A Games-in-Games Approach to Mosaic Command and Control Design of Dynamic Network-of-Networks for Secure and Resilient Multi-Domain Operations

A Games-in-Games Approach to Mosaic Command and Control Design of Dynamic Network-of-Netw orks for Secure and Resilient Multi-Domain Operations Juntao Chen and Quanyan Zhu Department of Electrical and Computer Engineering, T andon School of Engineering Ne w Y ork Uni versity , Brooklyn, NY 11201 USA Abstract This paper presents a games-in-games approach to provide design guidelines for mosaic command and control that enables the secure and resilient multi-domain operations. Under the mosaic design, pieces or agents in the network are equipped with flexible interoperability and the capability of self-adaptability , self-healing, and resiliency so that they can reconfigure their responses to achiev e the global mission in spite of failures of nodes and links in the adversarial en vironment. The proposed games-in-games approach provides a system-of-systems science for mosaic distributed design of large-scale systems. Specifically , the framework integrates three layers of design for each agent including strategic layer, tactical layer , and mission layer . Each layer in the established model corresponds to a game of a different scale that enables the integration of threat models and achieve self-mitigation and resilience capabilities. The solution concept of the de veloped multi-layer multi-scale mosaic design is characterized by Gestalt Nash equilibrium (GNE) which considers the interactions between agents across dif ferent layers. The dev eloped approach is applicable to modern battlefield networks which are composed of heterogeneous assets that access highly di verse and dynamic information sources ov er multiple domains. By lev eraging mosaic design principles, we can achiev e the desired operational goals of deployed networks in a case study and ensure connectivity among entities for the exchange of information to accomplish the mission. Index T erms Multi-Domain Operation, Dynamic Games, Games-in-Games, System of Systems, Network Systems, Mosaic Design, Security and Resilience Further author information: (Send correspondence to Quanyan Zhu) Juntao Chen: E-mail: jc6412@nyu.edu; Quanyan Zhu: E-mail: qz494@nyu.edu, T elephone: 1-646-997-3371 I . I N T RO D U C T I O N Security and resilience of networked systems become increasingly critical no wadays due to the pre- v ailing adversarial threats from both cyber and physical domains [1]. A number of approaches have been proposed in literature to enhance the system performance under adversarial en vironment through strategic trust [2]–[5], resilient control [6]–[11], mo ving target defense [12]–[15], proactiv e deception [16]–[21], and contracts and insurances [22]–[25]. With the adoption of Internet of things (IoT) devices and information and communications technologies (ICTs), dif ferent systems are integrated together , creating network-of-networks (NoN) [26]–[28]. On one hand, NoN improv es the system dependability and interoperablity [29]. On the other hand, the network interdependency introduces new challenges for the system operator to maintain the NoN performance as the interconnection provides extra opportunity for the propagation of attacks from one network to another , e.g., through lateral mo vement in advanced persistent threat (APT) [30]. T raditional defensi ve strate gies for network ed systems are no longer suf ficient in this emerging NoN framew ork. Therefore, our goal in this paper is to propose an efficient and flexible way to achie ve mission objecti ves while ensuring the security and resilience of NoN through a new paradigm called mosaic design . The associated concept of mosaic warfare has been recently proposed by D ARP A [31]. Mosaic distributed system design refers to engineering agents with flexible interoperability and the capability of self-adaptability , self-healing , and r esiliency . Specifically , systems can achie ve its objective when one node goes away or fails [32], [33]. Furthermore, systems can respond to other systems in a non-deterministic/stochastic way and increases the composability and modularity of the system design. For example, agents can randomly arriv e and respond in a stochastic but structured way to other agents in an uncertain environment. Ho wev er , the structured randomness leads to emerging system beha viors that manifest desirable properties for the objectiv e of entire mission. Systems