1. Introduction
Network design is a fundamental and well-studied problem. A game-theoretic approach to the analysis of network design has become especially relevant with the emergence of the Internet, where different users share resources like software or communication channels [
1,
2,
3]. Network games (NGs, for short) [
3,
4,
5] constitute a well studied model of non-cooperative games. The game is played among selfish players on a network, which is a directed graph. NGs are used to model resources as edges in a network and the cost involved in sharing these resources. Each player has a source and a target vertex, and a strategy is a choice of a path that connects these two vertices. The cost a player pays is the sum of costs of the edges his path traverses, where a cost of an edge depends on the
load on it, namely the number of players using the edge. We distinguish between two types of costs. In
cost-sharing games [
3], each edge has a cost and the players that use it split the cost among them, thus increased load decreases the cost. For example, when the costs correspond to prices, users that share a resource also share its price. Then, in
congestion games [
4], increased load increases the cost: each edge has a non-decreasing
cost function that maps the load on the edge to its cost given this load. For example, when the network models a road system and costs correspond to the travel time, an increased load on an edge corresponds to a traffic jam, increasing the cost of the players that use it.
Since the players attempt to minimize their own costs, they
selfishly select a path. The focus in game theory is on the
stable outcomes of a given setting. The most prominent stability concept is that of a
Nash equilibrium (NE) [
6]: a profile (vector of strategies, one for each player) such that no player can decrease his cost by unilaterally deviating from his current strategy; i.e., assuming that the strategies of the other players do not change
1. By [
4], there exists an NE in every NG. A
social optimum (SO) is a profile that minimizes the sum of the players’ costs; thus the one obtained if the players would have obeyed some centralized authority.
Finding SO and NE profiles is a complex and well studied problem that has been a driving force in the development of the algorithmic game theory field. Finding an SO is NP-complete [
7,
8]. Finding an NE is PLS-complete [
9,
10] (the complexity class PLS contains local search problems with polynomial time searchable neighborhoods [
11], thus it is between P and NP) and the complexity of finding an approximate NE was only recently settled in normal-form games [
12,
13]. The theoretical tools that have been developed are finding their way to practical applications such as auction design and network routing. For example, recently [
14], researchers have suggested to quantify the performance of a traffic network using the
Price of Anarchy measure [
15], which is the ratio between the costs the players pay in the SO and in the most expensive NE. This was done by modeling the network as an NG, and finding the SO and the most expensive NE in it. The high complexity of the problems becomes more acute when we keep in mind that the NGs we study often model huge networks. Indeed, the size of nowadays networks increases in an exponential rate, with networks having an increasing amount of information, and becoming more and more complex [
16,
17,
18].
The need to cope with very large models is a major research area in
formal verification. There, we check that a system satisfies its specification by translating the system into some formal model, typically a labeled state-transition graph, and applying model-checking procedures on this model [
19]. One of the most successful methodologies for reasoning about the huge state space of systems is
abstraction [
20,
21], where we hide some of the information about the system. This enables us to reason about systems that are much smaller, yet it gives rise to approximated solutions. Indeed, hiding of information may result in an
under-approximating system: one that has fewer behaviors than the original system, or in an
over-approximating system: one that has more behaviors than the original system. Abstraction methodologies use both types of approximations [
22,
23,
24].
An important step in methodologies that are based on abstraction is
refinement. Assume that we find an over-approximation of the system that does not satisfy a universal property. That is, the over-approximation has a forbidden behavior. It may be that this forbidden behavior exists also in the concrete system, in which case the verification algorithm terminates and reports a bug in the system. However, it may also be that the forbidden behavior exists only in the over-approximation, thus the counterexample is
spurious. Then, one can use the spurious counterexample to refine the over-approximation in a way that eliminates it, and repeat model-checking until either a real counterexample is found, or the over-approximation satisfies the property. This methodology, of
counterexample guided abstraction-refinement (CEGAR) has proven to be very effective [
25].
Abstraction has been studied in the context of extensive-form games. A strategy for a player in an extensive-form game prescribes which action to perform, given the histories of actions played so far. NGs, on the other hand, are “one-shot” games. The questions studied on NGs focus on stable outcome whereas in extensive-form games one often tries to find an optimal strategy for a player. The abstraction studied in [
26,
27] tries to merge states in the game tree that are indistinguishable for the players. The idea of merging configurations due to hidden information is the key also in abstractions used in formal methods, yet the technical details are very different. Then, in
action abstraction [
27,
28], some of the actions of the players are disabled, reducing the state space of reachable configurations in the game tree, which is again not similar to the approach taken here. Finally, formal methods often involve reasoning about multi-player games, and abstraction-refinement methodologies have been studied in this setting [
29,
30,
31,
32]. Such games model on-going interactions between processes, say a system and its environment, and are infinite-duration games, thus they are again different from the NGs we study here. Moreover, trying to abstract games by standard methods used in formal verification is a known challenge. Indeed, the most conservative form of abstraction is
bisimulation, which results in a system that is behaviourally equivalent, and it is proven in [
33] that NEs are not preserved under bisimulation. Moreover, given the effectiveness of abstractions, researchers have tried to identify games in which NEs are preserved by bisimulation (as is the case, for example, in iterated Boolean games [
34]) and have extended the definition of bisimulation to multi-agent systems [
29].
