Attack Strategies on Networks With a Budget Constraint

In this paper, we develop solutions to the problem of identifying the k most vital cut-sets of a network under limited attacking resources in a network interdiction context. We treat three different versions of the problem, each having a different objective: namely, the highest probability of a successful attack, the least cost attack, and the least expected cost attack combining both success probability and attacking cost. We introduce a budget constraint to reflect the resource limitation of the attacker. We consider both the case of disjoint and non-disjoint cut-sets to target. We develop a simulation-optimization approach accounting for various techniques including the shortest path problem and the min-cut problem. The solution method is found to be very efficient even for large-scale networks. We implement the suggested algorithms for illustration purposes.


I. INTRODUCTION
Many real-world systems can be modeled as networks.
A large class of studies on networks considers finding optimal routes between two or more points. Another class deals with protecting network infrastructure and operations from the impacts of potential threats. These threats could be unintentional (e.g., natural disasters) or intentional (e.g., war, vandalism, and terrorism). Various terminologies are used almost interchangeably in addressing problems of intentional attacks on networks, including interdiction networks, adversarial networks, and network survivability. The most common terminology, however, is interdiction networks, which basically deals with the operational side of a network. In this context, at least one attacker attempts to disrupt the functionality of the network while a defender tries to preserve its operation (see for instance Gharbi et al. [1]).
The world has suffered from many attacks on networks that resulted in huge damages and/or casualties. For illustration purposes, we give a few examples. Saudi Arabia has frequently witnessed attacks on its oil distribution network. The September 2017 attack on the underground transportation network in South West London, carried out with an improvised explosive device, resulted in 29 injuries. The French Institute of International Relations reported that the power sector has become a prime target for cyber-criminals in the last decade, surging by 380% between 2014 and 2015. The US Department of Energy reported 150 successful attacks between 2010 and 2014 that targeted systems holding information regarding electricity grids. The February 2020 distributed denial of service (DDoS) attack on Amazon Web Services (AWS) is reported to be the largest in history, blocking almost half the BT traffic on its entire UK network during a normal working day.
The associate editor coordinating the review of this manuscript and approving it for publication was Cristian Zambelli.
This article extends the interdiction network models by Mrad et al. [2] and Yaghlane et al. [3], [4] by incorporating a budget constraint. In fact, the above studies identify optimal attack strategies without accounting for resource restrictions. This is certainly unrealistic and represents a limitation of the introduced models. The contribution of this article is mainly to overcome this drawback. In particular, the article illustrates the significant change in the attack strategies because of reduced resources. Moreover, it identifies multiple cut-sets to target instead of a single cut as considered in Yaghlane et al. [3], [4]. The problem is, however, highly challenging from a technical viewpoint. It deals with attacks that disable network links in a way to partition the network and prevent the operations of receiving or sending flow. We assume that the attacker has perfect information related to the outcome of the attack on a single link. This information is instantly obtained so that the attacker may select the next move. That is, the attacker's strategy is dynamic and accounts for the results of previous trials when identifying the next link to target.
The paper is organized as follows. Section II reviews the literature. Section III explains and formulates the problem at hand. Section IV proposes solution methodologies with illustrations. Section V explores the large scale of networks through an optimization-simulation approach. Finally, section VI provides conclusions and discussions of future work.
An interdiction problem may naturally be considered as a game (e.g., Kanturska et al. [9], Yaghlane et al. [4], Reilly et al. [17], and Bricha and Nourelfath [18]), where the leader attempts to disrupt the network operation while the follower seeks to make necessary moves/adjustments to preserve the network functionality even under some degraded mode. Common actions by the follower to respond to the failure of some nodes/links include rerouting. At a strategic level, followers may consider increasing capacities of nodes/links to allow for such rerouting under some limited protection resources, hiding operated paths and using deception plans to mislead the adversary. Attackers try to determine the best links/nodes to target to disturb/disable the network. The problem of each antagonist is often modeled as an optimization problem (both in the deterministic and stochastic frameworks). Yaghlane and Azaiez [19] investigate Nash equilibrium in various settings of the network survivability problem considering both zero and nonzero sum games. Xiao et al. [20] consider cumulative prospect theory (CPT) and derive the Nash equilibria in order to find out the attacker and defender's interaction when each of their actions is made subjectively. Bricha and Nourelfath [18] suggest a game-theoretical model of defense/attack strategies in networks in the context of incapacitated fixed-charge location problem. The model considers a non-cooperative two-period game. Casorrán et al. [21] consider multiple attackers and one defender in general for security Stackelberg games. Li et al. [22] study Stackelberg games with two attackers and one defender that fight over the hub nodes by considering cost-sensitive parameters.
Yaghlane et al. [4] adapt system survivability as developed in Ben Yaghlane and Azaiez [19] to networks and distinguish the cases of perfect information and absence of information. Under perfect information, the attacker knows with certainty the paths to be operated and plans attack strategies accordingly. In the case of absence of information, the attacker attempts to prevent the destinations from receiving flow by attempting to fully disable a well-selected cut-set of the network. In a similar setting, Gharbi et al. [1] consider the least-cost attack problem to totally disable a network. They identify the optimal cut-set to target. Optimality is taken with respect to minimizing the expected attack cost. They approach the problem through a chance-constrained integer program where they consider a confidence level for a successful attack. They opt for a branch-and-bound spirit using various operations research tools to generate bounds. Yaghlane et al. [3] identify an exact method for the same problem treated by Gharbi et al. [1].
One of the important classes of interdiction networks deals with the k-Most Vital Arcs Problem. The focus is to identify the most critical nodes/arcs, that is, those that cause the maximum disturbance to the network performance once disabled. In this context, Walteros et al. [27] discuss a framework to detect the set of critical nodes that maximize the possibility of disconnecting the network. Karakose and McGarvey [28] propose a path-based formulation and multi-commodity flow-based formulations to identify the optimal K-node to be attacked on a directed flow network so as to maximize the network disruption.
In a similar spirit, the problem of identifying the most critical network hubs is also investigated. Yahyaei et al. [29] design a single allocation hub network reliable to massive disruption using a bi-objective quadratic model. Lei [30] determines the critical air transportation hub facilities to be protected to reduce the transit time using an integer linear programming formulation. Ramamoorthy et al. [31] identify n critical hubs from a set of candidate hubs to reduce the routing cost using Benders decomposition. Quadros et al. [32] propose a branch and cut technique to fortify n hubs recognizing that m hubs will be attacked in a way to avoid an increase in the total distribution cost. Mrad et al. [2] investigate the most critical cut-sets (instead of hubs) of a network that an attacker may determine to disable the network. They develop algorithms both in the disjoint and non-disjoint cases of cut-sets to identify optimal attack strategies. They investigate the large scale of networks through a simulation-optimization approach. Their contribution naturally extends the min-cut problem of Yaghlane et al. [4] to the most critical k cut-sets to target. While the simulation-optimization approach used in Mrad et al. [2] as well as the current paper relies on the expected performance of attacks in a risk-neutral framework, some other studies incorporate the risk aversion attitudes of the antagonists particularly to avoid disastrous consequences of attacks. For instance, Song and Shen [33] use chance-constrained programming to formulate their risk-averse shortest interdiction path model. Atamtürk et al. [34] suggest a convex quadratic mixed-integer program to model the risk-aversion problem of the leader using a mean-risk approach.
VOLUME 9, 2021
Interdiction network problems under limited attack-defense resource considerations have not been largely investigated. Powell [35] and Zenklusen [36] are among the first papers that explicitly account for resource availability. Powell [35] suggests a framework for analyzing defender scarce resource allocations in front of a strategic antagonist such as a terrorist. The paper considers Nash equilibria for various settings of the problem. Zenklusen [36] investigates a flow-max network problem with attacks on arcs and nodes. The concern was to remove enough links and nodes with the minimum attack budget in a way to make demand dissatisfaction of flow at the destination node. The review paper by Smith and Song [26] discusses additional resource-constrained interdiction problem concepts and approaches. Ravishankar et al. [37] suggest a game theoretic model to approach an attacker-defender game model by identifying the appropriate attack/defense strategies in a cyber security framework under limited resource availability. They introduce a reinforcement learning technique to compute the expected payoff using linguistic fuzzy variables.

III. THE PROBLEM
In this section, we present the network interdiction problem of interest to the current study. We extend previous contributions of Yaghlane et al. [3], [4] and Mrad et al. [2]. We will suggest a solution method that adapts to each of the three problems under consideration, as adequate, accounting for attacker resource availability as well as multiple cut-sets to target. The details are specified below.

A. THE PROBLEM SITUATION
We consider a network subject to intentional attacks. We assume one attacker trying to disable the network operation and one defender aiming to protect it. The attacks on the selected links/nodes of the network are considered successful if they fully prevent the network from sending any flow from the source to the destination. This occurs if a full cut-set is disabled. As proven in Yaghlane et al. [4], the same problem can easily be extended to account for multiple sources and destinations. In addition, the authors show that attacks on nodes can equivalently be reformulated to be considered as attacks on links. Therefore, without loss of generality, we will assume for this paper that the network accounts for a single source and a single destination. Further, attacks occur only on the links of the network.
Yaghlane et al. [4] determine the optimal cut-set to attack in a way to maximize the probability of disabling the network. In a similar context, Yaghlane et al. [3] solve the least expected cost of an attack on a full cut-set using an exact approach. A confidence level of a minimum guaranteed probability of success is modeled as a chance constraint in the problem formulation.
In order to determine a single cut-set to attack, one can use a linear programming (LP) formulation suggested by Yaghlane et al. [4] to generate the min-cut-set as follows: where, $V$ is the set of nodes, $E$ is the set of arcs between nodes $i$ and $j$, and $p_{ij}$ is the survival probability of each arc(i, j). Node 1 is the source and node $n$ is the sink or the destination of the network. A set of arcs is a cut-set if it fragments the set of nodes $V$ into two disjoint subsets called $S_1$ and $S_2$, where the source belongs to $S_1$ and the destination belongs to $S_2$. We let $x_i$ be the binary variable that takes the value 1 if $i$ belongs to $S_2$ and 0 otherwise. Also, we let $y_{ij}$ be 1 if arc(i, j) is selected for attack and 0 otherwise.
In general, attacking a single cut-set will provide a low probability of a successful attack given the necessity of successfully deactivating all corresponding arcs. Therefore, targeting several cut-sets seems to be more plausible to end up disabling the network. Somewhat in analogy with the identification of the k critical network hubs (discussed above), Mrad et al. [2] determine, using a simulation-optimization approach, the critical k cut-sets to target so as to maximize the probability of a successful attack. The main shortcoming of the models by Mrad et al. [2] and Yaghlane et al. [4] resides in ignoring the resource availability of the attacker, which is often unrealistic. Moreover, the models by Yaghlane et al. [3], [4] are content with determining a single cut-set to target (usually with very low probability of success). This is limiting, as both attackers and defenders are interested in identifying the most vital cut-sets to target/reinforce.
The current paper suggests considering three versions. Each version will modify one of the models by Yaghlane et al. [3], [4] and Mrad et al. [2] by incorporating a budget constraint to reflect the limited attacking resources that could be available to the attacker. Furthermore, the suggested models extend Yaghlane et al. [3], [4] by identifying the most critical k cut-sets of the network. The treatment will account for both situations of generating disjoint and non-disjoint cut-sets.

B. THE PROBLEM STATEMENT
The attacker will identify up to k cut-sets to target. Attacks are made sequentially over the various links of a given selected cut-set. A cut-set is disabled if all corresponding links fail. The attacker has full knowledge of the outcome of an attack on an attempted link before deciding on the next trial to carry out. Each link, having a known probability to survive an attack, may be tried at most once. The model treats each of the two cases of attacks on disjoint versus non-disjoint cut-sets. The attack will stop if one of the following situations occurs:
1) A full cut-set is disconnected, in which case the network is disabled, and the attack succeeds.
2) The budget is not sufficient to carry out additional attacks, in which case the attack fails.
3) The network is guaranteed to send flow to the destination (i.e., a path set is identified to safely operate independently of the outcome of any potential future attacks), in which case the attack fails.
4) All selected k cut-sets are unsuccessfully tried, in which case the attack fails.
The attacker seeks to identify the best k cut-sets to target in the appropriate order so as to satisfy one of the three objectives below.
(a) The success probability of an attack is maximized.
(b) The overall attack cost is minimized.
(c) The expected cost of the overall attack (combining survival probabilities and attack cost) is minimized.
Objective (a) has been treated in Mrad et al. [2] without accounting for a budget constraint. Objective (b) has been treated in Yaghlane et al. [4] for the special case of k = 1 and without accounting for a budget constraint. Algorithm 1 is used to solve the min-cut problem while minimizing the cost of the attack under a budget constraint. Finally, Objective (c) has been treated in Yaghlane et al. [3] and Algorithm 2 is proposed to solve the least expected cost cut problem.

IV. SOLUTION METHODOLOGY
Algorithms 3 and 4 solve the disjoint and the non-disjoint cases, respectively. Three subroutines are used to take care of each of the three objectives stated above. The next three subsections will elaborate on each version with additional details on the technical treatment.

A. MIN-CUT WITH SUCCESS PROBABILITY (MCSP)
The first version attempts to identify an optimal attack strategy that identifies the most critical k cut-sets so as to maximize the success probability of the attacker. Cost coefficients related to each link of the network are introduced in this formulation based on the survival probability of the specific link. To generate a cut-set using this method, a budget constraint (9) is added to the mathematical model displayed in sub-section III-A. This constraint will limit the selected cut-set based on the available resources.
In this formulation, $cost_{ij}$ is the required cost to attack arc(i, j) and $budget$ is the total available resources of the attacker. A subroutine based on this linear programming formulation will be repeatedly called in Algorithms 3 and 4 when solving MCSP.
Links of a selected cut-set under this method are supposed to be sorted in descending order of their survival probabilities as explained in Mrad et al. [2]. In fact, for disabling a cut-set, all its (vulnerable and robust) links must fail. Therefore, starting with the vulnerable ones may unnecessarily consume the budget before the attack fails when trying the robust ones. However, given the weight of the cost of a given link introduced in this study, the sorting order must combine both survival probability and cost in accordance with equation (18) below as explained in Yaghlane et al. [3].

B. MIN-CUT WITH COST (MCC)
Instead of selecting a cut-set based on the lowest survival probability, one may consider minimizing the total cost of attacking a cut-set by modifying the objective function of the mathematical formulation of sub-section III-A by equation (12) as follows: s.t.
A subroutine based on this linear programming formulation (Algorithm 1) will be repeatedly called in Algorithms 3 and 4 when solving the MCC. If the optimal solution of the above LP turns out to exceed the remaining budget at any call of Algorithms 3 and 4, then the algorithm stops, returning the cut-sets generated by that step. Clearly, when the budget is not enough to warrant the first step, the attack problem is infeasible. Algorithm 1 will be used as the subroutine for the MCC version of the problem.
The third method to generate budget-constrained k cut-sets deals with the least expected cost as treated in Yaghlane et al. [3]. The authors propose an exact solution under a budget constraint accounting for a threshold of success probability of the attack on one targeted cut-set. The objective function is nonlinear, and the authors develop a constraint generation algorithm to determine the cut with the least expected cost as described in Algorithm 2. This algorithm will generate different cut-sets sequentially by solving the ILP provided in subsection IV-A augmented with the following constraint: where $S$ is the generated cut-set and $|S|$ is the cardinality of $S$.
The new constraint will ensure that the generated new cut-set is different from the previous cut-set.
In each iteration, Algorithm 2 is also considering the budget availability when solving the ILPs. The cut-set selection from the cut-sets pool is based on the minimum expected cost calculated by using the following equation.
where $S$ is sorted using the non-descending rule of $cost_{ij}/P_{ij}$. The corresponding explanations and justifications are provided in Yaghlane et al. [3]. Algorithm 2 will be used in the current work as a subroutine for the MCLEC version.
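The ordering and selection rule described above can be checked numerically. The following Python code is an added example, not code from the paper or from Yaghlane et al. [3]: it assumes that an attempt on a cut-set stops at the first surviving link, so each link's cost is weighted by the probability that all earlier links failed, and that a cut-set is admissible only if its full cost fits the budget. The pool `POOL`, its arc names and all function names are constructed for illustration.

```python
from itertools import permutations
from math import prod

# Constructed pool of candidate cut-sets (not data from the paper):
# cut-set name -> {arc id: (attack cost, survival probability)}
POOL = {
    "S1": {"e1": (30, 0.20), "e2": (12, 0.60), "e3": (45, 0.10)},
    "S2": {"e4": (20, 0.35), "e5": (25, 0.50)},
    "S3": {"e2": (12, 0.60), "e6": (90, 0.05)},
}


def ratio_order(arcs):
    """Arcs in non-descending cost/p order; an arc with p = 0 never stops
    the sequence, so it is placed last instead of dividing by zero."""
    def key(a):
        cost, p = arcs[a]
        return (cost / p if p > 0 else float("inf"), a)
    return sorted(arcs, key=key)


def expected_cost(order, arcs):
    """Expected spend when arcs are tried in `order` and the attempt on the
    cut-set is abandoned at the first arc that survives (assumed model)."""
    total, reach = 0.0, 1.0          # reach = P(all earlier arcs failed)
    for a in order:
        cost, p = arcs[a]
        total += reach * cost
        reach *= 1.0 - p
    return total


def success_probability(arcs):
    """Probability that every arc of the cut-set fails."""
    return prod(1.0 - p for _, p in arcs.values())


def best_order_brute_force(arcs):
    """Exhaustive check of every ordering, used to confirm the ratio rule."""
    return min(permutations(sorted(arcs)), key=lambda o: expected_cost(o, arcs))


def select_cut(pool, budget, min_success=0.0):
    """Least-expected-cost cut-set among those whose full cost fits the
    budget and whose success probability meets the threshold, else None."""
    best = None
    for name, arcs in pool.items():
        full_cost = sum(cost for cost, _ in arcs.values())
        if full_cost > budget or success_probability(arcs) < min_success:
            continue
        order = ratio_order(arcs)
        value = expected_cost(order, arcs)
        if best is None or value < best[2]:
            best = (name, order, value)
    return best


if __name__ == "__main__":
    for name, arcs in POOL.items():
        order = ratio_order(arcs)
        print(name, order, round(expected_cost(order, arcs), 2),
              round(success_probability(arcs), 3))
    print("budget 100:", select_cut(POOL, 100))
    print("budget 120, success >= 0.35:", select_cut(POOL, 120, 0.35))
```

Raising the survival probability of the link tried first in a cut-set lowers that cut-set's success probability and changes its position in the ranking, which is the lever a defender has in this model.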
We develop now a compound algorithm (Algorithm 3) to treat all three versions of the problem for the disjoint case and a second one (Algorithm 4) for the general non-disjoint case. In each situation, we let the algorithm repeatedly call the adequate subroutine to generate the optimal solution corresponding to the considered version. The disjoint case of cut-sets refers to the situation of cut-sets to be targeted with empty intersections; while the non-disjoint case is the general case where the same link may belong to more than one targeted cut-set as illustrated in Figure 1. That is, a failed link of a surviving cut-set may be considered in another cut-set and hence may reduce the trials on the new cut-set and at the same time increase the probability of its failure. In either case, the budget constraint plays the role of a new stopping criterion. In fact, the algorithm keeps track of the remaining budget at each iteration, so that when the residual budget is not enough to conduct an attack on any full cut-set, the algorithm stops and the overall attack ceases. It should also be clear that the remaining budget at any iteration plays an important role in selecting the next cut-set to target, which need not be the most attractive one as for the case of unlimited resource situation. Furthermore, the budget limitation may dictate at the final solution a smaller number of cut-sets to identify rather than all k critical cut-sets.
Algorithm 3 below deals with the disjoint cut-set case. In this situation, whenever a cut-set is unsuccessfully tried, all corresponding links will never be further considered for future cut-sets to be identified, even if these links have not been attacked. Nevertheless, the failing links of previously attempted cut-sets are kept in memory to help identify when the network is fully disabled. The algorithm generates the best cut-set to target based on the appropriate objective undertaken (among the three suggested methods). This cut-set must comply with the budget availability restriction. Simulated attacks are sequentially carried out on the links of this cut-set according to the specified order of the non-descending rule of $cost_a/P_a$ of its links. If the cut-set is disabled, the attack stops, and the network is disconnected. Otherwise, all links of the identified cut-set are removed from further consideration while keeping in memory failed ones. The process starts over until one of the stopping criteria is met. It is worthwhile mentioning that the dynamic nature of the attack makes full use of the perfect information on the outcomes of previous attacks in selecting the next cut-set to target.
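The disjoint procedure described above, as an added Python example that is not the authors' C++/CPLEX implementation: cut-sets are enumerated by brute force instead of solving the integer program, the min-cost (MCC) rule picks the next cut-set, and the 4-node network, its arc data and all function names are assumptions made for illustration. Each run reports which stopping criterion ended it, so the effect of the budget on the outcome can be read off directly.

```python
import random
from itertools import combinations

# Constructed network: arc id -> (tail, head, attack cost, survival probability)
ARCS = {
    0: ("s", "a", 20, 0.3),
    1: ("s", "b", 25, 0.5),
    2: ("a", "b", 10, 0.4),
    3: ("a", "t", 30, 0.2),
    4: ("b", "t", 15, 0.6),
}
SOURCE, SINK = "s", "t"


def cut_sets(arcs, source, sink):
    """All source-sink cut-sets, by enumerating the source side (small graphs only)."""
    inner = sorted({n for u, v, _, _ in arcs.values() for n in (u, v)} - {source, sink})
    cuts = set()
    for r in range(len(inner) + 1):
        for extra in combinations(inner, r):
            side = {source, *extra}
            cuts.add(frozenset(a for a, (u, v, _, _) in arcs.items()
                               if u in side and v not in side))
    return cuts


def connected(arcs, disabled, source, sink):
    """True while the sink is reachable over arcs that have not been disabled."""
    seen, stack = {source}, [source]
    while stack:
        node = stack.pop()
        for a, (u, v, _, _) in arcs.items():
            if u == node and a not in disabled and v not in seen:
                seen.add(v)
                stack.append(v)
    return sink in seen


def cut_cost(cut, arcs):
    return sum(arcs[a][2] for a in cut)


def ratio_key(a, arcs):
    cost, p = arcs[a][2], arcs[a][3]
    return (cost / p if p > 0 else float("inf"), a)


def simulate(budget, k, survives, arcs=ARCS, source=SOURCE, sink=SINK):
    """One run of the disjoint case. survives(arc_id) -> bool decides each attempt.
    Returns (stopping criterion, amount spent, cut-sets tried in attack order)."""
    all_cuts = cut_sets(arcs, source, sink)
    blocked, disabled, tried, spent = set(), set(), [], 0
    while len(tried) < k:
        usable = [c for c in all_cuts if not (c & blocked)]
        if not usable:                       # remaining arcs form no cut-set
            return "no_cut_left", spent, tried
        cut = min(usable, key=lambda c: (cut_cost(c, arcs), sorted(c)))
        if cut_cost(cut, arcs) > budget - spent:
            return "budget_exhausted", spent, tried
        order = sorted(cut, key=lambda a: ratio_key(a, arcs))
        tried.append(order)
        for a in order:
            spent += arcs[a][2]              # every attempt is paid for
            if survives(a):
                break                        # this cut-set can no longer be disabled
            disabled.add(a)                  # failed links are kept in memory
            if not connected(arcs, disabled, source, sink):
                return "disconnected", spent, tried
        blocked |= cut                       # disjoint case: drop the whole cut-set
    return "k_reached", spent, tried


def success_rate(budget, k, trials=2000, seed=1):
    """Monte Carlo estimate of how often a run ends with the network disconnected."""
    rng = random.Random(seed)

    def draw(a):
        return rng.random() < ARCS[a][3]

    hits = sum(simulate(budget, k, draw)[0] == "disconnected" for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for b in (30, 40, 100, 200):
        print(b, success_rate(b, 3))
```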
Algorithm 4 below will generate non-disjoint cut-sets until one is fully disabled, all k cut-sets are identified, the budget is depleted, or a path set is identified to survive regardless of the outcomes of future attacks, whichever occurs first. The algorithm keeps track of the failed links that could be used to form a new cut-set to try and/or to identify a fully disconnected cut-set.
We provide in the two subsections below illustrative examples for all methods in the situation of disjoint and non-disjoint cut-sets. The network depicted in Figure 2 is used as an initial network for each example. It has seven nodes and nine arcs where each arc(i, j) has the triple $(id_{ij}, cost_{ij}, p_{ij})$. A cut-set will be generated and attacked sequentially by iterating the procedure as explained in Algorithms 3 and 4. The total budget for the attack is 200 and the allowed k is 3. As soon as a cut-set is fully disabled, the network fails to supply the destination node with flow.

D. CASE OF DISJOINT CUT-SETS
We will start with the MCSP version of the problem. The first iteration is shown in Figure 3a. The yellow dot shows the identified arcs on a cut-set {5, 6, 7} and the numbered arrow shows the sequence of attacks so that the attack starts with the lowest ratio of cost/survival probability. The cross sign on arc {7} means that the attack is successful while the green mark on arc {6} means a failed attack (i.e., a surviving arc).
Consequently, the attack on the current cut-set stops. The remaining budget after the current attack is 156. Therefore, a new cut-set is to be identified using MCSP after artificially removing the tried one by changing the cost to infinity and the survival probability to 1.
The new identified cut-set by the next iteration is {0, 1} (Figure 3b). The attempt is successful on arc {0} but not on arc {1}. Here, the new cut-set; namely, {2, 3, 4, 8} with total cost of 149 is identified. However, the remaining budget of only 71 is not sufficient to cover the attack on this new cut-set. Therefore, the overall attack stops and fails.
For comparison purposes, in Figure 4, we show the attacking process if the attacker's budget were 500 instead of 200. In iteration 2 (Figure 4b), the attack fails while the remaining budget is 371. Such a budget is enough to cover the 149 cost of targeting cut-set {2, 3, 4, 8}. The attempt on this cut set turns out to be successful (Figure 4c) so that the flow cannot reach destination g from source node a. The overall attack succeeds in this case while it initially failed with the reduced budget.
Now, we treat the version of the problem related to MCC. Considering the lowest cost combination, the first identified cut-set is {1, 6, 7}. The simulated attacks yield a success on arc 7 followed by a failure on arc {6} (Figure 5a). The new cut-set is identified as {0, 4, 5}. Figure 5b shows the result of the attack on the new cut-set in which the attack on arc {4} is unsuccessful. A new cut-set needs to be identified but the remaining available arcs will not form any cut-set. Thus, the overall attack fails (Figure 5b).
Next, we consider the MCLEC version (exhibited on Figure 6a). As in the MCC example (Figure 5a), cut-set {1, 6, 7} is identified. The simulated attack disables arc {7} but not arc {6}. The new cut-set {2, 3, 4, 5} is then identified (Figure 6b). Observe that this cut-set is different from the one determined in the MCC version of the problem (Figure 5b). The attack on arc {2} is unsuccessful so that the overall attack fails because no new cut-set can be identified.

E. CASE OF NON-DISJOINT CUT-SETS
In this section, we treat the example above in all three versions of the problem using the corresponding proposed solution methods in the situation of non-disjoint cut-sets (adopting Algorithm 4 rather than Algorithm 3). The MCSP version identifies cut-set {5, 6, 7} as shown in Figure 7a. The first attempt unsuccessfully targets arc {7} so that the attack fails on the current cut-set. The survival probability and cost of arc {7} are then artificially modified to values 1 and ∞, respectively, to omit the arc from the next considerations. As opposed to the disjoint case, the survival probability and cost of arcs {5, 6} will remain the same, so that they can be used in future cut-set identifications.
The second iteration (Figure 7b) generates cut-set {1, 3, 6}, where arc {6} is the intersection of the current cut-set with the previous one. The attempt on arc {6} fails and a new cut-set needs to be determined. With the remaining budget of 156, cut-set {0, 1} is the one identified in the third iteration (Figure 7c). This new cut-set intersects with the previous one in arc {1}. The attack on arc {0} succeeds while that on arc {1} fails. Two stopping criteria are simultaneously met: the remaining budget cannot cover the cost of any remaining cut-set and the limit k is reached. Therefore, the algorithm stops, and the overall attack fails.
The treatment of the MCC version of the problem for the non-disjoint case is shown in Figure 8. As in the example above, Algorithm 4 stops with an unsuccessful overall attack at iteration 3 (with the same two stopping criteria). Observe that arc {7} is broken at the first iteration (Figure 8a). In contrast, the attack fails on arc {6}. The survival probability and cost of arc {7} are artificially modified to values 0 and 0, respectively, so that it is selected in the next cut-sets of iterations 2 and 3 (Figures 8b and 8c).
The third treatment concerns the MCLEC version of the example in the non-disjoint case. The generated cut-sets and attacking results are displayed in Figure 9. The algorithm on the current illustration stops following the network failure (or equivalently, the attack success). Cut-set {0, 1, 7} is broken at iteration 3 in Figure 9c, preventing any flow from reaching destination g from source node a.
To further emphasize the importance of budget limitation on the choice of the attack strategies, let us reduce the budget from 200 to 150 in one case, say the MCLEC method with non-disjoint cut-sets (Figure 10). After iteration 2 (Figure 10b), the remaining budget is only 32, which is not sufficient to launch any attack on any cut-set. Thus, the attack stops and fails. Observe that the same attack reached iteration 3 and was successful by disconnecting cut-set {0, 1, 7} when the budget was 200 (Figure 9).

V. IMPLEMENTATION FOR LARGE SCALE NETWORKS
We carry out experimentation using instances generated by Gharbi et al. [1] for small sizes and by Yaghlane et al. [3] for large sizes to investigate the performance of Algorithms 3 and 4. For each size of instances, we adopt the simulation in Mrad et al. [2] to generate survival probabilities in the ranges of [0.01, 0.25], [0.01, 0.50], and [0.01, 0.99], respectively. The small instances consist of networks with sizes between 10 and 30 nodes and each node size has 40 different arc sizes. The large instances consist of networks with sizes varying between 50 and 200 nodes; and each node size has 20 different arc sizes. For each instance, we also calculate a minimum budget to warrant the feasibility of the problem at least for one cut-set to be generated. Hence, we suggest the following formula: In equation (19), $f$ is the value of the min-cost cut-set and $\alpha$ is a random number in the interval [1, 2*kOpt], where kOpt is the average number of attacks computed based on the simulation performed in Mrad et al. [2] for each class of instances (see Table 1 in which the same problem is solved but without budget constraint). This method will ensure that the budget could be sufficiently limiting to have an impactful effect on the success rate of the attack.
We solve all modified instances on an Intel(R) Core(TM) i7 2.00 GHz Personal Computer with 32GB RAM using C++ and CPLEX, version 12.10. The simulation uses 3 different values of k; namely, 3, 5, and 10. We repeat the experiment 100 times for each instance. In addition, we run the approach described in Mrad et al. [2] in order to compare the new results with those of unlimited budget. Tables 2-8 below provide the simulation results for Algorithms 3 and 4. MCLEC, the min-cut algorithm must run repeatedly while the MCSP and MCC are to be solved only once. It also reveals that when relaxing the budget constraint (MC), the execution time is always smaller than those with the budget constraint (which is trivial). Further, the results show that for each algorithm and probability range, the time to solve large instances is almost double the run time for small instances. It should be clear that the average run time as displayed in Tables 7 and 8 is very small for all methods, proving the efficiency of the developed algorithms. Also, the standard deviation shows that the variation of the computational time is very small from one scenario to another. Thus, we can conclude that the computational time of our algorithms is stationary.
The success rate for the situation of the disjoint case is almost the same for each method regardless of the k values (Figure 11). The MC version outperforms the MCSP, MCC, and MCLEC versions by 76%, 94%, and 100%, respectively.
For small instances, the success rate shows the pattern rank of the method given by MC, MCSP, MCC, then MCLEC. However, in large instances, the result tends to vary where the pattern is irregular except for MCLEC which has the lowest success rate among all scenarios.
In the situation of the non-disjoint case, the values of k affect the success rate for each method (Figure 12) except for large instances with [0.01-0.99] survival probability ranges where the values of k are irrelevant to the success rate. The success rate for all methods in the situation of the non-disjoint case ( Figure 12 and Table 4) is mostly outperforming that of the disjoint case ( Figure 11 and Table 3). In fact, the set of feasible solutions in the non-disjoint case is larger. The success rates of MCSP and MCC are comparable in either case. For the MCLEC method, the success rates in the disjoint case are much smaller than those of the MCSP and MCC methods. However, in the non-disjoint case, MCLEC success rates get closer to those of the other methods, particularly for large k. In terms of the number of attempted cut-sets, the disjoint case provides the same results for all methods regardless of the values of k ( Figure 13 and Table 5). This is due to the restriction on alternative paths from the source to the destination. This limitation represents an upper bound of the available disjoint cut-sets (see Mrad et al. [2]). Thus, increasing resources will not result in increasing the number of attempted cut-sets. In contrast, when dealing with the non-disjoint case, the number of attempted cuts increases with k for all three methods ( Figure 14 and Table 6). This number may even get close to k when the links of the network could be sufficiently robust (i.e., in case where the survival probability upon attack may arbitrarily be drawn from the entire range of the interval [0, 1]). In fact, more cut-sets need to be tried to end up disconnecting the network or else ending up with a failed attack. This situation can be beneficial for the attacker when the attacking resources are available to target several cut-sets. It should be clear however that even with a large number of attempted cut-sets, the success rate can be very low. 
This is due to the resource limitations. In fact, the results in Mrad et al. [2] corresponding to the first version of the problem (with no budget constraint) display success rates exceeding 18% as opposed to the 0-3% success rates obtained in Tables 3 and 4.

VI. CONCLUSION AND DIRECTIONS FOR FUTURE RESEARCH
In this paper, we develop two algorithms to approach the problem of the k vital cut-sets of a network under limited attacking resources in each of three versions. The first one treats the attack on up to k cut-sets that maximizes the probability of disconnecting the network. The second version deals with the min-cost attack of up to k cut-sets. The third version combines the two versions above by identifying the k vital cut-sets that minimize the expected cost of an attack. Resource limitations are reflected by a budget constraint.
The k vital cut-set problem with limited attacking resources may be viewed as an important extension of other interdiction network concepts such as the Most k vital Arc problem and the k-hub problem discussed above.
Each of the proposed algorithms embeds three subroutines corresponding to the three versions of the problem. The algorithm calls any subroutine when appropriate. One algorithm investigates the case of disjoint cut-sets and the other one takes care of the non-disjoint case.
The attack is conducted sequentially over the different links of the selected cut-sets. A link is tried at most once. The attacker has full information on the attack outcome on a particular link before proceeding to select another link. The attack stops if one cut-set is totally disabled, the budget is depleted, a full path set is identified to survive regardless of future possible attacks, or all identified k cut-sets are unsuccessfully tried, whichever occurs first. Obviously, only the first stopping criterion reflects the attack success.
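The stopping rules in the paragraph above can be run on a toy network to see how the budget caps the disconnection probability, the quantity a defender wants to keep low. This is an added example, not the paper's C++/CPLEX implementation: the network, costs, cut-set list and function names are constructed, and it assumes a cut-set is abandoned as soon as one of its links survives and that the budget counts as depleted when the next link costs more than what remains.

```python
import random

# Constructed network: directed arc -> (survival probability, attack cost).
ARCS = {("s", "a"): (0.3, 2), ("s", "b"): (0.4, 3), ("a", "b"): (0.5, 1),
        ("a", "t"): (0.2, 4), ("b", "t"): (0.6, 2)}
# Constructed, non-disjoint s-t cut-sets in the order they are targeted.
CUTS = [[("s", "a"), ("s", "b")], [("a", "t"), ("b", "t")],
        [("s", "a"), ("b", "t")], [("s", "b"), ("a", "b"), ("a", "t")]]

def path_survives(survived, s="s", t="t"):
    """True if arcs that already withstood an attack form an s-t path."""
    stack, seen = [s], {s}
    while stack:
        u = stack.pop()
        for x, y in survived:
            if x == u and y not in seen:
                seen.add(y)
                stack.append(y)
    return t in seen

def run_attack(arcs, cuts, budget, rng):
    """One sequential attack; returns (stop reason, cut-sets attacked, cost spent)."""
    down, survived, started, spent = set(), set(), set(), 0
    for i, cut in enumerate(cuts):
        if any(e in survived for e in cut):
            continue                      # contains a link that cannot be retried
        for e in cut:
            if e in down:
                continue                  # disabled while trying an earlier cut-set
            p, cost = arcs[e]
            if spent + cost > budget:     # assumption: next link is unaffordable
                return "budget_depleted", len(started), spent
            spent += cost
            started.add(i)
            if rng.random() < p:          # link survives the attack
                survived.add(e)
                if path_survives(survived):
                    return "path_survives", len(started), spent
                break                     # assumption: abandon this cut-set
            down.add(e)
        else:
            return "success", len(started), spent
    return "all_cuts_tried", len(started), spent

def success_rate(arcs, cuts, budget, runs=2000, seed=7):
    """Monte Carlo estimate of the probability that s and t are disconnected."""
    return sum(run_attack(arcs, cuts, budget, random.Random(seed + r))[0]
               == "success" for r in range(runs)) / runs
```

Because every run is seeded independently of the budget, raising the budget can only turn a `budget_depleted` run into another outcome, so the estimated success rate is non-decreasing in the budget.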
The solution method relies on a simulation-optimization method that extends the approach by Mrad et al. [2] which is restricted to the first version of maximizing the probability of an attack with abundant attacking resources. Techniques from Yaghlane et al. [3], [4] including the min-cut and the shortest path algorithms are adapted to the current problem accounting for the budget constraint. The solution method proved to be efficient as the run-time is very short even for large networks.
The results clearly reflect the dependence of the success rate of attacks on the resource availability. In fact, the first version of the problem as treated by Mrad et al. [2] under the relaxation of the budget constraint yields considerably higher success rates particularly when the network can have high survival probabilities (in the full range of the interval [0, 1]). Further, the illustrations provided in the paper show the effect of budget limitations on the number and the choice of the cut-sets to target. These results can be highly informative both to the attacker and the defender of the network. Indeed, the attackers will be aware that important attacking resources must be available to expect high success rates of their attacks. Defenders on the other hand may opt for defensive strategies that force the attacker to use excessive attacking resources to be able to disconnect the network (such as multiple access barriers, strengthened protecting material, computer firewalls, etc.).
Future work may extend the k Vital cut Problem with constrained attacking resources to account for multiple attacks per link rather than a single attack. From a defensive viewpoint, it is possible to consider which vital cut-sets to reinforce under limited defensive resources. Another important avenue for future research would be to identify the most vital path sets to reinforce rather than cut-sets.

ASMA BEN YAGHLANE is a Doctor in management science. She also teaches operations research and decision analysis courses with the Tunis Business School. She is also a member of the Business Analytics and DEcision Making Laboratory. She has some publications, including in the European Journal of Operational Research and Reliability Engineering and System Safety. She has offered a number of presentations at reputed international conferences. Her research interests mainly include developing operations research tools for approaching the problems of systems under the threat of intentional attacks. In particular, she attempts to determine optimal defense/attack strategies in the context of terrorist attacks and security threats.

M. NACEUR AZAIEZ is currently a Professor of operations research with the Business Analytics Department, Tunis Business School, University of Tunis, Tunisia. He is also the dean of the school. His research interests include a variety of applications of operations research in several fields, including security management, water management, operations management, and healthcare.

VOLUME 9, 2021