An Abstraction-Refinement Methodologyfor Reasoning about Network Games^†

Abstract

Network games (NGs) are played on directed graphs and are extensively used in network design and analysis. Search problems for NGs include finding special strategy profiles such as a Nash equilibrium and a globally-optimal solution. The networks modeled by NGs may be huge. In formal verification, abstraction has proven to be an extremely effective technique for reasoning about systems with big and even infinite state spaces. We describe an abstraction-refinement methodology for reasoning about NGs. Our methodology is based on an abstraction function that maps the state space of an NG to a much smaller state space. We search for a global optimum and a Nash equilibrium by reasoning on an under- and an over-approximation defined on top of this smaller state space. When the approximations are too coarse to find such profiles, we refine the abstraction function. We extend the abstraction-refinement methodology to labeled networks, where the objectives of the players are regular languages. Our experimental results demonstrate the effectiveness of the methodology.

1. Introduction

Network design is a fundamental and well-studied problem. A game-theoretic approach to the analysis of network design has become especially relevant with the emergence of the Internet, where different users share resources like software or communication channels [1,2,3]. Network games (NGs, for short) [3,4,5] constitute a well studied model of non-cooperative games. The game is played among selfish players on a network, which is a directed graph. NGs are used to model resources as edges in a network and the cost involved in sharing these resources. Each player has a source and a target vertex, and a strategy is a choice of a path that connects these two vertices. The cost a player pays is the sum of costs of the edges his path traverses, where a cost of an edge depends on the load on it, namely the number of players using the edge. We distinguish between two types of costs. In cost-sharing games [3], each edge has a cost and the players that use it split the cost among them, thus increased load decreases the cost. For example, when the costs correspond to prices, users that share a resource also share its price. Then, in congestion games [4], increased load increases the cost: each edge has a non-decreasing cost function that maps the load on the edge to its cost given this load. For example, when the network models a road system and costs correspond to the travel time, an increased load on an edge corresponds to a traffic jam, increasing the cost of the players that use it.

Since the players attempt to minimize their own costs, they selfishly select a path. The focus in game theory is on the stable outcomes of a given setting. The most prominent stability concept is that of a Nash equilibrium (NE) [6]: a profile (vector of strategies, one for each player) such that no player can decrease his cost by unilaterally deviating from his current strategy; i.e., assuming that the strategies of the other players do not change1. By [4], there exists an NE in every NG. A social optimum (SO) is a profile that minimizes the sum of the players’ costs; thus the one obtained if the players would have obeyed some centralized authority.

Finding SO and NE profiles is a complex and well studied problem that has been a driving force in the development of the algorithmic game theory field. Finding an SO is NP-complete [7,8]. Finding an NE is PLS-complete [9,10] (the complexity class PLS contains local search problems with polynomial time searchable neighborhoods [11], thus it is between P and NP) and the complexity of finding an approximate NE was only recently settled in normal-form games [12,13]. The theoretical tools that have been developed are finding their way to practical applications such as auction design and network routing. For example, recently [14], researchers have suggested to quantify the performance of a traffic network using the Price of Anarchy measure [15], which is the ratio between the costs the players pay in the SO and in the most expensive NE. This was done by modeling the network as an NG, and finding the SO and the most expensive NE in it. The high complexity of the problems becomes more acute when we keep in mind that the NGs we study often model huge networks. Indeed, the size of nowadays networks increases in an exponential rate, with networks having an increasing amount of information, and becoming more and more complex [16,17,18].

The need to cope with very large models is a major research area in formal verification. There, we check that a system satisfies its specification by translating the system into some formal model, typically a labeled state-transition graph, and applying model-checking procedures on this model [19]. One of the most successful methodologies for reasoning about the huge state space of systems is abstraction [20,21], where we hide some of the information about the system. This enables us to reason about systems that are much smaller, yet it gives rise to approximated solutions. Indeed, hiding of information may result in an under-approximating system: one that has fewer behaviors than the original system, or in an over-approximating system: one that has more behaviors than the original system. Abstraction methodologies use both types of approximations [22,23,24].

An important step in methodologies that are based on abstraction is refinement. Assume that we find an over-approximation of the system that does not satisfy a universal property. That is, the over-approximation has a forbidden behavior. It may be that this forbidden behavior exists also in the concrete system, in which case the verification algorithm terminates and reports a bug in the system. However, it may also be that the forbidden behavior exists only in the over-approximation, thus the counterexample is spurious. Then, one can use the spurious counterexample to refine the over-approximation in a way that eliminates it, and repeat model-checking until either a real counterexample is found, or the over-approximation satisfies the property. This methodology, of counterexample guided abstraction-refinement (CEGAR) has proven to be very effective [25].

Abstraction has been studied in the context of extensive-form games. A strategy for a player in an extensive-form game prescribes which action to perform, given the histories of actions played so far. NGs, on the other hand, are “one-shot” games. The questions studied on NGs focus on stable outcome whereas in extensive-form games one often tries to find an optimal strategy for a player. The abstraction studied in [26,27] tries to merge states in the game tree that are indistinguishable for the players. The idea of merging configurations due to hidden information is the key also in abstractions used in formal methods, yet the technical details are very different. Then, in action abstraction [27,28], some of the actions of the players are disabled, reducing the state space of reachable configurations in the game tree, which is again not similar to the approach taken here. Finally, formal methods often involve reasoning about multi-player games, and abstraction-refinement methodologies have been studied in this setting [29,30,31,32]. Such games model on-going interactions between processes, say a system and its environment, and are infinite-duration games, thus they are again different from the NGs we study here. Moreover, trying to abstract games by standard methods used in formal verification is a known challenge. Indeed, the most conservative form of abstraction is bisimulation, which results in a system that is behaviourally equivalent, and it is proven in [33] that NEs are not preserved under bisimulation. Moreover, given the effectiveness of abstractions, researchers have tried to identify games in which NEs are preserved by bisimulation (as is the case, for example, in iterated Boolean games [34]) and have extended the definition of bisimulation to multi-agent systems [29].

In this paper, we introduce and study an abstraction-refinement methodology for reasoning about network games. Given an NG $\mathcal{N}$ defined over a network with a set V of vertices, an abstraction function for $\mathcal{N}$ is a function $\alpha :V\to A$, for some set A of abstract vertices. We assume that A is smaller than V, thus the function $\alpha$ induces a partition of V. We define the under-approximation of $\mathcal{N}$ with respect to α, denoted ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$, and the over-approximation of $\mathcal{N}$ with respect to α, denoted ${\mathcal{N}}^{\uparrow }\left[\alpha \right]$. Both approximations are NGs that have A as their set of vertices. The under- and over-approximation is in the definition of the edges and the cost functions. Intuitively, ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$ is less appealing to the players than $\mathcal{N}$: they have fewer possible profiles, and the profiles that are possible are at least as expensive as the ones that correspond to them in $\mathcal{N}$. Accordingly, the edges under-approximate these in $\mathcal{N}$: there is an edge from an abstract vertex a to an abstract vertex $a^{\prime }$ if all the concrete vertices that are mapped by $\alpha$ to a have an edge to a concrete vertex that is mapped by $\alpha$ to $a^{\prime }$ (a.k.a. must transitions [21,22]). In addition, the cost of an abstract edge is essentially the maximal cost of a concrete edge that induces it. Dually, ${\mathcal{N}}^{\uparrow }\left[\alpha \right]$ is more appealing to the players: they have more and cheaper profiles than in $\mathcal{N}$. Accordingly, the edges in ${\mathcal{N}}^{\uparrow }\left[\alpha \right]$ over-approximate these in $\mathcal{N}$: there is an edge from a to $a^{\prime }$ if some concrete vertex that is in a has an edge to some concrete vertex that is mapped to $a^{\prime }$ (a.k.a. may transitions), and the cost of an abstract edge is essentially the minimal cost of a concrete edge that induces it. Traditional abstraction-refinement methodologies in formal verification focus on the transition relation. An extension that takes costs into account has been studied in [35], where the costs of a weighted automaton are also abstracted. Here, we take into account the cost functions as well as the load. Indeed, the merging of edges may lead to a spurious increased load in the abstraction.

We show how ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$ and ${\mathcal{N}}^{\uparrow }\left[\alpha \right]$, which may be significantly smaller than $\mathcal{N}$, can be used in order to reason about the SO and the NE profiles of $\mathcal{N}$. Our methodology is based on the observation that each profile in ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$ can be mapped to at least one profile in $\mathcal{N}$ with a lower or equal cost, and that each profile in $\mathcal{N}$ can be mapped to a profile in ${\mathcal{N}}^{\uparrow }\left[\alpha \right]$ with a lower or equal cost. Hence, for example, the cost of the SO in $\mathcal{N}$ is bounded from above and below by the costs of the SOs in ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$ and ${\mathcal{N}}^{\uparrow }\left[\alpha \right]$, respectively. Moreover, refining $\alpha$ tightens these bounds, so the user can control the trade-off between preciseness and complexity.

A more technically-involved use of the under- and over-approximations is an algorithm we present for finding an NE in $\mathcal{N}$. The algorithm, which can be viewed as the NG-analogue of CEGAR, is based on the notion of an abstract NE: we say that a profile P in ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$ is an abstract NE if no player has a beneficial deviation from P even in ${\mathcal{N}}^{\uparrow }\left[\alpha \right]$. Intuitively, an abstract NE has to face two challenges. First, the profile P has to exist in the under-approximation, where fewer strategies exist. In addition, deviations from P are possible in the over-approximation, where more strategies exist, and their cost is lower. Consequently, as we shall formally prove, an abstract NE can direct the search for a concrete NE: once we find an abstract NE P in ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$, it is guaranteed that a concrete NE exists in $\mathcal{N}$ when restricted to profiles that agree with P. Our algorithm finds an abstract NE if one exists and then directs the search for a concrete NE in a much smaller state space. It is, however, not necessary that an abstract NE exists in every abstract game. When a candidate profile in ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$ is an NE in ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$ but is not an abstract NE in $\mathcal{N}$, we use the spurious deviations of the players in ${\mathcal{N}}^{\uparrow }\left[\alpha \right]$ in order to refine $\alpha$, which narrows the search space.

The reachability objectives in NGs enable the players to specify possible sources and targets. Often, it is desirable to refer also to other properties of the selected paths. For example, in a communication setting, edges may belong to different providers, and a user may like to specify requirements like “all edges are operated by the same provider” or “no edge operated by AT&T is followed by an edge operated by Verizon”. Edges may also have different quality or security levels (e.g., “noisy channel”, “high-bandwidth channel”, or “encrypted channel”), and again, users may like to specify their preferences with respect to these properties. In planning or in production systems, nodes of the network correspond to configurations, and edges correspond to the application of actions. The objectives of the players are sequences of actions that fulfill a certain plan, which is often more involved than just reachability [36]; for example “once the arm is up, do not put it down until the block is placed”.

