An integrated vulnerability-based detection/interception model for the protection of regional infrastructure from covert attack
Justin T. Yates a , Rajan Batta b , Mark Karwan b September 2009 a
Department of Industrial and Systems Engineering, Texas A&M University, 237D Zachry Engineering Center, College Station, TX USA 77843-3131. (E)
[email protected] (O) 979 845 1506 (F) 979 847 9005 Corresponding author b
Department of Industrial and Systems Engineering, University at Buffalo (State University of New York), 432 Bell Hall, Buffalo, NY USA 14260. (E) {batta, mkarwan}@eng.buffalo.edu
Abstract
The expanse of U.S. transportation systems has helped to facilitate persistent national economic growth, its ease of access and reliability vital to the plethora of users who utilize daily the established infrastructure. Recent events have shown cause for concern, however, as the vulnerability inherent in such transportation systems has been exploited by the calculated attacks of highly motivated individuals and groups who have used these networks to target the connected critical infrastructure and human populations. This paper introduces a modified shortest path network interdiction formulation for the placement on detection sensors within a geographic region of interest in lieu of direct placement (or interdiction) of network arcs to assess regional network vulnerability. An integrated interception team model uses these resource location results to allocate interception units on the network and analyze their effectiveness in responding to generated sensor alarms. The p-Median problem and hypercube spatial queuing model are adapted to locate units and assess interception performance respectively. A demonstrative case analysis is offered for the region of Lancaster – Palmdale, CA.
Keywords: Integer programming, multiple objective programming, transportation, critical infrastructure protection.
1
I. Introduction
The U.S. ground transportation network is a dense, complex and highly heterogeneous connection of interstates, state roads and local roads which enable travel within and through the copious towns, cities, counties and states of the country. As a nation, the demands of daily commerce that necessitate a large degree of fluidity and mobility in ground transportation also leave these networks vulnerable to exploitation. Attackers acting in a covert fashion (i.e. obeying traffic laws and typical traffic patterns) pose significant detection difficulty and may utilize road network connectivity and fluidity to gain proximity to population centers, commercial centers, energy infrastructure, national monuments, or other critical infrastructure and key resources (CIKR) as identified by the Department of Homeland Security (Department of Homeland Security 2009). While it is impractical to completely monitor/protect every mile of the 45,000+ highways and 4 million miles of paved roadway in the U.S., it is possible to mathematically model geographic regions and their contained networks in an effort to assess how allocation of defensive resources may mitigate an attacker’s ability to utilize the network without being detected and intercepted (Schrank and Lomax 2005). Optimization techniques have proved especially useful in modeling and assessing such situations, with attention given to the attacker-defender scenario. Formulations derived from minimum cost flow (Awerbuch and Leighton 1994; Goldberg et al. 1998; Leonelli et al. 2000), discrete fractional programming (Sherali et al. 1997), vehicle routing (Zhang et al. 2005) and network design (Kara and Verter 2004; Jenelius et al. 2006) models have all examined similar problems. Many current methods of representation are variations of the network interdiction model, a static Stackelberg game formulated as a multi-level integer program (Qiao et al. 2007; Bayrak and Bailey 2008). The traditional shortest path network interdiction problem (SPNIP) pits an attacker against a defender in a two-player game. The attacker seeks the shortest path through a network from origin to destination while the defender attempts to maximize this shortest path by using available resources (typically constrained by a budget) to increase the arc parameter (e.g. length, traversal time) at a predetermined cost to the defender (Israeli and Wood 2002). The variant formulations described above are adequate in modeling detection of a potential attack and have been applied in numerous homeland security applications (Brown et al. 2
2006; Lim and Smith 2007). Interception of a potential threat and the performance assessment of an interception team, however, remain largely unconnected to this problem. Instances of combined detection-interception models often suffer from strict limiting assumptions on the allocation/response of interception resources in order to maintain tractability in the interception problem (Wein and Atkinson 2007). This work introduces a unified detection-interception model for the attacker-defender game. A modified shortest path network interdiction problem (SPNIP-M) is set up as a bi-level mixed integer program to model detection within a selected region. Detection occurs as a result of placing sensors within the region. A sensor reduces the arc metric of vulnerability, which measures the probability of non-detection on an arc (i.e. sensors reduce non-detection probabilities). A geographic information system (GIS) is used to manage and modify both regional and network data allowing for significant geographic complexity (e.g. line of sight, elevation, topography, etc.) while removing dependence on the network for resource allocation (traditional network interdiction problems allocate resources to specific arcs of a network. The SPNIP-M model allocates resources within the geographic region and then relates these locations to their network influence). A traditional decomposition approach is used to solve for the optimal defender resource placement and the obtained optimal solution is used as input to the interception model. Interception resources are first allocated, and then evaluated for performance within the region. These resources operate similar to police patrol units and are dispatched from their resting location to a given sensor alarm. Interception allocation uses a demand weighted location (p-Median) objective to place resources (ReVelle and Eislet 2005). Once located, the interception team performance is evaluated using a hypercube queuing model to obtain regional and individual interception unit performance measures, including average regional response time, individual unit workload and fraction of inter-region response times, among others (Larson and Franck 1978). These measures are compared to acceptable performance thresholds in order to determine the minimum acceptable number of interception units required for the region (a comparable example is found in the determination of ambulance location or police unit patrols (Chelst 1978) to maximize coverage while ensuring performance remains under an average regional response time threshold).
