 Research
 Open Access
 Published:
Anticipating complex network vulnerabilities through abstractionbased analysis
Security Informatics volume 1, Article number: 9 (2012)
Abstract
Large, complex networks are ubiquitous in nature and society, and there is great interest in developing rigorous, scalable methods for identifying and characterizing their vulnerabilities. This paper presents an approach for analyzing the dynamics of complex networks in which the network of interest is first abstracted to a much simpler, but mathematically equivalent, representation, the required analysis is performed on the abstraction, and analytic conclusions are then mapped back to the original network and interpreted there. We begin by identifying a broad and important class of complex networks which admit vulnerabilitypreserving, finite state abstractions, and develop efficient algorithms for computing these abstractions. We then propose a vulnerability analysis methodology which combines these finite state abstractions with formal analytics from theoretical computer science to yield a comprehensive vulnerability analysis process for networks of realworld scale and complexity. The potential of the proposed approach is illustrated via case studies involving a realistic electric power grid, a gene regulatory network, and a general class of social network dynamics.
Introduction
It is widely recognized that technological, biological, and social networks, while impressively robust in most circumstances, can fail catastrophically in response to focused attacks. Indeed, this combination of robustness and fragility appears to be an inherent property of complex, evolving networks ranging from the Internet and electric power grids to gene regulatory networks and financial markets e.g.,[1–5]. As a consequence, there is significant interest in developing methods for reliably detecting and characterizing the vulnerabilities of these networks e.g.,[6, 7].
The challenges of vulnerability analysis are particularly daunting in the case of complex networks. Most such networks are largescale “systems of systems”, so that analysis methods must be computationally efficient. Additionally, because these networks perform reliably almost all of the time, standard techniques for finding vulnerabilities (e.g., computer simulations, “red teaming”) can be ineffective and, in any case, are not guaranteed to identify all vulnerabilities. These observations suggest that, in order to be practically useful, any method for analyzing vulnerabilities of complex networks should be scalable, to enable analysis of networks of realworld complexity, and rigorous, so that for instance it is guaranteed to find all vulnerabilities of a given class.
This paper presents a new approach to vulnerability analysis which possesses these properties. The proposed methodology is based upon aggressive abstraction – dramatically simplifying, property preserving abstraction of the network of interest[4]. Once an aggressive abstraction is derived, all required analysis is performed using the abstraction. Analytic conclusions are then mapped back to the original network and interpreted there; this mapping is possible because of the property preserving nature of the abstraction procedure.
Our focus is on dynamical systems with uncountable state spaces, as many complex networks are of this type. We begin by identifying a large and important class of dynamical networks which admit vulnerabilitypreserving, finite state abstractions, and develop efficient algorithms for recognizing such networks and for computing their abstraction. We then offer a methodology which combines these finite state models with formal analytics from theoretical computer science[8] to provide a comprehensive vulnerability analysis process for largescale networks. The potential utility of the proposed approach to vulnerability analysis is illustrated through case studies involving a realistic electric power grid, a gene regulatory network, and a general class of social network dynamics.
Preliminaries
This section introduces the class of network models to be considered in the paper and briefly summarizes some technical background that will be useful in our development.
The evolution to ensure robust performance in complex networks typically leads to systems that possess a “hybrid” structure, exhibiting both continuous and discrete dynamics[4]. More precisely, these networks often evolve to become hybrid dynamical systems – feedback interconnections of switching systems, which have discrete state sets, with systems whose dynamics evolve on continuous state spaces[9].
More quantitatively, consider the following definitions for hybrid dynamical system (HDS) models:
Definition 2.1: A continuoustime HDS is a control system
where q∈Q (with Q finite) and x∈X⊆ℜ^{n} (with X bounded) are the states of the discrete and continuous systems that make up the HDS, u∈ℜ^{m} is the control input, h defines the discrete system dynamics, {f_{q}} is a family of vector fields characterizing the continuous system dynamics, and p defines a partition of state space X into subsets with labels k∈{1, …, K}.
Definition 2.2: A discretetime HDS is a control system
We sometimes refer to an HDS using the symbol Σ_{HDS} if the nature of the continuous system (continuous or discretetime) is either unimportant or clear from the context.
The concept of finite state abstraction for an infinite state system is illustrated in Figure1. Consider a complex network with states that evolve on a continuous space and an analysis question of interest. Such a situation is depicted at the bottom of Figure1, where the continuous dynamics are shown as curves on a continuous state space (blue region), and the analysis question involves deciding whether states in the green region can evolve to the red region. Reachability questions of this sort are difficult to answer for generic complex networks. However, if it is possible to construct a finite state abstraction of the network which possesses equivalent dynamics, then the analysis task becomes much easier. To see this, observe from Figure1 that a finite state abstraction of the original dynamics takes the form of a graph, where the states are graph vertices (nodes within the blue region at top) and feasible state transitions define the graph’s directed edges. Reachability analysis is straightforward with a graph, and if the complex network and its abstraction have equivalent reachability properties then the much simpler graph analysis also characterizes the reachability of the original system.
