Knowledge and Information Systems, Volume 52, Issue 3, pp 657–685

Monitoring stealthy diffusion

  • Nika Haghtalab
  • Aron Laszka
  • Ariel D. Procaccia
  • Yevgeniy Vorobeychik
  • Xenofon Koutsoukos
Regular Paper


A broad variety of problems, such as targeted marketing and the spread of viruses and malware, have been modeled as maximizing the reach of diffusion through a network. In cyber-security applications, however, a key consideration largely ignored in this literature is stealth. In particular, an attacker who has a specific target in mind succeeds only if the target is reached before the malicious payload is detected and corresponding countermeasures deployed. The dual side of this problem is deployment of a limited number of monitoring units, such as cyber-forensics specialists, to limit the success of such targeted and stealthy diffusion processes. We investigate the problem of optimal monitoring of targeted stealthy diffusion processes. While natural variants of this problem are NP-hard, we show that if stealthy diffusion starts from randomly selected nodes, the defender’s objective is submodular and can be approximately optimized. In addition, we present approximation algorithms for the setting where the choice of the starting point is adversarial. We further extend our results to settings where the diffusion starts at multiple-seed nodes simultaneously, and where there is an inherent delay in detecting the infection. Our experimental results show that the proposed algorithms are highly effective and scalable.


Keywords: Diffusion in networks; Security; Stealthy diffusion; Monitoring diffusions; Malware detection



We thank the anonymous reviewers for their helpful comments on the conference version of this paper. This work was supported in part by the National Science Foundation (CNS-1238959, CCF-1215883, IIS-1350598, IIS-1526860, and CCF-1525932), National Institute of Standards and Technology (70NANB13H169), Air Force Research Laboratory (FA8750-14-2-0180), Office of Naval Research (N00014-15-1-2621), Army Research Office (W911NF-16-1-0069), a Sloan Research Fellowship, an IBM Ph.D. Fellowship, and a Microsoft Research Ph.D. Fellowship.



Copyright information

© Springer-Verlag London 2017

Authors and Affiliations

  1. Department of Computer Science, Carnegie Mellon University, Pittsburgh, USA
  2. Vanderbilt University, Nashville, USA
