Researchers have found that over 90% of successful cyber attacks exploit vulnerabilities that could have been fixed with patches that were already available. These vulnerabilities range from weak passwords to buggy software on personal computers, mobile devices, and printers. Yet deciding whether and when to apply a patch manually is difficult. First, a substantial fraction of vulnerabilities are fixed each month by automatic patching, so manual effort spent on them is wasted. Second, applying a patch can have side effects that make software unusable. Third, organizations have limited ability to estimate the benefit of applying a given patch.

This research generates optimized policies that specify which patches should be applied to which hosts. It does this by building data-driven models of the associated costs. The methods include a novel error-estimation procedure that addresses the scarcity of data, particularly about the costs of actions that have rarely been taken. The associated mathematics extends Markov decision processes, a general decision-making tool, to account for uncertainty arising from limited data; achieving this extension requires solving open, fundamental mathematical problems.
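To make the patch-versus-defer decision concrete, here is an added illustration (not code from the project or the PIs) of a per-host Markov decision process solved by standard value iteration, with a simple interval-robust variant that plans against the worst-case breakage probability consistent with the observed data. The three states, the actions, the costs, the discount factor and the Hoeffding-style confidence interval are all constructed assumptions for this example; the abstract's own extension of MDPs is not reproduced here.

```python
import math

# Constructed per-host patch MDP (illustrative numbers, not from the grant).
# States: "vulnerable" (unpatched), "patched" (fixed, working),
#         "broken" (patch applied but the side effect made software unusable).
def build_model(p_break, p_exploit=0.02, loss=50_000.0, p_auto=0.3,
                c_patch=200.0, c_break=8_000.0):
    """Return (cost, trans): cost[s][a] is the per-period cost of taking a in s,
    trans[s][a] maps successor states to probabilities."""
    cost = {
        # deferring leaves the host exposed: expected compromise loss per period
        "vulnerable": {"defer": p_exploit * loss, "patch": c_patch},
        "patched": {"none": 0.0},
        # a broken host is rolled back at a one-time productivity cost
        "broken": {"rollback": c_break},
    }
    trans = {
        "vulnerable": {
            # a fraction p_auto of vulnerabilities gets fixed by automatic patching
            "defer": {"vulnerable": 1.0 - p_auto, "patched": p_auto},
            "patch": {"patched": 1.0 - p_break, "broken": p_break},
        },
        "patched": {"none": {"patched": 1.0}},
        "broken": {"rollback": {"patched": 1.0}},
    }
    return cost, trans


def q_value(cost, trans, v, s, a, gamma):
    """One-step look-ahead cost of action a in state s under value estimate v."""
    return cost[s][a] + gamma * sum(p * v[s2] for s2, p in trans[s][a].items())


def value_iteration(cost, trans, gamma=0.9, tol=1e-6, max_iter=10_000):
    """Minimize discounted expected cost; return (values, greedy policy)."""
    v = {s: 0.0 for s in cost}
    for _ in range(max_iter):
        new_v = {s: min(q_value(cost, trans, v, s, a, gamma) for a in cost[s])
                 for s in cost}
        delta = max(abs(new_v[s] - v[s]) for s in v)
        v = new_v
        if delta < tol:
            break
    policy = {s: min(cost[s], key=lambda a: q_value(cost, trans, v, s, a, gamma))
              for s in cost}
    return v, policy


def breakage_interval(k, n, delta=0.05):
    """Hoeffding confidence interval for the true breakage probability after
    observing k breakages in n applications of the patch (assumption: i.i.d.)."""
    p_hat = k / n
    eps = math.sqrt(math.log(2.0 / delta) / (2.0 * n))
    return max(0.0, p_hat - eps), min(1.0, p_hat + eps)


def plan(k, n, robust, **model_kwargs):
    """Decide for a vulnerable host. robust=True plans against the worst case
    in the confidence interval; since the patch cost is monotone in p_break
    (a broken host always costs more than a patched one), the worst case is
    the upper endpoint, so the inner maximization reduces to picking hi."""
    lo, hi = breakage_interval(k, n)
    p_break = hi if robust else k / n
    cost, trans = build_model(p_break, **model_kwargs)
    v, policy = value_iteration(cost, trans)
    return policy["vulnerable"], v["vulnerable"]


if __name__ == "__main__":
    # 1 breakage in 10 applications: the point estimate says patch,
    # the robust plan defers because the data cannot rule out heavy breakage.
    print("nominal, n=10:", plan(1, 10, robust=False))
    print("robust,  n=10:", plan(1, 10, robust=True))
    # the same rate observed over 100 applications shrinks the interval enough
    # that even the robust plan patches.
    print("robust, n=100:", plan(10, 100, robust=True))
```

With these constructed costs, deferring forever costs 1000 / (1 - 0.9 * 0.7) ≈ 2702.7 per host, a nominal patch costs 920, but the worst-case patch at n = 10 costs about 4012, so the robust policy waits; at n = 100 the interval narrows and the robust policy patches at about 1898. This is the effect the abstract attributes to limited data on rarely applied actions.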

Multiple real-world applications are planned as part of the transition to practice. The major partner, The Ohio State University, has agreed to share monthly data on tens of thousands of computers and to work with the PIs on policy improvement. In addition to tuning per-host vulnerability policies, the PIs address password-updating and network vulnerability policies.

Agency: National Science Foundation (NSF)
Institute: Division of Social and Economic Sciences (SES)
Type: Standard Grant (Standard)
Application #: 1409214
Program Officer: Sara Kiesler
Budget Start: 2014-08-01
Budget End: 2018-07-31
Fiscal Year: 2014
Total Cost: $688,002
Name: Ohio State University
City: Columbus
State: OH
Country: United States
Zip Code: 43210