Introduction

The United States Transportation Security Administration (TSA) is tasked with protecting the nation's transportation systems. These systems are often large in scale and protecting them requires many personnel and security activities. One set of systems in particular is the over 400 airports. These airports serve approximately 28,000 commercial flights per day and up to approximately 87,000 total flights [Air Traffic Control]. To protect this large transportation network, the TSA employs approximately 48,000 Transportation Security Officers (TSA); who are responsible for implementing security activities at each.

Many people are aware of the common security activities, especially individual passenger screening. However, this is just one of many security layers TSA personnel implement to help prevent potential threats (TSA). These layers can involve hundreds of heterogeneous security activities executed by limited TSA personnel, leading to a complex resource-allocation challenge. Unfortunately, TSA cannot possibly run every security activity all the time and thus must decide how to appropriately allocate its resources among the layers of security activities.

To aid the TSA in scheduling resources in a risk-based manner, we take a multi-agent game-theoretic approach. Motivated by advantages of such an approach reported at AAMAS conferences (see Section 6.2.2), we utilize Stackelberg games, in which one agent (the leader) must commit to some strategy first and a second agent (the follower) can make his decision with knowledge of this commitment. Here, the TSA acts as a defender (i.e., the leader) who has a set of targets to protect, a number of security activities they can utilize to protect each target, and a limited number of resources to assign to these security activities.

Introduction

Providing security for transportation systems, computer networks, and other critical infrastructure is a large and growing problem. Central to many of these security problems is a resource allocation task. For example, a police force may have limited personnel to conduct patrols, operate checkpoints, and conduct random searches. Other scarce resources including bomb-sniffing canines, vehicles, and security cameras. The key question is how to efficiently allocate these resources to protect against a wide variety of potential threats.

The adversarial aspect of security domains poses unique challenges for resource allocation. A motivated attacker can gather information about security measures using surveillance and plan more effective attacks. Predictable resource allocations may be exploited by an attacker, greatly reducing resource effectiveness. A better approach for deploying security resources is to use randomization to increase the uncertainty of potential attackers. We develop new computational methods that use game-theoretic analysis to generate optimal randomized resource allocations for security domains.

Game theory offers a more sophisticated approach to randomization than simply “rolling dice.” It allows the analyst to factor differential risks and values into the game model, and incorporates game-theoretic predictions of how the attacker will respond to a given security policy. Recent work by Paruchuri et al. uses a game-theoretic approach to create randomized security policies for traffic checkpoints and canine patrols at the Los Angeles International Airport (LAX), which are deployed in the daily airport-security operations (Paruchuri et al., 2008; Pita et al., 2008).

Introduction

Game theory's popularity continues to increase in a whole variety of disciplines, including economics, biology, political science, computer science, electrical engineering, business, law, and public policy. In the arena of security, where game theory has always been popular, there now seems to be an exponential increase in interest. This increase is in part due to the new set of problems our societies face, from terrorism to drugs to crime. These problems are ubiquitous. Yet, limited security resources cannot be everywhere all the time, raising a crucial question of how to best utilize them.

Game theory provides a sound mathematical approach for deploying limited security resources to maximize their effectiveness. While the connection between game theory and security has been studied for the last several decades, there has been a fundamental shift in the relationship due to the emergence of computational game theory. More specifically, with the development of new computational approaches to game theory over the past two decades, very large-scale problems can be cast in game-theoretic contexts, thus providing us computational tools to address problems of security allocations.

My research group has been at the forefront of this effort to apply computational game theory techniques to security problems. We have led a wide range of actual deployed applications of game theory for security. Our first application, Assistant for Randomized Monitoring Over Routes (ARMOR), successfully deployed game-theoretic algorithms at the Los Angeles International Airport (LAX) in 2007 and has been in use there ever since.

Introduction

As discussed in other chapters of this book, an increasing number of technically sophisticated tools are available to support decisionmaking for security resource allocation in many different domains. In this chapter we discuss the question of evaluating these deployed security systems, using examples from our own research to illustrate some of the key challenges in doing evaluation for security systems. Two of the primary difficulties are (1) that we cannot rely on adversaries to cooperate in evaluation, which makes it difficult to validate models, and (2) there is (thankfully) very little data available about real-world terrorist attacks.

Despite the difficulties of comprehensive evaluation in security domains, it is only by asking the question, how well does a system work? that policy makers can decide how to allocate finite resources to to different security measures. We discuss the goals of security systems, the elements that comprise these systems, and different approaches for evaluation. Every approach has drawbacks, so in lieu of an ideal test, we advocate a comprehensive style of evaluation that uses diverse metrics and data to perform cost-benefit analysis for the complete system. We also emphasize that the focus of the evaluation is not, is system X the perfect security system? which is an impossible standard. Rather, the relevant question is which of the available alternatives should be used? Providing strong evidence that one alternative is superior to other approaches is often feasible, even when providing exact quantitative measures of value is not.

