Patch Scheduling for Risk Exposure Mitigation under Service Disruption Constraints

We consider a discrete-time model for the spread of computer viruses in a network where the number of times the network can be fixed (i.e., the malware is reduced to a baseline level) is limited. The model consists of a set of viruses which may strike (attempt to infect) the system at each time with fixed probability. Once a virus strikes, it may go on to infect a node with some probability which varies according to the number of nodes that have already been infected. This results in the risk of having a virus in the system that could become active and paralyze some or all vital operations of the system. At each time step, if the remaining number of opportunities to fix the network is non-zero, a network administrator may choose to apply a control which brings the number of viruses back to a safer baseline level. This paper first analyzes the optimal policy using dynamic programming, but due to the curse of dimensionality, we also develop a near optimal heuristic based on policy iteration. We then consider extensions that include cost on control and a modulation parameter that affects transmission rates as well as costs, and present an analogous policy. These policies mathematically capture the tradeoff of mitigating risk in a network where we must not cause service disruptions too many times.