An Exact Method for Fortification Games

A fortification game (FG) is a three-level, two-player Stackelberg game, also known as defender-attacker-defender game, in which at the uppermost level, the defender selects some assets to be protected from potential malicious attacks. At the middle level, the attacker solves an interdiction game by depreciating unprotected assets, i.e., reducing the values of such assets for the defender, while at the innermost level the defender solves a recourse problem over the surviving or partially damaged assets. Fortification games have applications in various important areas, such as military operations, design of survivable networks, protection of facilities, or power grid protection. In this work, we present an exact solution algorithm for FGs, in which the recourse problems correspond to (possibly NP-hard) combinatorial optimization problems. The algorithm is based on a new generic mixed-integer linear programming reformulation in the natural space of fortification variables. Our new model makes use of fortification cuts that measure the contribution of a given fortification strategy to the objective function value. These cuts are generated on-the-fly by solving separation problems, which correspond to (modified) middle-level interdiction games. We design a branch-and-cut-based solution algorithm based on fortification cuts, their lifted versions, and other speed-up techniques. We present a computational study using the knapsack fortification game and the shortest path fortification game. For the latter one, we include a comparison with a state-of-the-art solution method from the literature. Our algorithm outperforms this method and allows us to solve previously unsolved instances to optimality.

Finally, we notice that more general types of fortification games have been introduced in the literature.
For example, Alderson et al. (2011) considered the case in which the feasible region of the innermost problem depends on w as well (i.e., we have Y (w, x) instead of Y (x)), whereas Brown et al. (2006) addressed situations in which the third level variables are not necessarily binary and there might exist some available capacity which is invulnerable to the attack (e.g., y ≤ u 0 + u(1 − x)). These more general settings are out of scope of this paper, and we focus on a particular version defined by the problem (0-1 FG).

Contribution and Outline
In this work, we present an exact solution algorithm for (0-1 FG). The algorithm is based on a new generic mixed-integer programming (MIP) formulation for (0-1 FG) which makes use of valid inequalities, denoted as fortification cuts. These cuts are used to measure the objective function value for given fortification strategies, and are generated on-the-fly by solving separation problems, which correspond to (modified) IGs.
The detailed contribution and outline is summarized as follows.
• We present a general solution framework for the problem (0-1 FG) whose recourse can be an arbitrary (possibly NP-hard) combinatorial optimization problem with linear objective function and discrete variables. Thus, we extend theory and methodology of the existing exact algorithms for fortification games, the majority of which requires the recourse problems to be convex.
• We introduce a single-level MIP reformulation for (0-1 FG) using fortification cuts, present alternative methods for strengthening these cuts, and discuss their efficient separation.
• We propose further algorithmic enhancements, that allow to speed-up the separation problem, based on heuristic solutions of the interdiction problem.
• We describe the application of our generic solution algorithm to two concrete problems, namely the knapsack fortification game and the shortest path fortification game, and present an extensive computational study of the performance of our algorithm. This analysis is aimed at evaluating the contribution of different ingredients of our algorithm as well as at comparing its effectiveness with other exact approaches from the literature.
The paper is organized as follows. In the remainder of this section, we provide an overview of previous and related work, whereas in Section 2 we introduce our reformulation and derive the fortification cut for a given intersection strategy. Moreover, we discuss methods for strengthening a given cut and analyze the associated separation problem. Other general speed-up techniques that are used in our solution algorithm are presented in Section 3. Sections 4.1 and 4.2 describe two applications that can be modeled as an FG. A detailed computational study on both problems is given in Section 5, where we discuss further, problem-specific implementation details, assess the efficiency of the various ingredients of the algorithm, and compare the results of our method with state-of-the-art exact approaches from the literature. Finally, Section 6 draws some conclusions and reports possible new lines of research.