3
The next section of this paper introduces pertinent notation and the SPNIP-M formulation. The adopted decomposition approach is detailed with regards to its performance and solution quality. Section 3 introduces the adapted p-Median interception team allocation objective and illustrates its dependence on the SPNIP-M solution. An algorithmic solution approach to this problem is also detailed. Section 4 discusses the hypercube queuing model as it is adapted for this paper. Two additional performance metrics used in interception team evaluation are also presented here. Section 5 gives results from a geographic case study on Lancaster-Palmdale, California, where network and geographic data (including identification of regional CIKR) was obtained from the U.S. Census Bureau in the form of TIGER files (U.S. Census Bureau 2008). The final section concludes this paper and discusses areas of future work pertaining to the model.
2. Formulating and solving SPNIP-M
2.1 Problem formulation
The SPNIP-M is defined over a set of geographic atoms A and a directed graph G = (N, I) where N is the set of network nodes and I the set of directed network arcs. Preprocessing of the network ensures that nodes exist only at arc intersection points (arcs may not be subdivided by intermediate nodes). This condition is necessary for both the sensor allocation and interception evaluation models and does not result in any loss of generality. Detection sensors are allocated to the geographic atoms (herein referred to as atoms) of the region. Atoms represent a discretization of the geographic region of interest. Their locations are known a-priori but are not restricted within the region. Atoms may or may not coincide with network arcs or nodes and at most one sensor may be placed at each atom. Influence of a placed sensor on the network arcs is determined based on certain sensor parameters and maintained in a relational database R as for each a ri a 0
0
A ( ri as
R as = 1 if arc i
I falls within the range of sensor type s at atom a.
i, a ). The set S represents the single available sensor type and the null-coverage case
such that S
{0, 1} . The current SPNIP-M assumes that only one sensor type is available for
allocation. The sensor parameters used to develop the SPNIP-M model are: sensitivity
s
,
4
range/influence
s
, false positive detection rate f s , and cost c s with
0 { s , f s } 1, c s
0,
1, f 0
0
0, and c0
0.
Sensors are modeled to affect vulnerability, a probabilistic measure of an attacker’s ability to traverse a network arc undetected. In the SPNIP-M, arc vulnerability under the influence of t sensors may be calculated as in (1) where ui 01 represents arc i’s initial vulnerability value ( 0 ui 01
i ).
1
t
u ist
u i 01
(1)
s k 1
Sensor range/influence and the dependent R as sets are modeled in a geographic information system (GIS). A static radius is used to assess range in this paper but more complex models which include line-of-sight, elevation, topography, vegetative coverage, etc. may be modeled with the use of a GIS (Ellefsen and Liu 1994). The false positive rate of a sensor indicates the proportion of raised alarms which did not present a true threat. Combined with an arc flow, the false positive rate may be used to determine arc alarm instantiation rates which are used as demand weights for the interception team location and evaluation models (assuming the network is subject to normal daily flow, the majority of raised alarms will be from false positive sensor readings as the volume of true threats is miniscule by comparison). Three decision variables are introduced for the SPNIP-M and the mathematicalprogramming formulation follows.