that hav e such properties are easily composable and resilient-by-design. Without a pre-planned integration among agents, the agents can adapt their response and reconfigure their own systems based on the type of agents that they interact with. For example, in the decision-making of battlefield scenario, the unmanned ground vehicle (UGV) network should intelligently coordinate its actions with the heterogeneous unmanned aerial vehicle (U A V) network and the soldier network in a self-adapti ve manner . Thus, in the paradigm of mosaic design, agents can be easily composed to achie ve a prescribed objectiv e through an unprescribed path. In addition, under the adversarial en vironments, the agents can reconfigure their response and roles to achieve the global mission in spite of failures of nodes and communication links. Returning to the battlefield example, a single remov al of UGV or U A V should not interrupt the action of other agents, and the whole system should still be operable when one piece is missing to achieve the global mission. These features of agile self-recov ery ability and autonomous composability are the epicenter of the mosaic designs. Mosaic design is a migration from a pre-defined protocol for distributed systems that aim to achie ve a single objecti ve. Classical design has a prescribed objecti ve and then uses a top-down design methods to decentralize the operations. For example, the operator of the entire battlefield first designs optimal strategies for the agents globally and then inform each agent ho w to act based on their local information. Ho wev er , when one agent leav es the battlefield which modifies the system, the previous designed strategy is not globally optimal anymore. Therefore, the loss of one piece will loose the entire effect in the classical top-do wn design. Mosaic design is also dif ferent from the classical deterministic bottom-up approach in which agents are programmed to behav e in a designed way of fline which losses the adapti vity . In this work, we de velop a games-in-games approach to provide a system-of-systems science for mosaic distributed design of large-scale systems. Dif ferent from pre vious works in designing resilient operational strategy for interdependent networks based a single game [34]–[37], the games-in-games approach allows an automated composition of systems to achie ve flexible interoperability [33], [38]. Agents can adapt to their neighboring ones and integrate themselves into the en vironment. The game-theoretic approach also enables the integration of threat models and achiev e self-mitigation/resilience capabilities. Related W ork : Game-theoretic approaches have been extensi vely adopted for resilient control of net- worked system and critical infrastructures [1], [7], [34], [37], [39], [40]. T o analyze strategic interactions between attackers and defenders, a large number of works hav e focused on the security modeling and design through game-theoretic frame works [23], [30], [35], [36], [38], [41]. Furthermore, researchers have also used game-theoretic methods to enable decentralized multi-layer netw ork/network-of-networks design [29], [32], [42], [43]. Due to the inte gration between heterogeneous system components, interdependent security and trust mechanisms become critical and they ha ve been addressed through game-theoretic methods from a system-of-systems perspectiv e [2], [3], [22], [24]. When the number of agents in the network grows, secure and resilient control needs to incorporate the feature of large-scale complex systems, e.g., multi-layer IoT networks and epidemic networks [44]–[47]. I I . G A M E S - I N - G A M E S A P P R OAC H F O R M O S A I C D E S I G N In this section, we develop a games-in-games framew ork which enables multi-layer and multi-scale decision-making over network systems. Then, we design the mosaic control based on this games-in-games frame work. A. Games-in-Games F ramework The games-in-games principle is a framew ork that provides a theoretical underpinning and a guideline for mosaic control designs. Specifically , the proposed games-in-games approach integrates three layers of design for each agent: strategic layer , tactical layer , and mission layer . At the strategic layer , the agents learn and respond to their environment quickly to unanticipated e vents such as attacks, disruptions, and changes of other agents. At the tactical layer, the agents plan for a longer period of time by taking into account the long-term interactions with the en vironment and other agents. The agents can make a goal-oriented planning at each stage. At the mission layer , the agents develop a stage-by-stage planning of multi-stage objectiv es to achie ve the mission despite the uncertainties and online changes. Each layer in the established model corresponds to a game of a different scale. 