Strategic Monitoring of Networked Systems with Heterogeneous Security Levels

To carry out our analysis, we first introduce additional quantities and notations: For any optimization problem $(\mathcal{O})$, we denote by $z^{*}_{(\mathcal{O})}$ its optimal value. Then, for every location $x\in\mathcal{X}$, let $\overline{\varphi}_{x}\coloneqq\min_{u\in U_{x}}\varphi_{u}$ denote the lowest security level of a component in the monitoring set of $x$. This quantity will impact the operator’s monitoring strategy, as the objective is to maximize the worst-case component post-security level. We quantify the criticality of a location $x\in\mathcal{X}$ (resp. component $u\in\mathcal{U}$) from the value of $\overline{\varphi}_{x}$ (resp. $\varphi_{u}$): If $\overline{\varphi}_{x}$ (resp. $\varphi_{u}$) is low, we say that $x\in\mathcal{X}$ (resp. $u\in\mathcal{U}$) is more critical. We additionally define, for every sensor positioning $X\in\mathcal{A}$ and every location $x\in\mathcal{X}$, $\bar{f}(X,x)\coloneqq\overline{\varphi}_{x}\mathds{1}_{\{x\notin X\}}+\mathds{1}_{\{x\in X\}}$ to be the lowest post-security level within the monitoring set $U_{x}$.

For any subset of locations $C\subseteq\mathcal{X}$ (resp. any subset of components $T\subseteq\mathcal{U}$), we denote as $\overline{\varphi}_{C}$ (resp. $\varphi_{T}$) the following vector $(\overline{\varphi}_{x})_{x\in C}$ (resp. $(\varphi_{u})_{u\in T}$), sorted in nondecreasing order. For every subset of components $T\subseteq\mathcal{U}$, we also define the following quantity $S_{T}\coloneqq\sum_{u\in T}(1-\varphi_{u})^{-1}$.

For any vector $y\in\mathbb{R}^{n}$, we denote its support as $\operatorname{supp}(y)\coloneqq\{i\in\llbracket 1,n\rrbracket\ |\ y_{i}\neq 0\}$, where $\llbracket 1,n\rrbracket=\{1,\dots,n\}$. Then, given a monitoring strategy $\sigma^{1}\in\Delta^{1}$, we define its node basis as $\mathcal{X}(\sigma^{1})\coloneqq\cup_{X\in\operatorname{supp}(\sigma^{1})}X$, that is, the set of nodes that are monitored with positive probability under the monitoring strategy $\sigma^{1}$. Note that node bases provide a good indicator of the practical implementability of a monitoring strategy: A strategy that monitors a small number of locations can easily be implemented in practice via a randomized scheduling of operations [36].

We consider the collection of set covers $\mathcal{S}$ of our networked system. Specifically, a subset of locations $C\subseteq\mathcal{X}$ is a set cover if $U_{C}=\mathcal{U}$, i.e., every component is monitored from at least one location in $C$. Let $n^{*}$ denote the minimum set cover size. We note that if $r\geq n^{*}$, then an optimal solution of the network monitoring problem ($\mathcal{M}$) consists of placing sensors on a set cover and ensuring a post-security level of 1 for every component. Henceforth, we assume that $r<n^{*}$.

Finally, we consider the collection of set packings $\mathcal{T}$ of our networked system. Specifically, a subset of components $T\subseteq\mathcal{U}$ is a set packing if $|T\cap U_{x}|\leq 1$ holds for every $x\in\mathcal{X}$. Set packings indicate the spread of the network, which directly impacts the monitoring strategy of the operator: Since components in a set packing must be monitored from distinct sensor locations, a network with large set packings is more challenging to protect. We denote the maximum set packing size as $m^{*}$.

We first analyze the structure of the network monitoring problem ($\mathcal{M}$) and derive bounds on its optimal value. To obtain a lower bound on $z^{*}_{(\mathcal{M})}$, we simplify the problem by supposing that when the operator places a sensor at location $x\in\mathcal{X}$, they protect the component $u$ within the monitoring set $U_{x}$ that is the most critical. The premise is that the post-security level achieved for any component in $U_{x}$ will be at least that of component $u$. Formally, we relax the objective function of ($\mathcal{M}$) and consider the following problem:

Problem ($\overline{\mathcal{M}}$) selects a monitoring strategy $\sigma^{1}$ that partitions the set of components $\mathcal{U}$ into two subsets: the subset of components $\mathcal{U}\setminus U_{\mathcal{X}(\sigma^{1})}$ that are never monitored by $\sigma^{1}$ and for which the post-security levels are given by the corresponding original security levels; and the subset of components $U_{\mathcal{X}(\sigma^{1})}$ that are monitored with positive probability. In this latter set, $\sigma^{1}$ guarantees a post-security level for every component in $U_{\mathcal{X}(\sigma^{1})}$ by improving the lowest security level within each monitoring set $U_{x}$ for $x\in\mathcal{X}(\sigma^{1})$.