Variables:
wi = 1 if arc i is used by the attacker, wi = 0 otherwise y as = 1 if sensor type s is allocated to atom a, y as = 0 otherwise
xist = 1 if arc i is covered by t type s sensors, xist = 0 otherwise Formulation: [SPNIP-M] s.t.
z = min max x, y
Kw
q
w
uist
wi xist
(2)
i , s ,t
(3)
5
1 t
xist
ri as y as
xist s
t
a
s
1
c s y as w, x, y
0
i, s, t (4)
a
i
(5)
B
(6)
Binary
The MinMax path vulnerability value is sought in (2) and may be stated generally as
P(undetected passage on arc i) where I m represents the set of
P(undetected passage on path) i Im
arcs in a given path m. Path vulnerability measures the probability of successful/undetected passage across the entire path where the network is composed of predetermined entry points (origins) and targets (destinations) corresponding to network nodes (a super source node connects all regional origins and a super sink node all destinations, allowing the formulation to be written as a shortest path). (3) enforces the selection of a complete path by the attacker (this constraint represents a set of standard conservation of flow constraints for each node of the network, with K representing a node-arc incidence matrix, q = 1 for the super source node, q = -1 for the super sink node and q = 0 for all other nodes. (4) states that, in order for xist
1 , the arc i
must fall within the detection radius of t placed sensors of type s. Due to the binary restriction placed on x, if this is not the case then
1 t
ri as y as
1 and xist
0 by definition.
(5) defines
a
coverage (each arc is either under sensor influence, xi1t
1 , t 1 , or is not covered, xi 01
1)
and (6) allocates a budgetary restriction to the problem. Constraints (4) – (6) arise from the introduction of atoms and the allocation of resources to atoms instead of direct interdiction of arcs. The SPNIP-M solution will yield the attacker path with min-max path vulnerability, the physical allocation of sensors within the system and the influence of the placed sensors on the arcs of the network.
2.2 Obtaining an optimal solution
6
The SPNIP-M formulation may be written as a bi-level integer program where the outer optimization constraint set includes (4) – (6), the inner optimization constraint set includes (3) and both problems share integrality and a competing objective function. Letting aist (2) may be rewritten as min max x,y
log(uist ) ,
aist wi xist . This linearization reduces the inner optimization
w
i , s ,t
problem (which fixes the variable xist ) to a shortest path problem as the only constraints which contain the attacker variable w are the conservation of flow constraints in (4) and as the objective (2) decreases with increases in the number of arcs on a given path. The SPNIP-MB mathematical program follows.
Formulation: [SPNIP-MB] z* = min x, y
s.t.
1 t
xist
aist wi xist ri as y as
t
a
s
0
i, s, t (8)
a
xist s
(7)
i,s,t
1
c s y as
max
i B
aist wi xist
(9) (10) (11)
i , s ,t
Kw w, x, y
q
(12)
Binary
wi and xist fix the attacker and defender solutions for the outer and inner levels respectively. The SPNIP-MB was solved using a special form of Benders Decomposition (Bard 1998). The node-arc incidence matrix K being totally unimodular, it is possible to relax the integrality assumption on w and still guarantee integral solutions (Nemhauser and Wolsey 1999). Implementing Benders, the inner attacker linear program is solved with the current defense allocation xist . The optimal attacker path, W * is then added to the SPNIP-MB constraint set in the form
wi i W*
V and the outer problem objective (7) becomes min V . The outer integer x, y
7
program is then solved and the procedure iterates. Termination occurs when the inner optimal LP solution W * already exists in the outer constraint set. (12) restricts path solutions of the inner problem to simple paths (cycling must reduce the objective value based on (1) and on the vulnerability bounds) and ensures that the path is complete. The existence of a finite number of complete, simple paths guarantees a finite number of iterations (worst-case, the decomposition must add a constraint for each complete, simple path of the network. As the number of such paths is finite, so is the number of necessary iterations. See (Bard 1998) for further discussion). This instantiation of Benders Decomposition has been proven to yield optimal solutions to bi-level problems of similar form to the SPNIP-MB (Brown et al. 2006). Moreover, each complete iteration provides a lower bound on the defender minmax vulnerability objective value.
3. Interception team location
The SPNIP-M solution details the allocation and subsequent network influence of a group of detection sensors within the examined region. Once detected, these threats must be intercepted, examined and either detained or released. Without successful interception and a clear understanding of how the interception team is performing within the region, the most accurate detection methods will be rendered inconsequential. An interception team is located on the network to respond to sensor alarms whose alarm rate is determined by the influencing sensors’ false positive rate and the influenced arcs’ flow rate. Sensor alarms act as calls-to-service in a traditional queuing model and require the dispatch of an interception unit (these are the system servers) to traverse the network and intercept the suspect vehicle. This section discusses the interception team location model and section 4 details the evaluation procedure for interception team performance. Interception units are located on individual arcs of the network and do not patrol the region. An idle (non-busy) interception unit returns to its indicated arc location. The team is assigned arc placements based on a demand-weighted objective value which minimizes the weighted distance traveled for the entire interception team. The demand weight
i
of each arc is
8
given in (13) where
i
represents the arc flow rate (i.e. number of passing persons, trucks, or
packages, per unit time) and all other variables are as previously defined.