1): At the strategic layer , a game associated with an agent describes its interaction with an adversary , e.g. a jammer , a spoofer , or a sudden loss of neighboring node. Solutions to this game can prepare nodes for unanticipated attacks and secure the agents. 2): At the tactical layer, an N -person dynamic game describes the longer- term interactions among cooperati ve agents, each seeking control policies to achiev e individual stage objecti ves. The individual control would lead to achie ving global objecti ves such as connectivity and network formation. 3): At the mission layer , each agent plans at each stage their stage objecti ves at the tactical layer . This planning is obviously under a lot of uncertainties and need to be achieved in a moving-horizon way . In sum, games-in-games framew ork describes a multi-layer and multi-scale game-theoretic framew ork. Furthermore, the games at each layer can be composed together . For example, an N -person game can be composed with an M -person game to create an N + M -person game. Such composition leads to a resolution of the games at each layer . The games across the layers can also be composed together . For example, an N -person tactical layer game is nested in an N -person mission-layer game. In addition, the security game at the strategic layer can be nested in the tactical layer games. For clarity , the games-in- games framew ork is illustrated in Fig. 1. B. Mosaic Command and Contr ol Design The dev eloped games-in-games framew ork can be adopted to address the mosaic control design as the composability of the framew ork provides agility required by the mosaic control objecti ve. This framework is inherently secure and resilient by design. First, the games-in-games frame work anticipates the attack behavior and designs a control polic y that would prepare to defend against the anticipated attacks. The frame work provides a clean-slate design and provides a b uilt-in security for each system component that would lead to security of the integrated system. Second, the games-in-games framew ork enables each Fig. 1. Games-in-Games framework for mosaic command and control design of secure and resilient networks-of-networks. The games-in-games framework contains three layers: strate gic layer for attack and disruption consideration of each agent; tactical layer for interaction consideration between agents within and across different layers at each stage; and mission layer for moving-horizon planning to achieve multi-stage objective. Games at different layers can be composed together , leading to a flexible mosaic control design. system to respond to the unanticipated events at each time instant. Each agent can respond to ev ents that inflict damages on the agent and go through a self-healing process that can recover itself from the attacks and failures if possible. If the full reco very is not achie vable, the agents will dev elop control strate gies that will allow a graceful performance degradation. Therefore, the multi-layer mosaic control enables the agents to achiev e mission despite of failures, uncertainties, and unstructured beha viors. Note that the mosaic control is a fully integrated design which differentiates itself from current existing designs in which only partial aspects are considered, e.g., security , but not all k ey issues. The solution concept of the de veloped multi-layer and multi-scale mosaic design is characterized by Gestalt Nash equilibrium (GNE) [41], [48]. Nash equilibrium provides a solution concept to a well defined static or dynamic game in strategic or extensi ve forms. W e extend this solution concept to GNE for games-in-games framework where multiple games can be composed to capture heterogeneous interactions among dif ferent types of players. The GNE solution concept follows the definition of NE and describes an equilibrium concept in which no agent has incentiv es to deviate aw ay from not only the local game, which captures the local agent-agent level interactions, but also the composed game, which captures the global system-system lev el interactions. The de velopment of GNE provides