Previous and Related Work
Closely related to FGs are IGs, which are two-player two-level Stackelberg games used to model attackerdefender settings. The attacker, who acts first, has limited resources and an attack consists of disabling the defender's assets, reducing their capacity or increasing their cost. At the lower level, the defender solves the recourse problem over the set of surviving or partially damaged assets. IGs arise in military applications (Brown et al., 2006), in controlling the spread of infectious diseases (Assimakopoulos, 1987;Shen et al., 2012;Furini et al., 2021aFurini et al., , 2020Tanınmış et al., 2021), in counter-terrorism (Wang et al., 2016), or in monitoring of communication networks (Furini et al., 2021b(Furini et al., , 2019. Very often, IGs are defined over networks, in which the attacker reduces the capacities of nodes or edges, or even completely removes some of them from the network (Cochran et al., 2011). Some of the most famous examples of so-called network-interdiction games include interdiction of shortest paths (Israeli and Wood, 2002) or network flows Smith and Lim, 2008;Akgün et al., 2011). However, IGs turn out to be much more difficult if the recourse problem is NP-hard, like maximum knapsack (Caprara et al., 2016;Fischetti et al., 2019;Della Croce and Scatamacchia, 2020) or maximum clique (Furini et al., 2021b(Furini et al., , 2019, making the associated IG a Σ P 2 -hard problem . In FGs, the defender tries to "interdict" the attacker, by anticipating the attacker's malicious activities, i.e., the defender tries to protect the most vulnerable assets before the attack is taking place. Even though there exists a large body of literature dedicated to IGs, see, e.g., the two recent surveys in Smith and Song (2020); Kleinert et al. (2021), there are very few articles dealing with more difficult three-level optimization problems arising in the context of FGs. The applications of FGs stem from similar settings as for the IGs. Three-level DAD models to protect electric power grids have been used by Brown et al. (2006); Yuan et al. (2014); Xiang and Wang (2018); Lai et al. (2019), and Fakhry et al. (2021 proposed to design networks that can survive network-flow attacks by using FGs. Similarly, Sarhadi et al. (2017) used a DAD model for protection planning of freight intermodal transportation networks. Other FG models for protecting transportation networks can be found in Jin et al. (2015); Starita and Scaparra (2016), and Starita et al. (2017). In the context of supply chain networks and protection of facilities, we highlight DAD models presented by Church and Scaparra (2007); Scaparra and Church (2008b), and Zheng and Albert (2018). Recently, a trilevel critical node problem used for limiting the spread of a viral attack in a given network has been considered in Baggio et al. (2021). We point out that our list of applications of FGs is far from being comprehensive, and we refer an interested reader to further references provided in the articles mentioned above.
When it comes to general techniques used to solve FGs, we distinguish between duality-based and reformulation-based methods. Duality-based methods can be applied to FGs in which the recourse prob-lem is a linear/convex program, so that after its dualization (and potential linearization), the three-level model is turned into a bilevel min-max mixed-integer formulation (Brown et al., 2006). The latter can then be solved using some of the state-of-the-art solvers for mixed-integer bilevel optimization (see, e.g., Fischetti et al. (2017Fischetti et al. ( , 2018; Tahernejad et al. (2020)). Reformulation-based methods exploit a particular problem structure of the recourse or interdiction problem (by, e.g., enumerating all possible attack plans), so that an equivalent bilevel or single-level model can be derived (Church and Scaparra, 2007;Scaparra and Church, 2008a;Cappanera and Scaparra, 2011). Heuristics are much more prevalent than exact methods in the existing literature on FGs. The most recent generic heuristics for FGs have been proposed by (Fakhry et al., 2021).
Closest to our work is the backward sampling framework for FGs recently proposed by Lozano and Smith (2017). The authors develop a cutting-plane method assuming discrete fortification and interdiction strategies (i.e., all variables in the first two levels are assumed to be binary). Thanks to the sampling of possible solutions of the third-level, the recourse problem can also be non-convex (non-linear, or involving discrete variables). For any given fortification strategy vector w, a subset of sampled third-level solutions is used as a basis to derive valid lower and upper bounds of the embedded IG. The overall method is completed by an outer optimization over w variables, where specific interdiction strategies are eliminated using no-good-cut-like covering inequalities.

Solution Framework
In this section, we first introduce a single-level reformulation of (0-1 FG) in the space of fortification variables w which uses the family of fortification cuts. Afterwards, we present different methods for strengthening these cuts and discuss methods for their separation.

Single-level Reformulation and Fortification Cuts
Let Φ I (x) be the value function of the interdiction game associated to a given interdiction strategy x ∈ X, i.e., Similarly, let Φ F (w) be the value function of the fortification game for a given fortification strategy w ∈ W , i.e., The last equations holds for sufficiently large coefficients M i , due to the fact that the linking constraints between the fortification and subsequent interdiction are given by x ≤ 1 − w. Using this notation, problem (0-1 FG) can equivalently be written as Equation (1) implies that, for any w ∈ W andx ∈ X, we have which leads to the single level reformulation of the fortification game Given the possible exponential number of inequalities (6), this reformulation is suitable for being solved using a cutting-plane or a branch-and-cut approach in which they are initially omitted and then added on-the-fly when violated. The resulting formulation in which some of the constraints (6) are relaxed, is referred to as relaxed master problem. There are two potential drawbacks in using formulation (5)- (6) in practical applications. First, if not carefully chosen, the values of M i can lead to very weak dual bounds and potentially underperforming branch-and-bound trees. Second, to separate inequalities (6) one has to solve the middle-level IG, a problem which can be Σ P 2 -hard, for NP-hard recourse problems. To address the first issue, we show in Theorem 1 that tight values for the M i coefficients can be easily derived, no matter the structure of the recourse problem. We then show how these fortification cuts, can be strengthened to tighten the dual bounds. We address the separation issue in Section 2.4. Theorem 1. Constraints (6) can be replaced with the following fortification cuts: Proof. We need to show that Φ F (w) ≥ Φ I (x) − i∈N d ixi w i for all w ∈ W andx ∈ X, i.e., that (4) holds This is straightforward in casex ∈ X(w) since, by definition, we havex i w i = 0 for all i ∈ N , and (4) reduces to Φ F (w) ≥ Φ I (x), implying inequality (7).
If insteadx ∈ X(w), we consider interdiction strategy x defined by selecting those assets inx that are not fortified by w, i.e., x i =x i (1 − w i ), for all i ∈ N . Sincex ∈ X, we have x ∈ X(w) and (4), therefore, Φ F (w) ≥ Φ I (x ) holds. We complete the proof by showing that By contradiction, assume that Φ I (x) − i∈N d ixi w i > Φ I (x ), and let y ∈ Y be an optimal recourse strategy for interdiction strategy x . Using the definition of value function Φ I (x ), we obtain Using notations N 1 = {i ∈ N :x i w i = 1} = {i ∈ N :x i = 1, x i = 0}, and N 2 = N \ N 1 , inequality (9) can be rewritten as which shows that y is a feasible recourse strategy for interdiction strategyx whose cost is strictly smaller than Φ I (x). This contradiction concludes the proof.

