Patents by Inventor Hani Talal Jamjoom

Hani Talal Jamjoom has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11921885
    Abstract: A method, apparatus and computer program product for scheduling placement of containers in association with a set of hosts. The technique utilizes metrics that characterize container-specific risks. A first metric is a host interface risk for a container that quantifies how similar or dissimilar the container is relative to other containers running on a host. Preferably, host interface risk is derived with respect to a system call interface comprising a set of system calls, and the metric is based at least in part on a measure of dissimilarity among system calls. A second metric is a data sensitivity score that quantifies a degree to which sensitive data accesses are associated to the container. Based at least in part on the host interface risk scores and the data sensitivity scores, one or more containers are automatically scheduled for placement on the set of hosts to minimize security risk for the set of hosts.
    Type: Grant
    Filed: June 7, 2021
    Date of Patent: March 5, 2024
    Assignee: International Business Machines Corporation
    Inventors: Michael Vu Le, Md Salman Ahmed, Hani Talal Jamjoom
  • Patent number: 11853751
    Abstract: Indirect function call target identification in software is provided. A set of explicit data flows that pass a function address between software modules of a program is determined using an explicit data dependency analysis. A set of indirect function call targets is generated from results of the explicit data dependency analysis and a dynamic execution analysis of the program. The set of indirect function call targets is expanded by identifying similar target functions based on feature embeddings generated by a graph neural network.
    Type: Grant
    Filed: December 13, 2021
    Date of Patent: December 26, 2023
    Assignee: International Business Machines Corporation
    Inventors: Qiushi Wu, Zhongshu Gu, Hani Talal Jamjoom
  • Patent number: 11709937
    Abstract: An approach is provided that, after receiving a request to execute a computer program, determines an active set of metadata that corresponds to the requested computer program and then loads basic blocks of the requested computer program into memory. One of the loaded basic blocks is a starting block of the requested computer program. The memory also stores basic blocks corresponding to some previously loaded computer programs. The approach also inactivates basic blocks that are currently stored in the memory, with the inactivated basic blocks being identified based on a comparison of the active set of metadata to the sets of metadata that correspond to the basic blocks of previously loaded computer programs. After inactivating some basic blocks, the approach executes the starting block of the requested computer program.
    Type: Grant
    Filed: August 25, 2021
    Date of Patent: July 25, 2023
    Assignee: International Business Machines Corporation
    Inventors: Michael Vu Le, Hani Talal Jamjoom
  • Publication number: 20230185568
    Abstract: Indirect function call target identification in software is provided. A set of explicit data flows that pass a function address between software modules of a program is determined using an explicit data dependency analysis. A set of indirect function call targets is generated from results of the explicit data dependency analysis and a dynamic execution analysis of the program. The set of indirect function call targets is expanded by identifying similar target functions based on feature embeddings generated by a graph neural network.
    Type: Application
    Filed: December 13, 2021
    Publication date: June 15, 2023
    Inventors: Qiushi Wu, Zhongshu Gu, Hani Talal Jamjoom
  • Publication number: 20230069035
    Abstract: An approach is provided that, after receiving a request to execute a computer program, determines an active set of metadata that corresponds to the requested computer program and then loads basic blocks of the requested computer program into memory. One of the loaded basic blocks is a starting block of the requested computer program. The memory also stores basic blocks corresponding to some previously loaded computer programs. The approach also inactivates basic blocks that are currently stored in the memory, with the inactivated basic blocks being identified based on a comparison of the active set of metadata to the sets of metadata that correspond to the basic blocks of previously loaded computer programs. After inactivating some basic blocks, the approach executes the starting block of the requested computer program.
    Type: Application
    Filed: August 25, 2021
    Publication date: March 2, 2023
    Inventors: Michael Vu Le, Hani Talal Jamjoom
  • Publication number: 20220391532
    Abstract: A method, apparatus and computer program product for scheduling placement of containers in association with a set of hosts. The technique utilizes metrics that characterize container-specific risks. A first metric is a host interface risk for a container that quantifies how similar or dissimilar the container is relative to other containers running on a host. Preferably, host interface risk is derived with respect to a system call interface comprising a set of system calls, and the metric is based at least in part on a measure of dissimilarity among system calls. A second metric is a data sensitivity score that quantifies a degree to which sensitive data accesses are associated to the container. Based at least in part on the host interface risk scores and the data sensitivity scores, one or more containers are automatically scheduled for placement on the set of hosts to minimize security risk for the set of hosts.
    Type: Application
    Filed: June 7, 2021
    Publication date: December 8, 2022
    Applicant: International Business Machines Corporation
    Inventors: Michael Vu Le, Md Salman Ahmed, Hani Talal Jamjoom
  • Publication number: 20220374763
    Abstract: Techniques for distributed federated learning leverage a multi-layered defense strategy to provide for reduced information leakage. In lieu of aggregating model updates centrally, an aggregation function is decentralized into multiple independent and functionally-equivalent execution entities, each running within its own trusted execution environment (TEE). The TEEs enable confidential and remote-attestable federated aggregation. Preferably, each aggregator entity runs within an encrypted virtual machine that supports runtime in-memory encryption. Each party remotely authenticates the TEE before participating in the training. By using multiple decentralized aggregators, parties are enabled to partition their respective model updates at model-parameter granularity, and can map single weights to a specific aggregator entity. Parties also can dynamically shuffle fragmentary model updates at each training iteration to further obfuscate the information dispatched to each aggregator execution entity.
