This paper addresses the challenge of mitigating early-stage malware propagation under delayed patch deployment. We propose a resource-constrained, critical-node-first patching strategy. Methodologically, we introduce patch delay into the S-I epidemic model for the first time and design a constrained graph partitioning algorithm based on critical boundary edge identification. This enables precise characterization of the infection frontier and segmentation of susceptible versus healthy subgraphs, thereby optimizing the spatiotemporal allocation of limited patching resources. Our key contributions are: (1) explicit modeling of how patch delay degrades defense timeliness; and (2) a boundary-edge-driven graph partitioning framework that jointly optimizes dynamic infection boundary tracking and node patching prioritization. Experiments demonstrate that, under identical resource constraints, our strategy significantly improves the protected healthy-node ratio compared to state-of-the-art baselines.

Patching nodes is an effective network defense strategy for malware control at early stages, and its performance is primarily dependent on how accurately the infection propagation is characterized. In this paper, we aim to design a novel patching policy based on the susceptible-infected epidemic network model by incorporating the influence of patching delay--the type of delay that has been largely overlooked in designing patching policies in the literature, while being prevalent in practice. We first identify 'critical edges' that form a boundary to separate the most likely infected nodes from the nodes which would still remain healthy after the patching delay. We next leverage the critical edges to determine which nodes to be patched in light of limited patching resources at early stages. To this end, we formulate a constrained graph partitioning problem and use its solution to identify a set of nodes to patch or vaccinate under the limited resources, to effectively prevent malware propagation from getting through the healthy region. We numerically validate that our patching policy significantly outperforms other baseline policies in protecting the healthy nodes under limited patching resources and in the presence of patching delay.