I-Corps: Automated Software Security Vulnerability and Patch Management

The broader impact/commercial potential of this I-Corps project is to decrease the vulnerability and improve the patch management practices in the electric power sector as well as many other critical infrastructure sectors such as oil and natural gas, healthcare, and manufacturing. The project may bring automation and optimization to cybersecurity operations that now often rely heavily on manual processes.

The project will enhance the cybersecurity of the nation's critical infrastructures by performing more timely and more effective risk assessment and vulnerability mitigation. Through automated analysis and decision-making, the technology also seeks to reduce the cost associated with cybersecurity operations, addressing a pain point faced by many organizations in critical infrastructure sectors.

The technology is particularly beneficial to small- and medium-sized organizations that often have limited cybersecurity personnel and resources to keep pace with the large number of potential cybersecurity vulnerabilities.

This I-Corps project will explore the feasibility of commercializing an automated vulnerability and patch management technology that leverages recent advances in artificial intelligence to automate and optimize vulnerability analysis and decision-making. This technology's novelty includes: 1) a method for identifying the vulnerabilities applicable to given assets in an organization; 2) methods for assessing the risk of vulnerabilities; 3) a method to predict and recommend risk-aware remediation actions for vulnerabilities; 4) a method to identify potential strategies for mitigating vulnerabilities when patching is unavailable; and 5) a method for optimal scheduling of vulnerability mitigation actions to minimize security risks.

The research addresses several key limitations of current solutions and practice, such as the high cost, long delay, and high risk rooted in manual operations. The project also addresses coarse granularity of risk assessment and the largely unguided or poorly guided mitigation action scheduling. Preliminary research results show that the technology may reduce the remediation decision-making time of the current practice from weeks or months to seconds.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.