Strengthening the Fortification Cuts with Enumeration
In this section, we introduce sufficient conditions under which a vector of coefficients produces a valid cut strengthening a given fortification cut.
Theorem 2. Letx ∈ X be a feasible interdiction strategy and denote by S(x) = {i ∈ N :x i = 1} the associated set of interdicted assets. Letd ∈ R n be a vector satisfying the following conditions: such that there exists a feasible fortification strategy w ∈ W : w i = 1 for all i ∈ P , and x is the interdiction strategy with x i = 0 for all i ∈ P , and Then, the inequality is valid for (0-1 FG) and dominates the fortification cut (7) for interdiction strategyx.
Proof. Letx ∈ X be a feasible interdiction strategy,d ∈ R n be a vector satisfying Conditions 1 and 2 above, and w ∈ W be any feasible fortification strategy. Define P = {i ∈ N : which clearly satisfies the description in Condition 2. In addition, consider an interdiction strategy x such that x i =x i (1 − w i ) for all i ∈ N . By definition of P and using Condition 2, we get where the last inequality follows from the fact that θ ≥ Φ F (w) ≥ Φ I (x ) since x ∈ X(w), as in the proof of Theorem 1. Thus, (12) is valid since (13) holds for all w ∈ W .
The theorem above provides conditions for determining stronger cuts. While the trivial choice ofd = d is always feasible with respect to these conditions, a tighter cut could potentially be obtained by finding a vectord which is minimal with respect to some norm. We note that for a given interdiction strategyx, checking whether a given vectord satisfies to Condition 2 may be computationally challenging. Indeed, one has to evaluate the recourse value of the attacker solution S(x) \ P for each P ⊆ S(x) whose elements can be contained in a feasible fortification strategy. In Section 3.3, we describe a heuristic approach to efficiently obtain a non-trivial vectord satisfying the conditions of Theorem 2.
Remark 2. The right-hand-side of Condition 2 in Theorem 2 can be replaced by min{Φ . For the problems whose recourse level is computationally hard to solve, a dual bound could be used to produce a faster strengthening procedure. Although the resulting cut may be weaker than the one obtained using Φ I (x ), it is still as good as (7)

Strengthening the Fortification Cuts with a Lower Bound
In this section we show an alternative and computationally less expensive way to obtain stronger fortification cuts. The theorem below assumes that a valid lower bound on z * is available. For α ∈ R, we define (α) + = max{α, 0}.
Theorem 3. Letx ∈ X be a feasible interdiction strategy and z be a lower bound on z * . Then, the is valid for (0-1 FG) and dominates the fortification cut (7) for interdiction strategyx.
Proof. Since z is a lower bound on z (14) is smaller than in (7). It is clear that (14) is equivalent to (7) if w i = 0 for all i ∈ L. Otherwise, Remark 3. Notice that z * ≥ min y∈Y c T y, i.e., the objective value of the fortification problem cannot be smaller than the recourse objective value in case of no interdiction. Thus, a valid lower bound on z * to be used for deriving strengthened cuts (14) can be computed as z = min y∈Y c T y.
The following corollary shows that the results provided in Theorems 2 and 3 above can be combined to obtain a valid cut. It follows from the validity of (12) and inequality (15).
Corollary 1. Letx ∈ X be a feasible interdiction strategy,d ∈ R n be a vector satisfying the conditions in Theorem 2, and z be a lower bound on z * . Then, the inequality is valid for (0-1 FG).
Remark 4. When Φ I (x) − z is small compared to the original cut coefficient d, it is likely that most of the final coefficients after combined strengthening will be equal to Φ I (x) − z, which renders the effort to initially computed i values unnecessary. In this case, one could opt for the lower bound based strengthening which can be defined in constant time if z is available.