In automata games (AGs, for short) [37], the edges of the network are labeled by letters from some finite alphabet $\Sigma$, and the players have objectives that refer to these labels and are more involved than the reachability objectives of NGs. Specifically, the objective of each player is a language over $\Sigma$, specifying a property of the path he should traverse. Note that unlike NGs, a strategy in an AG need not be a simple path. For example, if $\Sigma$ includes the letters $\mathit{noise}$ and $\mathit{check}$-$\mathit{sum}$, the objective of a player may be to reach some target via a path in which every visit to a noisy edge is followed eventually by a visit to an edge where a check-sum action is performed. Then, a player might be forced to use an edge several times in a strategy. We extended the abstraction-refinement methodology to AGs. We distinguish between two cost-sharing rules that can be applied in AGs. We show that in uniform AGs, where the cost of an edge is shared uniformly among all the players that use it, our abstraction-refinement framework remains valid. On the other hand, in proportional AGs, where the cost of an edge is shared among the players in proportion to the number of times they have used it, the framework cannot be applied as is. This has to do with the fact that proportional AGs are less stable than NGs, and in fact they need not have an NE [37]. We are still able to use abstract AGs in order to restrict the search for an NE in proportional AGs.

We implemented our methodology and tested its performance on randomly-generated cost-sharing games. We examined the benefit of the abstraction, namely the ratio of the sizes of the concrete game and the abstract NE found in the approximation. We also examined the practicality of our approach, namely the number of CEGAR iterations until an abstract NE is found. We studied these questions for different parameters of the game. Our experimental results demonstrate the efficiency of the methodology. In particular, the results show that the overhead required for abstraction becomes more negligible for larger systems.

The paper is organized as follows. In Section 2, we define NGs, an abstraction-refinement framework for them, and the notion of abstract NEs. In Section 3, we study how the costs of profiles in a concrete NG relate to costs of profiles in its abstraction, and we focus on SO and NE profiles. In Section 4 we describe our methodology for finding an NE in the concrete NG by reasoning about its abstractions, and in Section 5, we describe experimental results that demonstrate the effectiveness of the methodology. Then, in Section 6, we extend the setting to AGs, and in Section 7 we discuss the results and point to directions for future research.

2. Preliminaries

2.1. Network Games

A network is a tuple $\langle V,E\rangle$, where V is a set of vertices and $E\subseteq V\times V$ is a set of directed edges. For an integer $k\in \mathrm{I}\mathrm{N}$, let $\left[k\right]=\{1,\dots ,k\}$. A network game (NG) is $\mathcal{N}=\langle k,V,E,{\left\{l_e\right\}}_{e\in E},{\langle s_i,t_i\rangle }_{i\in \left[k\right]}\rangle$, where k is the number of players; $\langle V,E\rangle$ is a network; for $e\in E$, the cost function $l_e:\left[k\right]\to {\mathrm{I}\mathrm{R}}_{\ge 0}$ maps the load on edge e, namely the number of players that use edge e, to the cost each of them pays for using e with this load; and for $i\in \left[k\right]$, the pair $\langle s_i,t_i\rangle \in V\times V$ describes the objective of Player i: traversing $\mathcal{N}$ from the source vertex $s_i$ to the target vertex $t_i$.

We distinguish between two types of cost functions. In uniform cost-sharing games (CS-NGs, for short) the players that use an edge share its cost equally. Formally, each edge e is associated with a weight $w_e\in {\mathrm{I}\mathrm{R}}_{\ge 0}$, and for all $x\in \left[k\right]$, we have $l_e\left(x\right)=\frac{w_e}{x}$. Thus, increasing the load in uniform cost-sharing games decreases the cost of the players. In contrast, in congestion games (CON-NGs, for short), the cost functions are non-decreasing, thus increasing the load also increases the cost for each player.

A strategy of a player $i\in \left[k\right]$ is a simple path $\pi$ from $s_i$ to $t_i$. Thus, $\pi =\langle v_1,v_2\rangle$, $\langle v_2,v_3\rangle ,\dots$, $\langle v_{n-1},v_n\rangle$, with $v_1=s_i$, $v_n=t_i$, and $(v_j,v_{j+1})\in E$ for all $1\le j<n$. A profile is a tuple of strategies, one for each player. Consider a profile $P=\langle {\pi }_1,{\pi }_2,\cdots ,{\pi }_k\rangle$ in the game. We sometimes refer to a path as the set of edges that it traverses, thus $\pi \subseteq E$. For an edge $e\in E$, we use ${\mathit{load}}_P\left(e\right)$ to denote the number of players that traverse the edge e in P. Each player that uses e then pays $l_e\left({\mathit{load}}_P\left(e\right)\right)$, and the cost of Player i in P, denoted $cos{t}_i\left(P\right)$, is ${\sum }_{e\in {\pi }_i}{l}_e\left({\mathit{load}}_P\left(e\right)\right)$. The cost of the profile P, denoted $\mathit{cost}\left(P\right)$, is the total cost incurred by all the players, i.e., $\mathit{cost}\left(P\right)={\sum }_{i=1}^k{\mathit{cost}}_i\left(P\right)$. For a profile P and a strategy $\pi$ of player $i\in \left[k\right]$, let $P[i\leftarrow \pi ]$ denote the profile obtained from P by replacing the strategy for Player i by $\pi$. Given a profile $P=\langle {\pi }_1,\cdots ,{\pi }_k\rangle$, a best response (BR, for short) of Player i in P is a strategy ${\pi }_i^{\prime }$ such that for all strategies $\pi$ of Player i, we have that ${\mathit{cost}}_i\left(P[i\leftarrow {\pi }_i^{\prime }]\right)\le {\mathit{cost}}_i\left(P[i\leftarrow \pi ]\right)$.

A profile P is a Nash equilibrium (NE) of a game $\mathcal{N}$ if no player has an incentive to deviate for $\mathcal{N}$. Formally, a profile P is an NE if for every Player i and every strategy $\pi$, we have ${\mathit{cost}}_i\left(P[i\leftarrow \pi ]\right)\ge {\mathit{cost}}_i\left(P\right)$. A social optimum (SO) of a game $\mathcal{N}$ is a profile that attains the minimal cost over all profiles. We denote by $SO\left(\mathcal{N}\right)$ the cost of an SO profile; i.e., $SO\left(\mathcal{N}\right)={min}_P\mathit{cost}\left(P\right)$. An SO can be thought of as an optimal solution imposed by a centralized authority, and need not be an NE.

2.2. Abstraction

Consider an NG $\mathcal{N}=\langle k,V,E,{\left\{l_e\right\}}_{e\in E},{\langle s_i,t_i\rangle }_{i\in \left[k\right]}\rangle$. We refer to V as the set of concrete vertices. Let $T=\{t_1,\dots ,t_k\}$. An abstraction function for $\mathcal{N}$ is a function $\alpha :V\to A$, for a set A of abstract vertices. We assume that $T\subseteq A$ and that $\alpha$ is such that for all $t_i\in T$, we have $\alpha \left(t_i\right)=t_i$ and $\alpha \left(v\right)\ne t_i$ for all $v\ne t_i$. We also assume that A is smaller than V, thus the function $\alpha$ induces a partition of V (with a singleton $\left\{t_i\right\}$ for each $t_i\in T$). Accordingly, we sometimes refer to abstract vertices as sets of concrete vertices. In particular, when $\alpha$ is clear from the context, we use $v\in a$, for $v\in V$ and $a\in A$, to indicate that $\alpha \left(v\right)=a$.

Consider the NG $\mathcal{N}$ and an abstraction function $\alpha$. We define the under- and over-approximation of $\mathcal{N}$ formally. Given $\mathcal{N}$, $\alpha$, and $b\in \{\downarrow ,\uparrow \}$, we define ${\mathcal{N}}^b\left[\alpha \right]=\langle k,V,E^b,{\left\{l_e^b\right\}}_{e\in E^b},{\langle \alpha \left(s_i\right),\alpha \left(t_i\right)\rangle }_{i\in \left[k\right]}\rangle$, where the under- and over-approximating transition relations $E^{\downarrow },E^{\uparrow }\subseteq A\times A$, and the under- and over-approximating cost functions $l_e^{\downarrow }$ and $l_e^{\uparrow }$ are defined as follows.

Transition relations: Consider two abstract vertices $a,a^{\prime }\in A$. Then, $E^{\downarrow }(a,a^{\prime })$ holds, that is, there is an abstract edge from the abstract vertex a to the abstract vertex $a^{\prime }$ in the under-approximation ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$, if for every concrete vertex $v\in a$, there is a concrete vertex $v^{\prime }\in a^{\prime }$ such that $E(v,v^{\prime })$. Also, $E^{\uparrow }(a,a^{\prime })$ holds, that is, there is an abstract edge from the abstract vertex a to the abstract vertex $a^{\prime }$ in the over-approximation ${\mathcal{N}}^{\uparrow }\left[\alpha \right]$, if there exist concrete vertices $v\in a$ and $v^{\prime }\in a^{\prime }$ such that $E(v,v^{\prime })$. Note that $E^{\downarrow }\subseteq E^{\uparrow }$. For simplicity, we omit self-loops from $E^{\downarrow }$ and $E^{\uparrow }$, as they are not going to be used anyway in strategies. We follow the common terminology in formal verification and refer to the under- and over-approximating edges as must and may edges, respectively. We extend $\alpha$ to edges in the expected way. Thus, $\alpha \left(h\right)$, for an edge $h=\langle v,v^{\prime }\rangle \in E$, is $\langle \alpha \left(v\right),\alpha \left(v^{\prime }\right)\rangle$. Note that $\alpha \left(h\right)$ is always in $E^{\uparrow }$ and may not be in $E^{\downarrow }$.

Cost Functions: The definition of the under- and over-approximating cost functions depends on the type of $\mathcal{N}$. We first describe the definition and then explain it.

• If $\mathcal{N}$ is a CON-NG, then

  -

  for every $e\in E^{\downarrow }$ and $x\in \left[k\right]$, we have $l_e^{\downarrow }\left(x\right)=max\{l_h\left(x\right):e=\alpha \left(h\right)\}$, and

  -

  for every $e\in E^{\uparrow }$ and $x\in \left[k\right]$, we have $l_e^{\uparrow }\left(x\right)=min\{l_h\left(1\right):e=\alpha \left(h\right)\}$.

• If $\mathcal{N}$ is a CS-NG, then

  -

  for every $e\in E^{\downarrow }$ and $x\in \left[k\right]$, we have $l_e^{\downarrow }\left(x\right)=max\{l_h\left(1\right):e=\alpha \left(h\right)\}$, and

  -

  for every $e\in E^{\uparrow }$ and $x\in \left[k\right]$, we have $l_e^{\uparrow }\left(x\right)=min\{l_h\left(x\right):e=\alpha \left(h\right)\}$.

