Optimal Welfare in Noncooperative Network Formation under Attack

Communication networks are essential for our economy and our everyday lives. This makes them lucrative targets for attacks. Today, we see an ongoing battle between criminals that try to disrupt our key communication networks and security professionals that try to mitigate these attacks. However, today’s networks, like the Internet or peer-to-peer networks among smart devices, are not controlled by a single authority, but instead consist of many independently administrated entities that are interconnected. Thus, both the decisions of how to interconnect and how to secure against potential attacks are taken in a decentralized way by selfish agents. This strategic setting, with agents that want to interconnect and potential attackers that want to disrupt the network, was captured via an influential game-theoretic model by Goyal, Jabbari, Kearns, Khanna, and Morgenstern (WINE 2016). We revisit this model and show improved tight bounds on the achieved robustness of networks created by selfish agents. As our main result, we show that such networks can resist attacks of a large class of potential attackers, i.e., these networks maintain asymptotically optimal welfare post attack. This improves several bounds and resolves an open problem. Along the way, we show the counter-intuitive result, that attackers that aim at minimizing the social welfare post attack do not actually inflict the greatest possible damage.

💡 Research Summary

The paper revisits the strategic network formation model introduced by Goyal, Jabbari, Kearns, Khanna, and Morgenstern (WINE 2016), where each of n selfish agents can purchase undirected links at cost C_E and optionally immunize themselves at cost C_I. After the network is formed, an adversary attacks a single vulnerable node; the infection then spreads through the subgraph induced by all unprotected nodes, removing the entire vulnerable component that contains the target. Agents derive utility from the expected size of their reachable component after the attack, minus their link and immunization costs. The social welfare is the sum of all agents’ utilities.

Goyal et al. studied three natural attackers: (i) maximum‑carnage (choose a target that infects the most nodes), (ii) random (uniformly pick a vulnerable node), and (iii) maximum‑disruption (choose a target that minimizes post‑attack social welfare). They proved non‑trivial welfare bounds for the first two (n² − O(n^{5/3})) but left the analysis of the maximum‑disruption attacker as an open problem.

Doubez, Lenzner, and Wunderlich extend the model by defining a broad class of “f‑opponents”. An f‑opponent is characterized by a non‑negative function f: {0,…,n} → ℝ₊ with f(0)=0; the attacker selects a vulnerable region that minimizes the sum of f(|K|) over all connected components K that remain after the attack. The maximum‑carnage and maximum‑disruption attackers correspond to f(x)=x¹ and f(x)=x², respectively. This unifies the three original attackers and enables analysis of many other potential adversaries.

A central contribution is the identification of a subclass called “Super‑Quadratic Disruptors” (SQD). An SQD is an f‑opponent whose function f is (1) strictly convex and (2) satisfies that f(x)/x² is non‑decreasing. These conditions guarantee two crucial properties: (a) the attacker is edge‑averse (removing edges never improves the attacker’s objective) and (b) the attacker is biased toward targeting larger components, because larger components contribute disproportionately to the f‑sum. Both the maximum‑carnage and maximum‑disruption attackers are SQDs, as are any attackers whose f grows faster than quadratically.

Using the SQD framework, the authors prove three main results:

1. Structural bounds: Every non‑trivial Nash equilibrium network contains at most 2n − 4 edges, and each vulnerable region forms a tree. These facts were already known for “well‑behaved” opponents, and the authors show they continue to hold for all f‑opponents, including SQDs.

2. Welfare optimality: For any SQD attacker, the social welfare of any equilibrium network is n² − Θ(n). In other words, despite the presence of an adversary, the loss in welfare is only linear in n, which is asymptotically optimal because the baseline welfare without attacks is n² − O(n). This improves the previous bound of n² − O(n^{5/3}) and resolves the open problem for the maximum‑disruption attacker.

3. Counter‑intuitive attacker behavior: The attacker that explicitly minimizes post‑attack welfare (maximum‑disruption) does not inflict the greatest possible damage. Small strategic changes by agents—such as buying an extra edge that costs slightly less than the link price—can shift the attacker’s target region and dramatically reduce the attacker’s impact, even though the attacker is still playing optimally with respect to its objective. This demonstrates that the worst‑case welfare loss is not achieved by the welfare‑minimizing attacker.

The technical proof proceeds in two stages. First, the authors exploit the strict convexity of f to show that any edge removal can only increase the attacker’s objective, establishing edge‑aversion. Second, they analyze the tree structure of vulnerable regions, bounding the total contribution of f over all components after an attack. By carefully relating the size distribution of components to the linear term n² (which comes from the “benefit‑minus‑cost” utility), they derive the n² − Θ(n) lower bound on welfare.

Finally, the paper discusses algorithmic implications. Prior work gave polynomial‑time best‑response algorithms for maximum‑carnage and random attackers; recent independent work extended this to the maximum‑disruption attacker. The present analysis suggests that similar algorithms can be designed for any SQD opponent, because the attacker’s best response can be computed by evaluating f on component sizes, a task that is tractable when f is convex and monotone.

In summary, Doubez, Lenzner, and Wunderlich close a long‑standing gap in the literature on strategic network formation under attack. They show that decentralized, selfish network formation naturally yields networks that are robust to a wide class of sophisticated attackers, achieving asymptotically optimal social welfare. The findings have practical relevance for the design of resilient peer‑to‑peer, IoT, and critical‑infrastructure networks where centralized control is infeasible.