a solution (a) (b) Fig. 2. (a) shows the evolutionary configuration of secure MAS network at each step with the consideration of jamming attack. (b) shows the corresponding network connectivity . concept for multi-scale interactions, provides a way to assess system-le vel performance, and enables the design of mosaic control systems. Mosaic control design is suitable for multi-domain operations (MDO) [49], [50]. MDO refers to a cross-domain integration of information and assets across air , space, sea, land, and cyber domains to provide a holistic situational awareness and decision-making. W e can le verage mosaic control design to provide a framework to develop a modular , functional, and composable design of command and control systems that can autonomously achie ve the mission objectiv es. C. Examples and Results In this subsection, we study a case study of a multi-layer network of autonomous systems [32], in which U A Vs and UGVs act collaboratively , intelligently , and adaptiv ely to achie ve a high connectivity . Furthermore, the designed decentralized MDO command and control algorithms enable a synchronized response for each layer to respond to others to maintain real-time connectivity despite the adversarial en vironment. Here, we present numerical results of a two-layer mobile autonomous systems using mo- saic design principles. Maintaining connecti vity between different agents is critical which improves the network situational a wareness [42], [43]. In the case studies, the objecti ve of two netw ork operators is to optimize the global network algebraic connecti vity by anticipating the existence of adversary [32]. As sho wn in Fig. 2, the network is robust to jamming attack and maintains connectivity with the presence of a jammer at ev ery step which demonstrates the security of the mosaic control algorithm. In addition, as depicted in 3, the nodes can respond quickly to the spoofing attack and achieve agile resilience through N a s h g a m e J a m m i n g a t t a c k e r N e t w o r k G 2 N e t w o r k G 1 S t a c k e l b e r g g a m e S t a c k e l b e r g g a m e (a) (b) (c) Fig. 3. (a) depicts a games-in-games framework for two-layer autonomous systems. (b) shows the iterative configuration of a two-layer autonomous network under mosaic control. (c) shows the corresponding network connectivity . The spoofing attack launches at step 35 and lasts for 6 steps. The network recov ers and reaches a GNE quickly afterward. the proposed control design. Interested readers can find more results and discussions of case studies in [33], [51]. R E F E R E N C E S [1] J. Chen, C. T ouati, and Q. Zhu, “A Dynamic Game Analysis and Design of Infrastructure Network Protection and Recov ery, ” A CM SIGMETRICS P erformance Evaluation Revie w , vol. 45, no. 2, pp. 125–128, Oct. 2017. [2] J. Pawlick and Q. Zhu, “Strategic trust in cloud-enabled cyber -physical systems with an application to glucose control, ” IEEE T ransactions on Information F orensics and Security , vol. 12, no. 12, pp. 2906–2919, 2017. [3] J. Pawlick, J. Chen, and Q. Zhu, “iSTRICT: An interdependent strategic trust mechanism for the cloud-enabled internet of controlled things, ” IEEE T ransactions on Information F orensics and Security , vol. 14, no. 6, pp. 1654–1669, 2019. [4] Q. Zhu, C. Fung, R. Boutaba, and T . Bas ¸ ar , “Guidex: A game-theoretic incentive-based mechanism for intrusion detection networks, ” Selected Ar eas in Communications, IEEE Journal on , vol. 30, no. 11, pp. 2220–2230, 2012. [5] C. J. Fung and Q. Zhu, “Facid: A trust-based collaborativ e decision framework for intrusion detection networks, ” Ad Hoc Networks , vol. 53, pp. 17–31, 2016. [6] J. Chen, L. Zhou, and Q. Zhu, “Resilient control design for wind turbines using markov jump linear system model with l ´ evy noise, ” in IEEE International Confer ence on Smart Grid Communications (SmartGridComm) , 2015, pp. 828–833. [7] J. Chen and Q. Zhu, “Interdependent strategic cyber defense and robust switching control design for wind energy systems, ” in IEEE P ower & Energy Society General Meeting , 2017, pp. 1–5. [8] Z. Xu and Q. Zhu, “ A Game-Theoretic Approach to Secure Control of Communication-Based T rain Control Systems Under Jamming Attacks, ” in Pr oceedings of the 1st International W orkshop on Safe Contr ol of Connected and Autonomous V ehicles . A CM, 2017, pp. 27–34. [Online]. A vailable: http://dl.acm.org/citation.cfm?id=3055381 [9] Z. Xu and Q. Zhu, “Secure and practical output feedback