Monitoring stealthy diffusion

Abstract

A broad variety of problems, such as targeted marketing and the spread of viruses and malware, have been modeled as maximizing the reach of diffusion through a network. In cyber-security applications, however, a key consideration largely ignored in this literature is stealth. In particular, an attacker who has a specific target in mind succeeds only if the target is reached before the malicious payload is detected and corresponding countermeasures deployed. The dual side of this problem is deployment of a limited number of monitoring units, such as cyber-forensics specialists, to limit the success of such targeted and stealthy diffusion processes. We investigate the problem of optimal monitoring of targeted stealthy diffusion processes. While natural variants of this problem are NP-hard, we show that if stealthy diffusion starts from randomly selected nodes, the defender’s objective is submodular and can be approximately optimized. In addition, we present approximation algorithms for the setting where the choice of the starting point is adversarial. We further extend our results to settings where the diffusion starts at multiple-seed nodes simultaneously, and where there is an inherent delay in detecting the infection. Our experimental results show that the proposed algorithms are highly effective and scalable.

Notes

  1. This goal is actually meaningless in the RIC model if a graph is connected, since all nodes will eventually be infected.

  2. Proof of Theorem 7 formalizes this argument for a more general optimization problem discussed in the future section.

  3. The software and dataset used for these experiments are available at http://aronlaszka.com/data/haghtalab2015monitoring.zip.

  4. http://as-rank.caida.org/.

References

  1. Adler M, Räcke H, Sivadasan N, Sohler C, Vöcking B (2003) Randomized pursuit-evasion in graphs. Comb Probab Comput 12(03):225–244

  2. Barabási A-L, Albert R (1999) Emergence of scaling in random networks. Science 286(5439):509–512

  3. Bass FM (1969) A new product growth for model consumer durables. Manag Sci 15(5):215–227

  4. Bharathi S, Kempe D, Salek M (2007) Competitive influence maximization in social networks. In: Proceedings of the 3rd conference on web and internet economics (WINE), pp 306–311

  5. Borodin A, Filmus Y, Oren J (2010) Threshold models for competitive influence in social networks. In: Proceedings of the 6th conference on web and internet economics (WINE), pp 539–550

  6. Chen W, Wang C, Wang Y (2010) Scalable influence maximization for prevalent viral marketing in large-scale social networks. In: Proceedings of the 16th international conference on knowledge discovery and data mining (KDD). ACM, pp 1029–1038

  7. Clark A, Poovendran R (2011) Maximizing influence in competitive environments: A game-theoretic approach. In: Proceedings of the 2nd conference on decision and game theory for security (GameSec), pp 151–162

  8. Dinur I, Steurer D (2014) Analytical approach to parallel repetition. In: Proceedings of the 46th annual ACM symposium on theory of computing (STOC). ACM, pp 624–633

  9. Domingos P, Richardson M (2001) Mining the network value of customers. In: Proceedings of the 7th international conference on knowledge discovery and data mining (KDD). ACM, pp 57–66

  10. Erdős P, Rényi A (1959) On random graphs I. Publ Math 6:290–297

  11. Ganesh A, Massoulié L, Towsley D (2005) The effect of network topology on the spread of epidemics. In: Proceedings of the 24th annual IEEE joint conference of the IEEE computer and communications societies, vol 2. IEEE, pp 1455–1466

  12. Haghtalab N, Laszka A, Procaccia AD, Vorobeychik Y, Koutsoukos X (2015) Monitoring stealthy diffusion. In: Proceedings of the 15th IEEE international conference on data mining (ICDM), pp 151–160

  13. He X, Song G, Chen W, Jiang Q (2012) Influence blocking maximization in social networks under the competitive linear threshold model. In: Proceedings of the 12th IEEE international conference on data mining (ICDM), pp 463–474

  14. Isler V, Kannan S, Khanna S (2006) Randomized pursuit-evasion with local visibility. SIAM J Discrete Math 20(1):26–41

  15. Johnson DS (1973) Approximation algorithms for combinatorial problems. In: Proceedings of the 5th annual ACM symposium on theory of computing (STOC). ACM, pp 38–49

  16. Kaspersky Labs’ Global Research & Analysis Team (2012) Gauss: abnormal distribution. https://securelist.com/analysis/36620/gauss-abnormal-distribution/. Accessed 30 May 2015

  17. Kelley MB (2013) The Stuxnet attack on Iran’s nuclear plant was ‘far more dangerous’ than previously thought. Business Insider. http://www.businessinsider.com/stuxnet-was-far-more-dangerous-than-previous-thought-2013-11. Accessed 30 May 2015