The idea behind the definition is as follows. Recall that in the under-approximation ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$, we want the strategies to be more expensive. This is why we take, in $l_e^{\downarrow }$, the maximal cost of edges that induce e. In CON-NGs, the cost increases with load and hence the cost function $l_e^{\downarrow }$ depends on x since we want more expensive profiles. In CS-NGs, we ignore x and assume that the load is 1. To see why, recall that an abstract edge $e\in E^{\downarrow }$ is obtained by merging several concrete edges. Consequently, the load on e is the sum of the loads on these concrete edges. This load is fake: it is only due to the merging of concrete edges and not due to an actual increased load. In CON-NGs, where the cost functions increase with an increased load, fake load goes well with generating more expensive profiles. In CS-NGs, however, increased load decreases the cost, and we have to cancel the fake load. This is done by dividing the load by itself, which bounds the fake load. Recall that in a CS-NG $\mathcal{N}$, each edge $h\in E$ has a weight $w_h$ such that $l_h\left(x\right)=\frac{w_h}{x}$. Thus, as $l_h\left(1\right)=w_h$, the definition is equivalent to one with $l_e^{\downarrow }\left(x\right)=max\{w_h:e=\alpha \left(h\right)\}$.

Dually, the over-approximating cost function aims at providing cheaper strategies. Accordingly, $l_e^{\uparrow }$ depends on the minimum cost function of edges that induce e. Here, we have to cancel fake load in CON-NGs, as fake load increases the cost and may cause the cost of an abstract edge to go beyond the cost of the concrete edges that induce it.

When $\alpha$ is clear from the context, we denote ${\mathcal{N}}^b\left[\alpha \right]$ by ${\mathcal{N}}^b$. When we refer to the cost of a profile P in ${\mathcal{N}}^b$, we use the notation ${\mathit{cost}}^b\left(P\right)$, to emphasize that the profile P is in ${\mathcal{N}}^b$.

The need for having under- and over approximating cost functions has been illustrated in Example 1.

Example 1.

Consider the CON-NG $\mathcal{N}$ appearing in the left of Figure 1. The under- and over-approximating NGs ${\mathcal{N}}^{\downarrow }$ and ${\mathcal{N}}^{\uparrow }$ appear on the right. The abstraction function α maps both $v_1$ and $v_2$ to $a_1$. Thus $E^{\downarrow }$ and $E^{\uparrow }$ coincide in this example. In $\mathcal{N}$, there are two players: Player 1 with the objective $(s_1,u_1)$ and Player 2 with the objective $(s_2,u_2)$. Note that in $\mathcal{N}$, Player 1 has only one strategy while Player 2 has two strategies. Let P be the profile in $\mathcal{N}$ in which Player 2 has the strategy that uses the edge $(s_2,v_2)$. It is easy to see that P is an NE in $\mathcal{N}$.

Consider the outgoing edge from $a_1$, in both ${\mathcal{N}}^{\downarrow }$ and ${\mathcal{N}}^{\uparrow }$. If Player 2 chooses this edge, then it has a load of 2. This is a fake load due to merging of two concrete edges. Consequently, if we take the cost function to be l with no adjustment to the load, we get that the profile $\alpha \left(P\right)$, which corresponds to P in ${\mathcal{N}}^{\downarrow }$ and ${\mathcal{N}}^{\uparrow }$ and in which both players go via $a_1$ is not an NE in ${\mathcal{N}}^{\downarrow }$ and ${\mathcal{N}}^{\uparrow }$. Indeed, by deviating to the strategy that that uses the edge with cost 5, Player 2 reduces his cost to 5. Moreover, the obtained profile is an NE in ${\mathcal{N}}^{\downarrow }$ and ${\mathcal{N}}^{\uparrow }$, which is bad, as it does not correspond to an NE in $\mathcal{N}$.

The function $l^{\uparrow }$ in ${\mathcal{N}}^{\uparrow }$ cancels the fake load on the abstract edge, and accounts for the fact that single players use the concrete edges that induce it. Using $l^{\uparrow }$, the profile $\alpha \left(P\right)$ becomes an NE in ${\mathcal{N}}^{\uparrow }$, as the cost of using the strategy with the edge $(s_2,a_1)$ is 4.

Below we show a more elaborate example of under- and over-approximations of an NG which will also serve as the running example in this paper.

Example 2.

Consider the concrete NG $\mathcal{N}$ described in the left side of Figure 2. The game is played among three players with a common source vertex s. The target for Player 1 is t. The target for Players 2 and 3 is $t^{\prime }$. Consider an abstraction function α that maps the concrete vertices $v_2$ and $v_3$ to the abstract vertex $a_2$, maps $v_5$ and $v_6$ to $a_5$, and does not merge other concrete vertices.

The under- and over-approximating NGs ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$ and ${\mathcal{N}}^{\uparrow }\left[\alpha \right]$ are described in the right side of the figure. Consider for example the edges from $a_2$ to $a_5$. Each of the concrete vertices $v_2$ and $v_3$ have an edge to a concrete vertex $v_5$ or $v_6$. This is why $(a_2,a_5)\in E^{\downarrow }$. As for the cost, note that there are three concrete edges that induce $\langle a_2,a_5\rangle$. These are $\langle v_2,v_5\rangle$, $\langle v_3,v_5\rangle$ and $\langle v_3,v_6\rangle$, with cost functions x, x and $5x$, respectively. Accordingly, $l_{\langle a_2,a_5\rangle }^{\downarrow }\left(x\right)=5x$, which is the maximal cost for one of these three edges, and $l_{\langle a_2,a_5\rangle }^{\uparrow }\left(x\right)=1$, which is the minimal cost, applied for $x=1$.

Consider the profile P in ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$ in which Player 1 chooses the path $s,a_1,a_4,t$ and Players 2 and 3 choose the path $s,a_2,a_5,t^{\prime }$. In ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$, the cost of Player 1 is ${\mathit{cost}}_1^{\downarrow }\left(P\right)=4\times 1=4$ and the cost of each of Players 2 and 3 is ${\mathit{cost}}_2^{\downarrow }\left(P\right)={\mathit{cost}}_3^{\downarrow }\left(P\right)=5\times 2=10$. The profile P is also a profile in ${\mathcal{N}}^{\uparrow }\left[\alpha \right]$, where $cos{t}_1^{\uparrow }\left(P\right)=4\times 1=4$ and ${\mathit{cost}}_2^{\uparrow }\left(P\right)={\mathit{cost}}_3^{\uparrow }\left(P\right)=1$.

Let us emphasize the confusing fact that when we talk about an under-approximation, we take the maximum cost. This may seem counterintuitive. In order not to get confused, recall that the thing we are approximating is the range and attractiveness of possible profiles. In an under-approximation, we want both fewer and more expensive profiles. Dually, in an over-approximation, we take the minimum cost, as we want more and cheaper profiles. A similar intuition applies for the adjustment of the load.

2.3. Abstract NE

Recall that in an NE profile in a concrete NG $\mathcal{N}$ is a profile from which no player has an incentive to deviate. In this section we define and discuss stable profiles in the abstraction of $\mathcal{N}$.

Definition 1.

[Abstract NE]A profile $P=\langle {\pi }_1,\cdots ,{\pi }_k\rangle$ in ${\mathcal{N}}^{\downarrow }$ is an abstract NE if no player has a beneficial deviation from P even in ${\mathcal{N}}^{\uparrow }$. Formally, for all $i\in \left[k\right]$ and strategies ${\pi }_i^{\prime }\ne {\pi }_i$ of Player i in ${\mathcal{N}}^{\uparrow }$, we have ${\mathit{cost}}_i^{\downarrow }\left(P\right)\le {\mathit{cost}}_i^{\uparrow }\left(P[i\leftarrow {\pi }_i^{\prime }]\right)$.

Intuitively, an abstract NE has to face two challenges. First, the profile P has to exist in the under-approximation, where fewer strategies exist. Second, existence of deviations from P is checked in the over-approximation, where more strategies may exist, and their cost is lower. Consequently, as we formally prove in Theorem 3, an abstract NE directs the search for a concrete NE: once we find an abstract NE P in ${\mathcal{N}}^{\downarrow }$, we know that a concrete NE exists in $\mathcal{N}$ when restricted to profiles that agree with P. Formally, given an NG $\mathcal{N}$ and a profile P in ${\mathcal{N}}^{\downarrow }$, the restriction of $\mathcal{N}$ to P is the NG ${\mathcal{N}}_{|P}=\langle k,V_{|P},E_{|P},{\left\{l_e\right\}}_{e\in E_{|P}},{\langle s_i,t_i\rangle }_{i\in \left[k\right]}\rangle$, where $V_{|P}=\{v\in V:\alpha \left(v\right)\mathrm{appears} \mathrm{in} a \mathrm{strategy} \mathrm{in} P\}$ and $E_{|P}$ $=\{\langle v,v^{\prime }\rangle \in E:\langle \alpha \left(v\right),\alpha \left(v^{\prime }\right)\rangle$ appears in a strategy in $P\}$.

Example 3.

Recall the NG and its abstraction that are described in Example 2. Recall the profile P in which Player 1 chooses the path $s,a_1,a_4,t$ and Players 2 and 3 choose the path $s,a_2,a_5,t^{\prime }$. Note that P is not an abstract NE. First, Player 1 can deviate to the strategy $s,a_1,a_5,a_4,t$ thereby avoiding the costly edge $\langle a_1,a_4\rangle$. Note that this strategy is spurious and has no corresponding concrete strategy. Also, Players 2 and 3 can benefit from unilaterally deviating from P to the strategy $s,a_1,a_5,t^{\prime }$. Indeed, the cost of Player 2 (and similarly 3) in ${\mathcal{N}}^{\downarrow }$ is 10 as the load on the must edge $\langle a_2,a_5\rangle$ is 2, while by deviating to the may edge $\langle a_1,a_5\rangle$, the cost decreases to 2 as the load is 1. We now show that the abstract game in the right side of Figure 2 does not have an abstract NE.

Please note that Player 1 has the following strategies in ${\mathcal{N}}^{\uparrow }$: $A:$$s,a_1,a_4,t$, $B:$$s,a_1,a_5,a_4,t$ and $C:$$s,a_2,a_5,a_4,t$. Please note that the strategies $s,a_2,a_1,a_4,t$ and $s,a_2,a_1,a_5,a_4,t$ of Player 1 are dominated by $s,a_1,a_4,t$. A is the only strategy of Player 1 in ${\mathcal{N}}^{\downarrow }$.

Players 2 and 3 have the following strategies in ${\mathcal{N}}^{\uparrow }$: $E:$$s,a_1,a_5,t^{\prime }$ and $F:$$s,a_2,a_5,t^{\prime }$,

Please note that the strategies $s,a_2,a_1,a_5,t^{\prime }$ of Player 2 is dominated by both strategies E and F. Both E and F are valid strategies of Players 2 and 3 in ${\mathcal{N}}^{\downarrow }$.

Thus we consider the following profiles in ${\mathcal{N}}^{\downarrow }$ and check if any of them is an abstract NE:

• $\langle A,E,E\rangle$: Each player has a cost of 4 each. Player 1 can deviate to C and pay 1. Hence this profile is not an abstract NE.
• $\langle A,E,F\rangle$: Player 1 pays 4, while Players 2 and 3 have a cost of 2 and 5 respectively. Again Player 1 can deviate to C and pay 1. Hence this profile is not an abstract NE.
• $\langle A,F,F\rangle$: Player 1 pays 4, while each of Players 2 and 3 has a cost of 10. Again Player 1 can deviate to C and pay 1. Hence this profile is not an abstract NE.

Please note that the profile $\langle A,F,E\rangle$, is similar to the profile $\langle A,E,F\rangle$ and hence omitted.

