Monitoring how an application or system operates can reveal whether it is malfunctioning or whether it has been compromised. Intrusion detection systems (IDS) are often used for the latter, while basic heartbeat tools are sometimes used for the former. BG Networks' AnCyR (pronounced "answer") applies a machine-learning (ML) approach to this task. I talked with Roman Lysecky, BG Networks' CTO, about AnCyR (see video above).
AnCyR is designed to detect real-time attacks as well as differences from normal operations. It can help mitigate zero-day attacks since it's looking at the general operation of the system rather than a signature of a particular operation or message.
"AnCyR is based on five years of research at the University of Arizona with support from the National Science Foundation. AnCyR’s anomaly detection technology combines statistical, probabilistic, and machine-learning algorithms to accurately detect attacks with best-in-class false positives, latency, and overhead."
The system works through instrumentation that is first used to collect training data, from which the models are built. Those models then monitor the same instrumented signals, looking for changes in how the system operates over time. It targets high-reliability environments like automotive engine control units (ECUs). AnCyR is operating-system and programming-language agnostic.
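As an added illustration of the instrument-train-monitor flow described above (this is not BG Networks' code and does not reproduce AnCyR's actual algorithms), the following Python sketch learns a per-task timing baseline from a constructed, clean ECU control-loop trace and then scores later events against it, so a never-seen task or a grossly slower control step is flagged without any attack signature; the task names and timings are invented.

```python
import statistics
from collections import defaultdict

# Constructed training trace: (task, execution time in microseconds) for each
# control-loop step, as timing instrumentation in the firmware might record it.
TRAINING = (
    [("read_sensors", t) for t in (98, 101, 99, 100, 102, 97, 100, 101)]
    + [("compute_control", t) for t in (250, 255, 248, 252, 251, 249, 253, 250)]
    + [("write_actuators", t) for t in (60, 61, 59, 60, 62, 60, 61, 59)]
)

def train(trace):
    """Build a per-task baseline (median, MAD) from a trace of normal operation."""
    samples = defaultdict(list)
    for task, us in trace:
        samples[task].append(us)
    model = {}
    for task, vals in samples.items():
        med = statistics.median(vals)
        # Median absolute deviation is robust to the odd outlier in training data.
        mad = statistics.median(abs(v - med) for v in vals) or 1.0
        model[task] = (med, mad)
    return model

def is_anomalous(model, task, us, k=6.0):
    """An event is anomalous if its task was never seen in training or its
    timing deviates from the baseline by more than k MADs."""
    if task not in model:
        return True
    med, mad = model[task]
    return abs(us - med) / mad > k

def monitor(model, trace, window=8, max_anomalies=3):
    """Raise an alert only when more than max_anomalies events fall inside one
    sliding window; a single noisy sample does not trip the detector."""
    flags = [is_anomalous(model, task, us) for task, us in trace]
    return any(sum(flags[i:i + window]) > max_anomalies
               for i in range(max(1, len(flags) - window + 1)))

# Constructed runs: one with ordinary jitter, one where the control step is
# repeatedly far slower than its baseline and an unknown task appears.
NORMAL_RUN = [("read_sensors", 103), ("compute_control", 258), ("write_actuators", 58),
              ("read_sensors", 99), ("compute_control", 247), ("write_actuators", 61)]
SUSPECT_RUN = [("read_sensors", 100), ("compute_control", 410), ("write_actuators", 60),
               ("unknown_task", 5), ("read_sensors", 101), ("compute_control", 420),
               ("write_actuators", 61), ("read_sensors", 99), ("compute_control", 415)]

def demo():
    model = train(TRAINING)
    return monitor(model, NORMAL_RUN), monitor(model, SUSPECT_RUN)  # (False, True)
```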