
AppMon—Untrusted Application Monitoring

Full certification and testing of application programs provides a level of assurance that they will not harm host systems, but it takes a long time. For this reason, software users are often faced with a vexing dilemma: in order to obtain critical new functionality, they must use software that may damage their systems or render them vulnerable to attack. To address this problem, ATC-NY, Cornell University and Architecture Technology Corporation have developed AppMon to provide smart monitors for applications.

A smart monitor acts like a security escort at a military installation: if the escorted application attempts a clearly dangerous action, the smart monitor will prevent it. Otherwise, the escort becomes familiar with the application and takes note if the application engages in unusual behavior. Human guards can do this because they are endowed with human intelligence. AppMon smart monitors enforce an interaction policy based on (a) site security policy and (b) the application's normal use of local resources and interactions with other systems.

This effort is based on profiling the resource use of the target application. The resource-usage profiles are also used to facilitate forensic investigation of untrusted processes. Application of this technology to forensics is carried out in collaboration with the ATC-NY developers of the OnLine Digital Forensic Suite™.



© 2010 Architecture Technology Corporation