Dynamic Risk-Aware Patch Scheduling

Abstract

Every month, many new software vulnerabilities are discovered and published, and they pose security risks to power grid systems if attackers exploit them. The vulnerabilities must therefore be patched in a timely manner to reduce the chance of exploitation. However, not all vulnerabilities can be patched quickly because many electric utility companies have limited security resources. This paper studies dynamic risk-aware patch scheduling to determine the order in which vulnerabilities are patched and to minimize the security risk they bring. We first predict the dynamic probability of exploit over time for each vulnerability and define a metric to compute the vulnerability’s dynamic risk based on the predicted probability. We then formulate two patch scheduling approaches. Evaluations on real datasets show high accuracy in predicting the dynamic probability of exploit and high effectiveness of our solutions in risk reduction compared with other scheduling methods.