Reachability assessment, while valuable, is typically not sufficient to answer realworld vulnerability analysis questions. For instance, suppose that the red region in Figure1 is the set of failure states. It may be of interest to determine if all system trajectories which reach the red region first pass through the white “alerting” region, so there is warning of impending failure, or whether all trajectories which reach the red region subsequently return to the blue “normal” region, and thereby recover from failure. Addressing these more intricate questions requires that the analysis be conducted using a language which allows a nuanced description of, and reasoning about, network dynamics. We show in[4] that linear temporal logic (LTL) provides such a language, enabling quantitative specification of a broad range of complex network vulnerability problems. LTL extends propositional logic by including temporal operators, thereby allowing dynamical phenomena to be analyzed, and is similar to natural language and thus is easy to use[10].
As we wish to use LTL to analyze the dynamics of complex networks and we model these networks as HDS, we tailor our definition of LTL to be compatible with this setting:
Definition 2.3: The syntax of LTL consists of
atomic propositions (q,k), where q ∈ Q is an HDS discrete state and k ∈ K is a label for a subset in the continuous system state space partition;
formulas composed from atomic propositions using a grammar of Boolean (ϕ ∨ θ, ¬ϕ) and temporal (ϕU θ, ○ ϕ) operators.
The semantics of LTL follows from interpreting formulas on trajectories of HDS, that is, on sequences of (q, k) pairs: (q, k) = (q_{0}, k_{0}), (q_{1}, k_{1}), …, (q_{T}, k_{T}).
The Boolean operators ∨ and ¬ are disjunction and negation, as usual. The temporal operators U and ○ are read “until” and “next”, respectively, with ϕU θ specifying that ϕ must hold until θ holds and ○ ϕ signifying that ϕ will be true at the next time instant (see[10] for a more thorough description).
Abstractions which preserve LTL also preserve all vulnerabilities expressible as LTL formulas; this property is stated more precisely in Section 4, where a formal definition is given for system vulnerability, and is also explained in[4]. Thus we seek an abstraction procedure which preserves LTL: given a system representation Σ_{1}, the procedure should generate a system abstraction Σ_{2} which is such that {Σ_{1} = ϕ} ⇔ {Σ_{2} = ϕ} for all LTL formulas ϕ (where  = denotes formula satisfaction). Bisimulation is a powerful method for abstracting finite state systems to yield simpler finite state systems that are equivalent from the perspective of LTL[10]. However, the problem of constructing finite state bisimulations for continuous state systems is largely unexplored (but see the seminal work[11, 12]). Indeed, one of the contributions of this paper is to develop a theoretically sound, practically implementable approach to obtaining finite state bisimulations for complex network models.
Bisimulation is typically defined for transition systems, so we first introduce this notion (see[10] for details):
Definition 2.4: A transition system is a fourtuple T = (S, →, Y, h) with state set S, transition relation → ⊆ S × S, output set Y, and output map h: S → Y. T is finite if S is finite.
Transition relation → defines admissible state transitions, so (q, q^{′})∈→, denoted q → q^{′}, if T can transition from q to q^{′}.
Bisimilar transition systems share a common output set and have dynamics which are equivalent from the perspective of these outputs:
Definition 2.5: Transition systems T_{S} = (S, →_{S}, Y, h_{S}) and T_{P} = (P, →_{P}, Y, h_{P}) are bisimilar via relation R ⊆ S × P if:
s ~ p ⇒ h_{S}(s) = h_{P}(p) (R respects observations);
s ~ p, s →_{S} s^{′} ⇒ ∃ p^{′} ~ s^{′} such that p →_{P} p^{′} (T_{P} simulates T_{S}, denoted T_{S}∟ T_{P});
p ~ s, p →_{P} p^{′} ⇒ ∃ s^{′} ~ p^{′} such that s →_{S} s^{′} (T_{P}∟ T_{S}),
where ~ denotes equivalence under relation R.
A standard result from theoretical computer science e.g.,[10] shows that bisimulation preserves LTL:
Proposition 2.1: If T_{1} and T_{2} are bisimilar transition systems and ϕ is an LTL formula then {T_{1} = ϕ} ⇔ { T_{2} = ϕ}.
The following statements offer an alternative definition for bisimulation, which is easily shown to be equivalent to the one presented in Definition 2.5 and is useful in the subsequent development:
Definition 2.6: A finite partition Φ: S → P of the state space S of transition system T = (S, →, Y, h) naturally induces a quotient transition system T/~ = (P, →_{~}, Y, h_{~}) of T provided that
Φ(s) = Φ(s^{′}) (denoted s ~ s^{′}) ⇒ h(s) = h(s^{′});
h_{~}(p) = h(s) if p = Φ(s);
→_{~} is defined so that Φ(s) →_{~} Φ(s^{′}) iff s → s^{′}.
Transition system T and its quotient T/~ are bisimilar if an additional condition holds:
Proposition 2.2: Suppose T/~ is defined as in Definition 2.6 and, in addition, Φ(s) →_{~} Φ(s^{′}) ⇒ ∀ s^{′′} ~ s ∃ s^{′′′} ~ s^{′} such that s^{′′} → s^{′′′}. Then T and T/~ are bisimilar.