control for cloud-enabled cyber-physical systems, ” in Communications and Network Security (CNS), 2017 IEEE Conference on . IEEE, 2017, pp. 416–420. [10] Z. Xu and Q. Zhu, “ A cyber -physical game framew ork for secure and resilient multi-agent autonomous systems, ” in Decision and Contr ol (CDC), 2015 IEEE 54th Annual Conference on . IEEE, 2015, pp. 5156–5161. [11] Z. Xu and Q. Zhu, “Secure and resilient control design for cloud enabled networked control systems, ” in Pr oceedings of the F irst ACM W orkshop on Cyber-Physical Systems-Security and/or PrivaCy . A CM, 2015, pp. 31–42. [12] S. Jajodia, A. K. Ghosh, V . Swarup, C. W ang, and X. S. W ang, Moving tar get defense: creating asymmetric uncertainty for cyber threats . Springer Science & Business Media, 2011, vol. 54. [13] Q. Zhu and T . Bas ¸ar, “Game-theoretic approach to feedback-driv en multi-stage moving target defense, ” in International Confer ence on Decision and Game Theory for Security . Springer , 2013, pp. 246–263. [14] H. Maleki, S. V alizadeh, W . K och, A. Bestavros, and M. van Dijk, “Markov modeling of moving target defense games, ” in Pr oceedings of the 2016 A CM W orkshop on Moving T arget Defense . A CM, 2016, pp. 81–92. [15] J. H. Jafarian, E. Al-Shaer , and Q. Duan, “Openflow random host mutation: transparent moving target defense using software defined networking, ” in Pr oceedings of the first workshop on Hot topics in softwar e defined networks . A CM, 2012, pp. 127–132. [16] E. S. Al-Shaer, J. W ei, K. W . Hamlen, and C. W ang, Autonomous Cyber Deception: Reasoning, Adaptive Planning, and Evaluation of HoneyThings . Springer , 2019. [17] S. Jajodia, V . Subrahmanian, V . Swarup, and C. W ang, Cyber deception . Springer, 2016. [18] L. Huang and Q. Zhu, “Dynamic bayesian games for adversarial and defensive cyber deception, ” in Autonomous Cyber Deception: Reasoning, Adaptive Planning, and Evaluation of HoneyThings , E. Al-Shaer , J. W ei, K. W . Hamlen, and C. W ang, Eds. Springer International Publishing, 2019, pp. 75–97. [19] J. Pawlick, E. Colbert, and Q. Zhu, “Modeling and analysis of leak y deception using signaling games with evidence, ” IEEE T ransactions on Information F orensics and Security , 2018. [20] J. Pa wlick, “ A systems science perspective on deception for cybersecurity in the internet of things, ” Ph.D. dissertation, 2018. [Online]. A vailable: https://search.proquest.com/docview/2051798175?accountid=12768 [21] J. Pa wlick, E. Colbert, and Q. Zhu, “ A game-theoretic taxonomy and survey of defensiv e deception for cybersecurity and priv acy , ” arXiv pr eprint arXiv:1712.05441 , 2017. [22] J. Chen and Q. Zhu, “Optimal contract design under asymmetric information for cloud-enabled internet of controlled things, ” in International Conference on Decision and Game Theory for Security . Springer, 2016, pp. 329–348. [23] R. Zhang, Q. Zhu, and Y . Hayel, “ A bi-lev el game approach to attack-aware cyber insurance of computer networks, ” IEEE Journal on Selected Areas in Communications , vol. 35, no. 3, pp. 779–794, 2017. [24] J. Chen and Q. Zhu, “Security as a service for cloud-enabled internet of controlled things under adv anced persistent threats: a contract design approach, ” IEEE T ransactions on Information F orensics and Security , vol. 12, no. 11, pp. 2736–2750, 2017. [25] J. Chen and Q. Zhu, “ A linear quadratic dif ferential game approach to dynamic contract design for systemic cyber risk management under asymmetric information, ” in 2018 56th Annual Allerton Conference on Communication, Contr ol, and Computing (Allerton) . IEEE, 2018, pp. 575–582. [26] V . Kurian, J. Chen, and Q. Zhu, “Electric power dependent dynamic tariffs for water distribution systems, ” in Proceedings of the 3rd International W orkshop on Cyber-Physical Systems for Smart W ater Networks . A CM, 2017, pp. 35–38. [27] R. Zimmerman, Q. Zhu, F . de Leon, and Z. Guo, “Conceptual modeling frame work to integrate resilient and interdependent infrastructure in extreme weather , ” Journal of Infrastructur e Systems , vol. 23, no. 4, p. 04017034, 2017. [28] R. Zimmerman, Q. Zhu, and C. Dimitri, “ A network framework for dynamic models of urban food, energy and water systems (fews), ” Envir onmental Pro gr ess & Sustainable Ener gy , vol. 37, no. 1, pp. 122–131, 2018. [29] J. Chen and Q. Zhu, “Interdependent network formation games with an application to critical infrastructures, ” in American Contr ol Confer ence (ACC) . IEEE, 2016, pp. 2870–2875. [30] L. Huang and