In this paper, we introduce and study an abstraction-refinement methodology for reasoning about network games. Given an NG
defined over a network with a set
V of vertices, an
abstraction function for
is a function
, for some set
A of abstract vertices. We assume that
A is smaller than
V, thus the function
induces a partition of
V. We define the
under-approximation of with respect to α, denoted
, and the
over-approximation of with respect to α, denoted
. Both approximations are NGs that have
A as their set of vertices. The under- and over-approximation is in the definition of the edges and the cost functions. Intuitively,
is less appealing to the players than
: they have fewer possible profiles, and the profiles that are possible are at least as expensive as the ones that correspond to them in
. Accordingly, the edges under-approximate these in
: there is an edge from an abstract vertex
a to an abstract vertex
if all the concrete vertices that are mapped by
to
a have an edge to a concrete vertex that is mapped by
to
(a.k.a.
must transitions [
21,
22]). In addition, the cost of an abstract edge is essentially the maximal cost of a concrete edge that induces it. Dually,
is more appealing to the players: they have more and cheaper profiles than in
. Accordingly, the edges in
over-approximate these in
: there is an edge from
a to
if some concrete vertex that is in
a has an edge to some concrete vertex that is mapped to
(a.k.a.
may transitions), and the cost of an abstract edge is essentially the minimal cost of a concrete edge that induces it. Traditional abstraction-refinement methodologies in formal verification focus on the transition relation. An extension that takes costs into account has been studied in [
35], where the costs of a weighted automaton are also abstracted. Here, we take into account the cost functions as well as the load. Indeed, the merging of edges may lead to a spurious increased load in the abstraction.
We show how and , which may be significantly smaller than , can be used in order to reason about the SO and the NE profiles of . Our methodology is based on the observation that each profile in can be mapped to at least one profile in with a lower or equal cost, and that each profile in can be mapped to a profile in with a lower or equal cost. Hence, for example, the cost of the SO in is bounded from above and below by the costs of the SOs in and , respectively. Moreover, refining tightens these bounds, so the user can control the trade-off between preciseness and complexity.
A more technically-involved use of the under- and over-approximations is an algorithm we present for finding an NE in . The algorithm, which can be viewed as the NG-analogue of CEGAR, is based on the notion of an abstract NE: we say that a profile P in is an abstract NE if no player has a beneficial deviation from P even in . Intuitively, an abstract NE has to face two challenges. First, the profile P has to exist in the under-approximation, where fewer strategies exist. In addition, deviations from P are possible in the over-approximation, where more strategies exist, and their cost is lower. Consequently, as we shall formally prove, an abstract NE can direct the search for a concrete NE: once we find an abstract NE P in , it is guaranteed that a concrete NE exists in when restricted to profiles that agree with P. Our algorithm finds an abstract NE if one exists and then directs the search for a concrete NE in a much smaller state space. It is, however, not necessary that an abstract NE exists in every abstract game. When a candidate profile in is an NE in but is not an abstract NE in , we use the spurious deviations of the players in in order to refine , which narrows the search space.
The reachability objectives in NGs enable the players to specify possible sources and targets. Often, it is desirable to refer also to other properties of the selected paths. For example, in a
communication setting, edges may belong to different providers, and a user may like to specify requirements like “all edges are operated by the same provider” or “no edge operated by AT&T is followed by an edge operated by Verizon”. Edges may also have different quality or security levels (e.g., “noisy channel”, “high-bandwidth channel”, or “encrypted channel”), and again, users may like to specify their preferences with respect to these properties. In
planning or in
production systems, nodes of the network correspond to configurations, and edges correspond to the application of actions. The objectives of the players are sequences of actions that fulfill a certain plan, which is often more involved than just reachability [
36]; for example “once the arm is up, do not put it down until the block is placed”.
In
automata games (AGs, for short) [
37], the edges of the network are labeled by letters from some finite alphabet
, and the players have objectives that refer to these labels and are more involved than the reachability objectives of NGs. Specifically, the objective of each player is a language over
, specifying a property of the path he should traverse. Note that unlike NGs, a strategy in an AG need not be a simple path. For example, if
includes the letters
and
-
, the objective of a player may be to reach some target via a path in which every visit to a noisy edge is followed eventually by a visit to an edge where a check-sum action is performed. Then, a player might be forced to use an edge several times in a strategy. We extended the abstraction-refinement methodology to AGs. We distinguish between two cost-sharing rules that can be applied in AGs. We show that in
uniform AGs, where the cost of an edge is shared uniformly among all the players that use it, our abstraction-refinement framework remains valid. On the other hand, in
proportional AGs, where the cost of an edge is shared among the players in proportion to the number of times they have used it, the framework cannot be applied as is. This has to do with the fact that proportional AGs are less stable than NGs, and in fact they need not have an NE [
37]. We are still able to use abstract AGs in order to restrict the search for an NE in proportional AGs.
We implemented our methodology and tested its performance on randomly-generated cost-sharing games. We examined the benefit of the abstraction, namely the ratio of the sizes of the concrete game and the abstract NE found in the approximation. We also examined the practicality of our approach, namely the number of CEGAR iterations until an abstract NE is found. We studied these questions for different parameters of the game. Our experimental results demonstrate the efficiency of the methodology. In particular, the results show that the overhead required for abstraction becomes more negligible for larger systems.