In fact, we provide in the next lemma a different perspective on problem ($\overline{\mathcal{M}}$) to guide our analysis:

Thus, ($\overline{\mathcal{M}}$) can be solved by first determining the set of locations $C$ over which to randomize the placement of sensors, and then determining the monitoring strategy that optimizes ($\mathcal{R}_{C}$). Given a preselected subset of $n$ locations $C=\{x_{1},\dots,x_{n}\}\subseteq\mathcal{X}$, indexed such that $\overline{\varphi}_{x_{1}}\leq\cdots\leq\overline{\varphi}_{x_{n}}$, we provide some intuition on the monitoring strategy $\sigma^{1}$ that maximizes $\min_{x\in C}\mathbb{E}_{X\sim\sigma^{1}}[\bar{f}(X,x)]$. Initially, the goal is to randomize the placement of the sensors among the locations in $C$ so as to equalize the post-security level of the most critical component in each of their monitoring sets. However, because of the heterogeneity of the security levels, the operator should instead focus on the most critical locations and not monitor the most secure locations. The number of most critical locations in $C$ to monitor is given by

For simplicity, we also denote $S^{k^{*}}_{C}\coloneqq\sum_{l=1}^{k^{*}_{C}}(1-\overline{\varphi}_{C})^{-1}$.

Using this property and the collection of set packings $\mathcal{T}$, we can then derive the following main theorem:

Interestingly, from this theorem, we find that solving problem ($\overline{\mathcal{M}}$) indeed provides a lower bound on the optimal value of ($\mathcal{M}$). Furthermore, given a subset of sensor locations $C\subseteq\mathcal{X}$ of size greater than $r$, the post-security level that can be guaranteed for any component in $U_{C}$ is given by $1-\frac{k^{*}_{C}-r}{S^{k^{*}}_{C}}$. To achieve this post-security level, the network operator must ensure that the probability that each location in $C$ is monitored follows (1). Importantly, we find that the $k^{*}_{C}$ most critical locations must be monitored, with a probability that is decreasing with the associated lowest security level. In contrast, the remaining locations should not be monitored, as their security levels are already larger than the post-security level achieved for the $k^{*}_{C}$ most critical locations (by definition of $k^{*}_{C}$). We note that a monitoring strategy satisfying (1) is guaranteed to exist by Farkas’ lemma [41, 6].

From Theorem 3.3, we also find that upper bounds on the optimal value of the network monitoring problem ($\mathcal{M}$) can be computed from set packings. We will leverage this finding to efficiently compute optimality gaps for our solutions.

From our structural analysis and Theorem 3.3, we next derive a three-step approach to approximately solve the network monitoring problem ($\mathcal{M}$). Steps 1 and 2 compute a monitoring strategy that optimally solves the relaxed problem ($\overline{\mathcal{M}}$), and step 3 computes a set packing that achieves the upper bound from Theorem 3.3.

In the first step, we formulate a MIP to compute $z^{*}_{(\overline{\mathcal{M}})}$ as well as the marginal probabilities of monitoring each location at optimality of ($\overline{\mathcal{M}}$). In particular, we leverage the fact that the objective function in ($\mathcal{R}_{C}$) can be expressed using these marginal probabilities. Indeed, for every $\sigma^{1}\in\Delta^{1}$ and $x\in\mathcal{X}$,

Using Lemma 3.2, we then formulate the following MIP, which we refer to as a generalized covering set problem:

Here, for every $x\in\mathcal{X}$, the binary variable $y_{x}$ determines if $x$ can receive a sensor, while the continuous variable $\rho_{x}$ determines the marginal probability that $x$ receives a sensor. $M_{1}$ is a “big M”, which we can set to $1-\min_{u\in\mathcal{U}}\varphi_{u}$. Given $C=\{x\in\mathcal{X}\ |\ y_{x}=1\}$, we then observe that constraints (3) (combined with (2)) model $\min_{x\in C}\mathbb{E}_{X\sim\sigma^{1}}[\bar{f}(X,x)]$, while constraints (4) model $\min_{u\notin U_{C}}\varphi_{u}$. In fact, we show the equivalence between ($\overline{\mathcal{M}}$) and ($\mathcal{C}$):

Thus, the optimal value of ($\overline{\mathcal{M}}$) can be computed by solving ($\mathcal{C}$). In addition, given an optimal solution $(y^{*},z^{*},\rho^{*})$ of ($\mathcal{C}$), $\rho^{*}$ provides the marginal probabilities that each node must be monitored at optimality of ($\overline{\mathcal{M}}$).