    Type: Application
    Filed: May 18, 2021
    Publication date: November 24, 2022
    Applicant: International Business Machines Corporation
    Inventors: Zhongshu Gu, Jayaram Kallapalayam Radhakrishnan, Ashish Verma, Enriquillo Valdez, Pau-Chen Cheng, Hani Talal Jamjoom, Kevin Eykholt
  • Publication number: 20220374762
    Abstract: Techniques for distributed federated learning leverage a multi-layered defense strategy to provide for reduced information leakage. In lieu of aggregating model updates centrally, an aggregation function is decentralized into multiple independent and functionally-equivalent execution entities, each running within its own trusted execution environment (TEE). The TEEs enable confidential and remote-attestable federated aggregation. Preferably, each aggregator entity runs within an encrypted virtual machine that supports runtime in-memory encryption. Each party remotely authenticates the TEE before participating in the training. By using multiple decentralized aggregators, parties are enabled to partition their respective model updates at model-parameter granularity, and can map single weights to a specific aggregator entity. Parties also can dynamically shuffle fragmentary model updates at each training iteration to further obfuscate the information dispatched to each aggregator execution entity.
    Type: Application
    Filed: May 18, 2021
    Publication date: November 24, 2022
    Applicant: International Business Machines Corporation
    Inventors: Jayaram Kallapalayam Radhakrishnan, Ashish Verma, Zhongshu Gu, Enriquillo Valdez, Pau-Chen Cheng, Hani Talal Jamjoom
  • Patent number: 11277434
    Abstract: Reducing attack surface by selectively collocating applications on host computers is provided. System resources utilized by each application running in a plurality of host computers of a data processing environment are measured. Which applications running in the plurality of host computers that utilize similar system resources are determined. Those applications utilizing similar system resources are collocated on respective host computers.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: March 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Michael Vu Le, Hani Talal Jamjoom, Ian Michael Molloy
  • Patent number: 11210410
    Abstract: Serving data assets based on security policies is provided. A request to access an asset received from a user having a particular context is evaluated based on a set of asset access enforcement policies. An asset access policy enforcement decision is generated based on evaluating the request. It is determined whether the asset access policy enforcement decision is to transform particular data of the asset prior to allowing access. In response to determining that the asset access policy enforcement decision is to transform the particular data of the asset prior to allowing access, a transformation specification that includes an ordered subset of unit transformations for transforming the particular data of the asset is generated based on the particular context of the user and the set of asset access enforcement policies. A transformed asset is generated by applying the transformation specification to the asset transforming the particular data of the asset.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: December 28, 2021
    Assignee: International Business Machines Corporation
    Inventors: Roger C. Raphael, Hani Talal Jamjoom, Rajesh M. Desai, Iun Veng Leong, Uttama Shakya, Arjun Natarajan
  • Publication number: 20210306367
    Abstract: Reducing attack surface by selectively collocating applications on host computers is provided. System resources utilized by each application running in a plurality of host computers of a data processing environment are measured. Which applications running in the plurality of host computers that utilize similar system resources are determined. Those applications utilizing similar system resources are collocated on respective host computers.
    Type: Application
    Filed: March 24, 2020
    Publication date: September 30, 2021
    Inventors: Michael Vu Le, Hani Talal Jamjoom, Ian Michael Molloy
  • Publication number: 20210081550
    Abstract: Serving data assets based on security policies is provided. A request to access an asset received from a user having a particular context is evaluated based on a set of asset access enforcement policies. An asset access policy enforcement decision is generated based on evaluating the request. It is determined whether the asset access policy enforcement decision is to transform particular data of the asset prior to allowing access. In response to determining that the asset access policy enforcement decision is to transform the particular data of the asset prior to allowing access, a transformation specification that includes an ordered subset of unit transformations for transforming the particular data of the asset is generated based on the particular context of the user and the set of asset access enforcement policies. A transformed asset is generated by applying the transformation specification to the asset transforming the particular data of the asset.
    Type: Application
    Filed: September 17, 2019
    Publication date: March 18, 2021
    Inventors: Roger C. Raphael, Hani Talal Jamjoom, Rajesh M. Desai, Iun Veng Leong, Uttama Shakya, Arjun Natarajan
  • Patent number: 9317328
    Abstract: Accepting a job having a job size representing a number or quantity of processors; computing an expected size, and a standard deviation in size, for the accepted job; adding the expected size to the standard deviation in size to determine a sum; comparing the sum to a number or quantity of available clusters at each of a plurality of non-leaf nodes of a tree representing a high-performance computing environment; and when the number or quantity of available clusters is more than the sum at a sub-tree of the tree and, going down one level further in the sub-tree, the number of available clusters is less than the sum, selecting the sub-tree for the accepted job such that the accepted job is placed on one or more clusters associated with the selected sub-tree.