The paper is organized as follows. In
Section 2, we define NGs, an abstraction-refinement framework for them, and the notion of abstract NEs. In
Section 3, we study how the costs of profiles in a concrete NG relate to costs of profiles in its abstraction, and we focus on SO and NE profiles. In
Section 4 we describe our methodology for finding an NE in the concrete NG by reasoning about its abstractions, and in
Section 5, we describe experimental results that demonstrate the effectiveness of the methodology. Then, in
Section 6, we extend the setting to AGs, and in
Section 7 we discuss the results and point to directions for future research.
2. Preliminaries
2.1. Network Games
A network is a tuple , where V is a set of vertices and is a set of directed edges. For an integer , let . A network game (NG) is , where k is the number of players; is a network; for , the cost function maps the load on edge e, namely the number of players that use edge e, to the cost each of them pays for using e with this load; and for , the pair describes the objective of Player i: traversing from the source vertex to the target vertex .
We distinguish between two types of cost functions. In uniform cost-sharing games (CS-NGs, for short) the players that use an edge share its cost equally. Formally, each edge e is associated with a weight , and for all , we have . Thus, increasing the load in uniform cost-sharing games decreases the cost of the players. In contrast, in congestion games (CON-NGs, for short), the cost functions are non-decreasing, thus increasing the load also increases the cost for each player.
A strategy of a player is a simple path from to . Thus, , , , with , , and for all . A profile is a tuple of strategies, one for each player. Consider a profile in the game. We sometimes refer to a path as the set of edges that it traverses, thus . For an edge , we use to denote the number of players that traverse the edge e in P. Each player that uses e then pays , and the cost of Player i in P, denoted , is . The cost of the profile P, denoted , is the total cost incurred by all the players, i.e., . For a profile P and a strategy of player , let denote the profile obtained from P by replacing the strategy for Player i by . Given a profile , a best response (BR, for short) of Player i in P is a strategy such that for all strategies of Player i, we have that .
A profile P is a Nash equilibrium (NE) of a game if no player has an incentive to deviate for . Formally, a profile P is an NE if for every Player i and every strategy , we have . A social optimum (SO) of a game is a profile that attains the minimal cost over all profiles. We denote by the cost of an SO profile; i.e., . An SO can be thought of as an optimal solution imposed by a centralized authority, and need not be an NE.
2.2. Abstraction
Consider an NG . We refer to V as the set of concrete vertices. Let . An abstraction function for is a function , for a set A of abstract vertices. We assume that and that is such that for all , we have and for all . We also assume that A is smaller than V, thus the function induces a partition of V (with a singleton for each ). Accordingly, we sometimes refer to abstract vertices as sets of concrete vertices. In particular, when is clear from the context, we use , for and , to indicate that .
Consider the NG and an abstraction function . We define the under- and over-approximation of formally. Given , , and , we define , where the under- and over-approximating transition relations , and the under- and over-approximating cost functions and are defined as follows.
Transition relations: Consider two abstract vertices . Then, holds, that is, there is an abstract edge from the abstract vertex a to the abstract vertex in the under-approximation , if for every concrete vertex , there is a concrete vertex such that . Also, holds, that is, there is an abstract edge from the abstract vertex a to the abstract vertex in the over-approximation , if there exist concrete vertices and such that . Note that . For simplicity, we omit self-loops from and , as they are not going to be used anyway in strategies. We follow the common terminology in formal verification and refer to the under- and over-approximating edges as must and may edges, respectively. We extend to edges in the expected way. Thus, , for an edge , is . Note that is always in and may not be in .
Cost Functions: The definition of the under- and over-approximating cost functions depends on the type of . We first describe the definition and then explain it.
If is a CON-NG, then
- -
for every and , we have , and
- -
for every and , we have .
If is a CS-NG, then
- -
for every and , we have , and
- -
for every and , we have .
The idea behind the definition is as follows. Recall that in the under-approximation , we want the strategies to be more expensive. This is why we take, in , the maximal cost of edges that induce e. In CON-NGs, the cost increases with load and hence the cost function depends on x since we want more expensive profiles. In CS-NGs, we ignore x and assume that the load is 1. To see why, recall that an abstract edge is obtained by merging several concrete edges. Consequently, the load on e is the sum of the loads on these concrete edges. This load is fake: it is only due to the merging of concrete edges and not due to an actual increased load. In CON-NGs, where the cost functions increase with an increased load, fake load goes well with generating more expensive profiles. In CS-NGs, however, increased load decreases the cost, and we have to cancel the fake load. This is done by dividing the load by itself, which bounds the fake load. Recall that in a CS-NG , each edge has a weight such that . Thus, as , the definition is equivalent to one with .
Dually, the over-approximating cost function aims at providing cheaper strategies. Accordingly, depends on the minimum cost function of edges that induce e. Here, we have to cancel fake load in CON-NGs, as fake load increases the cost and may cause the cost of an abstract edge to go beyond the cost of the concrete edges that induce it.
When is clear from the context, we denote by . When we refer to the cost of a profile P in , we use the notation , to emphasize that the profile P is in .
The need for having under- and over approximating cost functions has been illustrated in Example 1.
