete CE ff (1) t s a CE; and (2) the dstrbuton µ only assgns postve probabltes to x S µ, where S µ, the support of the dstrbuton µ, s a dscrete set of strategy profles. That s, S µ = {x R n +, = 1,2,...,M µ }, where x denotes a strategy profle, M µ < s the cardnalty of S µ and x S µ µ(x) = 1. (But the strategy set of each player s stll R +.) Dscrete CE exsts n the securty game snce a pure-strategy NE s clearly a dscrete CE, and pure-strategy NE exsts (Proposton 1). Also, any convex combnaton of multple pure-strategy NE s s a dscrete CE. (An example of dscrete CE whch s not a pure-strategy NE or a convex combnaton of pure-strategy NE s s gven n Appendx A3 of [16], due to the lmt of space.) We frst wrte down the condtons for a dscrete CE wth the general cost functon g (x) = f (x) + x,. (16) If µ s a dscrete CE, then for any x wth a postve margnal probablty (.e., (x, x ) S µ for some x ), x s a best response to the condtonal dstrbuton µ(x x ),.e., x arg mn x R + x [f (x,x )+x ]µ(x x ). (Recall that player can choose hs nvestment from R +.) Snce the objectve functon n the rght-hand-sde s convex and dfferentable n x, the frst-order condton s { f (x,x ) x µ(x x ) + 1 = 0 f x > 0 f (x,x ) (17) x µ(x x ) + 1 0 f x = 0 where f (x,x ) x µ(x x ) can also be smply wrtten as E µ ( f(x,x ) x ). A. How good can a CE get? The frst queston we would le to understand s: does there always exst a CE that acheves the socal optmum (SO) n the securty game? The answer s generally not. If a CE acheves SO, then the CE should have probablty 1 on the set of x that mnmzes the socal cost. For convenence, assume there s a unque x that mnmzes the socal cost. In other words, each tme, the medator chooses x and recommends x to player. If x > 0, then t satsfes f (x ) = 1

8 Snce f (x ) f(x ), we have g(x ) = f(x ) + 1 0. If the nequalty s strct, then player has ncentve to nvest less than x. Therefore n general, CE cannot acheve SO n ths game. But, a CE can be better than all NE s n ths game. Due to the lmt of space, an example s gven n Appendx A3 of [16]. The example s dfferent n nature from that n [10] snce each player can choose hs nvestment from R +. B. The worst-case dscrete CE As mentoned before, CE can result from smple and natural dynamcs n an nfntely repeated game wthout coordnaton. But le NE s, the resultng CE may not be effcent. In ths secton, we consder the POA of dscrete CE, whch s defned as the performance rato of the worst dscrete CE compared to the SO. In the EI model and BT model, we show that the POA of dscrete CE s dentcal to that of pure-strategy NE derved before, although the set of dscrete CE s s larger than the set of pure-strategy NE s n general. Frst, the followng lemma can be vewed as a generalzaton of Lemma 1. Lemma 2: Wth the general cost functon (16), the POA of dscrete CE, denoted as ρ CE, satsfes ρ CE max{max{1,max [E µ( µ C D f (x) x )]}} where C D s the set of dscrete CE s, the dstrbuton µ defnes a dscrete CE, and the expectaton s taen over the dstrbuton µ. Although the dstrbuton µ seems qute complcated, the proof of Lemma 2 (shown n Appendx A4) s smlar to that of Lemma 1. Proposton 10: In the EI model and the BT model, the POA of dscrete CE s the same as the POA of pure-strategy NE. That s, n the EI model, ρ CE max {1 + β }, : and n the BT model, v r j ρ CE (1 + max ). (,j): j v j r j The proof s ncluded n Appendx A5. VII. CONCLUSIONS We have studed the equlbrum performance of the networ securty game. Our model explctly consdered the networ topology, players dfferent cost functons, and ther relatve mportance to each other. We showed that n the strategcform game, the POA can be very large and tends to ncrease wth the networ sze, and the dependency and mbalance among the players. Ths ndcates severe effcency problems n selfsh nvestment. Not surprsngly, the best equlbrum n the repeated games usually gves much better performance, and t s possble to acheve socal optmum f that does not conflct wth ndvdual nterests. Implementng the strateges supportng an SPE n a repeated game, however, needs