Separation of Fortification Cuts
As already mentioned, our approach for solving the problem (0-1 FG) is a branch-and-cut algorithm based on reformulation (5) with (strengthened) fortification cuts (7). At each node of the branch-and-cut tree, valid inequalities are added on-the-fly, when violated, to ensure correctness of the algorithm, improve the dual bound at the node, and possibly allow fathoming. Although in principle one could add to the formulation any valid violated inequality, a cut that is maximally violated is typically sought. Thus, given a solution, say (w * , θ * ), for the linear programming (LP)-relaxation of the current model, one is required to solve the separation problem, which is an IG, and check whether Φ F (w * ) > θ * or not. Notice that this separation problem itself is a mixed-integer bilevel linear program, which is at least NP-hard and possibly even Σ P 2 -hard (Caprara et al., 2014) in case of an integer recourse problem. Separation problem (17) can be reformulated as follows using Benders decomposition as done by Israeli (1999).
HereŶ denotes the set of extreme points of the convex hull of the feasible solutions of the recourse problem, see, e.g., Cochran et al. (2011);Fischetti et al. (2019). In our generic framework, we solve (SEP) using a branch-and-cut scheme in which we add violated interdiction cuts (19) on the fly, for both integer and fractional values of x variables. Solving the separation problem yields a violated fortification cut if Φ F (w * ) > θ * , while one can conclude that (w * , θ * ) is a feasible solution to (2)-(3) otherwise.
Strengthening the interdiction cut Given the computational complexity of the separation problem (SEP), one may be interested in determining a violated, but not necessarily maximally violated fortification cut. To this aim, it is enough to find a feasible solution to (SEP) having an objective value strictly larger than θ * . Hence, we propose to reformulate the separation problem by imposing an artificial upper bound, a real number > θ * , on its optimal objective value. To this end, the interdiction cuts (19) can be strengthened as shown in the following theorem.
Theorem 4. Given a solution (w * , θ * ) and a real number > θ * , consider the following formulation: Proof. Observe that the problem (SEP-L) is always feasible and bounded, hence there exists an optimal then there exists someŷ for each x ∈ X(w * ) that makes the RHS of (23) less than or equal to θ * . Moreover, (23) and (19) are identical at suchŷ and x pairs, which means Φ F (w * ) = Φ F (w * ) ≤ θ * .
In this case there exists no violated cut at (w * , θ * ).
In other words, this strengthened interdiction cut may project the true objective value of the recourse problem to a smaller value, but if the optimal objective value Φ F (w * ) of (SEP) is strictly greater than θ * , then the optimal objective value Φ F (w * ) of (SEP-L) is also greater than θ * . As a result, if (SEP-L) yields a solution (x,t) witht > θ * , thent could be less than Φ I (x) which is the constant part of the fortification cut (7). Thus, the recourse problem should be solved forx one more time to obtain Φ I (x). Note that Lozano and Smith (2017) also propose a strengthening procedure for interdiction cuts, however using a global upper bound on z * . Although this approach is valid in our case too, our strengthening is more aggressive since is not necessarily an upper bound, but is treated as one.
In Section 3.2, we propose various additional strategies to speed up the separation procedure.

Algorithmic Details for an Efficient Implementation
In this section we address the most important algorithmic elements necessary for an efficient implementation of our solution framework.

Initialization
We set an initial lower bound on θ by solving the recourse problem with no interdiction as mentioned in Remark 3, i.e., we add the constraint θ ≥ min y∈Y c T y to our model.
We also initialize our model with a set of initial fortification cuts. These cuts are produced using the interdiction strategies computed by Algorithm 1. This algorithm takes an optimal recourse solution y 0 in the absence of interdiction as input, and iterates over the assets used in this solution. For each such asset i, an interdiction strategy is obtained via first interdicting i, then deciding the remaining interdiction actions in a greedy fashion. In the greedy part, we pick one element with maximum depreciation-cost ratio among all those that can still be added to the current interdiction strategy without exceeding the interdiction budget. Notice that the number of initial cuts, i.e., the interdiction strategies that Algorithm 1 generates, depends on the support size of the initial recourse solution y 0 .
Algorithm 1 InitialFortificationCuts Input: An optimal recourse solution y 0 in case of no interdiction Output: A set of initial fortification cuts (7) 1: for each i ∈ N : y 0 i = 1 do 2: Initialize the interdiction strategyx ← e i , defineB I ← B I − g i

3:
Initialize the candidate set for interdiction R N ← N \ {i} 4: Solve the recourse problem forx to obtain an optimal solution y *

6:
Obtain the new candidate set R N = {i ∈ N :

On Implementing the Separation of Fortification Cuts
We solve the formulation (5)-(6) by means of a branch-and-cut algorithm, in which feasible solutions (w * , θ * ) of the relaxed master problem such that w * is integer are separated on the fly. Let (w * , θ * ) be a feasible solution of the relaxed master problem at the current branching node, e.g., the solution of the LP-relaxation at the current node or a heuristic solution, where w * is integer. Generating a violated fortification cut associated to (w * , θ * ) (if such exists) corresponds to findingx ∈ X(w * ) such that Greedy Integer Separation To search for suchx, we first invoke the greedy heuristic described in Algorithm 2. This procedure iteratively defines an interdiction strategy (initiallyx = 0) and a candidate set for interdiction (initially including all assets). At each iteration, the recourse problem associated with the currently interdicted assets is solved, the candidate set is updated accordingly, and an asset is selected and added to the interdiction strategy. The procedure ends when the candidate set for interdiction is empty, meaning that no asset that has been selected in the recourse strategy can be added to the interdiction strategy.