The second step of our approach consists of reconstructing an optimal solution of ($\overline{\mathcal{M}}$) from $\rho^{*}$. To this end, we utilize the combinatorial algorithm derived in [8] that computes a probability distribution $\sigma^{1^{*}}\in\Delta^{1}$ satisfying $\mathbb{P}_{X\sim\sigma^{1^{*}}}(x\in X)=\rho^{*}_{x}$ for every $x\in\mathcal{X}$. From Proposition 3.4, this guarantees the optimality of $\sigma^{1^{*}}$ for ($\overline{\mathcal{M}}$).

Specifically, the algorithm iteratively expresses a vector $\rho\in[0,1]^{|\mathcal{X}|}$ satisfying (6) as a convex combination of the incidence vector of a sensor positioning $X\in\mathcal{A}$, and another vector $\rho^{\prime}\in[0,1]^{|\mathcal{X}|}$ satisfying (6) and with at least one additional integral component compared to $\rho^{*}$. We refer the reader to [8] for the detailed algorithm, which we henceforth refer to as the coordination algorithm.

Importantly, given $n=|\operatorname{supp}(\rho^{*})|$ the number of locations that must receive a sensor with positive probability, this algorithm runs in time $O(n^{2})$ and constructs a monitoring strategy of support size $n+1$. We recall that a monitoring strategy with small support and/or small node basis can more easily be implemented in practice. We will numerically evaluate the node basis sizes of our solutions in our computational study.

The final step of our approach consists of evaluating the optimality gap of our solution for the network monitoring problem. To this end, we derive a MIP to efficiently compute the upper bound on $z^{*}_{(\mathcal{M})}$ from Theorem 3.3. Specifically, we aim to compute a set packing $T\in\mathcal{T}$ that minimizes $1-\frac{|T|-r}{S_{T}}$, which is equivalent to finding a set packing of size greater than $r$ that minimizes $\frac{S_{T}}{|T|-r}$. Although this is a nonlinear set packing problem, we can reformulate it as the following MIP:

Specifically, the binary variables $y_{u}$, for $u\in\mathcal{U}$ select the components to be part of the set packing. To parametrize the nonlinearity of the problem, we introduced for every $l\in\llbracket r+1,|\mathcal{U}|\rrbracket$ the binary variable $z_{l}$, which is equal to 1 if the set packing is of size $l$. Finally, for every $l\in\llbracket r+1,|\mathcal{U}|\rrbracket$, the continuous variable $t_{l}$ represents the product $z_{l}\sum_{u\in\mathcal{U}}(1-\varphi_{u})^{-1}y_{u}$. Constraints (7) ensure that $\operatorname{supp}(y)$ is a set packing. Constraints (8)-(9) select the set packing size. Then, constraints (10)-(11) ensure that at optimality, the objective value is equal to ${\sum_{u\in\operatorname{supp}(y)}(1-\varphi_{u})^{-1}}/{(|\operatorname{supp}(y)|-r)}$. $M_{2}$ is also a “big M”, which we can set to $|\mathcal{U}|(1-\max_{u\in\mathcal{U}}\varphi_{u})^{-1}$.

As a consequence, the upper bound on the optimal value of ($\mathcal{M}$) from Theorem 3.3 can computed by solving ($\mathcal{P}$):

We note that the number of variables in ($\mathcal{P}$) can be reduced in practice by computing an upper bound on the maximum set packing size in the networked system. Given the maximum set packing size $m^{*}$ (or an upper bound), then we can reduce the variables in ($\mathcal{P}$) from $|\mathcal{U}|+2(|\mathcal{U}|-r)$ to $|\mathcal{U}|+2(m^{*}-r)$, and set $M_{2}$ to $m^{*}(1-\max_{u\in\mathcal{U}}\varphi_{u})^{-1}$, which can provide significant computational benefits.

