## Abstract

A broad variety of problems, such as targeted marketing and the spread of viruses and malware, have been modeled as maximizing the reach of diffusion through a network. In cyber-security applications, however, a key consideration largely ignored in this literature is stealth. In particular, an attacker who has a specific target in mind succeeds only if the target is reached before the malicious payload is detected and corresponding countermeasures deployed. The dual side of this problem is deployment of a limited number of monitoring units, such as cyber-forensics specialists, to limit the success of such targeted and stealthy diffusion processes. We investigate the problem of optimal monitoring of targeted stealthy diffusion processes. While natural variants of this problem are NP-hard, we show that if stealthy diffusion starts from randomly selected nodes, the defender’s objective is submodular and can be approximately optimized. In addition, we present approximation algorithms for the setting where the choice of the starting point is adversarial. We further extend our results to settings where the diffusion starts at multiple-seed nodes simultaneously, and where there is an inherent delay in detecting the infection. Our experimental results show that the proposed algorithms are highly effective and scalable.
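The random-start case can be illustrated with a small greedy placement. This is an added example, not code from the paper or its released software. It assumes a simplified deterministic model that the abstract does not specify: the infection spreads one hop per time step, the seed is drawn uniformly from the non-target nodes, and a monitor detects the infection only if it is infected strictly before the target. Under these assumptions the detection probability is a coverage function, which is monotone submodular, so greedy selection carries the classical (1 − 1/e) guarantee.

```python
from collections import deque

def bfs_dist(adj, src):
    """Hop distance from src = time step at which each node gets infected."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def coverage_sets(adj, target):
    """cover[m] = seeds whose spread infects monitor m strictly before the target."""
    inf = float("inf")
    dist = {s: bfs_dist(adj, s) for s in adj}
    return {m: {s for s in adj if s != target
                and dist[s].get(m, inf) < dist[s].get(target, inf)}
            for m in adj}

def detection_rate(adj, target, monitors):
    """Probability that a uniformly random non-target seed is caught in time."""
    cover = coverage_sets(adj, target)
    caught = set().union(*(cover[m] for m in monitors))
    return len(caught) / (len(adj) - 1)

def greedy_monitors(adj, target, k):
    """Pick up to k monitors, each maximizing the number of newly caught seeds."""
    cover = coverage_sets(adj, target)
    chosen, caught = [], set()
    for _ in range(k):
        best = max(sorted(cover), key=lambda m: len(cover[m] - caught))
        if not cover[best] - caught:
            break  # no remaining candidate improves the objective
        chosen.append(best)
        caught |= cover[best]
    return chosen

# Constructed sample network: node 0 is the target, 1 and 2 are its gateways.
EDGES = [(0, 1), (0, 2), (1, 3), (1, 4), (1, 5), (2, 6), (2, 7), (5, 6)]
ADJ = {n: set() for e in EDGES for n in e}
for a, b in EDGES:
    ADJ[a].add(b)
    ADJ[b].add(a)

if __name__ == "__main__":
    for k in (1, 2):
        picks = greedy_monitors(ADJ, 0, k)
        print(k, picks, round(detection_rate(ADJ, 0, picks), 3))
```

Monitoring the target itself yields a detection rate of zero in this model, since detection there coincides with the attacker's success.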

## Notes

This goal is actually meaningless in the RIC model if a graph is connected, since all nodes will eventually be infected.

The proof of Theorem 7 formalizes this argument for a more general optimization problem discussed in a later section.

The software and dataset used for these experiments are available at http://aronlaszka.com/data/haghtalab2015monitoring.zip.

## References

Adler M, Räcke H, Sivadasan N, Sohler C, Vöcking B (2003) Randomized pursuit-evasion in graphs. Comb Probab Comput 12(03):225–244

Barabási A-L, Albert R (1999) Emergence of scaling in random networks. Science 286(5439):509–512

Bass FM (1969) A new product growth for model consumer durables. Manag Sci 15(5):215–227

Bharathi S, Kempe D, Salek M (2007) Competitive influence maximization in social networks. In: Proceedings of the 3rd conference on web and internet economics (WINE), pp 306–311

Borodin A, Filmus Y, Oren J (2010) Threshold models for competitive influence in social networks. In: Proceedings of the 6th conference on web and internet economics (WINE), pp 539–550

Chen W, Wang C, Wang Y (2010) Scalable influence maximization for prevalent viral marketing in large-scale social networks. In: Proceedings of the 16th international conference on knowledge discovery and data mining (KDD). ACM, pp 1029–1038

Clark A, Poovendran R (2011) Maximizing influence in competitive environments: A game-theoretic approach. In: Proceedings of the 2nd conference on decision and game theory for security (GameSec), pp 151–162

Dinur I, Steurer D (2014) Analytical approach to parallel repetition. In: Proceedings of the 46th annual ACM symposium on theory of computing (STOC). ACM, pp 624–633

Domingos P, Richardson M (2001) Mining the network value of customers. In: Proceedings of the 7th international conference on knowledge discovery and data mining (KDD). ACM, pp 57–66

Erdős P, Rényi A (1959) On random graphs I. Publ Math 6:290–297

Ganesh A, Massoulié L, Towsley D (2005) The effect of network topology on the spread of epidemics. In: Proceedings of the 24th annual IEEE joint conference of the IEEE computer and communications societies, vol 2. IEEE, pp 1455–1466

Haghtalab N, Laszka A, Procaccia AD, Vorobeychik Y, Koutsoukos X (2015) Monitoring stealthy diffusion. In: Proceedings of the 15th IEEE international conference on data mining (ICDM), pp 151–160

He X, Song G, Chen W, Jiang Q (2012) Influence blocking maximization in social networks under the competitive linear threshold model. In: Proceedings of the 12th IEEE international conference on data mining (ICDM), pp 463–474

Isler V, Kannan S, Khanna S (2006) Randomized pursuit-evasion with local visibility. SIAM J Discrete Math 20(1):26–41

Johnson DS (1973) Approximation algorithms for combinatorial problems. In: Proceedings of the 5th annual ACM symposium on theory of computing (STOC). ACM, pp 38–49

Kaspersky Labs’ Global Research & Analysis Team (2012) Gauss: abnormal distribution. https://securelist.com/analysis/36620/gauss-abnormal-distribution/. Accessed 30 May 2015

Kelley MB (2013) The Stuxnet attack on Iran’s nuclear plant was ‘far more dangerous’ than previously thought. Business Insider. http://www.businessinsider.com/stuxnet-was-far-more-dangerous-than-previous-thought-2013-11. Accessed 30 May 2015

Kempe D, Kleinberg J, Tardos E (2003) Maximizing the spread of influence through a social network. In: Proceedings of the 9th international conference on knowledge discovery and data mining (KDD). ACM, pp 137–146

Kempe D, Kleinberg J, Tardos E (2005) Influential nodes in a diffusion model for social networks. In: Proceedings of the international colloquium on automata, languages and programming (ICALP). Springer, pp 1127–1138

Krause A, McMahan B, Guestrin C, Gupta A (2007) Selecting observations against adversarial objectives. In: Proceedings of the 21st annual conference on neural information processing systems (NIPS), pp 777–784

Lelarge M (2009) Economics of malware: epidemic risks model, network externalities and incentives. In: Proceedings of the 47th annual Allerton conference on communication, control, and computing (Allerton), pp 1353–1360

Mossel E, Roch S (2007) On the submodularity of influence in social networks. In: Proceedings of the 39th annual ACM symposium on theory of computing (STOC). ACM, pp 128–134

Mukhopadhyay A, Zhang C, Vorobeychik Y, Tambe M, Pence K, Speer P (2016) Optimal allocation of police patrol resources using a continuous-time crime model. In: Proceedings of the 7th conference on decision and game theory for security (GameSec). Springer, pp 139–158

Nemhauser GL, Wolsey LA, Fisher ML (1978) An analysis of approximations for maximizing submodular set functions. Math Program 14(1):265–294

Omic J, Orda A, Van Mieghem P (2009) Protecting against network infections: A game theoretic perspective. In: Proceedings of the 28th IEEE conference on computer communications (INFOCOM), pp 1485–1493

Parsons TD (1978) Pursuit-evasion in a graph. In: Theory and applications of graphs. Springer, pp 426–441

Richardson M, Domingos P (2002) Mining knowledge-sharing sites for viral marketing. In: Proceedings of the 8th international conference on knowledge discovery and data mining (KDD). ACM, pp 61–70

Tsai J, Nguyen TH, Tambe M (2012) Security games for controlling contagion. In: Proceedings of the 26th AAAI conference on artificial intelligence (AAAI), pp 1464–1470

Tsai J, Qian Y, Vorobeychik Y, Kiekintveld C, Tambe M (2013) Bayesian security games for controlling contagion. In: Proceedings of the 2013 ASE/IEEE international conference on social computing (SocialCom), pp 33–38

Van Mieghem P, Omic J, Kooij R (2009) Virus spread in networks. IEEE/ACM Trans Netw 17(1):1–14

Vorobeychik Y, Letchford J (2015) Securing interdependent assets. J Auton Agents Multiagent Syst 29(2):305–333

Yang J, Leskovec J (2010) Modeling information diffusion in implicit networks. In: Proceedings of the 10th IEEE international conference on data mining (ICDM). IEEE, pp 599–608

Zou CC, Gong W, Towsley D (2002) Code Red worm propagation modeling and analysis. In: Proceedings of the 9th ACM conference on computer and communications security (CCS), pp 138–147

## Acknowledgements

We thank the anonymous reviewers for their helpful comments on the conference version of this paper. This work was supported in part by the National Science Foundation (CNS-1238959, CCF-1215883, IIS-1350598, IIS-1526860, and CCF-1525932), National Institute of Standards and Technology (70NANB13H169), Air Force Research Laboratory (FA8750-14-2-0180), Office of Naval Research (N00014-15-1-2621), Army Research Office (W911NF-16-1-0069), a Sloan Research Fellowship, an IBM Ph.D. Fellowship, and a Microsoft Research Ph.D. Fellowship.

## Additional information

The preliminary version of this work appeared in the Proceedings of the 15th IEEE International Conference on Data Mining [12].

## About this article

### Cite this article

Haghtalab, N., Laszka, A., Procaccia, A.D. *et al.* Monitoring stealthy diffusion. *Knowl Inf Syst* **52**, 657–685 (2017). https://doi.org/10.1007/s10115-017-1023-7

### Keywords

- Diffusion in networks
- Security
- Stealthy diffusion
- Monitoring diffusions
- Malware detection