Of special interest, especially in the context of software-defined networks [38], are NGs in which $V=2^X$ for some set X of variables. Then, abstraction functions are based on predicates on the variables in X. Formally, let $\mathsf{\Psi }=\{{\psi }_1,\dots ,{\psi }_m\}$ be predicates on X. Thus, each predicate $\psi \in \mathsf{\Psi }$ defines a subset $\left[\left[\psi \right]\right]\subseteq 2^X$ of assignments to X that satisfy it. For example, if $X=\{x_1,\dots ,x_n\}$, then $\psi =x_1\vee \neg x_2$ is such that $\left[\right[\psi \left]\right]$ contains all the assignments to X in which $x_1=\mathit{true}$ or $x_2=\mathit{false}$. The common practice in predicate abstraction is to start with a small set $\mathsf{\Psi }$ of predicates, take $A=2^{\mathsf{\Psi }}$, and define $\alpha :2^X\to 2^{\mathsf{\Psi }}$ so that for every $S\in 2^X$, we have $\alpha \left(S\right)=\{\psi :S\in [\left[\psi \right]\left]\right\}$. Thus, an assignment S is mapped to the set of predicates that it satisfies.

The generation of ${\mathcal{N}}^{\downarrow }$ and ${\mathcal{N}}^{\uparrow }$ depends on the way $\mathcal{N}$ is given. When $\mathcal{N}$ is given in a succinct presentation, it is often possible to construct ${\mathcal{N}}^{\downarrow }$ and ${\mathcal{N}}^{\uparrow }$ on top of this succinct presentation. As an example, consider again the case $V=2^X$, and assume that edge relation E is given by formula ${\theta }_E$ over the set $X\cup X^{\prime }$ of variables, where $X^{\prime }=\{x^{\prime }:x\in X\}$. Thus, for every pair of vertices $v,v^{\prime }\in V\times V$, we have that $E(v,v^{\prime })$ if ${\theta }_E\left(S_{v,v^{\prime }}\right)$, where $S_{v,v^{\prime }}$ is the truth assignment to $X\cup X^{\prime }$ induced by v and $v^{\prime }$. Then, different costs to transitions are defined by different formulas. A simple special case of predicate abstraction is one in which we hide some of the variables. Thus, $A=2^Y$, for some $Y\subseteq X$, and for all vertices $v\in 2^X$, we have $\alpha \left(v\right)=v\cap Y$. Thus, the abstraction hides the variables in $X\backslash Y$. Then, the definition of $E^{\downarrow }$ and $E^{\uparrow }$ is done by a suitable quantification on the hidden variables in ${\theta }_E$: Let $X\backslash Y=\{z_1,\dots ,z_l\}$. Then, ${\theta }_E^{\downarrow }=\forall z_1,\dots ,z_l\exists z_1^{\prime },\dots ,z_l^{\prime }{\theta }_E$ and ${\theta }_E^{\uparrow }=\exists z_1,\dots ,z_l,z_1^{\prime },\dots ,z_l^{\prime }{\theta }_E$.

Example 4.

Consider a huge network of routers, describing external and internal communication among some entities. Each entity may be, for example, an intranet of a company or a large autonomous system of routers. Each router is encoded by variables in $X=\{x_1,\dots ,x_n\}$. The variables $x_1,\dots ,x_m$, for some $m<n$, maintain the identity of each entity, and the variables $x_{m+1},\dots ,x_n$ maintain the internal identity of each router within its entity. The transitions in the network are described symbolically by some formula ${\theta }_E={\theta }_{\mathit{out}}(x_1,\dots ,x_m,x_1^{\prime },\dots ,x_m^{\prime })\vee [{\theta }_{\mathit{stay}}\wedge {\theta }_{inter}(x_1,\dots ,x_n,x_1^{\prime },\dots ,x_n^{\prime })]$, where ${\theta }_{\mathit{stay}}={\wedge }_{i=1}^m(x_i=x_i^{\prime })$. In other words, ${\theta }_{\mathit{out}}$ describes the transitions among the different entities, and ${\theta }_{\mathit{inter}}$ describes the internal ones, where ${\theta }_{\mathit{stay}}$ guarantees that they are indeed internal. The network depicted in Figure 2 can be described as such a network. The entities are $v_1,\dots ,v_6$ and we use three variables to identify them as $000,\dots ,101$, respectively. The transition function ${\theta }_{\mathit{out}}$ includes, for example, the disjunct $\left(\neg x_1\wedge \neg x_2\wedge \neg x_3\right)\wedge \left((\neg x_1^{\prime }\leftrightarrow x_2^{\prime })\wedge (x_2^{\prime }\leftrightarrow x_3^{\prime })\right)$ inducing the transitions from $v_1=000$ to $v_4=011$ and $v_5=100$. Please note that there can be many hidden internal nodes, i.e., we have $n>3$. We now abstract the network further by using the predicates $\{\neg x_1\wedge \neg x_2\wedge \neg x_3,\neg x_1\wedge (\neg x_2\leftrightarrow x_3),\neg x_1\wedge x_2\wedge x_3,x_1\}$, which induce respectively the abstract states $a_1,a_2,a_4,$ and $a_5$ in the abstract network in Figure 2. For example, only $v_2=001$ and $v_3=010$ satisfy the second predicate.

2.4. Refinement

Consider two abstraction functions ${\alpha }_1:V\to A_1$ and ${\alpha }_2:V\to A_2$. We say that ${\alpha }_2$refines${\alpha }_1$, denoted ${\alpha }_2⪯{\alpha }_1$, if for all concrete vertices v and $v^{\prime }$, if ${\alpha }_2\left(v\right)={\alpha }_2\left(v^{\prime }\right)$, then ${\alpha }_1\left(v\right)={\alpha }_1\left(v^{\prime }\right)$. That is, the partition of V that is induced by ${\alpha }_2$ refines the partition induced by ${\alpha }_1$. Please note that whenever ${\alpha }_2$ refines ${\alpha }_1$, we can view ${\mathcal{N}}^{\downarrow }\left[{\alpha }_1\right]$ as an under-approximation of ${\mathcal{N}}^{\downarrow }\left[{\alpha }_2\right]$, and view ${\mathcal{N}}^{\uparrow }\left[{\alpha }_1\right]$ as an over-approximation of ${\mathcal{N}}^{\uparrow }\left[{\alpha }_2\right]$. More formally, there is an abstraction function $\alpha :A_2\to A_1$ such that ${\mathcal{N}}^{\downarrow }\left[{\alpha }_1\right]={\left({\mathcal{N}}^{\downarrow }\left[{\alpha }_2\right]\right)}^{\downarrow }\left[\alpha \right]$, and similarly for an over-approximation.

Recall the special interest in NGs in which $V=2^X$, for some set X of variables, and A is defined by a set $\mathsf{\Psi }$ of predicates over X. Then, refinement amounts to enlarging the set $\mathsf{\Psi }$ of predicates. In particular, when $A=2^Y$, for some $Y\subseteq X$, and $\alpha \left(v\right)=v\cap Y$, then, for $Y_1\subseteq Y_2\subseteq X$, an abstraction ${\alpha }_2:V\to 2^{Y_2}$ refines an abstraction ${\alpha }_1:V\to 2^{Y_1}$. For example, we can refine the abstraction that is described in Example 4 by replacing the predicate $x_1$ by two predicates $x_1\wedge x_3$ and $x_1\wedge \neg x_3$, which splits the state $a_5$ in Figure 2 and induces the network in Figure 3.

3. On Abstract SOs and NEs

In this section we study the theoretical properties of abstraction in NGs and show how reasoning about the (much smaller) under- and over-approximations of an NG $\mathcal{N}$ can be used for bounding the cost of an SO and for directing the search for an NE in $\mathcal{N}$. We first relate strategies and profiles in $\mathcal{N}$ with strategies and profiles in its approximations.

Consider a network $\mathcal{N}$ and a strategy $\pi$ of Player i in $\mathcal{N}$. The strategy $\alpha \left(\pi \right)$ that corresponds to $\pi$ in ${\mathcal{N}}^{\uparrow }$ is obtained from $\pi$ by replacing each concrete edge h by the abstract edge $\alpha \left(h\right)$, and removing cycles in the obtained path in ${\mathcal{N}}^{\uparrow }$. Please note that by the definition of $E^{\uparrow }$, the edge $\alpha \left(h\right)$ exists in ${\mathcal{N}}^{\uparrow }$. Formally, we define $\alpha \left(\pi \right)$ as follows. Let $\pi =\langle v_1,v_2\rangle ,\langle v_2,v_3\rangle$, …, $\langle v_{n-1},v_n\rangle$. We first define ${\alpha }^{\prime }\left(\pi \right)=\langle \alpha \left(v_1\right),\alpha \left(v_2\right)\rangle$, $\langle \alpha \left(v_2\right),\alpha \left(v_3\right)\rangle$, $\cdots ,\langle \alpha \left(v_{n-1}\right),\alpha \left(v_n\right)\rangle$. Then, $\alpha \left(\pi \right)$ is obtained from ${\alpha }^{\prime }\left(\pi \right)$ by removing cycles; that is, by repeatedly removing subsequences $\langle \alpha \left(v_j\right)$, $\alpha \left(v_{j+1}\right)\rangle ,\cdots$, $\langle \alpha \left(v_{j+m}\right)$, $\alpha \left(v_{j+m+1}\right)\rangle$ with $\alpha \left(v_j\right)=\alpha \left(v_{j+m+1}\right)$. A profile $P=\langle {\pi }_1,\cdots ,{\pi }_k\rangle$ in $\mathcal{N}$ corresponds to the profile $\alpha \left(P\right)=\langle \alpha \left({\pi }_1\right),\cdots ,\alpha \left({\pi }_k\right)\rangle$ in ${\mathcal{N}}^{\uparrow }$.

Consider now a strategy $\pi =\langle a_1,a_2\rangle$, $\langle a_2,a_3\rangle$, …, $\langle a_{n-1},a_n\rangle$ of Player i in ${\mathcal{N}}^{\downarrow }$. By the definition of $E^{\downarrow }$, for every concrete vertex v with $\alpha \left(v\right)=a_1$, and in particular for $s_i$ – the source vertex of Player i, there is a path in $\mathcal{N}$ from v to some vertex $v^{\prime }$ with $\alpha \left(v^{\prime }\right)=a_{n-1}$. Also, by the definition of ${\mathcal{N}}^{\downarrow }$, we have that $a_n=t_i$ – the target vertex of Player i2, and for all the concrete vertices $v^{\prime }$ with $\alpha \left(v^{\prime }\right)=a_{n-1}$, we have $E(v^{\prime },t_i)$. Hence, the strategy $\pi$ in ${\mathcal{N}}^{\downarrow }$ induces at least one path ${\pi }^{\prime }=\langle v_1,v_2\rangle ,\langle v_2,v_3\rangle ,\dots ,\langle v_{n-1},v_n\rangle$ in $\mathcal{N}$ such that $v_1=s_i$ and $v_n=t_i$. Let ${\alpha }^{-1}\left(\pi \right)$ be the nonempty set of these paths. Finally, a profile $P=\langle {\pi }_1,\cdots ,{\pi }_k\rangle$ in ${\mathcal{N}}^{\downarrow }$ corresponds to the set ${\alpha }^{-1}\left(P\right)$ of profiles $P^{\prime }=\langle {\pi }_1^{\prime },\cdots ,{\pi }_k^{\prime }\rangle$ in $\mathcal{N}$ in which for all $i\in \left[k\right]$, we have ${\pi }_i^{\prime }\in {\alpha }^{-1}\left({\pi }_i\right)$.