Thus, we obtain a three-strep approach to compute an approximate solution to the network monitoring problem ($\mathcal{M}$) and evaluate its optimality gap. Next, we further study our solution for problem instances with particular characteristics.

Problem ($\mathcal{M}$) can be formulated as a linear program with a large number (${|\mathcal{X}|\choose r}+1$) of variables and a small number ($|\mathcal{U}|+1$) of constraints. Such problems can potentially be solved using the column generation algorithm, as long as the pricing problem can be solved efficiently.

Specifically, at each iteration of the column generation algorithm, the following restricted master problem is solved:

where $\mathcal{I}\subseteq\mathcal{A}$ is a subset of feasible sensor positionings. To determine if the optimal solution of ($\mathcal{M}_{\mathcal{I}}$) is optimal for ($\mathcal{M}$), the algorithm then determines the variable in ($\mathcal{M}$) with highest reduced cost. Let $(\alpha^{*},\beta^{*})$ denote the optimal dual variables of ($\mathcal{M}_{\mathcal{I}}$), associated with constraints (12)-(13). Then, the variable with highest reduced cost can be determined by solving the following pricing problem:

In fact, the pricing problem for ($\mathcal{M}$) is a maximum weighted covering problem, and can be solved using the following IP:

In this IP, the binary variables $z_{x}$, for $x\in\mathcal{X}$, represent the nodes that receive a sensor, and the binary variables $y_{u}$, for $u\in\mathcal{U}$, represent the components that are monitored by at least one sensor.

If $z^{*}_{(\mathcal{W})}=0$, then the optimal solution of ($\mathcal{M}_{\mathcal{I}}$) is optimal for ($\mathcal{M}$), and the algorithm terminates. If instead $z^{*}_{(\mathcal{W})}>0$, then given an optimal solution $(y^{*},z^{*})$ of ($\mathcal{W}$), the algorithm adds $X^{*}=\operatorname{supp}(z^{*})$ to the set $\mathcal{I}$ of variable indices, and solves the new restricted master problem ($\mathcal{M}_{\mathcal{I}}$).

Problem ($\mathcal{M}$) is also equivalent to a simultaneous two-person zero-sum game, where the first player is the network operator who places $r$ sensors across the networked system and the second player is an attacker who targets a component. The payoff function is given by $f$, which the operator (resp. attacker) wants to maximize (resp. minimize).

In fact, [48] devised a multiplicative weights update algorithm for computing approximate mixed Nash equilibria of such simultaneous games, as long as one player has a small number of actions and the other player can efficiently compute best responses. The algorithm runs for $N$ iterations, and at each iteration $t\in\llbracket 1,N\rrbracket$, generates a probability distribution $\sigma^{2,t}$ over $\mathcal{U}$ for the attacker as well a feasible sensor positioning $X^{t}\in\mathcal{A}$ for the network operator. The algorithm starts by setting $\sigma^{2,1}$ to the uniform distribution over $\mathcal{U}$. Then, at each iteration $t\in\llbracket 1,N\rrbracket$, the algorithm determines the operator’s best response to $\sigma^{2,t}$ by solving the following problem:

In our setting, this problem can also be formulated as a maximum weighted covering problem and can be solved using the following IP:

Then, the algorithm updates the attacker’s strategy using the following multiplicative weights update:

where $\eta=\left(1+\sqrt{2\frac{\ln|\mathcal{U}|}{N}}\right)^{-1}$. The authors in [48] showed that the monitoring strategy $\bar{\sigma}^{1}\in\Delta^{1}$ that uniformly randomizes over the $N$ best responses $X^{1},\dots,X^{N}$ satisfies:

Thus, if $N=4\lceil\frac{\ln|\mathcal{U}|}{\epsilon^{2}}\rceil$ for $\epsilon>0$, then the (absolute) optimality gap associated with the monitoring strategy $\bar{\sigma}^{1}$ generated by this algorithm is upper bounded by $\epsilon$.

In fact, [7] showed that each iteration of this algorithm can be conducted in polynomial time by approximately solving ($\mathcal{W}^{\prime}$) using a greedy algorithm. However, the resulting guarantee on the monitoring strategy $\bar{\sigma}^{1}$ becomes

for $T=4\lceil\frac{\ln|\mathcal{U}|}{\epsilon^{2}}\rceil$. Since commercial solvers are now highly efficient at solving classical IPs, we instead optimally solve ($\mathcal{W}^{\prime}$) at each iteration of the algorithm.