Introduction

There has been significant recent research interest in game-theoretic approaches to security at airports, ports, transportation, shipping and other infrastructure (Basilico, Gatti, and Amigoni, 2009; Conitzer and Sandholm, 2006; Kiekintveld et al., 2009; Pita et al., 2008). Much of this work has used a Stackelberg game framework to model interactions between the security forces and attackers. That is, the defender (i.e., the security forces) acts first by committing to a patrolling or inspection strategy, and the attacker chooses where to attack after observing the defender's choice. The typical solution concept applied to these games is strong Stackelberg equilibrium (SSE), which assumes that the defender will choose an optimal mixed (randomized) strategy based on the assumption that the attacker will observe this strategy and choose an optimal response. This leader-follower paradigm appears to fit many real world security situations. Indeed, Stackelberg games are at the heart two major decision-support applications: the ARMOR program in use at the Los Angeles International Airport since 2007 to randomize allocation of checkpoints and canine patrols (Pita et al., 2008), and the IRIS program in use by the U.S. Federal Air Marshals to randomize assignments of air marshals to flights (Tsai et al., 2009).

However, there are legitimate concerns about whether the Stackelberg model is appropriate in all cases.

Introduction

Algorithms for attacker-defender Stackelberg games, resulting in randomized schedules for deploying limited security resources at airports, subways, ports, and other critical infrastructure have garnered significant research interest (Parachuri et al. 2008; Kiekintveld et al. 2009). Indeed, two important deployed security applications are using such algorithms: ARMOR and IRIS. ARMOR has been in use for over two years by Los Angeles International Airport police to generate canine-patrol and vehicle-checkpoint schedules (Pita et al., 2009). IRIS was recently deployed by the Federal Air Marshals Service (FAMS) to create flight schedules for air marshals (Tsai et al., 2009). These applications use efficient algorithms that solve large-scale games (Parachuri et al., 2008; Conitzer and Sandholm, 2006; Basilico, Gatti, and Amigoni, 2009), the latest being ERASER-C, the algorithm used in IRIS.

Unfortunately, current state-of-the art algorithms for Stackelberg games are inadequate for many applications. For example, U.S. carriers fly over 27,000 domestic and 2,000 international flights daily, presenting a massive scheduling challenge for FAMS. IRIS addresses an important part of this space – the international sector – but only considers schedules with a single departure and return flight. The ERASER-C algorithm used in this application does not provide correct solutions for longer and more complex tours (which are common in the domestic sector). In fact, recent complexity results show that the problem of finding Stackelberg equibria with general scheduling constraints is NP-hard (Korzhyk, Conitzer, and Parr, 2010) and can be solved in polynomial time only for restricted cases.

Since the days of Sparta and Athens the use of the world's Maritime Transportation System (MTS) to move goods and services has been a critical facet of a nation's economic well-being. The MTS served as a “center of gravity” with nations trading as far away as distant continents or as close as two ports located in the same country or region. Corbett and Winebrake (2008: 6) summarized that the MTS “is an integral, if sometimes less publicly visible, part of the global economy” and that the MTS consists of “a network of specialized vessels, the ports they visit, and transportation infrastructure from factories to terminals to distribution centers to market.” The security of this system is imperative as goods move through the ports and waterways within national boundaries, into the littorals, and out into the world-wide Global Maritime Commons.

The issue of security within this global system is complicated because the number of attack vectors and methods an adversary can take are endless. The attackers also hold an advantage in their ability to select the time, place, and method of an attack … and to abort an attack if counterdetection occurs. The introduction of suicide attackers has made the security challenge even more daunting as bombers are willing to give their own lives for their cause. Pape (2003: 344) noted that “suicide terrorism is strategic. The vast majority of suicide attacks are not isolated or random acts by individual fanatics.”

Introduction

In Stackelberg games, one player, the leader, commits to a strategy publicly before the remaining players, the followers, make their decisions (Fudenberg and Tirole, 1991). There are many multi-agent security domains, such as attacker-defender scenarios and patrolling, for which these types of commitments by the security agent are necessary (Agmon et al., 2008; Brown et al., 2006; Kiekintveld et al., 2009; Paruchuri et al., 2006), and it has been shown that Stackelberg games appropriately model these commitments (Paruchuri et al., 2008; Pita et al., 2008). For example, security personnel patrolling an infrastructure decide on a patrolling strategy first, before their adversaries act taking this committed strategy into account. Indeed, Stackelberg games are at the heart of theARMOR system, deployed at LAX since 2007 to schedule security personnel (Paruchuri et al., 2008; Pita et al., 2008), and they have recently been applied to federal air marshals (Kiekintveld et al., 2009). Moreover, these games have potential applications for network routing and pricing in transportation systems, among many others possibilities (Cardinal et al., 2005; Korilis, Lazar, and Orda, 1997).

Existing algorithms for Bayesian Stackelberg games find optimal solutions considering an a priori probability distribution over possible follower types (Conitzer and Sandholm, 2006; Paruchuri et al., 2008). Unfortunately, to guarantee optimality, these algorithms make strict assumptions on the underlying games; namely, that players are perfectly rational and that followers perfectly observe the leader's strategy. However, these assumptions rarely hold in real-world domains, particularly those involving human actors.