Finally, we introduce a class of continuous state (control) systems which is important in applications.
Definition 2.7: The continuoustime system dx/dt = f(x,u), with f: ℜ^{n}×ℜ^{m}→ℜ^{n}, is differentially flat if there exists (flat) outputs z∈ℜ^{m} such that z = H(x), x = F_{1}(z, dz/dt, …, d^{r}z/dt^{r}), and u = F_{2}(z, dz/dt, …, d^{r}z/dt^{r}) for some integer r and maps H, F_{1}, F_{2}.
Definition 2.8: The discretetime system x + = f(x,u) is difference flat (with memory k) if there exists (flat) outputs z∈ℜ^{m} such that z = H(x), x(t) = F_{1}(z(t), z(t + 1), …, z(t + k − 1)), and u(t) = F_{2}(z(t), z(t + 1), …, z(t + k − 1)) for some maps H, F_{1}, F_{2}.
Background on flat systems may be found in[13]. Many realworld control systems are flat, including all controllable linear systems as well as all feedback linearizable systems. Perhaps more importantly, the complex, evolving networks underlying so much of advanced technology, biology, and social processes frequently possess flat subsystems.
Finite state abstraction
In this section we demonstrate that hybrid systems with (differentially or difference) flat continuous systems admit finite state bisimulations and present algorithms for constructing the bisimilar abstractions.
Consider an HDS of the form given in Definition 2.1 or 2.2. The following provides a transition system representation for the continuous system dynamics of HDS:
Definition 3.1: The transition system model T_{ HDSc } for the continuous system portion of Σ_{HDS} is the collection T_{HDSc} = {T_{q}^{k}}, with one transition system T_{q}^{k} = (X_{q}^{k}, →_{q}^{k}, Y_{q}^{k}, h_{q}^{k}) specified for each (q, k) pair. Each T_{q}^{k} has bounded state space X_{q}^{k}, finite output set Y_{q}^{k}, an output map h_{q}^{k}: X_{q}^{k} → Y_{q}^{k} that defines a finite partition of X_{q}^{k} with labels y∈Y_{q}^{k}, and transition relation →_{q}^{k} reflecting the discrete or continuoustime dynamics:
for discretetime continuous systems, x →_{q}^{k} x^{′} iff ∃u such that x^{′} = f_{q}(x,u) on subset k;
for continuoustime continuous systems, x →_{q}^{k} x^{′} iff there is a trajectory x: [0, T] → X_{q}^{k} of dx/dt = f_{q}(x,u), a time t^{′}∈ (0,T), and adjacent partitions of X_{q}^{k} labeled y, y^{′}∈Y_{q}^{k} such that x(0) = x, x(T) = x^{′}, x([0,t^{′}))⊆y, and x((t^{′},T])⊆y^{′}.
We make the standard assumption that k: X → K partitions the HDS continuous system state space X into polytopes and that all HDS discrete system transitions are triggered by k transitions[9] (see Definitions 2.1 and 2.2).
Definition 3.1 allows Σ_{HDS} to be modeled as a feedback interconnection of two transition systems, one with continuous state space and one with finite state set:
Definition 3.2: The transition system T_{ HDS } associated with the HDS given in Definition 2.1 or 2.2 is a feedback interconnection of 1.) the continuous system transition system T_{HDSc} = {T_{q}^{k}} given in Definition 3.1 and 2.) the transition system associated with the HDS discrete system, given by T_{HDSd} = (Q, →_{d}, Q, id), where id is the identity map and q →_{d} q^{′} iff ∃k such that q^{′} = h(q, k). Thus T_{HDS} = (Q × X, →_{HDS}, Q × Y, h_{HDS}), where Q × X = ∪_{q} (∪_{k} {q} × X_{q}^{k}), Q × Y = ∪_{q} (∪_{k} {q} × Y_{q}^{k}), and the definitions for →_{HDS} and h_{HDS} follow immediately from the transition relation and output map definitions specified for T_{HDSc} and T_{HDSd}.
Because the transition system T_{HDSd} corresponding to the HDS discrete system is already a finite state system, the main challenge in abstracting HDS to finite state systems is associated with finding finite state bisimulations for the continuous systems T_{HDSc} = {T_{q}^{k}}. This is made explicit in the following
Theorem 1: If each transition system T_{q}^{k} associated with T_{HDS} is bisimilar to some finite quotient transition system T_{q}^{k}/~ = (Y_{q}^{k}, →_{~}, Y_{q}^{k}, id) and the state space quotient partitions defined by the h_{q}^{k} satisfy a mild compatibility condition then T_{HDS} admits a finite bisimulation.
Proof: The proof is straightforward and is given in[4].
Theorem 1 shows that the key step in obtaining a finite state bisimulation for HDS T_{HDS}, and thus for Σ_{HDS}, is constructing bisimulations for the continuous state transition systems T_{q}^{k}. We therefore focus on this latter problem for the remainder of the section. Our first main result along these lines is for difference flat continuous systems:
Theorem 2: Given any finite partition π: Z → Y of the flat output space Z of a difference flat system, the associated transition system T_{F} = (X, →, Y, π ° H) admits a bisimilar quotient T_{F}/~.