Example 1. Consider the CON-NG appearing in the left of Figure 1. The under- and over-approximating NGs and appear on the right. The abstraction function α maps both and to . Thus and coincide in this example. In , there are two players: Player 1 with the objective and Player 2 with the objective . Note that in , Player 1 has only one strategy while Player 2 has two strategies. Let P be the profile in in which Player 2 has the strategy that uses the edge . It is easy to see that P is an NE in . Consider the outgoing edge from , in both and . If Player 2 chooses this edge, then it has a load of 2. This is a fake load due to merging of two concrete edges. Consequently, if we take the cost function to be l with no adjustment to the load, we get that the profile , which corresponds to P in and and in which both players go via is not an NE in and . Indeed, by deviating to the strategy that that uses the edge with cost 5, Player 2 reduces his cost to 5. Moreover, the obtained profile is an NE in and , which is bad, as it does not correspond to an NE in .
The function in cancels the fake load on the abstract edge, and accounts for the fact that single players use the concrete edges that induce it. Using , the profile becomes an NE in , as the cost of using the strategy with the edge is 4.
Below we show a more elaborate example of under- and over-approximations of an NG which will also serve as the running example in this paper.
Example 2. Consider the concrete NG described in the left side of Figure 2. The game is played among three players with a common source vertex s. The target for Player 1 is t. The target for Players 2 and 3 is . Consider an abstraction function α that maps the concrete vertices and to the abstract vertex , maps and to , and does not merge other concrete vertices. The under- and over-approximating NGs and are described in the right side of the figure. Consider for example the edges from to . Each of the concrete vertices and have an edge to a concrete vertex or . This is why . As for the cost, note that there are three concrete edges that induce . These are , and , with cost functions x, x and , respectively. Accordingly, , which is the maximal cost for one of these three edges, and , which is the minimal cost, applied for .
Consider the profile P in in which Player 1 chooses the path and Players 2 and 3 choose the path . In , the cost of Player 1 is and the cost of each of Players 2 and 3 is . The profile P is also a profile in , where and .
Let us emphasize the confusing fact that when we talk about an under-approximation, we take the maximum cost. This may seem counterintuitive. In order not to get confused, recall that the thing we are approximating is the range and attractiveness of possible profiles. In an under-approximation, we want both fewer and more expensive profiles. Dually, in an over-approximation, we take the minimum cost, as we want more and cheaper profiles. A similar intuition applies for the adjustment of the load.
2.3. Abstract NE
Recall that in an NE profile in a concrete NG is a profile from which no player has an incentive to deviate. In this section we define and discuss stable profiles in the abstraction of .
Definition 1. [Abstract NE]A profile in is an abstract NE if no player has a beneficial deviation from P even in . Formally, for all and strategies of Player i in , we have .
Intuitively, an abstract NE has to face two challenges. First, the profile P has to exist in the under-approximation, where fewer strategies exist. Second, existence of deviations from P is checked in the over-approximation, where more strategies may exist, and their cost is lower. Consequently, as we formally prove in Theorem 3, an abstract NE directs the search for a concrete NE: once we find an abstract NE P in , we know that a concrete NE exists in when restricted to profiles that agree with P. Formally, given an NG and a profile P in , the restriction of to P is the NG , where and appears in a strategy in .
Example 3. Recall the NG and its abstraction that are described in Example 2. Recall the profile P in which Player 1 chooses the path and Players 2 and 3 choose the path . Note that P is not an abstract NE. First, Player 1 can deviate to the strategy thereby avoiding the costly edge . Note that this strategy is spurious and has no corresponding concrete strategy. Also, Players 2 and 3 can benefit from unilaterally deviating from P to the strategy . Indeed, the cost of Player 2 (and similarly 3) in is 10 as the load on the must edge is 2, while by deviating to the may edge , the cost decreases to 2 as the load is 1. We now show that the abstract game in the right side of Figure 2 does not have an abstract NE. Please note that Player 1 has the following strategies in : , and . Please note that the strategies and of Player 1 are dominated by . A is the only strategy of Player 1 in .
Players 2 and 3 have the following strategies in : and ,
Please note that the strategies of Player 2 is dominated by both strategies E and F. Both E and F are valid strategies of Players 2 and 3 in .
Thus we consider the following profiles in and check if any of them is an abstract NE:
: Each player has a cost of 4 each. Player 1 can deviate to C and pay 1. Hence this profile is not an abstract NE.
: Player 1 pays 4, while Players 2 and 3 have a cost of 2 and 5 respectively. Again Player 1 can deviate to C and pay 1. Hence this profile is not an abstract NE.
: Player 1 pays 4, while each of Players 2 and 3 has a cost of 10. Again Player 1 can deviate to C and pay 1. Hence this profile is not an abstract NE.
Please note that the profile , is similar to the profile and hence omitted.
Of special interest, especially in the context of software-defined networks [
38], are NGs in which
for some set
X of variables. Then, abstraction functions are based on predicates on the variables in
X. Formally, let
be predicates on
X. Thus, each predicate
defines a subset
of assignments to
X that satisfy it. For example, if
, then
is such that
contains all the assignments to
X in which
or
. The common practice in
predicate abstraction is to start with a small set
of predicates, take
, and define
so that for every
, we have
. Thus, an assignment
S is mapped to the set of predicates that it satisfies.
The generation of and depends on the way is given. When is given in a succinct presentation, it is often possible to construct and on top of this succinct presentation. As an example, consider again the case , and assume that edge relation E is given by formula over the set of variables, where . Thus, for every pair of vertices , we have that if , where is the truth assignment to induced by v and . Then, different costs to transitions are defined by different formulas. A simple special case of predicate abstraction is one in which we hide some of the variables. Thus, , for some , and for all vertices , we have . Thus, the abstraction hides the variables in . Then, the definition of and is done by a suitable quantification on the hidden variables in : Let . Then, and .