    Type: Grant
    Filed: September 18, 2013
    Date of Patent: April 19, 2016
    Assignee: International Business Machines Corporation
    Inventors: Hani Talal Jamjoom, Dinesh Kumar, Zon-Yin Shae
  • Patent number: 9311146
    Abstract: Accepting a job having a job size representing a number or quantity of processors; computing an expected size, and a standard deviation in size, for the accepted job; adding the expected size to the standard deviation in size to determine a sum; comparing the sum to a number or quantity of available clusters at each of a plurality of non-leaf nodes of a tree representing a high-performance computing environment; and when the number or quantity of available clusters is more than the sum at a sub-tree of the tree and, going down one level further in the sub-tree, the number of available clusters is less than the sum, selecting the sub-tree for the accepted job such that the accepted job is placed on one or more clusters associated with the selected sub-tree.
    Type: Grant
    Filed: May 24, 2013
    Date of Patent: April 12, 2016
    Assignee: International Business Machines Corporation
    Inventors: Hani Talal Jamjoom, Dinesh Kumar, Zon-Yin Shae
  • Publication number: 20140351823
    Abstract: Accepting a job having a job size representing a number or quantity of processors; computing an expected size, and a standard deviation in size, for the accepted job; adding the expected size to the standard deviation in size to determine a sum; comparing the sum to a number or quantity of available clusters at each of a plurality of non-leaf nodes of a tree representing a high-performance computing environment; and when the number or quantity of available clusters is more than the sum at a sub-tree of the tree and, going down one level further in the sub-tree, the number of available clusters is less than the sum, selecting the sub-tree for the accepted job such that the accepted job is placed on one or more clusters associated with the selected sub-tree.
    Type: Application
    Filed: September 18, 2013
    Publication date: November 27, 2014
    Applicant: International Business Machines Corporation
    Inventors: Hani Talal Jamjoom, Dinesh Kumar, Zon-Yin Shae
  • Publication number: 20140351821
    Abstract: Accepting a job having a job size representing a number or quantity of processors; computing an expected size, and a standard deviation in size, for the accepted job; adding the expected size to the standard deviation in size to determine a sum; comparing the sum to a number or quantity of available clusters at each of a plurality of non-leaf nodes of a tree representing a high-performance computing environment; and when the number or quantity of available clusters is more than the sum at a sub-tree of the tree and, going down one level further in the sub-tree, the number of available clusters is less than the sum, selecting the sub-tree for the accepted job such that the accepted job is placed on one or more clusters associated with the selected sub-tree.
    Type: Application
    Filed: May 24, 2013
    Publication date: November 27, 2014
    Applicant: International Business Machines Corporation
    Inventors: Hani Talal Jamjoom, Dinesh Kumar, Zon-Yin Shae
  • Patent number: 8458011
    Abstract: A method of dynamic pricing of a resource is presented. For example, the method includes determining a set of anticipated demands for one or more users to acquire the resource according to uncertainty of the one or more users in preferring one or more certain time periods of a plurality of time periods for acquiring the resource. Prices for the resource differ between at least two of the plurality of time periods. Each anticipated demand of the set is associated with a different one of the plurality of time periods. The method further includes setting prices for the resource during each of the plurality of time periods according to the determined set of anticipated demands. The determining of the set of anticipated demands and/or the setting of prices are implemented as instruction code executed on a processor device.
    Type: Grant
    Filed: March 24, 2010
    Date of Patent: June 4, 2013
    Assignee: International Business Machines Corporation
    Inventors: Monther Abdullah Al-Dawsari, Hani Talal Jamjoom, Mark Edward Podlaseck, Huiming Qu, Yaoping Ruan, Denis Roland Saure, Zon-yin Shae, Anshul Sheopuri
  • Publication number: 20110238460
    Abstract: A method of dynamic pricing of a resource is presented. For example, the method includes determining a set of anticipated demands for one or more users to acquire the resource according to uncertainty of the one or more users in preferring one or more certain time periods of a plurality of time periods for acquiring the resource. Prices for the resource differ between at least two of the plurality of time periods. Each anticipated demand of the set is associated with a different one of the plurality of time periods. The method further includes setting prices for the resource during each of the plurality of time periods according to the determined set of anticipated demands. The determining of the set of anticipated demands and/or the setting of prices are implemented as instruction code executed on a processor device.
    Type: Application
    Filed: March 24, 2010
    Publication date: September 29, 2011
    Applicants: International Business Machines Corporation, KAUST U.S. Limited
    Inventors: Monther Abdullah Al-Dawsari, Hani Talal Jamjoom, Mark Edward Podlaseck, Huiming Qu, Yaoping Ruan, Denis Roland Saure, Zon-yin Shae, Anshul Sheopuri