Proof: Consider the equivalence relation R that identifies state pairs (x, x′) which generate identical sets of klength output symbol sequences y = y_{0} y_{1} … y_{k−1}, and the quotient system T_{F}/~ induced by R. R defines a finite partition of X (both Y and k are finite), and x ~ x^{′} ⇒ π ° H(x) = π ° H(x^{′}) so that R respects observations. T_{F} ∟ T_{F}/~ follows immediately from the definition of quotient systems. To see that T_{F}/~ ∟ T_{F}, note that flatness ensures any symbol string y = y_{k} y_{k+1} … is realizable by transition system T_{F}; thus x ~ x^{′} at time t implies that x and x^{′} can transition to equivalent states at time t + 1. Therefore, from Definition 2.5, T_{F} and T_{F}/~ are bisimilar.
Remark 3.1: Efficient algorithms exist for checking if a given system is difference flat, so Theorem 2 provides a practically implementable means of identifying discretetime continuous state systems which admit finite bisimulation[4].
Remark 3.2: The flat output trajectory completely defines the evolution of a difference flat system. As a consequence, because any finite partition of flat output space induces a finite bisimilar quotient for the flat system, this partition can be refined to yield any desired level of detail in the abstraction.
An analogous result holds for differentially flat HDS continuous systems. Our development of this result requires the following lemmas.
Lemma 3.1: A control system is differentially flat iff it is dynamic feedback linearizable.
Proof: The proof is given in[14].
Lemma 3.2: Control system Σ admits a finite bisimulation iff any representation of Σ obtained through coordinate transformation and/or invertible feedback also admits a finite bisimulation.
Proof: The proof is given in[12].
Lemmas 3.1 and 3.2 suggest the following procedure for constructing finite bisimulations for differentially flat systems: 1.) transform the flat system into a linear control system via feedback linearization, 2.) compute a finite bisimulation for the linear system, and 3.) map the bisimilar model back to the original system representation. As a result, we focus on building finite bisimulations for linear control systems.
In particular, the control system of interest is one “chain” of a Brunovsky normal form (BNF) system Σ_{BNF}[4]:
Concentrating on this system entails no loss of generality, as any controllable linear system can be modeled as a collection of these single chain systems, one for each input, and the decoupled nature of the chains ensures we can abstract each one independently and then “patch” the abstractions together to obtain an abstraction for the full system.
Consider the following partition of the (assumed bounded) state space X ⊆ ℜ^{n} of Σ_{BNF}:
Definition 3.3: Partition π_{ ε } is the map π_{ε}: X → Y that partitions X into subsets y_{is} = {x∈X  x_{1}∈[iε, (i + 1)ε), sign(x_{2}) = s_{1}, …, sign(x_{n}) = s_{n1}}, where i is an integer and s is an (n−1)vector of “signs” specifying a particular orthant of X.
Note that π_{ε} partitions X into “slices” orthogonal to the x_{1}axis.
We are now in a position to state
Theorem 3: The transition system T_{BNF} = (X, →, Y, π_{ε}) associated with system Σ_{BNF} and partition π_{ε} admits a finite bisimilar quotient T_{BNF}/~ = (Y, →_{~}, Y, id).
Proof: T_{BNF}/~ is finite because Y is finite. Assume →_{~} is constructed so that π_{ε}(x) →_{~} π_{ε}(x^{′}) ⇔ x → x^{′}, with the latter specified as in Definition 3.1. Then all the conditions of Definition 2.6 are satisfied, and from Proposition 2.2 we need only show π_{ε}(x) →_{~} π_{ε}(x^{′}) ⇒ ∀x^{′′}~x ∃x^{′′′}~x^{′} such that x^{′′} → x^{′′′}. This amounts to demonstrating that if x can be driven through face F of slice π_{ε}(x) then any x^{′′} in that slice can be driven through F as well, which can be shown by checking this property for the system x_{1}^{(n)} = u on each orthant of X (see e.g.,[13] for a proof that system x_{1}^{(n)} = u possesses this property).
Remark 3.3: The result given in Theorem 3 is most useful in situations where the control input u can be chosen large relative to the system “drift”. Abstraction methods for applications in which control authority is limited are given in[4].
Next we turn to the task of computing finite bisimulations for HDS. We focus on constructing bisimulations for HDS continuous systems, as HDS discrete systems already possess finite state representations, and in particular on abstracting differentially flat continuous systems; the derivation of algorithms for difference flat continuous systems is analogous but simpler and is therefore omitted (see[4]).
Consider, without loss of generality (see Lemma 3.1), the problem of computing a finite state abstraction for continuoustime linear control system Σ_{lc}: dx/dt = Ax + Bu (where A,B are matrices). The transition system associated with Σ_{lc} is T_{lc} = (X, →_{lc}, Y, h), with h: X → Y any finite, hypercubic partition of X and →_{lc} specified as in Definition 3.1. The finite state abstraction of interest is quotient system T_{lc}/~ = (Y, →_{lc~}, Y, id). Observe that in order to obtain T_{lc}/~ it is only necessary to determine the set of admissible transition relations →_{lc~}.
