Reduce the attack surface by selectively co-locating applications on the host computer.

CN115362441B · Active · Publication Date: 2026-06-30 · INTERNATIONAL BUSINESS MACHINE CORPORATION

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: INTERNATIONAL BUSINESS MACHINE CORPORATION
Filing Date: 2021-03-17
Publication Date: 2026-06-30

Figure CN115362441B_ABST (abstract figure; image not included)

Abstract

A method is provided for reducing the attack surface by selectively co-locating applications on host computers. The system resources utilized by each application running on multiple host computers in a data processing environment are measured. It is determined which applications running on the multiple host computers utilize similar system resources. Those applications utilizing similar system resources are then co-located on respective host computers.

Description

Technical Field

[0001] This invention relates generally to network and system security, and more particularly to reducing the attack surface on a host computer by selectively co-locating a group of applications with similar system resource utilization footprints on the same host computer.

Background Technology

[0002] Network security encompasses policies and practices used to prevent and monitor unauthorized access, misuse, modification, or denial of access to computer networks and their resources. Network security includes authorizing access to computer networks and their resources. For example, when a network user authenticates, a firewall can enforce rules and policies that define what resources the network user is allowed to access.

[0003] However, attackers (i.e., unauthorized users) may exploit one or more system resources corresponding to a target host computer to bypass network security and execute attacks. Such system resources can include, for example, code or shared resources (such as libraries) in applications or system stacks (such as operating systems). Furthermore, attackers can leverage reachable network assets (such as application programming interface endpoints and services) to execute lateral movement attacks. Attackers can also execute privilege escalation attacks against target host computers containing privileged user accounts and / or applications. A privilege escalation attack is a network intrusion that exploits programming errors or design flaws to grant attackers higher access to the network and its resources (such as privileged accounts and applications).

[0004] Currently, numerous solutions exist for network security. Typically, these solutions either prevent known attacks or identify malicious user behavior. Furthermore, using methods such as isolation and restriction, current solutions focus on only one host computer or one application at a time. Additionally, existing holistic control flow solutions have high performance overhead and are not precise enough to prevent evasion. Moreover, existing address space layout randomization schemes can be evaded due to base address leakage. Furthermore, application and library vulnerability scanning may miss certain vulnerabilities and cannot prevent return-oriented programming attacks. Therefore, it is necessary to enhance network and system security to reduce the likelihood of unauthorized user access and attacks.

Summary of the Invention

[0005] According to one aspect of the invention, a computer-implemented method is provided for reducing the attack surface by selectively co-locating applications on host computers. The system resources utilized by each application running on multiple host computers in a data processing environment are measured. It is determined which applications running on the multiple host computers utilize similar system resources. Those applications utilizing similar system resources are co-located on respective host computers. According to other illustrative embodiments, a computer system and a computer program product for reducing the attack surface by selectively co-locating applications on host computers are provided.

[0006] The illustrative embodiments also perform a bootstrap operation on the multiple host computers in the data processing environment, place the applications on the multiple host computers, profile the applications running on the multiple host computers to obtain a system resource utilization footprint for each respective application, identify multiple different sets of applications having similar system resource utilization footprints based on the profiling, obtain a list of system resources corresponding to each of the multiple host computers, identify, within the list of system resources corresponding to each respective host computer, a set of used system resources that are used by the resident applications running on that host computer, determine a set of unused system resources corresponding to each respective host computer by subtracting the set of used system resources from that host computer's list of system resources, determine the maximum attack surface reduction obtainable on each respective host computer by placing a particular set of applications having similar system resource utilization footprints on that host computer and removing the determined set of unused system resources corresponding to it while it runs that particular set of applications, assign each respective set of applications having similar system resource utilization footprints to a designated host computer having the determined maximum attack surface reduction, and place each respective set of applications on its assigned host computer in the data processing environment.

[0007] As a result, the illustrative embodiments improve the overall security and trust of the data processing environment through application co-location based on application attack surface measurements, which reduces the likelihood of successful attacks. Furthermore, the illustrative embodiments reduce the exposure of the data processing environment to access by malicious actors. Therefore, the illustrative embodiments provide technical solutions to overcome technical problems related to providing environment-level security. Thus, these one or more technical solutions provide technical effects and practical applications in the field of network and system security.

Brief Description of the Drawings

[0008] Figure 1 is a pictorial representation of a network of data processing systems in which illustrative embodiments may be implemented;

[0009] Figure 2 is a diagram of a data processing system in which illustrative embodiments may be implemented;

[0010] Figure 3 is a diagram illustrating a cloud computing environment in which illustrative embodiments may be implemented;

[0011] Figure 4 is a diagram illustrating an example of abstraction layers of a cloud computing environment in accordance with an illustrative embodiment;

[0012] Figure 5 is a diagram illustrating an example of a system architecture in accordance with an illustrative embodiment;

[0013] Figure 6 is a diagram illustrating an example of an application co-location and attack surface reduction process in accordance with an illustrative embodiment;

[0014] Figure 7 is a diagram illustrating an example of shared attack surface resources in different application deployment models in accordance with an illustrative embodiment;

[0015] Figure 8 is a flowchart illustrating a process for application placement during system bootstrap in accordance with an illustrative embodiment;

[0016] Figure 9 is a flowchart illustrating a process for application placement during system runtime in accordance with an illustrative embodiment;

[0017] Figure 10 is a flowchart illustrating a process for reducing the attack surface of a host computer during runtime in accordance with an illustrative embodiment; and

[0018] Figure 11 is a flowchart illustrating a process for reducing the attack surface by selectively co-locating applications on a host computer in accordance with an illustrative embodiment.

Detailed Description

[0019] The present invention may be a system, a method, and / or a computer program product at any possible technical detail level of integration. The computer program product may include a computer-readable storage medium (or media) having computer-readable program instructions thereon for causing a processor to carry out aspects of the present invention.

[0020] The computer-readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer-readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer-readable storage medium includes the following: a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disc (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. As used herein, a computer-readable storage medium is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber optic cable), or electrical signals transmitted through a wire.

[0021] The computer-readable program instructions described herein can be downloaded from a computer-readable storage medium to a suitable computing / processing device, or via a network, such as the Internet, a local area network (LAN), a wide area network (WAN), and / or a wireless network, to an external computer or external storage device. The network may include copper cables, optical fibers, wireless transmission, routers, firewalls, switches, gateway computers, and / or edge servers. A network adapter card or network interface in each computing / processing device receives the computer-readable program instructions from the network and forwards them to a computer-readable storage medium within the respective computing / processing device.

[0022] Computer-readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, configuration data for integrated circuitry, or either source code or object code written in any combination of one or more programming languages, including an object-oriented programming language such as Smalltalk, C++, or the like, and procedural programming languages such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGAs), or programmable logic arrays (PLAs) may execute the computer-readable program instructions by utilizing state information of the computer-readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.

[0023] Various aspects of the present invention are described herein with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer-readable program instructions.

[0024] These computer-readable program instructions may be provided to a processor of a computer or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions / actions specified in one or more blocks of a flowchart and / or block diagram. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, a programmable data processing apparatus, and / or other devices to function in a particular manner, such that the computer-readable storage medium having the instructions stored therein comprises an article of manufacture including instructions that implement aspects of the functions / actions specified in one or more blocks of a flowchart and / or block diagram.

[0025] The computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus, or other device to produce a computer-implemented process, such that the instructions, which execute on the computer, other programmable apparatus, or other device, implement the functions / actions specified in one or more blocks of a flowchart and / or block diagram.

[0026] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of instructions comprising one or more executable instructions for implementing the specified logical function. In some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may in fact be accomplished as one step, executed concurrently, substantially concurrently, in a partially or wholly temporally overlapping manner, or the blocks may sometimes be executed in the reverse order, depending on the functionality involved. It will also be noted that each block of the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, may be implemented by special-purpose hardware-based systems that perform the specified functions or actions, or that carry out combinations of special-purpose hardware and computer instructions.

[0027] Referring now to the figures, and in particular to Figures 1-5, diagrams of data processing environments are provided in which illustrative embodiments may be implemented. It should be understood that Figures 1-5 are only meant as examples and are not intended to assert or imply any limitation with regard to the environments in which different embodiments may be implemented. Many modifications to the depicted environments may be made.

[0028] Figure 1 depicts a pictorial representation of a data processing environment in which illustrative embodiments may be implemented. Data processing environment 100 includes a computer network and other devices in which the illustrative embodiments may be implemented. Data processing environment 100 may represent, for example, a computer cluster in a data center or multiple computer nodes in a cloud environment.

[0029] The data processing environment 100 includes a network 102, which is a medium for providing communication links between computers and other devices connected together within the data processing environment 100. The network 102 may include connections such as wired communication links, wireless communication links, optical fibers, etc.

[0030] In the described example, servers 104 and 106 are connected to network 102 along with storage device 108. Servers 104 and 106 may be, for example, server computers with a high-speed connection to network 102. Furthermore, it should be noted that servers 104 and 106 may each represent a group of one or more server computers.

[0031] Furthermore, servers 104 and 106 can provide attack surface reduction services to registered client host computers. For example, servers 104 and 106 can reduce the attack surface on client host computers by selectively co-locating a group of applications with similar system resource utilization footprints on the same client host computer and removing unused system resources from these client host computers. Co-locating may include removing an application from a first client host computer and installing that application on a second client host computer. System resources are the runtime environment, which includes shared host computer resources (e.g., processors, memory, storage devices, libraries, kernel system call identifiers, kernel subsystems, hypervisors, etc.) and shared network resources (e.g., network services, network traffic destinations (e.g., Internet Protocol addresses and port numbers), sensitive network user accounts with elevated access privileges, sensitive network applications with elevated access privileges, etc.).

[0032] Host computers 110, 112, and 114 are also connected to network 102. Host computers 110, 112, and 114 are registered clients of servers 104 and 106. In this example, host computers 110, 112, and 114 are network computers hosting multiple different applications. However, it should be noted that host computers 110, 112, and 114 could represent other types of data processing systems with wired or wireless communication links to network 102, such as, for example, desktop computers, laptop computers, handheld computers, smartphones, smartwatches, smart TVs, smart appliances, gaming devices, kiosks, etc.

[0033] Storage device 108 is a network storage device capable of storing any type of data in structured or unstructured formats. Furthermore, storage device 108 can represent multiple network storage devices. Additionally, storage device 108 can store identifiers and network addresses of multiple host computers, a list of system resources corresponding to each host computer, a list of applications loaded on the host computers, and system resource utilization metrics corresponding to each application loaded on the host computers. Furthermore, storage device 108 can store other types of data, such as authentication or credential data, which may include, for example, usernames, passwords, and biometric data associated with system administrators and users.

[0034] Furthermore, it should be noted that the data processing environment 100 may include any number of additional server computers, host computers, storage devices, and other devices not shown. Program code located in the data processing environment 100 may be stored on a computer-readable storage medium and downloaded to a computer or other data processing device for use. For example, program code may be stored on a computer-readable storage medium on server 104 and downloaded to host computer 110 via network 102 for use on host computer 110.

[0035] In the described example, the data processing environment 100 can be implemented as many different types of communication networks, such as the Internet, intranet, local area network (LAN), wide area network (WAN), telecommunications network, or any combination thereof. Figure 1 This is intended only as an example and not as an architectural limitation on different illustrative embodiments.

[0036] Referring now to Figure 2, a diagram of a data processing system is depicted in accordance with an illustrative embodiment. Data processing system 200 is an example of a computer, such as server 104 in Figure 1, in which computer-readable program code or instructions implementing the processes of the illustrative embodiments may be located. In this example, data processing system 200 includes communication structure 202, which provides communication between processor unit 204, memory 206, persistent storage device 208, communication unit 210, input / output (I / O) unit 212, and display 214.

[0037] Processor unit 204 is used to execute instructions for software applications and programs that can be loaded into memory 206. Processor unit 204 may be a collection of one or more hardware processor devices, or it may be a multi-core processor, depending on the specific implementation.

[0038] Memory 206 and persistent storage device 208 are examples of storage devices 216. A computer-readable storage device is any piece of hardware capable of storing information, such as, for example, without limitation, data, computer-readable program code in functional form, and / or other suitable information, either on a transient basis or a persistent basis. Furthermore, a computer-readable storage device excludes a propagation medium. In these examples, memory 206 may be, for example, random access memory (RAM), or any other suitable volatile or non-volatile storage device, such as flash memory. Persistent storage device 208 may take various forms depending on the particular implementation. For example, persistent storage device 208 may contain one or more devices. For example, persistent storage device 208 may be a disk drive, a solid-state drive, a rewritable optical disk, a rewritable magnetic tape, or some combination of the above. The media used by persistent storage device 208 may be removable. For example, a removable hard disk drive may be used for persistent storage device 208.

[0039] In this example, persistent storage device 208 stores attack surface reduction manager 218. However, it should be noted that even though attack surface reduction manager 218 is shown residing in persistent storage device 208, in alternative illustrative embodiments attack surface reduction manager 218 may be a separate component of data processing system 200. For example, attack surface reduction manager 218 may be a hardware component coupled to communication structure 202 or a combination of hardware and software components. In another alternative illustrative embodiment, a first set of components of attack surface reduction manager 218 may reside in data processing system 200, while a second set of components of attack surface reduction manager 218 may reside in a second data processing system, such as server 106 in Figure 1.

[0040] Attack surface reduction manager 218 controls the process of reducing the attack surface on host computers 222 in data processing environment 220 by selectively co-locating applications with similar system resource utilization footprints on the same host computer and removing any unused system resources corresponding to host computers 222. Host computers 222 represent identifiers of the multiple host computers included in data processing environment 220, such as host computers 110, 112, and 114 in Figure 1. Data processing environment 220 represents an identifier for a particular data processing environment, such as data processing environment 100 in Figure 1.

[0041] Host computer 222 includes system resources 224 and applications 226. System resources include host computer resources and network resources that provide the runtime environment for applications 226. Application 226 represents a resident application running on host computer 222. Application 226 can also represent any type of application, such as banking applications, financial applications, educational applications, government applications, healthcare applications, organizational applications, enterprise applications, etc., which can be hosted by host computer 222.

[0042] System resource utilization metric 228 corresponds to each corresponding application in application 226. System resource utilization metric 228 represents information and measurements about the type and amount of system resources utilized by a particular application. Attack Surface Reduction Manager 218 obtains system resource utilization metric 228 from software agents located on each host computer 222. Attack Surface Reduction Manager 218 uses system resource utilization metric 228 to determine the system resource utilization footprint of each corresponding application in application 226.

[0043] Attack surface reduction manager 218 co-locates a set 232 of applications with similar system resource utilization footprints 234 on host computer 230. Co-location is the act of placing or arranging applications together on the same host computer. Application set 232 represents a particular group of applications 226 that have the same or similar resource utilization metric patterns, characteristics, or behaviors (i.e., footprints). Attack surface reduction manager 218 may use, for example, a predetermined range of resource utilization metric similarity to determine whether each application in application set 232 has comparable resource utilization metrics for co-location on the same host computer (such as host computer 230). In other words, each application in application set 232 needs to have similar, comparable, or analogous resource utilization metrics within the predetermined range of resource utilization metric similarity in order to be included in application set 232. Therefore, attack surface reduction manager 218 will not include in application set 232 any application whose resource utilization metrics fall outside the predetermined range of resource utilization metric similarity. Host computer 230 refers to a particular host computer among host computers 222. Attack surface reduction manager 218 assigns application set 232 to that particular host computer for hosting based on the determined maximum attack surface reduction (i.e., the maximum number of unused system resources removed) that the particular host computer has after application set 232 has been placed on host computer 230.
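As an added illustration of the profiling and grouping just described (example code written for this page, not the patent's own implementation or IBM code): it collapses constructed per-application agent records of the kind paragraph [0042] attributes to on-host software agents into one footprint per application, scores pairwise similarity with the Jaccard index, and partitions the applications into sets using a predetermined similarity threshold. The Jaccard metric, the single-linkage grouping rule, and every host, application and resource name are assumptions; the patent text only requires a predetermined range of resource utilization metric similarity.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample of what an on-host software agent might report: one record
# per (host, application, system resource observed in use). The resource classes
# (libraries, kernel system call identifiers, network destinations, storage)
# follow the patent text; the identifiers themselves are hypothetical.
SAMPLE_METRICS = [
    ("host-a", "web",    "lib:libssl"),
    ("host-a", "web",    "lib:libc"),
    ("host-a", "web",    "syscall:socket"),
    ("host-a", "web",    "syscall:read"),
    ("host-a", "web",    "net:tcp/443"),
    ("host-b", "api",    "lib:libssl"),
    ("host-b", "api",    "lib:libc"),
    ("host-b", "api",    "syscall:socket"),
    ("host-b", "api",    "net:tcp/443"),
    ("host-b", "batch",  "lib:libc"),
    ("host-b", "batch",  "syscall:read"),
    ("host-b", "batch",  "syscall:write"),
    ("host-b", "batch",  "fs:/data"),
    ("host-c", "report", "lib:libc"),
    ("host-c", "report", "syscall:write"),
    ("host-c", "report", "fs:/data"),
]


def build_footprints(metrics):
    """Collapse agent records into one resource-utilization footprint per application."""
    footprints = defaultdict(set)
    for _host, app, resource in metrics:
        footprints[app].add(resource)
    return dict(footprints)


def jaccard(a, b):
    """Similarity of two footprints: shared resources over all resources either uses."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def group_similar(footprints, threshold):
    """Partition applications into sets whose footprints are within the threshold.

    Assumed clustering rule: single linkage via union-find, so two applications
    land in the same set if a chain of pairwise similarities >= threshold
    connects them. Returns the sets as sorted lists, in sorted order.
    """
    parent = {app: app for app in footprints}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    for a, b in combinations(sorted(footprints), 2):
        if jaccard(footprints[a], footprints[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for app in footprints:
        groups[find(app)].append(app)
    return sorted(sorted(members) for members in groups.values())


if __name__ == "__main__":
    fps = build_footprints(SAMPLE_METRICS)
    for a, b in combinations(sorted(fps), 2):
        print(f"{a:6} ~ {b:6}: {jaccard(fps[a], fps[b]):.2f}")
    print("sets at threshold 0.6:", group_similar(fps, 0.6))
```

With the constructed records, web and api share four of five resources (0.80) and batch and report three of four (0.75), while cross-tier pairs score below 0.30, so a 0.6 threshold yields two sets and a 0.9 threshold yields four singletons. Single linkage can chain loosely related applications together through an intermediate one; a deployment that wants every pair inside a set to satisfy the range would check all pairs (complete linkage) instead.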

[0044] Attack Surface Reduction Manager 218 also co-locates other different sets of applications with similar system resource utilization footprints on other host computers in host computer 222, based on other host computers with a determined maximum attack surface reduction. After co-locating all different sets of applications with similar system resource footprints on different host computers, Attack Surface Reduction Manager 218 removes unused system resources 236 from each host computer in host computer 222 to achieve attack surface reduction across data processing environment 220, thereby increasing the security of data processing environment 220.
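An added example (written for this page, not code from the patent or from IBM) of the placement steps described in paragraphs [0006] and [0043]-[0044]: for each set of applications with similar footprints it subtracts the set's used resources from each candidate host's resource list, picks the eligible host where the unused remainder, and therefore the attack surface reduction, is largest, and reports the resources that host can then remove. The one-set-per-host rule, the largest-set-first ordering, and all host, application and resource identifiers are assumptions.

```python
# Constructed inventory of the system resources each host provides (libraries,
# system calls, network destinations, storage, privileged accounts). Host names
# and resource identifiers are hypothetical.
HOST_RESOURCES = {
    "host-a": {"lib:libc", "lib:libssl", "lib:libxml", "syscall:socket",
               "syscall:read", "syscall:write", "net:tcp/443", "acct:admin"},
    "host-b": {"lib:libc", "lib:libssl", "syscall:socket", "syscall:read",
               "syscall:write", "net:tcp/443", "fs:/data"},
    "host-c": {"lib:libc", "syscall:read", "syscall:write", "fs:/data"},
}

# Constructed application sets (application -> footprint), as the profiling step
# would produce for applications with similar system resource utilization.
APP_SETS = {
    "web-tier": {
        "web": {"lib:libc", "lib:libssl", "syscall:socket", "syscall:read", "net:tcp/443"},
        "api": {"lib:libc", "lib:libssl", "syscall:socket", "net:tcp/443"},
    },
    "batch-tier": {
        "batch": {"lib:libc", "syscall:read", "syscall:write", "fs:/data"},
        "report": {"lib:libc", "syscall:write", "fs:/data"},
    },
}


def used_resources(app_set):
    """Union of the footprints of every application in one co-located set."""
    used = set()
    for footprint in app_set.values():
        used |= footprint
    return used


def unused_resources(host_resources, app_set):
    """Host resource list minus the resources the set actually uses."""
    return host_resources - used_resources(app_set)


def can_host(host_resources, app_set):
    """A host is eligible only if it already provides everything the set needs."""
    return used_resources(app_set) <= host_resources


def plan_placement(hosts, app_sets):
    """Assign each set to the eligible host with the most removable resources.

    Assumptions beyond the patent text: one set per host, sets handled largest
    footprint first (the most constrained), ties broken by host name.
    """
    free_hosts = dict(hosts)
    plan = {}
    order = sorted(app_sets, key=lambda n: (-len(used_resources(app_sets[n])), n))
    for set_name in order:
        app_set = app_sets[set_name]
        best_host, best_reduction = None, -1
        for host in sorted(free_hosts):
            if not can_host(free_hosts[host], app_set):
                continue   # skip rather than score: a bare host would otherwise always win
            reduction = len(unused_resources(free_hosts[host], app_set))
            if reduction > best_reduction:
                best_host, best_reduction = host, reduction
        if best_host is None:
            raise ValueError(f"no eligible host for {set_name}")
        plan[set_name] = {
            "host": best_host,
            "reduction": best_reduction,
            "remove": sorted(unused_resources(free_hosts[best_host], app_set)),
        }
        del free_hosts[best_host]
    return plan


def idle_hosts(hosts, plan):
    """Hosts left without any set: every resource on them is unused."""
    assigned = {entry["host"] for entry in plan.values()}
    return sorted(h for h in hosts if h not in assigned)


if __name__ == "__main__":
    plan = plan_placement(HOST_RESOURCES, APP_SETS)
    for name, entry in plan.items():
        print(f"{name}: -> {entry['host']}, remove {entry['remove']}")
    print("idle hosts:", idle_hosts(HOST_RESOURCES, plan))
```

On the constructed inventory the web tier lands on host-a, which can then drop an unused library, a system call and a privileged account, and the batch tier lands on host-b, which sheds its TLS library, socket call and port 443 destination. The eligibility check is what keeps the criterion meaningful: a host that lacks something the set needs is never scored, and a set nothing can run raises instead of being placed silently. Hosts left idle have every resource unused and are reported separately, since the per-host criterion alone does not say what to do with them.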

[0045] In this example, communication unit 210 provides communication with other computers, data processing systems, and devices via a network, such as network 102 in Figure 1. Communication unit 210 can provide communication using both physical and wireless communication links. The physical communication link can be established for data processing system 200 using, for example, wires, cables, universal serial buses, or any other physical technology. The wireless communication link can utilize, for example, shortwave, high frequency, ultra-high frequency, microwave, Wi-Fi, Global System for Mobile Communications (GSM), Code Division Multiple Access (CDMA), 2G, 3G, 4G, 4G LTE, LTE Advanced, 5G, or any other wireless communication technology or standard to establish a wireless communication link for data processing system 200.

[0046] Input / output unit 212 allows data input and output to other devices that can be connected to data processing system 200. For example, input / output unit 212 can provide a connection for user input via keypad, mouse, microphone and / or some other suitable input device. Display 214 provides a mechanism for displaying information to the user and may include touchscreen capability to allow the user to make on-screen selections or input data via, for example, a user interface.

[0047] Instructions for operating systems, applications, and / or programs may reside in storage device 216, which communicates with processor unit 204 via communication structure 202. In this illustrative example, the instructions reside functionally on persistent storage device 208. These instructions may be loaded into memory 206 for execution by processor unit 204. Processes in different embodiments may be executed by processor unit 204 using computer-implemented instructions, which may reside in memory such as memory 206. These program instructions are referred to as program code, computer-usable program code, or computer-readable program code, and may be read and executed by a processor in processor unit 204. In different embodiments, program instructions may be contained in different physical computer-readable storage devices, such as memory 206 or persistent storage device 208.

[0048] Program code 238 is functionally located on a computer-readable medium 240 (which is selectively removable) and can be loaded into or transferred to the data processing system 200 for execution by the processor unit 204. Program code 238 and computer-readable medium 240 form a computer program product 242. In one example, computer-readable medium 240 may be a computer-readable storage medium 244 or a computer-readable signal medium 246.

[0049] In these illustrative examples, computer-readable storage medium 244 is a physical or tangible storage device for storing program code 238, rather than a medium for disseminating or transmitting program code 238. Computer-readable storage medium 244 may include, for example, an optical disc or disk, which is inserted into or placed into a drive or other device that is part of persistent storage device 208 for transfer to a storage device such as a hard disk drive that is part of persistent storage device 208. Computer-readable storage medium 244 may also take the form of a persistent storage device, such as a hard disk drive, thumb drive, or flash memory connected to data processing system 200.

[0050] Alternatively, program code 238 may be transmitted to data processing system 200 using computer-readable signal medium 246. Computer-readable signal medium 246 may be, for example, a propagated data signal containing program code 238. For example, computer-readable signal medium 246 may be an electromagnetic signal, an optical signal, or any other suitable type of signal. These signals may be transmitted via a communication link, such as a wireless communication link, fiber optic cable, coaxial cable, wire, or any other suitable type of communication link.

[0051] Furthermore, as used herein, "computer-readable medium 240" can be singular or plural. For example, program code 238 may be located in a single storage device or system-type computer-readable medium 240. In another example, program code 238 may be located in computer-readable medium 240 distributed across multiple data processing systems. In other words, some instructions in program code 238 may be located in one data processing system, while other instructions in program code 238 may be located in one or more other data processing systems. For example, a portion of program code 238 may be located in a computer-readable medium 240 in a server computer, while another portion of program code 238 may be located in a computer-readable medium 240 in a group of client computers.

[0052] The different components shown for data processing system 200 do not imply a structural limitation on the ways in which different embodiments may be implemented. In some illustrative examples, one or more components may be incorporated into or otherwise form part of another component. For example, in some illustrative examples, memory 206 or a portion thereof may be incorporated into processor unit 204. Different illustrative embodiments may be implemented in data processing systems that include components other than or in lieu of those shown for data processing system 200. Other components shown in Figure 2 may differ from the illustrative example shown. Different embodiments can be implemented using any hardware device or system capable of running program code 238.

[0053] In another example, a bus system can be used to implement communication structure 202 and can include one or more buses, such as a system bus or input / output bus. Of course, the bus system can be implemented using any suitable type of architecture that provides data transfer between different components or devices attached to the bus system.

[0054] It should be understood that although this disclosure includes a detailed description of cloud computing, the implementation of the teachings set forth herein is not limited to a cloud computing environment. Rather, illustrative embodiments can be implemented in conjunction with any other type of computing environment now known or developed hereafter. Cloud computing is a service delivery model for enabling convenient, on-demand network access to a shared pool of configurable computing resources, such as, for example, networks, network bandwidth, servers, processing, memory, storage devices, applications, virtual machines, and services, which can be rapidly provisioned and released with minimal management effort or interaction with service providers. This cloud model may include at least five features, at least three service models, and at least four deployment models.

[0055] These features can include, for example, on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. On-demand self-service allows cloud consumers to unilaterally and automatically provision computing power, such as server time and network storage, on demand without requiring human interaction with the service provider. Broad network access provides the ability to be available over the network and accessed through standard mechanisms that facilitate the use of heterogeneous thin or thick client platforms such as mobile phones, laptops, and PDAs. Resource pooling allows the pooling of a provider's computing resources to serve multiple consumers using a multi-tenant model, where different physical and virtual resources are dynamically assigned and reallocated based on demand. There is a sense of location independence in that consumers typically do not control or know the exact location of the resources provided, but are able to specify the location at a higher level of abstraction, such as country, state, or data center. Rapid elasticity provides the ability to provision quickly and elastically, in some cases automatically, to scale out rapidly, and to release resources rapidly to scale back in. For consumers, the capacity available for provisioning often appears unlimited and can be purchased in any quantity at any time. Measured service allows cloud systems to automatically control and optimize resource usage by leveraging metering capabilities at a level of abstraction appropriate to the service type, such as storage, processing, bandwidth, and active user accounts. Resource usage can be monitored, controlled, and reported, providing transparency to both the providers and consumers of the services being utilized.

[0056] Service models can include, for example, Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). SaaS provides consumers with the ability to use a provider's applications running on cloud infrastructure. Applications can be accessed from various client devices via thin client interfaces, such as web browsers (e.g., web-based email). Consumers do not manage or control the underlying cloud infrastructure, including networks, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. PaaS provides consumers with the ability to deploy consumer-created or acquired applications onto cloud infrastructure, using programming languages and tools supported by the provider. Consumers do not manage or control the underlying cloud infrastructure, including networks, servers, operating systems, or storage, but have control over the deployed applications and, possibly, the application hosting environment configuration. IaaS provides consumers with the processing, storage, networking, and other basic computing resources that enable them to deploy and run arbitrary software, which may include operating systems and applications. Consumers do not manage or control the underlying cloud infrastructure, but they have control over the operating system, storage, and deployed applications, and possibly limited control over selected networking components such as host firewalls.

[0057] Deployment models can include, for example, private clouds, community clouds, public clouds, and hybrid clouds. A private cloud is cloud infrastructure operated solely by an organization. A private cloud can be managed by the organization or a third party and can exist on-site or off-site. A community cloud is cloud infrastructure shared by several organizations and supports a specific community with shared concerns, such as mission, security requirements, policies, and compliance considerations. A community cloud can be managed by the organization or a third party and can exist on-site or off-site. A public cloud is cloud infrastructure available to the general public or a large industrial group and is owned by an organization that sells cloud services. A hybrid cloud is a cloud infrastructure consisting of two or more clouds (such as, for example, private clouds, community clouds, and public clouds) that remain distinct entities but are bound together by standardized or proprietary technologies that enable data and application portability, such as cloud bursting for load balancing between clouds.

[0058] Cloud computing environments are service-oriented, focusing on statelessness, loose coupling, modularity, and semantic interoperability. At the heart of cloud computing is the infrastructure, including the network of interconnected nodes.

[0059] Referring now to Figure 3, a diagram illustrating a cloud computing environment in which illustrative embodiments can be implemented is depicted. In this illustrative example, cloud computing environment 300 includes a collection of one or more cloud computing nodes 310 with which local computing devices used by cloud consumers can communicate, such as, for example, personal digital assistants or smartphones 320A, desktop computers 320B, laptop computers 320C, and / or automotive computer systems 320N. Cloud computing nodes 310 can be, for example, servers 104 and 106 in Figure 1, and local computing devices 320A-320N can be, for example, host computers 110-114 in Figure 1.

[0060] Cloud computing nodes 310 can communicate with each other and can be physically or virtually grouped into one or more networks, such as private clouds, community clouds, public clouds, or hybrid clouds, or combinations thereof, as described above. This allows cloud computing environment 300 to provide infrastructure, platform, and / or software as a service for which cloud consumers do not need to maintain resources on local computing devices such as local computing devices 320A-320N. It should be understood that the types of local computing devices 320A-320N are for illustrative purposes only, and cloud computing nodes 310 and cloud computing environment 300 can communicate with any type of computerized device, for example, using a web browser via any type of network and / or network-addressable connection.

[0061] Referring now to Figure 4, a diagram illustrating abstraction model layers is depicted according to an illustrative embodiment. The set of functional abstraction layers shown in this illustrative example can be provided by a cloud computing environment, such as cloud computing environment 300 in Figure 3. It should be understood in advance that the components, layers, and functions shown in Figure 4 are for illustrative purposes only, and embodiments of the invention are not limited thereto. As depicted, the following layers and corresponding functions are provided.

[0062] The abstraction layer of the cloud computing environment 400 includes a hardware and software layer 402, a virtualization layer 404, a management layer 406, and a workload layer 408. The hardware and software layer 402 includes the hardware and software components of the cloud computing environment. Hardware components may include, for example, a mainframe 410, servers 412 and 414 based on a RISC (Reduced Instruction Set Computer) architecture, blade servers 416, storage devices 418, and network and networking components 420. In some illustrative embodiments, software components may include, for example, network application server software 422 and database software 424.

[0063] The virtualization layer 404 provides an abstraction layer from which the following examples of virtual entities can be provided: virtual server 426; virtual storage device 428; virtual network 430, including virtual private network; virtual application and operating system 432; and virtual client 434.

[0064] In one example, management layer 406 can provide the functions described below. Resource provisioning 436 provides dynamic procurement of computing resources and other resources used to perform tasks within the cloud computing environment. Metering and pricing 438 provides cost tracking as resources are utilized within the cloud computing environment, as well as billing or charging for the consumption of these resources. In one example, these resources may include application software licenses. Security provides authentication for cloud consumers and tasks, and protection for data and other resources. User portal 440 provides access to the cloud computing environment for consumers and system administrators. Service level management 442 provides cloud resource allocation and management to meet the required service level. Service level agreement (SLA) planning and fulfillment 444 provides pre-scheduling and procurement of cloud resources for anticipated future needs in accordance with the SLA.

[0065] Workload layer 408 provides examples of functionalities that can be leveraged in a cloud computing environment. Examples of workloads and functionalities that may be provided by workload layer 408 may include mapping and navigation 446, software development and lifecycle management 448, virtual classroom education delivery 450, data analytics and processing 452, transaction processing 454, and attack surface reduction management 456.

[0066] Illustrative embodiments reduce an attacker's ability to access network resources by reducing the amount of available system resources corresponding to each host computer in a cluster or cloud environment. Illustrative embodiments reduce the overall attack surface on each host computer by measuring the application system resource utilization footprint on each host computer. For example, for each application across a host computer cluster, illustrative embodiments measure the host computer and network resource utilization footprint of each corresponding application in the host computer cluster. Illustrative embodiments then identify, group, and co-locate those applications with similar system resource footprints on the same host computer in the cluster. In other words, each host computer in the cluster hosts a different set of applications with similar system resource utilization metrics. On all host computers in the cluster, illustrative embodiments remove or eliminate all unused resources to achieve cluster-wide attack surface reduction. System resources may include, for example, shared network services, shared network service destinations (e.g., Internet Protocol addresses, port numbers, etc.), shared libraries, shared system stacks, shared kernel system calls, shared kernel subsystems, shared network resources, shared sensitive user accounts or groups with elevated access permissions, shared sensitive applications with elevated access permissions, etc.

[0067] Application co-location allows illustrative embodiments to load host computers with only those applications that have the same or similar system resource utilization metrics (i.e., footprints), thereby allowing illustrative embodiments to remove unused system resources on the host computer and reduce the attack surface of that host computer. Illustrative embodiments measure application system resource utilization metric patterns, characteristics, and behaviors across all host computers in the entire cluster or cloud environment to make application co-location decisions that improve the overall security of the cluster or cloud environment based on the obtained attack surface metrics. Illustrative embodiments can utilize an established range of system resource utilization metrics to determine similarity. In other words, illustrative embodiments perform host computer attack surface reduction by co-locating applications with the same or similar system resource utilization metrics (i.e., having the same or similar utilization of host computer and network resources within an established range of resource utilization metric similarity) and removing unused system resources corresponding to the host computer based on attack surface similarity. Therefore, illustrative embodiments utilize scheduling and placement of applications on different host computers to reduce the amount of attack surface on each host computer in a cluster or cloud environment.

[0068] As a result, the illustrative embodiments improve the overall security and trust of the cluster or cloud environment through application co-location based on application attack surface measurements, which reduces the likelihood of a successful attack. Furthermore, the illustrative embodiments reduce the sensitivity of the cluster or cloud environment to malicious actors.

[0069] Therefore, illustrative embodiments provide one or more technical solutions that overcome technical problems related to security across delivery environments (i.e., reducing the attack surface across clusters or clouds on host computers). Thus, these one or more technical solutions provide technical effectiveness and practical application in the field of network and system security.

[0070] Referring now to Figure 5, a diagram illustrating an example of a system architecture is depicted according to an illustrative embodiment. System architecture 500 can be implemented in, for example, data processing environment 100 in Figure 1 or a cloud computing environment such as cloud computing environment 300 in Figure 3. System architecture 500 is a system for reducing the attack surface of hardware and software components on a host computer by selectively co-locating a group of applications with similar system resource utilization footprints on the same host computer and removing unused system resources from the host computer.

[0071] In this example, system architecture 500 includes server 502, host computer 504, host computer 506, host computer 508, and host computer 510. However, it should be noted that system architecture 500 is intended only as an example and not as a limitation on the illustrative embodiments. In other words, system architecture 500 may include any number of servers, host computers, and other devices and components not shown.

[0072] Server 502 can be, for example, server 104 in Figure 1, data processing system 200 in Figure 2, or cloud computing node 310 in Figure 3. Host computers 504, 506, 508, and 510 can be, for example, host computers 110-114 in Figure 1 or local computing devices 320A-320N in Figure 3.

[0073] In this example, server 502 includes attack surface reduction manager 512, which runs on operating system kernel 514. Host computer 504 includes agent 516 running on operating system kernel 518. Host computer 506 includes agent 520, which runs on operating system kernel 522. Host computer 508 includes agent 524 running on operating system kernel 526. Host computer 510 includes agent 528 running on operating system kernel 530.

[0074] Server 502 utilizes Attack Surface Reduction Manager 512 to obtain host computer and application metrics from agents 516, 520, 524, and 528 located on host computers 504, 506, 508, and 510, respectively. Attack Surface Reduction Manager 512 uses the host computer and application metric information obtained from agents 516, 520, 524, and 528 to make application co-location and host computer attack surface reduction (i.e., removal of unused system resources) decisions for host computers 504, 506, 508, and 510. Agents on the respective host computers are responsible for monitoring and collecting host computer and application metrics for their host computers. However, it should be noted that the respective agents can also handle application migration and attack surface reduction on their corresponding host computers based on instructions received from Attack Surface Reduction Manager 512.

[0075] Attack Surface Reduction Manager 512 performs application co-location to reduce the attack surface on each of host computers 504, 506, 508, and 510. Co-location is the act of placing or arranging a specific set of applications together on a particular host computer. The attack surface corresponding to a host computer is the sum of the distinct points (e.g., "attack vectors") at which an unauthorized user (i.e., an "attacker") might attempt to gain access to resources (e.g., applications, data, etc.) located on or controlled by the host computer. Examples of attack vectors may include, for example, user input fields, protocols, application programming interfaces, and services.

[0076] Attack Surface Reduction Manager 512 can utilize a greedy co-location algorithm, such as:

[0077] Let A represent the plurality of applications to be assigned to the plurality of host computers H in a cluster or cloud environment;

[0078] For each host computer h in the plurality of host computers H:

[0079] l = the number of available application slots on host computer h;

[0080] C = the set of combinations of applications of length l drawn from the plurality of applications A;

[0081] For each application set c in the set of application combinations C:

[0082] If the combined set of resources R_c used by application set c is contained in the resources of host computer h, then the set of unused resources S_c = Resources(h) - R_c;

[0083] Assign to host computer h the application set c for which the set of unused resources S_c is largest.

[0084] Global maximization:

[0085] Perform the above computation over all permutations of the plurality of host computers H;

[0086] Select the application co-assignment under which the sum of the sets of unused resources S_c over all host computers in the plurality of host computers H is largest.

[0087] Global maximization aims to maximize the amount of unused resources removed across all host machines in a cluster or cloud environment. This global maximization algorithm therefore illustrates how an illustrative embodiment enumerates and analyzes all possible combinations of applications and host machines to find the globally optimal application co-location configuration.
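The greedy per-host pass of paragraphs [0077]-[0083] and the global maximization of [0084]-[0086], as an added Python example that is not part of the patent text. The application footprints (libraries and kernel system calls), the two-slot hosts, and the assumption that Resources(h) is each host's full installed library and system call inventory are constructed to mirror the Figure 6 example.

```python
"""Greedy application co-location with global maximization (added example)."""
from itertools import combinations, permutations
from typing import Dict, FrozenSet, Optional, Sequence, Tuple

Footprints = Dict[str, FrozenSet[str]]
Hosts = Dict[str, Tuple[int, FrozenSet[str]]]             # host -> (slots l, Resources(h))
Plan = Dict[str, Tuple[Tuple[str, ...], FrozenSet[str]]]  # host -> (application set c, S_c)

# Constructed footprints modelled on the Figure 6 example: each application's
# system resource utilization footprint is the set of shared libraries and
# kernel system calls it uses.
APPS: Footprints = {
    "app1": frozenset({"lib1", "lib2", "sysA", "sysB", "sysC"}),
    "app2": frozenset({"lib3", "lib4", "sysI", "sysJ", "sysK"}),
    "app3": frozenset({"lib2", "lib5", "sysB", "sysC", "sysD"}),
    "app4": frozenset({"lib4", "lib6", "sysH", "sysI", "sysJ"}),
}

# Constructed pre-reduction host inventories (phase 602): two application slots
# each, with libraries 1-6 and kernel system calls A-K all installed.
FULL_INVENTORY: FrozenSet[str] = frozenset(
    {f"lib{i}" for i in range(1, 7)} | {f"sys{c}" for c in "ABCDEFGHIJK"}
)
HOSTS: Hosts = {"hostA": (2, FULL_INVENTORY), "hostB": (2, FULL_INVENTORY)}


def unused_resources(c: Sequence[str], apps: Footprints,
                     resources: FrozenSet[str]) -> Optional[FrozenSet[str]]:
    """Paragraph [0082]: if the combined footprint R_c of application set c is
    contained in Resources(h), return S_c = Resources(h) - R_c; otherwise None."""
    r_c = frozenset().union(*(apps[a] for a in c))
    if not r_c <= resources:
        return None
    return resources - r_c


def greedy_colocate(host_order: Sequence[str], apps: Footprints,
                    hosts: Hosts) -> Tuple[Plan, int]:
    """Paragraphs [0077]-[0083]: visit hosts in the given order and give each
    host the application set c whose unused-resource set S_c is largest.
    Returns the plan and the total number of unused resources it frees."""
    remaining = sorted(apps)
    plan: Plan = {}
    total = 0
    for h in host_order:
        slots, resources = hosts[h]
        l = min(slots, len(remaining))
        best: Optional[Tuple[Tuple[str, ...], FrozenSet[str]]] = None
        for c in combinations(remaining, l):
            s_c = unused_resources(c, apps, resources)
            if s_c is not None and (best is None or len(s_c) > len(best[1])):
                best = (c, s_c)
        if best is None:  # no application set fits on h: leave the host untouched
            plan[h] = ((), frozenset())
            continue
        plan[h] = best
        total += len(best[1])
        remaining = [a for a in remaining if a not in best[0]]
    return plan, total


def global_maximize(apps: Footprints, hosts: Hosts) -> Tuple[Plan, int]:
    """Paragraphs [0084]-[0086]: run the greedy pass over every permutation of
    the hosts and keep the co-assignment with the largest sum of |S_c|."""
    best_plan: Plan = {}
    best_total = -1
    for order in permutations(hosts):
        plan, total = greedy_colocate(order, apps, hosts)
        if total > best_total:
            best_plan, best_total = plan, total
    return best_plan, best_total


def reduced_inventory(plan: Plan, hosts: Hosts) -> Dict[str, FrozenSet[str]]:
    """Post-reduction inventory of each host (phase 604): Resources(h) with the
    unused set S_c removed, leaving only what its resident applications use."""
    return {h: hosts[h][1] - s_c for h, (_, s_c) in plan.items()}


if __name__ == "__main__":
    plan, total = global_maximize(APPS, HOSTS)
    kept = reduced_inventory(plan, HOSTS)
    for h, (c, s_c) in plan.items():
        print(f"{h}: apps={c} removed={len(s_c)} kept={sorted(kept[h])}")
    print("total unused resources removed:", total)
```

With the Figure 6 footprints the pairing {app1, app3} / {app2, app4} frees 20 resources in total, whereas the pre-reduction pairing {app1, app2} / {app3, app4} would free only 14.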

[0088] During the boot process of a new cluster or cloud environment (i.e., host computers 504, 506, 508, and 510), Attack Surface Reduction Manager 512 deploys applications to host computers 504, 506, 508, and 510. Attack Surface Reduction Manager 512 then profiles the applications to obtain the system resource utilization footprint of each corresponding application running on host computers 504, 506, 508, and 510. Attack Surface Reduction Manager 512 then identifies and groups each set of applications running in the new cluster or cloud environment with similar system resource utilization footprints. Attack Surface Reduction Manager 512 then co-locates a group of applications with similar system resource utilization footprints on the same host computer, such as host computer 504. Similarly, Attack Surface Reduction Manager 512 co-locates other sets of applications with similar system resource utilization footprints on other host computers, such as host computers 506, 508, and 510. Examples of application migration may include Attack Surface Reduction Manager 512 utilizing existing technologies for migrating applications, virtual machines, containers, etc.

[0089] Then, the Attack Surface Reduction Manager 512 reduces the attack surface corresponding to each of the host computers 504, 506, 508, and 510 by reducing the amount of unused system resources (such as shared libraries and kernel system calls) on each respective host computer. Other examples of host computer attack surface reduction may include: the Attack Surface Reduction Manager 512 removing unused user-level libraries; the Attack Surface Reduction Manager 512 downloading a new operating system or operating system kernel with a reduced attack surface and initiating a host reboot to swap the current version of the operating system or operating system kernel with the new version, or performing a transparent operating system or operating system kernel update; the Attack Surface Reduction Manager 512 updating firewall rules to restrict network services or activities to certain Internet Protocol addresses and port numbers; and so on.

[0090] During operation of the cluster or cloud environment, Attack Surface Reduction Manager 512 initially places a new application on server 502. Then, Attack Surface Reduction Manager 512 profiles the new application to obtain its system resource utilization footprint. Furthermore, Attack Surface Reduction Manager 512 obtains the system resource utilization patterns, characteristics, or behaviors of the applications running on all host computers 504, 506, 508, and 510. Additionally, based on the obtained system resource utilization patterns of the applications running on the host computers, Attack Surface Reduction Manager 512 selects the best-matching host computer (e.g., host computer 506) on which to place the new application, namely the host computer whose applications' system resource utilization pattern matches the new application's system resource utilization pattern. Attack Surface Reduction Manager 512 then places the new application on the selected host computer, alongside applications with a similar system resource utilization footprint.

[0091] Referring now to Figure 6, a diagram illustrating an example of an application co-location and attack surface reduction process is depicted according to an illustrative embodiment. Application co-location and attack surface reduction process 600 can be implemented in system architecture 500 and is controlled by Attack Surface Reduction Manager 512 in Figure 5.

[0092] The application co-location and attack surface reduction process 600 includes a phase 602 before application co-location and attack surface reduction and a phase 604 after application co-location and attack surface reduction. In this example, phase 602 before application co-location and attack surface reduction and phase 604 after application co-location and attack surface reduction include host computer A 606 and host computer B 608. However, it should be noted that the application co-location and attack surface reduction process 600 is intended only as an example and not as a limitation on the illustrative embodiments. In other words, the application co-location and attack surface reduction process 600 can include any number of host computers.

[0093] In phase 602, prior to application co-location and attack surface reduction, host computer A 606 and host computer B 608 are in their state before application co-location and attack surface reduction. For example, host computer A 606 includes application 1 610 and application 2 612. Application 1 610 utilizes library 1 614 and library 2 616. Furthermore, application 1 610 utilizes kernel system call A 618, kernel system call B 620, and kernel system call C 622 from kernel system calls A-K. Application 2 612 utilizes library 3 624 and library 4 626. Application 2 612 also utilizes kernel system call I 628, kernel system call J 630, and kernel system call K 632 from kernel system calls A-K. Similarly, host computer B 608 includes application 3 634 and application 4 636. Application 3 634 utilizes library 2 616 and library 5 640. In addition, application 3 634 utilizes kernel system calls B 620, C 622, and D 646 from kernel system calls A-K. Application 4 636 utilizes libraries 4 626 and 6 650. Application 4 636 also utilizes kernel system calls H 652, I 628, and J 630 from kernel system calls A-K.

[0094] It should be noted that in phase 602, before application co-location and attack surface reduction, applications 1 610 and 3 634 have similar system resource utilization. For example, both applications 1 610 and 3 634 utilize library 2 616, as well as kernel system calls B 620 and C 622. Similarly, applications 2 612 and 4 636 have similar system resource utilization. For example, both applications 2 612 and 4 636 utilize library 4 626, as well as kernel system calls I 628 and J 630.

[0095] At 654, the attack surface reduction manager co-locates applications and reduces the attack surface on host computer A 606 and host computer B 608. As a result, in phase 604 after application co-location and attack surface reduction, based on similar application resource utilization patterns, host computer A 606 includes application 1 610 and application 3 634, while host computer B 608 includes application 2 612 and application 4 636. For example, application 1 610 continues to utilize libraries 1 614 and 2 616 on host computer A 606, as in phase 602 before application co-location and attack surface reduction, but now application 3 634 shares library 2 616 with application 1 610 and also utilizes library 5 640, which the attack surface reduction manager migrated along with application 3 634 from host computer B 608 to host computer A 606. Furthermore, it should be noted that the attack surface reduction manager removed libraries 3 624 and 4 626 (i.e., unused system resources) from host computer A 606 to reduce the attack surface on host computer A 606, and migrated libraries 3 624 and 4 626 to host computer B 608. Additionally, application 1 610 continues to utilize kernel system calls A 618, B 620, and C 622, as in phase 602 before application co-location and attack surface reduction; however, application 3 634 now shares kernel system calls B 620 and C 622 with application 1 610, and also utilizes kernel system call D 646. Furthermore, it should be noted that the attack surface reduction manager removed kernel system calls E-K (i.e., unused system resources) to further reduce the attack surface on host computer A 606.

[0096] Similarly, in phase 604 after application co-location and attack surface reduction, application 2 612 continues to utilize libraries 3 624 and 4 626, which the attack surface reduction manager migrated from host computer A 606 to host computer B 608, and application 4 636 now shares library 4 626 with application 2 612 and utilizes library 6 650. Furthermore, it should be noted that the attack surface reduction manager removed libraries 2 616 and 5 640 (i.e., unused system resources) from host computer B 608 to reduce the attack surface on host computer B 608, and migrated library 5 640 to host computer A 606. Furthermore, application 4 636 continues to utilize kernel system calls H 652, I 628, and J 630, as in phase 602 before application co-location and attack surface reduction. However, application 2 612 now shares kernel system calls I 628 and J 630 with application 4 636 and also utilizes kernel system call G 656. Additionally, it should be noted that the attack surface reduction manager removed kernel system calls A-F and K (i.e., unused system resources) to further reduce the attack surface on host computer B 608.

[0097] Referring now to Figure 7, a diagram illustrating an example of shared attack surface resources under different application deployment models is depicted according to an illustrative embodiment. In this example, shared attack surface resources 700 under different application deployment models include host computer 702, host computer 704, and host computer 706. However, it should be noted that shared attack surface resources 700 under different application deployment models can include any number of host computers having any type of application deployment model.

[0098] Host computer 702 includes virtual machine 708 running on hypervisor 710. Hypervisor 710 is the shared attack surface resource in this model. The attack surface reduction manager (e.g., Attack Surface Reduction Manager 512 in Figure 5) can recompile hypervisor 710 to reduce the attack surface of hypervisor 710.

[0099] Host computer 704 includes applications 712 and 714, which run on operating system kernel 716 and utilize shared libraries 718 and runtime support 720. Operating system kernel 716, shared libraries 718, and runtime support 720 are the shared attack surface resources in this model. The attack surface reduction manager can download and install updates to operating system kernel 716, which reduces the attack surface of operating system kernel 716. Furthermore, the attack surface reduction manager can remove unused libraries from shared libraries 718 and unused runtime support (such as unused kernel system calls) from runtime support 720 to further reduce the attack surface in host computer 704.

[0100] Host computer 706 includes container 722, which runs on operating system kernel 724 and utilizes runtime support 726. Operating system kernel 724 and runtime support 726 are shared attack surface resources in this model. The attack surface reduction manager can reboot and install a new version of operating system kernel 724 with a reduced attack surface. Furthermore, the attack surface reduction manager can remove unused runtime support from runtime support 726 to further reduce the attack surface in host computer 704.

[0101] Network service 728 also shares attack surface resources with host computers 702, 704, and 706. Attack Surface Reduction Manager can update firewall rules to restrict network traffic to specific Internet Protocol (IP) addresses and port numbers. Attack Surface Reduction Manager can also remove unused IP addresses and port numbers to reduce the attack surface.

[0102] Referring now to Figure 8, a flowchart illustrating a process for placing applications during system boot is shown according to an illustrative embodiment. The process shown in Figure 8 can be implemented in a server computer, such as, for example, server 104 in Figure 1, data processing system 200 in Figure 2, cloud computing node 310 of cloud computing environment 300 in Figure 3, or server 502 in Figure 5.

[0103] The process begins when the server computer receives input for performing a boot operation on multiple host computers included in the data processing environment (step 802). The data processing environment may be, for example, a cluster of host computers or a cloud environment consisting of multiple host computers. In response to receiving input for performing the boot operation in step 802, the server performs the boot operation on the multiple host computers (step 804).

[0104] The server places the applications on the multiple host computers (step 806). The server then profiles the applications running on the multiple host computers to obtain the system resource utilization footprint of each application (step 808). The server can obtain the profiling information from the software agent located on each host computer. The system resource utilization footprint identifies the pattern (i.e., the type and amount) of system resource usage by a particular application running on a host computer.

[0105] Based on the application profiling, the server identifies multiple different sets of applications with similar system resource utilization footprints (step 810). The server also obtains a list of system resources corresponding to each of the multiple host computers (step 812); this list, too, may be obtained from the software agent on each host computer.

[0106] From the list of system resources for each host computer, the server identifies the set of used system resources, that is, the resources utilized by the resident applications running on that host computer (step 814). The server then determines the set of unused system resources for each host computer by subtracting the set of used system resources from that host computer's list of system resources (step 816).

[0107] The server determines the maximum attack surface reduction obtainable for each host computer from placing a particular set of applications with similar system resource utilization footprints on that host computer and removing the set of unused system resources determined for that host computer when it runs that set of applications (step 818). The server assigns each set of applications with similar system resource utilization footprints to the designated host computer that yields the determined maximum attack surface reduction (step 820).

[0108] The server places each set of applications with similar system resource utilization footprints on its assigned host computer within the data processing environment (step 822). The server then removes the determined set of unused system resources from the host computer assigned to each set of applications, reducing the attack surface across the data processing environment (step 824). The process then terminates.
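The boot-time procedure of steps 806 through 824 can be prototyped in a few dozen lines. The following is an added example, not code from the patent or from its assignee: it does no profiling itself but starts from constructed footprints (the sets of shared libraries, kernel system calls and listening ports each application was observed touching) and constructed per-host resource lists of the kind a software agent would report. Three points the patent leaves open are assumptions here: footprint similarity is measured as the Jaccard index of two resource sets with a threshold of 0.6; each host carries a capacity budget (memory units) so that the search cannot simply pile every application onto one host; and attack surface reduction is the plain count of removable resources, with an idle host counting as fully removable. The assignment step performs the exhaustive search over all application-to-host combinations described in claim 9 rather than a per-set greedy choice.

```python
"""Boot-time placement (Figure 8, steps 806-824) with the assignment
objective of claim 9: enumerate every assignment of application groups to
hosts and keep the one that leaves the most host resources unused, since
those are the resources the manager can then remove."""
from itertools import product

# Constructed sample data (not from the patent). Resources are what the
# per-host agent reports: shared libraries, kernel system calls and
# listening ports. Footprints are the resources profiling saw each
# application touch.
HOST_RESOURCES = {
    "host-a": {"libssl", "libxml2", "libz", "sys_ptrace", "sys_mount",
               "sys_socket", "port/22", "port/443", "port/8080"},
    "host-b": {"libssl", "libz", "libjpeg", "sys_ptrace", "sys_socket",
               "port/22", "port/443", "port/8080", "port/5432"},
    "host-c": {"libssl", "libxml2", "libjpeg", "libz", "libcurl", "sys_mount",
               "sys_socket", "port/22", "port/8080", "port/5432"},
}
# Assumed capacity budget per host (memory units) so packing is bounded.
HOST_CAPACITY = {"host-a": 8, "host-b": 8, "host-c": 8}

APP_FOOTPRINTS = {
    "web-1": {"libssl", "libz", "sys_socket", "port/443"},
    "web-2": {"libssl", "libz", "sys_socket", "port/443", "port/8080"},
    "img-1": {"libjpeg", "libz", "sys_socket", "port/8080"},
    "db-1": {"libssl", "sys_socket", "port/5432"},
    "db-2": {"libssl", "libz", "sys_socket", "port/5432"},
}
APP_COST = {"web-1": 2, "web-2": 2, "img-1": 3, "db-1": 3, "db-2": 3}


def jaccard(a, b):
    """Footprint similarity: shared resources over all resources touched."""
    return len(a & b) / len(a | b) if a or b else 1.0


def group_by_similarity(footprints, threshold):
    """Step 810: greedy grouping. An application joins the first group whose
    combined footprint is at least `threshold` similar to its own; otherwise
    it starts a new group."""
    groups = []  # each entry: [member names, combined footprint]
    for app, fp in footprints.items():
        for group in groups:
            if jaccard(fp, group[1]) >= threshold:
                group[0].append(app)
                group[1] |= fp
                break
        else:
            groups.append([[app], set(fp)])
    return [tuple(members) for members, _ in groups]


def unused_resources(host_resources, footprints):
    """Step 816: the host's resource list minus everything its residents use."""
    used = set().union(*footprints) if footprints else set()
    return host_resources - used


def best_assignment(groups, footprints, costs, hosts, capacity):
    """Steps 818-820 and claim 9: try every group-to-host assignment. A host
    is infeasible for its groups if it lacks a resource they need or their
    cost exceeds its capacity. Several groups may share a host, and an idle
    host counts as entirely unused (all of it is removable)."""
    best_total, best_plan = -1, None
    for choice in product(hosts, repeat=len(groups)):
        on_host = {h: [] for h in hosts}
        for group, host in zip(groups, choice):
            on_host[host].append(group)
        total, plan, feasible = 0, {}, True
        for host, placed in on_host.items():
            fps = [footprints[a] for g in placed for a in g]
            need = set().union(*fps) if fps else set()
            load = sum(costs[a] for g in placed for a in g)
            if not need <= hosts[host] or load > capacity[host]:
                feasible = False
                break
            unused = unused_resources(hosts[host], fps)
            plan[host] = (tuple(placed), unused)
            total += len(unused)
        if feasible and total > best_total:
            best_total, best_plan = total, plan
    return best_total, best_plan


def plan_boot_placement(hosts, capacity, footprints, costs, threshold=0.6):
    """Returns (removable resource count, {host: (groups placed, unused)})."""
    groups = group_by_similarity(footprints, threshold)
    total, plan = best_assignment(groups, footprints, costs, hosts, capacity)
    if plan is None:
        raise ValueError("no feasible assignment of application groups to hosts")
    return total, plan


if __name__ == "__main__":
    total, plan = plan_boot_placement(HOST_RESOURCES, HOST_CAPACITY,
                                      APP_FOOTPRINTS, APP_COST)
    print("removable resources across the environment:", total)
    for host, (groups, unused) in plan.items():
        print(f"{host}: run {groups}; remove {sorted(unused)}")
```

Running the block prints the chosen assignment: the two web applications and the image service, which share libz, the socket system call and port 8080, are packed onto one host, the database pair onto another, and the third host is left idle with all of its resources removable. Two practical cautions apply. The search is exponential (hosts to the power of groups), so a real scheduler would replace `product` with a heuristic once the environment has more than a handful of groups. And a footprint is only as complete as the profiling window: a library loaded lazily on an error path that never fired during profiling would be classed as unused and stripped, so the window must cover the paths the application can actually take.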

[0109] Referring now to Figure 9, a flowchart of a process for placing an application during system runtime is shown in accordance with an illustrative embodiment. The process shown in Figure 9 may be implemented in a server computer, such as, for example, server 104 in Figure 1, data processing system 200 in Figure 2, a cloud computing node 310 of cloud computing environment 300 in Figure 3, or server 502 in Figure 5.

[0110] The process begins when the server computer receives input to deploy a new application in a data processing environment comprising multiple host computers (step 902). In response to receiving the input in step 902, the server initially places the new application on the server itself (step 904) and profiles the new application to determine its system resource utilization footprint (step 906).

[0111] The server then obtains the system resource availability of each host computer in the data processing environment (step 908) and, based on the system resource utilization footprint of the new application, identifies any host computer with sufficient available system resources to run the new application (step 910). The server then determines whether any host computer has sufficient available system resources to run the new application (step 912).

[0112] If the server determines that a group of host computers among the multiple host computers has sufficient available system resources to run the new application, the output of step 912 is "Yes", and the server assigns the new application to a host computer in that group that has one or more running resident applications with a resource utilization footprint similar to that of the new application (step 914). The server places the new application on that host computer (step 916). The process then terminates.

[0113] Returning to step 912, if the server determines that none of the multiple host computers has sufficient available system resources to run the new application, the output of step 912 is "No". The server then selects the host computer with the fewest running resident applications among the multiple host computers (step 918), temporarily migrates all running resident applications from the selected host computer to the server (step 920), and resets the selected host computer to its initial default state to form a reset host computer (step 922).

[0114] The server then migrates the applications previously moved off the selected host computer back from the server to the reset host computer (step 924) and places the new application on the reset host computer (step 926). Finally, the server removes the system resources not utilized by the resident applications now running on the reset host computer, reducing the attack surface of the reset host computer (step 928). The process then terminates.
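Steps 902 through 928 together form the runtime placement decision, including the reset path Figure 9 takes when no host can run the new application. The following is an added example, not the patent's own code. It assumes, where the patent does not spell it out, that "sufficient available system resources" means the new application's footprint is a subset of the host's current (already stripped) resource set and the host has capacity left for it; that a reset restores the host's initial default resource image; and it adds a guard the patent does not mention, refusing to reset a host whose default image could not run the new application anyway. The host state, footprints and costs are constructed, and similarity is again the Jaccard index.

```python
"""Runtime placement of a new application (Figure 9, steps 902-928).
Each host record holds its current resource set (already stripped after
boot), the resource set of its initial default image, an assumed capacity
budget, and its resident applications with their profiled footprints."""


def make_hosts():
    """Constructed host state, not from the patent."""
    return {
        "host-a": {
            "capacity": 8,
            "default": {"libssl", "libz", "libxml2", "sys_socket", "sys_ptrace",
                        "sys_mount", "port/22", "port/443", "port/8080"},
            "resources": {"libssl", "libz", "sys_socket", "port/443", "port/8080"},
            "apps": {
                "web-1": {"fp": {"libssl", "libz", "sys_socket", "port/443"}, "cost": 2},
                "web-2": {"fp": {"libssl", "libz", "sys_socket", "port/443",
                                 "port/8080"}, "cost": 2},
            },
        },
        "host-b": {
            "capacity": 8,
            "default": {"libssl", "libz", "libjpeg", "sys_socket", "sys_ptrace",
                        "port/22", "port/443", "port/8080", "port/5432"},
            "resources": {"libssl", "sys_socket", "port/5432"},
            "apps": {"db-1": {"fp": {"libssl", "sys_socket", "port/5432"}, "cost": 3}},
        },
    }


def jaccard(a, b):
    """Footprint similarity: shared resources over all resources touched."""
    return len(a & b) / len(a | b) if a or b else 1.0


def free_capacity(host):
    return host["capacity"] - sum(a["cost"] for a in host["apps"].values())


def can_run(host, fp, cost):
    """Step 910: every resource in the footprint is still present on the host
    and the host has capacity left (capacity is an assumed constraint)."""
    return fp <= host["resources"] and cost <= free_capacity(host)


def best_similarity(host, fp):
    """Highest footprint similarity between `fp` and any resident app."""
    return max((jaccard(fp, a["fp"]) for a in host["apps"].values()), default=0.0)


def place_new_app(hosts, name, fp, cost):
    """Decides where `name` goes, mutates `hosts`, and returns
    (host, actions), where actions are (verb, host, detail) tuples."""
    actions = [("profile", "server", name)]                        # steps 904-906
    candidates = [h for h in hosts if can_run(hosts[h], fp, cost)]  # step 910
    if candidates:                                                  # step 912: yes
        host = max(candidates, key=lambda h: best_similarity(hosts[h], fp))  # 914
        hosts[host]["apps"][name] = {"fp": fp, "cost": cost}        # step 916
        actions.append(("place", host, name))
        return host, actions

    # step 912: no. Rebuild the host with the fewest resident applications.
    host = min(hosts, key=lambda h: len(hosts[h]["apps"]))          # step 918
    state = hosts[host]
    # Guard not in the patent: refuse before moving anything if even the
    # default image cannot satisfy the footprint or the capacity budget.
    if not fp <= state["default"] or cost > free_capacity(state):
        raise ValueError(f"{host} cannot run {name} even after a reset")
    resident = dict(state["apps"])
    state["apps"] = {}
    actions.append(("migrate_out", host, tuple(resident)))          # step 920
    state["resources"] = set(state["default"])                      # step 922
    actions.append(("reset", host, None))
    state["apps"].update(resident)                                  # step 924
    actions.append(("migrate_back", host, tuple(resident)))
    state["apps"][name] = {"fp": fp, "cost": cost}                  # step 926
    actions.append(("place", host, name))
    used = set().union(*(a["fp"] for a in state["apps"].values()))
    unused = state["resources"] - used                              # step 928
    state["resources"] -= unused
    actions.append(("remove", host, unused))
    return host, actions


if __name__ == "__main__":
    hosts = make_hosts()
    for app, fp, cost in (("web-3", {"libssl", "libz", "sys_socket", "port/8080"}, 2),
                          ("img-1", {"libjpeg", "libz", "sys_socket", "port/8080"}, 3)):
        host, actions = place_new_app(hosts, app, fp, cost)
        print(app, "->", host)
        for verb, where, detail in actions:
            print("   ", verb, where, detail)
```

In the constructed state a third web application lands on host-a beside the two web applications whose footprint it most resembles, whereas an image service that needs libjpeg fits nowhere, because both hosts were stripped of it after boot, and so triggers the migrate, reset, migrate back, place, and strip sequence on host-b, the host with the fewest resident applications. The actions are returned as a plan rather than executed, so they can be reviewed or logged before the agent carries them out.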

[0115] Referring now to Figure 10, a flowchart of a process for reducing the attack surface of a host computer during runtime is shown in accordance with an illustrative embodiment. The process shown in Figure 10 may be implemented in a server computer, such as, for example, server 104 in Figure 1, data processing system 200 in Figure 2, a cloud computing node 310 of cloud computing environment 300 in Figure 3, or server 502 in Figure 5.

[0116] The process begins when the server determines whether a defined time interval has expired (step 1002). If the interval has not expired, the output of step 1002 is "No" and the process returns to step 1002, where the server continues to wait. If the interval has expired, the output of step 1002 is "Yes" and the server obtains a list of all available system resources corresponding to each of the multiple host computers in the data processing environment it monitors (step 1004). The server also obtains the system resource utilization of the resident applications running on each of those host computers (step 1006). The server can obtain both the list of available system resources and the utilization information from the software agent located on each host computer.

[0117] From each host computer's list of available system resources and the system resource utilization of its resident applications, the server determines whether any unused system resources exist on any host computer (step 1008). If none exist, the output of step 1008 is "No" and the process returns to step 1002, where the server waits for the next time interval to expire. If unused system resources exist on one or more host computers, the output of step 1008 is "Yes" and the server removes those unused system resources to reduce the attack surface of those host computers in the data processing environment (step 1010). The process then returns to step 1002, where the server waits for the next time interval to expire.

[0118] Referring now to Figure 11, a flowchart of a process for reducing the attack surface by selectively co-locating applications on a host computer is shown in accordance with an illustrative embodiment. The process shown in Figure 11 may be implemented in a server computer, such as, for example, server 104 in Figure 1, data processing system 200 in Figure 2, a cloud computing node 310 of cloud computing environment 300 in Figure 3, or server 502 in Figure 5.

[0119] The process begins when the server computer receives input to reduce the attack surface in a data processing environment comprising multiple host computers (step 1102). In this example, the data processing environment is a cloud environment. In response to receiving the input in step 1102, the server measures the system resources utilized by each cloud application running on the multiple host computers (step 1104) and determines which of those cloud applications utilize similar system resources (step 1106).

[0120] The server co-locates the cloud applications that utilize similar system resources on their respective assigned host computers (step 1108). The server identifies, for a group of host computers among the multiple host computers, all system resources not used by the resident applications running on those host computers (step 1110), and removes those unused system resources from each host computer in the group to reduce the attack surface in the data processing environment (step 1112). The process then terminates.

[0121] Thus, illustrative embodiments of the present invention provide a computer-implemented method, computer system, and computer program product for reducing the attack surface of a host computer by selectively co-locating a group of applications with similar system resource utilization footprints on the same host computer and removing unused system resources from that host computer. The various embodiments have been described for illustrative purposes and are not intended to be exhaustive or limited to the disclosed embodiments. Many modifications and variations will be apparent to those skilled in the art without departing from the scope of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, their practical application, or improvements over existing technologies in the marketplace, or to enable others skilled in the art to understand the embodiments disclosed herein.

Claims

1. A method for reducing an attack surface by selectively co-locating a plurality of applications on a host computer, the method comprising: measuring the system resources utilized by each application running on a plurality of host computers in a data processing environment; determining which applications running on the plurality of host computers utilize similar system resources; and co-locating the plurality of applications that utilize similar system resources on respective host computers; the method further comprising: performing a boot operation on the plurality of host computers in the data processing environment; placing the applications on the plurality of host computers; profiling the applications running on the plurality of host computers to obtain a system resource utilization footprint for each respective application, wherein the system resource utilization footprint identifies the pattern of system resource usage by a particular application running on a host computer; identifying, based on the profiling of the applications, a plurality of different sets of applications having similar system resource utilization footprints; determining a maximum attack surface reduction for each respective host computer based on placing a particular set of applications having similar system resource utilization footprints on a particular host computer and removing a determined set of unused system resources corresponding to the particular host computer running that particular set of applications; assigning each respective set of applications having similar system resource utilization footprints to a designated host computer having the determined maximum attack surface reduction; and placing each respective set of applications having similar system resource utilization footprints on its assigned host computer within the data processing environment.

2. The method according to claim 1, further comprising: identifying unused system resources that are not being utilized by resident applications running on a group of host computers among the plurality of host computers; and removing the unused system resources corresponding to each respective host computer in the group of host computers to reduce the attack surface in the data processing environment.

3. The method according to claim 2, wherein identifying the unused system resources not utilized by the resident applications comprises: obtaining a list of system resources corresponding to each of the plurality of host computers; identifying, in the list of system resources corresponding to each respective host computer, a set of used system resources being utilized by the running resident applications; and determining a set of unused system resources corresponding to each respective host computer by subtracting the set of used system resources from the list of system resources corresponding to that respective host computer.

4. The method according to claim 1, wherein the co-locating comprises placing the plurality of applications that utilize similar system resources together on the same host computer.

5. The method according to claim 1, further comprising: placing a new application on a server; profiling the new application to determine its system resource utilization footprint; obtaining the system resource availability of each respective host computer of the plurality of host computers; identifying, based on the system resource utilization footprint of the new application, any host computer having available system resources for running the new application; and determining whether any host computer has available system resources to run the new application.

6. The method according to claim 5, further comprising: in response to determining that a group of host computers among the plurality of host computers has available system resources for running the new application, assigning the new application to a host computer in the group that has one or more running resident applications with a resource utilization footprint similar to that of the new application; and placing the new application on the host computer that has the one or more running resident applications with the similar resource utilization footprint.

7. The method according to claim 5, further comprising: in response to determining that none of the plurality of host computers has available system resources for running the new application, selecting the host computer with the fewest running resident applications from the plurality of host computers; migrating the resident applications from the selected host computer to the server; resetting the selected host computer to its initial default state to form a reset host computer; migrating the applications previously migrated from the selected host computer back from the server to the reset host computer; placing the new application on the reset host computer; and removing system resources not being used by the resident applications running on the reset host computer to reduce the attack surface of the reset host computer.

8. The method according to claim 1, further comprising: in response to expiration of a defined time interval, obtaining a list of available system resources corresponding to each of the plurality of host computers included in the monitored data processing environment; obtaining the system resource utilization of the resident applications running on each of the plurality of host computers; determining, based on the list of available system resources corresponding to each respective host computer and the system resource utilization of the resident applications running on each respective host computer, whether unused system resources exist on any host computer; and in response to determining that unused system resources exist on one or more host computers, removing the unused system resources existing on the one or more host computers to reduce the attack surface of those host computers in the data processing environment.

9. The method according to claim 1, wherein the attack surface is the sum of the different points at which an unauthorized user might attempt to gain access to computer resources located on the plurality of host computers, the method further comprising: identifying and analyzing all possible combinations of applications and host computers among the plurality of host computers; and selecting the application co-location assignment for which the sum of the sets of all unused resources on the plurality of host computers is maximized, so as to maximize the removal of unused resources across all host computers of the plurality of host computers.

10. The method according to claim 1, wherein the co-locating comprises removing an application from a first client host computer and installing the application on a second client host computer.

11. The method according to claim 1, wherein the system resources comprise a runtime environment including host computer resources and network resources, wherein the host computer resources and network resources are selected from the group consisting of libraries, kernel system calls, kernel subsystems, hypervisors, network services, Internet Protocol addresses, port numbers, sensitive network user accounts with elevated access privileges, and sensitive network applications with elevated access privileges.

12. The method according to claim 1, wherein the data processing environment is one of the group consisting of a cluster environment and a cloud environment.

13. A computer system for reducing an attack surface by selectively co-locating a plurality of applications on a host computer, the computer system comprising: a bus system; a storage device connected to the bus system, wherein the storage device stores program instructions; and a processor connected to the bus system, wherein the processor executes the program instructions to: measure the system resources utilized by each application running on a plurality of host computers in a data processing environment; determine which applications running on the plurality of host computers utilize similar system resources; and co-locate the plurality of applications that utilize similar system resources on respective host computers; wherein the processor further executes the program instructions to: perform a boot operation on the plurality of host computers in the data processing environment; place the applications on the plurality of host computers; profile the applications running on the plurality of host computers to obtain a system resource utilization footprint for each respective application, wherein the system resource utilization footprint identifies the pattern of system resource usage by a particular application running on a host computer; identify, based on the profiling of the applications, a plurality of different sets of applications having similar system resource utilization footprints; determine a maximum attack surface reduction for each respective host computer based on placing a particular set of applications having similar system resource utilization footprints on a particular host computer and removing a determined set of unused system resources corresponding to the particular host computer running that particular set of applications; assign each respective set of applications having similar system resource utilization footprints to a designated host computer having the largest determined attack surface reduction; and place each respective set of applications having similar system resource utilization footprints on its assigned host computer within the data processing environment.

14. The computer system according to claim 13, wherein the processor further executes the program instructions to: identify unused system resources that are not being used by resident applications running on a group of host computers among the plurality of host computers; and remove the unused system resources corresponding to each respective host computer in the group of host computers to reduce the attack surface in the data processing environment.

15. The computer system according to claim 14, wherein identifying the unused system resources not utilized by the resident applications comprises: obtaining a list of system resources corresponding to each of the plurality of host computers; identifying, in the list of system resources corresponding to each respective host computer, a set of used system resources being utilized by the running resident applications; and determining a set of unused system resources corresponding to each respective host computer by subtracting the set of used system resources from the list of system resources corresponding to that respective host computer.

16. The computer system according to claim 13, wherein the co-locating comprises placing the plurality of applications that utilize similar system resources together on the same host computer.

17. A computer program product for reducing an attack surface by selectively co-locating a plurality of applications on a host computer, the computer program product comprising a computer-readable storage medium having program instructions embodied therewith, the program instructions being executable by a computer to cause the computer to perform a method comprising: measuring the system resources utilized by each application running on a plurality of host computers in a data processing environment; determining which applications running on the plurality of host computers utilize similar system resources; and co-locating the plurality of applications that utilize similar system resources on respective host computers; the method further comprising: performing a boot operation on the plurality of host computers in the data processing environment; placing the applications on the plurality of host computers; profiling the applications running on the plurality of host computers to obtain a system resource utilization footprint for each respective application, wherein the system resource utilization footprint identifies the pattern of system resource usage by a particular application running on a host computer; identifying, based on the profiling of the applications, a plurality of different sets of applications having similar system resource utilization footprints; determining a maximum attack surface reduction for each respective host computer based on placing a particular set of applications having similar system resource utilization footprints on a particular host computer and removing a determined set of unused system resources corresponding to the particular host computer running that particular set of applications; assigning each respective set of applications having similar system resource utilization footprints to a designated host computer having the largest determined attack surface reduction; and placing each respective set of applications having similar system resource utilization footprints on its assigned host computer within the data processing environment.

18. The computer program product according to claim 17, the method further comprising: identifying unused system resources that are not being used by resident applications running on a group of host computers among the plurality of host computers; and removing the unused system resources corresponding to each respective host computer in the group of host computers to reduce the attack surface in the data processing environment.

19. The computer program product according to claim 18, wherein identifying the unused system resources not utilized by the resident applications comprises: obtaining a list of system resources corresponding to each of the plurality of host computers; identifying, in the list of system resources corresponding to each respective host computer, a set of used system resources being utilized by the running resident applications; and determining a set of unused system resources corresponding to each respective host computer by subtracting the set of used system resources from the list of system resources corresponding to that respective host computer.

20. The computer program product according to claim 17, wherein the co-locating comprises placing the plurality of applications that utilize similar system resources together on the same host computer.

21. The computer program product according to claim 17, the method further comprising: placing a new application on a server; profiling the new application to determine its system resource utilization footprint; obtaining the system resource availability of each respective host computer of the plurality of host computers; identifying, based on the system resource utilization footprint of the new application, any host computer having available system resources for running the new application; and determining whether any host computer has available system resources to run the new application.

22. The computer program product according to claim 21, the method further comprising: in response to determining that none of the plurality of host computers has available system resources for running the new application, selecting the host computer with the fewest running resident applications from the plurality of host computers; migrating the resident applications from the selected host computer to the server; resetting the selected host computer to its initial default state to form a reset host computer; migrating the applications previously migrated from the selected host computer back from the server to the reset host computer; placing the new application on the reset host computer; and removing system resources not being used by the resident applications running on the reset host computer to reduce the attack surface of the reset host computer.