i
ri as y as f s
i a
i
(13)
s
In addition to this demand, interception team location is also dependent on the proportion of time that any individual unit is busy. It may not be realistic to assume that the closest interception unit will always be available. (14) shows the p-Median with server unavailability (pSU) location objective function where q represents the predetermined approximate proportion of time an interception unit is responding to a sensor alarm (i.e. busy). d ij is the distance between arc i and arc j and l ik gives the location of the k th preferred interception unit for arc i.
l ik preference values are determined using the network distance between arcs to calculate closest units (the closest unit to the demand arc is preferred first, the second closest preferred second, etc). When q = 0, the pSU reduces to the traditional demand-weighted p-Median objective.
z
min l
i i
d lik i (1 q)q k
1
(14)
k
The p-Median location problem is well studied in optimization literature and many heuristic approaches have been adapted to provide optimal solutions or close approximate solutions quickly (ReVelle and Eislet 2005). In this paper, a genetic algorithm from Erkut, Alp and Drezner was applied to obtain the demand-weighted interception unit locations for the pSU problem (Alp et al. 2003). This approach uses a fixed number of population members and does not implement mutation. Two random members of the population are joined at each iteration to create an infeasible gene whose chromosomes are systematically removed using a greedy metric until the appropriate gene length is reached. If the new gene is distinct, it is added to the population in place of the current lowest performer. If the new gene is not distinct, a new iteration commences. The heuristic terminates after a predetermined number of iterations without a new addition to the population has been reached. In tests, the heuristic exhibits a typical optimality gap between 0 – 2% and performs well even for large cases (Alp et al. 2003). 9
4. Spatial queuing implementation
The previous sections defined a modified shortest path network interdiction problem (SPNIP-M) for allocation of defense detection resources and a demand weighted interception unit location model (pSU) whose demand weights are obtained from the SPNIP-M optimal solution strategy. This section addresses the evaluation of interception team performance via implementation of the hypercube queuing model, a spatial queuing tool which permits evaluation of individual interception unit performance measures (these interception units are the servers of the queuing system) as well as global system performance measures (Larson and Franck 1978). Evaluation is necessary in order to truly assess the interception team and its capability to successfully impede threatening vehicles within the region. The demand-weighted nature of the system suggests representation of the interception task as a queuing process where instantiated alarms are the arrivals to the system, time spent evaluating a potential threat (once intercepted) is the service rate, and the interception team performance is assessed throughout the entire region. Using the demand from the SPNIP-M solution and the interception unit locations as determined by the pSU, the hypercube model is used to determine individual unit work load, average arc response times and global average response time to an alarm. In addition to these measures, an All Arcs (AA) and Path Arcs (PA) statistic is introduced as a means to assess regional interception capabilities of the response team. When the number of interception units is known a-priori (e.g. local law enforcement dedicates a number of its units to intercept alarms), these values provide an overall assessment of the interception team performance. When the number of interception units is unknown (e.g. the county or state creates a separate alarm response department), these values may be used to guide policy makers in determining the minimum number of units necessary to operate within performance thresholds (this approach is similar to the evaluation of emergency response teams such as fire or ambulance, which often require the system to meet or exceed average response time goals).
4.1 Hypercube queuing model
10
The distinction between the hypercube queuing model and other standard queuing methods lies in the definition of the queue states. The states of the hypercube model convey the busy/idle status of each individual interception unit. In the case where three units comprise a regional interception team, the hypercube states {unit 1 busy, unit 2 idle, unit 3 idle}, {unit 1 idle, unit 2 busy, unit 3 idle} and {unit 1 idle, unit 2 idle, unit 3 busy} are distinct and separate whereas the single state {one busy unit} is satisfactory in a traditional model (i.e. M/G/3). This distinction increases the number of states from m in a traditional queuing model (where m is the number of units in the queuing system) to 2 m in the hypercube (Larson and Franck 1978). This exponential growth in the number of states in the system quickly renders the hypercube model intractable (indicated in (Larson and Franck 1978), m is limited to 15). A hypercube approximation alternative is given in (Larson 1975) where the state space is reduced to a system of m equations and the exponential growth effect eliminated. The tradeoff, however, is that accuracy and the breadth of performance measures capable of being derived, is sacrificed (Jarvis 1985). An alternative to either hypercube model would be to develop and run a simulation model for the placed interception team, but this approach suffers from high effort and limited applicability (results would be specific only to the simulated instance). For the remainder of this work, it is assumed that the interception team is a force separate from local law enforcement, set up solely to operate within the region of interest, and responsible only for responding to detection alarms. The hypercube queuing model, even with its computational m 15 limit, will be satisfactory.