We now relate the costs of corresponding profiles in $\mathcal{N}$, ${\mathcal{N}}^{\downarrow }$, and ${\mathcal{N}}^{\uparrow }$.

Lemma 1.

Consider an NG $\mathcal{N}$ and an abstraction function α.

1. 

For every profile P in $\mathcal{N}$, the profile $\alpha \left(P\right)$ in ${\mathcal{N}}^{\uparrow }$ is such that ${\mathit{cost}}^{\uparrow }\left(\alpha \left(P\right)\right)\le \mathit{cost}\left(P\right)$.

2. 

For every profile P in ${\mathcal{N}}^{\downarrow }$ and profile $P^{\prime }\in {\alpha }^{-1}\left(P\right)$ in $\mathcal{N}$, we have that $\mathit{cost}\left(P^{\prime }\right)\le {\mathit{cost}}^{\downarrow }\left(P\right)$.

Proof. 

We start with the first claim. Let $P=\langle {\pi }_1,\dots ,{\pi }_k\rangle$ in $\mathcal{N}$. Consider a strategy ${\pi }_i$. By the definition of the over-approximating cost function $l^{\uparrow }$, we have that for all edges $h\in {\pi }_i$ and for every load $x\in \left[k\right]$, we have that $l_h^{\uparrow }\left(x\right)\le l_{\alpha \left(h\right)}\left(x\right)$. Indeed, if $\mathcal{N}$ is a CON-NG, then $l_{\alpha \left(h\right)}^{\uparrow }\left(x\right)$ is the minimum of a set one of whose elements is $l_h\left(1\right)$, which is smaller than $l_h\left(x\right)$, and if $\mathcal{N}$ is a CS-NG, then $l_{\alpha \left(h\right)}^{\uparrow }\left(x\right)$ is the minimum of a set one of whose elements is $l_h\left(x\right)$. Hence, for every $i\in \left[k\right]$, we have that ${\mathit{cost}}_i^{\uparrow }\left(\alpha \left(P\right)\right)\le {\mathit{cost}}_i\left(P\right)$, implying that ${\mathit{cost}}^{\uparrow }\left(\alpha \left(P\right)\right)\le \mathit{cost}\left(P\right)$, and we are done.

We proceed to the second claim. Let $P=\langle {\pi }_1,\dots ,{\pi }_k\rangle$, with ${\pi }_i=\langle a_1,a_2\rangle$, $\langle a_2,a_3\rangle$,…, $\langle a_{n-1},a_n\rangle$. Consider a strategy ${\pi }_i^{\prime }\in {\alpha }^{-1}\left({\pi }_i\right)$. Let ${\pi }_i^{\prime }=\langle v_1,v_2\rangle$, $\langle v_2,v_3\rangle$, …, $\langle v_{n-1},v_n\rangle$. By the definition of the under-approximating cost function $l^{\downarrow }$, we have that for all $1\le j<n_i$ and for every load $x\in \left[k\right]$, we have that $l_{\langle v_j,v_{j+1}\rangle }\left(x\right)\le l_{\langle a_j,a_{j+1}\rangle }^{\downarrow }\left(x\right)$. Indeed, if $\mathcal{N}$ is a CON-NG, then $l_{\langle a_j,a_{j+1}\rangle }^{\downarrow }\left(x\right)$ is the maximum of a set one of whose elements is $l_{\langle v_j,v_{j+1}\rangle }\left(x\right)$, and if $\mathcal{N}$ is a CS-NG, then $l_{\langle a_j,a_{j+1}\rangle }^{\downarrow }\left(x\right)$ is the maximum of a set one of whose elements is $l_{\langle v_j,v_{j+1}\rangle }\left(1\right)$, which is greater than $l_{\langle v_j,v_{j+1}\rangle }\left(x\right)$. Hence, for every $i\in \left[k\right]$, we have that ${\mathit{cost}}_i\left(P^{\prime }\right)\le {\mathit{cost}}_i^{\downarrow }\left(P\right)$, implying that $\mathit{cost}\left(P^{\prime }\right)\le {\mathit{cost}}^{\downarrow }\left(P\right)$, and we are done. □

Theorem 1.

For every NG $\mathcal{N}$ and abstraction function α, we have $SO\left({\mathcal{N}}^{\uparrow }\left[\alpha \right]\right)\le SO\left(\mathcal{N}\right)\le SO\left({\mathcal{N}}^{\downarrow }\left[\alpha \right]\right)$.

Proof. 

We first show that $SO\left({\mathcal{N}}^{\uparrow }\left[\alpha \right]\right)\le SO\left(\mathcal{N}\right)$. Consider a profile $P=\langle {\pi }_1,\dots ,{\pi }_k\rangle$ in $\mathcal{N}$. By Lemma 1, we have that ${\mathit{cost}}^{\uparrow }\left(\alpha \left(P\right)\right)\le \mathit{cost}\left(P\right)$. In addition, by definition, $SO\left({\mathcal{N}}^{\uparrow }\left[\alpha \right]\right)\le {\mathit{cost}}^{\uparrow }\left(\alpha \left(P\right)\right)$. Since this is valid for every profile P in $\mathcal{N}$, and in particular for SO profiles, it follows that $SO\left({\mathcal{N}}^{\uparrow }\left[\alpha \right]\right)\le SO\left(\mathcal{N}\right)$.

It is left to show that $SO\left(\mathcal{N}\right)\le SO\left({\mathcal{N}}^{\downarrow }\left[\alpha \right]\right)$. Consider a profile P in ${\mathcal{N}}^{\downarrow }$. By Lemma 1, for every profile $P^{\prime }\in {\alpha }^{-1}\left(P\right)$, we have that $\mathit{cost}\left(P^{\prime }\right)\le {\mathit{cost}}^{\downarrow }\left(P\right)$. Also, ${\alpha }^{-1}\left(P\right)$ is not empty. Since the profiles $P^{\prime }\in {\alpha }^{-1}\left(P\right)$ are in $\mathcal{N}$, we also have $SO\left(\mathcal{N}\right)\le \mathit{cost}\left(P^{\prime }\right)$. Hence, $SO\left(\mathcal{N}\right)\le {\mathit{cost}}^{\downarrow }\left(P\right)$, and we are done.  □

Recall that given two abstraction functions ${\alpha }_1$ and ${\alpha }_2$, if ${\alpha }_2$ refines ${\alpha }_1$, then we can view ${\mathcal{N}}^{\downarrow }\left[{\alpha }_1\right]$ as an under-approximation of ${\mathcal{N}}^{\downarrow }\left[{\alpha }_2\right]$, and view ${\mathcal{N}}^{\uparrow }\left[{\alpha }_1\right]$ as an over-approximation of ${\mathcal{N}}^{\uparrow }\left[{\alpha }_2\right]$. Accordingly, Theorem 1 can be viewed as a special case of Theorem 2 below, with ${\alpha }_2$ being the most refined abstraction function (that is, ${\alpha }_2:V\to V$, with ${\alpha }_2\left(v\right)=v$), and ${\alpha }_1$ being the refinement function $\alpha$ studied there.

Theorem 2.

Consider an NG $\mathcal{N}$ and two abstraction functions ${\alpha }_1$ and ${\alpha }_2$. If ${\alpha }_2⪯{\alpha }_1$, then $SO\left({\mathcal{N}}^{\uparrow }\left[{\alpha }_1\right]\right)\le SO\left({\mathcal{N}}^{\uparrow }\left[{\alpha }_2\right]\right)$ and $SO\left({\mathcal{N}}^{\downarrow }\left[{\alpha }_2\right]\right)\le SO\left({\mathcal{N}}^{\downarrow }\left[{\alpha }_1\right]\right)$.

Theorem 1 enables us to approximate the cost of an SO in $\mathcal{N}$ using the costs of the SO in the much smaller ${\mathcal{N}}^{\downarrow }$ and ${\mathcal{N}}^{\uparrow }$. We now turn to study how ${\mathcal{N}}^{\downarrow }$ and ${\mathcal{N}}^{\uparrow }$ can be used in order to direct the search for an NE in $\mathcal{N}$.

Theorem 3.

Consider an NG $\mathcal{N}$, an abstraction function α for it, and an abstract NE P in ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$. There exists a profile in ${\alpha }^{-1}\left(P\right)$ that is a concrete NE in $\mathcal{N}$.

Proof. 

Let $P=\langle {\pi }_1,\cdots ,{\pi }_k\rangle$. Recall that ${\mathcal{N}}_{|P}$ is the NG obtained from $\mathcal{N}$ by restricting it to profiles in ${\alpha }^{-1}\left(P\right)$. Let $P_{NE}=\langle {\sigma }_1,\dots ,{\sigma }_k\rangle$ be a profile in ${\alpha }^{-1}\left(P\right)$ such that for every player $i\in \left[k\right]$, deviation to each strategy ${\sigma }_i^{\prime }\ne {\sigma }_i$ where ${\sigma }_i^{\prime }\in {\alpha }^{-1}\left(P\right)$, is not beneficial for Player i. We prove that $P_{NE}$ is also an NE in $\mathcal{N}$.

Consider a deviation ${\sigma }_i^{\prime }$ of Player i from his strategy ${\sigma }_i$ in $P_{NE}$. Let $P_{NE}^{\prime }=P_{NE}[i\leftarrow {\sigma }_i^{\prime }]$. We distinguish between two cases.

First, if $P_{NE}^{\prime }\in {\alpha }^{-1}\left(P\right)$, then, by the definition of $P_{NE}$, the deviation to ${\sigma }_i^{\prime }$ is not beneficial to Player i.

Otherwise, recall that $P_{NE}\in {\alpha }^{-1}\left(P\right)$. Therefore, by the proof of Lemma 1, for all players $i\in \left[k\right]$, we have that ${\mathit{cost}}_i\left(P_{NE}\right)\le {\mathit{cost}}_i^{\downarrow }\left(P\right)$. In addition, since P is an abstract NE, we have that ${\mathit{cost}}_i^{\downarrow }\left(P\right)\le {\mathit{cost}}_i^{\uparrow }\left(P[i\leftarrow \alpha \left({\sigma }_i^{\prime }\right)]\right)$. In addition, $P[i\leftarrow \alpha \left({\sigma }_i^{\prime }\right)]=\alpha \left(P_{NE}[i\leftarrow {\sigma }_i^{\prime }]\right)$. Hence, by Lemma 1, we have that ${\mathit{cost}}_i^{\uparrow }\left(P[i\leftarrow \alpha \left({\sigma }_i^{\prime }\right)]\right)\le {\mathit{cost}}_i\left(P_{NE}[i\leftarrow {\sigma }_i^{\prime }]\right)$. It follows that ${\mathit{cost}}_i\left(P_{NE}\right)\le {\mathit{cost}}_i\left(P_{NE}[i\leftarrow {\sigma }_i^{\prime }]\right)$, making the deviation non-beneficial. Hence, $P_{NE}$ is an NE in $\mathcal{N}$, and we are done. □

Please note that profiles in ${\alpha }^{-1}\left(P\right)$ can be searched for in ${\mathcal{N}}_{|P}$. Thus, as we elaborate in Section 4, an NE in $\mathcal{N}$ can be found by a sequence of best response moves restricted to ${\mathcal{N}}_{|P}$.