Algorithm 2 GreedyInterdiction
Input: Current solution (w * , θ * ) of the relaxed master problem Output:x ∈ X(w * ), possibly giving a violated cut (7) 1: Initialize the interdiction strategyx ← 0 and remaining interdiction budgetB I ← B I 2: Initialize the candidate set for interdiction R N ← N 3: while R N = ∅ do 4: Solve the recourse problem forx to obtain an optimal solution y *

5:
Obtain the new candidate set R N = {i ∈ N :

8:
Setx i * ← 1, and update the budgetB I ←B I − g i * 9: end if 10: end while 11: Returnx If this GreedyInterdiction heuristic does not produce a violated cut, the separation problem (SEP) described in Section 2.4 is solved by means of a branch-and-cut algorithm. We now present some strategies that are used to improve the performance when solving the model (SEP).
Solution Limit as a Stopping Criterion As already observed, any feasible solution to (SEP) with an objective value larger than θ * yields a violated cut. Accordingly, one can avoid the computation of a maximally violated cut, and halt the execution of the enumerative algorithm for (SEP) as soon as the incumbent objective value becomes larger than θ * . In general, a solution limit s max ≥ 1 can be imposed to prematurely terminate the solution of (SEP) once at least s max incumbent solutions with an objective value larger than θ * are found.
Setting a Lower Cutoff Value Another strategy that could be helpful in solving (SEP) is to set the lower cutoff value of the used MIP solver to θ * + where is a small constant. In this way, one can prune all the nodes with an upper bound less than θ * + , i.e., nodes that cannot produce a violated interdiction cut. If there is no x ∈ X(w * ) with Φ I (x) ≥ θ * + , then (SEP) becomes infeasible due to the lower cutoff value, which can be considered as an indicator of bilevel feasiblity of (w * , θ * ) since X(w) = ∅ for any value of w. In that case, no cuts are added. With this lower cutoff strategy, whenever the incumbent fortification strategy is updated, the associated interdiction strategy is not readily available. Therefore, when an optimal/incumbent solution (w * , θ * ) to (0-1 FG) is found, it is possible to obtain the optimal attacker response by iterating over all the fortification cuts added to the master problem, i.e., previously obtained interdiction strategiesx. Anyx ∈ X(w * ) with Φ I (x) = θ * is an optimal response to w * . If none is found, the attacker problem is solved optimally for w * .
While solving (SEP), both integer and fractional x * are separated. The lower cutoff and the solution limit strategies described above are employed to speed up the separation process. Based on our preliminary experiments, we set the solution limit parameter s max to one. Finally, all feasible solutions to the recourse problem obtained after solving (SEP) in previous iterations are stored and added as initial cuts of the form (19) in future solving attempts.
We remark that the same enhancements can be applied to the alternative separation model (SEP-L) presented in Section 2.4.

On Implementing the Strengthening of the Fortification Cut
In order to strengthen a fortification cut based on Theorem 2, one may solve an LP, e.g., mind ∈R n i∈S(x)d i subject to the conditions of Theorem 2, after computing all the RHS values appearing in Condition 2. Our preliminary experiments showed that solving this LP was rather time consuming.
We thus developed a heuristic method, reported in Algorithm 3, which is more time efficient and which produces cuts that are usually very similar to the cuts obtained by solving the LP. This procedure receives an interdiction strategyx as input and returns strengthened coefficientsd that satisfy the condition in Theorem 2.
The heuristic works as follows: initially, all coefficients are set to zero. Then, all sets P ⊆ S(x) are considered and, for each set, the corresponding attacker solution x is defined. Then, the cost reduction with respect to the recourse cost forx is split amongd coefficients, provided these figures satisfy Condition 1 of Theorem 2. Note that unnecessary computations can be avoided by considering only the subsets P such that there is a feasible recourse solution with y i = 1, for all i ∈ P , as the combined effect of fortifying any two assets on the recourse objective can be larger than the sum of their individual effects only if they can simultaneously be used in a recourse solution. In order to do that, one may exploit the structures of the recourse problems, if known. This is explained in more detail in Section 5 within the problem specific implementation aspects of the two applications we describe next.
In addition, any iteration could be halted whenever the sum of the currentd coefficients is larger than the maximum value ∆ P could take, i.e., Φ I (x) − min y∈Y c T y.
For what concerns the strengthening of fortification cuts based on a lower bound as described in Section 2.3, we initialize the global lower bound as z = min y∈Y c T y. This value is updated dynamically Algorithm 3 EnumerativeStrengthening Input:x ∈ X Output: Valid coefficientsd for the strengthened fortification cut (12) 1: Initialize the strengthened cut coefficients asd ← 0 2: for all Define attacker solution x such that x i = 0 for all i ∈ P , and x i =x i otherwise 4: Solve the recourse problem to obtain Φ I (x ), compute ∆ P = Φ I (x) − Φ I (x )