We now move to computational experiments, where we evaluate the three approaches presented in this article and compare their running times, as well as the performance and implementability of the monitoring strategies they generate.

We first consider the security problem where the operator of a water distribution system aims to allocate sensors to monitor their network against adversarially-induced contamination events. We model the water distribution system as a directed graph, with the vertices representing pumps, junctions, and water tanks, while the edges represent pipes. The direction of every edge is adopted to be in the direction of the water flow. We assume that the operator has access to contaminant detection sensors that can be deployed on valve access points or fire hydrants and measure water quality indicators such as electrical conductivity, free and total chlorine, turbidity, and oxygen reduction potential in the water [49, 50, 51].

In this application, the set of vulnerable components $\mathcal{U}$ (resp. set of sensor locations $\mathcal{X}$) is given by the set of edges (resp. nodes) of the graph modeling the water network. Monitoring sets are constructed through simulations using a hydraulic network solver [52] that tracks the advection and reaction dynamics from a contaminant intrusion event [53]. In practice, the security levels of components can be assessed based on previously deployed security measures and their accessibility to an adversary. One can then use different security scales to determine quantitative values for the security levels based on that assessment [54]. In this application, we adopt the scale $\{0.2,0.4,0.6,0.8\}$ for security levels, and randomly assign them to each component.

Next, we implement the three solution approaches described in Sections 3 and 4 on the water distribution system ky5 [55]. This anonymized real-world water network from Kentucky comprises 496 pipes and 420 nodes (junctions, water tanks, pumps), satisfies a demand of 2.28 million gallons of water per day, and spans 52.3 miles. In Fig. 2, we illustrate the bounds derived in Theorem 3.3 and computed by solving the generalized covering set problem ($\mathcal{C}$) and the nonlinear set packing problem ($\mathcal{P}$), respectively.

From Fig. 2, we observe that the bounds obtained from ($\mathcal{C}$) and ($\mathcal{P}$) are close to the optimal value of ($\mathcal{M}$). On average, the optimality gap given by the bounds does not exceed $4.7\,\%$, while the actual optimality gap is equal to $3.6\,\%$ on average.

In general, we observe that $z^{*}_{(\mathcal{M})}$ increases nonlinearly with respect to the number of sensors. When $r$ is small, the optimal monitoring strategy focuses on protecting the most vulnerable components (with a security level of $0.2$). As the operator has access to more sensors, they randomize their placement to increase the post-security level of less critical components. With 19 sensors, the operator can monitor all components and ensure a post-security level of 1 for the entire network.

Next, we compare the running times of the various approaches. Specifically, we illustrate the time to (a) solve ($\mathcal{P}$) and get an upper bound on $z^{*}_{(\mathcal{M})}$, (b) solve ($\mathcal{C}$) and construct a monitoring strategy using the coordination algorithm (CA), (c) solve ($\mathcal{M}$) using column generation (CG), and (d) solve ($\mathcal{M}$) using multiplicative weights updates (MWU) with $N=2,480$ iterations to ensure a theoretical (absolute) optimality gap of $\epsilon=0.1$. Their running times are illustrated in Fig. 3.

Fig. 3 shows that the upper bound on $z^{*}_{(\mathcal{M})}$ derived in Theorem 3.3 can be efficiently computed; by solving ($\mathcal{P}$), we obtain the upper bound in less than $0.2$ seconds. We also observe that the number of sensors has limited impact on the running time.

Furthermore, we find that CG is approximately 100 times faster than MWU. This is in part due to the number of iterations that are required for MWU to theoretically guarantee a small optimality gap. Interestingly, we find that CG can efficiently compute an optimal solution of ($\mathcal{M}$) when the number of sensors is small. However, as $r$ increases, the running time of CG increases exponentially. Finally, we find that our approximate monitoring strategy, which achieves the lower bound in Theorem 3.3 and is obtained by solving ($\mathcal{C}$) + CA, can be efficiently computed.

Finally, we compare the implementability of the solutions generated by the three approaches by illustrating their node basis sizes in Fig. 4.

Fig. 4 clearly shows the implementability advantage of our monitoring strategy. In particular, we find that our solution requires monitoring at most 20 different locations and achieves an excellent worst-case post-security level (from Fig. 2). In contrast, the optimal post-security level achieved using CG or MWU requires monitoring up to 180 different locations. From an implementation perspective, our monitoring strategy is considerably easier to translate into a daily/weekly scheduling of monitoring operations.