4.2 Invoking the hypercube queuing model
Obtained from the SPNIP-M, detection alarms are considered to be independent Poisson arrivals to the queuing system. This results from the demand definition in (13) where vehicular flow is considered as a Poisson rate of arrival to the arc, detection based on the influencing sensor false positive rate, and the defense detection sensors considered to operate independently of one another. It is assumed that the amount of time spent investigating an intercepted vehicle (i.e. service rate ) is the same for all interception units though the hypercube model allows for distinct service rates. Travel time is not reflected in determination of the service rate as time spent investigating the vehicle is significantly larger (Larson and Franck 1978). Alarms that are 11
not successfully intercepted or that arrive when all interception units are busy evaluating possible threats are assumed to be handled by a secondary interception source such as a local law enforcement team. This assumption implies a zero-capacity queue as calls to intercept a potential threat are not saved and answered as units become available. To find the hypercube steady-state transition rate between state s and state t
st
,a
dispatch preference list (the priority order in which interception units are dispatched to alarms such that the highest ranked idle unit is dispatched), arc arrival rates and service rate must first be determined. Dispatch preference is assigned based on proximity, as in the case of l ik in section 3 (ties are broken arbitrarily by selecting the lowest indexed server). Equation (15) is then used to find
(hamming distance identifies the number of servers who change busy/idle status
st
between state s and state t and, when
st
1 , the difference unit indicates the index of the
interception unit changing status). The state transition matrix AS with matrix element a st is subsequently populated as noted.
if st 1 and transition is upward if st 1 and transition if downward 0 otherwise st
a st
12
k 1
[b js hidj ] hik
st i
k
d 1
i
st
(15)
j B(s)
Steady state equations are written as in (16).
[ Ps (a st ) Pt (a st )]
0
s
(16)
t
4.3 Performance evaluation methodology
Individual server workload and the region-wide average travel time are obtained directly from the hypercube queuing model and used in performance evaluation (Larson and Franck 1978). In addition, the AA and PA metrics are introduced in (17) and (18) to further evaluate interception capabilities of the interception team. These metrics rely on the average travel time to arc j (
j
,j
I ) also derived directly from implementation of the hypercube model.
l j length of arc j s j posted speed on arc j average travel time to arc j j 1 if j l j / s j j 0 otherwise I set of arcs under sensor influence P Att set of attacker utilized arcs under sensor influence
(17)
(18)
13
Successful interception of an arc i is assumed to be capable if the average travel time of the interception team to reach arc i is less than the time it would take an attacker to travel the arc length (attackers abide by the posted speed limit of the arc. Interception units are not bound by this limit). The AA case returns the proportion of all arcs influenced by a detection sensor which meet this criterion. The PA case returns the proportion of only path arcs (i.e. those arcs represented in the Benders cuts of the SPNIP-M solution). Higher percentages represent better interception performance and emphasis is placed first on the PA case as these arcs are most likely to be used by the attacker. The next section illustrates how the SPNIP-M, pSU and hypercube queuing model are integrated into one unified approach. The case study region of Lancaster-Palmdale, a subnetwork of Los Angeles County, California, is used as a demonstrative case. 5. Analysis: Lancaster – Palmdale, California
The formulations and methodology presented above were applied to the region of Lancaster-Palmdale, California (LanPalm). Network data was obtained through the U.S. Census Bureau in TIGER file format (U.S. Census Bureau 2008). The network data and relations were managed and modified in ArcGIS 9.1 and all solutions were obtained using CPLEX 9.0 as the optimization tool. In the network, three road types {1, 2, 3} were identified using the census feature class codes (CFCC is a standard classification code for the 2003 TIGER files) and given the following parameters; Posted Speed (mph): {65, 50, 40}, Traffic Flow Rate (trucks per hour): {300, 250, 200} (Proximity 2008). Initial vulnerability ui 01 for i
0.3 ui 01
I was assigned randomly to each arc of the network with
0.7 to represent network heterogeneity, though other initial vulnerability metrics
may be used. The LanPalm network possesses the following properties: | I | = 214, | A | = 743, | N | = 77. The 77 network nodes were divided into sets of origins N O and destinations N D
such that N O
N , ND
N , and N O
ND
. In the LanPalm case study, | N O | = 10.