4. An Abstraction-Refinement Procedure for Finding an NE

In this section we describe an abstraction-refinement procedure for finding an NE in an NG . The input to the procedure is a concrete NG $\mathcal{N}$ and an abstraction function $\alpha$ for it. Experience in formal verification suggests that abstraction functions that are supplied by users familiar with the network, are the most successful ones. Alternatively, one can start with a coarse abstraction and refine it as we do in Section 5.

The output of the procedure is a concrete NE in $\mathcal{N}$. Since the state space of ${\mathcal{N}}^{\downarrow }$ and ${\mathcal{N}}^{\uparrow }$ is much smaller than that of $\mathcal{N}$, we would like to perform as many as possible computations on the approximating networks. Our procedure (see Figure 4 for an overview) consists of two parts. The first, in which an abstract NE $P_{\alpha }$ is found, is done entirely in ${\mathcal{N}}^{\downarrow }$ and ${\mathcal{N}}^{\uparrow }$, and it is the procedure we have implemented. The second, in which a concrete NE is found, is done in $\mathcal{N}$, restricted to ${\mathcal{N}}_{|P_{\alpha }}$. Thus, as is the case of the CEGAR methodology in formal verification, there is no way to avoid $\mathcal{N}$ entirely, yet we can significantly restrict the part of it in which the search proceeds. Moreover, it is possible to refine $\alpha$ and tighten ${\mathcal{N}}_{|P_{\alpha }}$ further. In Section 5, we show that the restriction indeed significantly reduces the size of the network.

There are many ways to refine an abstraction; one can work naively, choose an arbitrary abstract vertex and split it in some way, possibly by adding predicates that appear in the description of the network or the strategies. Even such a naive refinement is guaranteed to eventually lead to a solution. The challenge is to choose the refinements cleverly so that a concrete answer is obtained when the approximating networks are still much smaller than the concrete one. In CEGAR, the refinement is guided by a spurious counterexample. We follow this idea by always refining according to some path in the network that points to a spurious behavior of the approximations. We now describe the methodology in detail.

4.1. Part 1: AbsNE-Loop, Finding an Abstract NE

In the first part, our goal is to find, given $\mathcal{N}$ and $\alpha$, an abstract NE. Recall that such a profile is an NE in ${\mathcal{N}}^{\downarrow }$ that is resistant to deviations of the players even in ${\mathcal{N}}^{\uparrow }$. Since ${\mathcal{N}}^{\downarrow }$ is an NG, it has an NE. In Step 1 in Figure 4, we find such an NE $P_{\alpha }$. This is done by the user’s favorite algorithm for finding an NE in NGs. The important point for us is that this is done in the (much smaller) under-approximation of $\mathcal{N}$. Then, in Step 2, we check whether $P_{\alpha }$ is an abstract NE. Thus, we check whether players have beneficial deviations in ${\mathcal{N}}^{\uparrow }$. Again, this is done in the (much smaller) over-approximation of $\mathcal{N}$. If no player has a beneficial deviation in ${\mathcal{N}}^{\uparrow }$, then $P_{\alpha }$ is an abstract NE, we conclude this part of the procedure, and move to Step 4. Otherwise, there is a player $i\in \left[k\right]$ who can benefit from deviating to a strategy ${\pi }_i^{\prime }$.

We use ${\pi }_i^{\prime }$ in order to guide the refinement. There are several reasons why $P_{\alpha }$ is an NE in ${\mathcal{N}}^{\downarrow }$ yet not an abstract NE in $\mathcal{N}$. Step 3 consists of three possible refinement steps among which the user can choose, corresponding to the above different reasons. Let us start with Step 3a. Since ${\pi }_i^{\prime }$ is a path in ${\mathcal{N}}^{\uparrow }$, there might not be a concrete path in $\mathcal{N}$ that corresponds to it, thus ${\pi }_i^{\prime }$ is a spurious path. Consider two adjacent abstract vertices $a_1$ and $a_2$ that ${\pi }_i^{\prime }$ traverses. If the edge between $a_1$ and $a_2$ is in $E^{\uparrow }\backslash E^{\downarrow }$, we can split $a_1$ into $a_1^{\prime }$ and $a_1^{\prime \prime }$ such that $a_1^{\prime }$ contains exactly the vertices that have a neighbor in $a_2$ (similarly we can split $a_2$). Please note that after refinement, there is a must edge from $a_1^{\prime }$ to $a_2$ and there is not even a may edge between $a_1^{\prime \prime }$ to $a_2$. Since ${\pi }_i^{\prime }$ is spurious, such a candidate vertex is guaranteed to exist (We note that disconnectivity in ${\mathcal{N}}^{\downarrow }$ can be treated in a similar way.).

We continue to Steps 3b and 3c. They have to do with under- and over-approximations of the cost functions that cause ${\pi }_i^{\prime }$ to be a beneficial deviation in ${\mathcal{N}}^{\uparrow }$. By the definition of $l^{\downarrow }$ and $l^{\uparrow }$, we know that if ${\mathit{cost}}_i^{\downarrow }\left(P_{\alpha }[i\leftarrow {\pi }_i^{\prime }]\right)>{\mathit{cost}}_i^{\uparrow }\left(P_{\alpha }[i\leftarrow {\pi }_i^{\prime }]\right)$, then the path ${\pi }_i^{\prime }$ traverses an abstract edge $e\in E^{\downarrow }$ with load x for which $l_e^{\downarrow }\left(x\right)>l_e^{\uparrow }\left(x\right)$. Assume that $e=\langle a_1,a_2\rangle$. In Step 3b, we split $a_1$ or $a_2$ in order to tighten this gap. Finally, it may be that the cost of the strategy of Player i in $P_{\alpha }$ is too big. In Step 3c, we use the strategy ${\pi }_i$ that Player i chooses in $P_{\alpha }$ in order to guide a similar refinement in order to tighten the gap in the costs between ${\mathit{cost}}_i^{\downarrow }\left(P_{\alpha }\right)$ and ${\mathit{cost}}_i^{\uparrow }\left(P_{\alpha }\right)$.

A refinement step can be a single refinement or a combination of the refinements that are described above. After completing such a step, we return to Step 1 and find a new NE in the new under-approximating ${\mathcal{N}}^{\downarrow }$, and repeat the process.

4.2. Part 2: ConcNE-Loop, Finding a Concrete NE

The second part of the procedure gets an abstraction function $\alpha$ as well as an abstract NE $P_{\alpha }=\langle {\pi }_1,\dots ,{\pi }_k\rangle$. The goal is to find a concrete NE P in $\mathcal{N}$ such that $P\in {\alpha }^{-1}\left(P_{\alpha }\right)$. By Theorem 3, such an NE exists. Recall the best-response dynamics (BRD) algorithm for finding an NE in NGs in which we start with an arbitrary profile, and iteratively allow the players to perform beneficial deviations. We follow this algorithm and start in Step 4 with an arbitrary profile $P=\langle {\tau }_1,\dots ,{\tau }_k\rangle$ in ${\alpha }^{-1}\left(P_{\alpha }\right)$. If P is an NE, we are done. Otherwise, there is a concrete beneficial deviation ${\tau }_i^{\prime }$ for some Player i. Please note that by Theorem 3, we can restrict the deviations of Player i to paths in ${\alpha }^{-1}\left({\pi }_i\right)$. If the size of ${\mathcal{N}}_{|P_{\alpha }}$ is small, the user can choose Step 6a and try and find an NE in ${\alpha }^{-1}\left(P_{\alpha }\right)$ by performing a BRD step. However, when ${\mathcal{N}}_{|P_{\alpha }}$ is big, it makes sense to refine the abstraction by choosing Step 6b.

In Step 6b, we let the deviation ${\tau }_i^{\prime }$ guide the refinement. We look for a vertex v from which ${\tau }_i$ and ${\tau }_i^{\prime }$ differ, thus from v, one path continues with a vertex $v^{\prime }$ while the other with $v^{\prime \prime }$, where $v^{\prime }\ne v^{\prime \prime }$, yet $\alpha \left(v^{\prime }\right)=\alpha \left(v^{\prime \prime }\right)$. We refine the abstraction function by splitting $\alpha \left(v^{\prime }\right)$ so that $v^{\prime }$ and $v^{\prime \prime }$ are no longer in the same abstract vertex. We would like to have as many must edges as possible between the new vertices. One way to do it is to make $v^{\prime \prime }$ a singleton abstract state, but it is also possible to split $\alpha \left(v^{\prime }\right)$ as well as $\alpha \left(v\right)$ to achieve this. Once we conclude a refinement, we return to the first part of the procedure, and look for an abstract NE with the new abstraction.

Example 5.

Recall the NG and its abstraction that are described in Examples 2 and 3. Consider the profile $P_{\alpha }$ in which Player 1 chooses the path $s,a_1,a_4,t$ and Player 2 and 3 choose the path $s,a_1,a5,t^{\prime }$. Please note that while $P_{\alpha }$ is an NE in ${\mathcal{N}}^{\downarrow }$, it is not an abstract NE, as Player 2 can deviate to $s,a_2,a_5,t^{\prime }$. We refine α according to this deviation, which leads to splitting $a_5$ into $a_5^1$ and $a_5^2$ (see Figure 3). Consider now the profile $P_1$ in ${\mathcal{N}}^{\downarrow }$ in which Player 1 chooses the strategy $s,a_1,a_4,t$ and Players 2 and 3 choose the strategy $s,a_2,a_5^1,t^{\prime }$. We claim that $P_1$ is an abstract NE. Indeed, Player 1 has no possible deviation, and Players 2 and 3 each pay 2 for $(a_2,a_5^1)$ and deviating to a path that uses $(a_1,a_5^1)$ or $(a_2,a_5^2)$ does not reduce their costs.

For the second part of the refinement procedure, we select the concrete profile P in which Player 1 chooses the path $s,v_1,v_4,t$, and Players 2 and 3 choose the path $s,v_2,v_5,t^{\prime }$. This is not an NE in $\mathcal{N}$ as Player 2 can deviate to ${\tau }_2^{\prime }=s,v_3,v_5,t^{\prime }$. Rather than refining the abstraction, we choose to check if $P[2\leftarrow {\tau }_2^{\prime }]$ is an NE, and indeed it is, so we are done.

Remark 1.

