The Complexity of Cyber Attacks in a New Layered-Security Model and the Maximum-Weight, Rooted-Subtree Problem

  • Geir Agnarsson
  • Raymond Greenlaw
  • Sanpawat KantabutraEmail author
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 222)


This paper makes three contributions to cyber-security research. First, we define a model for cyber-security systems and the concept of a cyber-security attack within the model’s framework. The model highlights the importance of game-over components—critical system components which if acquired will give an adversary the ability to defeat a system completely. The model is based on systems that use defense-in-depth/layered-security approaches, as many systems do. In the model we define the concept of penetration cost}, which is the cost that must be paid in order to break into the next layer of security. Second, we define natural decision and optimization problems based on cyber-security attacks in terms of doubly weighted trees, and analyze their complexity. More precisely, given a tree T rooted at a vertex r, a penetrating cost edge function c on T, a target-acquisition vertex function p on T, the attacker’s budget and the game-over threshold B ,GQ + respectively, we consider the problem of determining the existence of a rooted subtree T’ of T within the attacker’s budget (that is, the sum of the costs of the edges in T’ is less than or equal to B) with total acquisition value more than the game-over threshold (that is, the sum of the target values of the nodes in T’ is greater than or equal to G). We prove that the general version of this problem is intractable. We also analyze the complexity of three restricted versions of the problems, where the penetration cost is the constant function, integer-valued, and rational-valued among a given fixed number of distinct values. Using recursion and dynamic-programming techniques, we show that for constant penetration costs an optimal cyber-attack strategy can be found in polynomial time, and for integer-valued and rational-valued penetration costs optimal cyber-attack strategies can be found in pseudo-polynomial time. Third, we provide a list of open problems relating to the architectural design of cyber-security systems and to the model.


Cyber security Defense-in-depth Game over Information security Layered security Weighted rooted trees Complexity Polynomial time Pseudo-polynomial time 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aghezzaf, E.H., Magnanti, L.T., Wolsey, A.L.: Optimizing Constrained Subtrees of Trees. Mathematical Programming 71(2), 113–126 (1995). Series ACrossRefGoogle Scholar
  2. 2.
    Agnarsson, G., Greenlaw, R.: Graph Theory: Modeling, Applications, and Algorithms. Pearson Prentice Hall, Upper Saddle River (2007)Google Scholar
  3. 3.
    Armstrong, R.C., Mayo, J.R., Siebenlist, F.: Complexity Science Challenges in Cybersecurity. Sandia Report, March 2009Google Scholar
  4. 4.
    Chakrabarti, D., Faloutsos, C.: Graph Mining: Laws, Generators, and Algorithms. ACM Computing Surveys 38(1), article 2, 69 pages (2006)Google Scholar
  5. 5.
    Coene, S., Filippi, C., Spieksma, F., Stevanato, E.: Balancing Profits and Costs on Trees. Networks 61(3), 200–211 (2013)CrossRefGoogle Scholar
  6. 6.
    2012 Cost of Cyber Crime Study: United States. Ponemon Institute, research report, 29, October 2012Google Scholar
  7. 7.
    Dunlavy, D.M., Hendrickson, B., Kolda, T.G.: Mathematical Challenges in Cybersecurity. Sandia Report, February 2009Google Scholar
  8. 8.
    Hsieh, S.-Y., Chou, Ting-Yu.: Finding a weight-constrained maximum-density subtree in a tree. In: Deng, X., Du, D.-Z. (eds.) ISAAC 2005. LNCS, vol. 3827, pp. 944–953. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  9. 9.
    Johnston, R., La Fever, C.,:, Marine Corps Red Team (Power- Point Presentation) (2012)Google Scholar
  10. 10.
    Lau, H.C., Ngo, T.H., Nguyen, B.N.: Finding a Length- constrained Maximum-sum or Maximum-density Subtree and Its Application to Logistics. Discrete Optimization 3(4), 385–391 (2006)CrossRefGoogle Scholar
  11. 11.
    Pfleeger, S.L.: Useful Cybersecurity Metrics. IT Professional 11(3), 38–45 (2009)CrossRefGoogle Scholar
  12. 12.
    Rue, R., Pfleeger, S.L., Ortiz, D.: A framework for clas- sifying and comparing models of cybersecurity investment to support policy and decision-making. In: Proceedings of the Workshop on the Economics of Information Security, p. 23 (2007)Google Scholar
  13. 13.
    Schneider, F.B.: Blueprint for a Science of Cybersecurity. The Next Wave 19(2), 47–57 (2012)Google Scholar
  14. 14.
    Shiva, S., Roy, S., Dasgupta, D.: Game theory for cyber security. In: Proceedings of the ACM 6th Annual Cyber Security and Information Intelligence Research Workshop, 34, April 21–23, 2010Google Scholar
  15. 15.
    Sparrows, P.: Cyber Crime Statistics., October 16, 2013
  16. 16.
    Hsin-Hao, S., Lung, C.H., Tang, C.Y.: An Improved Algorithm for Finding a Length-constrained Maximum-density Subtree in a Tree. Information Processing Letters 109(2), 161–164 (2008)CrossRefGoogle Scholar
  17. 17.
    Agnarsson, G., Greenlaw, R., Kantabutra, S.: On cyber attacks and the maximum-weight rooted-subtree problem. Acta Cybernetica (to appear)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Geir Agnarsson
    • 1
  • Raymond Greenlaw
    • 2
  • Sanpawat Kantabutra
    • 3
    Email author
  1. 1.Department of Mathematical SciencesGeorge Mason University FairfaxFairfaxUSA
  2. 2.Cyber Security StudiesUnited States Naval Academy AnnapolisAnnapolisUSA
  3. 3.The Theory of Computation Group Computer Engineering DepartmentChiang Mai UniversityChiang MaiThailand

Personalised recommendations