Table 1 provides the breakdown of target nodes ( n
N D ) under each of four destination levels
(blue, yellow, orange, red) that influence the type of targets considered and Figure 1 illustrates the network origins and destinations at each level. 14
Table 1: Target selection for LanPalm
Figure 1: LanPalm under each threat level
The SPNIP-M was solved at three sensor budget levels (allowing four, six and eight sensors to be placed within the region) and across all four destination levels. In each case, the pSU problem and hypercube queuing model located and evaluated interception teams comprised of three to ten interception units (the pSU objective (14) was assessed with q = 0). Figure 2 gives a visual representation of the experimental structure.
Figure 2: Illustration of run set considering server number
15
Table 2 shows the optimal vulnerability values for the SPNIP-M formulation under each threat and budget combination. Recall that optimality signifies that the attacker may find no path with higher vulnerability and the defender is unable to further reduce path vulnerability by changing sensor allocation under the given constraints. Table 2: Vulnerability values for Lancaster-Palmdale
The only available sensor type considered in this problem possessed the following parameters (recall the parameter definitions of section 2);
1
0.5, f1
4e 5 , and c1
$200.
The SPNIP-MB formulation resulted in an inner (attacker) constraint set of 79 rows and an outer (defender) constraint set of 2568 rows. Network composition (specifically, I ) and the degree of allowable arc coverage (the maximum t index allowed) were the most significant contributors to problem size (in this instance, t = 4). While solution time for each iteration was relatively stable (averaging 1-2 seconds per attacker and defender optimization), more complex (dense) networks may require evaluation of a larger number of attacker paths leading to an increased overall solution time for the SPNIP-M. In the LanPalm network, altering branching and optimization parameters in CPLEX had dramatic effects on total run-time, suggesting that performance of the Benders decomposition may be further improved by exploiting the properties of the outer defender integer program formulation with specialized branching procedures. Figure 3 illustrates the geographic locations of the placed sensors within the LanPalm region under all threat (x axis) and budget (y axis) combinations. The colored path indicates the highest vulnerable path through the network under optimal sensor placement for each case.
16
Figure 3: LanPalm AST-SPP solutions for all threat and budget levels
Budgetary increases allow more sensors to be placed within the region, but the SPNIP-M objective is modeled such that the additional coverage of an arc by multiple sensors has a reduced impact on vulnerability. This effect of diminishing return in overlapping sensor coverage is demonstrated through Table 2 and in Figure 4. In extreme cases, the addition of a sensor to the network has no reductive effect on the vulnerability value. This occurs when the additional sensor is not capable of influencing an arc of the optimal attacker path due to the location of open geographic atoms and the assumption that, at most, one sensor may occupy a geographic atom. As the proximity between geographic atoms becomes smaller (i.e. the atom network becomes denser), this problem becomes less prevalent.
17
Figure 4: LanPalm AST vulnerability as a function of the maximum sensor limit
In addition, budgetary increases tend to instigate sensor clustering (this is apparent in the eight sensor budget case of Figure 3). Sensor clusters present themselves in areas of high attacker arc utilization (areas where the arc(s) influenced by the cluster appear in many of the added Benders cuts). These areas tended to be near network origins, where intuition would suggest the largest possibility to influence the highest number of attacker arcs exists (similar to a trickledown effect. Arcs closer to an origin are likely to be used by the attacker, regardless of the chosen destination). Using similar intuition, detection sensor placement near network origins increases as the destination set expands. An enumerative approach was taken to evaluate resource unit allocation and performance under the found optimal sensor schema. Recalling that the queuing model for the interception team was assumed to have zero queue capacity and that the desired number of interception units to adequately support the region is unknown, the Erlang Loss Function (ELF) is used to provide insight into the minimum number of interception units needed (as in (Kleinrock 1975), the ELF measures the proportion of time the interception team spends with all units busy. Units are located beginning with the first team of 3 - 10 units which meets a predetermined ELF threshold. For this instance, ELF < 0.01). Once this analytical starting point is established, the pSU problem of section 3 with q = 0 is solved. Table 3 is populated in this way.
18
Table 3: pSU objective value results
The values in Table 3 represent the pSU objective value under the stated threat, budget, and response unit parameters. As the destination level increases with respect to a specific budget level, the displacement of sensors within the region generally increases (the pSU objective increases). The same number of response units become responsible for the coverage of a more geographically dispersed destination set (which from previous discussion has been linked to a more disperse detection sensor allocation) and travel distance (one of two components in the demand-weighted pSU objective function) increases (Figure 5). Adding response units enables a more efficient interception strategy and lowers the demand-weighted pSU value but requires the expenditure of additional defense resources (i.e. person-hours, purchase of vehicles, variable operating costs, etc.).
