48 CHAPTER 2 Game Theory for Infrastructure Security: The Power of Intent-Based Adversary Models defender's objective can be formalized as maxi- mizing its utility function Equation 2-28 u D (f , A ) = r D · (f ) - (1 - r D ) · u A (f , A ), the defensive strategy is essentially to revise Tor's path selection algorithm to minimize the probability for an adversary to control both entry and exit of a Tor path, that is, how to construct a path with three parties: the entry N 1 , the mid- dle node N 2 , and the exit node N 3 . Such a con- struction algorithm can be modeled as selecting f (b i , c i , b j , c j , b k ) [0, 1], which is the probability for three nodes v i , v j , v k to be chosen as N 1 , N 2 , N 3 , respectively, when c k = 1. The performance of path selection should be measured in terms of two metrics: (1) Security (resilience against linking attacks): the construc- tion of P : v i , v j , v k should minimize the success probability of linking attack, that is, Pr{{v i , v k } A }. (2) Utility (efficiency of communication): the construction of P : v i , v j , v k should maximize the path bandwidth b P = min(b i , b j , b k ). Adversary and Defender's Utility Functions. Adversary's Objective. The adversary only where r D [0, 1] is the preference parameter of the defender while capturing the defender's pref- erence between protecting anonymity and maxi- mizing bandwidth. Objective of Game-Theoretic Analysis. Note that both the attacking and defensive strategies form finite sets. Thus, Nash equilibrium (i.e., a state in which no player can benefit by unilater- ally changing its strategy) always exists for the game. Nonetheless, it may not be practical to expect that the defender and adversary can actu- ally reach this state mainly due to the possible irrationality of players and the intractability of computing the Nash equilibrium. Thus, in this