5:
while i∈Pd i < ∆ P do 6: Randomly pick i ∈ P such thatd i < d i , setd i ←d i + min{d i −d i , ∆ P − i∈Pd i } returnd 10: end if 11: end for 12: returnd as the best known lower bound obtained from the LP relaxation objective value changes in the branching tree. Whenever the fortification cut is strengthened with z, the cut is globally valid and added as a global cut. In addition, let (w * , θ * ) be an optimal solution of the LP-relaxation at the current branching node; if θ * > z, i.e, the lower bound of the current branch is tighter than the global one, a locally valid and tighter cut may be derived by using θ * as the strengthening bound.

Applications
In this section, we present the two applications for which we conduct a numerical study. A main difference between the two test-cases is in the computational complexity of the associated recourse problems; indeed, this turns out to be an NP-hard problem in the first case and a polynomially solvable problem in the second one.

Knapsack Fortification Game
The first case-study we consider is the knapsack fortification game (KFG). The classical 0-1 knapsack problem (KP) has been widely studied in the literature because of its practical and theoretical relevance, and because it arises as a subproblem in many more complex problems (see, e.g., Kellerer et al. (2004)).
In this problem, we are given a set N of items, the i-th item having profit d i ≥ 0 and weight a i ≥ 0 and a knapsack having capacity b. In the three-level fortification version of KP, each item i has associated additional weights f i ≥ 0 and g i ≥ 0 for the fortification and interdiction levels, respectively; in addition, fortification and interdiction strategies are subject to some budget, denoted as B F > 0 and B I > 0, respectively. First the defender chooses a set of items to fortify against interdiction while respecting the fortification budget. Then, the attacker interdicts some of the non-fortified items within the interdiction budget. Lastly, the defender determines the recourse action, by solving a KP over noninterdicted items, i.e., by choosing a subset of non-interdicted items giving the maximum profit while not exceeding the knapsack capacity. The feasible regions of the first and the second levels are denoted The tri-level game is thus formulated by the following program: Since the recourse problem satisfies the down-monotonicty assumption (Fischetti et al., 2019), the interdiction constraints (26) can be replaced by penalty terms in the objective function with M i = d i as explained in Remark 1. With necessary transformations for a defender with a maximization objective, the single level formulation of the KFG becomes We note that the KFG is Σ p 3 -hard already for the special case d i = a i , for all i ∈ N as shown by Nabli et al. (2020).

Shortest Path Fortification Game
The second application we consider is the shortest path fortification game (SPFG). In this game, also considered by Lozano and Smith (2017), we are given a directed graph G = (V, A) where V and A denote the set of nodes and arcs, respectively. The first level of the SPFG consists in selecting a set of arcs to protect from the interdiction by an attacker in order to minimize the length of the shortest s − t path.
Then, the attacker interdicts some of the non-fortified arcs, with the goal of maximizing the shortest path in the interdicted graph. At a third level, a recourse step is executed by solving a shortest path problem in the interdicted network. The mathematical formulation of the game is given as where c ij denotes the nominal cost of each arc (i, j) ∈ A and d ij represents the additional cost due to its interdiction. The feasible regions of the first and second level problems are described by cardinality where m denotes the the number of arcs. The fortification game is reformulated by the following single level formulation following the steps described in Section 2.
where X includes all feasible interdiction patterns. Notice that replacing Φ I (x) with (i,j)∈A (c ij + d ijxij )ŷ ij , whereŷ is an optimal path under costs c ij + d ijxij , gives the following fortification cut: Let (i, j) be an arc such thatx ij = 1 andŷ ij = 0. Then, its contribution to the right-hand-side cost reduces to −d ij w ij . This means that if (i, j) would be fortified (and thus not interdicted), the shortest path length would be reduced by at most d ij .