more communcatons and cooperaton among the players. We have compared the benefts of mprovng securty technology and mprovng ncentves. In partcular, we show that the POA of pure-strategy NE s nvarant wth the mprovement of technology, under the EI model and the BT model. So, mprovng technology alone may not offset the effcency loss due to the lac of ncentves. Fnally, we have studed the performance of correlated equlbrum (CE). We have shown that although CE cannot acheve SO n general, t can be much better than all pure-strategy NE s. In terms of the worst-case bounds, the POA s of dscrete CE are the same as the POA s of pure-strategy NE under the EI model and the BT model. Gven that the POA s large n many scenaros, a natural queston s how to desgn mechansms to mprove the nvestment ncentves for better networ securty. Ths has not been a focus of ths paper, and we would le to study t more n the future. Possble remedes for the problem nclude new protocols, prcng mechansms, regulatons and cyber-nsurance. For example, a conceptually smple scheme wth a regulator s called due care (see, for example, [1]). In ths scheme, each player s requred to nvest no less than x, the nvestment n the socally optmal confguraton. Otherwse, he s punshed accordng to the negatve effect he causes to other players. Although ths scheme can n prncple acheve the socal optmum, t s not easy to mplement n practce. Frstly, the optmal level of nvestment by each user s not easy to now unless a large amount of networ nformaton s collected. Secondly, to enforce the scheme, the regulator needs to montor the players actual nvestments, whch causes prvacy concerns. In the future, we would le to further explore effectve and practcal schemes to mprove the effcency of securty nvestments. REFERENCES [1] H. R. Varan, System Relablty and Free Rdng, Worshop on Economcs and Informaton Securty, 2002. [2] E. Koutsoupas, C. H. Papadmtrou, Worst-case equlbra, Annual Symposum on Theoretcal Aspects of Computer Scence, 1999. [3] T. Roughgarden, É Tardos, How bad s selfsh routng, Journal of the ACM, 2002. [4] T. Roughgarden, The prce of anarchy s ndependent of the networ topology, Proceedngs of the thry-fourth annual ACM symposum on Theory of computng, 2002, pp. 428-437. [5] D. Acemoglu and A. Ozdaglar, Competton and Effcency n Congested Marets, Mathematcs of Operatons Research, 2007. [6] A. Ozdaglar, Prce Competton wth Elastc Traffc, LIDS report, MIT, 2006. [7] R. Johar and J.N. Tstsls, Effcency loss n a networ resource allocaton game, Mathematcs of Operatons Research, 29(3): 407 435, 2004. [8] J. Aspnes, K. Chang, A. Yampolsy, Inoculaton Strateges for Vctms of Vruses and the Sum-of-Squares Partton Problem, Proceedngs of the sxteenth annual ACM-SIAM symposum on Dscrete algorthms, pp. 43-52, 2005. [9] D. Fudenberg, J. Trole, Game Theory, MIT Press, Cambrdge, 1991. [10] R. J. Aumann, Subjectvty and Correlaton n Randomzed strateges, Journal of Mathematcal Economcs, 1:67-96, 1974. [11] R. B. Myerson, Dual Reducton and Elementary Games, Games and Economc Behavor, vol. 21, no. 1-2, pp. 183-202, 1997. [12] D. Foster, R. Vohra, Calbrated Learnng and Correlated Equlbrum, Games and Economc Behavor, 21:40-55, 1997. [13] G. Stoltz, G. Lugos, Learnng Correlated Equlbra n Games wth Compact Sets of Strateges, Games and Economc Behavor, vol. 59, no. 1, pp. 187-208, Aprl 2007. [14] J. B. Rosen, Exstence and Unqueness of Equlbrum Ponts for Concave N-Person Games, Econometrca, 33, 520-534, July 1965.

