US-12625698-B1 - Automated dynamic patch management system and method

Abstract

Systems and methods are disclosed for managing deployment of software patches across a plurality of client devices. A patch management server acquires vendor-supplied patch data, community-sourced patch data, and/or platform-based data, and evaluates the information using weighting logic that may be implemented by a machine-learning model trained on historical patch outcomes. Based on the weighted evaluation, the system generates a bounded risk representation indicating a likelihood that installation of the patch will have a particular effect on one or more client devices. The server selects a deployment action in accordance with the bounded risk representation and may generate and update deployment rings defining the order in which devices receive the patch. Deployment rings may be dynamically recalculated in response to updated data or anomaly conditions, and post-deployment monitoring may trigger rollback actions when thresholds are satisfied.

Inventors

  • Rahul Hari Hirani
  • Peter Bretton
  • Joel Carusone

Assignees

  • NinjaOne, LLC

Dates

Publication Date
20260512
Application Date
20260114

Claims (20)

  1. A computer-implemented method for managing deployment of a software patch to one or more client devices using a machine-learning (ML) system, comprising: acquiring, by one or more processors, patch data for the software patch, the patch data including: vendor-supplied patch data associated with the software patch; community-sourced patch data originating from one or more sources other than a patch vendor or a patch management server; platform-based data originating from the one or more client devices; estimating, using at least one ML model, a bounded risk representation associated with deploying the software patch on one or more of the client devices based on a set of weighted input features derived from the patch data; wherein the at least one ML model comprises a plurality of interconnected computational elements having internal numerical parameters learned during training from historical deployment outcomes, the internal numerical parameters defining a trained model state that is not explicitly determined by a human operator; and wherein at least a portion of the internal numerical parameters control weighting applied to the input features, the internal numerical parameters having been learned by a training process comprising: applying initial weighted values to at least a portion of historical vendor-supplied patch data, historical community-sourced patch data, and historical platform-based data; comparing generated outputs of the at least one ML model to target outputs derived from historical deployment outcomes; and altering the plurality of internal model parameters based on the comparison to improve predictive accuracy of the bounded risk representation over successive training iterations.
  2. The method of claim 1, further including: selecting, by the ML system based on the bounded risk representation, a deployment action for the software patch, the deployment action comprising at least one of: deploying the software patch to at least a first subset of the client devices; deferring deployment of the software patch; withholding deployment of the software patch; or generating a notification to a technician computer system; and executing, by the patch management server, the deployment action.
  3. The method of claim 1, wherein acquiring the community-sourced patch data comprises accessing, via a computer network, one or more public internet forums and collecting data associated with the software patch.
  4. The method of claim 1, wherein acquiring the platform-based data comprises collecting telemetry or performance data from one or more client devices via a computer network.
  5. The method of claim 1, wherein acquiring the vendor-supplied patch data comprises accessing, via a computer network, a vendor distribution service to retrieve patch information associated with the software patch.
  6. The method of claim 1, wherein acquiring the patch data comprises executing an agentic retrieval component configured to autonomously obtain patch-related information from one or more external data sources by performing goal-directed retrieval actions based on identifiers associated with the software patch, and to adapt retrieval behavior based on relevance or usefulness of previously obtained information.
  7. The method of claim 1, further comprising establishing, using the at least one trained ML model, one or more threshold values or categorical boundaries for the bounded risk representation, the threshold values or categorical boundaries defining conditions under which different deployment actions are to be executed.
  8. The method of claim 1, further comprising: monitoring post-deployment platform-based data for the one or more client devices; and initiating a rollback of the software patch on at least a subset of the one or more client devices when one or more anomaly metrics satisfy a predefined threshold.
  9. The method of claim 1, further comprising: generating, based at least in part on the bounded risk representation and device classification information associated with the one or more client devices, a plurality of deployment rings defining different subsets of the one or more client devices and an order in which the software patch is to be deployed to the different subsets; and deploying the software patch to the plurality of deployment rings in accordance with the order.
  10. The method of claim 9, further comprising dynamically recalculating at least one of the plurality of deployment rings in response to updated platform-based data indicating at least one of performance degradation, anomaly rates satisfying a threshold, or stability across one or more of the deployment rings.
  11. The method of claim 1, wherein the at least one ML model includes learned internal numerical parameters that control weighting of credibility-related feature values derived from historical accuracy of reporting sources relative to observed patch deployment outcomes.
  12. The method of claim 1, wherein the at least one ML model includes learned internal numerical parameters that control weighting of volume-related feature values representing a quantity, frequency, or rate of occurrence of community-sourced patch data associated with the software patch.
  13. The method of claim 1, wherein the at least one ML model includes learned internal numerical parameters that control weighting of relevance-related feature values based on similarity between attributes of patch-related information and configuration attributes of the one or more client devices.
  14. The method of claim 1, wherein the at least one ML model includes learned internal numerical parameters that control weighting of severity-related feature values.
  15. The method of claim 1, wherein the at least one ML model includes learned internal numerical parameters that control weighting of consistency-related feature values representing correlation or similarity across multiple independent sources of community-sourced patch data.
  16. A system for managing deployment of a software patch to one or more client devices, comprising: one or more processors; and a memory storing instructions that, when executed by the one or more processors, cause the system to: acquire patch data for the software patch, the patch data including vendor-supplied patch data, community-sourced patch data originating from one or more sources other than a patch vendor or the system, and platform-based data originating from the one or more client devices; apply at least one trained machine-learning (ML) model to the patch data to generate a bounded risk representation associated with deploying the software patch, the ML model comprising a plurality of interconnected computational elements having internal numerical parameters learned during training from historical deployment outcomes, the internal numerical parameters defining a trained model state that is not explicitly determined by a human operator; wherein the learned internal numerical parameters encode relative weighting of input features derived from the patch data when generating the bounded risk representation; and wherein the internal numerical parameters have been learned by a training process comprising comparing generated outputs of the ML model to target outputs derived from historical deployment outcomes and altering the internal numerical parameters to improve predictive accuracy of the bounded risk representation.
  17. The system of claim 16, wherein the instructions further cause the system to: select, based on the bounded risk representation generated by the at least one trained ML model, a deployment action for the software patch comprising at least one of deploying the software patch to a subset of the one or more client devices, deferring deployment of the software patch, withholding deployment of the software patch, or generating a notification to a technician computer system; and execute the selected deployment action.
  18. The system of claim 16, wherein the instructions further cause the system to: generate a plurality of deployment rings defining different subsets of the one or more client devices and an order in which the software patch is deployed to the subsets based at least in part on the bounded risk representation generated by the at least one trained ML model and device classification information; and deploy the software patch to the one or more client devices in accordance with the deployment rings.
  19. The system of claim 18, wherein the instructions further cause the system to: monitor post-deployment platform-based data for the one or more client devices; dynamically recalculate at least one of the deployment rings in response to updated platform-based data indicating at least one of performance degradation, anomaly rates satisfying a threshold, or stability across one or more deployment rings; and initiate a rollback of the software patch on at least a subset of the one or more client devices when one or more anomaly metrics satisfy a predefined threshold.
  20. The system of claim 16, wherein the learned internal numerical parameters of the at least one trained ML model encode relative weighting of at least one of: credibility-related feature values derived from historical accuracy of reporting sources; volume-related feature values representing a quantity, frequency, or rate of occurrence of community-sourced patch data; relevance-related feature values based on similarity between patch-related information and configuration attributes of the one or more client devices; severity-related feature values generated using at least one of a rule-based classifier or a natural-language processing component; or consistency-related feature values representing correlation or similarity across multiple independent sources of community-sourced patch data.

Description

PRIORITY INFORMATION

This nonprovisional application is a continuation of and claims priority to nonprovisional application Ser. No. 19/411,591, entitled “Dynamic Patch Management System and Method,” filed Dec. 8, 2025, by the same inventors.

FIELD OF THE DISCLOSURE

Aspects of the present disclosure generally relate to systems and methods for managing deployment of software patches and updates.

BACKGROUND

In current practice, the evaluation of software patches prior to installation is primarily performed manually by technicians. A technician may delay deployment of a newly released patch to allow time for potential issues to surface in the broader user community. After waiting, the technician often searches publicly available sources for reports of problems attributed to the patch, such as incompatibilities with certain operating systems or failures of specific device components. Based on these findings, the technician makes a judgment call as to whether and where to deploy the patch. This judgment may involve avoiding certain environments where problems have been reported, or weighing the benefits of the patch, such as improved security, against the risks of introducing new failures.

While this manual approach can reduce the likelihood of widespread disruption, it suffers from several shortcomings. The process is time-consuming, depends heavily on the skill and discretion of individual technicians, and lacks a consistent or programmatic mechanism for incorporating external findings into deployment decisions. Furthermore, conventional approaches do not dynamically adjust deployment strategies once new information or updated patch versions become available. Accordingly, there exists a need for improved systems and methods that can evaluate patch deployment decisions in a structured, repeatable manner, while incorporating external research and enabling dynamic, ongoing adjustments to deployment strategies.

However, in view of the art considered as a whole at the time the present invention was made, it was not obvious to those of ordinary skill in the field of this invention how the shortcomings of the prior art could be overcome. The present invention may address one or more of the problems and deficiencies of the prior art discussed above. However, it is contemplated that the invention may prove useful in addressing other problems and deficiencies in a number of technical areas. Therefore, the claimed invention should not necessarily be construed as limited to addressing any of the particular problems or deficiencies discussed herein.

BRIEF SUMMARY

Aspects of the present disclosure generally relate to methods, systems, and non-transitory computer-readable media for managing deployment of software patches across a plurality of client devices as substantially described herein and as illustrated in the accompanying drawings and specification. In some embodiments, the aspects may include combinations or sub-combinations of the elements described herein, as would be understood by one of ordinary skill in the art. Some implementations of the present invention described herein relate to a computer-implemented method for managing deployment of a software patch to client devices.

In some embodiments, the method includes: receiving, by a patch management server, vendor-supplied patch data associated with the software patch; receiving community-sourced patch data originating from one or more sources other than a patch vendor or the patch management server; receiving platform-based data originating from one or more of the client devices; applying a weighting procedure to at least a portion of the vendor-supplied patch data, the community-sourced patch data, and the platform-based data to generate a weighted evaluation of the software patch; generating, based on the weighted evaluation, a bounded risk representation indicative of a likelihood that installation of the software patch will adversely affect at least one of the client devices; selecting, based on the bounded risk representation, a deployment action for the software patch; and executing the deployment action.

In various implementations, the method may further include: acquiring community-sourced patch data by accessing public internet forums; collecting platform-based data (e.g., telemetry or performance data) across the client devices; retrieving vendor-supplied patch information from a vendor distribution service; applying threshold values to map weighted evaluations to bounded risk levels; evaluating the community-sourced patch data based on credibility, report volume, relevance to client configurations, or cross-source consistency; generating the bounded risk representation on a per-device, per-group, or fleet-wide basis; performing the weighting procedure using a machine-learning model trained on historical patch data and deployment outcomes; generating deployment rings based on device-classification information; deploying the patch according to the deplo
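The pipeline that the claims and the summary describe (five weighted feature values from community and platform data, a threshold-bounded risk level, a deployment action, classification-based deployment rings, post-deployment monitoring with rollback and ring recalculation) is easier to follow as running code. The Python below is an added illustration written for this page; it is not NinjaOne's code and not the patented implementation. Everything numeric in it is an assumption: the patent says the feature weights are parameters learned by an ML model from historical outcomes, whereas here they are hand-picked constants, and the severity classifier is a small keyword rule set standing in for the rule-based or NLP component of claim 20. The forum reports, fleet records and telemetry are constructed sample data.

```python
"""Illustrative patch-risk scoring with deployment rings and rollback.

Added example, not the patented system's code. All weights, thresholds and
the keyword severity rules are hand-picked placeholders; the patent describes
the weights as learned by an ML model from historical deployment outcomes.
"""
from collections import Counter

# ---- Constructed sample inputs (not real patch, forum or telemetry data) ----
COMMUNITY_REPORTS = [  # (source, historical accuracy of that source, report text, affected OS)
    ("forum_a", 0.9, "BSOD on boot after installing the update", "win11"),
    ("forum_b", 0.4, "printer driver stops working after update", "win10"),
    ("forum_c", 0.8, "installed fine, no issues so far", "win11"),
]
FLEET = [  # platform-based device records: id, OS, device classification
    {"id": "d1", "os": "win11", "class": "test"},
    {"id": "d2", "os": "win11", "class": "standard"},
    {"id": "d3", "os": "win10", "class": "standard"},
    {"id": "d4", "os": "win11", "class": "critical"},
    {"id": "d5", "os": "macos", "class": "standard"},
]

# ---- Placeholder parameters (assumptions, not values from the patent) ----
WEIGHTS = {"credibility": 0.3, "volume": 0.2, "relevance": 0.2,
           "severity": 0.2, "consistency": 0.1}
VOLUME_SATURATION = 4          # problem reports at which the volume feature reaches 1.0
RISK_BOUNDS = [(0.35, "low"), (0.75, "medium")]   # score below bound -> level; else "high"
ACTIONS = {"low": "deploy", "medium": "pilot", "high": "withhold"}
ROLLBACK_THRESHOLD = 0.5       # anomaly rate within a ring that triggers rollback
RING_ORDER = {"test": 0, "standard": 1, "critical": 2}
# Rule-based severity classifier: keyword -> severity in [0, 1]; 0 means no problem reported.
SEVERITY_RULES = {"bsod": 1.0, "crash": 1.0, "data loss": 1.0,
                  "stops working": 0.6, "fails": 0.6, "slow": 0.3}


def classify_severity(text):
    """Highest severity of any rule keyword found in a report; 0.0 if none."""
    lowered = text.lower()
    return max((sev for kw, sev in SEVERITY_RULES.items() if kw in lowered), default=0.0)


def extract_features(reports, fleet):
    """Derive the five weighted input features from community and platform data."""
    scored = [(src, acc, classify_severity(txt), os_) for src, acc, txt, os_ in reports]
    problems = [r for r in scored if r[2] > 0]          # reports that describe a failure
    if not problems:
        return dict.fromkeys(WEIGHTS, 0.0)
    affected_os = Counter(os_ for _, _, _, os_ in problems)
    return {
        "credibility": sum(acc for _, acc, _, _ in problems) / len(problems),
        "volume": min(1.0, len(problems) / VOLUME_SATURATION),
        "relevance": sum(d["os"] in affected_os for d in fleet) / len(fleet),
        "severity": max(sev for _, _, sev, _ in problems),
        # share of problem reports agreeing on the most-named OS
        "consistency": affected_os.most_common(1)[0][1] / len(problems),
    }


def bounded_risk(features):
    """Weighted score mapped through thresholds to a bounded risk level."""
    score = sum(WEIGHTS[k] * features[k] for k in WEIGHTS)
    level = next((lvl for bound, lvl in RISK_BOUNDS if score < bound), "high")
    return score, level


def build_rings(fleet):
    """Group devices into ordered deployment rings by device classification."""
    rings = [[] for _ in RING_ORDER]
    for dev in fleet:
        rings[RING_ORDER[dev["class"]]].append(dev)
    return rings


def monitor_ring(ring, telemetry):
    """Post-deployment check: (anomaly rate, ids of devices that crashed)."""
    bad = [d["id"] for d in ring if telemetry.get(d["id"], {}).get("crashes", 0) > 0]
    return len(bad) / len(ring), bad


def recalculate_rings(rings, fleet, anomalous_ids):
    """Hold back every undeployed device sharing an OS with an anomalous device."""
    bad_os = {d["os"] for d in fleet if d["id"] in anomalous_ids}
    held = [d for ring in rings for d in ring if d["os"] in bad_os]
    return [[d for d in ring if d["os"] not in bad_os] for ring in rings], held


def run_pipeline(reports, fleet, pilot_telemetry):
    """End to end: features -> bounded risk -> action -> rings -> monitor -> rollback."""
    score, level = bounded_risk(extract_features(reports, fleet))
    action = ACTIONS[level]
    result = {"score": round(score, 3), "level": level, "action": action}
    if action == "withhold":                      # too risky: notify a technician instead
        result["notify_technician"] = True
        return result
    rings = build_rings(fleet)
    pilot, remaining = rings[0], rings[1:]       # first ring receives the patch first
    rate, bad = monitor_ring(pilot, pilot_telemetry)
    if rate >= ROLLBACK_THRESHOLD:                # anomaly threshold met: roll back, recalc
        remaining, held = recalculate_rings(remaining, fleet, bad)
        result.update(rollback=bad, held=[d["id"] for d in held])
    result["next_rings"] = [[d["id"] for d in ring] for ring in remaining]
    return result


if __name__ == "__main__":
    # Constructed telemetry: the pilot device crashed twice after the patch.
    print(run_pipeline(COMMUNITY_REPORTS, FLEET, {"d1": {"crashes": 2}}))
```

With the constructed inputs the two problem reports score 0.705, which lands in the "medium" band, so the pipeline pilots the patch on the test ring only; the crash telemetry from that ring then triggers rollback and moves every remaining win11 device out of the later rings. The separation of `extract_features`, `bounded_risk` and `recalculate_rings` is deliberate: in a real deployment the constant weights would be replaced by a trained model's output while the threshold and ring logic stays auditable, which is the property a defender wants when an automated system decides what gets installed where.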