As most applications of interest involve largescale systems, it is desirable to develop efficient algorithms for computing →_{lc~}. We now introduce such a procedure. The algorithm decides whether a transition y →_{lc~} y^{′} between two adjacent cells of the lattice y, y^{′} is allowed, and is repeated for all candidate transitions of interest. We begin by summarizing a simple algorithm, based on computational linear system results given in[15], for deciding whether y →_{lc~} y^{′} is admissible. Let k be the number of the coordinate axis orthogonal to the common face between y and y^{′}, V be the set of vertices shared by y and y^{′}, and a_{k}^{T} represent row k of A. Define Π^{k}(w) to be the projection of vector w onto axis k, and suppose y < y^{′}. Then y →_{lc~} y^{′} iff Π^{k}(Av_{i} + Bu) > 0 for some v_{i} ∈V and u∈U. An algorithm which “operationalizes” this observation is
Algorithm 3.1:
If y < y^{′}:
If any element of row k of B is nonzero, y →_{lc~} y^{′} is true. STOP.
Repeat until y →_{lc~} y^{′} is determined to be true or all vertices have been checked:
Select a vertex v_{i} ∈ V.
Compute the inner product p = a_{k}^{T} v_{i}.
If p > 0 then y →_{lc~} y^{′} is true. STOP.
If y →_{lc~} y^{′} has not been found to be true it is false.
If y > y^{′}: Algorithm is the same except that the comparison p > 0 is replaced by p < 0.
A difficulty with Algorithm 3.1 is that the number of vertices shared by two adjacent cells is 2^{n−1}, so that checking them becomes unmanageable even for moderatelysized systems. Interestingly, the algorithm can be modified so that feasibility of a transition can be tested by considering only a single wellchosen vertex, independent of the size of the model. The new algorithm is therefore extremely efficient and can be applied to very large systems. Let v_{0} be the lowest vertex (in a componentwise sense) shared by y, y^{′} and let a_{k}^{+} (a_{k}^{−}) be the sum of positive (negative) elements of row k of A, excluding the diagonal. We can now state
If y < y^{′}:
If any element of row k of B is nonzero, y →_{lc~} y^{′} is true. STOP.
Compute the inner product p = a_{k}^{T} v_{0}.
If p + a_{k}^{+} > 0 then y →_{lc~} y^{′} is true. STOP.
Otherwise y →_{lc~} y^{′} is false.
If y > y^{′}: Algorithm is the same except that the comparison p + a_{k}^{+} > 0 is replaced by p + a_{k}^{−} < 0.
A Matlab program which implements Algorithm 3.2 is presented in[4]. This program has been applied to systems with n = 10 000 state variables using desktop computers. Additionally, standard timing studies reveal that the computational cost of Algorithm 3.2 scales quadratically in the system state space dimension n (while Algorithm 3.1 scale exponentially in n), providing further support for the argument that this approach to abstraction can be applied to problems of realworld scale and complexity.
Vulnerability analysis
This section considers the vulnerability assessment problem: given a complex network and a class of failures of interest, does there exist an attack which causes the system to experience such failure? Other important vulnerability analysis tasks, including vulnerability exploitation and mitigation, are investigated in[4]. The proposed approach to vulnerability assessment leverages the finite state abstraction results derived in the preceding section. The basic idea is straightforward: given an HDS model for a network of interest and a class of failures of concern: 1.) construct a finite bisimulation for the HDS network model, 2.) conduct the vulnerability analysis on the system abstraction, and 3.) map the analysis results back to the original system model.
Observe that the proposed approach possesses desirable characteristics. For instance, the analytic process is scalable, because both the abstraction methodology[4] and the tools available for detecting vulnerabilities in finite state systems [e.g., 8] are scalable. Additionally, the analysis is rigorous. Because HDS vulnerabilities are expressible as LTL formulas, and bisimulation preserves LTL, the original complex network and its abstraction have identical vulnerabilities. Formal analysis tools such as model checking[8] can be structured to identify all vulnerabilities of the finite state abstraction, and bisimilarity then implies that the approach is guaranteed to find all vulnerabilities of the original network as well.
We now quantify the proposed approach to vulnerability assessment. It is supposed that the complex network of interest can be modeled as an HDS, Σ_{HDS}, and that the network’s desired or “normal” behavior can be characterized with an LTL formula ϕ; generalizing the situation to a set of LTL formulas {ϕ_{i}} is straightforward. Consider the following
Definition 4.1: Given an HDS Σ_{HDS} and an LTL encoding ϕ of the desired network behavior, the vulnerability assessment problem involves determining whether Σ_{HDS} can be made to violate ϕ.
The proposed vulnerability assessment method employs bounded model checking (BMC), a powerful technique for deciding whether a given finite state transition system satisfies a particular LTL specification over a finite, userspecified time horizon[8]. Briefly, BMC checks whether a finite transition system T satisfies an LTL specification ϕ on a time interval [0, k], denoted T  = _{k} ϕ, in two steps: 1.) translate T  = _{k} ϕ to a proposition [T, ϕ]_{k} which is satisfied by, and only by, transition system trajectories that violate ϕ (this is always possible), and 2.) check if [T, ϕ]_{k} is satisfiable using a modern SAT solver[8]. Note that because modern SAT solvers are extremely powerful, this approach to model checking can be implemented with problems of realworld scale.