Q. Zhu, “ Adaptiv e strategic cyber defense for advanced persistent threats in critical infrastructure networks, ” A CM SIGMETRICS P erformance Evaluation Revie w , vol. 46, no. 2, pp. 52–56, 2019. [31] D ARP A, “Darpa tiles together a vision of mosaic warfare: Banking on cost-effecti ve complexity to o verwhelm adversaries, ” [accessed 2019-06-05]. [Online]. A vailable: https://www .darpa.mil/work- with- us/ darpa- tiles- together- a- vision- of- mosiac- warfare [32] J. Chen and Q. Zhu, “Resilient and decentralized control of multi-le vel cooperati ve mobile netw orks to maintain connecti vity under adversarial en vironment, ” in Conference on Decision and Contr ol (CDC) . IEEE, 2016, pp. 5183–5188. [33] J. Chen and Q. Zhu, “Control of multi-layer mobile autonomous systems in adversarial environments: A games-in-games approach, ” IEEE T ransactions on Contr ol of Network Systems, submitted , 2019. [34] L. Huang, J. Chen, and Q. Zhu, “ A factored MDP approach to optimal mechanism design for resilient large-scale interdependent critical infrastructures, ” in W orkshop on Modeling and Simulation of Cyber-Physical Ener gy Systems (MSCPES), CPS W eek , 2017, pp. 1–6. [35] L. Huang, J. Chen, and Q. Zhu, “ A large-scale markov game approach to dynamic protection of interdependent infrastructure networks, ” in International Conference on Decision and Game Theory for Security . Springer , 2017, pp. 357–376. [36] L. Huang, J. Chen, and Q. Zhu, “Factored markov game theory for secure interdependent infrastructure networks, ” in Game Theory for Security and Risk Management . Springer , 2018, pp. 99–126. [37] L. Huang, J. Chen, and Q. Zhu, “Distributed and optimal resilient planning of large-scale interdependent critical infrastructures, ” in W inter Simulation Conference (WSC) , 2018, pp. 1096–1107. [38] Q. Zhu and T . Basar , “Game-theoretic methods for robustness, security , and resilience of cyberphysical control systems: games-in-games principle for optimal cross-layer resilient control systems, ” IEEE Control Systems Magazine , vol. 35, no. 1, pp. 46–65, 2015. [39] J. Chen and Q. Zhu, “ A game-theoretic framework for resilient and distrib uted generation control of rene wable energies in microgrids, ” IEEE T ransactions on Smart Grid , vol. 8, no. 1, pp. 285–295, 2016. [40] J. Chen, C. T ouati, and Q. Zhu, “ A dynamic game approach to strategic design of secure and resilient infrastructure network, ” IEEE T ransactions on Information F orensics and Security , submitted , 2019. [41] J. Chen and Q. Zhu, “Security in vestment under cognitiv e constraints: A gestalt Nash equilibrium approach, ” in 52nd Annual Confer ence on Information Sciences and Systems (CISS) , 2018, pp. 1–6. [42] J. Chen, C. T ouati, and Q. Zhu, “Heterogeneous multi-layer adversarial network design for the IoT-enabled infrastructures, ” in IEEE Global Communications Conference , 2017, pp. 1–6. [43] J. Chen, C. T ouati, and Q. Zhu, “Optimal secure two-layer IoT network design, ” IEEE T ransactions on Contr ol of Network Systems , 2019. [44] J. Chen, R. Zhang, and Q. Zhu, “Optimal quarantining strategy for interdependent epidemics spreading over complex networks, ” submitted , 2019. [45] M. J. Farooq and Q. Zhu, “On the secure and reconfigurable multi-layer network design for critical information dissemination in the internet of battlefield things (IoBT), ” IEEE T ransactions on W ir eless Communications , vol. 17, no. 4, pp. 2618–2632, 2018. [46] M. J. Farooq and Q. Zhu, “ A multi-layer feedback system approach to resilient connectivity of remotely deployed mobile Internet of things, ” IEEE T ransactions on Cognitive Communications and Networking , vol. 4, no. 2, pp. 422–432, 2018. [47] Y . Hayel and Q. Zhu, “Epidemic protection over heterogeneous networks using ev olutionary poisson games, ” IEEE T ransactions on Information F orensics and Security , vol. 12, no. 8, pp. 1786–1800, 2017. [48] J. Chen and Q. Zhu, “Interdependent strategic security risk management with bounded rationality in the internet of things, ” IEEE T ransactions on Information F orensics and Security , 2019. [49] D. G. Perkins, “Multi-domain battle: driving change to win in the future, ” Military Revie w , vol. 97, no. 4, p. 6, 2017. [50] D. G. Perkins, “Multi-domain battle: The advent of twenty-first century war , ” Military Revie w , vol. 97, no. 6, p. 8, 2017. [51] J. Chen and Q. Zhu, A Game- and Decision-Theoretic Appr oach to Resilient Interdependent Network Analysis and Design . Springer , 2020.