19
Figure 5: pSU objective value as a function of server number
A complete analysis with six sensor budget allowance under all destination levels is given in Table 4. Using the ELF criterion on the Blue destination case, the minimum number of response units necessary was four. Deciding on the appropriate number of response units is then determined by examination of the All Arcs and Path Arcs metrics as well as any additional constraints (i.e. budgetary, vehicular limitations, etc). If there are no other restrictions, these metrics justify either the seven or eight response unit cases as both intercept all path arcs and offer complete or near complete coverage of all network arcs as well. There is no additional gain in coverage by deploying more than eight response units within the region while using any less than seven units stresses system response to the path arcs. As the number of targets increases, the spatial location of the targets leads to increases in the set P Att of (18). This increase, along with the changing sensor schema, often necessitates the deployment of a larger response unit team to adequately cover the alternate options available to an attacker.
20
Table 4: pSU results for the LanPalm 6 sensor budget (all threat)
Performance of the genetic algorithm used to locate servers is measured in the number of replications (population changes) necessary to reach the stopping criteria. Each replication averaged 0.5 seconds of computation time. Figure 6 illustrates replication trends across all threat levels of the LanPalm case study for 3 – 10 response units.
21
Figure 6: pSU replications by server number and threat level
The figure indicates a general upward trend in replication count as the number of response units located increases. Threat level, however, does not have a clear correlation with replication numbers. The rate of increase is a result of the optimal stopping criteria (a set number of replications with no change to the incumbent population), within which the number of response units to be located is a direct factor. Variation in the plot of Figure 6 is attributable to the probabilistic nature with which a new population member is selected. Deciding on the number of response units, the locations may then be located on the regional map as in Figure 7. The seven unit case was selected due to the 1.000 path arcs value, indicating that every potential arc used in the Benders cut set had a quicker response time than arc traversal time.
22
Figure 7: LanPalm response unit location for blue threat with six sensor budget
6. Conclusions and future work
This paper has presented a new formulation and methodology for the network interdiction problem and examined a case study based on its application to the protection of critical infrastructure and key resources in large geographic regions. The capability of the model to handle problems of realistic size and complexity builds upon the current literature and strengthens ties between the allocation of detection resources and the location and evaluation of interception teams handling instantiated alarms. Allocation of defense resources was modeled as a bi-level integer program where the defender placed detection sensors within a region of interest to minimize network vulnerability while the attacker selected the most vulnerable path between a set of potential origins and destinations. Disassociation of sensor locations from the network was accomplished through the implementation of a Geographic Information System (GIS) and resulted in the creation of geographic atoms upon which sensor resources may be allocated (in contrast to the direct interdiction of network arcs in standard network interdiction problems). Sensor detection parameters and network properties were then used as input to a demand-based resource allocation model that located a designated number of interception units within the network. The interception team was then analyzed using a hypercube queuing model (Larson and Odoni 2007) with an All Arcs and Path Arcs metric in order to obtain performance measures and determine the minimum required number of units necessary to meet regional interception performance levels.
23
The framework above attempts to capture and replicate the complexity of real-world defense scenarios. As such problems become more complex or take on larger scale the solution approaches detailed above are hindered computationally by increased iteration times (as in the SPNIP-M problem) and/or strict model limitations (as in the hypercube queuing model). Hypercube approximation techniques may be used in lieu of the exact hypercube method (discussed in section 4) to relax the strict upper bound on the number of response units capable of being evaluated (this is due to the combinatorial expansion seen in the original hypercube model) (Larson 1975). The effect of branching schemes and solver parameter settings on iterative computation time (as discussed in section 5) motivates the need to explore the SPNIP-M formulation properties in order to take advantage of the unique problem structure and to create more computationally time-efficient iterations. Outstanding model improvements include development of a more comprehensive and realistic risk/vulnerability metric to replace the random assignment of initial vulnerability values. Time of day, time of year, topography, weather and surface characteristics are just some of the constantly changing factors which contribute largely to risk/vulnerability and which could benefit from the introduction of stochastic/probabilistic principles implemented and managed via a GIS. The structure of the SPNIP-M formulation may be adapted relatively easily to handle asymmetric information, making the model capable of replicating situations where the attacker, defender, or both, have imperfect or incorrect information regarding the parameters/properties/location of the placed sensors and their influence on the network. The current model assumes perfect information with respect to both the attacker and defender. Depending on the location of geographic atoms and on sensor parameters, the SPNIPM formulation may be used to model network interdiction. Depending on the scale, the SPNIPM formulation may be applied to areas such as airport security, critical facility protection, and border security. Efforts are also being made to apply the model to areas of temporarily localized population clusters such as sports arenas, convention centers and public markets through the introduction and a temporal component and mobile (non-permanent) sensors.