We are now in a position to state our vulnerability assessment algorithm. Let T_{HDS} denote the transition system associated with Σ_{HDS}, and consider the vulnerability assessment problem given in Definition 4.1. We have
Algorithm 4.1: Vulnerability assessment

1.
Construct a finite bisimilar abstraction T for T_{HDS} using the results of Section 3.

2.
Check satisfiability of [T, ϕ]_{k} using BMC:
if [T, ϕ]_{k} is not satisfiable then T is not vulnerable and thus Σ_{HDS} is not vulnerable (on time horizon k);
if [T, ϕ]_{k} is satisfiable then T, and therefore Σ_{HDS}, is vulnerable, and the SAT solver “witness” is an exploitation of the vulnerability.
To illustrate the utility of the proposed approach to vulnerability assessment we apply the analytic method to an important complex network: an electric power (EP) grid. EP grids are naturally represented as HDS, with the continuous system modeling the generator and load dynamics as well as power flow constraints and the discrete system capturing protection logic switching and other “supervisory” behavior:
Definition 4.2: The HDS power grid model Σ_{ EP } takes the form
where q and x are the discrete and continuous system states, v and u denote exogenous inputs, y is the vector of “algebraic variables”, and all other terms are analogous to those introduced in Definition 2.1.
The continuous system portion of grid model Σ_{EP} is feedback linearizable[17], which implies the continuous system is differentially flat and consequently that Σ_{EP} admits a finite abstraction. Additionally, it can be shown that grid vulnerabilities are expressible as LTL formulas composed of atomic propositions which depend only on q and k[18]. Thus Algorithm 4.1 is directly applicable to power grids.
We now summarize the results of a vulnerability assessment for the 20bus grid shown in Figure2. This grid provides a simple but useful representation of a real, nationalscale EP system for which (proprietary) data are available to us[4]. The grid can be modeled as an HDS Σ_{EP} of the form given in Definition 4.2. The report[4] gives a Matlab encoding of the specific HDS model used in this study. Because the model Σ_{EP} corresponds to a realworld grid, the behaviors of the model and the actual grid can be compared. For example, the real grid recently experienced a large cascading voltage collapse, and data was collected for this event. We simulated this cascading outage (see Figure3, top plot) and found close agreement between the behavior of the actual grid and the model Σ_{EP}. Observe that this result is encouraging given the wellknown difficulties associated with reproducing such cascading dynamics with computer models (see, e.g.,[17, 18]).
Vulnerability assessment was performed using Algorithm 4.1. It was assumed that the grid’s attacker wishes to drive the voltage at bus 11 to unacceptably low levels, so that the loads at this bus would not be served, and that the attacker has only limited grid access. In particular, we consider here a scenario in which the attacker can gain assess to the generator at bus 2 via cyber means[18]. Note that this class of vulnerabilities is interesting because the access point – the generator at bus 2 – is geographically remote from the target of the attack – the loads at bus 11.
The first step in the vulnerability assessment procedure specified in Algorithm 4.1 involves constructing a finite state bisimulation T for Σ_{EP}; this abstraction is computed using Algorithm 3.2. The second step in Algorithm 4.1 is to apply BMC to T to determine if it is possible to realize the attack objective, i.e., low voltage at bus 11, through admissible manipulation of the generator at bus 2. We employed NuSMV, an open source software tool for formal verification of finite state systems, for this analysis[19]. This vulnerability assessment reveals that it is possible for the attacker to realize the given objective via the assumed grid access, and gives a finite state “trace” of one means of exploiting the vulnerability. Using this trace, we synthesize an exploitation attack which is directly implementable with the HDS model Σ_{EP}. Sample simulation results are shown in Figure3 (bottom plot). It can be seen from the bus voltage time series in Figure3 that the attacker’s goals can indeed be realized, in this case by initiating a cascading voltage collapse which takes down bus 11 as well as most of the rest of the grid.
Discussion
This paper presents an approach for analyzing complex networks in which the network of interest is first abstracted to a much simpler, but mathematically equivalent, representation, the required analysis is performed using the abstraction, and analytic conclusions are then mapped back to the original network and interpreted there. We identify an important class of complex networks which admit vulnerabilitypreserving, finite state abstractions, provide efficient algorithms for computing these abstractions, and offer a vulnerability analysis methodology that combines finite state network representations with formal analytics to enable rigorous vulnerability analysis for networks of realworld scale and complexity. The considerable potential of the method is demonstrated through a case study involving a realistic electric power grid model.
