A Heuristic Search for Identifying Required Application Libraries Supporting a Run-Time Security Policy

On a Windows platform it is possible to inject a DLL into a running process creating a new thread of execution within an authorized process. Security tools monitoring or examining DLLs loaded into the memory space of a given process rely on policies to determine the validity of the library. Two approaches to the policy specification include “all or nothing” and “per executable” rules also referred to as a run-time security policy. Developing the run-time policy requires the running of every executable for a period of time to train the system. An alternative to the training method of the run-time approach is to determine ahead of time which DLL should be loaded before execution. A tool called LibMon was developed to monitor loading of libraries by running applications. A heuristic search algorithm was created based on the analysis of the data collected with LibMon.