I-Corps: Automated Software Security Vulnerability and Patch Management

I-Corps：自动化软件安全漏洞和补丁管理

• 批准号: 2139458
• 负责人: Qinghua Li
• 金额: $ 5万
• 依托单位: University of Arkansas
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-07-15 至 2023-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2139458&HistoricalAwards=false
• 关键词: Corps; Automated; Software; Security; Vulnerability

The broader impact/commercial potential of this I-Corps project is to decrease the vulnerability and improve the patch management practices in the electric power sector as well as many other critical infrastructure sectors such as oil and natural gas, healthcare, and manufacturing. The project may bring automation and optimization to cybersecurity operations that now often rely heavily on manual processes. The project will enhance the cybersecurity of the nation's critical infrastructures by performing more timely and more effective risk assessment and vulnerability mitigation. Through automated analysis and decision-making, the technology also seeks to reduce the cost associated with cybersecurity operations, addressing a pain point faced by many organizations in critical infrastructure sectors. The technology is particularly beneficial to small- and medium-sized organizations that often have limited cybersecurity personnel and resources to keep pace with the large number of potential cybersecurity vulnerabilities.This I-Corps project will explore the feasibility of commercializing an automated vulnerability and patch management technology that leverages recent advances in artificial intelligence to automate and optimize vulnerability analysis and decision-making. This technology's novelty includes: 1) a method for identifying the vulnerabilities applicable to given assets in an organization; 2) methods for assessing the risk of vulnerabilities; 3) a method to predict and recommend risk-aware remediation actions for vulnerabilities; 4) a method to identify potential strategies for mitigating vulnerabilities when patching is unavailable; and 5) a method for optimal scheduling of vulnerability mitigation actions to minimize security risks. The research addresses several key limitations of current solutions and practice, such as the high cost, long delay, and high risk rooted in manual operations. The project also addresses coarse granularity of risk assessment and the largely unguided or poorly guided mitigation action scheduling. Preliminary research results show that the technology may reduce the remediation decision-making time of the current practice from weeks or months to seconds.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

这个I-Corps项目的更广泛的影响/商业潜力是减少脆弱性，改善电力部门以及许多其他关键基础设施部门（如石油和天然气，医疗保健和制造业）的补丁管理实践。 该项目可能会为网络安全操作带来自动化和优化，这些操作现在通常严重依赖手动流程。 该项目将通过进行更及时和更有效的风险评估和脆弱性缓解，加强国家重要基础设施的网络安全。通过自动化分析和决策，该技术还寻求降低与网络安全运营相关的成本，解决关键基础设施领域许多组织面临的痛点。该技术特别有利于中小型组织，这些组织通常只有有限的网络安全人员和资源来应对大量潜在的网络安全漏洞。I-Corps项目将探索将自动漏洞和补丁管理技术商业化的可行性，该技术利用人工智能的最新进展来自动化和优化漏洞分析和决策。该技术的新奇包括：1）用于识别适用于组织中给定资产的漏洞的方法; 2）用于评估漏洞风险的方法; 3）用于预测和推荐针对漏洞的风险感知补救措施的方法; 4）用于识别在修补不可用时用于减轻漏洞的潜在策略的方法;以及5）用于最优调度脆弱性缓解动作以最小化安全风险的方法。该研究解决了当前解决方案和实践的几个关键限制，例如高成本，长延迟和高风险，根源于手动操作。 该项目还解决了风险评估的粗粒度问题，以及在很大程度上没有指导或指导不力的减缓行动时间安排问题。初步研究结果表明，该技术可以将当前实践的补救决策时间从数周或数月缩短到数秒。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。