Trilevel Optimization of Trilevel Optimization of Homeland-Defense ProblemsHomeland-Defense Problems

Jerry BrownMatt CarlyleKevin Wood

Operations Research Dept.

4 October 2007

2

Modeling AdversariesModeling Adversaries• How do we account for the actions of

malicious, intelligent adversaries?

• We can try to assess means, motive, opportunity, etc.– Many experts on various groups and cultures

involved– Many models proposed in DoD, DHS, and in

the literature

3

Bioterrorism MotivationBioterrorism Motivation• Original model we saw was an 18 stage Probabilistic Risk

Assessment (PRA) tree

• Branching for terrorist stages (“events”) modeled with probabilities (and conditional probabilities) – derived from an average over several SME inputs... – ...each of which was derived from a stoplight diagram

• Latin hypercube sampling provided scenario (path) probabilities

• Other models yielded “consequences” at each scenario leaf

• Expected(scenario probability X consequence) = risk• Risk analyses yielded a ranking of terrorist options

4

Models of Random BehaviorModels of Random Behavior• Perfectly suited for Mother Nature

– Storm forecasts– Hurricane tracking– Drought durations– Lightning strikes

• Adapted to other highly complex systems– Stock market– Retail demand forecasting– Engineering reliability– Many other successful applications

5

Models of Random BehaviorModels of Random Behavior• Typically driven by a set of key model

parameters– Means– Rates of growth– Drift– Variance

• Models fit from past performance data– What if no past performance exists?– Or we have poor model fits for estimates...

6

Subject Matter ExpertsSubject Matter Experts• SMEs can provide a wealth of

information for complex models• Data frequently must be elicited by the

modelers– Interviews and questionnaires– Stoplight diagrams (!)

• SMEs rarely (never?) use the words “always” or “never”

7

BioterrorismBioterrorism• Where will a terrorist attack take place?• What pathogen?• How will they release it?• When?

• SMEs using stoplight diagrams will end up providing a positive “probability” on almost every possible outcome.

8

(Bio-)Terrorists(Bio-)Terrorists• Probability-based risk models reduce

terrorist events to “acts of nature”

• We know that terrorists observe the current situation and adapt

• Terrorists are intelligent, malicious adversaries, and will not attack randomly.

9

Our (Very Brief) BackgroundOur (Very Brief) Background• Large-Scale Optimization

• Network Models of Logistics and Infrastructure Systems

• Optimal Attack and Defense of Critical Infrastructure

• Bioterrorism: Strategic Investments to Minimize US Vulnerability to Worst-Case Bio Attacks

10

Critical InfrastructureCritical Infrastructure

Subways

Power grids

Pipelines Railroads

Airports

11

Developing Bilevel and Developing Bilevel and Trilevel Optimization Trilevel Optimization

ModelsModels

12

Bilevel (Attacker-Defender) ModelsBilevel (Attacker-Defender) Models

• Two opponents: attacker and defender• Defender operates efficiently (say, at

minimum cost) using existing infrastructure

• Attacker seeks to damage infrastructure to maximize defender’s costs, with limited resources

13

Bilevel ModelBilevel Model• X: Attacker chooses an attack that

damages defender system components

• Y: Defender observes X, and operates resulting system optimally

14

Optimal AttackOptimal Attack

min 'max

' '0

yxy b A

y G g

x

xy

x

The typical attack problem is formulated as follows:(cost interdiction)

We do not have COTS technology to solve these “max-min” problems directly.