9 [15] S. Boyd and L. Vandenberghe, Convex Optmzaton, Cambrdge Unversty Press, 2004. [16] L. Jang, V. Anantharam, J. Walrand, How Bad are Selfsh Investments n Networ Securty? Techncal Report, UC Bereley, Dec. 2008. URL: http://www.eecs.bereley.edu/pubs/techrpts/2008/eecs- 2008-183.html A1. Proof of Proposton 1 APPENDIX Consder player s set of best responses, BR (x ), to x 0. Defne x,max := [f (0) + ǫ]/c where ǫ > 0, then due to convexty of f (x) n x, we have f (x = 0,x ) f (x = x,max,x ) x,max ( f (x,max,x ) ) = f (0) + ǫ c ( f (x,max,x ) ). Snce f (x = 0,x ) f (0), and f (x = x,max,x ) 0, t follows that f (0) f (0) + ǫ c ( f (x,max,x ) ) whch means that f(x,max,x ) + c > 0. So, BR (x ) [0,x,max ]. Let x max = max x,max. Consder a modfed game where the strategy set of each player s restrcted to [0,x max ]. Snce the set s compact and convex, and the cost functon s convex, therefore ths s a convex game and has some pure-strategy NE [14], denoted as x. Gven x, x s also a best response n the strategy set [0, ), because the best response cannot be larger than x max as shown above. Therefore, x s also a pure-strategy NE n the orgnal game. A2. Proof of Proposton 6 Consder the followng convex optmzaton problem parametrzed by t = (t 1,t 2,...,t n ), wth optmal value V (t): V (t) = mn x 0 g (x) s.t. g (x) t, (18) When t = g, t s the same as problem (12) that gves the socal cost of the best SPE; when t = g, t gves the same soluton as the Socal Optmum. Accordng to the theory of convex optmzaton ([15], page 250), the value functon V (t) s convex n t. Therefore, V (g) V (g ) V (g)(g g ) Also, V (g) = λ, where λ s the vector of dual varables when the problem wth t = g s solved. So, Then G E = V (g) V (g ) + λ T (g g) = G + λ T (g g) G + λ T g γ = G E G whch completes the proof. 1 + λt g 1 T g max {1 + λ } A3. Proof of Proposton 7 It s useful to frst gve a setch of the proof before gong to the detals. Roughly, the KKT condton [15] (for the best SPE), as n equaton (13), s (1 + λ )[ f (x E) ] = 1 + λ, (except for some corner cases whch wll be taen care of by Lemma 4). Wthout consderng the corner cases, we have the followng by nequalty (19): γ max,j 1 + λ = max 1 + λ j,j max { f (x E ) / f (x E ) },j, (1 + λ )[ f (x E) ] (1 + λ )[ f (x E) ] whch s Proposton 11. Then by pluggng n f ( ) of the EI model, Proposton 7 mmedately follows. Now we begn the detaled proof. As assumed n secton 4, g(x) < g s feasble. Lemma 3: If g(x) < g s feasble, then at the optmal soluton of problem (12), at least one dual varable s 0. That s, 0 such that λ 0 = 0. Proof: Suppose λ > 0,. Then all constrants n (12) are actve. As a result, G E = g. Snce x such that g(x) < g, then for ths x, g (x) < g. x s a feasble pont for (12), so G E g (x) < g, whch contradcts G E = g. From Proposton 6, we need to bound max {1+λ }. Snce 1 + λ 1,, and 1 + λ 0 = 1 (by Lemma 3), t s easy to see that γ max {1 + λ 1 + λ } = max (19),j 1 + λ j Before movng to Proposton 11, we need another observaton: Lemma 4: If for some, (1 + λ )[ f (x E) ] < 1 + λ, then λ = 0. Proof: From (13), t follows that x E, = 0. Snce (1+ λ )[ f (x E) ] < 1 + λ, and every term on the left s nonnegatve, we have (1 + λ )[ f (x E ) ] < 1 + λ That s, f(xe) + 1 = g(xe) > 0. Snce f (x) s convex n x, and x E, = 0, then g (x,x E, ) g (x E,,x E, )+ g (x E ) (x 0) > g (x E ) where we have used the fact that x > 0. Note that g (x,x E, ) g (x,0 ) = g. Therefore, g (x E ) < g So λ = 0. Proposton 11: Wth the general cost functon g (x) = f (x) + x, γ s upper-bounded by γ mn{max { f (x E ) / f (x E ) },Q},j, where Q s the POA derved before for Nash Equlbra n the one-shot game (.e., ρ Q), and x E acheves the optmal socal cost n the set of SPE.

10 Proof: Frst of all, snce any NE s Pareto-domnated by g, the best SPE s at least as good as NE. So γ Q. Consder π,j := 1+λ 1+λ j. (a) If λ = 0, then π,j 1. (b) If λ,λ j > 0, then accordng to Lemma 4, we have (1 + λ )[ f (x E) ] = 1+λ and (1+λ )[ f (x E) ] = 1+λ j. Therefore π,j = (1 + λ )[ f (x E) ] (1 + λ )[ f (x E) ] max{ f (x E ) / f (x E ) } (c) If λ > 0 but λ j = 0, then from Lemma 4, (1 + λ )[ f (x E) ] = 1+λ and (1+λ )[ f (x E) ] 1+λ j. Therefore, π,j (1 + λ )[ f (x E) ] (1 + λ )[ f (x E) ] max{ f (x E ) / f (x E ) } Consderng the cases (a), (b) and (c), and from equaton (19), we have γ max π,j max { f (x E ) / f (x E ) },j,j, whch completes the proof. Proposton 11 apples to any game wth the cost functon g (x) = f (x)+x, where f (x) s non-negatve, decreasng n each x, and satsfes the assumpton (1)-(3) at the begnnng of secton 4. Ths ncludes the EI model and the BT model ntroduced before. It s not easy to