Example 4. Consider a huge network of routers, describing external and internal communication among some entities. Each entity may be, for example, an intranet of a company or a large autonomous system of routers. Each router is encoded by variables in . The variables , for some , maintain the identity of each entity, and the variables maintain the internal identity of each router within its entity. The transitions in the network are described symbolically by some formula , where . In other words, describes the transitions among the different entities, and describes the internal ones, where guarantees that they are indeed internal. The network depicted in Figure 2 can be described as such a network. The entities are and we use three variables to identify them as , respectively. The transition function includes, for example, the disjunct inducing the transitions from to and . Please note that there can be many hidden internal nodes, i.e., we have . We now abstract the network further by using the predicates , which induce respectively the abstract states and in the abstract network in Figure 2. For example, only and satisfy the second predicate. 2.4. Refinement
Consider two abstraction functions and . We say that refines, denoted , if for all concrete vertices v and , if , then . That is, the partition of V that is induced by refines the partition induced by . Please note that whenever refines , we can view as an under-approximation of , and view as an over-approximation of . More formally, there is an abstraction function such that , and similarly for an over-approximation.
Recall the special interest in NGs in which
, for some set
X of variables, and
A is defined by a set
of predicates over
X. Then, refinement amounts to enlarging the set
of predicates. In particular, when
, for some
, and
, then, for
, an abstraction
refines an abstraction
. For example, we can refine the abstraction that is described in Example 4 by replacing the predicate
by two predicates
and
, which splits the state
in
Figure 2 and induces the network in
Figure 3.
3. On Abstract SOs and NEs
In this section we study the theoretical properties of abstraction in NGs and show how reasoning about the (much smaller) under- and over-approximations of an NG can be used for bounding the cost of an SO and for directing the search for an NE in . We first relate strategies and profiles in with strategies and profiles in its approximations.
Consider a network and a strategy of Player i in . The strategy that corresponds to in is obtained from by replacing each concrete edge h by the abstract edge , and removing cycles in the obtained path in . Please note that by the definition of , the edge exists in . Formally, we define as follows. Let , …, . We first define , , . Then, is obtained from by removing cycles; that is, by repeatedly removing subsequences , , , with . A profile in corresponds to the profile in .
Consider now a strategy
,
,
…,
of Player
i in
. By the definition of
, for every concrete vertex
v with
, and in particular for
– the source vertex of Player
i, there is a path in
from
v to some vertex
with
. Also, by the definition of
, we have that
– the target vertex of Player
i2, and for all the concrete vertices
with
, we have
. Hence, the strategy
in
induces at least one path
in
such that
and
. Let
be the nonempty set of these paths. Finally, a profile
in
corresponds to the set
of profiles
in
in which for all
, we have
.
We now relate the costs of corresponding profiles in , , and .
Lemma 1. Consider an NG and an abstraction function α.
- 1.
For every profile P in , the profile in is such that .
- 2.
For every profile P in and profile in , we have that .
Proof. We start with the first claim. Let in . Consider a strategy . By the definition of the over-approximating cost function , we have that for all edges and for every load , we have that . Indeed, if is a CON-NG, then is the minimum of a set one of whose elements is , which is smaller than , and if is a CS-NG, then is the minimum of a set one of whose elements is . Hence, for every , we have that , implying that , and we are done.
We proceed to the second claim. Let , with , ,…, . Consider a strategy . Let , , …, . By the definition of the under-approximating cost function , we have that for all and for every load , we have that . Indeed, if is a CON-NG, then is the maximum of a set one of whose elements is , and if is a CS-NG, then is the maximum of a set one of whose elements is , which is greater than . Hence, for every , we have that , implying that , and we are done. □
Theorem 1. For every NG and abstraction function α, we have .
Proof. We first show that . Consider a profile in . By Lemma 1, we have that . In addition, by definition, . Since this is valid for every profile P in , and in particular for SO profiles, it follows that .
It is left to show that . Consider a profile P in . By Lemma 1, for every profile , we have that . Also, is not empty. Since the profiles are in , we also have . Hence, , and we are done. □
Recall that given two abstraction functions and , if refines , then we can view as an under-approximation of , and view as an over-approximation of . Accordingly, Theorem 1 can be viewed as a special case of Theorem 2 below, with being the most refined abstraction function (that is, , with ), and being the refinement function studied there.
Theorem 2. Consider an NG and two abstraction functions and . If , then and .
Theorem 1 enables us to approximate the cost of an SO in using the costs of the SO in the much smaller and . We now turn to study how and can be used in order to direct the search for an NE in .
Theorem 3. Consider an NG , an abstraction function α for it, and an abstract NE P in . There exists a profile in that is a concrete NE in .
Proof. Let . Recall that is the NG obtained from by restricting it to profiles in . Let be a profile in such that for every player , deviation to each strategy where , is not beneficial for Player i. We prove that is also an NE in .
Consider a deviation of Player i from his strategy in . Let . We distinguish between two cases.
First, if , then, by the definition of , the deviation to is not beneficial to Player i.
Otherwise, recall that . Therefore, by the proof of Lemma 1, for all players , we have that . In addition, since P is an abstract NE, we have that . In addition, . Hence, by Lemma 1, we have that . It follows that , making the deviation non-beneficial. Hence, is an NE in , and we are done. □
Please note that profiles in
can be searched for in
. Thus, as we elaborate in
Section 4, an NE in
can be found by a sequence of best response moves restricted to
.