7. References Alp, O., E. Erkut and Z. Drezner (2003). "An efficient genetic algorithm for the p-Median problem." Annals of Operations Research 122: 21-42. 24
Awerbuch, B. and T. Leighton (1994). Improved Approximation Algorithms for the MultiCommodity Flow Problem and Local Competitive Routing in Dynamic Networks. Annual ACM Symposium on Theory of Computing, Montreal, Quebec, ACM Press, vol. pp. 487-496. Bard, J. (1998). Practical bilevel optimization: Algorithms and applications. Boston, Kluwer Academic Publishers. Bayrak, H. and M. Bailey (2008). "Shortest Path Network Interdiction with Asymmetric Information." Networks 52(3): 133-140. Brown, G., M. Carlyle, J. Salmeron and K. Wood (2006). "Defending Critical Infrastructure." Interfaces 36(6): 530-544. Chelst, K. (1978). "An algorithm for deploying a crime directed (tactical) patrol force." Management Science 24(12): 1314-1327. Department of Homeland Security. (2009). "Critical Infrastructure and Key Resources." Retrieved August 20, 2009, from http://www.dhs.gov/files/programs/gc_1189168948944.shtm. Ellefsen, R. and J. Liu (1994). Ubran terrain zone based GIS for MOUT. GIS/LIS '94 Annual Conference and Exposition, Phoenix, AZ, ACSM, vol. 1, pp. 254-262. Goldberg, A., J. Oldham, S. Plotkin and C. Stein (1998). An Implementation of a Combinatorial Approximation Algorithm for Minimum-Cost Multi-Commodity Flow. Integer Programming and Combinatorial Optimization. Houston, Texas, Springer Berlin / Heidelberg. 1412/1998: 338. Israeli, E. and K. Wood (2002). "Shortest-Path Network Interdiction." Networks 40(2): 97-111. Jarvis, J. P. (1985). "Approximating the equilibrium behavior of multi-server loss systems." Management Science 31(2): 235-239. Jenelius, E., T. Petersen and L.-G. Mattsson (2006). "Importance and Exposure in Road Network Vulnerability Analysis." Transportation Research Part A 40: 537-560. Kara, B. and V. Verter (2004). "Designing a Road Network for Hazardous Materials Transportation." Transportation Science 38(2): 188-196. Kleinrock, L. (1975). Queuing Systems. New York, John Wiley & Sons. Larson, R. (1975). "Approximating the performance of urban emergency service systems." Operations Research 23(5): 845-868. Larson, R. and E. Franck (1978). "Evaluating dispatching consequences of automatic vehicle locaiton in emergency services." Computers & Operations Research 5: 11-30.
25
Larson, R. and A. Odoni (2007). Urban Operations Research. Belmont, Massachusetts, Dynamic Ideas. Leonelli, P., S. Bonvicini and G. Spadoni (2000). "Hazardous Materials Transportation: A RiskAnalysis-Based Routing Methodology." Journal of Hazardous Materials 71: 283-300. Lim, C. and J. C. Smith (2007). "Algorithms for Discrete and Continuous Multicommodity Flow Network Interdiction Problems." IIE Transactions 39: 15-26. Nemhauser, G. and L. Wolsey (1999). Integer and combinatorial optimization. New York, Wiley-Interscience. Qiao, J., D. Jeong, M. Lawley, J.-P. Richard, D. Abraham and Y. Yih (2007). "Allocating Security Resources to a Water Supply Network." IIE Transactions 39: 95-109. ReVelle, C. S. and H. A. Eislet (2005). "Location analysis: A synthesis and survey." European Journal of Operations Research 165: 1-19. Schrank, D. and T. Lomax (2005). The 2005 Urban Mobility Report. Texas Transportation Institute, Texas A&M University. Sherali, H., L. Brizendine, T. Glickman and S. Subramanian (1997). "Low Probability - High Consequence Considerations in Routing Hazardous Material Shipments." Transportation Science 31(3). U.S. Census Bureau. (2008). "TIGER, TIGER/Line and TIGER-Related Products." Retrieved August 1st, 2008, from http://www.census.gov/geo/www/tiger/. Wein, L. and M. Atkinson (2007). "The Last Line of Defense: Designing Radiation Detectioninterdiction Systems to Protect Cities From a Nuclear Terrorist Attack." IEEE Transactions on Nuclear Science. Zhang, M., Y. Ma and K. Went (2005). Location-Routing Model of Hazardous Materials Distribution System based on Risk Bottleneck. International Conference on Services Systems and Services Management, Proceedings of ICSSSM '05, vol. 1, pp. 362 - 368.
26