We now demonstrate that the proposed approach to analyzing complex network dynamics can also be applied to biological and social systems. Consider first a biological example. Many aspects of the physiology of living organisms oscillate with a period of approximately 24 hours, corresponding to the duration of a day, and the molecular basis for this circadian rhythm has been quantified in several organisms. For instance, a useful model for the gene regulatory network responsible for circadian rhythm in Drosophila melanogaster (fruit fly) is[20]:
where M_{P}, P_{0}, P_{1}, P_{2}, C, and C_{N} are state variables corresponding to the concentrations of the constituents of the circadian rhythm gene network, v_{sP} is an exogenous (control) input signal associated with the light–dark cycle of the environment, and all other terms are constant model parameters.
As is evident from Definition 2.7, a differentially flat system possesses (flat) outputs, equal in number to the number of inputs, which permit the system states and inputs to be recovered through algebraic manipulation of these outputs and their time derivatives. In the case of Drosophila circadian rhythm, C_{N} is one such flat output. To see this, note that C and its time derivatives can be obtained from the sixth equation through manipulation of C_{N} and its derivatives. These terms, in turn, permit P_{2} (and its derivatives) to be obtained from the fifth equation, and continuing in this way up the “chain” of equations gives all of the states and the input v_{sP}. Thus the system states and input can be obtained from knowledge of C_{N} and its derivatives, proving that the above gene network model for Drosophila circadian rhythm is differentially flat. This, in turn, implies that the model admits a finite state bisimulation (Theorem 3).
We have constructed a finite state model for Drosophila using Algorithm 3.2, and then applied Algorithm 4.1 to this finite state representation to identify gene network vulnerabilities. More specifically, this methodology was employed to identify gene network parameters whose manipulation would quickly and efficiently reset the phase of Circadian rhythm. The parameters nominated by this analysis are:
mRNA transcription rate;
mRNA degradation rate;
protein translation rate.
It is worth noting that these Circadian phase vulnerabilities are identical to the “control targets” obtained in[21] through a substantially more involved, computationallyintensive sensitivity analysis.
Consider next the phenomenon of social movements, that is, large, informal groupings of individuals and/or organizations focused on a particular issue, for instance of political, social, economic, or religious significance e.g.,[22]. Given the importance of social movements and the desire to understand their emergence and growth, numerous mathematical representations have been proposed to characterize their dynamics. For example,[23] suggests a model in which each individual in a population of interest can be in one of three states – member (of the movement), potential member, and exmember – and interactions between individuals can lead to transitions between these affiliation states (e.g., potential members can be persuaded to become members). In particular,[23] proposes the following model for social movement dynamics:
where P, M, and E denote the fractions of potential members, members, and exmembers in the population, Λ can be interpreted to be the system’s input, and β, δ_{1}, δ_{2}, δ_{3} are nonnegative constants related to the probabilities of individuals undergoing the various state transitions. It is worth noting that this model is shown in[23] to provide a good description for the growth of realworld social movements.
This model for social dynamics is differentially flat with flat output E. To see this, observe that M and its time derivatives can be obtained from the third equation through manipulation of E and its derivatives. These terms, in turn, permit P (and its derivatives) to be obtained from the second equation. Finally, knowledge of P, M, E, and their derivatives allows the input Λ to be recovered from the first equation. Thus all of the system states as well as the input can be obtained from knowledge of E and its derivatives, which shows that the social movement model is differentially flat. This, in turn, implies that the model admits a finite state bisimilar abstraction (see Theorem 3).
We now consider the vulnerability of social movement dynamics. In order to make this analysis more interesting, the dynamics Σ_{sm} is extended to enable modeling of social movements propagation on networks with realistic topologies. More specifically, it is known that realworld social networks possess community structure, that is, the presence of densely connected groupings of individuals which have only relatively few links to other groups e.g.,[22, 23], and we are interested in modeling and analyzing social movement dynamics on these networks. One way to construct such a representation is to model movement dynamics as consisting of two components: 1.) intracommunity dynamics, involving frequent interactions between individuals within the same community and the resulting gradual change in the concentrations of movement members, and 2.) intercommunity dynamics, in which the movement jumps from one community to another, for instance because a movement member “visits” a new community.
It is natural to model these dynamics via HDS, with the continuous system representing intracommunity dynamics via Σ_{sm}, or its finite state abstraction, the discrete system capturing the intercommunity dynamics (e.g., using a simple switching rule), and the interplay betweenbetween these dynamics being represented by the HDS feedback structure. A detailed description of the manner in which HDS models can be used to capture general social dynamics on networks with realistic topologies is given in[22], and the basic idea is illustrated in Figure4.
We have constructed a finite state model for Σ_{sm} using Algorithm 3.2, and then connected these intracommunity dynamics models together to represent the complete intra and intercommunity dynamics. We applied Algorithm 4.1 to this finite state representation to identify social movement vulnerabilities. More specifically, this methodology was employed to identify the characteristics of social movement dynamics which are most important for movement success. This analysis indicates that a key indicator of the ultimate success of a social movement is significant early dispersion of a movement across network communities; interestingly, this measure should be more predictive than the early volume of movement activity (which is a standard metric for predictive analysis of social dynamics).
Author’s contributions
RC and KG designed the research, RC developed the theoretical results, RC and KG developed the computational algorithms, and RC wrote the paper. All authors read and approved the final manuscript.