We now show how our findings can be used to protect actuators in a networked control system from extended replay attacks. The networked system consists of a set of physical states $\mathcal{X}$ and actuators $\mathcal{U}$, as well as fixed unprotected sensors. We consider an attacker who aims to conduct an undetectable attack on an actuator using an extended replay strategy. More precisely an extended replay attack on an actuator is undetectable if the sensor measurements remain in the steady state during the attack. To this end, the attacker must also compromise a subset of components (i.e., unprotected sensors and other actuators) to ensure that the attack is undetected. Such subset of components typically depends on the dynamics of the networked system, and can be efficiently determined in large-scale systems [10, Chapter 7],[35].

Importantly, the vulnerability of an actuator $u$ with respect to extended replay attacks can be determined based on its security index $\delta_{u}$, which represents the minimum number of sensors and actuators, including $u$ itself, that the attacker must compromise to conduct an undetectable extended replay attack against $u$, in the absence of protected sensors [10, Chapter 7]. If no undetectable extended replay attack against $u$ is possible, then $\delta_{u}=+\infty$. We can then scale these security indices and define security levels for this application, following our modeling framework. Specifically, we adopt an identical scale as in the previous application, and define the security level of each actuator $u\in\mathcal{U}$ as follows:

To defend the networked system, we assume the operator possesses protected sensors that cannot be compromised by the attacker and that can be positioned within the network. We assume that each positioned sensor can only measure one physical state, which is a commonly adopted model of large–scale systems [56, 57, 32]. In particular, a protected sensor can detect if the state it measures deviates from its steady state value during an extended replay attack. Thus, actuator $u\in\mathcal{U}$ belongs to the monitoring set of state $x\in\mathcal{X}$ if placing a protected sensor at $x$ prevents the attacker from conducting an undetectable extended replay attack on $u$.

We now consider the IEEE 2383 bus power system. We model the system using linearized swing equations where the generators are represented by two states (rotor angle and frequency) and load buses with one state (voltage angle) [58]. We assume that all $|\mathcal{X}|=3037$ states are measurable, and that the attacker can conduct an attack using $|\mathcal{U}|=1042$ loads (we randomly selected 30$\%$ of the loads to be attackable) [59]. Table 1 compares the performance of the different solution approaches on this networked system. Note that we set a time limit of 10 minutes for each approach.

We observe that for this network, our solution approach optimally solves the network monitoring problem ($\mathcal{M}$). Indeed, the upper bound obtained by solving ($\mathcal{P}$) guarantees that the monitoring strategy computed from ($\mathcal{C}$) + CA is optimal for ($\mathcal{M}$) for every number of sensors. Although we observe some variance in the running time of our approach, the average running time for this network is 29 seconds. In general, we find that the hardest instances to solve are for which the number of sensors to position is high but not too close to the minimum set cover size. On the other hand, MWU achieves a very high performance, but requires 393 seconds on average. This illustrates the fact that the empirical performance of MWU is better than the theoretical guarantees [48]. In contrast, we find that CG scales poorly with the number of sensors, which is interesting given that MWU and CG solve the very similar IPs ($\mathcal{W}$) and ($\mathcal{W}^{\prime}$). Finally, we similarly note that the node basis (i.e., the locations that are monitored with positive probability) of our monitoring strategy is up to 3 times smaller than when utilizing CG or MWU, thus providing a solution that is more easily implementable in practice.

In summary, we find that by extracting the structure of the network monitoring problem, we could derive an efficient solution approach. Our approach solves two IPs and runs the coordination algorithm to directly obtain a monitoring strategy with strong performance guarantees and that is easier to implement in practice. This contrasts with the classical CG and MWU algorithms that iteratively refine their solutions and generally run more slowly.

Interestingly, more flexibility can be embedded in our solution approach. For instance, if the operator is interested in an even simpler monitoring strategy, we can add the cardinality constraint $\sum_{x\in\mathcal{X}}y_{x}\leq s$ in ($\mathcal{C}$) to find the best monitoring strategy of ($\overline{\mathcal{M}}$) that monitors at most $s$ locations. This permits the operator to achieve the desired tradeoff between solution implementability and guaranteed post-security level.

Finally, we note that the three solution approaches can be combined for an even better performance. Indeed, for the instances for which our approach does not provide an optimal solution to the network monitoring problem ($\mathcal{M}$), we can utilize our solution as a warm start for CG and/or MWU, which will then iteratively improve it.