An interesting problem in NGs is to find an NE with “good” social cost [39]. Formally, given an NG $\mathcal{N}$ and a value ν, decide whether there is an NE with cost at most ν. Our procedure can be directed to finding a good NE. Indeed, Lemma 1 shows that the cost of an abstract NE $P_{\alpha }$ is an upper bound on the cost of every concrete NE in ${\alpha }^{-1}\left(P_{\alpha }\right)$. Thus, rather than finding an arbitrary abstract NE, we can look for one of a minimal cost, thereby directing the search for a concrete NE to one of a minimal cost too. While this is a harder task than finding an arbitrary abstract NE, it is performed on the much smaller approximation.

5. Experimental Results

We implemented our methodology and tested the performance of its AbsNE loop on randomly-generated cost-sharing games. We examined the benefit of the abstraction, namely we compared the size of the original game with the game that is truncated to the abstract NE we find. We also examined the practicality of our approach, namely the number of CEGAR iterations until an abstract NE is found. We studied these questions for different parameters of the game; size of the graph, range of weights, and number of players. Our implementations are in Python, we use the library Networkx [40] for graph generation and graph algorithms, and we ran our experiments on a personal computer, Intel Core i5 quad core 1.75 GHz processor, with 8 GB memory. Our results are encouraging: we are able to find an abstract NE relatively easily and it significantly reduces the size of the network making it easier to find a concrete NE.

We generate a random game, given the parameters $n,w,k\in \mathrm{I}\mathrm{N}$ and $p\in [0,1]$. We use the Erdos-Réyni $G(n,p)$ model to generate the network. Then, for each edge in the graph, we choose at random a cost in a set $\{0,\dots ,w\}$. For each player $i\in \left[k\right]$, we choose at random a source vertex $s_i$ and a reachable target vertex $t_i$. For the initial abstraction, we choose, for $i\in \left[k\right]$, a shortest path ${\pi }_i$ between $s_i$ and $t_i$, and we let every vertex that ${\pi }_i$ traverses be a singleton abstract state. Thus, in the under approximation, we have at least one path from $s_i$ to $t_i$. All other concrete vertices are mapped to one abstract state.

We perform three types of experiments. We focus on the number $\left|V\right|$ of vertices in the concrete network, the number k of players, and the range $\left|W\right|$ of weights on the edges. The number of edges is approximately $1/2·{\left|V\right|}^2$. We fix two of the parameters and increase the third. In Figure 5, we see how increasing one of the parameters affects the number of iterations of the CEGAR loop. In Figure 6, we compare the sizes of the truncated network, namely, ${\alpha }^{-1}\left(P_{\alpha }\right)$, and the original one; we show the ratio between the number of vertices in the two networks and the ratio between the number of edges.

Analysis of Results

We find the plots with the increasing number of vertices encouraging. As seen in the leftmost plot in Figure 6, since we fix the number of players, the part of the network that is being “used” becomes relatively smaller with increasing $\left|V\right|$, and an abstract NE has a good potential to shrink the network. Indeed, the ratios decrease. The downside of this, as seen in Figure 5, is that since the size of the network increases, we need more iterations of the CEGAR loop to find an abstract NE. Next, observe the number of iterations with increasing k, that is, number of players (the middle plots in both figures). Recall how we find an initial abstraction above. When k increases, there is a growing number of concrete vertices that are mapped to singleton abstract states in the initial abstraction. Thus, the abstraction is closer to the concrete network. On the one hand, as seen in the middle plot in Figure 5, the closer the abstraction is to the concrete network, fewer iterations are needed until an abstract NE is found. On the other hand, as seen in the middle plot in Figure 6, the ratios increase. For increasing $\left|W\right|$ (see the right-most plots in the figures), we observe that beyond a particular value of $\left|W\right|$, it no longer affects the results.

6. Automata Games

As discussed in Section 1, the objectives users of a network are often more involved than reachability. In this section we extend the abstraction-refinement methodology to automata games (AGs, for short) with cost sharing, which model settings with such richer objectives . AGs are similar to NGs, except that edges of the networks are labeled, and the players have objectives that refer to these labels and are more involved than the reachability objectives of NGs [37].

An AG is played on a labeled network $\mathcal{N}=\langle \Sigma ,V,\Delta \rangle$, where $\Sigma$ is a finite alphabet, V is a set of vertices, and $\Delta \subseteq V\times \Sigma \times V$ is a deterministic labeled transition relation, i.e., for $v\in V$ and $\sigma \in \Sigma$, there is at most one $v^{\prime }\in V$ with $\Delta (v,\sigma ,v^{\prime })$. Consider a path $\pi =e_1,\dots ,e_n$ in $\mathcal{N}$, where, for all $1\le i\le n$, we have $e_i=\langle v_i,{\sigma }_i,v_{i+1}\rangle \in \Delta$. The word that corresponds to $\pi$ is $w\left(\pi \right)={\sigma }_1\dots {\sigma }_n$. An AG is a tuple $\mathcal{A}=\langle k,\Sigma ,V,\Delta ,{\left\{l_e\right\}}_{e\in \Delta },{\left\{L_i\right\}}_{i\in \left[k\right]}\rangle$, where, for $i\in \left[k\right]$, we have that $L_i\subseteq {\Sigma }^{\ast }$ is a regular language that specifies the objective of Player i. Thus, a strategy for Player i is a path $\pi$ in $\mathcal{N}$ such that $w\left(\pi \right)\in L_i$. We assume that the languages $L_i$ are given by means of nondeterministic finite automata over $\Sigma$. Our results can be easily extended to other specification formalisms. Please note that unlike NGs, a strategy in an AG need not be simple path. That is, a player might be forced to use an edge several times in a strategy.

We study here cost sharing AGs, and distinguish between two cost-sharing rules that can be applied in AGs. In uniform AGs, the cost of an edge is shared uniformly among all the players that use it. Thus, we ignore the fact that different players may use the edge different number of times. This makes the game-theoretical behavior of uniform AGs similar to that of NGs. In proportional AGs, introduced and studied in [37], the cost of an edge is shared among the players in proportion to the number of times they have used it. For example, if two players use an edge e with cost c, one uses it once and the second twice, then the first pays $\frac{c}{3}$ for e and the second pays $\frac{2c}{3}$. We define the proportional cost-sharing rule formally in Section 6.2.

6.1. Uniform AGs

Abstracting an AG is similar to abstracting an NG, except that we merge only edges that agree on their label. Formally, consider an AG $\mathcal{A}=\langle k,\Sigma ,V,\Delta ,{\left\{l_e\right\}}_{e\in \Delta },{\left\{L_i\right\}}_{i\in \left[k\right]}\rangle$ and an abstraction function $\alpha :V\to A$. We construct two abstract AGs ${\mathcal{A}}^{\downarrow }\left[\alpha \right]$ and ${\mathcal{A}}^{\uparrow }\left[\alpha \right]$ as follows. In ${\mathcal{A}}^{\downarrow }\left[\alpha \right]$, we use labeled must edges: for $\sigma \in \Sigma$ and $a,a^{\prime }\in A$, there is a $\sigma$-labeled must edge from a to $a^{\prime }$ if for every concrete state $c\in a$, there is $c^{\prime }\in a^{\prime }$ with $\langle c,\sigma ,c^{\prime }\rangle \in \Delta$. In ${\mathcal{A}}^{\uparrow }\left[\alpha \right]$, we use labeled may edges: for $\sigma \in \Sigma$ and $a,a^{\prime }\in A$; there is a $\sigma$-labeled may edge from a to $a^{\prime }$ if there exist concrete states $c\in a$ and $c^{\prime }\in a^{\prime }$ with $\langle c,\sigma ,c^{\prime }\rangle \in \Delta$. All the other components are as in abstract NGs. For an AG $\mathcal{A}$, and two states $s,t\in V$, we define the $(s,t)$-language of $\mathcal{A}$, denoted $L^{s,t}\left(\mathcal{A}\right)$ as the set of words obtained by traversing a path from s to t in $\mathcal{A}$. The use of may and must edges, implies Lemma 2 below (c.f. [41]).

Lemma 2.

Consider an AG $\mathcal{A}$ and an abstraction function $\alpha :V\to A$. For every two states s and t in $\mathcal{A}$, we have that $L^{\alpha \left(s\right),\alpha \left(t\right)}\left({\mathcal{A}}^{\downarrow }\left[\alpha \right]\right)\subseteq L^{s,t}\left(\mathcal{A}\right)\subseteq L^{\alpha \left(s\right),\alpha \left(t\right)}\left({\mathcal{A}}^{\uparrow }\left[\alpha \right]\right)$

It is not hard to see that all the considerations applied to NGs remain valid for uniform AGs. Indeed, the correspondence between concrete and abstract strategies is preserved, and, by Lemma 2, so does the application of this correspondence in our methodology. Hence, Theorems 1 and 3 are valid also for uniform AGs:

Theorem 4.

Consider a uniform AG $\mathcal{A}$ and an abstraction function α for it.

• $SO\left({\mathcal{A}}^{\uparrow }\left[\alpha \right]\right)\le SO\left(\mathcal{A}\right)\le SO\left({\mathcal{A}}^{\downarrow }\left[\alpha \right]\right)$.
• If P is an abstract NE in ${\mathcal{A}}^{\downarrow }\left[\alpha \right]$, then there exists a profile in ${\alpha }^{-1}\left(P\right)$ that is a concrete NE in $\mathcal{A}$.

6.2. Proportional AGs

We first formally define the costs of the players in a concrete proportional AG. Consider an AG $\mathcal{A}=\langle k,\Sigma ,V,\Delta ,{\left\{l_e\right\}}_{e\in \Delta },{\left\{L_i\right\}}_{i\in \left[k\right]}\rangle$. Let $P=\langle {\pi }_1,{\pi }_2,\dots ,{\pi }_k\rangle$ be a profile where, for each $i\in \left[k\right]$, we have ${\pi }_i=e_i^1,\dots ,e_i^{{\ell }_i}$. Let ${used}_{i,P}:\Delta \to \mathrm{I}\mathrm{N}$ map each edge to the number of times Player i uses it in profile P. Thus, for $e\in \Delta$, we have ${used}_{i,P}\left(e\right)=\left|\{j:e_i^j=e\}\right|$. When ${used}_{i,P}\left(e\right)>0$, we say that e is in ${\pi }_i$, denoted $e\in {\pi }_i$. Let ${used}_P:\Delta \to \mathrm{I}\mathrm{N}$ denote the total number of times edge e is used in profile P by all players. Thus, for $e\in \Delta$, we have ${used}_P\left(e\right)={\sum }_{i\in \left[k\right]}{used}_{i,P}\left(e\right)$. The cost of Player i in profile P is then $cos{t}_i\left(P\right)={\sum }_{e\in {\pi }_i}{used}_{i,P}\left(e\right)·l_e\left({used}_P\left(e\right)\right)$.

The proportional cost sharing rule cause AGTs to be less stable than NGs:

Theorem 5.

Refs. [37,42] In proportional AGs an NE is not guaranteed to exist, and deciding whether an NE exists in a given game is ${\Sigma }_2^P$-complete.