Computational Results
In this section we discuss the results of our computational study which has two main objectives. First, to assess the computational performances of the proposed algorithms by comparison with the existing literature. Second, to analyze the computational effectiveness of the proposed algorithmic enhancements and determine the limitations of the new approach. We present computational results on two data sets from the literature for each of the two case-studies we consider. Our algorithm has been implemented in C++, and makes use of IBM ILOG CPLEX 12.10 (in its default settings) as mixed-integer linear programming solver. All experiment are executed on a single thread of an Intel Xeon E5-2670v2 machine with 2.5 GHz processor and using a memory limit of 8 GB. Unless otherwise indicated, a time limit of one hour was imposed for each run. Throughout this section we use the following notation to describe the components of our algorithm: bound based strengthening (B), enumerative strengthening (E), greedy integer separation (G), strengthening of interdiction cuts (I), and any combination of these letters to denote the settings involving the corresponding methods.

Results for the KFG
In the following, we first describe problem specific implementation details of the B&C for the KFG. Then, we discuss the results of our experiments on two data sets derived from publicly available instances for the Knapsack Interdiction Problem.

Implementation Details for the KFG
While solving (SEP) for the KFG, separation of integer solutions accounts to solving a KP. Though specific efficient codes are available for the exact solution of KP instances (see, e.g., procedure combo in Martello et al. (1999)), we solve this problem as a general MIP. We perform the separation of fractional solutions using the classical greedy algorithm for the knapsack problem; notice that, an exact separation of fractional solutions is not needed for the correctness of the algorithm. Similarly, in Step 4 of Algorithm 2, the recourse is solved greedily. Preliminary experiments showed that the strengthening of interdiction cuts, though producing violated cuts, leads to attacker solutions of poor quality, which reduces the strength of the fortification cuts. Besides, we did not observe any significant reduction in the solution time of (SEP) for a given leader solution, thus, for the KFG we focus on the algorithm configurations without component I.
As to the enumerative strengthening procedure described in Section 2.2, instead of solving the recourse problem exactly (i.e., solving the KP as an MIP) we only solve its LP relaxation, cf.
Step 4 of Algorithm 3. In this way we obtain, with limited computational effort, a valid dual bound that can be used for strengthening according to the observation in Remark 2. As described in Section 3.3, a set P satisfying the conditions for strengthening can be removed from consideration if it includes items that cannot be used together in some feasible recourse solution. To eliminate such P , we simply check the knapsack constraint for the recourse solution y having y i = 1, ∀i ∈ P and y i = 0, ∀i / ∈ P . If it is violated, we move to the next iteration. During the solution of any instance, if 10 successive trials of enumerative strengthening do not produce a strictly tighter cut, we do not employ this feature for the newly generated cuts.

TRS Knapsack Interdiction Dataset
In this section, we consider the 150 instances introduced by Tang et al. (2016) for the Knapsack Interdiction Problem, and add a fortification level involving a cardinality constraint on the number of items that can be fortified. We use the fortification budget levels B F = 3 and B F = 5, thus producing a set of 300 benchmark instances, denoted as TRS. We solved each instance with several algorithm settings, including components B, E, and G in an incremental way. In Figure 1, we show the cummulative distribution of root gaps and solution times for the TRS instances. It can be seen that bound based strengthening slightly reduces the solution times although it does not produce consistent improvements in terms of root gaps. The next component, enumerative strengthening, improves both measures, while its effect on the root gaps is more evident. It turns out that enhancing the integer separation by the greedy algorithm improves the performance as well, in particular for what concerns the maximum time needed for solving the instances, which is significantly smaller with the setting BEG than with the other settings considered. All 300 instances are solved optimally within 100 seconds under all four settings. With BEG, the maximum solution time is 18 seconds (cf. Figure 1). Figure 1: Root gaps and solution times of TRS data set instances.

CCLW Knapsack Interdiction Dataset
Our second benchmark for the KFG is derived from the instances proposed by Caprara et al. (2016) for the Knapsack Interdiction Problem. In this case too, we introduce an additional fortification level, and impose a cardinality constraint for the leader. For interdiction costs and budgets we used the data available in the original instances. The number of items takes value in {35, 40, 45, 50, 55} and for each size there are ten instances in which the interdiction budget increases with the ID of the instance, 1 ≤ ID ≤ 10. We solved these 50 instances for B F ∈ {3, 5}, thus producing a set of 100 benchmark instances denoted as CCLW. Figure 2 shows the cumulative distribution of root gaps and solution times for the instances in this benchmark set. It can be seen that bound based strengthening does not have an effect in both measures. This is mostly due to the fact that we are able to produce only a few strengthened cuts, as the value of Φ(x) − z is usually larger than d i in our experiments. Enumerative strengthening does not contribute to decreasing the solution times because of its time complexity, which depends on the interdiction budget; however this strategy decreases the root gap on average. Note that the root gap reduction is larger for smaller budget levels. We also observe smaller number of B&C nodes when enumerative strengthening is activated, although we do not report details about this kind of measure here. Similar to the results on the TRS data set, the most effective component regarding the solution time is greedy integer separation (G). We observe in our experiments that Algorithm 2 is able to find good interdiction strategies quickly, which makes the separation process more efficient compared to the default setting where we stop solving (SEP) once a violated fortification is found. We are able to solve 95 out of 100 instances optimally in one hour when using setting BEG.