Acknowledgements
This work was supported by the U.S. Department of Defense and the Laboratory Directed Research and Development Program at Sandia National Laboratories. Sandia National Laboratories is a multiprogram laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DEAC0494AL85000.
References
 1.
Carlson J, Doyle J: Complexity and Robustness. Proc. National Academy of Sciences USA 2002, 99: 2538–2545. 10.1073/pnas.012582499
 2.
Doyle J, Alderson D, Li L, Low S, Roughan M, Shalunov S, Tanaka R, Willinger W: The ‘Robust Yet Fragile’ Nature of the Internet. Proc. National Academy of Sciences USA 2005, 102: 14497–14502. 10.1073/pnas.0501426102
 3.
Ormerod P, Colbaugh R: Cascades of Failure and Extinction in Evolving Complex Systems. J Artificial Societies and Social Simulation 2006, 9: 4.
 4.
Colbaugh R, Glass K, Willard G SAND2008–7327. In Analysis of Complex Networks Using Aggressive Abstraction. Sandia National Laboratories, Albuquerque, NM; 2008. Additional file 1 Additional file 1
 5.
LaViolette R, Glass K, Colbaugh R: Deep Information from Limited Observation of ‘Robust Yet Fragile’ Systems. Physica A 2009, 388: 3283–3287. 10.1016/j.physa.2009.05.019
 6.
National Infrastructure Protection Plan. U.S. Department of Homeland Security, Washington DC; 2009.
 7.
Chen H, Yang C, Chau M, Li S (Eds): Intelligence and Security Informatics. Lecture Notes in Computer Science, Springer, Berlin; 2009.
 8.
Clarke E, Grumberg O, Peled D: Model Checking. MIT Press, Cambridge, MA; 1999.
 9.
Majumdar R, Tabuada P (Eds): Hybrid Systems: Computation and Control. Lecture Notes in Computer Science, Springer, Berlin; 2009.
 10.
Milner R: Communication and Concurrency. PrenticeHall, NJ; 1989.
 11.
Alur R, Henzinger T, Lafferriere G, Pappas G: Discrete Abstractions of Hybrid Systems. Proc. IEEE 2000, 88: 971–984.
 12.
Tabuada P, Pappas G: Linear Time Logic Control of DiscreteTime Linear Systems. IEEE Trans. Automatic Control 2006, 51: 1862–1877.
 13.
Martin P, Murray R, Rouchon P: “Flat Systems, Equivalence, and Trajectory Generation”, CDS Report 2003–008. California Institute of Technology, Pasadena, CA; 2003.
 14.
ArandaBricaire E, Moog C, Pomet J: A Linear Algebraic Framework for Dynamic Feedback Linearization. IEEE Trans. Automatic Control 1995, 40: 127–132. 10.1109/9.362886
 15.
Habets L, van Schuppen J: A Control Problem for Affine Dynamical Systems on a Fulldimensional Polytope. Automatica 2004, 40: 21–35. 10.1016/j.automatica.2003.08.001
 16.
Gardiner J, Colbaugh R: Development of a Scalable Bisimulation Algorithm, ICASA Technical Report. New Mexico Institute of Mining and Technology, Socorro, NM; 2006.
 17.
Ilic M, Zaborszky J: Dynamics and Control of Large Electric Power Systems. Wiley, NY; 2000.
 18.
Stamp J, Colbaugh R, Laviolette R, McIntyre A, Richardson B: “Impacts Analysis for Cyber Attack on Electric Power Systems”, SAND2008–7300. Sandia National Laboratories, Albuquerque, NM; 2008.
 19.
NuSMV: a new symbolic model checker. , downloaded July 2007 http://nusmv.fbk.eu , downloaded July 2007
 20.
Goncalves J, Yi T: “Drosophila Circadian Rhythms: Stability, Robustness Analysis, and Model Reduction”. MTNS, Leuven, Belgium; 2004.
 21.
Bagheri N, Stelling J, Doyle F: Circadian Phase Resetting via Single and Multiple Control Targets. PLoS Comput. Biol. 2008, 4: e1000104. 10.1371/journal.pcbi.1000104
 22.
Colbaugh R, Glass K Proc. IEEE MultiConference on Systems and Control. In “Predictive Analysis for Social Processes I: MultiScale Hybrid System Modeling, and II: Predictability and Warning Analysis”. Saint Petersburg, Russia; 2009.
 23.
Hedstrom P Understanding Choice, Explaining Behavior. In Explaining the Growth Patterns of Social Movements. Oslo University Press, Oslo, Norway; 2006.
Author information
Additional information
Competing interests
The authors declare that they have no competing interests.
Authors’ original submitted files for images
Below are the links to the authors’ original submitted files for images.
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License (https://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
About this article
Cite this article
Colbaugh, R., Glass, K. Anticipating complex network vulnerabilities through abstractionbased analysis. Secur Inform 1, 9 (2012). https://doi.org/10.1186/2190853219
Received:
Accepted:
Published:
Keywords
 Complex networks
 Finite state abstraction
 Vulnerability analysis
 Electric power grids
 Biological networks
 Social movements