Since proportional AGs need not have an NE, the computational question we study is deciding whether a given AG has an NE. While we can abstract proportional AGs as described above, our methodology is targeted for finding an NE and not deciding whether one exists. Indeed, the methodology either outputs an abstract NE, which, recall, is a profile of abstract strategies, or it outputs that no abstract NE exists in the abstraction. We claim that both answers are not helpful for deciding the existence of an NE. While in NGs (and uniform AGs) a concrete NE is guaranteed to exist in the game that is restricted to an abstract NE, in proportional AGs, a concrete NE is not guaranteed to exist at all, let alone in a restriction of the game. Hence, existence of an abstract NE does not imply the existence of a concrete NE. Moreover, existence of an abstract NE that has no concrete NE that is mapped to it, does not imply that a concrete NE does not exist, as such an NE might exist elsewhere. Finally, non-existence of an abstract NE also does not imply the non-existence of a concrete NE.

Below we describe applications where abstraction can still be useful in the context of proportional AGs. First, as SO is independent of the cost sharing rule, the considerations for uniform AGs apply:

Theorem 6.

For every proportional AG $\mathcal{A}$ and an abstraction function α for it, we have that $SO\left({\mathcal{A}}^{\uparrow }\left[\alpha \right]\right)\le SO\left(\mathcal{A}\right)\le SO\left({\mathcal{A}}^{\downarrow }\left[\alpha \right]\right)$.

Next, we use abstractions in order to restrict the search space when searching for an NE. Recall that the problem of deciding whether an NE exists in proportional AGs is ${\Sigma }_2^P$-complete. This suggests that the optimal algorithm for finding an NE first guesses a profile and then checks whether it is an NE. In order to speed-up the algorithm, we restrict the search space by removing dominated strategies using the abstraction.

Intuitively, a strategy ${\pi }_i$ for Player i is dominated by a strategy ${\pi }_i^{\prime }$ if no matter how the other players play, it is always better for Player i to use ${\pi }_i^{\prime }$. Thus, a profile in which Player i uses ${\pi }_i$ cannot be an NE and removing dominated strategies does not affect the existence of NE. In other words, a game $\mathcal{A}$ has an NE if the game ${\mathcal{A}}^{\prime }$ that is obtained by removing the dominated strategies for all players, has an NE. Formally, for $i\in \left[k\right]$, we use ${\pi }_{-i}$ to denote a collection of strategies for all players apart from Player i and we denote by $\langle {\pi }_i,{\pi }_{-i}\rangle$ the profile in which Player i uses the strategy ${\pi }_i$ and the other players choose their strategies in ${\pi }_{-i}$. A strategy ${\pi }_i$ for Player i is dominated by a strategy ${\pi }_i^{\prime }$ if for every ${\pi }_{-i}$, we have $cos{t}_i\left(\langle {\pi }_i,{\pi }_{-i}\rangle \right)>cos{t}_i\left(\langle {\pi }_i^{\prime },{\pi }_{-i}\rangle \right)$.

We search for dominated strategies in an AG $\mathcal{A}$ in the abstractions ${\mathcal{N}}^{\uparrow }\left[\alpha \right]$ and ${\mathcal{N}}^{\downarrow }\left[\alpha \right]$. For an abstract strategy ${\tau }_i=t_1,\dots ,t_n$ for Player i, we need an under- and over-approximations on its cost. For a concrete edge $e=\langle c,\sigma ,c^{\prime }\rangle$, we use $\alpha \left(e\right)$ to denote the abstract may edge $\langle \alpha \left(c\right),\sigma ,\alpha \left(c^{\prime }\right)\rangle$. We extend $\alpha$ also to strategies: for a concrete strategy $\pi =e_1,\dots ,e_n$, we denote the corresponding abstract strategy by $\alpha \left(\pi \right)=\alpha \left(e_1\right),\dots ,\alpha \left(e_n\right)$. For an abstract edge t, we define $w_t^{\downarrow }={max}_{e:\alpha \left(e\right)=t}{w}_e$ and $w_t^{\uparrow }={min}_{e:\alpha \left(e\right)=t}{w}_e$. We define an over-approximation on the cost of ${\tau }_i$ as follows $cos{t}^{\downarrow }\left({\tau }_i\right)={\sum }_{1\le j\le n}{w}_{t_j}^{\downarrow }$. This is indeed an over-approximation on the cost: Consider a concrete strategy ${\pi }_i$ for Player i that is mapped to the abstract may strategy ${\tau }_i$. Then, for every ${\pi }_{-i}$, we have $cos{t}_i\left(\langle {\pi }_i,{\pi }_{-i}\rangle \right)\le cos{t}^{\downarrow }\left({\tau }_i\right)$.

We now define an under-approximation on the cost of a must strategy ${\tau }_i$. Let ${\pi }_{-i}$ be a collection of $k-1$ concrete strategies and ${\tau }_{-i}$ be the may strategies to which they are mapped. Consider the may profile $P=\langle {\tau }_i,{\tau }_{-i}\rangle$. For $j\in \left[k\right]$ and a may edge t, the definition of $use{s}_{j,P}\left(t\right)$ and $use{s}_P\left(t\right)$ are similar to the concrete case. Please note that since ${\tau }_i$ is a must path, it is also a may path. We define $cos{t}_i^{\uparrow }\left(P\right)={\sum }_{t\in {\tau }_i}{w}_t^{\uparrow }·use{s}_{j,P}\left(t\right)/use{s}_P\left(t\right)$. We define $cos{t}^{\uparrow }\left({\tau }_i\right)={min}_{{\tau }_{-i}}cos{t}_i^{\uparrow }\left(\langle {\tau }_i,{\tau }_{-i}\rangle \right)$, where the minimum is well-defined since the set of strategies for each player is finite. This is indeed an under-approximation: Consider a concrete strategy ${\pi }_i$ for Player i that is mapped to the must strategy ${\tau }_i$, that is, ${\pi }_i\in {\alpha }^{-1}\left({\tau }_i\right)$. Then, for every ${\pi }_{-i}$, we have $cos{t}_i\left(\langle {\pi }_i,{\pi }_{-i}\rangle \right)\ge cos{t}_i^{\uparrow }\left(\langle {\tau }_i,{\tau }_{-i}\rangle \right)\ge cos{t}^{\uparrow }\left({\tau }_i\right)$.

Definition 2.

Consider an AG $\mathcal{A}$ and an abstraction α for it. We say that a must strategy ${\tau }_i$ for Player i is abstract-dominated by a must strategy ${\tau }_i^{\prime }$ if $cos{t}^{\downarrow }\left({\tau }_i^{\prime }\right)<cos{t}^{\uparrow }\left({\tau }_i\right)$. Let $D_i=\{w\left({\tau }_i\right):{\tau }_i\mathrm{is}\mathrm{an}\mathrm{abstract}-\mathrm{dominated}\mathrm{strategy}\}$.

Theorem 7.

Consider a proportional AG $\mathcal{A}=\langle k,\Sigma ,V,\Delta ,{\left\{l_e\right\}}_{e\in \Delta },{\left\{L_i\right\}}_{i\in \left[k\right]}\rangle$ and an abstraction function α. For $i\in \left[k\right]$, let $D_i\subseteq L_i$ be a collection of abstract-dominated strategies for Player i. Then, the game ${\mathcal{N}}^{\prime }$ that is obtained by setting the strategies of each Player i to be $L_i\backslash D_i$ has an NE iff $\mathcal{N}$ has an NE.

Proof. 

Consider a must strategy ${\tau }_i$ for Player i such that $w\left({\tau }_i\right)\in D_i$ and let ${\tau }_i^{\prime }$ be an abstract-dominating strategy. Since both strategies are must paths, there are concrete strategies ${\pi }_i$ and ${\pi }_i^{\prime }$ that are mapped to ${\tau }_i$ and ${\tau }_i^{\prime }$, respectively. We claim that ${\pi }_i$ is dominated by ${\pi }_i^{\prime }$, thus a profile in which Player i chooses ${\pi }_i$ is not an NE. Let ${\pi }_{-i}$ be a choice of strategies for the other players. As in the above, we have $cos{t}_i\left(\langle {\pi }_i,{\pi }_{-i}\rangle \right)\ge cos{t}^{\uparrow }\left({\tau }_i\right)$ and $cos{t}_i\left(\langle {\pi }_i^{\prime },{\pi }_{-i}\rangle \right)\le cos{t}^{\downarrow }\left({\tau }_i^{\prime }\right)$. The claim follows from combining with $cos{t}^{\downarrow }\left({\tau }_i^{\prime }\right)<cos{t}^{\uparrow }\left({\tau }_i\right)$. □

7. Discussion and Directions for Future Research

The need to reason about networks of increasing size and complexity calls for the development of new techniques for coping with NGs with large state spaces. Abstraction has proven itself as a very effective method for coping with large state spaces in the context of formal verification. We described an abstraction-refinement methodology for reasoning about NGs. The methodology enables the user to search for two kinds of profiles: Nash equilibria and social optimum. This is done by reasoning about under- and over-approximations of the NG, which are defined over a much smaller state space. When the approximations are too coarse to find such profiles, the user may refine the abstraction. We extended the methodology to labeled networks, where the objectives of the players are regular languages, making it possible to specify properties of the paths along which the reachability objectives are satisfied. We implemented our methodology and our experimental results demonstrate its effectiveness.

This work belongs to a line of works that transfer concepts and ideas between the areas of formal verification, AI, and algorithmic game theory [33]: logics for specifying multi-agent systems [43,44,45], studies of equilibria in games related to synthesis and repair problems [46,47,48,49], and of non-zero-sum games in formal verification [50,51]. Closest to this work are works that apply ideas from formal verification to NGs. This includes an extension of NGs to objectives that are richer than reachability [37], NGs in which the players select their paths dynamically [52], reasoning about real-time in NGs [53,54], and efficient reasoning about NGs that are structured in a hierarchical manner [55]. The latter work is of special relevance, as it is motivated by the need to cope with large NGs. We believe that further ideas from formal verification should be examined in the context of this challenge. In particular, already in the direction of abstraction and refinement, researchers have studied techniques for finding effective abstraction functions [25] as well as effective refinements for them [24,56]. In the context of NGs, the abstraction function influences not only the structure of the network but also the costs and loads. Consequently, different considerations should be taken when evaluating the effectiveness of an abstraction function. We hope that research on such an evaluation would lead, in addition to techniques for finding effective abstraction functions, also to tighter definitions of the costs in the approximations. Also, especially in the context of AGs, where the networks are labeled, we believe that predicate-based abstractions would serve as a convenient paradigm to study the effectiveness of abstraction functions and their refinements.

Abstraction-refinement is a general concept that is proven to be highly successful in formal verification, where it is used in a search for a counterexample to the correctness of the system [25]. A promising direction would be to apply the basic framework or its quantitative extensions to search problems in AI that need to cope with large inputs, as is already done in planning [57] and in a search for optimal policies in Markov decision processes [58,59]. Extending the abstraction-refinement framework to cope with selfish players, as we do here, is a delicate procedure that depends on the specific game model at hand. Multiagent systems have been studied extensively in AI in a game theoretic framework [60]. Examples of settings that could benefit from an abstraction-refinement framework include prediction of the quality of a given infrastructure (e.g., traffic or internet network) or an auction mechanism [61], finding equilibrium in automated negotiation settings [62], and resource allocation [4], which is a generalization of network games.