Results for the SPFG
In the following, we first describe problem specific implementation details of the B&C algorithm for the SPFG. Then, we present the results of our experiments on two existing data sets from the literature.

Implementation Details for the SPFG
The recourse problem, which is the shortest path problem, is solved via Dijkstra's algorithm (Dijkstra et al., 1959) with a priority queue implementation, wherever needed, e.g., in Algorithm 2 and Algorithm 3.
While solving (SEP) to obtain a fortification cut, both integer and fractional solutions are separated exactly. Separation is carried out in O(|A| log |V |) time. In addition to the lower cutoff and solution limit strategies, interdiction cut strengthening is used to speed up the solution of (SEP). Recall that any value l > θ * can be used to lift the interdiction cut. Since all the problem parameters are integers in out data sets, we choose l = θ * + . Remind that fortifying two assets (i.e., arcs) at the same time can be more effective than the sum of their individual effects only if the two arcs can be used together in a recourse solution (see Section 3.3). Accordingly, while executing Algorithm 3, we try to not consider all sets P including pairs of arcs that cannot appear together in an s − t path. Since checking this exactly would be time consuming, we only check if any two arcs in P have the same head or tail and skip the current iteration if there is such an arc pair, which indicates that an s − t path cannot include both of these arcs.

Directed Grid Networks
For the SPFG, the first data set we use is the directed grid network instance set generated by Lozano and Smith (2017) following the topology used by Israeli and Wood (2002) and Cappanera and Scaparra (2011).
These instances and the implementation of the solution algorithm proposed in Lozano and Smith (2017) are available at https://doi.org/10.1287/ijoc.2016.0721. In these networks, in addition to a source and a sink node, there are m × n nodes forming a grid with m rows and n columns. The source (sink) node is linked with each of the grid nodes in the first (last) column. The sizes of the networks are shown in Table 1. We use the cost (c ij ) and delay (d ij ) values provided with the networks, which were generated randomly in [1, c max ] and [1, d max ], respectively, using six different c max and d max combinations. For each network size, ten instances with different arc costs/delays are generated. Each instance is solved for six different fortification and interdiction budget level configurations (B F , B I ) also used in Lozano and Smith (2017).
In Figure 3 the cumulative distributions of root gaps and solution times are plotted for three settings: the basic one "-", the best performing setting for KFG instances (BEG), and a variant additionally considering interdiction cut strengthening (IBEG). The plot on the left hand side shows that the root gaps of variant BEG are substantially smaller than those of the basic setting. It is also clear from the plots that the strengthening of interdiction cuts using l = θ * + produces a remarkable improvement. We observed that, using this strategy the number of B&C nodes increased with respect to BEG, since attacker solutions with smaller objective values (and, in turn, weaker fortification cuts) are produced.
Nevertheless, in this case, the separation problem can be solved extremely efficiently, which overall leads to improved performances. Smith (2017), denoted as LS. Since the implementation of this algorithm is available online, we were able to run it on the same hardware as our algorithm. The algorithm was coded in Java and we ran it with Gurobi 9.2 as MIP solver. In both tables, rows are associated to a network size and a configuration for the fortification and interdiction budget levels, whereas the three blocks of columns refer to different cost-delay configurations (c max -d max ), i.e., (10-5), (10-10), and (10-20) in Table 2; (100-50), (100-100), and (100-200) in Table 3.

Real Road Networks
For the second part of the SPFG experiments, we considered the real road network data sets of the cities Washington (DC), Rhode Island (RI), and New Jersey (NJ), used by Raith and Ehrgott (2009) and Lozano and Smith (2017). While the original undirected data sets are available at http://www.diag.
uniroma1.it//~challenge9/data/tiger/, we used the data sets provided by Lozano and Smith (2017) where each edge is replaced by two arcs to get directed networks and in which connectivity is enforced by additional high-cost arcs. The costs of the arcs are equal to the distances and the delay is 10 000 for each arc. On each of the three networks, the SPFG is solved for nine distinct s − t pairs and using the six fortification and interdiction budget combinations used for the grid networks, resulting in 162 instances.
As these are the most challenging instances considered in our study, the time limit is set to four hours for each run. Table 4 reports the sizes of the networks as well as average and maximum solution times over the nine instances with the same size and budget combination for IBEG and LS, as reported in Lozano and Smith (2017). The table shows that our default setting IBEG is able to solve 159 over 162 instances optimally within the time limit. Notice that our B&C algorithm solves three instances more than the sampling based algorithm by Lozano and Smith (2017), which was run on the same machine as IBEG Finally, we point out that our solution scheme is generic, and it leaves space for problem specific improvements. For example, for a given FG, one could solve the associated separation problem by means of a state-of-the-art exact method or using some specialized heuristic instead of the greedy method proposed in this paper. Moreover, problem-specific valid inequalities or strengthening procedures of the fortification cuts could also be possible.