4. An Abstraction-Refinement Procedure for Finding an NE
In this section we describe an abstraction-refinement procedure for finding an NE in an NG . The input to the procedure is a concrete NG
and an abstraction function
for it. Experience in formal verification suggests that abstraction functions that are supplied by users familiar with the network, are the most successful ones. Alternatively, one can start with a coarse abstraction and refine it as we do in
Section 5.
The output of the procedure is a concrete NE in
. Since the state space of
and
is much smaller than that of
, we would like to perform as many as possible computations on the approximating networks. Our procedure (see
Figure 4 for an overview) consists of two parts. The first, in which an abstract NE
is found, is done entirely in
and
, and it is the procedure we have implemented. The second, in which a concrete NE is found, is done in
, restricted to
. Thus, as is the case of the CEGAR methodology in formal verification, there is no way to avoid
entirely, yet we can significantly restrict the part of it in which the search proceeds. Moreover, it is possible to refine
and tighten
further. In
Section 5, we show that the restriction indeed significantly reduces the size of the network.
There are many ways to refine an abstraction; one can work naively, choose an arbitrary abstract vertex and split it in some way, possibly by adding predicates that appear in the description of the network or the strategies. Even such a naive refinement is guaranteed to eventually lead to a solution. The challenge is to choose the refinements cleverly so that a concrete answer is obtained when the approximating networks are still much smaller than the concrete one. In CEGAR, the refinement is guided by a spurious counterexample. We follow this idea by always refining according to some path in the network that points to a spurious behavior of the approximations. We now describe the methodology in detail.
4.1. Part 1: AbsNE-Loop, Finding an Abstract NE
In the first part, our goal is to find, given
and
, an abstract NE. Recall that such a profile is an NE in
that is resistant to deviations of the players even in
. Since
is an NG, it has an NE. In Step 1 in
Figure 4, we find such an NE
. This is done by the user’s favorite algorithm for finding an NE in NGs. The important point for us is that this is done in the (much smaller) under-approximation of
. Then, in Step 2, we check whether
is an abstract NE. Thus, we check whether players have beneficial deviations in
. Again, this is done in the (much smaller) over-approximation of
. If no player has a beneficial deviation in
, then
is an abstract NE, we conclude this part of the procedure, and move to Step 4. Otherwise, there is a player
who can benefit from deviating to a strategy
.
We use in order to guide the refinement. There are several reasons why is an NE in yet not an abstract NE in . Step 3 consists of three possible refinement steps among which the user can choose, corresponding to the above different reasons. Let us start with Step 3a. Since is a path in , there might not be a concrete path in that corresponds to it, thus is a spurious path. Consider two adjacent abstract vertices and that traverses. If the edge between and is in , we can split into and such that contains exactly the vertices that have a neighbor in (similarly we can split ). Please note that after refinement, there is a must edge from to and there is not even a may edge between to . Since is spurious, such a candidate vertex is guaranteed to exist (We note that disconnectivity in can be treated in a similar way.).
We continue to Steps 3b and 3c. They have to do with under- and over-approximations of the cost functions that cause to be a beneficial deviation in . By the definition of and , we know that if , then the path traverses an abstract edge with load x for which . Assume that . In Step 3b, we split or in order to tighten this gap. Finally, it may be that the cost of the strategy of Player i in is too big. In Step 3c, we use the strategy that Player i chooses in in order to guide a similar refinement in order to tighten the gap in the costs between and .
A refinement step can be a single refinement or a combination of the refinements that are described above. After completing such a step, we return to Step 1 and find a new NE in the new under-approximating , and repeat the process.
4.2. Part 2: ConcNE-Loop, Finding a Concrete NE
The second part of the procedure gets an abstraction function as well as an abstract NE . The goal is to find a concrete NE P in such that . By Theorem 3, such an NE exists. Recall the best-response dynamics (BRD) algorithm for finding an NE in NGs in which we start with an arbitrary profile, and iteratively allow the players to perform beneficial deviations. We follow this algorithm and start in Step 4 with an arbitrary profile in . If P is an NE, we are done. Otherwise, there is a concrete beneficial deviation for some Player i. Please note that by Theorem 3, we can restrict the deviations of Player i to paths in . If the size of is small, the user can choose Step 6a and try and find an NE in by performing a BRD step. However, when is big, it makes sense to refine the abstraction by choosing Step 6b.
In Step 6b, we let the deviation guide the refinement. We look for a vertex v from which and differ, thus from v, one path continues with a vertex while the other with , where , yet . We refine the abstraction function by splitting so that and are no longer in the same abstract vertex. We would like to have as many must edges as possible between the new vertices. One way to do it is to make a singleton abstract state, but it is also possible to split as well as to achieve this. Once we conclude a refinement, we return to the first part of the procedure, and look for an abstract NE with the new abstraction.
Example 5. Recall the NG and its abstraction that are described in Examples 2 and 3. Consider the profile in which Player 1 chooses the path and Player 2 and 3 choose the path . Please note that while is an NE in , it is not an abstract NE, as Player 2 can deviate to . We refine α according to this deviation, which leads to splitting into and (see Figure 3). Consider now the profile in in which Player 1 chooses the strategy and Players 2 and 3 choose the strategy . We claim that is an abstract NE. Indeed, Player 1 has no possible deviation, and Players 2 and 3 each pay 2 for and deviating to a path that uses or does not reduce their costs. For the second part of the refinement procedure, we select the concrete profile P in which Player 1 chooses the path , and Players 2 and 3 choose the path . This is not an NE in as Player 2 can deviate to . Rather than refining the abstraction, we choose to check if is an NE, and indeed it is, so we are done.