15

ReformulationReformulation

m max 'a

0

xx

A

g

b

x

G x

x

However, reformulating the inner problem… (taking the dual…)

16

Crashed PERTShortest Path

Logistics, Fuel DistributionMateriel Flow from N. KoreaBallistic Missile DefenseNaval Base DefenseDelay Iranian Nuclear Weapon

AssignmentPure NetworkMulticommodity FlowLeontief Models Economic WarfareLP and NLP (Convex) Electrical Grid

Bilevel ApplicationsBilevel Applications

Over 100 red-team case studies of various real infrastructure systems, and more

17

Bilevel (Defender-Attacker) ModelsBilevel (Defender-Attacker) Models

• Defender invests in defensive options • Attacker maximizes damage based on

observed defenses

Fast Detection of Biological Fast Detection of Biological Attack in the DC MetroAttack in the DC Metro

19

Pentagon

King Street

Metro

China Gallery

Fort Totten

Stadium - Armory

Shady Grove

GlenmontGreenbelt

Vienna/Fairfax-GMU

New Carrollton

Addison Rd – Seat Pleasant

Branch Ave

Franconia - Springfield Huntington

L’ EnfantPlaza

Rosslyn

Dupont Circle

3 Detectors.Detection Opportunity: 31 min

Detector location

Worst case attack

Results: Three Detectors Results: Three Detectors

20

Results: Detectors vs. Time Results: Detectors vs. Time

21

Trilevel OptimizationTrilevel Optimization• Defender makes a budget-limited

investment in defense option(s)

• Attacker observes defense investment, and chooses an attack

• Defender observes attack, and responds based on prior investment to reduce impact of attack

1: Protecting the US 1: Protecting the US Strategic Petroleum ReserveStrategic Petroleum Reserve

23n108

n103

n102n101

n104

t14

n100

n124

n106

n107

t15

t16

n109n112

n105

n110n111

n116

n119

n121

n122

n115

n114

n118

t21

t19

n120

n117

n125

n133

n141

n136

n123

n1002

n128

n130

n126

n127

n132

n139

n138

n137

n131

n129

n140

n135

n134

t2

t13t12

t5

t6

t7

t18

t1

t17

t4

t3

n1001

t22 t9t8

t10

t11

t20

Scenario 2 – “Sources are Scenario 2 – “Sources are Hardened”Hardened”

t11

n121

n1002 SourcesSourcesPumps/Transfer StationsPumps/Transfer StationsSinksSinks

0%

10%20%

30%

40%50%

60%

70%

80%90%

100%

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Number of Interdictions

Perc

ent o

f Rem

aini

ng F

low

FLOW

24n108

n103

n102n101

n104

t14

n100

n124

n106

n107

t15

t16

n109n112

n105

n110n111

n116

n119

n121

n122

n115

n114

n118

t21

t19

n120

n117

n125

n133

n141

n136

n123

n1002

n128

n130

n126

n127

n132

n139

n138

n137

n131

n129

n140

n135

n134

t2

t13t12

t5

t6

t7

t18

t1

t17

t4

t3

n1001

t22 t9t8

t10

t11

t20

t11

n121

n1002 SourcesSourcesPumps/Transfer StationsPumps/Transfer StationsSinksSinks

FLOW

Scenario 3 – “Backbone Scenario 3 – “Backbone Protection”Protection”

0%

10%20%

30%

40%50%

60%

70%

80%90%

100%

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Number of Interdictions

Perc

ent o

f Rem

aini

ng F

low

Back to the Bioterrorism Back to the Bioterrorism Application...Application...

26

Trilevel Bioterror ModelTrilevel Bioterror Model• W: Defender makes a budget-limited

investment in defense option(s)

• X: Attacker observes W, and chooses a pathogen, location, time, etc.

• Y: Defender observes X, and activates mitigation options, based on prior decision W, to reduce damage of X

27

Trilevel Optimization ModelTrilevel Optimization Model

,

,, , , ,

, , ,

, , , ,,

,

* min max min (D0)

1 (D1)

1 (A1)

(M1)

, (M2)

{0,1}, 0, 0 , ,d a d m

ad d ma ad a d d a m d mw yx d a d a m

dd

aa

k d m d m k d dd m d

d m d d

d

z damage w x mitigate x y

w

x

q y r w k K

y w d D m M

w x y d D a A m M

28

A Three-stage Decision TreeA Three-stage Decision Tree

.

