Patching Assignment Optimization for Security Vulnerabilities
This research focuses on how an IT support center applies its limited resources to develop a vulnerability patch once the vulnerability is disclosed in a system. We propose an optimized procedure for designing the patch in question: second-tier security engineers handle the update for vulnerabilities for which a patch has already been released, while frontline security engineers provide a firewall to contain the leakage and create and update the patch in the shortest amount of time. For some system vulnerabilities, the frontline security engineer has to build a prevention procedure before the patch is released. The strategy of this study is to model the transfer of patch demand to the appropriate system engineer as a mathematical programming problem, in which the objective function is minimized to pursue the shortest survival time of the vulnerability (before the patch is released), subject to the related constraints we add. The main contributions of this study are a non-linear, non-convex mixed integer programming problem formulation for patching assignment optimization and a near-optimal solution approach.
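As an added illustration of the assignment problem the abstract describes (this is not the paper's formulation or code), the toy model below assigns each disclosed vulnerability to exactly one engineer, treats a vulnerability's survival time as the time until its assigned engineer finishes it, and searches every assignment for the one with the smallest severity-weighted total survival time. The two engineer tiers, their capacities, the hours per vulnerability, the severities, and the rule that only frontline engineers take vulnerabilities with no vendor patch are all constructed assumptions.

```python
# Added example: a toy version of the patching-assignment model described in the abstract.
# Every number and rule here (engineer tiers, capacities, hours, severities, and the
# constraint that only frontline engineers handle vulnerabilities with no vendor patch)
# is a constructed assumption for illustration, not the paper's formulation.
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vulnerability:
    name: str
    severity: int               # weight on survival time: higher = costlier per hour left open
    vendor_patch: bool          # True: a vendor patch exists and only needs rollout
    hours: Dict[str, int]       # engineer tier -> hours that tier needs to close it


@dataclass(frozen=True)
class Engineer:
    name: str
    tier: str                   # "frontline" or "second_tier"
    capacity_hours: int         # hours available in the planning window


# Constructed sample instance (not real data).
VULNS: List[Vulnerability] = [
    Vulnerability("web-auth-bypass", 3, False, {"frontline": 8, "second_tier": 8}),
    Vulnerability("ssh-dos",         1, True,  {"frontline": 2, "second_tier": 3}),
    Vulnerability("db-sqli",         2, True,  {"frontline": 4, "second_tier": 6}),
    Vulnerability("kernel-priv-esc", 2, False, {"frontline": 6, "second_tier": 6}),
]
ENGINEERS: List[Engineer] = [
    Engineer("alice", "frontline", 16),
    Engineer("bob", "second_tier", 16),
]


def queue_cost(queue: List[Tuple[int, int]]) -> int:
    """Severity-weighted sum of completion times for one engineer's queue of (hours, severity).

    The engineer works items in weighted-shortest-processing-time order, which minimises
    this sum for a single queue. Each vulnerability's survival time is its completion
    time, so it depends on everything queued ahead of it; that coupling is what makes
    the objective non-linear in the assignment variables."""
    total, clock = 0, 0
    for hours, severity in sorted(queue, key=lambda item: item[0] / item[1]):
        clock += hours
        total += severity * clock
    return total


def assignment_cost(vulns, engineers, assignment: Tuple[int, ...]) -> Optional[int]:
    """Total weighted survival time of an assignment (vulnerability index -> engineer index),
    or None if the assignment violates a constraint."""
    queues: Dict[int, List[Tuple[int, int]]] = {i: [] for i in range(len(engineers))}
    for v_idx, e_idx in enumerate(assignment):
        vuln, eng = vulns[v_idx], engineers[e_idx]
        # Constraint 1: with no vendor patch, only a frontline engineer can build the fix.
        if not vuln.vendor_patch and eng.tier != "frontline":
            return None
        queues[e_idx].append((vuln.hours[eng.tier], vuln.severity))
    total = 0
    for e_idx, queue in queues.items():
        # Constraint 2: an engineer cannot exceed the available hours.
        if sum(h for h, _ in queue) > engineers[e_idx].capacity_hours:
            return None
        total += queue_cost(queue)
    return total


def optimise(vulns, engineers) -> Optional[Tuple[int, Tuple[int, ...]]]:
    """Exhaustive search over all assignments: fine for a handful of vulnerabilities,
    exponential in general, which is why a near-optimal method is needed at scale."""
    best = None
    for assignment in product(range(len(engineers)), repeat=len(vulns)):
        cost = assignment_cost(vulns, engineers, assignment)
        if cost is not None and (best is None or cost < best[0]):
            best = (cost, assignment)
    return best


if __name__ == "__main__":
    cost, assignment = optimise(VULNS, ENGINEERS)
    for vuln, e_idx in zip(VULNS, assignment):
        print(f"{vuln.name:16s} -> {ENGINEERS[e_idx].name}")
    print("total weighted survival time:", cost)
```

On this instance only two assignments are feasible: the two vulnerabilities without a vendor patch must go to the frontline engineer, which leaves no room for the SQL injection fix there, and the remaining choice is where the low-severity DoS item goes. Sending it to the second-tier engineer costs 73 weighted hours against 76 for keeping it on the frontline queue, even though the second-tier engineer needs an extra hour for it, because it no longer delays the higher-severity items.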
Shao-Ming Tong received his MS degree in electrical engineering from the National Central University in 1997. He is currently a PhD student in information management at the National Taiwan University. His current research interests include computer networks, information security and communication/network forensics.

Chien-Cheng Huang received his MS degree in information management from the National Chiao Tung University in 2008 and his PhD degree in information management from the National Taiwan University in 2014. He is an adjunct assistant professor with the National Taipei University of Nursing and Health Sciences. His current research interests include data mining, business intelligence, information security and cyber/network forensics.

Feng-Yu Lin received his PhD degree from the National Chiao Tung University in 2004 and his second PhD degree in Information Management from the National Taiwan University in 2014. He is an adjunct assistant professor with the Department of Criminal Investigation, Central Police University in Taiwan. His research interests include communication/network forensics, data mining, and information security.

Yeali Sun received her BS from the Computer Science and Information Engineering department of National Taiwan University in 1982 and MS and PhD degrees in Computer Science from the University of California, USA in 1984 and 1988, respectively. From 1988 to 1993, she was with Bell Communications Research Inc. (Bellcore; now Telcordia). She joined National Taiwan University in 1993. Currently, she is a professor of the Department of Information Management. Her research interests are in the area of wireless networks, quality of service and pricing, internet security and forensics, scalable resource management and business model in cloud services, and performance modeling and evaluation.