  18. Kempe D, Kleinberg J, Tardos E (2003) Maximizing the spread of influence through a social network. In: Proceedings of the 9th international conference on knowledge discovery and data mining (KDD). ACM, pp 137–146

  19. Kempe D, Kleinberg J, Tardos E (2005) Influential nodes in a diffusion model for social networks. In: Proceedings of the international colloquium on automata, languages and programming (ICALP). Springer, pp 1127–1138

  20. Krause A, McMahan B, Guestrin C, Gupta A (2007) Selecting observations against adversarial objectives. In: Proceedings of the 21st annual conference on neural information processing systems (NIPS), pp 777–784

  21. Lelarge M (2009) Economics of malware: epidemic risks model, network externalities and incentives. In: Proceedings of the 47th annual Allerton conference on communication, control, and computing (Allerton), pp 1353–1360

  22. Mossel E, Roch S (2007) On the submodularity of influence in social networks. In: Proceedings of the 39th annual ACM symposium on theory of computing (STOC). ACM, pp 128–134

  23. Mukhopadhyay A, Zhang C, Vorobeychik Y, Tambe M, Pence K, Speer P (2016) Optimal allocation of police patrol resources using a continuous-time crime model. In: Proceedings of the 7th conference on decision and game theory for security (GameSec). Springer, pp 139–158

  24. Nemhauser GL, Wolsey LA, Fisher ML (1978) An analysis of approximations for maximizing submodular set functions. Math Program 14(1):265–294

  25. Omic J, Orda A, Van Mieghem P (2009) Protecting against network infections: A game theoretic perspective. In: Proceedings of the 28th IEEE conference on computer communications (INFOCOM), pp 1485–1493

  26. Parsons TD (1978) Pursuit-evasion in a graph. In: Theory and applications of graphs. Springer, pp 426–441

  27. Richardson M, Domingos P (2002) Mining knowledge-sharing sites for viral marketing. In: Proceedings of the 8th international conference on knowledge discovery and data mining (KDD). ACM, pp 61–70

  28. Tsai J, Nguyen TH, Tambe M (2012) Security games for controlling contagion. In: Proceedings of the 26th AAAI conference on artificial intelligence (AAAI), pp 1464–1470

  29. Tsai J, Qian Y, Vorobeychik Y, Kiekintveld C, Tambe M (2013) Bayesian security games for controlling contagion. In: Proceedings of the 2013 ASE/IEEE international conference on social computing (SocialCom), pp 33–38

  30. Van Mieghem P, Omic J, Kooij R (2009) Virus spread in networks. IEEE/ACM Trans Netw 17(1):1–14

  31. Vorobeychik Y, Letchford J (2015) Securing interdependent assets. J Auton Agents Multiagent Syst 29(2):305–333

  32. Yang J, Leskovec J (2010) Modeling information diffusion in implicit networks. In: Proceedings of the 10th IEEE international conference on data mining (ICDM). IEEE, pp 599–608

  33. Zou CC, Gong W, Towsley D (2002) Code Red worm propagation modeling and analysis. In: Proceedings of the 9th ACM conference on computer and communications security (CCS), pp 138–147

Acknowledgements

We thank the anonymous reviewers for their helpful comments on the conference version of this paper. This work was supported in part by the National Science Foundation (CNS-1238959, CCF-1215883, IIS-1350598, IIS-1526860, and CCF-1525932), National Institute of Standards and Technology (70NANB13H169), Air Force Research Laboratory (FA8750-14-2-0180), Office of Naval Research (N00014-15-1-2621), Army Research Office (W911NF-16-1-0069), a Sloan Research Fellowship, an IBM Ph.D. Fellowship, and a Microsoft Research Ph.D. Fellowship.

Author information

Corresponding author

Correspondence to Nika Haghtalab.

Additional information

The preliminary version of this work appeared in the Proceedings of the 15th IEEE International Conference on Data Mining [12].

About this article

Cite this article

Haghtalab, N., Laszka, A., Procaccia, A.D. et al. Monitoring stealthy diffusion. Knowl Inf Syst 52, 657–685 (2017). https://doi.org/10.1007/s10115-017-1023-7

  • DOI: https://doi.org/10.1007/s10115-017-1023-7

Keywords

  • Diffusion in networks
  • Security
  • Stealthy diffusion
  • Monitoring diffusions
  • Malware detection