fnd an explct form of the upper bound on γ n Proposton 11 for the BT model. However, for the EI model, we have the smple expresson shown n Proposton 7: γ mn{max,j, β β j,q} where Q = max {1 + : β }. Proof: The part γ Q s straghtforward: snce the set of SPE ncludes all NE s, the best SPE must be better than the worst NE. Also, snce f (x E) x = β V ( m β mx E,m ), and f (x E) x j = β j V we have γ max,j, β β j. ( m β mx E,m ), usng Proposton 11, Note that x T [1 + f (x)] = x [1 + have E[x (1+ So, f (x) ]. For every player, for each x wth postve probablty, there are two possbltes: (a) If x = 0, then x [1 + f (x) ] = 0, x; (b) If x > 0, then by (17), E( f(x) x ) = 1. Snce f (x) 0 for all, then E( f (x) x ) 1. Therefore for both (a) and (b), we f (x) ) x ] = x E[1+ f (x) x ] 0. = As a result, E{ [x (1 + E{E[x (1 + f (x) )]} f (x) ) x ]} 0. ρ(µ) E[x T f (x)] + f (x ) f (x ) + 1 T x. (20) Consder two cases: () If x = 0 for all, then the RHS s 1, so ρ(µ) 1. Snce ρ(µ) cannot be smaller than 1, we have ρ(µ) = 1. () If not all x = 0, then 1T x > 0. Note that the RHS of (20) s not less than 1, by the defnton of ρ(µ). So, f we subtract f (x ) (non-negatve) from both the numerator and the denomnator, the resultng rato upper-bounds the RHS. That s, ρ(µ) E[x T f (x)] 1 T x max {E( f ( x) f (x) x )} where x s the th element of the vector f ( x). Combnng cases () and (), we have ρ(µ) max{1,max E( f (x) x )}. Then, ρ CE s upper-bounded by max µ CD ρ(µ). A5. Proof of Proposton 10 A4. Proof of Lemma 2 Proof: The performance rato between the dscrete CE µ(x) and the socal optmal s ρ(µ) := G(µ) G = E[ (f (x) + x )] [f (x ) + x ] where the expectaton (and all other expectatons below) s taen over the dstrbuton µ. Snce f ( ) s convex for all. Then for any x, f (x) f (x ) + (x x ) T f (x). So ρ(µ) E[(x x ) T f (x) + 1 T x] + f (x ) f (x ) + 1 T x = E{ x T f (x) + x T [1 + f (x)]} + f (x ) f (x ) + 1 T x Proof: Snce µ s a dscrete CE, by (17), for any x wth postve probablty, E( f(x) x ) 1. Therefore E( f(x) ) 1. In the EI model, we have Therefore E( f (x) x f (x) ) = E( x = β [ f (x) ]. f (x) β ) β. So, ρ CE max {1 + : β }. In the BT model, smlar to the proof n Proposton 3, t s not dffcult to see that the followng holds for any x: [ : j f (x) ]/[ f j(x) v r j ] max. : j v j r j

11 Then, f (x) v r j (1 + max )[ f j(x) ]. : j v j r j If µ s a dscrete CE, then E( fj(x) ) 1, j. Therefore E( f (x) ρ CE max E( j ) (1 + max : j v r j v jr j ). So, f (x) v r j ) (1 + max ). (,j): j v j r j PLACE PHOTO HERE Lbn Jang receved hs B.Eng. degree n Electronc Engneerng & Informaton Scence from the Unversty of Scence and Technology of Chna n 2003 and the M.Phl. degree n Informaton Engneerng from the Chnese Unversty of Hong Kong n 2005, and s currently worng toward the Ph.D. degree n the Department of Electrcal Engneerng & Computer Scence, Unversty of Calforna, Bereley. Hs research nterest ncludes wreless networs, game theory and networ economcs. PLACE PHOTO HERE Venat Anantharam s on the faculty of the EECS department at UC Bereley. He receved hs B.Tech n Electrcal Engneerng from the Indan Insttute of Technology, 1980, a M.S. n EE from UC Bereley, 1982, a M.A. n Mathematcs, UC Bereley, 1983, a C.Phl n Mathematcs, UC Bereley, 1984 and a Ph.D. n EE, UC Bereley, 1986. He s a corecpent of the 1998 Prze Paper award of the IEEE Informaton Theory Socety and a co-recpent of the 2000 Stephen O. Rce Prze Paper award of the IEEE Communcatons Theory Socety. He s a Fellow of the IEEE. Hs research nterest ncludes nformaton theory, communcatons and game theory. PLACE PHOTO HERE Jean Walrand receved hs Ph.D. n EECS from UC Bereley, where he has been a professor snce 1982. He s the author of An Introducton to Queueng Networs (Prentce Hall, 1988) and of Communcaton Networs: A Frst Course (2nd ed. McGraw- Hll,1998) and co-author of Hgh Performance Communcaton Networs (2nd ed, Morgan Kaufman, 2000). Prof. Walrand s a Fellow of the Belgan Amercan Educaton Foundaton and of the IEEE and a recpent of the Lanchester Prze and of the Stephen O. Rce Prze.