Remark 1. An interesting problem in NGs is to find an NE with “good” social cost [39]. Formally, given an NG and a value ν, decide whether there is an NE with cost at most ν. Our procedure can be directed to finding a good NE. Indeed, Lemma 1 shows that the cost of an abstract NE is an upper bound on the cost of every concrete NE in . Thus, rather than finding an arbitrary abstract NE, we can look for one of a minimal cost, thereby directing the search for a concrete NE to one of a minimal cost too. While this is a harder task than finding an arbitrary abstract NE, it is performed on the much smaller approximation. 6. Automata Games
As discussed in
Section 1, the objectives users of a network are often more involved than reachability. In this section we extend the abstraction-refinement methodology to
automata games (AGs, for short) with cost sharing, which model settings with such richer objectives . AGs are similar to NGs, except that edges of the networks are labeled, and the players have objectives that refer to these labels and are more involved than the reachability objectives of NGs [
37].
An AG is played on a labeled network , where is a finite alphabet, V is a set of vertices, and is a deterministic labeled transition relation, i.e., for and , there is at most one with . Consider a path in , where, for all , we have . The word that corresponds to is . An AG is a tuple , where, for , we have that is a regular language that specifies the objective of Player i. Thus, a strategy for Player i is a path in such that . We assume that the languages are given by means of nondeterministic finite automata over . Our results can be easily extended to other specification formalisms. Please note that unlike NGs, a strategy in an AG need not be simple path. That is, a player might be forced to use an edge several times in a strategy.
We study here cost sharing AGs, and distinguish between two cost-sharing rules that can be applied in AGs. In
uniform AGs, the cost of an edge is shared uniformly among all the players that use it. Thus, we ignore the fact that different players may use the edge different number of times. This makes the game-theoretical behavior of uniform AGs similar to that of NGs. In
proportional AGs, introduced and studied in [
37], the cost of an edge is shared among the players in proportion to the number of times they have used it. For example, if two players use an edge
e with cost
c, one uses it once and the second twice, then the first pays
for
e and the second pays
. We define the proportional cost-sharing rule formally in
Section 6.2.
6.1. Uniform AGs
Abstracting an AG is similar to abstracting an NG, except that we merge only edges that agree on their label. Formally, consider an AG
and an abstraction function
. We construct two abstract AGs
and
as follows. In
, we use labeled must edges: for
and
, there is a
-labeled must edge from
a to
if for every concrete state
, there is
with
. In
, we use labeled may edges: for
and
; there is a
-labeled may edge from
a to
if there exist concrete states
and
with
. All the other components are as in abstract NGs. For an AG
, and two states
, we define the
-language of
, denoted
as the set of words obtained by traversing a path from
s to
t in
. The use of may and must edges, implies Lemma 2 below (c.f. [
41]).
Lemma 2. Consider an AG and an abstraction function . For every two states s and t in , we have that
It is not hard to see that all the considerations applied to NGs remain valid for uniform AGs. Indeed, the correspondence between concrete and abstract strategies is preserved, and, by Lemma 2, so does the application of this correspondence in our methodology. Hence, Theorems 1 and 3 are valid also for uniform AGs:
Theorem 4. Consider a uniform AG and an abstraction function α for it.
.
If P is an abstract NE in , then there exists a profile in that is a concrete NE in .
6.2. Proportional AGs
We first formally define the costs of the players in a concrete proportional AG. Consider an AG . Let be a profile where, for each , we have . Let map each edge to the number of times Player i uses it in profile P. Thus, for , we have . When , we say that e is in , denoted . Let denote the total number of times edge e is used in profile P by all players. Thus, for , we have . The cost of Player i in profile P is then .
The proportional cost sharing rule cause AGTs to be less stable than NGs:
Theorem 5. Refs. [37,42] In proportional AGs an NE is not guaranteed to exist, and deciding whether an NE exists in a given game is -complete. Since proportional AGs need not have an NE, the computational question we study is deciding whether a given AG has an NE. While we can abstract proportional AGs as described above, our methodology is targeted for finding an NE and not deciding whether one exists. Indeed, the methodology either outputs an abstract NE, which, recall, is a profile of abstract strategies, or it outputs that no abstract NE exists in the abstraction. We claim that both answers are not helpful for deciding the existence of an NE. While in NGs (and uniform AGs) a concrete NE is guaranteed to exist in the game that is restricted to an abstract NE, in proportional AGs, a concrete NE is not guaranteed to exist at all, let alone in a restriction of the game. Hence, existence of an abstract NE does not imply the existence of a concrete NE. Moreover, existence of an abstract NE that has no concrete NE that is mapped to it, does not imply that a concrete NE does not exist, as such an NE might exist elsewhere. Finally, non-existence of an abstract NE also does not imply the non-existence of a concrete NE.
Below we describe applications where abstraction can still be useful in the context of proportional AGs. First, as SO is independent of the cost sharing rule, the considerations for uniform AGs apply:
Theorem 6. For every proportional AG and an abstraction function α for it, we have that .