.

.

.

.

.

.

.

.

.

.

.

W

X

Y

, , ,d a d a mdamage mitigatedw ax ,d my.

.

.

29

ExtensionsExtensions• What about 18 stages?

– max max max min min max max min min max .....

• In our optimization models, adjacent stages with the same objective can combine into one stage (same decision maker)

• Adjacent stages with continuous decision variables (e.g., probabilities) can be interchanged (a von-Neumann-style min-max theorem)

• This lead us to a three-stage model, hence our trilevel optimization

30

ResultsResults• Our optimization model restricts defender to

making a specific investment (or discrete set of investments)

• Attacker can choose probability distribution over attack options

• Defender responses are specific to each attack

31

Results: Our Key InsightResults: Our Key Insight• We prefer to use the inputs usually provided to

SMES as inputs to our model, with SME guidance

• Our defensive investment is optimal, and any attacker mixed strategy is the worst-case attacker effort

• We have seen instances where it is optimal for the attacker to choose a “mixed strategy”

• These mathematically-derived, mixed-strategy probabilities are a result of our analysis, not an input to it

32

Current Research: SecrecyCurrent Research: Secrecy• What if one side is unaware of some

capabilities of the other?– Example: Terrorists can see investments, but are

unaware of our mitigation capabilities

• Non-zero-sum models. Attacker and defender do not share the same objective.– Bilevel (or multi-level) integer programming– Akin to bimatrix games– Very difficult to solve

33

ExamplesExamples• Electric Power Grid (DoJ, DHS, DoE, funded)

– DAD: harden substations to minimize load shed over time• Counter-proliferation of WMDs (LLNL, unfunded)

– AD: choose project tasks to interdict to cause maximal delay• Ballistic Missile Defense (NWDC, funded)

– DAD: preposition BMD assets to minimize worst-case expected damage• Secure Facility Protection (ONR, funded)

– DAD: install security measures to reduce infiltration risk• Bioterrorism threat reduction (NRC, NAS, unfunded)

– DAD: invest in defensive strategies for future mitigation against array of threats

• (U) Social Network Analysis (DoD, partially funded)– AD: Remove key individuals to maximally retard flow of information,

funds, influence, etc.

34

ContactsContacts

Contact Info: Prof. Gerald Brown gbrown@nps.eduProf. Matthew Carlyle mcarlyle@nps.edu Prof. Kevin Wood kwood@nps.eduOperations Research Dept. Naval Postgraduate School

35

ReferencesReferences• Brown, G., Carlyle, M., Salmerón, J. and Wood, K., 2006a, “

Defending Critical Infrastructure,” Interfaces, 36, pp. 530-544.

• Brown, G., Carlyle, M., Salmerón, J. and Wood, K., 2005a, “Analyzing the Vulnerability of Critical Infrastructure to Attack, and Planning Defenses,” in Tutorials in Operations Research: Emerging Theory, Methods, and Applications, H. Greenberg and J. Smith, eds., Institute for Operations Research and Management Science, Hanover, MD.

• Brown, G., Carlyle M., Harney R., Skroch E., Wood, K., 2006b, “Anatomy of a Project to Produce a First Nuclear Weapon,” Science and Global Security, 14, pp. 163-182.

• Brown, G., Carlyle, M., Diehl, D., Kline, J. and Wood, K., 2005b, “A Two-Sided Optimization for Theater Ballistic Missile Defense,” Operations Research, 53 , pp. 263-275.

• Brown, G., Carlyle, M., Harney, R., Skroch, E. and Wood, K., 2007, “Interdicting a Nuclear Weapons Project,” in review.

• Salmerón, J., Wood, K. and Baldick, R., 2004, “Analysis of Electric Grid Security Under Terrorist Threat,” IEEE Transactions on Power Systems, 19(2), pp. 905-912.