Next, we use abstractions in order to restrict the search space when searching for an NE. Recall that the problem of deciding whether an NE exists in proportional AGs is -complete. This suggests that the optimal algorithm for finding an NE first guesses a profile and then checks whether it is an NE. In order to speed-up the algorithm, we restrict the search space by removing dominated strategies using the abstraction.
Intuitively, a strategy for Player i is dominated by a strategy if no matter how the other players play, it is always better for Player i to use . Thus, a profile in which Player i uses cannot be an NE and removing dominated strategies does not affect the existence of NE. In other words, a game has an NE if the game that is obtained by removing the dominated strategies for all players, has an NE. Formally, for , we use to denote a collection of strategies for all players apart from Player i and we denote by the profile in which Player i uses the strategy and the other players choose their strategies in . A strategy for Player i is dominated by a strategy if for every , we have .
We search for dominated strategies in an AG in the abstractions and . For an abstract strategy for Player i, we need an under- and over-approximations on its cost. For a concrete edge , we use to denote the abstract may edge . We extend also to strategies: for a concrete strategy , we denote the corresponding abstract strategy by . For an abstract edge t, we define and . We define an over-approximation on the cost of as follows . This is indeed an over-approximation on the cost: Consider a concrete strategy for Player i that is mapped to the abstract may strategy . Then, for every , we have .
We now define an under-approximation on the cost of a must strategy . Let be a collection of concrete strategies and be the may strategies to which they are mapped. Consider the may profile . For and a may edge t, the definition of and are similar to the concrete case. Please note that since is a must path, it is also a may path. We define . We define , where the minimum is well-defined since the set of strategies for each player is finite. This is indeed an under-approximation: Consider a concrete strategy for Player i that is mapped to the must strategy , that is, . Then, for every , we have .
Definition 2. Consider an AG and an abstraction α for it. We say that a must strategy for Player i is abstract-dominated by a must strategy if . Let .
Theorem 7. Consider a proportional AG and an abstraction function α. For , let be a collection of abstract-dominated strategies for Player i. Then, the game that is obtained by setting the strategies of each Player i to be has an NE iff has an NE.
Proof. Consider a must strategy for Player i such that and let be an abstract-dominating strategy. Since both strategies are must paths, there are concrete strategies and that are mapped to and , respectively. We claim that is dominated by , thus a profile in which Player i chooses is not an NE. Let be a choice of strategies for the other players. As in the above, we have and . The claim follows from combining with . □
7. Discussion and Directions for Future Research
The need to reason about networks of increasing size and complexity calls for the development of new techniques for coping with NGs with large state spaces. Abstraction has proven itself as a very effective method for coping with large state spaces in the context of formal verification. We described an abstraction-refinement methodology for reasoning about NGs. The methodology enables the user to search for two kinds of profiles: Nash equilibria and social optimum. This is done by reasoning about under- and over-approximations of the NG, which are defined over a much smaller state space. When the approximations are too coarse to find such profiles, the user may refine the abstraction. We extended the methodology to labeled networks, where the objectives of the players are regular languages, making it possible to specify properties of the paths along which the reachability objectives are satisfied. We implemented our methodology and our experimental results demonstrate its effectiveness.
This work belongs to a line of works that transfer concepts and ideas between the areas of formal verification, AI, and algorithmic game theory [
33]: logics for specifying multi-agent systems [
43,
44,
45], studies of equilibria in games related to synthesis and repair problems [
46,
47,
48,
49], and of non-zero-sum games in formal verification [
50,
51]. Closest to this work are works that apply ideas from formal verification to NGs. This includes an extension of NGs to objectives that are richer than reachability [
37], NGs in which the players select their paths dynamically [
52], reasoning about real-time in NGs [
53,
54], and efficient reasoning about NGs that are structured in a hierarchical manner [
55]. The latter work is of special relevance, as it is motivated by the need to cope with large NGs. We believe that further ideas from formal verification should be examined in the context of this challenge. In particular, already in the direction of abstraction and refinement, researchers have studied techniques for finding effective abstraction functions [
25] as well as effective refinements for them [
24,
56]. In the context of NGs, the abstraction function influences not only the structure of the network but also the costs and loads. Consequently, different considerations should be taken when evaluating the effectiveness of an abstraction function. We hope that research on such an evaluation would lead, in addition to techniques for finding effective abstraction functions, also to tighter definitions of the costs in the approximations. Also, especially in the context of AGs, where the networks are labeled, we believe that predicate-based abstractions would serve as a convenient paradigm to study the effectiveness of abstraction functions and their refinements.
Abstraction-refinement is a general concept that is proven to be highly successful in formal verification, where it is used in a search for a counterexample to the correctness of the system [
25]. A promising direction would be to apply the basic framework or its quantitative extensions to search problems in AI that need to cope with large inputs, as is already done in planning [
57] and in a search for optimal policies in Markov decision processes [
58,
59]. Extending the abstraction-refinement framework to cope with selfish players, as we do here, is a delicate procedure that depends on the specific game model at hand. Multiagent systems have been studied extensively in AI in a game theoretic framework [
60]. Examples of settings that could benefit from an abstraction-refinement framework include prediction of the quality of a given infrastructure (e.g., traffic or internet network) or an auction mechanism [
61], finding equilibrium in automated negotiation settings [
62], and resource allocation [
4], which is a generalization of network games.